
FBI’s Comey Concedes Mistake Was Made Over iPhone in San Bernardino Case - gist
http://www.wsj.com/articles/fbis-comey-concedes-mistake-was-made-over-iphone-in-terror-case-1456862127
======
Zizzle
"During his testimony today, Comey dismissed the notion that Apple’s
assistance in the San Bernardino case would impact other phones, reiterating
his belief that any code Apple created to help in this case would only work on
Farook’s phone."

And that belief is based on what exactly?

Apple has being saying the opposite. Apple doesn't know it's own code? FBI
knows it better.

~~~
jonlucc
It's true, but very narrow, I think. FBI means that Apple could sign the
update to only work on that phone. Apple means that once the compromised
version of the OS is built, the only thing stopping it from being widespread
is changing the device id check code to other phones or taking it out
entirely.

~~~
tfinniga
Right. If you look at it from a security point of view, once the compromised
OS is created you've created a much more valuable and vulnerable target for
hacking.

Let's say that some attacker wants to create a compromised OS and install it
on a certain device.

If apple never creates the compromised OS, they would need to hack into apple,
get all of the source code necessary to build iOS, figure out how to build it,
figure out how to modify it in the desired ways, how to get it installed on a
phone, steal the crypto keys necessary to do the signing, and sign the bad
build.

If apple has created the compromised OS, they would just need to hack into
apple and get the compromised OS build, steal the crypto keys, and sign it.

The first scenario is a large-scale software engineering project. Anyone
that's been given a large source dump will tell you that it's horrible and
takes forever to do anything, and iOS is going to be absolutely huge and
tricky. You'd need a large, highly trained team of security/OS devs, which is
hard to come by and would be extremely expensive.

The second scenario could conceivably be done by a single hacker, if they can
find vulnerabilities in apple's security.

~~~
rtpg
Except digital signing makes the compromised OS totally and utterly useless
for other phones. Changing the OS would cause the signature check to fail.

And if you can get around the digital signage, you don't need the compromised
OS.

Conway's technical interpretation of the Apple deliverables is right. There's
a legal precedent which could cause reuse (and is rightly matter for
debate/utter refusal of the FBI position), but if you just debate the
technical merits Apple has been very misleading about the consequences.

~~~
simonh
For this one case you're right because the FBI will allow Apple to lock the
special OS build to this device's ID. The problem is if the FBI can force
Apple to create a special build to order, with features specified by the FBI,
they can also be ordered by the FBI to create an OS build that isn't locked to
one device. And if the FBI can make them do this, so can any law enforcement
or government agency capable of finding an amenable judge, such as say the
CIA, the DEA, the NSA, or any random public prosecutor. THAT is the problem.

~~~
mistermumble
Not to mention that once this is done in the US, what is to prevent other
governments in countries where Apple does business to compel Apple to do the
same?

China (or Russia or Germany or whoever) could force Apple to backdoor phones
used by CIA informants in that country.

~~~
fredsir
And the fact that who is to assure that Apple doesn't leave one or multiple
bugs around that makes the compromised OS not so tied to a single device as
they meant it to be?

It's a ticking bomb, man.

------
alblue
I sat through the YouTube presentation (which is available at
[https://www.youtube.com/watch?v=g1GgnbN9oNw](https://www.youtube.com/watch?v=g1GgnbN9oNw)
if you have four hours to spare). In general the discussions were quite well
presented, apart from a couple of rabid questioners suggesting that public
security trumped any one individuals' right to personal security.

I've written up a summary of the hearings at InfoQ here:
[http://www.infoq.com/news/2016/03/apple-fbi-
congress](http://www.infoq.com/news/2016/03/apple-fbi-congress)

The general responses from Apple were that it wouldn't be possible to write
this just for one phone; that once the FBiOS was available for one it would be
available for any phone. Dr Landon also highlighted the fact that most people
now use their phones as part of a two-factor authentication, and that the
easiest way to break into a system (such as the IRS leak) is to compromise
login credentials. The fear is, therefore, that once pandora's box is opened
that the operating system would be installable on any device and thus
potentially give access to any state actor to any account simply through
device compromise.

The entire hearing was very well laid out, though in a few cases Apple's
witnesses weren't quite as fluid as the FBI's.

The congress members have five days to ask additional questions, after which
presumably a report will be made. More information is available at the House
page here:

[http://judiciary.house.gov/index.cfm/2016/3/the-
encryption-t...](http://judiciary.house.gov/index.cfm/2016/3/the-encryption-
tightrope-balancing-americans-security-and-privacy)

~~~
evincarofautumn
It’s fascinating to me how many laypeople are saying “public security is
important, therefore we should unlock the phone” while many technologists are
saying “public security is important, therefore we should _absolutely not_
unlock the phone”.

~~~
alanwatts
>We’ve arranged a society based on science and technology, in which nobody
understands anything about science and technology. And this combustible
mixture of ignorance and power, sooner or later, is going to blow up in our
faces. Who is running the science and technology in a democracy if the people
don’t know anything about it?

-Carl Sagan

------
matt_wulfeck
> “If I didn’t do that, I ought to be fired, honestly,”

There is a serious problem here. If you ask me any government official who
forces a backdoor down the throat of a private company ought to be fired, yet
he believes he should be fired if he DOESN'T do it.

There's a very big divide happening right now in the US. This is going to be a
rough time.

~~~
chongli
I disagree. The FBI's job should be to pursue any and all opportunities at
gathering evidence for its cases, within the bounds of the law. It is the job
of the courts to sketch out those boundaries by interpretation and precedent.
If everything is working properly, the courts will decide that the All Writs
Act does not grant the Government this power. Then this matter will be settled
and the FBI will have to find some other avenue.

Looking at it from the other angle, I think it's a bad precedent if the FBI
were to refrain from pursuing an avenue which it believes it may have legal
standing to pursue. At that point, it runs the risk of a downward spiral of
second-guessing and apprehension.

~~~
dredmorbius
Consider the Geneva Convention. It's _every_ combatants' obligation to see
that the Convention's requirements are upheld. Disobeying direct orders to the
contrary is a requirement.

This ... creates certain elements of friction and pressure.

~~~
AnkhMorporkian
In no world can the FBI be viewed as 'combatants.' They're a civilian law
enforcement agency, and the Geneva convention definitely _does not_ apply to
them. Ethically, yes, they shouldn't be doing this, but we can't pretend rules
of war apply to a civilian agency with 0 role in combat.

~~~
adventured
The parent comment was not making that comparison. They were not trying to
imply that the FBI is a combatant on a battlefield. It was meant to be an
example of friction caused by multi-directional pressure (in the FBI's case,
to strictly obey the law and yet to be aggressive in solving crimes by any
means within the law).

~~~
AnkhMorporkian
I guess I'm confused then, because that's precisely what the FBI is doing, and
that's exactly what the grandparent comment is doing. The FBI didn't try to
side-step the courts, it brought it to them directly and is indeed strictly
following the law.

~~~
matt_wulfeck
> it brought it to them directly and is indeed strictly following the law

If this is your definition of "strictly following the law" imagine yourself in
a scenario where the FBI brings a lawsuit against you: risk going to court,
losing, and going to jail, or hiring a lawyer and fighting something with
dubious constitution grounding.

There are so many different ways to lose when the FBI plays this game against
private companies or individual. They sue you because they want to put you in
jail, not clarify the law.

If you're a strongly opinionated CEO of a company with a war chest you fight
it and at the very least stay out of jail. If you're the CEO of a small
ISP/web hosting company you suck it up, do what they say, and follow the gag
order.

~~~
AnkhMorporkian
What would you propose then? Obviously someone needs to fight the law
enforcement agents making these requests; we can't just tell the FBI "you just
have to follow the law exactly as it's written, you can't challenge anything"
because that would _severely_ tie its wrists.

I do agree it's not quite fair to put defense costs on the company/individual
that needs to fight it, but the alternative I can think of is a public
defender type system that I don't think many people would be happy with for
corporations.

~~~
Zigurd
> _" you just have to follow the law exactly as it's written, you can't
> challenge anything"_

Isn't that what we expect from all people and institutions? moreover, we
expect the people to be in control of "challenges" to the laws, and the laws
themselves. Much of what's wrong with government comes from government
creating self-serving laws.

~~~
AnkhMorporkian
Laws are rigid and don't keep up with the changing times. You might argue that
that's the government's fault for not passing new laws, and that's a fair
point. However, the judicial has set a precedent over the past 200 years or so
of interpreting laws to fit with changing circumstances. Given that's the
case, it's hard to blame the FBI for taking advantage of that.

The laws are what the courts interpret them to be; no more and no less. Like
it or not, strict interpretation is a fantasy and has been since the late
1700s.

------
criddell
> During his testimony today, Comey dismissed the notion that Apple’s
> assistance in the San Bernardino case would impact other phones, reiterating
> his belief that any code Apple created to help in this case would only work
> on Farook’s phone.

I hate this kind of willful ignorance. That update, if properly signed, will
work on similar phones. The software is distinct from the signing and it's the
software that Apple doesn't want to create.

Or maybe Comey believes that every time his phone is updated, an engineer in
Cupertino lovingly arranged the bits for him.

~~~
macintux
Artisanal bit wrangling. As a service.

------
studentrob
Manhattan District Attorney Cyrus Vance sums up the DOJ's position quite
succinctly. Emphasis added

> "Apple has created a technology which is default disk encryption. It didn't
> exist before. It exists now. Apple is now claiming a right of privacy about
> a technology that it just created. _That right of privacy didn 't exist
> before Apple created the technology._" [1]

Wrong. The first and fourth amendments grant rights to privacy. The exact
transcripts of what we say in the privacy of our homes, prior to a warranted
wiretap or without witness testimony, are not the subject of law enforcement's
investigation. Our entire history of digital communications should not be open
for government surveillance. It would be overreach to try to implement, and
anyway it is impossible to guarantee without destroying the US tech industry
and turning us into a big brother state.

[1]
[https://youtu.be/g1GgnbN9oNw?t=4h46m22s](https://youtu.be/g1GgnbN9oNw?t=4h46m22s)

~~~
russell_h
The fourth amendment specifically requires a warrant to violate someone's
privacy. In all of the cases at hand a warrant has been issued.

There really isn't a fourth amendment issue.

~~~
studentrob
You're right, and thanks for correcting me.

I do still disagree with the District Attorney's statement. We can write
something on a piece of paper and burn it, or think something in our heads,
and keep it private. That this is now possible with digital communications via
encryption is not a new right, it is simply a new means to protect that right.
Further, Apple didn't invent encryption, and this statement further shows how
little the DOJ understands about technology.

~~~
wjy
Vance seems to be confusing the right to privacy with the ability to actually
enforce it. Apparently, a "right" to privacy is all well and good, as long it
can be casually violated and a warrant served later. As soon as the mechanism
protecting your privacy has real teeth, then it's a problem.

------
bsirkia
"Oh wait, our attempt create a backdoor to every private citizen's iPhone,
using a single terrorism case as a trojan horse, has been discovered? Oops
sorry but we still need those backdoors."

It also amazes me he thought it was a helpful metaphor to say that the FBI
doesn't want a backdoor, just for Apple to take the “vicious guard dog away”
and “let us pick the lock.” I think every American would prefer having a guard
dog protecting their personal property and data than just let these liars pick
the lock.

~~~
illumin8
The vicious guard dog metaphor is very poor, most likely planned to
intentionally confuse non-technical people.

The reality is that he is asking Apple to weaken the front-door to the point
where an average attacker can open it with a paper clip.

------
studentrob
Comey also said,

 _They [Apple] sell phones, they don 't sell civil liberties, they don't sell
public safety, that's our business to worry about._ [1]

He thinks public safety is entirely his domain and private companies cannot
help people keep themselves safe. That's as bad as "self-made" business owners
who cannot see that roads and infrastructure helped make their businesses
successful and cry socialism whenever taxes are levied.

[1]
[https://youtu.be/g1GgnbN9oNw?t=3h16m18s](https://youtu.be/g1GgnbN9oNw?t=3h16m18s)

~~~
alanwatts
As technology has become more and more pervasive in society the role of
security, at least in the preventative sense, has fallen more and more on the
people who make the technology.

------
jonlucc
Does anyone know what happens if Apple loses engineers over this? Not that
it's likely, but I could see someone saying "I came here to build secure
systems, not break them". Does the government bear costs to replace or
retrain? If enough quit, can the government compel them to stay to complete
the task?

~~~
rplst8
This is an excellent question. Congressman Darrel Issa had some great
questions about this during today's hearing. Basically he hinted at the fact
that how far can the government go to ensure they did their job correctly.

------
eganist
"We made a mistake, but you must still help us!"

You know, the sad part about this (paraphrased) quote is that it'll probably
be used as justification by the California court system to rule on this case
specifically rather than on the circumstance more broadly. I wonder if that's
Comey's strategy in admitting the error.

------
gist
Non paywalled:

[https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&c...](https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0ahUKEwjM3KGNtqDLAhXBFT4KHYnGDGoQqQIIHjAA&url=http%3A%2F%2Fwww.wsj.com%2Farticles%2Ffbis-
comey-concedes-mistake-was-made-over-iphone-in-terror-
case-1456862127&usg=AFQjCNFGornE8LJjU8ejqSqETEo3o4FwfQ&cad=rja)

~~~
dclowd9901
Is there some reason this doesn't work for me?

~~~
xerophyte12932
Works for me. The "article" is super short anyway. The walled part barely adds
anything

------
thecosas
The Congressional hearing is happening now:
[http://www.c-span.org/networks/?channel=c-span-3](http://www.c-span.org/networks/?channel=c-span-3)

------
ibejoeb
Lots of interesting stuff in this session.

"We are a rule-of-law country. The FBI is not cracking into your phone or
listening to your communications except under the rule of law," says Comey
(1:37). I suppose that's the NSA's job...

[https://www.youtube.com/watch?v=g1GgnbN9oNw](https://www.youtube.com/watch?v=g1GgnbN9oNw)

------
Cheezmeister
TL;DR: "Yadda yadda terrorists something something guns kill people blah blah
blah think of the children yadda AMERICA."

Truly, I'm getting weary of all the nearly-identical news of Uncle Sam's
assault on digital privacy. If the strategy is to desensitize and wear down
the US populace, it's working.

------
draw_down
This seems a bit more complicated than simply saying they made a mistake,
though. If they didn't do this, someone who knew the password could have wiped
the backups or changed other info, and then everyone would be yelling at the
FBI for not having the employer change the password. So it's a choice between
potentially leaving the device/backups open to tampering, and whatever the
hell the situation is now.

------
jfoster
I'm putting on my pragmatism hat.

I can't understand why Apple are fighting this. They're essentially forcing
the government into resorting to legal mechanisms that will have longer term
impacts.

It's pretty clear to nearly everyone that this phone belonged to someone who
committed a terrorist attack. The data on it may prove useful in preventing
future attacks. If Apple were being cooperative, they could create the
mechanism to get the data off the phone, have the FBI hand over the phone so
they could do that for them, (optionally) delete that version of the OS if
there's a problem with it even existing, and no legal precedent would be set.
The question of whether the FBI should be able to compel them wouldn't arise,
because they would have been cooperating off their own accord.

If the FBI asks them to do this to the iPhone of someone who is more likely to
be innocent, perhaps then this debate should be had. For now, they have the
means, can do it without setting a precedent, have a pretty good reason to do
it, and can do it in isolation. They should just do it, in my opinion.

~~~
mpeg
I don't think the FBI can or will hand over the phone, that would compromise
their entire investigation.

Besides, once the software exists and is signed by Apple, it's very hard to
prove that all copies have been deleted.

~~~
jfoster
It's difficult to imagine this recovery operation could happen if Apple never
get access to the phone. Perhaps they could have representatives from both
Apple & FBI present.

Proving all copies are gone isn't possible; you can't prove non-existence.
Ensuring extreme unlikelihood seems relatively straightforward, though. Make
fewer copies, trusted personnel only, isolate the development to a particular
location with no network access, etc. Naturally there'll be a risk that a copy
survives, just as there's a risk that a contingent of rogue Apple employees
are already working on it for the FBI.

------
nightpool
I feel like all of this talking about a "hard drive" that transports the tool
around is a little specious—aren't Apples firmware updates signed? And the
update itself would be IMEI locked?

The issue here isn't the reusability of the _technology_ —the issue is the
reusability of the legal precedent. And this is certainly a very scary
precedent to set!

~~~
X-Istence
Apples updates are signed, but they are not locked to a particular IMEI.

~~~
nightpool
Right, but the FBI has indicated that they would like this particular one to
be, to add some amount of code that would render it non-functional when put on
another device. (and certainly from a security perspective that would be the
correct choice to make)

~~~
acqq
"Comey told a congressional panel on Tuesday that a final court ruling forcing
Apple Inc (AAPL.O) to give the FBI data from an iPhone used by one of the San
Bernardino shooters would be “potentially precedential” in other cases where
the agency might request similar cooperation from technology companies."

[http://www.reuters.com/article/us-apple-encryption-
congress-...](http://www.reuters.com/article/us-apple-encryption-congress-
idUSKCN0W33G7)

"Manhattan District Attorney Cyrus Vance testified in support of the FBI on
Tuesday, arguing that default device encryption "severely harms" criminal
prosecutions at the state level, including in cases in his district involving
at least 175 iPhones."

~~~
nightpool
Exactly—this _completely_ agrees with my top level comment. Its not the
technology we should be worrying about (although of course apple should be
closing the vulnerability that allows the FBI to compel them to help decrypt
this phone) but the more important—and scary—thing we should be worrying about
here is the legal precedent that this case sets.

------
DavideNL
One important fact(1) i haven't heard in the entire hearing:

(2)The FBI wants 3 things: disable 'erase after 10', disable delay between
attempts, create possibility to enter PINs programmatically so they can be
brute forced.

(1) If this would be created, criminals/terrorist could easily defeat this by
(instead of 6 digits) enabling alphanumeric passwords and creating strong
passwords that cannot be brute forced (which isn't even a usability problem
since you can easily unlock your iPhone with your fingerpint most of the
time.)

So the end result of (2): security is lowered for 99% of all people (innocent)
and criminals/terrorist (1%) can still easily avoid being caught by this
measure.

------
lowpro
If anyone watched the entire hearing today, Personally I was astounded by the
misunderstandings of both the director and everyone asking the questions, it
seemed that only one or two of them understood what Apple was trying to say in
a technical sense.

~~~
DavideNL
Exactly, i was suprised about this also. Even at the end of the hearing the
same 'stupid' questions were asked over and over, by which it became clear
they still didn't understand the basics.

------
PascalsMugger
He seems to be suggesting that the FBI (and maybe law enforcement in general)
is in charge of deciding what our civil liberties _are_. They've simply
decided there's no right to create an unlockable lock, when there's clearly no
law or part of the constitution that indicates that. But since they think
they're in charge of civil liberties, they've decided by fiat.

------
chatmasta
I appreciate that Professor Landau emphasized the "arms race" between
companies securing their systems, and adversaries breaking them. Companies
push software with bugs, adversaries exploit the bugs (and hopefully
responsibly disclose them), then the company patches the bug and pushes a new
update.

Any iPhone <5 running iOS <8 is comically exploitable. This should drive home
the point that as time progresses, older vulnerabilities become easier to
exploit, so that leaving them unpatched becomes irresponsible.

If the FBI asks Apple to create new software to grant the FBI the ability to
unlock the phone, they are effectively asking Apple to exploit a vulnerability
in their software. By definition, Apple will know that vulnerability exists.
In the "arms race," when Apple identifies a vulnerability, they fix it. In
this case, when Apple identifies the vulnerability, will the FBI allow them to
fix it? Or would the FBI prefer that Apple have a responsibility to "maintain"
the vulnerability and ensure it remains exploitable?

------
studentrob
I'd love to see a transcript [2], or list of participants [4] and find out
which representatives present lean towards Apple or towards the FBI.

I skipped around the video. I mostly saw support for Apple, with a few
exceptions, one being Mr. Sensenbrenner.

Mr. Sensenbrenner, a House republican of Wisconsin, asked Apple what
legislation they would support, and Mr. Sewell, Apple's general counsel, said
they support debate on the subject [1]

The congressman was clearly bullying Mr. Sewell here and using his position as
congressman to make it appear as though Apple is not being agreeable. Well,
encouraging debate before writing one-sided legislation sounds like great
teamwork to me.

The congressman should have been reminded that _not_ supporting new
legislation is a valid position, and that every problem we face need not be
solved with new laws.

Perhaps Mr. Sewell is trying to be respectful to the congressman. But I think
he should not shy from responding in kind. Treat others as they treat you. No
one will judge you for it. I think Apple missed an opportunity here to say
they do not feel new legislation is needed, since guaranteeing back doors into
devices would be an abridgement of consumers' right to privacy, and Apple's
right to create safe products for consumers as it sees fit.

Overall though this seemed like a productive session.

Mr. Gowdy, a House republican of South Carolina, also bullies Sewell in the
same manner [3], literally asking Apple to _lobby for_ legislation.

In other words he is saying, get some lobbyists, do my work for me, pay for my
next election campaign and solve your own problem. I don't know how you could
be more blatantly obvious about being a corrupt, useless politician.

[1]
[https://youtu.be/g1GgnbN9oNw?t=3h59m30s](https://youtu.be/g1GgnbN9oNw?t=3h59m30s)

EDIT transcript here, though no speaker names are given and quotes are cut
short

[2] [http://www.c-span.org/video/?405442-1/hearing-encryption-
fed...](http://www.c-span.org/video/?405442-1/hearing-encryption-federal-
investigations)

[3]
[https://youtu.be/g1GgnbN9oNw?t=4h36m35s](https://youtu.be/g1GgnbN9oNw?t=4h36m35s)

EDIT list of participants:

[4] [http://pastebin.com/raw/rHqYpv3g](http://pastebin.com/raw/rHqYpv3g)

------
eastern
Read that as FBI's Comedy

------
dmitrygr
NON PAYWALLED: [http://news.yahoo.com/fbi-chief-admits-mistake-iphone-
wake-s...](http://news.yahoo.com/fbi-chief-admits-mistake-iphone-wake-san-
bernardino-203036523--abc-news-topstories.html)

~~~
kencausey
There is another choice which is to click the 'web' link under the title above
which does a Google search for the title. Nearly always at the top of the
Google search the article will appear and through that route you will get the
entire article from many paywalled news sites, including WSJ.

~~~
hmahncke
WSJ closed this[1]; web link here finds the article in google which still hits
the paywall.

[1][http://digiday.com/publishers/wall-street-journal-paywall-
go...](http://digiday.com/publishers/wall-street-journal-paywall-google/)

~~~
levemi
This is fixed in Google Chrome by opening up the console in Web Enspector, and
enabling Network conditions from the three dot menu and then in that new tab
select Googlebot as the custom user agent. Note that you will still have to
click on a google search link.

~~~
retromario
I wouldn't exactly call that a "fix", but still, thanks for the tip.

~~~
levemi
Once you've set it up once and figured it out it's easy to just to toggle it
the next time. It's definitely more work. I prefer this to installing a random
extension that can read all my data on all websites.

------
eridius
Anyone have a non-paywalled version? Going through Google isn't bypassing the
paywall.

~~~
crb
You now have to open an Incognito window and then paste into Google search to
bypass the WSJ paywall - I suspect they look at some login cookie to detect
humans.

~~~
eridius
Already tried that, it doesn't work. I think WSJ is A/B testing, closing the
loophole for some people and not others.

------
cdellin
I'm as strong a supporter of a citizen's right to encryption as anyone, but I
actually think that Mr. Comey's testimony was accurate and forthright, and his
framing of the issue of encryption as it relates to the capabilities of law
enforcement was appropriate and well-reasoned.

