http://www.ft.com/cms/s/0/af23e3ea-07f1-11e6-b6d3-746f8e9cdd...
James Comey, director of the FBI, said on Thursday that the cost was “worth it”, but added that an accommodation needed to be made with Apple and other technology companies in the future, as paying outside technologists to find ways to access highly-encrypted messages on phones used by terrorist suspects was not “scalable.”
This is the same James Comey that said they were just asking Apple for access to just that one phone.
“We don’t want to break anyone’s encryption or set a master key loose on the land,” Comey continued. “I hope thoughtful people will take the time to understand that. Maybe the phone holds the clue to finding more terrorists. Maybe it doesn’t. But we can’t look the survivors in the eye, or ourselves in the mirror, if we don’t follow this lead.”
Good! I don't want it to be "scalable". That means they want to expand the data that they are collecting to include more and more phones. There is no need to do that!
(1) "We can't afford to pay someone every time we need to bypass security, therefore we need the ability to force third parties to do this work for free": um, OK.
-or-
(2) "Bypassing security takes too much time and effort, therefore we need a backdoor": even more horrifying, even though he's repeatedly denied that this is the endgame.
Edit: typo
Otherwise we just collect everyone's data on everything all the time and have access to everything.
Your argument would work for an individual, and to a lesser extent a corporation (where money spent comes out of profit and would be balanced against benefit), but the government plays with your money - not their own.
If they want to get into a hundred phones, they'll just ask congress for an appropriation for $100m. And since the government is one of its own largest lobbyists, it'll happen.
What else would make it 'worth it'? Or is this just politicking?
You mean besides the fact that the FBI guy said it was worth it? You don't expect them to publish the intel they got from the phone before being able to act on it, no?
It doesn't seem like it was "worth it" because they found useful evidence on the phone.
(If it were relevant to myself and others, someone would create a non-paywalled version of the story, maybe as simply as just retyping here what they've read elsewhere. Humans see censorship, paywalls, etc. as damage and route around them, as long as positive value is generated.)
Also, if you don't release the attack vector, things get even murkier.
Plus, the government happens to be the entity that prints our money, as well as an entity that is essentially limitless in funds because it extracts its budget from US.
Competition from firms may keep the price of breaking the iPhone down, well within what the government can pay without anyone noticing (once this dies down). Never mind companies that would LOVE to sell the NSA a single iPhone exploit for anywhere close to $1M.
Also, money is a very real limiting factor. The government can't just print more money to solve its problems.
It was all a ruse to get their precedent for backdoors, and now they're dripping this (probably bullshit) story to the media in a way that further progresses their agenda, after classifying the information in the first place.
It would be fucking hilarious if he used this kind of language to mock the SV lingo.
That is exactly what we want. If it's clearly in the public interest to expend substantial effort as part of a criminal investigation, they absolutely should do so.
The problem is they want scalable access to everything.
Surely.
One thing Ron Paul did in Congress years ago, after one of those stupid “let’s spend taxpayer money on a bunch of medals” proposals or something, was to rephrase that expense: he challenged Congress to simply donate a percentage of their own salaries to make it happen. After all, if it was so wonderful (echoing all the things other Congress members had stood up and said about the idea before then), and so worthwhile, surely they would personally not mind chipping in something, right? Predictably, a very small number of congresspeople were suddenly willing to go quite that far.
Specifically, I live in the UK and one of the complaints law enforcement has is that US companies can (and do) totally ignore valid court orders because they don't apply in the US (reddit being an arbitrary concrete example).
So, what would be the impact of GCHQ setting up a scheme where you can sell vulnerabilities to them (assuming they do the legwork to make it legal)? Would it violate some kind of trade agreement? I assume at minimum it would harm diplomatic relations given the pressure the big companies would exert on the US to push back.
A US company (or individual) should absolutely ignore court orders from a non-US court; such courts have no jurisdiction. A "valid" court order necessarily must come from a court with jurisdiction.
Similarly, I'd expect a UK company to ignore US court orders.
(And in both cases, I'd ideally hope the court knows better than to take the case in the first place or to issue such an order.)
Here's an example where a French court issued a court order to a US firm:
Remember: US privacy protections (e.g. 4th Amendment) don't apply to non-US people outside the USA. Please fix US courts & law to actually give us protection.
That aside, it is not really too much to ask that a company that does business in England abide by English law.
> Noted eagle eye and EFF Investigative Researcher Dave Maass happened on an interesting item from earlier this week on FedBizOpps, the site for government agencies to post contracting opportunities. The Navy put up a solicitation explaining that the government wants “access to vulnerability intelligence, exploit reports and operational exploit binaries affecting widely used and relied upon commercial software,” including Microsoft, Adobe, Android, Apple, “and all others.” If that weren’t clear enough, the solicitation explains that “the vendor shall provide the government with a proposed list of available vulnerabilities, 0-day or N-day (no older than 6 months old). . . .The government will select from the supplied list and direct development of exploit binaries.”
http://www.zdnet.com/article/nsa-purchased-zero-day-exploits...
> The National Security Agency bought hacking tools from a security firm, based on documents unearthed by a FOI request.
The US is doing it. The GCHQ likely does it too and I bet at least some of this list was built via information purchased from others:
https://www.schneier.com/blog/archives/2014/07/gchq_catalog_...
How could they possibly have known that without unlocking the phone?
Umm, no - no they aren't. Not even close. The terrorists' personal phones were destroyed before the FBI could recover them, this was just a 'work phone'.
Don't you think it's likely that a) there is a reason they destroyed their personal phones, and b) if they were going to communicate with other actors they'd be more likely to use the phone that's completely under their control?
You do know that they destroyed their personal phones, right? And that it's been months now, wasted bickering with Apple even if there would have been any leads.
> How could they possibly have known that without unlocking the phone?
Smart money says they already unlocked it with an exploit and knew there was nothing, then played legal games with Apple until they started losing, and to exit gracefully they accepted the offer of one of the many firms begging to extract data from the phone for them.
They have the NSA's phone number. They were playing helpless for a reason.
Government Technocrats: We need bigger and more powerful warheads to protect us from the Soviets.
General Public: OK we'll learn Duck and Cover.
Sensible Few: Is risking the destruction of everything we're trying to protect worth it?
Government Technocrats: We can't look our children in the eye ... yadda yadda yadda.
Sure they can go to congress and push for increased funding or whatever for their top cases. Which gives congress a tangible budget number that could be "saved" by passing a law, but politics/congress doesn't really work this way - spending money benefits the administrating critters, the FBI, and the contractors doing the work.
Furthermore, $1M is essentially a small amount and obviously "worth it" for the major sensational events that they'd use to push through backdoors. So it seems they're actually giving up ground by having to move the argument to the urgency for backdoors in cases that aren't worth $1M.
I can see the argument playing for fiscal-primacy authoritarians who would take this as an example of government waste, but they'd already support government backdoors and I don't see this riling them up enough to be worth it.
It seems like a dead-end for propaganda purposes. What am I missing?
Maybe they're just trying to salt the earth so that their technical success in this case does not hinder them arguing for backdoors next time?
>AT&T, for example, imposes a $325 "activation fee" for each wiretap and $10 a day to maintain it. Smaller carriers Cricket and U.S. Cellular charge only about $250 per wiretap. But snoop on a Verizon customer? That costs the government $775 for the first month and $500 each month after that, according to industry disclosures made last year to Congressman Edward Markey.
>And while Microsoft, Yahoo and Google won't say how much they charge, the American Civil Liberties Union found that email records can be turned over for as little as $25.
edit: Apple's encryption fight, for example, is a bit of a wash. It's basically to lure in more users which they can charge more for. The more value the user has for their privacy, the more companies can charge for access.
They are all corporate enterprises, and their responsibility is to profit for their shareholders. When the government offers a legal profitable offer, they have a responsibility to take it. If they are found not to take it, and a group or party finds out and can prove it was a profitable venture, they can attack the company with the courts.
Management has wide-ranging freedom to define what they see as the best course of action and nothing short of fraud is actionable in a court: https://en.wikipedia.org/wiki/Business_judgment_rule.
In this case, the obvious defense would be that for a company such as Apple, the fees they charge the government for access are completely meaningless, compared to the damage the brand could suffer if they're found violating their users' privacy.
At 25$ each as mentioned above, these fees probably don't even cover the costs of having a lawyer take a quick look at it.
[0]: http://www.wsj.com/articles/SB100014240531119034809045765122...
Since I can't read the article, from anyone that can, how did they come to that figure? Is that just the cost of the exploit or..?
Cheers
> Speaking at the Aspen Security Forum in London, FBI Director James Comey didn’t cite a precise figure for how much the government paid for the solution to cracking the phone but said it was more than his salary for the seven-plus years remaining in his term at the FBI.
> His annual salary is about $180,000 a year, so that comes to $1.26 million or more.
> “[We] paid a lot” for the hacking tool, Mr. Comey said. “But it was worth it.”
I wonder how exactly it's worth it, given that nothing of interest or relevance was found on the device.
Seriously, we need to just ban domains that do that (full paywall after 1st paragraph) - it's not really sharing any content with the community.
b) Establish and prove they can do the job. Will get other work like this and be able to charge more. Really no different than what the local handyman or plumber does in some cases.
First, he claimed that he would use "social engineering" to access the phone's data.
Later, he claimed that he could do it easily by clearing the area of flash memory containing the phone's password, apparently unaware of the fact that the password was used as a key to encrypt data.
Source: http://arstechnica.com/security/2016/03/john-mcafee-better-p...