Hacker News new | comments | ask | show | jobs | submit login
FBI Paid More Than $1M to Hack San Bernardino iPhone (wsj.com)
316 points by maibaum on Apr 21, 2016 | hide | past | web | favorite | 199 comments

Same article on the FT:


James Comey, director of the FBI, said on Thursday that the cost was “worth it”, but added that an accommodation needed to be made with Apple and other technology companies in the future, as paying outside technologists to find ways to access highly-encrypted messages on phones used by terrorist suspects was not “scalable.”

> was not “scalable.”

This is the same James Comey that said they just were just asking Apple for access to just that one phone.

Indeed. Americans need to wake up to the fact that these spooks simply cannot be trusted. The very concept of trust is alien to their culture. Would be nice of we could count on congress to provide adequate oversight.

It's amazing to me too that the very concept of an "unwarrantable" space is simply impossible to conceive.

Considering all communication is subject to eavesdropping the space they are wanting to access borders on the realm of private thoughts. And some day soon it just may exist in that realm.

> private thoughts


CGP Grey has a very good explanation of this situation.

Then contrast our potential inability to keep private thoughts with the fact that the government is allowed theirs by merely stamping Top Secret across a document.

I will be reporting this thought crime to the Ministry of Truth.

I don't disagree, but do some countries truly publicly accept unwarranted spaces? I can imagine most governments wouldn't really want to give up that ability if possible.

In some civilized countries, yes. Take eg. your brain (as an accused), a doctor, a lawyer. There are even countries respecting the sources of journalists...

...also military, law enforcement, and other government secrets.

It's always been this way and always will... neverending, necessary security "arms race."

That won't happen unless American voters want it. They don't want it, as evidenced by their not voting for it, so they won't get it.

This absurdly reductionist view of participatory politics comes up again and again. What are you trying to add to the conversation? Do you think that this notion is new? Or that the rest of us haven't considered it?

Instead of a pithy but pointless HN comment, let me suggest a book for you that might expand your thinking on this topic:


> absurdly reductionist view

> Do you think that this notion is new? Or that the rest of us haven't considered it?

> a pithy but pointless HN comment

> might expand your thinking on this topic

Just throwing it out there: http://paulgraham.com/disagree.html

It would be more helpful if you expanded on why it's a bad argument. Off the top of my head:

> They don't want it, as evidenced by their not voting for it, so they won't get it

Was there a vote on it? When exactly?

Here's a book about how election results can change people's opinions on topics. It applies here because X. I used to think Y, but it changed my thinking to Z. I'd highly recommend it.

Not that GP is any better, but hey... And to be fair, the guy is practically trolling, whether intentional or not.

You're right of course disagreement should be explained better.

But he is responding to a one-line meme whose only purpose is to establish learned helplessness and end discussion that massively oversimplifies a very complex issue and is essentially copy pasted in any article here that even touches on politics. It gets quite exhausting engaging, having long in depth discussion about how this view is overly simplistic on every single thread only to have it appear again tomorrow, exactly the same as before.

I think downvotes and silence is the correct move here.

You're right. I got a bit impatient there. This argument seems to come up again and again and no amount of reason and explanation seems to be able to overcome it, even to the point of convincing its adherents to read what others have said about it.

This notion ("the people get exactly what they vote for") goes back to Ancient Greece; it's not like its a novel topic.

I don't think it's that straightforward. It's hard to vote for something that doesn't come up for a vote. And it doesn't come up for a vote if the right people don't want it to come up for a vote.

"The people" aren't given the opportunity to vote on many things, yet the people they elect do vote. The people they elect often side with their supporters (especially financial ones) on issues that are important to said supporters. A candidate can use their NRA/pro gun status as part of their platform and it will have a meaningful impact on the turnout.

Logically if the US electorate cared even half as much about [topic x] as they do about guns - candidates would care too and "democracy" would follow... no?

(I'm not bashing the US, just taking gun control as an example where a passionate popular view is reflected democratically)

> Please avoid introducing classic flamewar topics unless you have something genuinely new to say about them.

What "it" can one vote for ?

“The relief we seek is limited and its value increasingly obsolete because the technology continues to evolve. We simply want the chance, with a search warrant, to try to guess the terrorist’s passcode without the phone essentially self-destructing and without it taking a decade to guess correctly. That’s it.

“We don’t want to break anyone’s encryption or set a master key loose on the land,” Comey continued. “I hope thoughtful people will take the time to understand that. Maybe the phone holds the clue to finding more terrorists. Maybe it doesn’t. But we can’t look the survivors in the eye, or ourselves in the mirror, if we don’t follow this lead. “

That's a lot of double-speak. They know that removing the timeout so they can try thousands of passwords per second opens up a huge security hole. What he's saying is "we want it both ways". We don't want to take away security for users, we just want to make it easier for someone who's not the owner of the phone to get into it.

The government owned the iPhone in question.

If the government org in question had followed iOS deployment best-practices, they would have already had sanctioned access to this phone.

Which is a bigger flag for mismanagement. If the phone had had device management software as most major companies provision, no hack would have been necessary.

But it didn't own the software, which is still patented and copyrighted by Apple, and merely licensed to end users.

So an EULA just protected people?

"The government" is not one organization.

That doesn't seem relevant unless there's a dispute over ownership, which there isn't.

Well reset it, and start downloading pictures of cats, what's the problem?

In what sense of ownership?

Public funds purchased the phone. I'm not sure what you mean?

"public funds" is not a single shared bucket of loot that everyone puts into. In this case it was a county owned device.

County governments are typically recognized incorporated organizations that have no real line of authority or connection with the federal government.

So no, the FBI or federal doesn't have some ownership claim that makes it ok to break into. As others point out they have basically seized the device from its owner in the course of investigation.

Unless the county was forced to hand it over, this is not relevant.

can you explain the comment on relevance a bit more? You said it twice but I'm not seeing your point.

Regarding the Director's double speak I think it is relevant. The FBI or federal government is still not the owner. Regardless of whether the device was seized or surrendered the property is still owned by the county.

> What he's saying is "we want it both ways". We don't want to take away security for users, we just want to make it easier for someone who's not the owner of the phone to get into it.

If they have permission from the owner, it's wrong to describe it as trying to get into "someone else's phone". There's no expectation of privacy in a government owned phone.

Who decides paying $1M to get access to a government owned device is appropriate use of public money though?

Why didn't they go through proper channels? Why did they reset the iCloud passwords? What steps have they taken to prevent this from happening in the future?

The FBI is doing a lot of hand waving and there is no accountability. Where are all those fiscal conservatives when we need them?

In my personal experience with an iPhone, it will not backup to iCloud without wifi and it will not connect to wifi without having the passcode entered at least once since boot. According to the government, the device was found powered off. If that is true, the iCloud backup would never have worked.

The government ran its own tests of the scenarios and found that to be true: https://www.scribd.com/doc/303759192/Declaration-by-Stacey-P... (paragraphs 37-39)

Apple's engineer's response left that assertion unchallenged (while challenging other stuff wrong with paragraphs 37-39, see his paragraphs 32-33): https://www.scribd.com/doc/304898553/SUPPLEMENTAL-DECLARATIO...

Of course, you can choose not to believe the government that the phone was found powered off (http://www.wired.com/wp-content/uploads/2016/03/Apple-govt-R...), but I think you'd have to pick and choose what you're willing to believe and not believe from what the government have said.

Finally, even though it wouldn't have helped, it's clear Pluhar's team did not consider the iCloud backup possibility when they were making their examination, so they very well could have screwed this up. It's just that they didn't in this case.

It's also possible the phone was actually found powered on and the battery was drained and it turned off by the time Pluhar's team examined it the same day. It wasn't mentioned if anyone checked it and tried to make sure it was kept charged (probably not). I imagine it might be difficult to train the officers on the ground about mobile device forensics best practices, since they change fairly frequently.

I would not trust their word over Apple's because Apple has a better insight of the situation.

The whole thing was a very poor allocation of resources. Of course, those whose promotions and maybe even jobs are on the line will fight back any claim of incompetence or malice.

Huh? Apple has no idea what's on the phone, how could they have better info than the FBI on this?

The phone is evidence in a police investigation, they didn't buy it, while its owners are dead surely it belongs to their hiers? or does that whole rule of law thing mean nothing

The phone was a work phone issued by the San Bernardino Health Department, so no - the heirs of the killers didn't assume ownership of the phone. It was always the property of the San Bernardino Health Department.

So if someone the FBI is interested in knew they were being targeted and used a strong, complex, long password which would be impossible to 'guess' even without the restrictions then how does

> and without it taking a decade to guess correctly.

even make sense when there isn't a force in the universe that can guess that password in 10 millennia.

If they demand that restrictions like gated attempts and automatic wipes be removed, they're just pushing the industry to move to restrictions that can't be removed.

Hell, if I was feeling really cheeky and worked for Apple, I would give the FBI their backdoor which allowed them access, but they have to provide the phone a proof of work worth at least $10 trillion.

No this probably couldn't be made secure.

The only way to accomplish the goal in the first paragraph is to execute the steps they "don't want to" do from the second paragraph. It's more than double-speak, it's pure bullshit.

Just think of how many lives were saved by the data they got off that phone. Oh wait...

I hope someone sticks a couple hundred FOIA requests in that hole they speak to the people from. Hold them accountable: "What did the FBI get out of this?"

Is it unreasonable to think there is legitimately valuable Intel on that phone? I'd say it's at least plausible, maybe even likely lives can be saved by getting at messages on a known terrorists phone.

I wouldn't say likely when it was a government-owned phone and he also had a personal phone and went very much out of his way to thoroughly destroy that phone and another. Possible? Sure. But not in any way justifying a "scalable" solution. He doesn't want to look victims in the eye, but he's ignoring human rights activists who have had their identities compromised for less.

Yes. The FBI had offers (from credible firms) to crack the phone from day 2. (After they screwed it up and started talking about it.) They didn't take those offers because they were trying to force Apple into a larger breach.

Why did they risk it? Because they knew there was nothing of value on the phone. If this was the criminal's only phone we might hypothesize that it has valuable info on it. But when the criminal destroyed one phone and didn't bother to destroy the other it suggests there's nothing on it.

I'm sure it has more than zero data. The FBI merely has to claim that knowing if criminals play Candy Crush is helpful to justify it, in one sense. But enough to justify the trouble they put Apple through? Doubtful.

Enough to justify the decades of distrust they sowed in the security community? Not a chance.

Well, heads of US security apparatuses haven't seemed to be capable of anything beyond immediate contradiction lately

To me they seem to be a step behind. Maybe they're just too old.

I think they're farther ahead than you think. Apple is having to stand up against this overreach because the public simply isn't. We here are an echo chamber, but we're hardly representative of public opinion, which it turns out support the FBI more than Apple.


"Not scalable" is a good thing! I hope the next phone costs $5m to hack.

>paying outside technologists to find ways to access highly-encrypted messages on phones used by terrorist suspects was not “scalable.”

Good! I don't want it to be "scalable". That means they want to expand the data that they are collecting to include more a more phones. There is no need to do that!

Yeah. I thought the whole point of court ordered warrants was to NOT be scalable, cause, you know, due process or whatever.

I see two ways to interpret what he said, and I'm kind of appalled at both interpretations:

(1) "We can't afford to pay someone every time we need to bypass security, therefore we need the ability to force third parties to do this work for free": um, OK.


(2) "Bypassing security takes too much time and effort, therefore we need a backdoor": even more horrifying, even though he's repeatedly denied that this is the endgame.

Edit: typo

He doesn't want a "backdoor" just special treatment time and again.

It's not an either-or. They want the backdoor so they don't have to ask, and they want a new backdoor created anytime they ask.

Making it not scalable is the point. It places a monetary restriction so that they have to pick and choose what devices they think are worth hacking and which ones are not. This is the balance between citizen's rights and government power.

Otherwise we just collect everyone's data on everything all the time and have access to everything.

Why would you expect them to be responsible with money that isn't theirs?

Your argument would work for an individual, and to a lesser extent a corporation (where money spent comes out of profit and would be balanced against benefit), but the government plays with your money - not their own.

If they want to get into a hundred phones, they'll just ask congress for an appropriation for $100m. And since the government is one of its own largest lobbyists, it'll happen.

They don't have unlimited money. If they can bring it down to $1000 per phone to crack, they still can't crack millions of phones without wondering why their budget is allocated this way.

The only reason it would be 'Worth it' is if they found something of note (something to help prosecution of other criminals or prevent further attacks). Is there any reason to believe that this hack accomplished this?

What else would make it 'worth it'? Or is this just politicking?

It's just politicking, its "worth it" because they get to flex their muscle and show the world that they don't need apple's cooperation to get what they want.

And because they didn't get to see their precious All Wits Act request struck down setting a precedent against them. A few million to be able to keep invoking the AWA would definitely be "worth it" in their eyes.

And because it wasn't their own money.

That's an important point. They're paid our money, to plot ways to spend more of our money on marketing and lawyers, to misinform us.

I doubt it was worth it. It wasn't even the terrorist's phone. It was owned by their employer. The terrorists destroyed their personal phones prior to attack.

> Is there any reason to believe that this hack accomplished this?

You mean besides the fact that the FBI guy said it was worth it? You don't expect them to publish the intel they got from the phone before being able to act on it, no?

It was worth it to get out of a court case they were obviously losing that would establish precedent.

Since they have other similar cases with more friendly judges to the FBI desires.

At what scale are they accessing the hardware of terrorists anyways?

Can I live in a country that doesn't think a million dollars to break encryption on one phone is worth it? I value my tax dollar way more than they seem to, and way more than 50 thousand dollar air conditioners for jet fighters.

Air conditioning in most jet fighters is a necessity in order to keep the avionics cool.

Was it "worth it" because they dodged the potential for setting a precedent that limited the FBI's power?

It doesn't seem like it was "worth it" because they found useful evidence on the phone.

This also has a paywall. Is there a non-paywalled version of this story, or will this story remain irrelevant to my life forever?

(If it were relevant to myself and others, someone would create a non-paywalled version of the story, maybe so simply as just retyping here what they've read elsewhere. Humans see censorship, paywalls, etc as damage and route around them, as long as positive value is generated.)

Along what dimension is this "not scalable"? If you have 100 iPhoneCs and the exploit works on all of them, it sounds like it's very scalable to me. It doesn't scale across every iphone ever made (or that will be made), but honestly, with a few tweaks (maybe a forced OS downgrade, whatever), it could be made to be.

Also, if you don't release the attack vector, things get even murkier.

Plus, the government happens to be the entity that prints our money, as well as an entity that is essentially limitless in funds because it extracts it's budget from US.

Competition from firms may keep the price of breaking the iphone down, well within what the government can pay without anyone noticing (once this dies down). Nevermind companies that would LOVE to sell the NSA a single iphone exploit for anywhere close to $1M.

I think he meant "scalable" in terms of the amount of money, time and effort it will take to overcome each subsequent security obstacle faced by law enforcement. In that sense, this whole Apple-FBI fiasco was certainly not scalable.

Also, money is a very real limiting factor. The government can't just print more money to solve its problems.

Could you explain that, please? I had understood that the 3 rounds of QE essentially achieved this?

That's why you're supposed to use law enforcement resources where you know it makes a difference. The FBI made this whole circus around this phone when everyone already knew they wouldn't found anything. But worst of all, they didn't even bother to check the metadata for that phone, which would've also confirmed whether the phone was used to set-up crimes or not.

It was all a ruse to get their precedent for backdoors, and now they're dripping this (probably bullshit) story to the media in a way that further progresses their agenda, after classifying the information in the first place.

Not scalable as in 'we can't spend a year breaking into every version of OSX', not 'we can't spend a million dollars breaking into every version of OSX'. Because a million bucks is chump change in government spending.

> as paying outside technologists to find ways to access highly-encrypted messages on phones used by terrorist suspects was not “scalable.”

It would be fucking hilarious if he used this kind of language to mock the SV lingo.

> James Comey, director of the FBI, said on Thursday that the cost was “worth it”, but added that an accommodation needed to be made with Apple and other technology companies in the future, as paying outside technologists to find ways to access highly-encrypted messages on phones used by terrorist suspects was not “scalable.”

That is exactly what we want. If its clearly in the public interest to expended substantial effort as part of a criminal investigation, they absolutely should do so.

The problem is they want scalable access to everything.

Was there something on the phone what made it worth it? I don't know if I understand the hypocrisy of hn. We cry "oh humanity" when Ford pays $50k over sticker for a new Tesla car for reverse engineering but of course if the FBI does something then surely they were judicious with their purse strings.


> Was there something on the phone what made it worth it?

It doesn't matter to me tbh. They want to investigate, they can.

I just don't want them to be able to "scale" their investigations like they seem to want so they can get into all encrypted communications without a serious financial hurdle because they'll abuse it.

> I don't know if I understand the hypocrisy of hn. We cry "oh humanity" when Ford pays $50k over sticker for a new Tesla car for reverse engineering but of course if the FBI does something then surely they were judicious with their purse strings.

I didn't. Generalizing like that is unhealthy because it causes you to make some silly assumptions.

I wish people who paid lots of government money for things were always forced to do so out of their salary. For example: we will pay you $X per year in exchange for giving you the responsibility to make up to 10 big purchases; each time you purchase however, 1% of the proposed sum comes out of that $X salary; now then, how judicious will you be?

One thing Ron Paul did in Congress years ago, after one of those stupid “let’s spend taxpayer money on a bunch of medals” proposals or something, was to rephrase that expense: he challenged Congress to simply donate a percentage of their own salaries to make it happen. After all, if it was so wonderful (echoing all the things other Congress members had stood up and said about the idea before then), and so worthwhile, surely they would personally not mind chipping in something, right? Predictably, a very small number of congresspeople were suddenly willing to go quite that far.

Reminds me of Not Yours To Give: http://www.constitution.org/cons/crockett.htm

Thanks for that link. Great read.

I've often seen people propose things like that, such as congress being paid the average salary or maybe even no salary. However they're much more likely to take kickbacks if they have the power and not the money.

Kickbacks are a risk, though that could also be balanced with harsh penalties such as minimum sentences for being caught accepting kickbacks.

To me this raises a question about selling security vulnerabilities to state actors in general (in the context of the Facebook vulnerability thread where the standard discussion about value is being hashed out).

Specifically, I live in the UK and one of the complaints law enforcement has is that US companies can (and do) totally ignore valid court orders because they don't apply in the US (reddit being an arbitrary concrete example).

So, what would be the impact of GCHQ setting up a scheme where you can sell vulnerabilities to them (assuming they do the legwork to make it legal)? Would it violate some kind of trade agreement? I assume at minimum it would harm diplomatic relations given the pressure the big companies would exert on the US to push back.

> Specifically, I live in the UK and one of the complaints law enforcement has is that US companies can (and do) totally ignore valid court orders because they don't apply in the US (reddit being an arbitrary concrete example).

A US company (or individual) should absolutely ignore court orders from a non-US court; such courts have no jurisdiction. A "valid" court order necessarily must come from a court with jurisdiction.

Similarly, I'd expect a UK company to ignore US court orders.

(And in both cases, I'd ideally hope the court knows better than to take the case in the first place or to issue such an order.)

Actually, the court would issue such an order _because_ it knows better: without it, you basically have little leverage when you try to enforce the same in the foreign country in a court that actually _has_ jurisdiction.

Here's an example where a French court issued a court order to a US firm:


> A US company (or individual) should absolutely ignore court orders from a non-US court; such courts have no jurisdiction. A "valid" court order necessarily must come from a court with jurisdiction.

Remember: US privacy protections (e.g. 4th Amendment) don't apply to non-US people outside the USA. Please fix US courts & law to actually give us protection.

The thing is, companies like Google, Facebook and Apple are kinda companies of great britain or at least Ireland. They have bases in Ireland for tax purposes and to comply with certain data retention laws.

That aside, it is not really too much to ask that a company that does business in England abide by English law.

> The thing is, companies like Google, Facebook and Apple are kinda companies of great britain or at least Ireland.

It's useful to read the terms of service:

All Google interactions are with the US entity: https://www.google.com/intl/en/policies/terms/ identify

    The Services are provided by Google Inc. (“Google”), located at 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States.
Facebook actually segregates US/Canada users from users of other countries: https://www.facebook.com/legal/terms

    If you are a resident of or have your principal place of business in the US or Canada, this Statement is an agreement between you and Facebook, Inc.  Otherwise, this Statement is an agreement between you and Facebook Ireland Limited.  References to “us,” “we,” and “our” mean either Facebook, Inc. or Facebook Ireland Limited, as appropriate.

I'd certainly agree that a company with a legal nexus in a given country must obey that country's laws (or leave).

But "does business in England" and "has a legal nexus in England" are two different things, depending on your definition of "does business". For instance, if I sell a service online, and someone from England buys it, that might count as "does business in England" but it doesn't make either me or the service subject to English law or jurisdiction.

Yeah, but at the same time... If they want to reap the tax benefits of basing themselves out of a country, I would argue that they should be subject to that country's rule.

Really, calling themselves an "Irish" company seems like tax evasion to me, if it's in name only, with none of the negative ramifications.

Edit: speaking with regard to Apple, though other companies are in the same boat.


> Noted eagle eye and EFF Investigative Researcher Dave Maass happened on an interesting item from earlier this week on FedBizOpps, the site for government agencies to post contracting opportunities. The Navy put up a solicitation explaining that the government wants “access to vulnerability intelligence, exploit reports and operational exploit binaries affecting widely used and relied upon commercial software,” including Microsoft, Adobe, Android, Apple, “and all others.” If that weren’t clear enough, the solicitation explains that “the vendor shall provide the government with a proposed list of available vulnerabilities, 0-day or N-day (no older than 6 months old). . . .The government will select from the supplied list and direct development of exploit binaries.”


> The National Security Agency bought hacking tools from a security firm, based on documents unearthed by a FOI request.

The US is doing it. The GCHQ likely does it too and I bet at least some of this list was built via information purchased from others:


Uh, state actors (including GCHQ) already are some of the primary buyers of vulnerabilities.

Imagine if some eager beaver out there started weaponizing microbes and selling them to the highest bidder. They would rightly be droned to a greasy smear on their lab wall. "Security researchers" who sell vulns to governments are no better.

Given that they found no relevant information on his work phone, exactly as experts and reasonable amateurs and common men predicted, how was it "worth it" as he claims? Is it that wasting huge sums of taxpayer money while attacking civil rights and attempting to instantiate a police surveillance state with no privacy is simply "worth it" no matter what, even if pointless?

It was worth it because they didn't know that beforehand. Now the FBI are sure that the attackers weren't in contact with other ISIS members. The FBI thinks that information is worth the $1.2M+ they paid.

How could they possibly have known that without unlocking the phone?

> Now the FBI are sure that the attackers weren't in contact with other ISIS members.

Umm, no - no they aren't. Not even close. The terrorists personal phones were destroyed before the FBI could recover them, this was just a 'work phone'.

Don't you think it's likely that a) there is a reason they destroyed their personal phones, and b) if they were going to communicate with other actors they'd be more likely to use the phone that's completely under their control?

Yes, you're right. I guess the FBI just confirmed that there was no info on the work phone, which seems a valid line of inquiry.

On the work phone, sure. Yay.

You do know that they destroyed their personal phones, right? And that it's been months now, wasted bickering with Apple even if there would have been any leads.

> How could they possibly have known that without unlocking the phone?

Smart money says they already unlocked it with an exploit and knew there was nothing, then played legal games with Apple until they started losing, and to exit gracefully they accepted the offer of one of the many firms begging to extract data from the phone for them.

They have the NSA's phone number. They were playing helpless for a reason.


I find it interesting that this entire issue is the same as the nuclear issue was in the cold war.

Government Technocrats: We need bigger and more powerful warheads to protect us from the Soviets.

General Public: OK we'll learn Duck and Cover.

Sensible Few: Is risking the destruction of everything we're trying to protect worth it?

Government Technocrats: We can't look our children in the eye ... yadda yadda yadda.

I'm trying to see what's around the corner for this argument.

Sure they can go to congress and push for increased funding or whatever for their top cases. Which gives congress a tangible budget number that could be "saved" by passing a law, but politics/congress doesn't really work this way - spending money benefits the administrating critters, the FBI, and the contractors doing the work.

Furthermore, $1M is essentially a small amount and obviously "worth it" for the major sensational events that they'd use to push through backdoors. So it seems they're actually giving up ground by having to move the argument to the urgency for backdoors in cases that aren't worth $1M.

I can see the argument playing for fiscal-primacy authoritarians who would take this as an example of government waste, but they'd already support government backdoors and I don't see this riling them up enough to be worth it.

It seems like a dead-end for propaganda purposes. What am I missing?

Maybe they're just trying to salt the earth so that their technical success in this case does not hinder them arguing for backdoors next time?

This really seems like a terrible market for a state to be so openly involved in.

So they should be clandestinely involved, instead? They're going to do it anyways, I'd rather know about it.

False dichotomy is false. They didn't have to do this, and by all accounts, received nothing of value for the money.

> by all accounts, received nothing of value for the money

How can you know that?

come on do all internet comments have to be perfect? how about "by all public accounts to date".

I'd have though that extra context wasn't necessary.

> I'd have though that extra context wasn't necessary.

New to the internet?

Unless you lawyer every possible comment against the most uncharitable reading while combining it with the kind of source research that would make a Harvard law professor weep a tear of joy you'll get called on it.

The point is that the people who would be in a position to provide concrete evidence one way or another are very unlikely to make a public account. "All public accounts to date" that I know of are basically hearsay.

I was just being charitable. If I had to bet, he has no idea and no way of knowing (because the FBI isn't going to go around disclosing whatever intel they got from the phone). But maybe he had a way of knowing, so I asked. Turns out he didn't.

>>How can you know that?

We can't. That's the problem! The government just spend a million fucking dollars to access a phone's contents, and we have no idea if it was worth it. This lack of accountability is what's causing them to flaunt civil liberties so brazenly and shamelessly. If cornered, they always use the "it's a matter of national security!" excuse.

You should look into Pentagon procurement, especially for the big projects like the F-35. Eisenhower would weep.

I can't KNOW it, which is why I said, "By all accounts".

According to their own account they did get their money's worth:


The fact that the FBI have confirmed there were no contacts with other ISIS members is valuable information.

They have not confirmed that at all. Should any such contact have existed, it would have been through the destroyed personal phones.

Yes, you're right. See my reply to djrogers.

Don't they have a tool to get into other iPhone's now?

$1,000,000 doesn't seem too bad.

Not necessarily, they might not own the tool, just paid for someone to use it on the phone.

The subtitle quote indicates that the tool was bought outright.

AFAIK, the exploit only works on older iphones. It'll quickly lose value going forward.

You can't put a price on national security. Never mind, they just did and they got to define national security as well.

There is no indication that it wasn't what had been claimed they could always do, and that's physically clone NAND gates. Remember, the FBI wasn't after data in the first place, they were after a legal precedent.

Is that it? Had they found a way to do it internally it could easily have cost 10x more.

5 people, 1 year = 1million. Likely a team of 4 devs and a PM. 10months to prototype, 2 months to clean up and release?

Sounds reasonable.

I agree.

Were they going to pay Apple if they had somehow forced them to do the deed?

Example: http://www.cbsnews.com/news/verizon-att-get-most-bucks-from-...

>AT&T, for example, imposes a $325 "activation fee" for each wiretap and $10 a day to maintain it. Smaller carriers Cricket and U.S. Cellular charge only about $250 per wiretap. But snoop on a Verizon customer? That costs the government $775 for the first month and $500 each month after that, according to industry disclosures made last year to Congressman Edward Markey.

>And while Microsoft, Yahoo and Google won't say how much they charge, the American Civil Liberties Union found that email records can be turned over for as little as $25.

So the only argument the FBI hears is how much? Disgusting.

An argument you could make is that by associating a cost with wiretapping it discourages frivolous usage.

Since when did the FBI care about spending money that they get from taxpayers?


To me this sounds like the typical "teachers and firefighters" government PR tactic. The best response is an equally ridiculous knee-jerk public reaction. We need to call to defund the FBI by 1 million dollars to settle the accounting. Clearly they have too much money burning holes in their pockets if they are able to make large purchases of this nature.

Is that a lot or a little?

It's a lot if they want to hack millions of iPhones each year. As a one-off engineering project to break into an iPhone, it seems remarkably reasonable.

It's about par. Some security firms will charge $1M/year and over. Corporate enterprises involved in intelligence gathering for the government (i.e. ATnT, Apple, Google, Microsoft, basically any "free" and paid tech service) can make a lot of money depending on how many accounts they pass off to the FBI,NSA, etc... If you're using any service in the US and the "West", even the "free speech" stuff like ytcombinator, reddit, they'll pass of information and can charge for it.

edit: Apple's encryption fight, for example, is a bit of a wash. It's basically to lure in more users which they can charge more for. The more value the user has for their privacy, the more companies can charge for access.

They are all corporate enterprises, and their responsibility is to profit for their shareholders. When the government offers a legal profitable offer, they have a responsibility to take it. If they are found not to take it, and a group or party finds out and can prove it was a profitable venture, they can attack the company with the courts.

That's bullshit.

Management has wide-ranging freedom to define what they see as the best course of action and nothing short of fraud is actionable in a court: https://en.wikipedia.org/wiki/Business_judgment_rule.

In this case, the obvious defense would be that for a company such as Apple, the fees they charge the government for access are completely meaningless, compared to the damage the brand could suffer if they're found violating their user's privacy.

At 25$ each as mentioned above, these fees probably don't even cover the costs of having a lawyer take a quick look at it.

$180k is a dangerously small amount to pay someone with James Comey's responsibility.

the fringe benefits and consulting/speaking fees post-FBI make up for it and then some.

Where did that $1M come from? If it's from tax I'll say that a big waste.

Where else does it come from?

We financed it - your kids will be paying for it.

Why does the source of money change the efficiency of a given use?

Don't worry, it came from the Federal Reserve's printing press

Paywalled for me here in the UK. I assume the title sums up the article?

Since I can't read the article, from anyone that can, how did they come to that figure? Is that just the cost of the exploit or..?


> The Federal Bureau of Investigation paid more than $1 million for a hacking tool that opened the iPhone of a terrorist gunman in San Bernardino, Calif., the head of the agency said Thursday.

> Speaking at the Aspen Security Forum in London, FBI Director James Comey didn’t cite a precise figure for how much the government paid for the solution to cracking the phone but said it was more than his salary for the seven-plus years remaining in his term at the FBI.

> His annual salary is about $180,000 a year, so that comes to $1.26 million or more.

> “[We] paid a lot’’ for the hacking tool, Mr. Comey said. “But it was worth it.’’

I wonder how exactly it's worth it, given that nothing of interest of relevance was found on the device.

Given that this is FBI procurement, I'm guessing they bought an "Enterprise license" with full support and the opportunity to use the application on any phone that fits the spec just in case because additional procurements would take a long time. Typing this sarcastic comments made me realize that they may have bought this tool for all open cases with this device which actually might've been fairly cost effective, but a bit scarier.

Well now they have a tool they can use at any time.

On iPhone 5. Until Apple updates the software to fix the vulnerability.

If they know what to fix. FBI aren't idiots to tell them.

Apple could probably buy the same tool and analyze it.

I was just thinking this. Again, I haven't been able to read the article but I was under the impression that the FBI paid to crack this one phone, I didn't realize that they have this tool that could 'hack' more iPhones with.

If over $1M is reasonable, I wonder what Comey would deem as an "unreasonable" amount and the rationale behind the calculation.

What evidence is there that the phone was actually hacked? Wouldn't saying "ah never mind we hacked it" be a convenient way out of a precedent-setting court case the FBI was losing?

Except the other cases haven't been dropped, and this case was perhaps the one most sympathetic to the government (terror).

If you consider all of the time and effort that they put into this case, they spent a hell of a lot more than $1M. We're focusing so much on it because it a single line item.

Exactly. Think about the resources they put on this case. It should worth way more than $1M and all that came from tax payers money.

Ugh - total paywall on the article.

Seriously, we need to just ban domains that do that (full paywall after 1st paragraph) - it's not really sharing any content with the community.

This is our tax money down the drain by scaring us to death for fear of non-existent terrorist threat. It is remarkable how such FBI directors don't get fired from their job.

I'm not entirely sure how you can call 14 deaths "non-existent".

14 deaths out of 300 million people is close enough to zero that it's not worth thinking about.

Yes, I completely agree that terrorism is something that people shouldn't worry about. However that doesn't mean you shouldn't investigate the murders, just like you would any other murder.

You appear to be saying that 14 murders is something that shouldn't be investigated properly.

Law enforcement has limited resources and hence they should spend based on what they have. I feel they are spending too much of our money.

14 deaths for 300 million is non existent if you understand statistics. More people commit suicide each year and even more people die each year because FDA takes too long to approve new medicines.

not sure how cracking encryption will "un-kill" even one of those people.

Who said it will? It's to prevent it happening again.

What? The government pwning some terrorists iPhone will prevent terrorist attacks from happening again? How? I'm completely gobsmacked at the line of reasoning here.

The reasoning is that there may be new information that helps identify conspirators or abettors. We all know the chances of finding smoking-gun type evidence on that phone was slim, but that doesn't mean you ignore possible leads when attempting to piece together how a crime was committed. Just because the shooter didn't intend to leave any evidence on the company-issued phone, doesn't mean that there wouldn't have been meaningful data on there that would advance the investigation and generate valuable leads. Think GPS info, or items that complete a timeline, etc.

Here's an example. Suppose they uncovered GPS info from the phone that showed that the shooter visited a particular location frequently in the days leading up to the attack. FBI checks that location out, and discovers that it is implicated in another ongoing investigation for money laundering. The other investigation wasn't tied to terrorism, but this thread creates a link and enables another source of support to be found and squashed.

My example is just an illustration of one of many possible ways the data on the phone could advance the case. It's absolutely worth pursuing.

To be clear, I'm 100% opposed to any attempts at government backdoors, and I sided with Apple when they refused the FBI's request initially, but that doesn't mean the Bureau should just shrug their shoulders and not do their job.

All the data you mentioned was already vacuumed up, "ingested" through the NSA's illegal surveillance dragnet....you know - the one for "fighting terrorism" ?

I thought that's what all the illegal mass-surveillance was for ?

Next time they should just bring the phone to RSA and have their pick of vendor-booth-magician to decrypt it.

That's it?

a) The amount is nice since I think they apparently approached them after figuring out how to do this. So impossible to think anywhere near that amount of work was actually involved.

b) Establish and prove they can do the job. Will get other work like this and be able to charge more. Really no different than what the local handyman or plumber does in some cases.

I still don't believe they've actually hacked it. There's no evidence that they have.

Apparently $1 million is how much it costs to discover that no information was on the phone.

I'm in the wrong profession!

I'd like a refund, please.

Why not www.iphoneasyunlock.com

this money comes out off our pockets.. YAY. NAY

What bothers me is they apparently had no better intel available to spend that money on. An iPhone really? This screams of the government having absolutely nothing to do if not being outright incompetent entirely.

McAfee offered to do it free of charge. Should have took him up on that, rather than wast $1M.

McAfee's offer was a PR stunt. He admitted it a week later.

And he made a series of public statements which made it clear he had no understanding whatsoever of the technical issues involved.

First, he claimed that he would use "social engineering" to access the phone's data.

Later, he claimed that he could do it easily by clearing the area of flash memory containing the phone's password, apparently unaware of the fact that the password was used as a key to encrypt data.

Source: http://arstechnica.com/security/2016/03/john-mcafee-better-p...

Social engineering could plausibly work against Apple employees.

Which is undoubtedly one of the many reasons why  didn't want to create the software necessary to unlock the phone.

ot: it's oddly satisfying to me that the Apple unicode is broken for my browser.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact