13

It's widely publicised that Obama has a blackberry, but it isn't clear to me what security settings are employed by the NSA or what private businesses can learn from his configuration?

What is known, or what can you infer about a secure Blackberry deployment of such a critical nature?

knipp
  • 589
  • 5
  • 14
makerofthings7
  • 50,488
  • 54
  • 253
  • 542

4 Answers4

14

From what I've seen, he simply isn't allowed to use it for official purposes. He has to use a secure device instead.

http://www.intomobile.com/2009/01/21/obama-cant-give-up-his-blackberry-keeping-it-for-personal-use/

Xander
  • 35,616
  • 27
  • 114
  • 141
  • Thanks, that is a cool link to know about. I'd still be interested in the settings that he uses for his Blackberry that private industry can emulate. – makerofthings7 Nov 23 '10 at 17:45
3

2G communications is proven to be very unsafe for both voice and data.

GPRS/UMTS use A5/3 encryption and the encryption for that has not been broken. It's possible that his blackberry only uses GPRS/UMTS networks

makerofthings7
  • 50,488
  • 54
  • 253
  • 542
  • 2
    A5/3 is 64 bits if I recall (128-bit KASUMI with a 64-bit key repeated twice), so it's not particularly secure. – forest Dec 19 '18 at 09:42
1

From my basic searching I wasn't able to find anything specific, and I don't believe I'm likely to find anything as the details aren't released to the public. There's some basic information out there from this article (https://www.nytimes.com/2009/01/23/us/politics/23berry.html) though that lets us draw our own conclusions:

  • "First, only a select circle of people will have his address"

    • There's a bit of security-through-obscurity happening here where if you wanted to send Obama a phishing email, you'd have a hard time figuring out even the easy part (where to send the email address). As a security engineer we avoid relying on security-through-obscurity measures like this, but it can absolutely be helpful as part of your defense in depth. Probably not practical for a company because this information is a little more public - using first.last@company.com allows everyone to know each other's email/memorize their own, and the names of the employees at your company is more or less public information and easily found.
  • "Second, anyone placed on the A-list to receive his e-mail address must first receive a briefing from the White House counsel’s office"

    • This is interesting, but non-technical and non-practical for a company to implement in the vast majority of cases. Employee training/awareness might be the closest parallel.
  • "Third, messages from the president will be designed so they cannot be forwarded."

    • There are a few methods that email providers implement that prevent email forwarding. This may not seem like a particularly strong mechanism because anybody who receives a message can manually copy/paste and forward it themselves, but it's important to keep in mind that a lot of security controls protect against ignorant and forgetful users rather than malicious ones. This is a simple defense-in-depth measure that reminds users not to forward sensitive mail.
  • "he had to agree to use a specially made device, which must be approved by national security officials."

    • From this I'm inferring that Obama doesn't have full control of his device aka isn't a root user. This is something you see companies doing every so often when they provision mobile devices for their employees - you want your specialists in IT to have full control over the device and not allow your users to disable a safety mechanism or have their password associated with root privileges. If you're provisioning a phone for an employee there should be no cases where they'll require root/privileged user access, so just access to the phone, messenger, and internet apps may be enough.
  • "“It’s a pretty small group of people,” Mr. Gibbs said, explaining who would be allowed to e-mail the president."

    • I'm guessing that not only does this small group get access to Obama's email address, but a mechanism in the phone will drop any connections/reject any messages from addresses not in an approved whitelist. Would definitely be useful implementing this in a company if you have a business context where you only expect your users to receive messages from a known list of people.
Buffalo5ix
  • 2,646
  • 13
  • 18
0

what private businesses can learn from his configuration?

Not much. I expect the measures are extreme in complexity and cost and appropriate for heads of state or equivelent value individuals.

In short that Blackberry may cost $1.000.000 USD to secure, who else could afford to pay that much?

this.josh
  • 8,843
  • 2
  • 29
  • 51