
FBI Paid More Than $1M to Hack San Bernardino iPhone - maibaum
http://www.wsj.com/articles/comey-fbi-paid-more-than-1-million-to-hack-san-bernardino-iphone-1461266641
======
oneloop
Same article on the FT:

[http://www.ft.com/cms/s/0/af23e3ea-07f1-11e6-b6d3-746f8e9cdd...](http://www.ft.com/cms/s/0/af23e3ea-07f1-11e6-b6d3-746f8e9cdd33.html#axzz46UpvC84n)

James Comey, director of the FBI, said on Thursday that the cost was “worth
it”, but added that an accommodation needed to be made with Apple and other
technology companies in the future, as paying outside technologists to find
ways to access highly-encrypted messages on phones used by terrorist suspects
was not “scalable.”

~~~
isleyaardvark
> was not “scalable.”

This is the same James Comey that said they were just asking Apple for
access to just that one phone.

~~~
intrasight
Indeed. Americans need to wake up to the fact that these spooks simply cannot
be trusted. The very concept of trust is alien to their culture. Would be nice
if we could count on Congress to provide adequate oversight.

~~~
Nutmog
That won't happen unless American voters want it. They don't want it, as
evidenced by their not voting for it, so they won't get it.

~~~
jMyles
This absurdly reductionist view of participatory politics comes up again and
again. What are you trying to add to the conversation? Do you think that this
notion is new? Or that the rest of us haven't considered it?

Instead of a pithy but pointless HN comment, let me suggest a book for you
that might expand your thinking on this topic:

[http://www.thriftbooks.com/w/do-elections-matter/1470236/?gc...](http://www.thriftbooks.com/w/do-elections-matter/1470236/?gclid=CjwKEAjw9OG4BRDJzY3jrMng4iQSJABddor1GnER5RdItcJl_5VbZKMKh_bNAFT8a-Fom5anrbW7MBoCGQXw_wcB#isbn=1563244462&pcrid=70112876352&pkw=&pmt=&plc=)

~~~
dave_sullivan
> absurdly reductionist view

> Do you think that this notion is new? Or that the rest of us haven't
> considered it?

> a pithy but pointless HN comment

> might expand your thinking on this topic

Just throwing it out there:
[http://paulgraham.com/disagree.html](http://paulgraham.com/disagree.html)

It would be more helpful if you expanded on why it's a bad argument. Off the
top of my head:

> They don't want it, as evidenced by their not voting for it, so they won't
> get it

Was there a vote on it? When exactly?

Here's a book about how election results can change people's opinions on
topics. It applies here because X. I used to think Y, but it changed my
thinking to Z. I'd highly recommend it.

Not that GP is any better, but hey... And to be fair, the guy is practically
trolling, whether intentional or not.

~~~
wfo
You're right, of course; disagreement should be explained better.

But he is responding to a one-line meme whose only purpose is to establish
learned helplessness and end discussion that massively oversimplifies a very
complex issue and is essentially copy pasted in any article here that even
touches on politics. It gets quite exhausting engaging, having long in depth
discussion about how this view is overly simplistic on every single thread
only to have it appear again tomorrow, exactly the same as before.

I think downvotes and silence are the correct move here.

------
makecheck
I wish people who paid lots of government money for things were always forced
to do so out of their salary. For example: we will pay you $X per year in
exchange for giving you the responsibility to make up to 10 big purchases;
each _time_ you purchase however, 1% of the proposed sum comes out of that $X
salary; now then, how judicious will you be?

One thing Ron Paul did in Congress years ago, after one of those stupid “let’s
spend taxpayer money on a bunch of medals” proposals or something, was to
rephrase that expense: he challenged Congress to simply donate a percentage of
their own salaries to make it happen. After all, if it was so wonderful
(echoing all the things other Congress members had stood up and said about the
idea before then), and so worthwhile, surely they would _personally_ not mind
chipping in something, right? Predictably, a very small number of
congresspeople were suddenly willing to go quite that far.

~~~
epmatsw
Reminds me of Not Yours To Give:
[http://www.constitution.org/cons/crockett.htm](http://www.constitution.org/cons/crockett.htm)

~~~
function_seven
Thanks for that link. Great read.

------
aidanhs
To me this raises a question about selling security vulnerabilities to state
actors in general (in the context of the Facebook vulnerability thread where
the standard discussion about value is being hashed out).

Specifically, I live in the UK and one of the complaints law enforcement has
is that US companies can (and do) totally ignore valid court orders because
they don't apply in the US (reddit being an arbitrary concrete example).

So, what would be the impact of GCHQ setting up a scheme where you can sell
vulnerabilities to them (assuming they do the legwork to make it legal)? Would
it violate some kind of trade agreement? I assume at minimum it would harm
diplomatic relations given the pressure the big companies would exert on the
US to push back.

~~~
JoshTriplett
> Specifically, I live in the UK and one of the complaints law enforcement has
> is that US companies can (and do) totally ignore valid court orders because
> they don't apply in the US (reddit being an arbitrary concrete example).

A US company (or individual) should absolutely ignore court orders from a non-
US court; such courts have no jurisdiction. A "valid" court order necessarily
must come from a court with jurisdiction.

Similarly, I'd expect a UK company to ignore US court orders.

(And in both cases, I'd ideally hope the court knows better than to take the
case in the first place or to issue such an order.)

~~~
wodenokoto
The thing is, companies like Google, Facebook and Apple are kinda companies of
Great Britain or at least Ireland. They have bases in Ireland for tax purposes
and to comply with certain data retention laws.

That aside, it is not really too much to ask that a company that does business
in England abide by English law.

~~~
JoshTriplett
I'd certainly agree that a company with a legal nexus in a given country must
obey that country's laws (or leave).

But "does business in England" and "has a legal nexus in England" are two
different things, depending on your definition of "does business". For
instance, if I sell a service online, and someone from England buys it, that
might count as "does business in England" but it doesn't make either me or the
service subject to English law or jurisdiction.

~~~
murjinsee
Yeah, but at the same time... If they want to reap the tax benefits of basing
themselves out of a country, I would argue that they should be subject to that
country's rule.

Really, calling themselves an "Irish" company seems like tax evasion to me, if
it's in name only, with none of the negative ramifications.

Edit: speaking with regard to Apple, though other companies are in the same
boat.

------
readams
No paywall link: [http://www.cbsnews.com/news/fbi-paid-more-than-1-million-for...](http://www.cbsnews.com/news/fbi-paid-more-than-1-million-for-san-bernardino-iphone-hack-james-comey/)

------
droithomme
Given that they found no relevant information on his work phone, exactly as
experts and reasonable amateurs and common men predicted, how was it "worth
it" as he claims? Is it that wasting huge sums of taxpayer money while
attacking civil rights and attempting to instantiate a police surveillance
state with no privacy is simply "worth it" no matter what, even if pointless?

~~~
cpncrunch
It was worth it because they didn't know that beforehand. Now the FBI are sure
that the attackers weren't in contact with other ISIS members. The FBI thinks
that information is worth the $1.2M+ they paid.

How could they possibly have known that without unlocking the phone?

~~~
djrogers
> Now the FBI are sure that the attackers weren't in contact with other ISIS
> members.

Umm, no - no they aren't. Not even close. The terrorists' personal phones were
destroyed before the FBI could recover them, this was just a 'work phone'.

Don't you think it's likely that a) there is a reason they destroyed their
personal phones, and b) if they were going to communicate with other actors
they'd be more likely to use the phone that's completely under their control?

~~~
cpncrunch
Yes, you're right. I guess the FBI just confirmed that there was no info on
the work phone, which seems a valid line of inquiry.

------
nickbauman
I find it interesting that this entire issue is the same as the nuclear issue
was in the cold war.

Government Technocrats: We need bigger and more powerful warheads to protect
us from the Soviets.

General Public: OK we'll learn Duck and Cover.

Sensible Few: Is risking the destruction of everything we're trying to protect
worth it?

Government Technocrats: We can't look our children in the eye ... yadda yadda
yadda.

------
mindslight
I'm trying to see what's around the corner for this argument.

Sure they can go to congress and push for increased funding or whatever for
their top cases. Which gives congress a tangible budget number that could be
"saved" by passing a law, but politics/congress doesn't really work this way -
spending money _benefits_ the administrating critters, the FBI, and the
contractors doing the work.

Furthermore, $1M is essentially a small amount and obviously "worth it" for
the major sensational events that they'd use to push through backdoors. So it
seems they're actually giving up ground by having to move the argument to the
urgency for backdoors in cases that _aren't_ worth $1M.

I can see the argument playing for fiscal-primacy authoritarians who would
take this as an example of government waste, but they'd already support
government backdoors and I don't see this riling them up enough to be worth
it.

It seems like a dead-end for propaganda purposes. What am I missing?

Maybe they're just trying to salt the earth so that their technical success in
this case does not hinder them arguing for backdoors _next_ time?

------
Aelinsaar
This really seems like a terrible market for a state to be so openly involved
in.

~~~
joeld42
So they should be clandestinely involved, instead? They're going to do it
anyways, I'd rather know about it.

~~~
Aelinsaar
False dichotomy is false. They didn't have to do this, and by all accounts,
received nothing of value for the money.

~~~
jsprogrammer
Don't they have a tool to get into other iPhones now?

$1,000,000 doesn't seem too bad.

~~~
carlosdp
Not necessarily, they might not own the tool, just paid for someone to use it
on the phone.

~~~
jsprogrammer
The subtitle quote indicates that the tool was bought outright.

------
techterrier
Is that it? Had they found a way to do it internally it could easily have cost
10x more.

~~~
ascotan
5 people, 1 year = 1 million. Likely a team of 4 devs and a PM. 10 months to
prototype, 2 months to clean up and release?

Sounds reasonable.

------
agsimeonov
Were they going to pay Apple if they had somehow forced them to do the deed?

~~~
belltaco
Example: [http://www.cbsnews.com/news/verizon-att-get-most-bucks-from-...](http://www.cbsnews.com/news/verizon-att-get-most-bucks-from-feds-for-wiretaps/)

> AT&T, for example, imposes a $325 "activation fee" for each wiretap and $10 a
> day to maintain it. Smaller carriers Cricket and U.S. Cellular charge only
> about $250 per wiretap. But snoop on a Verizon customer? That costs the
> government $775 for the first month and $500 each month after that, according
> to industry disclosures made last year to Congressman Edward Markey.

> And while Microsoft, Yahoo and Google won't say how much they charge, the
> American Civil Liberties Union found that email records can be turned over for
> as little as $25.

~~~
coldcode
So the only argument the FBI hears is how much? Disgusting.

~~~
discreditable
An argument you could make is that by associating a cost with wiretapping it
discourages frivolous usage.

~~~
kabdib
Since when did the FBI care about spending money that they get from taxpayers?

------
ikeboy
[https://archive.is/OfqcJ](https://archive.is/OfqcJ)

------
mkhpalm
To me this sounds like the typical "teachers and firefighters" government PR
tactic. The best response is an equally ridiculous knee-jerk public reaction.
We need to call to defund the FBI by 1 million dollars to settle the
accounting. Clearly they have too much money burning holes in their pockets if
they are able to make large purchases of this nature.

------
pbreit
Is that a lot or a little?

~~~
potatohaven
It's about par. Some security firms will charge $1M/year and over. Corporate
enterprises involved in intelligence gathering for the government (i.e. ATnT,
Apple, Google, Microsoft, basically any "free" and paid tech service) can make
a lot of money depending on how many accounts they pass off to the FBI, NSA,
etc... If you're using any service in the US and the "West", even the "free
speech" stuff like ytcombinator, reddit, they'll pass off information and can
charge for it.

edit: Apple's encryption fight, for example, is a bit of a wash. It's
basically to lure in more users which they can charge more for. The more value
the user has for their privacy, the more companies can charge for access.

They are all corporate enterprises, and their responsibility is to profit for
their shareholders. When the government offers a legal profitable offer, they
have a responsibility to take it. If they are found not to take it, and a
group or party finds out and can prove it was a profitable venture, they can
attack the company with the courts.

~~~
matt4077
That's bullshit.

Management has wide-ranging freedom to define what they see as the best course
of action and nothing short of fraud is actionable in a court:
[https://en.wikipedia.org/wiki/Business_judgment_rule](https://en.wikipedia.org/wiki/Business_judgment_rule).

In this case, the obvious defense would be that for a company such as Apple,
the fees they charge the government for access are completely meaningless,
compared to the damage the brand could suffer if they're found violating their
users' privacy.

At $25 each as mentioned above, these fees probably don't even cover the costs
of having a lawyer take a quick look at it.

------
d_t_w
$180k is a dangerously small amount to pay someone with James Comey's
responsibility.

~~~
pyvpx
the fringe benefits and consulting/speaking fees post-FBI make up for it and
then some.

------
kureikain
Where did that $1M come from? If it's from tax I'll say that's a big waste.

~~~
ProAm
Where else does it come from?

~~~
thisisdave
legalized theft [0]

[0]:
[http://www.wsj.com/articles/SB100014240531119034809045765122...](http://www.wsj.com/articles/SB10001424053111903480904576512253265073870)

------
tomtoise
Paywalled for me here in the UK. I assume the title sums up the article?

Since I can't read the article, from anyone that can, how did they come to
that figure? Is that just the cost of the exploit or..?

Cheers

~~~
pavel_lishin
> _The Federal Bureau of Investigation paid more than $1 million for a hacking
> tool that opened the iPhone of a terrorist gunman in San Bernardino, Calif.,
> the head of the agency said Thursday._

> _Speaking at the Aspen Security Forum in London, FBI Director James Comey
> didn’t cite a precise figure for how much the government paid for the
> solution to cracking the phone but said it was more than his salary for the
> seven-plus years remaining in his term at the FBI._

> _His annual salary is about $180,000 a year, so that comes to $1.26 million
> or more._

> _“[We] paid a lot’’ for the hacking tool, Mr. Comey said. “But it was worth
> it.’’_

I wonder how exactly it's worth it, given that nothing of interest or
relevance was found on the device.

~~~
losteric
Well now they have a tool they can use at any time.

~~~
LeifCarrotson
On iPhone 5. Until Apple updates the software to fix the vulnerability.

~~~
imaginenore
If they know what to fix. FBI aren't idiots to tell them.

~~~
pavel_lishin
Apple could probably buy the same tool and analyze it.

------
dschweig
If over $1M is reasonable, I wonder what Comey would deem as an "unreasonable"
amount and the rationale behind the calculation.

------
epalm
What evidence is there that the phone was actually hacked? Wouldn't saying "ah
never mind we hacked it" be a convenient way out of a precedent-setting court
case the FBI was losing?

~~~
ikeboy
Except the other cases haven't been dropped, and this case was perhaps the one
most sympathetic to the government (terror).

------
ryporter
If you consider all of the time and effort that they put into this case, they
spent a hell of a lot more than $1M. We're focusing so much on it because it's a
single line item.

~~~
azazqadir
Exactly. Think about the resources they put on this case. It should be worth way
more than $1M and all that came from taxpayers' money.

------
sixtypoundhound
Ugh - total paywall on the article.

Seriously, we need to just ban domains that do that (full paywall after 1st
paragraph) - it's not really sharing any content with the community.

------
tn13
This is our tax money down the drain by scaring us to death for fear of non-
existent terrorist threat. It is remarkable how such FBI directors don't get
fired from their job.

~~~
cpncrunch
I'm not entirely sure how you can call 14 deaths "non-existent".

~~~
x1798DE
14 deaths out of 300 million people is close enough to zero that it's not
worth thinking about.

~~~
cpncrunch
Yes, I completely agree that terrorism is something that people shouldn't
worry about. However that doesn't mean you shouldn't investigate the murders,
just like you would any other murder.

You appear to be saying that 14 murders is something that shouldn't be
investigated properly.

~~~
tn13
Law enforcement has limited resources and hence they should spend based on
what they have. I feel they are spending too much of our money.

------
Shicholas
Next time they should just bring the phone to RSA and have their pick of
vendor-booth-magician to decrypt it.

------
refriedbeans3
That's it?

~~~
gist
a) The amount is nice since I think they apparently approached them after
figuring out how to do this. So impossible to think anywhere near that amount
of work was actually involved.

b) Establish and prove they can do the job. Will get other work like this and
be able to charge more. Really no different than what the local handyman or
plumber does in some cases.

------
amptorn
I still don't believe they've actually hacked it. There's no evidence that
they have.

------
chris_wot
Apparently $1 million is how much it costs to discover that no information was
on the phone.

------
WalterBright
I'm in the wrong profession!

------
bobwaycott
I'd like a refund, please.

------
known
Why not www.iphoneasyunlock.com

------
yohann305
this money comes out of our pockets.. YAY. NAY

------
Kequc
What bothers me is they apparently had no better intel available to spend that
money on. An iPhone really? This screams of the government having absolutely
nothing to do if not being outright incompetent entirely.

------
VT_Drew
McAfee offered to do it free of charge. Should have taken him up on that,
rather than waste $1M.

~~~
mtmail
McAfee's offer was a PR stunt. He admitted it a week later.

~~~
duskwuff
And he made a series of public statements which made it clear he had no
understanding whatsoever of the technical issues involved.

First, he claimed that he would use "social engineering" to access the phone's
data.

Later, he claimed that he could do it easily by clearing the area of flash
memory containing the phone's password, apparently unaware of the fact that
the password was used as a key to encrypt data.

Source: [http://arstechnica.com/security/2016/03/john-mcafee-better-p...](http://arstechnica.com/security/2016/03/john-mcafee-better-prepare-to-eat-a-shoe-because-he-doesnt-know-how-iphones-work/)

~~~
HappyTypist
Social engineering could plausibly work against Apple employees.

~~~
djrogers
Which is undoubtedly one of the many reasons why  didn't want to create the
software necessary to unlock the phone.

~~~
serf
ot: it's oddly satisfying to me that the Apple unicode is broken for my
browser.

