FBI Couldn't Tell Apple What Hack It Used, Even If It Wanted To (qz.com)
An anonymous reader writes: The US Federal Bureau of Investigation doesn't own the technique used to unlock the San Bernardino iPhone, so it can't reveal the method to Apple even if it wanted to, Reuters reported, citing unnamed White House sources. The Washington Post reported yesterday, citing unnamed sources, that the FBI had paid a hacker a one-time fee to use a piece of hardware that allowed it to access the iPhone 5c belonging to one of the San Bernardino, California assailants. The vendor that supplied the hack is a non-US company, according to Reuters. But according to the Post report, it is not the Israeli firm Cellebrite, which had previously been named. The FBI would require the vendor's cooperation in order to submit the technique it used to the Vulnerabilities Equities Process, a mechanism that allows the government to consider whether it should disclose security flaws to manufacturers. It's a move that mirrors Apple's own efforts to create security systems on its phones that even it wouldn't be able to crack, meaning it can't comply with a government order to hand over user data even if it wanted to.
... but when I do, I prefer them to be unnamed.
My Other Computer Is A Data General Nova III.
At least one of these things has to be false:
1) The FBI paid a hacker to unlock the phone and doesn't have access to the technique
2) The FBI is able to help local law enforcement unlock iPhones
Which of these is false? Assuming the FBI isn't going to foot the bill to pay a hacker each time local law enforcement wants an iPhone unlocked, these things are mutually exclusive. Which lie did the FBI tell?
And because the FBI lied, why should I have confidence in law enforcement at all? I understand that they may not want to disclose the details of an ongoing investigation, but that doesn't justify lying about things that don't have to be kept secret to preserve the integrity of the investigation.
IANAL, but it seems like they would have a chain-of-evidence problem here or something like that. Let's imagine, instead of a phone, that the FBI wanted to unlock a safe. So they hire a safe cracker, and he says, "I'm going to unlock the safe, but you can't watch me do it." The safe cracker goes into the room, shuts the door. After a few minutes the safe cracker walks out and says, "It's all yours," wherein the FBI finds an open safe. But now we don't know what happened. Did the safe cracker take anything from the safe? Did he put anything in the safe? The FBI doesn't know for sure.
It seems like there could be a similar problem with the phone. If you don't know how it's done, then how do you know if what you see is what was really in the phone? Did the hacker put something in the phone? Did he take anything out? If there is evidence in the phone that says, for example, that Bob Loblaw was part of the conspiracy, can you trust that information?
Basically, it sounds like the FBI hired someone to make it rain. That person lit a fire, and did a little dance, and it rained. And now the FBI is saying, "Hey, we don't know what the guy did. We're just happy that it's raining."
Proverbs 21:19
I posted relevant portions of the law last week, if you care to read the details. There are two sections that are mainly relevant.
First, DMCA explicitly says that circumvention by or FOR the government is legal. So you can hack it if the government asks you to.
Secondly, and this is important to my job developing security testing tools, DMCA says twice that it is legal to create tools to research the security of the measures as long as those tools aren't used, or intended to be used, for copyright infringement as specified in DMCA.
So it's a lot like gun laws in areas that have Constitutional gun laws - using a gun to commit a felony is an additional crime, but just having a gun is legal. Similarly, building a circumvention tool FOR THE PURPOSE of copyright violation is unlawful, but building it for research, security, and investigation purposes is fine.