BlackBerry security and VPNs

On Tuesday last week, The Economist keenly observed that:

Whenever you read about a dispute between a web-based service and a country, you need to ask yourself only one question: where is the server located?

BlackBerry servers are located in Canada, and data is encrypted when it is sent from one phone to another. That’s a problem for countries that want to intercept and monitor information sent across BlackBerry networks. From The Economist article:

Countries have two basic technical methods of controlling the flow of information over the internet. First, they claim legal jurisdiction over information stored on servers within their own borders. Second, they can read or block traffic moving through the choke-points where internet cables cross the border.

Neither of those options is available to countries wanting to spy on BlackBerry users, which is why Research In Motion, the makers of the BlackBerry, have been getting flack from the governments of India, Lebanon, Saudi Arabia and now the UAE:

The UAE’s Telecommunications Regulatory Authority said it would suspend BlackBerry Messenger, email and Web browsing services beginning on October 11th if RIM does not provide a solution for local messaging control.

Fortunately, Research In Motion told its customers not to worry:

The BlackBerry security architecture for enterprise customers is purposefully designed to exclude the capability for RIM or any third party to read encrypted information under any circumstances. RIM would simply be unable to accommodate any request for a copy of a customer’s encryption key since at no time does RIM, or any wireless network operator, ever possess a copy of the key.

Unfortunately, Research In Motion quickly made a deal with the government of Saudi Arabia that undoes those fine intentions:

The agreement, which would involves placing a BlackBerry server inside Saudi Arabia, would allow the government to monitor users’ messages and allay official fears the service could be used for criminal purposes.

A similar deal with the UAE is likely to follow.

Staying secure when eavesdropping is a risk: VPNs

This brings up a general point about safe internet use in any setting where third parties — including governments, your ISP, or the guy next to you in the coffee shop sharing that WiFi hotspot — may be able to peek at your communications. A commentator at The Economist’s article wisely noted that:

…one can go to any hotel in Dubai, hop on its wifi with your laptop and use your own VPN (or company VPN in my case), effectively blocking them from seeing your communications.

Although it may be illegal to do so depending on your location, and I’m in favour of following the laws in the country you’re in, using a VPN may be a good idea in some scenarios.

The best explanation of VPNs I’ve read is from HowStuffWorks.com, which suggests the analogy of the internet as an ocean and most internet traffic as being like a ferry from one island to another. When you’re on a ferry, everyone can see who you are and what you are doing. It’s public.

A VPN, on the other hand, is like a submarine that allows you to travel underwater from island to island. Some savvy observers of the ocean (your ISP, for example) may know that you are in a submarine, but they won’t know your ultimate destination or what’s inside of the submarine (i.e., the information you are transferring from your computer to the destination computer).

To use a VPN, you simply need to install VPN software on your computer (some suggestions are provided below), connect to the internet, start the VPN software, then proceed to browse the net.

Drawbacks of VPNs

As with any security solution, VPNs have some drawbacks:

  1. You have to trust the VPN provider more than you trust your current connection. There’s no way around this if you’re using a commercial VPN (highly technical users can set up their own VPN servers to get around this problem, but the process is too difficult for most of us). The best assurance any VPN company can give you is something like this:

    What needs to be understood, is that our livelihood depends on keeping you safe and honoring your privacy. If we ever compromised that, unwillingly or with bad intent, I would imagine word would get out pretty fast. I can say that here at WiTopia, we take it very very seriously.

  2. They slow your browsing/VOIPing/messaging. Because of the encryption/decryption process and because your internet communications are first routed to your VPN’s servers before being routed to the ultimate destination, you’ll probably notice some lag.

A few VPN companies

I can’t promise that these companies will keep your information secure. There is no such thing as perfect security. If it’s important to you, you need to do the background research and decide for yourself if using a VPN is safer than the alternative. That said, here are two companies that were discussed by CNET and one that a friend recommended to me:

  1. WiTopia
  2. HotSpotVPN
  3. proXPN, which is free and has a Facebook page where the company often answers user questions

Added 10 Aug 2010: U.S. authorities are already able to tap BlackBerry messages. And Bruce Schneier noted a few days ago that:

The UAE can’t eavesdrop on BlackBerry traffic because it is encrypted between RIM’s servers and the phones. That makes sense, but conventional e-mail services are no different. Gmail, for example, is encrypted between Google’s servers and the users’ computers. So are most other webmail services. Is the mobile nature of BlackBerrys really that different? Is it really not a problem that any smart phone can access webmail through an encrypted SSL tunnel?

Wait a year on Vista

A while back, I stated in a comment to one my posts that I thought it would be a good idea to wait a year or so after its release before installing a new operating system. This applies to Windows Vista, which, according to Wired News will be available 30 January 2007.

It’s fun to get the most advanced operating system when it first becomes available, but it can be a hassle, too. At least one Wired News reporter thinks similarly:

I would not recommend going out and buying Vista off the shelf or pre-installed on a PC when it becomes available. Users will likely suffer many headaches with missing peripheral drivers and a lack of backward compatibility with legacy software, and those headaches will not make Vista worth its hefty price tag.

If possible, wait a year or more after Vista’s launch to invest in the operating system. At least by then, numerous updates, hardware drivers and service packs will likely have been released.

Security, too, could be a patchy issue (pun fully intended) during the initial weeks and months of Vista’s launch. Better to stand on the sidelines and wait until the time is right to buy the unproven operating system.

Read more about recommended software

Viruses have come of age

If your installation of Windows XP is lacking an antivirus program or firewall, it’ll take about 8 seconds for it to become rabid and foaming with worms, viruses, and spyware. At least, that’s what this BBC article suggests.

But seriously, remember when all you had to worry about was some dork impressing his friends with some virus named after a girl that kneed him in the balls last week? That was a more innocent time.

Today, viruses have come of age. And they’re not even called viruses anymore. The biggest problems today are spyware and adware. The trouble with viruses was that their sole object was to penetrate your computer, then destroy it. That didn’t make anybody rich, though, because good parasites don’t kill their hosts.

The most sinister and pervasive threats have morphed into commercially propelled vehicles for privacy extraction with a view to profit. These days, when I look at a friend’s computer that has slowed and showed signs of derangement from infection, I don’t find a lot of viruses. But I find boatloads of spyware and adware (and that’s a metric boatload, not one of those sissy imperial boatloads).

So be aware of the threat you face now. A new enemy requires new tactics–this means your anti-spyware and adware programs are more important than ever. I previously recommended Spybot and Adaware for the newly important jobs – read my review of both and find out how to get them (they’re free, of course).

Software recap

To date I’ve recommended five computer programs that are essential to keeping your privacy and security intact. They are all free, they all work very well, and they all rival similar programs that often cost a lot of money. Here’s a recap:

Web browser:

If you’re still using Internet Explorer, you’re exposing yourself to unnecessary danger when you surf the web. Malicious websites can install spyware, adware, and viruses without your knowledge or consent by exploiting IE’s subpar security architecture. If you’ve got some spyware on your computer and don’t know where it came from, there is a good chance IE invited it in.

The fix is really easy, so there’s simply no excuse to stand on the sidelines any longer. Stop using Internet Explorer, download Mozilla Firefox, and start browsing the web safely. (continue reading…)

Read more about recommended software

Get an antivirus program

If you have been following this blog, you have so far installed a firewall, spyware and adware detectors, and a secure browser to keep you feeling safe and warm at night. And the best part is that it hasn’t cost you a single gold nugget to do so. Now it’s time for the final piece of software that is absolutely vital if you wish to protect your computer. As always, it’s free.

It takes a pirate to know a pirate

Avast! is a simple and clean, but ever swashbuckling, antivirus program that will have viruses walking the plank and begging for mercy. But there will be no mercy. Download it, update it often, scan often, and live a long, fully-toothed life on the high seas of security.

In an upcoming post I will map out how to use your new virus scanner most effectively. Here’s the gist of it: it’s easier to prevent viruses from boarding your ship in the first place than it is to fight them off once they’ve ransacked your rum rations and gorged a hole in the hull of your once mighty vessel.

Next Page »