SoylentNews is people
SoylentNews
The Washington Post reports that the FBI did not require the services of Israeli firm Cellebrite to hack a San Bernardino terrorist's iPhone. Instead, it paid a one-time fee to a group of hackers and security researchers, at least one of whom the paper labels a "gray hat". It's also reported that the U.S. government has not decided whether or not to disclose to Apple the previously unknown vulnerability (or vulnerabilities) used to unlock the iPhone (specifically an iPhone 5C running iOS 9):
The FBI cracked a San Bernardino terrorist's phone with the help of professional hackers who discovered and brought to the bureau at least one previously unknown software flaw, according to people familiar with the matter. The new information was then used to create a piece of hardware that helped the FBI to crack the iPhone's four-digit personal identification number without triggering a security feature that would have erased all the data, the individuals said.
The researchers, who typically keep a low profile, specialize in hunting for vulnerabilities in software and then in some cases selling them to the U.S. government. They were paid a one-time flat fee for the solution.
[...] The bureau in this case did not need the services of the Israeli firm Cellebrite, as some earlier reports had suggested, people familiar with the matter said. The U.S. government now has to weigh whether to disclose the flaws to Apple, a decision that probably will be made by a White House-led group.
FBI Director James Comey told students at Catholic University's Columbus School of Law that "Apple is not a demon," and "I hope people don't perceive the FBI as a demon." What a saint.
(Score: 5, Insightful) by Anonymous Coward on Wednesday April 13 2016, @07:39PM
When someone has to assure you that they are not "that thing", then most likely they are exactly that thing. All of their actions point towards bad intent, weakening and breaking the security of everyone.
Once law enforcement views the average citizen as innocent and upstanding, and treat them accordingly, THEN I will stop viewing them as demons out to destroy society. Whether they realize it or not, treating a population as criminals by default is probably one of the fastest ways to fracture a society.
Are you a suspect for one reason or another? Prepare to have your rights violated in every way imagined by Hollywood, the "tough" cops will bring their weight down on you simply out of suspicion, and if you're innocent you won't even get an apology. YMMV per department, but as a general trend that seems to be the case in the US at least.
(Score: 0) by Anonymous Coward on Wednesday April 13 2016, @07:49PM
Because they're the police, not the IA department. Why are the FBI the bad guys here, or, why are they the only bad guys here? Not disclosing the info isn't making the iPhones any more vulnerable. It isn't like they know about this technique that is in the wild and suddenly all these phones are at risk. And if you need to build special hardware to implement it, what's Apple going to do about that? Recall all the phones?
Why do the grey hats get a pass? They make a living finding vulnerabilities and selling them. Why aren't we shitting on them for not finding vulnerabilities and giving them away out of the goodness of their hearts?
Why does Apple get a pass as the aggrieved victim? Why don't they purchase all the secrets the grey hats have found and fix them all?
(Score: 3, Interesting) by takyon on Wednesday April 13 2016, @07:52PM
Maybe they don't want to set an industry precedent where companies are extorted or else the vulns are sold to the highest bidder.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by Gaaark on Wednesday April 13 2016, @07:59PM
Yes, they want to be able to say 'We don't bargain with terrorists, we only pay people, who may, for all we know, be terrorists, a one time fee.'
BRING MR. ROBOT TO LIFE: BRING DOWN WALL STREET!
OCCUPY MY COMPUTER CHAIR SO I CAN LINUX, AND PLAY CIV5!!! :)
--- Please remind me if I haven't been civil to you: I'm channeling MDC. I have always been here. ---Gaaark 2.0 --
(Score: 2) by Gravis on Wednesday April 13 2016, @08:17PM
ha! we're way past that point.
(Score: 5, Insightful) by edIII on Wednesday April 13 2016, @08:32PM
The FBI are the bad guys, and have been now for over two decades. They've consistently refused to be bound by due process and slowed down by magistrates blocking warrants. I could go on and on about their history with Ma Bell, Congress, the Clipper Chip, Carnivore 1, Carnivore 2, DSCNet, etc.
Yes, they are truly bad people that think of themselves before the rest of us. You're entirely correct though, they're not the only bad guy here.
The sun coming up doesn't heat up the desert, either.
It isn't like this technique may already be in the wild.... or possessed by China, Russia, or shared with the other 4 participants in the Five Eyes. From that point, it is one corrupt official away and one Mosseck Fonseca shell company from being revealed to people that would use it against us.
I agree with you. They should be shot, or at the very least, have every one of their fingers broken permanently. Gray hats are far worse than black hats. At least black hats are honest about their motivations and what they do. A black hat wants to be paid, or use the information to their advantage. A black hat is a criminal.
A gray hat is somebody flirting with the idea that they actually have a little bit of white in there somewhere because they betray the rest of us to government. As if that is any better than betraying us to organized crime syndicates.
Damn right. Those two should be hiding from the rest of us right now, and for good reason.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 0) by Anonymous Coward on Wednesday April 13 2016, @09:50PM
What about Apple? You giving them a pass, then?
(Score: 2) by butthurt on Thursday April 14 2016, @01:19AM
A pass for what? Creating a platform that has at least one security hole, or failing to assist the government in an investigation?
(Score: 1, Interesting) by Anonymous Coward on Thursday April 14 2016, @03:43PM
He seems to imply that the FBI is under a moral obligation to report the exploit to Apple. He also implies that grey hats are under moral obligations to either stop doing what they're doing, or to reveal every exploit they find. It would seem consistent with his views that Apple would be under a moral obligation to purchase all the known exploits for sale by grey hats so that they could fix them (regardless of their cost, I would suspect).
Shouldn't Apple be compelled to do this? And if not, why hold the other two up to such high standards?
(Score: 2) by butthurt on Thursday April 14 2016, @11:02PM
He takes [soylentnews.org] the extreme view that grey hat security researchers "should be shot." Assuming the meaning is shot to death, that would forestall the possibility of them selling, or revealing, their discoveries.
Apple have found it profitable to not offer a bug bounty. [nytimes.com] Perhaps they'll reconsider. Compelling them to pay for security research isn't in the cards.
(Score: 2, Interesting) by Arik on Wednesday April 13 2016, @10:42PM
If we designed stuff for security this would be a very different situation. We don't, Apple actually does a better job than most, and they are HORRIBLE at it.
And not just Apple but all their competitors as well *should* be expected to secure their devices at their own expense. Designing it in from the start is expensive, but patching an insecure design later much worse. They go with the latter simply because our legal system, combined with customer ignorance, allows them to externalize the costs of their crappy designs.
If laughter is the best medicine, who are the best doctors?
(Score: 1, Insightful) by Anonymous Coward on Wednesday April 13 2016, @11:23PM
(Score: 2) by edIII on Thursday April 14 2016, @12:24AM
You're entirely correct. The FBI was born bad. Hoover was a true piece of shit in the same mold as McCarthy.
I was limiting my comments specifically to more advanced telecommunication systems that started in the late 80's.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 0) by Anonymous Coward on Thursday April 14 2016, @01:24AM
In those days they were at least trying protect us from the communists and the blacks. What they're doing now is inexcusable.
(Score: 5, Insightful) by stormwyrm on Wednesday April 13 2016, @11:39PM
They have been the bad guys for way, way more than two decades... As long ago as 1945 President Truman already had this to say about the FBI: "We want no Gestapo or secret police. The FBI is tending in that direction. They are dabbling in sex-life scandals and plain blackmail. J. Edgar Hoover would give his right eye to take over, and all congressmen and senators are afraid of him." Have you all forgotten what they did under a program called COINTELPRO [wikipedia.org]? Under that program, among other things, they did surveillance on Martin Luther King and after digging up some sordid details of his private life they actually urged him to commit suicide [wikipedia.org]. I think it's pretty hard to find a time in its history when the FBI were actually the good guys.
Numquam ponenda est pluralitas sine necessitate.
(Score: 3, Interesting) by edIII on Thursday April 14 2016, @12:27AM
You are entirely correct, and I was just trying to limit it to the telecoms bullshit that really got going in the late 80's when Ma Bell was standing up to them for it. They were responsible for getting Congress to disband them, for no other reason than to disband the security department in Ma Bell. They were so fucking unreasonable in Ma Bell. Each, and every warrant was inspected and those assholes protected our rights! Yeah, no wonder Ma Bell had to be broken up as a monopoly right?
I was being too gracious.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 3, Informative) by bitstream on Thursday April 14 2016, @01:41PM
Apple has already done the next step that may protect against this. And that is "secure domain" which in essence is a separate microcontroller that communicates only via one communication channel. To defeat that one would need to decap and interface directly with the chip die.
Apple 5 and lower phones have flaws that a determined opponent may exploit without decap.
(Score: 0) by Anonymous Coward on Thursday April 14 2016, @04:19PM
wow, you're some sort of super moron!
(Score: 4, Interesting) by Anonymous Coward on Wednesday April 13 2016, @07:57PM
Apple can't sue the FBI for hacking the phone but they should be able to force them to reveal who hacked the phone considering it's a violation of the DMCA. Law enforcement may not have to follow laws but third parties do.
I hope Apple drags the FBI to court to reveal who did it. The third party may have immunity from criminal proceedings - thanks to the FBI - but not civil liabilities.
(Score: 3, Funny) by Nerdfest on Wednesday April 13 2016, @08:56PM
Law enforcement most certainly does have to follow laws.
(Score: 2) by PartTimeZombie on Wednesday April 13 2016, @10:15PM
Law enforcement most certainly does have to follow laws.
Theoretically you're quite right, in practice if an agency or individual has protection, they don't really have to.
The Iran/Contra affair showed that any agency of the US Government is above the law.
(Score: 3, Interesting) by frojack on Thursday April 14 2016, @01:17AM
The third party may have immunity from criminal proceedings - thanks to the FBI - but not civil liabilities.
I suspect the third party is not subject to civil liabilities because the are all Israelis (moon lighting from Cellebrite). Cellebrite has every reason not to become a target of every other hacker group in the world, and a little plausible deniability goes a long way.
But more to the point....
Isn't it interesting that we are talking about how they did it and who helped them, and nobody is saying a word about the fact that they FOUND NOTHING ON THE PHONE. Its like the old Jedi mind trick all over again.
No, you are mistaken. I've always had this sig.
(Score: 1, Interesting) by Anonymous Coward on Thursday April 14 2016, @08:55AM
We all predicted there was nothing on the phone. This was never about "only this one phone" no matter how many times the FBI made that claim in court, in front of Congress or in the press.
(Score: 5, Informative) by Gravis on Wednesday April 13 2016, @08:20PM
"Apple is not a demon,"
"I hope people don't perceive the FBI as a demon."
notice he didn't actually say that the FBI isn't a demon. (≧∇≦)/
(Score: 1, Informative) by Anonymous Coward on Wednesday April 13 2016, @09:47PM
Of course it's not. The FBI isn't a single entity. It's not a demon, it's a horde of demons.
(Score: 0) by Anonymous Coward on Wednesday April 13 2016, @09:00PM
They totally got that guy from the Die Hard movie to take a break from hacking into the DOD on his laptop and crack this iPhone.
(Score: 1) by evil_spork on Wednesday April 13 2016, @09:01PM
The director should be dragged in on the carpet by congress on the ethics of using hackers at this level. More likely, they bought the hack on the black market or otherwise quietly, and this wasn't the first time they have done so. If they paid them using government funds, let's hope they kept track of the funds used.
(Score: 0) by Anonymous Coward on Thursday April 14 2016, @01:30AM
--Jeremy Bentham (inventor of the Panopticon)
(Score: 0) by Anonymous Coward on Thursday April 14 2016, @05:54AM
We're talking about the creations of Hoover and Jobs. No ethics involved whatsoever!
(Score: 2) by inertnet on Wednesday April 13 2016, @10:14PM
The article says that they needed a piece of hardware to take advantage of a software flaw. Could it be that they disabled a memory write line and the software doesn't read back to check if the write was successful? Did they also find a way to disable the timer that adds a delay after a failed attempt? I hope we'll get an answer someday.
(Score: 2) by frojack on Thursday April 14 2016, @01:20AM
THAT'S what you want to ask them?
Nothing about "did you find anything of value on the phone or was this more security theater"?
No, you are mistaken. I've always had this sig.
(Score: 0) by Anonymous Coward on Thursday April 14 2016, @04:28AM
They'll just lie about it:
https://theintercept.com/2014/10/17/draft-two-cases-cited-fbi-dude-dumb-dumb/ [theintercept.com]
https://theintercept.com/2015/09/15/fbi-keeps-telling-purely-theoretical-encryption-horror-stories/ [theintercept.com]
https://theintercept.com/2015/02/26/fbi-manufacture-plots-terrorism-isis-grave-threats/ [theintercept.com]
https://theintercept.com/2015/03/16/howthefbicreatedaterrorist/ [theintercept.com]
(Score: 2) by CirclesInSand on Thursday April 14 2016, @01:20AM
They probably called tech support and pretended to be a housewife who forget who password.
Really though there are several possibilities. All they really need to be able to do is get the raw data off the disk, checking passwords becomes trivial after that. And odds are, they would have probably had a hard time trusting anyone unless that is what they were doing, since it isn't like you get a second chance if you screw up. I wonder whether the hardware supplier for the chips disclosed the VLSI or whatever for it.
(Score: 0) by Anonymous Coward on Thursday April 14 2016, @04:32AM
FBI Director James Comey told students at Catholic University's Columbus School of Law that "Apple is not a demon," and "I hope people don't perceive the FBI as a demon."
FYI, here's the talk this is referring to:
https://www.youtube.com/watch?v=-VL4cDLdP1g [youtube.com]
I haven't watched it yet but it might be neat.
(Score: 0) by Anonymous Coward on Thursday April 14 2016, @04:27PM
the FBI is a terrorist organization and are enemies of the people and should be treated as such.