James Comey, director of the FBI, said on Thursday that the cost was “worth it”, but added that an accommodation needed to be made with Apple and other technology companies in the future, as paying outside technologists to find ways to access highly-encrypted messages on phones used by terrorist suspects was not “scalable.”
This is the same James Comey that said they just were just asking Apple for access to just that one phone.
CGP Grey has a very good explanation of this situation.
Instead of a pithy but pointless HN comment, let me suggest a book for you that might expand your thinking on this topic:
> Do you think that this notion is new? Or that the rest of us haven't considered it?
> a pithy but pointless HN comment
> might expand your thinking on this topic
Just throwing it out there: http://paulgraham.com/disagree.html
It would be more helpful if you expanded on why it's a bad argument. Off the top of my head:
> They don't want it, as evidenced by their not voting for it, so they won't get it
Was there a vote on it? When exactly?
Here's a book about how election results can change people's opinions on topics. It applies here because X. I used to think Y, but it changed my thinking to Z. I'd highly recommend it.
Not that GP is any better, but hey... And to be fair, the guy is practically trolling, whether intentional or not.
But he is responding to a one-line meme whose only purpose is to establish learned helplessness and end discussion that massively oversimplifies a very complex issue and is essentially copy pasted in any article here that even touches on politics. It gets quite exhausting engaging, having long in depth discussion about how this view is overly simplistic on every single thread only to have it appear again tomorrow, exactly the same as before.
I think downvotes and silence is the correct move here.
This notion ("the people get exactly what they vote for") goes back to Ancient Greece; it's not like its a novel topic.
Logically if the US electorate cared even half as much about [topic x] as they do about guns - candidates would care too and "democracy" would follow... no?
(I'm not bashing the US, just taking gun control as an example where a passionate popular view is reflected democratically)
“We don’t want to break anyone’s encryption or set a master key loose on the land,” Comey continued. “I hope thoughtful people will take the time to understand that. Maybe the phone holds the clue to finding more terrorists. Maybe it doesn’t. But we can’t look the survivors in the eye, or ourselves in the mirror, if we don’t follow this lead. “
County governments are typically recognized incorporated organizations that have no real line of authority or connection with the federal government.
So no, the FBI or federal doesn't have some ownership claim that makes it ok to break into. As others point out they have basically seized the device from its owner in the course of investigation.
Regarding the Director's double speak I think it is relevant. The FBI or federal government is still not the owner. Regardless of whether the device was seized or surrendered the property is still owned by the county.
> What he's saying is "we want it both ways". We don't want to take away security for users, we just want to make it easier for someone who's not the owner of the phone to get into it.
Why didn't they go through proper channels? Why did they reset the iCloud passwords? What steps have they taken to prevent this from happening in the future?
The FBI is doing a lot of hand waving and there is no accountability. Where are all those fiscal conservatives when we need them?
The government ran its own tests of the scenarios and found that to be true: https://www.scribd.com/doc/303759192/Declaration-by-Stacey-P... (paragraphs 37-39)
Apple's engineer's response left that assertion unchallenged (while challenging other stuff wrong with paragraphs 37-39, see his paragraphs 32-33): https://www.scribd.com/doc/304898553/SUPPLEMENTAL-DECLARATIO...
Of course, you can choose not to believe the government that the phone was found powered off (http://www.wired.com/wp-content/uploads/2016/03/Apple-govt-R...), but I think you'd have to pick and choose what you're willing to believe and not believe from what the government have said.
Finally, even though it wouldn't have helped, it's clear Pluhar's team did not consider the iCloud backup possibility when they were making their examination, so they very well could have screwed this up. It's just that they didn't in this case.
It's also possible the phone was actually found powered on and the battery was drained and it turned off by the time Pluhar's team examined it the same day. It wasn't mentioned if anyone checked it and tried to make sure it was kept charged (probably not). I imagine it might be difficult to train the officers on the ground about mobile device forensics best practices, since they change fairly frequently.
The whole thing was a very poor allocation of resources. Of course, those whose promotions and maybe even jobs are on the line will fight back any claim of incompetence or malice.
> and without it taking a decade to guess correctly.
even make sense when there isn't a force in the universe that can guess that password in 10 millennia.
If they demand that restrictions like gated attempts and automatic wipes be removed, they're just pushing the industry to move to restrictions that can't be removed.
Hell, if I was feeling really cheeky and worked for Apple, I would give the FBI their backdoor which allowed them access, but they have to provide the phone a proof of work worth at least $10 trillion.
No this probably couldn't be made secure.
Why did they risk it? Because they knew there was nothing of value on the phone. If this was the criminal's only phone we might hypothesize that it has valuable info on it. But when the criminal destroyed one phone and didn't bother to destroy the other it suggests there's nothing on it.
I'm sure it has more than zero data. The FBI merely has to claim that knowing if criminals play Candy Crush is helpful to justify it, in one sense. But enough to justify the trouble they put Apple through? Doubtful.
Enough to justify the decades of distrust they sowed in the security community? Not a chance.
Good! I don't want it to be "scalable". That means they want to expand the data that they are collecting to include more a more phones. There is no need to do that!
(1) "We can't afford to pay someone every time we need to bypass security, therefore we need the ability to force third parties to do this work for free": um, OK.
(2) "Bypassing security takes too much time and effort, therefore we need a backdoor": even more horrifying, even though he's repeatedly denied that this is the endgame.
Otherwise we just collect everyone's data on everything all the time and have access to everything.
Your argument would work for an individual, and to a lesser extent a corporation (where money spent comes out of profit and would be balanced against benefit), but the government plays with your money - not their own.
If they want to get into a hundred phones, they'll just ask congress for an appropriation for $100m. And since the government is one of its own largest lobbyists, it'll happen.
What else would make it 'worth it'? Or is this just politicking?
You mean besides the fact that the FBI guy said it was worth it? You don't expect them to publish the intel they got from the phone before being able to act on it, no?
It doesn't seem like it was "worth it" because they found useful evidence on the phone.
(If it were relevant to myself and others, someone would create a non-paywalled version of the story, maybe so simply as just retyping here what they've read elsewhere. Humans see censorship, paywalls, etc as damage and route around them, as long as positive value is generated.)
Also, if you don't release the attack vector, things get even murkier.
Plus, the government happens to be the entity that prints our money, as well as an entity that is essentially limitless in funds because it extracts it's budget from US.
Competition from firms may keep the price of breaking the iphone down, well within what the government can pay without anyone noticing (once this dies down). Nevermind companies that would LOVE to sell the NSA a single iphone exploit for anywhere close to $1M.
Also, money is a very real limiting factor. The government can't just print more money to solve its problems.
It was all a ruse to get their precedent for backdoors, and now they're dripping this (probably bullshit) story to the media in a way that further progresses their agenda, after classifying the information in the first place.
It would be fucking hilarious if he used this kind of language to mock the SV lingo.
That is exactly what we want. If its clearly in the public interest to expended substantial effort as part of a criminal investigation, they absolutely should do so.
The problem is they want scalable access to everything.
It doesn't matter to me tbh. They want to investigate, they can.
I just don't want them to be able to "scale" their investigations like they seem to want so they can get into all encrypted communications without a serious financial hurdle because they'll abuse it.
> I don't know if I understand the hypocrisy of hn. We cry "oh humanity" when Ford pays $50k over sticker for a new Tesla car for reverse engineering but of course if the FBI does something then surely they were judicious with their purse strings.
I didn't. Generalizing like that is unhealthy because it causes you to make some silly assumptions.
One thing Ron Paul did in Congress years ago, after one of those stupid “let’s spend taxpayer money on a bunch of medals” proposals or something, was to rephrase that expense: he challenged Congress to simply donate a percentage of their own salaries to make it happen. After all, if it was so wonderful (echoing all the things other Congress members had stood up and said about the idea before then), and so worthwhile, surely they would personally not mind chipping in something, right? Predictably, a very small number of congresspeople were suddenly willing to go quite that far.
Specifically, I live in the UK and one of the complaints law enforcement has is that US companies can (and do) totally ignore valid court orders because they don't apply in the US (reddit being an arbitrary concrete example).
So, what would be the impact of GCHQ setting up a scheme where you can sell vulnerabilities to them (assuming they do the legwork to make it legal)? Would it violate some kind of trade agreement? I assume at minimum it would harm diplomatic relations given the pressure the big companies would exert on the US to push back.
A US company (or individual) should absolutely ignore court orders from a non-US court; such courts have no jurisdiction. A "valid" court order necessarily must come from a court with jurisdiction.
Similarly, I'd expect a UK company to ignore US court orders.
(And in both cases, I'd ideally hope the court knows better than to take the case in the first place or to issue such an order.)
Here's an example where a French court issued a court order to a US firm:
Remember: US privacy protections (e.g. 4th Amendment) don't apply to non-US people outside the USA. Please fix US courts & law to actually give us protection.
That aside, it is not really too much to ask that a company that does business in England abide by English law.
It's useful to read the terms of service:
All Google interactions are with the US entity: https://www.google.com/intl/en/policies/terms/ identify
The Services are provided by Google Inc. (“Google”), located at 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States.
If you are a resident of or have your principal place of business in the US or Canada, this Statement is an agreement between you and Facebook, Inc. Otherwise, this Statement is an agreement between you and Facebook Ireland Limited. References to “us,” “we,” and “our” mean either Facebook, Inc. or Facebook Ireland Limited, as appropriate.
But "does business in England" and "has a legal nexus in England" are two different things, depending on your definition of "does business". For instance, if I sell a service online, and someone from England buys it, that might count as "does business in England" but it doesn't make either me or the service subject to English law or jurisdiction.
Really, calling themselves an "Irish" company seems like tax evasion to me, if it's in name only, with none of the negative ramifications.
Edit: speaking with regard to Apple, though other companies are in the same boat.
> Noted eagle eye and EFF Investigative Researcher Dave Maass happened on an interesting item from earlier this week on FedBizOpps, the site for government agencies to post contracting opportunities. The Navy put up a solicitation explaining that the government wants “access to vulnerability intelligence, exploit reports and operational exploit binaries affecting widely used and relied upon commercial software,” including Microsoft, Adobe, Android, Apple, “and all others.” If that weren’t clear enough, the solicitation explains that “the vendor shall provide the government with a proposed list of available vulnerabilities, 0-day or N-day (no older than 6 months old). . . .The government will select from the supplied list and direct development of exploit binaries.”
> The National Security Agency bought hacking tools from a security firm, based on documents unearthed by a FOI request.
The US is doing it. The GCHQ likely does it too and I bet at least some of this list was built via information purchased from others:
How could they possibly have known that without unlocking the phone?
Umm, no - no they aren't. Not even close. The terrorists personal phones were destroyed before the FBI could recover them, this was just a 'work phone'.
Don't you think it's likely that a) there is a reason they destroyed their personal phones, and b) if they were going to communicate with other actors they'd be more likely to use the phone that's completely under their control?
You do know that they destroyed their personal phones, right? And that it's been months now, wasted bickering with Apple even if there would have been any leads.
> How could they possibly have known that without unlocking the phone?
Smart money says they already unlocked it with an exploit and knew there was nothing, then played legal games with Apple until they started losing, and to exit gracefully they accepted the offer of one of the many firms begging to extract data from the phone for them.
They have the NSA's phone number. They were playing helpless for a reason.
Government Technocrats: We need bigger and more powerful warheads to protect us from the Soviets.
General Public: OK we'll learn Duck and Cover.
Sensible Few: Is risking the destruction of everything we're trying to protect worth it?
Government Technocrats: We can't look our children in the eye ... yadda yadda yadda.
Sure they can go to congress and push for increased funding or whatever for their top cases. Which gives congress a tangible budget number that could be "saved" by passing a law, but politics/congress doesn't really work this way - spending money benefits the administrating critters, the FBI, and the contractors doing the work.
Furthermore, $1M is essentially a small amount and obviously "worth it" for the major sensational events that they'd use to push through backdoors. So it seems they're actually giving up ground by having to move the argument to the urgency for backdoors in cases that aren't worth $1M.
I can see the argument playing for fiscal-primacy authoritarians who would take this as an example of government waste, but they'd already support government backdoors and I don't see this riling them up enough to be worth it.
It seems like a dead-end for propaganda purposes. What am I missing?
Maybe they're just trying to salt the earth so that their technical success in this case does not hinder them arguing for backdoors next time?
How can you know that?
I'd have though that extra context wasn't necessary.
New to the internet?
Unless you lawyer every possible comment against the most uncharitable reading while combining it with the kind of source research that would make a Harvard law professor weep a tear of joy you'll get called on it.
We can't. That's the problem! The government just spend a million fucking dollars to access a phone's contents, and we have no idea if it was worth it. This lack of accountability is what's causing them to flaunt civil liberties so brazenly and shamelessly. If cornered, they always use the "it's a matter of national security!" excuse.
The fact that the FBI have confirmed there were no contacts with other ISIS members is valuable information.
$1,000,000 doesn't seem too bad.
>AT&T, for example, imposes a $325 "activation fee" for each wiretap and $10 a day to maintain it. Smaller carriers Cricket and U.S. Cellular charge only about $250 per wiretap. But snoop on a Verizon customer? That costs the government $775 for the first month and $500 each month after that, according to industry disclosures made last year to Congressman Edward Markey.
>And while Microsoft, Yahoo and Google won't say how much they charge, the American Civil Liberties Union found that email records can be turned over for as little as $25.
edit: Apple's encryption fight, for example, is a bit of a wash. It's basically to lure in more users which they can charge more for. The more value the user has for their privacy, the more companies can charge for access.
They are all corporate enterprises, and their responsibility is to profit for their shareholders. When the government offers a legal profitable offer, they have a responsibility to take it. If they are found not to take it, and a group or party finds out and can prove it was a profitable venture, they can attack the company with the courts.
Management has wide-ranging freedom to define what they see as the best course of action and nothing short of fraud is actionable in a court: https://en.wikipedia.org/wiki/Business_judgment_rule.
In this case, the obvious defense would be that for a company such as Apple, the fees they charge the government for access are completely meaningless, compared to the damage the brand could suffer if they're found violating their user's privacy.
At 25$ each as mentioned above, these fees probably don't even cover the costs of having a lawyer take a quick look at it.
Since I can't read the article, from anyone that can, how did they come to that figure? Is that just the cost of the exploit or..?
> Speaking at the Aspen Security Forum in London, FBI Director James Comey didn’t cite a precise figure for how much the government paid for the solution to cracking the phone but said it was more than his salary for the seven-plus years remaining in his term at the FBI.
> His annual salary is about $180,000 a year, so that comes to $1.26 million or more.
> “[We] paid a lot’’ for the hacking tool, Mr. Comey said. “But it was worth it.’’
I wonder how exactly it's worth it, given that nothing of interest of relevance was found on the device.
Seriously, we need to just ban domains that do that (full paywall after 1st paragraph) - it's not really sharing any content with the community.
You appear to be saying that 14 murders is something that shouldn't be investigated properly.
Here's an example. Suppose they uncovered GPS info from the phone that showed that the shooter visited a particular location frequently in the days leading up to the attack. FBI checks that location out, and discovers that it is implicated in another ongoing investigation for money laundering. The other investigation wasn't tied to terrorism, but this thread creates a link and enables another source of support to be found and squashed.
My example is just an illustration of one of many possible ways the data on the phone could advance the case. It's absolutely worth pursuing.
To be clear, I'm 100% opposed to any attempts at government backdoors, and I sided with Apple when they refused the FBI's request initially, but that doesn't mean the Bureau should just shrug their shoulders and not do their job.
b) Establish and prove they can do the job. Will get other work like this and be able to charge more. Really no different than what the local handyman or plumber does in some cases.
First, he claimed that he would use "social engineering" to access the phone's data.
Later, he claimed that he could do it easily by clearing the area of flash memory containing the phone's password, apparently unaware of the fact that the password was used as a key to encrypt data.