The Truthiness Of BlackBerry's Security

| About: BlackBerry Ltd. (BBRY)


BlackBerry wants us to believe it is more secure than other systems.

Security is NOT easy.

Good security is a company mindset, not an added concern.

As a holder of BlackBerry (NASDAQ:BBRY), I get a great deal of pushback from some pretty smart people that think BlackBerry is a failed company in its death throes. Here, I outline why I think BlackBerry stands a chance, even if it still is a very high-risk holding. To understand my investment thesis, we will have to take a dive into software development and testing. We'll stay in the shallow end of the pool, but this isn't a typical financial analysis and justification for owning a stock.

Here is a link to the latest security breach for iOS:

Brute Force Vulnerability

My point isn't to bash Apple (NASDAQ:AAPL) and pump BlackBerry. There will be plenty of people crowing over Apple's "failure" and trumpeting BlackBerry's security chops. My point is to raise some awareness about the difficulty of creating secure systems. According to the article, it appears that the problem was attributed to a login process that allowed a brute force attack. Brute force attacks are ancient, exceedingly simple, and perhaps among the most easily defended. Anyone that has mistyped their own password a few times (too many martinis?) and been locked out of an account knows how blocking a brute force attack works. You get locked out after a set number of attempts. A brute force attack needs thousands or even millions of attempts to work.

What can we conclude about this particular security breach? Since I know nothing about Apple's development and testing processes, probably nothing with certainty. But there are a few things that can be said with some confidence.

In order to test for something, you have to first ask a question. What happens to X if we do Y? Best-practice software testing proceeds from a list of important questions. The most important questions are tested EVERY TIME a software component is changed. So if a login process is modified, the tester pulls out the list of important questions and steps through them, checking them off. Somewhere in this list you would expect "does it reject a brute force attack?"

In Apple's testing, either the validation of brute force defense was not on the list, or it was on the list and the tester skipped it. Or more insidiously, the tester ran the test and the test passed, but the test itself was flawed. This last possibility is the one that illustrates how difficult it is to keep a system secure.

Assume that everyone did their job and that it was actually the test itself that was flawed. While there are a number of possibilities as to the origin of the flaw, often it boils down to unintended consequences from changes somewhere else in the system. The brute force test could actually have worked perfectly every other time it was used. It could have been well-designed and rigorously vetted and have had a stellar track record. But along comes a new feature or application that handles login processes in some slightly different manner. This new process has a condition that the original test sequence doesn't recognize. Because it doesn't even recognize the sequence, it doesn't "ask the question." The testing process steps through all of its known conditions, everything passes and the new login process is green lighted.

Everyone did their job. The testing sequence did EXACTLY what it was programmed to do. And it still failed. The reason it failed is that the system itself is so complex that no one person knows everything about it, and so none of the engineers were familiar enough with the specific testing procedure to realize that a subtle change in the login process added a special case that needed to be tested. So the software was released.

Hackers are actually really good at what they do. Some of them are as talented and brilliant as any engineer at any legitimate company. The best ones are disciplined and methodical when trying to hack a system, so very likely one of the things they try is to run a brute force script. Not because they expect it to work since a defense against it is so easy, but because it MIGHT work if there is an unknown bug.

Fait accompli.

This problem exists for EVERY software development project. BlackBerry has the same challenges as Apple, Google (NASDAQ:GOOG) (NASDAQ:GOOGL) or whomever. To those who think BlackBerry has perfect security, it is a virtual certainty that it will have some type of similar security breach because of some unintended consequence of some change in its systems that was not caught in its testing, even with best practices in place.

Yet, herein is where we can see some potential differentiation between BlackBerry and other device manufacturers. Apple, as an iconic consumer-oriented company, makes decisions based on what is best for its target demographic -- end-users that are heavily skewed to entertainment and socialization. Hence, each iteration of its products must prioritize the feature sets in any release to service that demographic. Security isn't sexy. It isn't a cool new feature. It barely seems to be on the radar of many consumers. When a deadline for release approaches and it has to decide what needs to go into the new product and what can go into the next iteration, it's conceivable that security testing would be somewhat further down the list (i.e., the testing system always worked before, so they don't need to invest resources making sure that it still does). This is not the same thing as saying that Apple doesn't care about security or doesn't test for it. It is only saying that when decisions are made about resource allocation, that security is prioritized according to its business model and target demographics. It is a business decision.

On the other hand, BlackBerry is positioning itself as a business platform. In this case, security looms large. When a deadline for a new product is looming, the decisions about resource allocation are weighted differently. Hence, the decision might be to actually spend additional resources making sure that the testing processes relevant to security are valid when applied to the new features. Not because security is important, but because security is important to its targeted customers. It is still a business decision.

This is a difference in mindset, not talent, best practices, feature sets, and marketing. The argument that BlackBerry is making is that it is MORE secure (not perfectly secure), that this claim is based on security being a critical feature to its offerings, and that its development practices and resource allocations are weighted towards security before "cool new features."

Which brings up a good question. If the Internet of Things creates an information environment that links together BILLIONS of devices, what systems will be the most secure? Those that chase flashy features, or those that put security higher up in their priorities?

This brings us to why I think that BlackBerry is a good, long-term, albeit very risky investment. Under the leadership of John Chen, it has stabilized its financial status, cut away the fat, identified its strengths, and is focusing on a demographic that leverages those strengths. It is also positioning itself to take advantage of that explosion of opportunity called "The Internet of Things," not as a flashy, consumer-oriented, feature-driven company, but as a solid, secure, business-oriented platform for companies that want productivity and security, not the ability to play the next mega-game that appears on social networks.

Will I be proven wrong? The next few quarters will tell. Now is the time for Chen and team to demonstrate that the company doesn't have just the appearance of a successful restructuring, but is actually revitalized and executing a winning strategy.

Disclosure: The author is long BBRY, INTC.

The author wrote this article themselves, and it expresses their own opinions. The author is not receiving compensation for it. The author has no business relationship with any company whose stock is mentioned in this article.