Tag Archive: Chilliwack Phone Repair


Here’s why many people want their BlackBerrys back after switching to iOS and Android

Following the release of the original iPhone in 2007 and the subsequent launch of Android, many people with work-issued phones spent years asking for their employers to switch away from BlackBerry smartphones to more modern devices. Finally, as Apple and Google increased their focus on security and BlackBerry hit dire straights a few years ago, workers began getting what that wanted and bring your own device (BYOD) policies became more common.

More recently, however, an interesting trend is being observed: Workers want their BlackBerry’s back.

CIO’s Tom Kaneshige reports on an interesting phenomenon that we’ve heard rumblings of in the past. At companies where employees were permitted to ditch their work-issued BlackBerry phones and bring their own iPhones and Android handsets, they’re now begging their IT departments to move back to BlackBerry.

Why? It turns out there are a few reasons.

For one thing, there are privacy concerns. When workers use their own iOS and Android devices, IT departments gain access to all of their private data in addition to any corporate apps that might be on the devices. It’s never a good thing when you have to hand over a smartphone packed full of naked selfies so that IT can fix an issue with email not syncing properly.

Beyond that, IT professionals Kaneshige spoke with say they are having some serious problems with mobile device management (MDM) software, and the related on-device apps often cause issues like battery drain and device bogging.

Source: BGR

Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping

Hundreds of open source packages, including the Red Hat, Ubuntu, and Debian distributions of Linux, are susceptible to attacks that circumvent the most widely used technology to prevent eavesdropping on the Internet, thanks to an extremely critical vulnerability in a widely used cryptographic code library.

The bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package. Initial estimates included in Internet discussions such as this one indicate that more than 200 different operating systems or applications rely on GnuTLS to implement crucial SSL and TLS operations, but it wouldn’t be surprising if the actual number is much higher. Web applications, e-mail programs, and other code that use the library are vulnerable to exploits that allow attackers monitoring connections to silently decode encrypted traffic passing between end users and servers.

The bug is the result of commands in a section of the GnuTLS code that verify the authenticity of TLS certificates, which are often known simply as X509 certificates. The coding error, which may have been present in the code since 2005, causes critical verification checks to be terminated, drawing ironic parallels to the extremely critical “goto fail” flaw that for months put users of Apple’s iOS and OS X operating systems at risk of surreptitious eavesdropping attacks. Apple developers have since patched the bug.

“It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification,” an advisory issued by Red Hat warned. “An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker.”

GnuTLS developers published this bare-bones advisory that urges all users to upgrade to version 3.2.12. The flaw, formally indexed as CVE-2014-0092, is described by a GnuTLS developer as “an important (and at the same time embarrassing) bug discovered during an audit for Red Hat.” Debian’s advisory is here.

As was the case with last week’s critical encryption bug from Apple, the GnuTLS vulnerability is the result of someone making mistakes in source code that controls critical functions of the program. This time, instead of a single misplaced “goto fail” command, the mistakes involve errors with several “goto cleanup” calls. The GnuTLS program, in turn, prematurely terminates code sections that are supposed to establish secure TLS connections only after the other side presents a valid X509 certificate signed by a trusted source. Attackers can exploit the error by presenting vulnerable systems with a fraudulent certificate that is never rejected, despite its failure to pass routine security checks. The failure may allow attackers using a self-signed certificate to pose as the cryptographically authenticated operator of a vulnerable website and to decrypt protected communications. It’s significant that no one managed to notice such glaring errors, particularly since they were contained in code that anyone can review.

Security researchers are still studying the vulnerability and assessing its effect on the wide array of OSes and applications that depend on GnuTLS. For the moment, readers should assume that the severity is critical given the dizzying amount of downstream code that may be affected. One example: the apt-get installer some distributions of Linux use to distribute and update applications relies on GnuTLS, although exploits against the package can probably be caught by cryptographic code-signing of the downloaded program (thanks to readers for pointing out this secondary level of protection). Version 3 of lib-curl, which is distributed in Debian and Ubuntu, also depends on GnuTLS. Some Debian- and Ubuntu-based virtual private networking applications that work with Cisco Systems hardware are also affected. This list goes on and on.

Source: ArsTechnica