FBI Tells Congress It Needs Hackers To Keep Up With Tech Company Encryption

An anonymous reader quotes a report from BuzzFeed: A high ranking technology official with the FBI told members of Congress Tuesday that the agency is incapable of cracking locked phones and devices on its own, even with additional resources. Amy Hess, the agency's executive assistant director for science and technology told a panel of the House Energy and Commerce Committee that encrypted communications continue to pose a challenge to the American law enforcement, and to the safety of the American public. But when asked by lawmakers to provide a practical solution beyond the FBI's talking points, she said that the cooperation of technology companies would be necessary. According to the New York Times, "The FBI defended its hiring of a third-party company to break into an iPhone used by a gunman in last year's San Bernardino, Calif., mass shooting, telling some lawmakers on Tuesday that it needed to join with partners in the rarefied world of for-profit hackers as technology companies increasingly resist their demands for consumer information." They are stressing the importance of cooperation with tech companies and "third parties" to help fight terrorism, claiming they do not have the capabilities and resources available to crack encrypted devices. Congress is currently debating potential legislation on encryption.

Dear FBI and US Gov

[Quzak]

We will keep making more sophisticated encryption. You will not beable to keep pace with our progress. We do not want you in our devices, fuck your laws. Crapfully yours, The internet

Re:Dear FBI and US Gov

[msauve]

It's a free speech issue. Whether someone chooses to speak in plain English, Swahili, or encryption, it all falls under an absolute right to speak as they wish.

Sure, the anarchists/communists/terrorists/boogyman may get away with something, but that's the cost of freedom. With liberty comes risk. And it's liberty which we've been guaranteed, not security against all comers.

Re:Dear FBI and US Gov

[ArmoredDragon]

I think one of the bigger things hurting the FBI is they are so exclusive towards otherwise talented people compared to the private sector, and so their human resource pool leaves a lot to be desired. For example, even though polygraph is nothing more than an intimidation tactic that is basically useless, (and people who know it's a load of crap aren't intimidated by it) they won't hire anybody without subjecting them to it. They also exclude anybody who has at any point in their life consumed cannabis, which is in many ways more benign than alcohol.

On top of it all, they don't pay shit compared to private sector jobs. (In only my second year after graduation, I already make more than most FBI agents at GS12 by just doing datacenter work.)

Re: Dear FBI and US Gov

[macs4all]

When hardware encryption fails, software encryption will just get stronger.

Now, I came to comment in this article, because I'm curious if there has been any information on what they found on the phone. Is there anything of interest, or are they just keeping silent about it, because they didn't find anything of note, as many had thought before they broke into it?

Their silence tells you everything you need to know.

Re:Dear FBI and US Gov

[spire3661]

"You're ability to type in spite of sub-Human levels of sentience makes me sick."

well played........

Re: Dear FBI and US Gov

[dcw3]

Their silence tells you everything you need to know.

Really? Any idea how long it takes to chase down leads, especially if it connects to unfriendly places? How long did it take to hunt down Bin Laden, and did we get a play-by-play while it was going on? No, your premise that it tells you anything isn't logical.

Re: Dear FBI and US Gov

[TapeCutter]

Oh please, if the FBI had found anything even remotely useful they would be publicly beating Apple and lawmakers over the head with it. This whole saga is nothing more than a political wedge to extend their powers of search and seizure.

Re: Dear FBI and US Gov

[macs4all]

Oh please, if the FBI had found anything even remotely useful they would be publicly beating Apple and lawmakers over the head with it. This whole saga is nothing more than a political wedge to extend their powers of search and seizure.

What he said.

Re: Dear FBI and US Gov

[StikyPad]

So does, say, the news.

Not surprising, since they thoroughly destroyed everything with pertinent information on it. Why would they leave the iPhone untouched unless it was -- unsurprisingly -- used only for the purpose it was issued: work. This guy (or couple) was clearly exercising opsec, not even talking to their relatives about their feelings, let alone their plans, so it would have been more surprising if they had found anything on it.

Re:Dear FBI and US Gov

[TechyImmigrant]

We will keep making more sophisticated encryption. You will not beable to keep pace with our progress. We do not want you in our devices, fuck your laws.t

As one of the people who makes the crypto in the devices, I am delighted that the overreaching government actions have made it much easier for me to argue to do the right thing in terms of taking security seriously at all levels in our products and I assume this is the same in many companies. People have been claiming to do this for ever, but the apple-fbi thing really got engineers to think about it the right way.

Re:Dear FBI and US Gov

[Steve+B]

touch screen phones are difficult to secure with complex passwords

That's why one of the built-in security features is to accept password input only via the touchscreen, and only with escalating time delays after a few wrong guesses. Those are two of the features the government wanted Apple to bypass by writing a custom FBiOS.

Re:Dear FBI and US Gov

[tom229]

Those security features require the data to be mounted within the iPhone's runtime processes. You can always reverse engineer (or get a source code leak of) their encryption algorithm, mount the data (or a copy of it) externally, and brute force it that way. A 4 digit pin is what? 100,000 combinations? It wouldn't even take a second to brute force. I'd imagine this is close to what the FBI ended up doing.

Re:Dear FBI and US Gov

[Mr.CRC]

Sounds like a cult the way you describe the FBI.

Hackers?

What are we paying the NSA for?

Re:Hackers?

[gweihir]

The NSA is not into getting convictions and keeping the prisons full. The NSA is into getting information. They will never expose a source unless there is an extremely good reason from _their_ POV. Incidentally, that is why no state with an intact rule-of-law ever allows information from a secret agency to be used by law-enforcement.

Privacy in the past

I find it strange that nobody seems to mention that law enforcement worked just fine in ancient history when private conversations were not recorded at all. The government could not get a transcript on demand because there was none. Likewise, the government still is unable to read our thoughts. Why should a thought be treated differently when it is expressed in speech or electronically through writing? Why should the government feel hamstrung by inability to read our encrypted written thoughs when it still can not read them while they reside in our heads? Should we not demand that both be treated as private without question and inaccessible to government extortion? Law enforcement has done just fine without reading our thoughs for centuries; it should do just fine in the future without reading our encrypted letters.

Re:Privacy in the past

[NotInHere]

If there were thought reading devices (and I'm sure there will be one day), they'd want them to be used as well.

Re:Privacy in the past

[desdinova+216]

but curing the causes would cost money. not generate money for the law enforcement/corrections industr

Re:Privacy in the past

[tom229]

I know right? And he was voted 5 insightful. For having an utterly delusional and just plain ridiculous point. It kind of shows you what slashdot has become.

Hmm

[liqu1d]

Public vs private pay packet? Easy win.

After running Edward Snowden out of town

[Hadlock]

Should it come to any surprise that the people they need don't want to work for the government? Or fled to Berlin to escape a similar fate?
 
If you keep backdooring encryption and ostracizing your own citizens who are strong on security, you can't expect to have any citizens who particularly want to help you out.
 
You can't just throw warm bodies at the problem like you can with traditional war. The Germans lost Einstein and countless other academic Jews to countries like the United States and Russia in WW2, and now the same thing is happening with security experts in the United States. Good luck with that.

Re:After running Edward Snowden out of town

Pretty much this.

The U.S. government has more-or-less shown their disdain for "hackers" - and Congress jokes about their distaste for "technology" every chance they get, with several of them often reminding people that they don't use email, etc. as if that's some kind of evil.

Technologically-inclined individuals are often treated with distrust and suspicion - especially if they're security researchers trying to show others how poorly their personal data is being handled.

Why would those in this sector give a rat's ass about the government's "need" for talent? They're gonna have to be throwing around some serious money to get attention - and even then, they're likely to just attract the moronic contractors that feed on taxpayer money without delivering much value.

Re:After running Edward Snowden out of town

The irony of this is that due to US anti-hacking laws, those hackers are likely to increasingly come from overseas which could completely turns the NSA's dual directives on their head of foreign signals intelligence and domestic signals defense. They'll have to work with foreign hackers for domestic signals intelligence.

Re:After running Edward Snowden out of town

[gweihir]

Indeed. One of the last steps in this process is prevent citizens from leaving the country by use of mine-fields, electric fences, etc. to limit the brain-drain. That has never worked well either.

Re:After running Edward Snowden out of town

[gweihir]

Very much this. In addition, you will find very few bright, capable and educated people that will want to work for the government in the first place. The government is where ideas, enthusiasm and individual freedom goes to die and they pay badly in addition. It is a valid way out for the mediocre that just want a master to serve, but that is it.

Re:After running Edward Snowden out of town

[nehumanuscrede]

What has my curiosity at the moment is this:

While the lawmakers made sure that the Government and various law enforcement agencies are exempt from the circumvention rules of the DMCA, I don't see where that would apply to the use of non-government or non-law enforcement talent. Being within the employ of the FBI itself, ( thus subject to US laws ) is one thing, resorting to non-US talent is quite another.

How can we hope to keep anything in check if our own government is going to utilize non-US talent to circumvent those pesky laws ?

Re:After running Edward Snowden out of town

[Agripa]

Indeed. One of the last steps in this process is prevent citizens from leaving the country by use of mine-fields, electric fences, etc. to limit the brain-drain. That has never worked well either.

It does not work in Sim City either. Of course I lacked mines and fencing and could only bulldoze the roads leading away.

incompatible

[supernova87a]

Maybe if the FBI stopped requiring drug tests and lie detector tests for those employees it wants to be security and programming experts / hackers of its own, they might get some better applicants. The Venn diagram of those qualities reduces your option pool by quite a lot.

Re:incompatible

Most hackers would not compromise their ethics enough for the FBI

Re:incompatible

[nicoleb_x]

How can you insult the intelligence of hires with a "lie detector" test? I mean you walk in and they say, oh we want the best and brightest, now line up for your lie detector test. Really, does that work?

Re:incompatible

[PRMan]

I've never done drugs but I would never work for the FBI, especially with the last 2 directors at the helm.

We hackers are happy to help the good guys. Not FB

[raymorris]

I've worked in information security for a long time. I 've spoken with colleagues at various government agencies and learned that indeed they don't have a expertise far beyond what's available in the private sector; the movies are as fictional in that respect as they are in others. They do need assistance from the private side of the infosec community.

Fifteen years ago, I would have been happy to assist those who protect and serve if they were working on some actual crime, such as a murder case I was once contacted about. Since Snowden and other events, it's become quite clear that the federal government is not the good guys, for any definition of "good guys".

There's no single solution, but there is one thing that would really help. Prior to 9/11, international spy agencies such as the NSA were prohibited from sharing information with domestic police at agencies such as the FBI. The thinking was that the techniques and mindset used against our enemies, such as North Korea, shouldn't be used against our own citizens. After 9/11 it was determined (correctly) that the prohibition on cooperation made it more difficult to defend against attacks, so the rules were weakened or eliminated and cooperation between intelligence and law enforcement was encouraged. We need to put those walls back in place. Yes it will make defending against attacks more difficult, but it's worth it because the alternative turns out to be having the NSA and FBI attacking the citizens.

This will not end well

[Sir+Holo]

The FBI wants to grow the market-sector of black-hat hacking? (Yes, I know, but language evolves, so I use the 'press-accepted' term here.)

In what reality could this conceivably be a good idea? Tons of new "exploit-mining" companies would spring up. Many would then have the FBI as perhaps one of their clients.

We already saw this with Symantec in the 1980's giving away $50 for each 'new' or even 'variant' of a virus that someone 'discovered'. They helpfully provided examples – you know, for training and reference purposes. We ended up with tons of variants on the first PC viruses, with someone changing a single line of a text string in an irrelevant way – such as changing the text displayed.

Back to the FBI hoping to contract this work out: WTF? That's worse than making this part of the revolving door between government service and private-sector employment.

Re:This will not end well

[Sir+Holo]

I missed mentioning that current US Law on 'cyber-security' would mean that most or all of these new companies would be based outside of the US, quite likely putting them beyond the reach of US Law (outside their contracts with the FBI), as long as they chose their country-of-incorporation and activity wisely.

Re:This will not end well

[andrewbaldwin]

As is often the case, Terry Pratchett had some wise/comic insights which are relevant.

"How Vetinari himself ascended to the Patricianship is a story yet untold. It is known that his advice was heeded by Snapcase's administration on at least one occasion: when a 20p bounty on rat tails was introduced to combat a serious rodent infestation, but threatened to drain the treasury dry without curtailing the rats' numbers. Vetinari's suggestion to "tax the rat farms" provided an early demonstration of his shrewd political insight. "

Re:This will not end well

[Sir+Holo]

As is often the case, Terry Pratchett had some wise/comic insights which are relevant.

"How Vetinari himself ascended to the Patricianship is a story yet untold. Vetinari's suggestion to "tax the rat farms" provided an early demonstration of his shrewd political insight. "

Relevant and incisive quote indeed!

Re:This will not end well

[tom229]

I think as soon as you start "hacking" for law enforcement the color of your hat changes. Isn't that the entire definition?

Re:This will not end well

[Sir+Holo]

I think as soon as you start "hacking" for law enforcement the color of your hat changes. Isn't that the entire definition?

To what?

"Blue-hat" hacker?

Shall we coin a term right here, right now? (I do not advocate this idea.)

Re:This will not end well

[tom229]

Red-white-and-blue hat.

U-S-A! U-S-A!

And so

[mentil]

The FBI becomes indistinguishable from black hats.

Who else?

[IMightB]

Who else are they going to turn to? All the honest, moral people gave them the finger.

Re:Who else?

[PRMan]

No. They gave us the finger.

Re:Who else?

[tom229]

No, no, Apple gave them the finger. Before you continue to have an opinion on this I'd suggest you read the full text of the court order. It's very easy to find online, it's short, and it's in plain English. It includes provisions in it that allow Apple to set up a secure lab for which the fbi only has remote access to, among other provisions. The order is very careful to make sure the fbi only has access to this one device. The permanent backdoor hyperbole was crafted by Apple and worked very well on a population that couldn't be bothered to actually research the facts. All indications are that Apple Inc is using our fears of losing or civil rights to run a public relations campaign. Conveniently close to when their new major version iPhone releases that will no doubt boast enhanced security.

Re: The Republican-ruled FBI...

[dcw3]

Ah, and in the last eight years, what had the Obama administration done to counter that? Fucking moronic AC.

Re: The Republican-ruled FBI...

[dcw3]

Umm, no. The executive branch doesn't control the judicial.

Re: The Republican-ruled FBI...

[dcw3]

No, executive orders can be reversed at any time by the occupant of the White House. Nice try.

Re:We hackers are happy to help the good guys. Not

[TheRaven64]

It's a general problem with police forces in general. A police force can only function effectively if it has the consent and support of the population. To do this, it has to be seen as being on the side of the majority of the population. When you pass laws that criminalise the majority and when you cut funding for police programs that visibly assist the community, then this breaks down.

They are breaking their own laws

[samantha]

By their own laws the people they seek to "help" them are not "hackers" but "crackers" who would normally pursued and locked up by that same FBI. Don't tehy have NSA assets to use? No, because even the NSA cannot blatantly circumvent what Congress has ruled over and over regarding mandatory back doors. No, they are looking for criminals because they are engaging in crime and in circumvention of he will of the people. They must be treated as law breakers.

Left Hand Right Hand

[SJ]

The US already have a bunch of very bright hackers on its payroll. They work down at Fort Meade in a big glass building with NSA written on the front of it.

What this smacks of, is kingdom building. The FBI is trying to bolster its own little playpen, instead of playing nicely with others and asking the NSA for help.

The FBI simply wants a bigger budget.

Take away the academy, weapons qualification, etc

[Joe_Dragon]

Take away the academy, weapons qualification, etc parts and will let them get more people as well as older tech pro's who should not be cut out if they are.

older than 37 (right now only have an Veterans ones)

don't have the right degree (they can also add more wavers)

driver’s license (easy to get but there are people in areas where you don't need a car)

There should be non field desk job roll that even some in wheel chair can do tech stuff for the FBI.

Just say no

[StikyPad]

There is no right of the government to monitor communications. Before we had communications technology, it was all but impossible. The telegraph offered the first viable method for the government (and others) to spy on any and all communications, followed by the telephone, the cellphone, email, texts, etc. At each step, security was an afterthought, and so it provided a larger and larger attack surface. Governments (and others) have enjoyed the access that inattention has brought for too long. For so long, in fact, that they now view their access as an inalienable right that's being assaulted by "evil" tech companies.

The fact is that communications cannot be subject to eavesdropping by the government without also being subject to eavesdropping by criminals. The government knows this, and uses encryption to protect its own communications. The banks know this, and use encryption to protect their communications. Criminals know this, and use encryption to protect theirs. But that doesn't make criminals omnipotent. It doesn't even obstruct targeted surveillance. From bugs to keyloggers to laser microphones to tails, there are a wide array of surveillance tools and techniques to practice targeted surveillance. The problem is laziness -- the government wants to sit on its ass and let the information come to it, instead of going out and collecting it.

That's all well and good, if it works. But the downside isn't just the potential for abuse by the government, or the lack of oversight, or the intrusiveness. An insecure infrastructure is open to attack by malicious individuals, organizations, and nation-states. "Protection" against the narrow segment of "crimes and attacks that are preventable by solely by dragnet surveillance" comes at the cost of criminal network penetration, identity theft, corporate espionage, credit card fraud, malware, ransomware, and spying by foreign powers. We shore up defenses against the rare (if spectacularly awful) terrorist attack at the expense of the everyday cybercrimes, which are, taken together, *far* more harmful and preventable, even if they don't make for very dramatic headlines. It's like devoting all of our law enforcement resources to stopping serial killers and leaving regular murders -- the vast majority -- uninvestigated, let alone solved, and in fact encouraging them by a declared lack of enforcement. Worse, it's allowing our enemy to dictate our actions, to provoke a change in our behavior, ethics, and values.

Perversely, dragnet surveillance is not the antidote to anything other than security, and it takes a myopic vision and tragically flawed reasoning to believe otherwise. When the government asks for the keys to everything, just say no.

Re:Take away the academy, weapons qualification, e

[JASegler]

Would that matter?

I'm surprised they can find anyone who would claim to be a Hacker to work with them.

Low pay.
Poor track record sticking to the letter of the law, let alone the spirit of the law.
Do illegal things and hide them behind national security.

To me it is no different than the scientists that won't work on weapons technology for the military.

We can't trust them to use that kind of power responsibly at any level (local, state, or federal law enforcement).
The proper checks and balances are just not there.

Re:Take away the academy, weapons qualification, e

[Sir+Holo]

There should be non field desk job roll that even some in wheel chair can do tech stuff for the FBI.

There probably are. There is law that lets people declared permanently disabled by the SSA –people on SSDI – "go to the front of the line". Effectively, from the bits I've read, anyone SSDI disabled, applying for a Federal Government job:

    * Gets to skip the resume-culling steps that everyone else must pass through—They get to be considered in the last round.
    * Is entitled to 'special considerations'. Not just wheelchair ramps, but flexible scheduling and similar accommodations.
    * Is a 'diversity hire', scoring the hiring departments political points

The program is intended to have the same % of 'regular' people employed in proper jobs as the $ of SSDI people employed in proper jobs – jobs for which they must be qualified, BTW.

Re:We hackers are happy to help the good guys. Not

[Agripa]

How many politicians are in jail, how many CEOs, how many multi-millionaires?

They went after the Quest CEO and put him in jail for 6 years after he refused to cooperate with the NSA.

anti-intellectualism rolls downhill

[bzipitidoo]

And sloshes back up to The Hill. These Congressional leaders know what they know and don't listen to no scientists! The contempt and fear is palpable. When reality doesn't conform, they resort to threats, blame games and force.

So the FBI can't find talented people to help them with imaginary, badly conceived, and wrongheaded problems. I'm shocked, I tell you, shocked!