FBI Couldn't Tell Apple What Hack It Used, Even If It Wanted To (qz.com) 99
An anonymous reader writes: The US Federal Bureau of Investigation doesn't own the technique used to unlock the San Bernardino iPhone, so it can't reveal the method to Apple even if it wanted to, Reuters reported, citing unnamed White House sources. The Washington Post reported yesterday, citing unnamed sources, that the FBI had paid a hacker a one-time fee to use a piece of hardware that allowed it to access the iPhone 5c belonging to one of the San Bernardino, California assailants. The vendor that supplied the hack is a non-US company, according to Reuters. But according to the Post report, it is not the Israeli firm Cellebrite, which had previously been named. The FBI would require the vendor's cooperation in order to submit the technique it used to the Vulnerabilities Equities Process, a mechanism that allows the government to consider whether it should disclose security flaws to manufacturers. It's a move that mirrors Apple's own efforts to create security systems on its phones that even it wouldn't be able to crack, meaning it can't comply with a government order to hand over user data even if it wanted to.
I may not always quote sources... (Score:5, Funny)
... but when I do, I prefer them to be unnamed.
Re:Nice (Score:4, Interesting)
One wonders if they set up a little fake company so they could use some technique buried deep inside the NSA, so they could hide it from court examination. There is no plausible parallel construction lie.
As the guy is dead, there is no trial, and thus no defense lawyers to force the issue.
Re: (Score:2)
According to both unnamed sources an unnamed entity used an unnamed technique for the hack.
Find out more next episode.
Which lie did the FBI tell? (Score:5, Insightful)
At least one of these things has to be false:
1) The FBI paid a hacker to unlock the phone and doesn't have access to the technique
2) The FBI is able to help local law enforcement unlock iPhones
Which of these is false? Assuming the FBI isn't going to foot the bill to pay a hacker each time local law enforcement wants an iPhone unlocked, these things are mutually exclusive. Which lie did the FBI tell?
And because the FBI lied, why should I have confidence in law enforcement at all? I understand that they may not want to disclose the details of an ongoing investigation, but that doesn't justify lying about things that don't have to be kept secret to preserve the integrity of the investigation.
Re: (Score:2)
I don't think that the FBI should be above the law (even contract law)
Apparently you are not familiar with the concept of Sovereign Immunity?
Re: (Score:2)
Sovereign Immunity is not a blank check. The FBI (or any other agency) cannot have the legal authority to trump the legal process by contract. That would allow them to trump discovery in any court case by constructing contracts that prevent disclosure.
"Your Honor, your order to produce the basis for the evidence against the plaintiff is trumped by our contract with party X to not disclose that." Nope.
It would work if they actually don't have that information, not if they 'promised' not to disclose it.
Re: (Score:3)
Sovereign Immunity is not a blank check. The FBI (or any other agency) cannot have the legal authority to trump the legal process by contract. That would allow them to trump discovery in any court case by constructing contracts that prevent disclosure.
"Your Honor, your order to produce the basis for the evidence against the plaintiff is trumped by our contract with party X to not disclose that." Nope.
It would work if they actually don't have that information, not if they 'promised' not to disclose it.
You either work for the government and/or have never sued the government.
You say that Sovereign Immunity doesn't trump Discovery? Well, technically that is true; but as soon as you file a Discovery Request, the Gummint WILL immediately file two Motions (well, they will probably have already filed a Motion To Dismiss based on that Sovereign Immunity), but they will DEFINITELY file for a "Stay" of your Discovery Request "Until the Motion To Dismiss is Adjudicated." They will trot out two metric tons of
Re: (Score:2)
The problem for the FBI comes the next time they want Apple to do something. Apple could reasonably request them to explain why the method they used before is not applicable now.
Re: (Score:2)
The problem for the FBI comes the next time they want Apple to do something. Apple could reasonably request them to explain why the method they used before is not applicable now.
Yeahrightsure.
Re: (Score:3)
They are probably both true: the FBI knows how to unlock some phones themselves, and for others, they need outside help.
It should be obvious to anybody that civilization requires jackbooted thugs carrying guns and protected by (un)qualified immunity reading your E-mail. For the children. And so that you don't cheat on your taxes. Seriously, do you want to live in SOMALIA?
Re: (Score:2)
What he wrote is no different than me writing that you have no credibility because your score is zero or because you are posting anonymously. Do you agree that the prior statement has no foundation?
If you agree then you'll agree that the parent comment had no foundation and was intended to draw in the sheep behind him because you know how spitting on authorities is popular on /.
If we are going to start modding up implied facts then we are in for further dilution of content on /.
Re: (Score:2)
Screw people like you that turn whatever they read into unneeded arguments.....
Actually, I'd rather not, thank you. They're probably the kind to fake their orgasms..
Re: (Score:2)
I pointed out a comment that was modded up which should not because it was implied and not factual. But don't worry, the majority of users on /. took care of making sure it was treated like fact just because it goes with their own opinion. It's just unfortunate opinions for some aren't based on facts.
Meh. (Score:2)
The FBI's ever changing story is flaky to say the least. On the other hand, I don't really care.
But what about when they need it next time? (Score:2, Insightful)
Certainly someone in government could reverse engineer the code to enable re-use?
Who would be the wiser? I mean besides defendants who suddenly start seeing the contents of their phones used as evidence against them in trial.
I mean, if the company that licensed the software to the FBI tried to force them to reveal their decryption technique, could the FBI then argue that releasing such code into the wild could result in the widespread hacking of iPhones around the planet? You know, turn the tables a bit
Re: (Score:3)
Certainly someone in government could reverse engineer the code to enable re-use?
From the "story":
the FBI had paid a hacker a one-time fee to use a piece of hardware that allowed it to access the iPhone 5c
...which actually is an interesting clue.
Re: (Score:3)
They desoldered the chip, cloned it, and cracked it, using brute force. From how fast it took to actually crack it, it probably wasn't that difficult once the chip was cloned. And this would hardly be a "hack" of the phone. It would require specific skills and direct access to the phone.
Physical access to the hardware has always been a security concern from the origins of computing.
Re: (Score:2)
What you said isn't at odds to what I said. I didn't say who did the desoldering or the brute attack, I just said how it was done. And quite frankly it doesn't matter "who" did it, but the how.
Re: (Score:1)
What I find ironic is that they feel they can force a company focused on securing devices to make those devices less secure, and yet, they didn't try to force a company that specializes in breaking secure devices from revealing how it was done.
Sure seems like they could give a rat's ass about security, and those who break security for a living are the good guys here?
Can we trust what they found? (Score:5, Insightful)
IANAL, but it seems like they would have a chain-of-evidence problem here or something like that. Let's imagine, instead of a phone, that the FBI wanted to unlock a safe. So they hire a safe cracker, and he says, "I'm going to unlock the safe, but you can't watch me do it." The safe cracker goes into the room, shuts the door. After a few minutes the safe cracker walks out and says, "It's all yours," wherein the FBI finds an open safe. But now we don't know what happened. Did the safe cracker take anything from the safe? Did he put anything in the safe? The FBI doesn't know for sure.
It seems like there could be a similar problem with the phone. If you don't know how it's done, then how do you know if what you see is what was really in the phone? Did the hacker put something in the phone? Did he take anything out? If there is evidence in the phone that says, for example, that Bob Loblaw was part of the conspiracy, can you trust that information?
Basically, it sounds like the FBI hired someone to make it rain. That person lit a fire, and did a little dance, and it rained. And now the FBI is saying, "Hey, we don't know what the guy did. We're just happy that it's raining."
Re:Can we trust what they found? (Score:4, Insightful)
Sure, it might not be admissible, but that won't stop them from creating warrantless wiretaps using the info found in the phone and then they can use evidence gathered there in court.
It should matter, but in this day and age, it really doesn't.
Re: (Score:1)
"It should matter, but in this day and age, it really doesn't."
I'll bet it matters to the poor SOB who is facing a life sentence based on a parallel-construction which is based on fabricated evidence, and his lawyer.
Re: (Score:2)
"It should matter, but in this day and age, it really doesn't."
I'll bet it matters to the poor SOB who is facing a life sentence based on a parallel-construction which is based on fabricated evidence, and his lawyer.
There's no need for parallel construction based on fabricated evidence here. That's only necessary when the investigators have no *legal* authorization to perform a search. In this case they had total legal authority to extract the contents of the phone, they just lacked the practical ability to do it. The extraction process may mean that any information from the phone that is presented as evidence in court can be challenged by the defense (probably not excluded, but impeached), but there's absolutely no pr
Re: (Score:2)
it seems like they would have a chain-of-evidence problem here
There is no problem, because the terrorist is dead. They are not prosecuting him, thus there is no defense team nit-picking their tactics.
Re: (Score:2)
Yet. https://en.wikipedia.org/wiki/... [wikipedia.org]
Except that is not applicable here. The FBI had a warrant to recover information from the phone, so how they did it is irrelevant to weather or not the evidence was obtained legally. In addition, even if a court decided there wasn't probable cause for the FBI to search the phone, since the FBI did the search in good faith believing the search was legal then the good faith exception would apply.
Re: (Score:2)
What has the weather got to do with it?
Because when the DOJ decides to charge you their motto for bringing charges is "When it rains, it pours..."
Alternatively, I hate auto correct...
Re: (Score:3)
Yes, but even if they have a warrant, they still need to maintain proper chain of evidence. That's really the issue I'm talking about. If the FBI can't see what the hacker did to the phone, how do they know, without a shadow of a doubt, that what they found in the phone was actually there and not planted by the hacker?
Re: (Score:2)
Yes, but even if they have a warrant, they still need to maintain proper chain of evidence. That's really the issue I'm talking about. If the FBI can't see what the hacker did to the phone, how do they know, without a shadow of a doubt, that what they found in the phone was actually there and not planted by the hacker?
Since they would act on the information in a good faith belief it was accurate, if they found other evidence as a result of an investigation I would doubt the courts would toss out a case. I would agree they can't just grab the person and charge them based on a connection or text on the phone; but using it to start an investigation would not seem to be an issue even if they cannot establish with 100% certainty the information was not planted. The standard is reasonable doubt, not shadow, and is really only
Answer a question? (Score:2)
it seems like they would have a chain-of-evidence problem here
There is no problem, because the terrorist is dead. They are not prosecuting him, thus there is no defense team nit-picking their tactics.
Can you answer a question for me?
Suppose rooting around on the phone they find evidence of someone helping them plan and execute their crimes. Suppose the evidence doesn't directly indicate culpability, but strongly implies it.
Can that be used as evidence against such a 3rd party conspirator?
Would chain-of-evidence be broken, and could that be used as a defence in court?
Re: (Score:2)
Depends. If the phone is the only logical evidence tying both people together, then the FBI has a major problem, because a competent defense attorney would first ask what t
Re: (Score:3)
As for the FBI case, they probably don't care about chain of custody, as the person using the phone is already dead. Nothing from that phone is going to see a court, so they don't have to keep meticulous chain-of-custody for it.
As for other law enforcement agencies using this "service" that is probably a legitimate question.
Re: (Score:2)
Not only that, but they took the safe, sent it outside the country to probably a we-spy-back-on-the-US country (eg. Israel) and let not just the hacker but possibly a host of other countries it passed through on the way (whatever North-African or European country UPS/FedEx has a depot in) mess with the phone.
An unfortunate new reality (Score:1)
"can't comply with a government order to hand over user data even if it wanted to."
Which is unfortunately what all manufacturers/software developers should be working towards. We're seeing case after case where government orders affect the purchased and owned products of consumers, most of whom are completely innocent. Cases where people have books deleted off of their E-readers because some court order to the company that makes the reader, DVRs being remotely disabled because of a patent dispute, and car
The problem with non-disclosure legally (Score:3)
Re: (Score:2)
The evidence doesn't need to be admissible, it just needs to point them to the people they should get warrantless wiretaps against so they know who to monitor for evidence they can use. Awful, isn't it?
Re: (Score:1)
But But But .... Global Warming Deniers need to be prosecuted!
No Reports About what they FOUND on the phone (Score:3)
Maybe the contents of the phone contained NO helpful information pertaining to the investigation - and perhaps the FBI doesn't want to admit that they jumped created this huge FUSS and it provided no distinctive investigative advantage over not having access to the data on the phone.
Re: (Score:1)
I believe I noted something similar in another board when this whole thing began. "We'll see one of two outcomes. They crack it and find something crucial in which case they'll saturate every news service and press conference with a "this proves we need backdoors into consumer devices by law". Alternatively they crack it and find nothing, they claim that they are "still assessing" the information for months/years and eventually quietly release a hundred page report that effectively says "we found nothing
..."can't do it, even if i/it/they/we wanted to.." (Score:2)
Court Order (Score:2)
Perhaps Apple could get a court order forcing the FBI to expend resources to figure out how to get the information it claims it can't access. That would be reasonable, right?
That can't be true (Score:2)
Re: (Score:3)
That can't be true. If they found data that led them to a conspirator, they would want to arrest that person. They would need to have evidence to present in that person's trial that they participated in this terrorist event. I can't imagine that their plan is that if the defendant's attorney asks them how they got this data, they'll just say "some un-named third party pulled this data out of their own hardware and assured us their hardware had copied it from this mobile phone."
Your honor, the phone data merely indicated possible suspects. We conducted an investigation, based on that and other information in addition to ongoing investigations, determined the defendant was conspiring to commit terrorist acts.
The phone data would merely be one piece of evidence used and probably only point to possible additional suspects. In essence, it's no different than a tip that comes in anonymously.
DMCA (Score:2)
Doesn't the DMCA have some anti-circumvention measures in there? While the FBI may be immune to that sort of thing, I'm pretty sure that circumventing encryption for profit is not exempt, aside from being a criminal offence. Despite the fact that the phone belonged to an alleged criminal, afaik it is still illegal for a private individual to hack into it.
DMCA allows it (Score:5, Informative)
I posted relevant portions of the law last week, if you care to read the details. There are two sections that are mainly relevant.
First, DMCA explicitly says that circumvention by or FOR the government is legal. So you can hack it if the government asks you to.
Secondly, and this is important to my job developing security testing tools, DMCA says twice that it is legal to create tools to research on the security of the measures as long as those tools aren't used, or intended to be used, for copyright infringement as specified in DMCA.
So it's a lot like gun laws in areas that have Constitutional gun laws - using a gun to commit a felony is an additional crime, but just having a gun is legal. Similarly, building a circumvention tool FOR THE PURPOSE of copyright violation is unlawful, but building it for research, security, and investigation purposes is fine.
Re: (Score:2)
This is why I've said all along that this is a bad case for Apple to be pursuing this line of objection. Basically, Apple was refu
So what did they find already? (Score:2)
Was it worth all this commotion? Will they stop future terrorist attacks from the information retrieved?
Why is this not the question everyone is asking??
so didn't the hacker violate DMCA? (Score:1)
by going around the protective mechanisms?
So FBI hired someone they consider a criminal and ignored the crime.
Shouldn't be hard to figure out (Score:2)
Supposedly, the exploit works on the 5c, but wouldn't work on the 6. It should not be that hard for Apple to check the design history to see what holes they plugged between those designs.
Re: (Score:2)
I think it is funny people think Apple does not already know what the FBI had done. They suggested several times that the FBI could get into the phone on their own.