This is a scary precedent.

From the bits I've seen of it, the Vulnerabilities Equities Process is a really great bit of government transparency, run by a group of people who understand that the best interests of different parts of the government and the citizens of the country often end up at odds. The process allows for vulnerabilities to be periodically reviewed so that the costs and benefits of not disclosing can be weighed over time, and by an at-least-somewhat independent group.

Just skipping it altogether because "we paid a contractor" completely subverts the process. What's stopping all the TLAs from simply routing all their vulns through a private third party and bypassing the VEP altogether?
This might be great for the FBI right up until they actually try to use the evidence in court. The defense attorney can claim (rightly so) that unless they can examine the unlock method to verify it doesn't tamper with any of the data on the phone, the evidence is inadmissible.

The only way the FBI will be able to use this data in court is if they turn the process over to the defense so they can have the process independently verified. Since the article states that they don't have access to the "technical details" of the hack, they have no way to prove the method doesn't manipulate the data on the device.
Did any of the commenters here actually read the article?

> Although the FBI paid more than $1.3 million for the method, Amy Hess, the agency's executive assistant director for science and technology, said Wednesday that it didn't purchase the rights to the technical details and therefore doesn't have the necessary information to submit the method for an Obama administration review known as the Vulnerabilities Equities Process.
>
> "The FBI assesses that it cannot submit the method to the VEP," Hess said in a statement. "We do not have enough technical information about any vulnerability that would permit any meaningful review."
>
> ...
>
> The law enforcement agency bought the hacking tool from an entity it hasn't identified and then used it to access data on an encrypted iPhone

It sounds like the FBI doesn't actually understand the details of how the crack worked and was hand-held through the process.
So, if I understand correctly, the FBI doesn't really know how the phone was hacked? Wouldn't that also mean that they don't really know if the data their contractors retrieved from the phone is really from the phone?
I've never seen government decision-making work first-hand, so I wouldn't claim that this speculation should carry weight.

But if I were someone on the FBI side who wanted to "win" this somehow, I could imagine how this might look like a victory. Apple wanted its phones to look so secure that it would even stand up to the government to protect them. In response, the FBI made Apple's phones look so weak that anyone who has $1M to spend on the black market can get in.
I personally don't have a problem with this, just as I had no problem with Apple not wanting to help the government with an investigation. I don't think it is right to want it both ways.
I am really beginning to wonder whether the FBI actually used a hack. There were reports that the passcode was changed while in the FBI's possession; what if this was just a deliberate attempt to force Apple to create a backdoor?
Micro-probing the bus lines, to disable the self-destruct or time-delay counter? Or perhaps "glitching", sending badly-timed signals to the specific part of the ASIC that keeps count of the number of bad tries, causing it to lock up. Then brute-forcing it at high speed.
These times are so interesting. The FBI is making policy that they won't expose the 0-days they bought for over a million USD. We need to consider the amount of cool things we learn right now and appreciate it.
I've got a friend at Sun Corporation who, a few weeks ago, when I congratulated her on the recent (unconfirmed) news about her company, said it was Cellebrite's news and not theirs.
What would stop one or a couple of Apple engineers from creating a backdoor and then selling an "unlock service" through some foreign intermediary, making $1 mil each time?
Is the FBI faking again [1]?

[1] - https://news.ycombinator.com/item?id=11578240
Isn't this title a little misleading if they never knew the actual technical process of hacking the iPhone? They can't share what they don't know.
I hope that the security community reciprocates: if the FBI won't disclose security flaws to the community, then neither should the security community give the FBI any special privilege or notice in disclosing flaws in FBI software. The FBI might then learn about the benefits of disclosure the hard way.
Just seems petty of the FBI to actually make an official announcement like this. I get if it's understood that they're not releasing it, but why make a formal press release about it?