Obama's new BlackBerry: The NSA's secure PDA?
President-elect Barack Obama checks his BlackBerry while riding on his campaign bus in Pennsylvania last March.
(Credit: Pete Souza/ Rapport Press )Bill Clinton sent only two e-mail messages as president and has yet to pick up the habit. George W. Bush ceased using e-mail in January 2001 but has said he's looking forward to e-mailing "my buddies" after leaving Washington, D.C.
Barack Obama, though, is a serious e-mail addict. "I'm still clinging to my BlackBerry," he said in a recent interview with CNBC. "They're going to pry it out of my hands."
One reason to curb presidential BlackBerrying is the possibility of eavesdropping by hackers and other digital snoops. While Research In Motion offers encryption, the U.S. government has stricter requirements for communications security.
"Without more details I would have to say that putting sensitive or classified information on a BlackBerry is a risky proposition," said Greg Shipley, chief technology officer at Neohapsis, a governance, risk, and compliance consultancy.
Fortunately for an enthusiastic e-mailer-in-chief, some handheld devices have been officially blessed as secure enough to handle even classified documents, e-mail, and Web browsing.
The Sectera Edge, a combination phone-PDA that's been certified by the National Security Agency as being acceptable for Top Secret voice communications and Secret e-mail and Web sites.
(Credit: General Dynamics)One is General Dynamics' Sectera Edge, a combination phone-PDA that's been certified by the National Security Agency as being acceptable for Top Secret voice communications and Secret e-mail and Web sites. Through three separate interchangeable modules, it works with Wi-Fi, GSM, or CDMA networks, and is dust-proof, waterproof, and rugged enough to survive repeated 4-foot drops onto concrete. Physically, it's a chunkier second cousin to the Palm Treo 750, though with an additional LCD display below the keyboard.
The price is $3,350 with a two-year warranty, a princely sum that's reflected in the Pentagon-worthy price tags for accessories: a simple adapter for a lighter plug costs $100. (Never again should you complain about how much your civilian analogue costs.)
The Sectera runs a mobile version of Microsoft Windows, including versions of Word, Excel, PowerPoint, and Windows Media Player. The NSA claims that the installed versions of Internet Explorer, WordPad, and Windows Messenger are good enough for data that's classified at a level of Secret. Presumably the federal spooks have found a way to protect IE from the numerous security flaws that continue to plague the Internet's most popular browser.
The NSA declined to comment on Monday.
L-3 Communications' Guardian, still in development, is similar, but sports a chunkier antenna and a slightly less conventional keyboard shaped like a V. It, too, runs Windows, boasts a stylus and QWERTY keyboard, supports desktop synchronization, and can be used on secure data plans with AT&T, Sprint, T-Mobile, and, internationally, Worldcell. Files stored locally are encrypted.
General Dynamics' C4 Systems boasts that the Sectera is rugged enough to survive repeated 4-foot falls onto concrete.
(Credit: General Dynamics)Both PDA-phones owe their existence to a Defense Department project called SME-PED, meaning Secure Mobile Environment Portable Electronic Device. Because the SME-PED was explicitly designed to act as a classified-information-friendly replacement for a BlackBerry, it should be an easy switch for a President Obama.
That's assuming he still feels like e-mailing after Inauguration Day. Even though President Bush enjoys the same access to NSA-certified handhelds, he has never resumed his daily e-mail habit from the days when he went by the humble moniker of G94B@aol.com. (On January 17, 2001, Bush sent out this sad farewell: "Since I do not want my private conversations looked at by those out to embarrass, the only course of action is not to correspond in cyberspace. This saddens me. I have enjoyed conversing with each of you.")
At the time, Karen Hughes, one of Bush's closest aides, said that the president chose to abandon e-mail because of public records laws. That includes the Freedom of Information Act, or FOIA, and the Presidential Records Act of 1978.
Obama may find the convenience of wireless e-mail a pleasure difficult to give up. News reports during the presidential campaign described how he relied on his BlackBerry to bypass aides, which was even satirized by the Onion.
He checked e-mail during his daughter's football games, e-chatted with actress Scarlett Johansson, and before the New Hampshire primary told CNET News that the BlackBerry was his favorite gadget. On the other hand, Republican VP candidate Sarah Palin's e-mail breach is still within recent memory, as are the Bush White House's legal troubles stemming from the use of Republican National Committee e-mail systems.
"It's not just the flow of information," Obama said in the recent interview. "I mean, I can get somebody to print out clips for me, and I can read newspapers. What it has to do with is having mechanisms where you are interacting with people who are outside of the White House in a meaningful way. And I've got to look for every opportunity to do that--ways that aren't scripted, ways that aren't controlled, ways where, you know, people aren't just complimenting you or standing up when you enter into a room, ways of staying grounded."
Federal law does explicitly exempt from disclosure any "personal records" that do not relate to the president's official function. Those include electronic records that are "of a purely private or non-public character" and don't relate to official duties; the law lists diaries, journals, notes, and presidential campaign materials as examples. Similarly, FOIA prevents files from being released if the disclosure would significantly jeopardize "personal privacy."
In other words, Obama could choose to keep e-mailing judiciously, and trust his lawyers and the law to fend off overly nosy journalists and historians.
This secure PDA-phone from L-3 Communications is still being developed.
(Credit: L-3 Communications)
Wireless devices: What price convenience?
One thing that security experts can agree on is that despite RIM's efforts, a BlackBerry probably isn't up to the security standards for a leader of the free (or even unfree) world.
BlackBerrys can become infected with viruses that install spyware or turn the microphone on and record conversations, malware can be inadvertently downloaded, e-mail and text messages can be intercepted, and, of course, they can be lost or stolen, said Dan Hoffman, chief technology officer of SMobile Systems, which sells antivirus software for the devices.
The National Vulnerability Database, which is sponsored by the Department of Homeland Security's National Cyber Security Division, lists 14 vulnerabilities for BlackBerrys. Those include ways that a malicious attacker can install malware, and perhaps crash the device through a so-called denial of service attack.
It's not like snoopy computer utilities are difficult to find. Flexispy.com sells spyware that can be installed by someone with physical possession of a phone for 15 minutes. The creators boast that their software, once installed, can "bug a room or person" and "catch cheating husbands."
The U.S. government uses special ciphers for secret information and they use different data networks from the public data networks, said Phil Dunkelberger, chief executive of encryption provider PGP Corp. "Unless you're using point-to-point encryption technology...or the mail itself is encrypted, you would have exposure to people administering the network." And, on a related note, we know that Obama's cell phone records through Verizon were improperly accessed last year.
There's also the risk of someone tracking the coordinates of a BlackBerry through the device's built-in GPS or the carrier's ability to triangulate on the signal--something that police, for instance, claim they should be able to do without a search warrant or evidence of criminal activity. Bush White House aides say that security concerns prompted them to disable the GPS feature on their BlackBerrys.
James Atkinson, president of Granite Island Group, an engineering firm that helps the government protect classified networks and equipment, pointed this out as a possible security vulnerability. "You can identify where a person is without gaining access to the cell phone network just by the timing of the signals, Atkinson said. "You can identify who is sitting in which seat in a conference room from a couple thousand feet away."
Then again, it's not like the president of the United States and his entourage travel incognito that often.
If nothing else works, Obama can always turn to Bush for some tips. Not his immediate predecessor, but former President George H.W. Bush, a late-in-life convert to the joys of e-mail. Bush the Elder has been quoted as saying: "I'm what you might call a black belt wireless e-mailer."
CNET News' Elinor Mills contributed to this report.
Declan McCullagh, CNET News' chief political correspondent, chronicles the intersection of politics and technology. He has covered politics, technology, and Washington, D.C., for more than a decade, which has turned him into an iconoclast and a skeptic of anyone who says, "We oughta have a new federal law against this." E-mail Declan. 
Anyways, it kind of amazes me that they can't get it together and give the leader of our country the most secure kind of whatever phone he wants. I mean are you really telling me there's not someone smart enough to program something to do whatever he wants and have it be the most secure device it needs to be. And on the other hand, do you really think someone as intelligent as he is that regularly uses a Blackberry would really be stupid enough to share anything of a high security nature over the phone?
It's a fact that the vetting process for Obama's cabinet was so rigid that Obama himself (due to his Chicago affiliations and prior illegal drug use) would probably not have qualified. It's also a fact that most security breaches are the result of human failures (being duped by trojans, setting guessable passwords, being dishonest, etc) and not technical device failures.
Obama is obviously more intelligent than most people, so hopefully human failure will not be a factor.
I'm still wondering how this community agitator is worthy of a security clearance in the first place. Given his friendship with William Ayers, he wouldn't be eligible for one otherwise.
------------------------------------------------------------------------
That's why you lost in November. It's also why we call you retardicans. We're not going to bother wasting our time attempting to teach you because you are patently unteachable. What we will do is clean up the messes you have caused over the last decade and return our great nation to the status it deserves. And keep your kind out of office for the next decade.
RIM is a Canadian company so it will never get NSA security approval. It as nothing to do with the technology.
OTOH it does serve one good purpose: That thing is a perfect visual indication of just how badly things can go wrong when you have the government design a Crackberry. All it lacks now is a 2-kilo battery hanging off the back.
/P
Like it or not Windows Mobile was built for corporate environments. Even the run of the mill consumer models support encryopted storage, certificates, pin unlocking, and remote data wipes.
Stop being such an MS hater. The NSA doesn't dick around with this stuff. They picked this device for a reason.
I see you've mastered the usage of LOTS of question marks to emphasize your AMAZING points, but other than that, there isnt a lot of other value in your post.
So I guess you are saying that you have a problem with Chinese and Pakistanis? Or perhaps Russians? And I assume that you are of the mind that your beloved Linux (and/or Mac OS - cant tell which of those two malcontent darlings you have your mean on for) have no "Chinese" and/or "Pakistani" programmers on them?
I'd suspect that the Open Source community, with its "one big family" international dev effort and wide open source code, has lots more of "them foreigners" coding in and on it, if that really matters to you.
Either way I suspect you know very little about RIM or their security model (or lack thereof) and just, like so many polluting tech blogs, just like to make reactionary, religious and inflammatory comments (generally of the DOWN WITH M$!!!!!!!!!1111!! variety)
I'd prefer if every message the president sends isnt funneled through a corporate owned data center off of US soil, personally. But I guess for you, as long as it isnt "M$" nothing really matters at all. Good to see you and guys like you are thinking very rationally about important matters! :)
----------------------------------------------------------------------
by mlambert890 January 14, 2009 2:42 PM PST
So I guess you are saying that you have a problem with Chinese and Pakistanis? Or perhaps Russians? And I assume that you are of the mind that your beloved Linux (and/or Mac OS - cant tell which of those two malcontent darlings you have your mean on for) have no "Chinese" and/or "Pakistani" programmers on them?
----------------------------------------------------------------------
That's not how I read that comment. Think more along the lines of "outsourcing presidential security". Do you think THAT is a good idea?
----------------------------------------------------------------------
I'd suspect that the Open Source community, with its "one big family" international dev effort and wide open source code, has lots more of "them foreigners" coding in and on it, if that really matters to you.
----------------------------------------------------------------------
Fair enough, but tell us where they would "hide" code-of-questionable-merit. Keep in mind they would have to hide it from the entire open source community (well, at least from all the other developers working on this open source code). That's much easier when the source is closed, proprietary and coding tasks parceled out by a controlling entity.
Personally, I think winblows mobile was chosen because of back room kickbacks to the government by M$. M$ hasn't exactly had a stellar history when it comes to security. I'm also guessing that people in the government, outside of M$, have had a chance to lock down and customize some aspects of win mobile for their use - it would be incredibly stupid to NOT have insisted on that!
To that extent the only way to fly in the US military is on board a non military created craft.
I'm not so sure about this L-3 company but GE is very American, and has been making military equipment for a very long time.
And I'm not sure where this Chinese Pakistani and Russian hyperbole came from. Last time I checked Microsoft is based out of Redmond. Not Reutov (or any other Russian city starting with a "R").
'cause windows can be secured.
You know how to secure a windows machine? Unplug it. Then crush it with a 40 Ton weight. That is as close to secure and windows will ever get.
Oh and "andyengle", your right wing talking point of ignorance is so 2 months ago. Give it up already. The right wing BS machine has moved on to FDR and New Deal denial. Try to stay current on your ignorance....
The problem is that operating systems and all software are written by these imperfect little beings hitching a ride around this water covered rock circling around a lone star in the outreaches of an average galaxy. When we can convince omnipotent deities to write our software for us, then and only then might we approach "secure software". Assuming we can completely trust these deities to work in our best interests.
Plus this device is hardly handheld! its the size and weight of the average cookbook!!
Obama Stick to your blackberry or iPhone (as we know you have one of those too)as despite what the NSA say it is more secure than their offering!! who listen to an agency that has warnings about 9/11 and dis nothing!!
1) The secure devices are "smart card" equipped, and have features such as secure / classified capable USB ports, etc. Your standard Blackberry does not, though there are options for bluetooth-enabled "card-sleds" (which if not properly secured open up the possibility of blue-jacking).
2) NO operating system is 100% secure, there is no such thing. Given enough time and computer power, any "secure" or "encrypted" system can be broken. Current goals is to make it secure enough, that by the time the security or encryption is broken, it won't matter, because the information is not as relevant. I would venture to guess the target would be approximately 12 years in this case, planning for 2 terms of office, etc.
3) The reason Microsoft has such a bad rep for security, is their OS is in use on over 80% of the computers in the US alone, and own a significant share worldwide. Thus, writing attack code or searching for vulnerabilities in a Windows OS version will yield much higher potential targets, versus Linux or Macintosh. Let's not forget, some of the first "Home PC" viruses were written to attack the Apple IIc, which had significant market penetration early on in the PC revolution.
4) Very few people in either the public or private sector really understand information and/or computer security, or can be bothered to learn anything about it. A simple wireless scan with a PDA or phone will often pickup unsecured wireless networks in the area. Following NSA and DISA guidelines to securing your professional and/or personal computing devices vastly increases your security (how many posters here are logged on as administrator level accounts at the moment?), as does good habits. Additionally, disabling unused/unneeded services can increase the stability of the device in question, and a comprehensive hardware/software encryption system, combined with multi-factor authentication makes them much more secure than any current Blackberry device is.
Good story, I enjoyed it.
I found everything else in your comment to be rock solid, it's just that mythical market share argument I couldn't let stand.
While Microsoft has an admittedly poor track record for security (in part because for every area of "increased functionality" for customers, increases it's vulnerability footprint), following published guidelines (primarily the NSA guidelines, along with implementing DISA's STIGs) to harden it's OS' makes it usable in an enterprise environment. No argument that it is not as secure "out-of-the-box" as many professionals would like, going all the way back to 3.11 for Workgroups- but that's why there's always a market for IT professionals, especially in the security field. (minor political note... does this mean that Microsoft creates jobs, by releasing a product that needs support- an interesting economics problem, but I digress)
I would wager however, that if OS X owned 80+% of the OS market, that there would be claims that it had security issues, since attackers would focus their efforts on the widest available array of targets, instead of a growing, but still essentially "niche" population of users. In my opinion, the best option for Apple right now would be licensing the OS to major builders such as *shudder* Dell and HP. That's a whole separate argument however.
Thanks for your comment, it's always nice to engage in intelligent debate, versus the chest-pounding "leet-speak" that inundates some of these forums.
Regards,
Ben
They couldn't come up with a secure Linux mobile? WOW!!! I didn't know that Windows Mobile (custom edition) was more secure than Blackberry. LOL!!!!
Now, I have used both the blackberry and winmo.
All you people saying the blackberry is secure, I cant log into BofA using this thing, because all of the traffic goes through RIM's servers, which is UNSECURE, since anyone at the company with enough privileges can view the emails.
I'm an admitted Obama fan, but even I wouldn't want him being able to launch nukes from his cell phone or PDA.
http://www.voltage.com/pdf/GPG_IBE_May_June_2007.pdf
- by jrepenning January 13, 2009 11:26 AM PST
- > Then again, it's not like the president of the United States and his entourage travel incognito that often.
- Reply to this comment
-
Showing 1 of 2 pages (66 Comments)... that we know of ...