
Tim Cook’s refusal to help FBI hack iPhone is validated by ‘WannaCry’ attack - BishopD
http://bgr.com/2017/05/15/wannacry-ransomware-apple-ios-tim-cook/
======
flexie
The damages caused by US agencies* are easily underestimated. It's not just
the equipment rendered useless and data lost due to their software. It's also
the millions of hours spent by IT departments worldwide battling with infected
computers and securing not yet infected computers. Damages are easily in the
tens of billions of USD.

And then there is the loss of credibility of the US government and the
companies involved.

*Edit: FBI changed to US agencies.

~~~
simonh
The recent hacks used NSA tech, the FBI had nothing to do with it. The OP is
generalizing that un-closed vulnerabilities in the hands of any government
agency are an unacceptable risk, which I agree with, but let's put the blame
for the current issue where it belongs.

~~~
flexie
Agree and edited, although it really is two units under the same government -
and that's where the blame belongs.

------
smoyer
I'm generally in favor of everyone's computer working but I think it would be
wonderful if the WannaCry malware infects the NSA to the point they're shut
down for a week or two. I don't know if I'll call it karma but they should at
least share some of the pain. If it hadn't been the health-care system, I
would have been cheering for the compromise of any of the five-eyes partners
as well.

Note to the NSA/CIA - I want to cheer for my government, to be proud to be an
American (even the U.S. variety) and it would be wonderful if the U.S. could
return to being viewed as "the good guys". I'm not sure that type of
patriotism will ever return.

~~~
ApolloFortyNine
It concerns me more that the UK's healthcare system runs on a no longer
supported operating system. Something that important should be kept up to
date.

The UK's NHS computers were running Windows XP (which was EOL).
[http://www.telegraph.co.uk/news/2017/05/12/nhs-hit-major-
cyb...](http://www.telegraph.co.uk/news/2017/05/12/nhs-hit-major-cyber-attack-
hackers-demanding-ransom/)

Otherwise, the patch to fix the security flaw was released back in March
before it was a real problem. There will always be holes in software, it's
important to have a system in place to patch them in a timely manner.

~~~
DanBC
"only" 5% of the computers are running XP, which is an improvement driven
through after a report given to Hunt last year about the risks of old IT.

It wasn't just affecting XP machines, it was affecting other machines if they
hadn't been patched.

[http://www.bbc.co.uk/news/uk-39918426](http://www.bbc.co.uk/news/uk-39918426)

> We know there have been warnings before about IT security in the NHS - last
> summer a review said it needed looking at.

> But the problem is that over the last three years the capital budget - which
> is a ring-fenced fund used to pay for buildings and equipment - has been
> raided by the government to bail out day-to-day services, such as A&E.

> Last year a fifth of the capital budget was diverted.

> That, of course, makes it more difficult for trusts to keep their systems up
> to date.

EDIT: Here's a better post
[https://www.instituteforgovernment.org.uk/blog/nhs-cyber-
att...](https://www.instituteforgovernment.org.uk/blog/nhs-cyber-attack-about-
more-old-computers)

> One of the problems with digital government is reforming the technology
> infrastructure which underpins its services (‘legacy’). There has been much
> speculation about how the continued use of Windows XP operating systems
> within the NHS contributed to the cyber-attack. Although only 4.7% of NHS
> devices use Windows XP, these are spread across 90% of trusts. Computers
> that have not been updated with Microsoft’s latest software were susceptible
> to the ransomware. Meanwhile, NHS legacies are further complicated by the
> patchwork of contracts across trusts. This digital fragmentation is in
> keeping with the scale of fragmentation within the NHS itself.

~~~
ApolloFortyNine
> it was affecting other machines if they hadn't been patched.

My point is mission critical software should always be up to date. To go
months without installing the update on important systems is unacceptable. It
doesn't matter who originally released this exploit, exploits routinely become
available. It's about fixing them in a timely manner when they appear.

------
ikeboy
This is a shallow, incorrect argument.

As a reminder, a custom version of iOS is absolutely useless without the means
to get it onto a device. In fact, it's possible and relatively cheap for a
talented team to make that custom version without Apple's help.

That means is a key held only by Apple, needed to sign software before it can
run on any iOS device. Apple uses this key every single time any iOS device
around the world is updated- a nonce is generated on device, sent to Apple,
signed along with the firmware, then verified on-device before it allows the
new software to run.

Creating the software may have been work for Apple, but would not contribute
in any way to making phones less safe. Signing a piece of software inside
their own premises for a particular nonce and device ID can likewise not be
used to make any other device unsafe. This is a process Apple does many times
a day, whenever any device updates.

~~~
Matt3o12_
If the started that, local law enforcement companies would also ask to have
their govOS signed by apple to be installed on a particular device. How do you
make sure that a) the link from the local law enforcement branch is authentic
and has not been compromised, b) make sure that the person requesting such an
update is actually authorized to do so (and not just some criminal how gained
access to the law enforcement computers).

Not matter what you do, there is still a very good chance that somehow
unauthorized people get access to sign an OS for any of apple's devices device
they want. It might not result in such a huge attacked but nonetheless, there
is still damaged to be done.

~~~
ikeboy
The right answer here is they need a valid writ from a court, just like the
FBI had.

We don't have much of an issue with criminals getting wiretaps through faking
subpoenas to phone companies (although I did find
[https://arstechnica.com/tech-policy/2017/03/feds-brooklyn-
pr...](https://arstechnica.com/tech-policy/2017/03/feds-brooklyn-prosecutor-
forged-judges-signatures-to-wiretap-lover/) when searching.)

Note that I'm not arguing that Apple should have complied, that the court
should have said a particular thing, or anything like that (did enough arguing
last year when the case was going on). All I'm saying is the comparison is
invalid, and the author doesn't know the technical details and is therefore
wrong.

------
davidf18
The reason the attack happened to including British National Health Service
hospitals was because they didn't follow manufacturer's instructions (in this
case Microsoft) and upgrade their Windows XP software to Windows 10.

The only people to blame are those that don't follow manufacturers
instructions.

They were warned ahead of time. There were even news reports about this.

Target and Home Depot both had credit card hacks precisely because they did
not follow manufacturer (again Microsoft) instructions of upgrading Windows XP
embedded to a supported version of the OS.

I don't understand how hospitals can get accredited if their IT systems are
not up-to-date and verified by cybersecurity experts. Since the companies and
the NHS can't be counted on to follow manufacturer instructions, this is
extremely important.

May 11, 2017: British Medical Journal: The hackers holding hospitals to ransom
- Hospitals need to be prepared to avoid shutdowns
[http://www.bmj.com/content/bmj/357/bmj.j2214.full.pdf](http://www.bmj.com/content/bmj/357/bmj.j2214.full.pdf)

Also: Hospital accreditation [http://www.uktreatment.com/why-the-uk/hospital-
accreditation...](http://www.uktreatment.com/why-the-uk/hospital-
accreditation/)

EDIT: The computer systems are capital equipment and like any other form of
capital equipment (eg, vehicles in the motor vehicle pool) they must be
maintained. Complex machines undergo changes over the life of the equipment
and manufacturers issue updates (eg, field change orders) that should be
followed by the purchasers of the equipment.

Regarding proper cybersecurity, that would include hardware upgrades since
later Intel CPUs incorporate hardware that assist with proper security that is
taken advantage of by later versions of the Microsoft OS.

The problems of hospitals both in the US and in Britain were because of a
refusal to follow the manufacturer's (Microsoft's in this case) instructions.

Those familiar with the hacks of Target and Home Depot would know that they
were hacked because Target and Home Depot refused to follow Microsoft's
instructions to upgrade their point of sale software from _unsupported Windows
XP embedded_ to a later, supported version of the OS.

~~~
ajross
> The reason the attack happened ...

A reason. Real events have lots of root and proximate causes. MS could also
have avoided writing the bug, or discovered it themselves with better
auditing. NHS could have disabled SMB on systems that don't use it, or
otherwise firewalled it.

And, of course, the NSA could have disclosed the bug when they found it
instead of hoarding it. Or better protected their tools from theft. Or the
Shadow Brokers could have better audited their disclosure to avoid spilling
active hacks into the public.

Almost all of these things were required to get to where we are, and all of
them are "simple and expected" from at least someone's perspective.

Lots of blame to go around, basically.

~~~
davidf18
> "A reason. Real events have lots of root and proximate causes. MS could also
> have avoided writing the bug, or discovered it themselves with better
> auditing. NHS could have disabled SMB on systems that don't use it, or
> otherwise firewalled it."

No machines are built perfectly from the start and there are changes made over
the capital equipment's life be it airframes, jet engines, or computer
systems.

When purchasing capital equipment or buildings, bridges, etc, part of the
responsibility of the firm is to follow the manufacturer's or builder's
instructions and including maintenance upgrades. In the case of Microsoft,
they gave warnings for years that the Windows XP software would not continue
to be maintained.

The issue was not Microsoft, but NHS (and other governments, firms) decisions
not to budget for and perform maintenance for the capital equipment that they
purchased.

------
DarkKomunalec
His refusal was already more than validated by acting as a safeguard for
privacy.

~~~
panzer_wyrm
Not sure how much apple care about my privacy when they force the phone to
call home after factory reset and using it as a dumbphone and blackmail you to
provide a valid credit card before installing any free app...

If you care about privacy you don't collect data on your users.

~~~
pjc50
> force the phone to call home after factory reset

Sounds like a useful anti-theft measure?

~~~
panzer_wyrm
Yes. Banning cash and making every transaction public without bank secrecy is
great anti money laundering measure But we are talking privacy. Privacy means
also privacy from the vendor. It is almost impossible in iOS.

~~~
petre
People ate already "laundering money" using cryptocurrencies, so banning cash
won't fix anything. It will just make it easier for the government to _take_
the taxes directly out of your account. And then invent some new taxes, until
you will have to resort to "money laundering" yourself to make ends meet.

------
easilyBored
If two people know one secret is one to many. How many people in USA work for
the FBI, CIA, NSA, police departments, have top secret security clearances?
Millions of them. One is all it takes, as shown by Snowden, Manning etc.

So thanks, but no thanks.

~~~
tomschlick
> How many people in USA work for the FBI, CIA, NSA, police departments, have
> top secret security clearances? Millions of them.

To be fair, the number of people who had direct access to the NSA/CIA exploit
archives was probably in the hundreds. TS information is usually
compartmentalized so only the people who need to access it can (known as TS-
SCI).

Still bad that they have that many who can access it, but not in the millions.

~~~
easilyBored
Turns out I'm right. I thought about the military and contractors as well. _"
A Top Secret clearance, meanwhile, costs the government nearly 20 times more,
at an average of $3,959 per background check. At that rate, investigating the
1.5 million people with Top Secret passes may have cost as much as $5.9
billion over several years. _ [https://www.washingtonpost.com/news/the-
switch/wp/2014/03/24...](https://www.washingtonpost.com/news/the-
switch/wp/2014/03/24/5-1-million-americans-have-security-clearances-thats-
more-than-the-entire-population-of-norway/)

"As of last October, nearly five million people held government security
clearances. Of that, 1.4 million held top-secret clearances. More than a third
of those with top-secret clearances are contractors, which would appear to
include Mr. Snowden."
[https://www.wsj.com/articles/SB10001424127887323495604578535...](https://www.wsj.com/articles/SB10001424127887323495604578535653583992418)

Now we can get into semantics until the cows come home but even tens of
thousands of people are way too many. Imagine 1+ million people.

~~~
jpitz
A TS clearance isn't some magical pass card to every piece of TS information.

~~~
easilyBored
I know you can't walk to NSA HQ and demand to see everything that they have in
TS but Snwoden and Manning case showed that stuff isn't that compartmentalized

------
kevindqc
Couldn't Apple have updated the phone with an iOS that bypasses the
verification, then destroy that iOS installer? Then the FBI can access the
phone, but they don't have access to the OS, so they can't use it on other
phones?

~~~
sigmar
>then destroy that iOS installer

You can't do that in forensic investigations. Everything that is done to the
phone needs to be verifiable to prove evidence wasn't planted. And besides,
the FBI was more looking to set a precedent for future investigations than it
was concerned about that one phone.

~~~
londons_explore
Apple has designed both server side and client side keystores to now be
resistant against "future evil Apple".

Basically, even apple the company now can't break into their phones with
software updates. The phone requires an erase or user unlock to update. It's
scary because now apple can't even fix bugs in certain parts of the system
without erasing user data.

------
hardlianotion
I do think that someone needs to have a good go at suing these exploit
hoarders.

~~~
Eric_WVGG
I'm not sure what you mean by "exploit hoarders," but that got me thinking.
[edit: ah, thanks]

Institutions weigh costs, and somewhere these hospitals decided that having
unmaintained, aging information systems, was more cost-effective than either
maintaining or upgrading the systems.

Thus, problems like this will not go away until NOT-fixing the systems is more
expensive than fixing the systems. So what does that take? Fines?

Irony alert: the hospital that ignores aging systems and hopes that they never
get hacked are not at all unlike people who lack health insurance and hope
they never get injured or sick.

~~~
hardlianotion
I meant the NSA in this case, but I agree there is are problem organisations
with data protection responsibilities that do not prioritise them highly
enough.

------
noblethrasher
Of course, this doesn't end the negotiations, it just means that that privacy
advocates have just gained a bit of leverage. Now, how do they use it?

------
kolbe
Gotta love a government that stockpiles exploits to use against citizens (them
loses them), rather than shares them with companies to protect citizens.

------
neves
My Company lost a lot of money due to WannaCry. Should I sue the USA Gov?

------
albertini_89
another article bullshitting, yeah, coz no one is doing it already... great!

------
draw_down
That whole story stunk anyway, we still don't know if the FBI withdrew the
request because they just found some other way into the device that they
wanted to access. So forgive me if my first thought in the midst of all this
chaos is not to praise Tim Cook's name.

~~~
ceejayoz
> we still don't know if the FBI withdrew the request because they just found
> some other way into the device that they wanted to access

We do know that. It's public knowledge. The iPhone 5C didn't have Secure
Enclave (later iPhones did), so it was crackable in another way (that more
modern iPhones can't be).

[https://www.washingtonpost.com/world/national-
security/fbi-p...](https://www.washingtonpost.com/world/national-security/fbi-
paid-professional-hackers-one-time-fee-to-crack-san-bernardino-
iphone/2016/04/12/5397814a-00de-11e6-9d36-33d198ea26c5_story.html)

[https://www.washingtonpost.com/news/post-
nation/wp/2016/04/0...](https://www.washingtonpost.com/news/post-
nation/wp/2016/04/07/fbi-director-says-method-for-unlocking-san-bernardino-
iphone-only-works-on-narrow-slice-of-devices/)

------
bostand
BGR logic strikes again. There is a world of difference between a backdoor and
an exploit...

Neither is desirable but one can at least be secured by a key or something.

~~~
kardos
A hoarded vulnerability and a hoarded backdoor key are difficult to
distinguish is this context, ie, leaking of either results in the same
catastrophe.

~~~
ikeboy
Apple already has a backdoor key which they use every single time any iOS
device needs to update. The FBI wasn't asking for the key, they were asking
for the key to be used to sign one update. That signature would inherently
have only worked once, as it includes a nonce and device ID.

