Should the government tell Apple how it hacked the iPhone?

[Yookeroo]

DrCube:

They have a moral obligation, both to Apple and its customers. They probably don’t have a legal obligation.

And I’d say celebrating the insecurities of your own citizen’s technology is ass-backwards for a government agency, but it’s been SOP for the NSA and FBI for a long time, so it doesn’t surprise me. Could you imagine the FBI (or its predecessor) proudly proclaiming to the world how poor Model Ts perform, after they just got done telling Henry Ford he was helping the gangsters by making it harder for cops to catch them on horseback?

This.

i’m finding the glee in sticking it to Apple kind of off-putting. However much you hate Apple, isn’t making their phones more secure better for everyone? I’m not going to argue that the government has an obligation to share this with Apple, but wouldn’t their customers be better off? The “Apple didn’t share with the government, so the government shouldn’t share with them!” attitude is kind of childish, no?

[Omar_Little]

Lemur866:

The “third party” could easily be the NSA,

Pretty sure the NSA is considered part of the government and not a 3rd party.

[Omar_Little]

Yookeroo:

I’m not going to argue that the government has an obligation to share this with Apple, but wouldn’t their customers be better off?

Wouldn’t Google’s android customers be better off if the government pointed out their security vulnerabilities as well?

It’s not the mission of the federal government to make people’s products better.

[Doug_K]

Voyager:

This is not like the big bad government spying on you - it is more like someone forgetting his password, going the the Genius Bar, and being told “tough luck, chump. We have to protect security, you know.”

I can’t be the only one who thinks this smells slightly like built-in ransomware.

[AdamF]

Omar_Little:

It’s not the mission of the federal government to make people’s products better.

From FBI website (emphasis mine):
*Our mission is to help protect you, your children, your communities, and your businesses from the most dangerous threats facing our nation—from international and domestic terrorists to spies on U.S. soil…from cyber villains to corrupt government officials…from mobsters to violent street gangs…from child predators to serial killers.*If they are aware of a vulnerability in a device used by millions of people, isn’t it part of their mission to share this with Apple so it could be fixed faster?

[Ruken]

AdamF:

From FBI website (emphasis mine):
*Our mission is to help protect you, your children, your communities, and your businesses from the most dangerous threats facing our nation—from international and domestic terrorists to spies on U.S. soil…from cyber villains to corrupt government officials…from mobsters to violent street gangs…from child predators to serial killers.*If they are aware of a vulnerability in a device used by millions of people, isn’t it part of their mission to share this with Apple so it could be fixed faster?

Law enforcement agencies routinely advise private parties on security vulnerabilities. I don’t know if it’s their “mission”, but stopping the bad guys before they commit crimes sounds like good policing.

[Sage_Rat]

Here’s a snippet of history:

[

Wikipedia:

On 17 March 1975, the proposed DES was published in the Federal Register. Public comments were requested, and in the following year two open workshops were held to discuss the proposed standard. There was some criticism from various parties, including from public-key cryptography pioneers Martin Hellman and Whitfield Diffie,[2] citing a shortened key length and the mysterious “S-boxes” as evidence of improper interference from the NSA. The suspicion was that the algorithm had been covertly weakened by the intelligence agency so that they—but no-one else—could easily read encrypted messages.[3] Alan Konheim (one of the designers of DES) commented, “We sent the S-boxes off to Washington. They came back and were all different.”[4] The United States Senate Select Committee on Intelligence reviewed the NSA’s actions to determine whether there had been any improper involvement. In the unclassified summary of their findings, published in 1978, the Committee wrote:

In the development of DES, NSA convinced IBM that a reduced key size was sufficient; indirectly assisted in the development of the S-box structures; and certified that the final DES algorithm was, to the best of their knowledge, free from any statistical or mathematical weakness.[5]

However, it also found that

NSA did not tamper with the design of the algorithm in any way. IBM invented and designed the algorithm, made all pertinent decisions regarding it, and concurred that the agreed upon key size was more than adequate for all commercial applications for which the DES was intended.[6]

Another member of the DES team, Walter Tuchman, stated “We developed the DES algorithm entirely within IBM using IBMers. The NSA did not dictate a single wire!”[7] In contrast, a declassified NSA book on cryptologic history states:

In 1973 NBS solicited private industry for a data encryption standard (DES). The first offerings were disappointing, so NSA began working on its own algorithm. Then Howard Rosenblum, deputy director for research and engineering, discovered that Walter Tuchman of IBM was working on a modification to Lucifer for general use. NSA gave Tuchman a clearance and brought him in to work jointly with the Agency on his Lucifer modification."[8]

and

NSA worked closely with IBM to strengthen the algorithm against all except brute force attacks and to strengthen substitution tables, called S-boxes. Conversely, NSA tried to convince IBM to reduce the length of the key from 64 to 48 bits. Ultimately they compromised on a 56-bit key.[9][10]

Some of the suspicions about hidden weaknesses in the S-boxes were allayed in 1990, with the independent discovery and open publication by Eli Biham and Adi Shamir of differential cryptanalysis, a general method for breaking block ciphers. The S-boxes of DES were much more resistant to the attack than if they had been chosen at random, strongly suggesting that IBM knew about the technique in the 1970s. This was indeed the case; in 1994, Don Coppersmith published some of the original design criteria for the S-boxes.[11] According to Steven Levy, IBM Watson researchers discovered differential cryptanalytic attacks in 1974 and were asked by the NSA to keep the technique secret.[12] Coppersmith explains IBM’s secrecy decision by saying, “that was because [differential cryptanalysis] can be a very powerful tool, used against many schemes, and there was concern that such information in the public domain could adversely affect national security.” Levy quotes Walter Tuchman: “[t]hey asked us to stamp all our documents confidential… We actually put a number on each one and locked them up in safes, because they were considered U.S. government classified. They said do it. So I did it”.[12] Bruce Schneier observed that “It took the academic community two decades to figure out that the NSA ‘tweaks’ actually improved the security of DES.”[13]

](Data Encryption Standard - Wikipedia)

The NSA intervened to strengthen data security among the corporate world, because it was good for national security.

With iPhones being so popular among the nation’s populace, it’s not too hard to make a case that the government would be failing in its duty by not supplying Apple with any information that they are allowed to share. The government’s agents probably use iPhones too.

[Voyager]

DrCube:

The point is that there is a zero day exploit of iOS that Apple’s customers depend on them to fix. I don’t have a problem with the government opening this particular phone, I have a problem with weakening the security of widely used personal devices.

It’s pretty shitty to hold Apple customers hostage because the FBI is angry at Tim Cook. They should do the right thing by the citizens who employ them and tell Apple what security hole they used so that Apple can fix it. But they won’t, because our intelligence agencies are anti-American. The American people are their enemies, and withholding important security information from an American company that protects millions of Americans’ personal data proves it.

If this were an exploit that allowed anyone to hack into the phone remotely, I’d agree. But it isn’t.
BTW Apple fought strongly against a law mandating that phones must have the ability to be bricked remotely - required because thieves were robbing people of their phones left and right. Did Apple care about that kind of security? Hell no.
If you are in possession of your phone, it should be safe. If you lose your phone, you should be able to brick it. If you can’t because you’re a terrorist who has been blown up - tough.

[Voyager]

Yookeroo:

This.

i’m finding the glee in sticking it to Apple kind of off-putting. However much you hate Apple, isn’t making their phones more secure better for everyone? I’m not going to argue that the government has an obligation to share this with Apple, but wouldn’t their customers be better off? The “Apple didn’t share with the government, so the government shouldn’t share with them!” attitude is kind of childish, no?

First, as mentioned above, the government probably doesn’t own the method. Apple is free to try to buy it from the probable owner. Unless that would be admitting weakness. And if Apple did get the answer, would they be willing to pay for it by not saying screw you to the court’s request to unlock a phone as requested by the owner of the phone?

[iamthewalrus_3]

Voyager:

If this were an exploit that allowed anyone to hack into the phone remotely, I’d agree. But it isn’t.

Assertion not in evidence. Do we actually know this?

BTW Apple fought strongly against a law mandating that phones must have the ability to be bricked remotely - required because thieves were robbing people of their phones left and right. Did Apple care about that kind of security? Hell no.
If you are in possession of your phone, it should be safe. If you lose your phone, you should be able to brick it. If you can’t because you’re a terrorist who has been blown up - tough.

Such a feature is inherently risky for Apple. What if they make a mistake implementing it and someone is able to issue a mass-brick command to lots of phones? There go a few billions in shareholder value.

Omar_Little:

Pretty sure the NSA is considered part of the government and not a 3rd party.

The parties to the lawsuit were the Dept. of Justice and Apple. NSA isn’t part of the Dept. of Justice, so that might arguably make it a “third” party.

[doorhinge]

Lemur866:

The “third party” could easily be the NSA, or some other spook agency. That’s what we pay them for, right? If the FBI can’t get the NSA to hack the phone of a terrorist for them, what’s the point of the NSA?

I thought that the purpose of the NSA was, besides catching criminals, spying, and disinformation, was to encourage interagency cooperation??? Interagency completion would suggest that the NSA would be chomping at the bit to prove that the NSA could do something that the FBI could not.

I’m under the impression that no security system can prevent someone from breaking into a car, a building, a bank, a phone, or a computer system provided they have access and time. Lot’s of time.

Security systems have to be upgraded constantly because some one (or some nation) wants to break into the system.

[Voyager]

iamthewalrus_3:

Assertion not in evidence. Do we actually know this?

Such a feature is inherently risky for Apple. What if they make a mistake implementing it and someone is able to issue a mass-brick command to lots of phones? There go a few billions in shareholder value.

None of the possible ways of getting into the phone I’ve read about involve remote access. I know that Cook claimed the FBI wanted a backdoor, but that’s not true.

Other phones have this capability already. Plus something like over 20% of muggings in San Francisco (number from memory - it might be bigger) involved thefts of phones, especially iPhones. We’re not talking potential issues here, we are talking real property loss and possibly physical harm to their customers.

[AdamF]

Voyager:

If you are in possession of your phone, it should be safe. If you lose your phone, you should be able to brick it.

If your phone can be bricked remotely, it’s not safe from hackers. If you lose your phone, you should be able to locate it even after factory reset.

[Skammer]

I supported Apple in its decision not to provide a hack for its code (although I was sympathetic to arguments on both sides). And, I don’t believe the government or the 3rd party is under any obligation to share their hacking method with Apple, although Apple is free to try to purchase the information from the 3rd party.

I’d be especially pissed if I were an Apple competitor and the government was helping Apple make its phones more secure. Let Apple figure it out themselves.

[iamthewalrus_3]

Voyager:

None of the possible ways of getting into the phone I’ve read about involve remote access.

None of the possible ways you’ve read about were used, though. If they were viable and well-known, the FBI would have already used them, no?

It’s generally the case that remote vulnerabilities are less common and more valuable than non-remote vulnerabilities. But that doesn’t tell us anything in particular about the unknown vulnerability in question that was actually used.

[iamthewalrus_3]

Skammer:

I’d be especially pissed if I were an Apple competitor and the government was helping Apple make its phones more secure. Let Apple figure it out themselves.

Is that really the most important consideration?

What about the millions of American citizens who have Apple phones that the government could have helped make more secure, but decided not to.

I don’t think the government currently has a legal obligation to do this, but I would support a law that requires the government to reveal security vulnerabilities to companies in a reasonable manner.

[Steve_MB]

Voyager:

None of the possible ways of getting into the phone I’ve read about involve remote access. I know that Cook claimed the FBI wanted a backdoor, but that’s not true.

Is there supposed to be some text between these statements that would establish some sort of logical linkage between the former and the latter?

[ISiddiqui]

Of course this came about because the government had a subpoena and couldn’t get Apple’s help to get the information. So, if the government were to give Apple this information, so it could fix it, would Apple still fight future subpoenas?

Because on some level, complying with duly issued federal subpoenas IS important for the government to enforce its laws. So there is a push and pull here - now I know people said subpoenas don’t require the government to force Apple to make something to break into its phones. However, why would the government give up an important law enforcement tool if had to go back to square one and pay hackers to get in once again.

I’d even argue it is a moral imperative that the government does not give the information to Apple so that it can continue with law enforcement subject to a legally issued subpoena (I mean, how else do you think the government gets information to charge people with the vast majority of white collar crimes?).

[Omar_Little]

iamthewalrus_3:

What about the millions of American citizens who have Apple phones that the government could have helped make more secure, but decided not to.

Of those millions of Apple customers, how many really need that level of security? Do dick pics really need to be that secure?

[DrCube]

Omar_Little:

Of those millions of Apple customers, how many really need that level of security? Do dick pics really need to be that secure?

It doesn’t matter because the FBI’s mission is, in part, to protect American businesses and American citizens from cyber threats. They’re derelict in their duty if they don’t. And go ask some revenge porn victims if nude pictures should or should not be left unsecured.