
FBI Went to 'Gray Hat Hackers' for Zero-Day Exploit to Open San Bernardino iPhone

dgstorm

Editor in Chief

The truth has finally been revealed regarding how the FBI was able to crack into the San Bernardino shooter's iPhone C. Apparently, the DOJ (Department of Justice) found some "Gray Hat" hackers who sold them a zero-day exploit to break into the device.

This exploit basically allowed the FBI to create a piece of hardware that took advantage of a security vulnerability. This newly created hardware let the FBI guess the passcode through multiple attempts without erasing the iPhone. This solution only works on older Apple devices. Apple devices starting with the iPhone 5S and newer are not affected by this vulnerability.

The DOJ is weighing whether or not it will share this exploit with Apple. Here's a quote with a few more details,

"If the government shares data on the flaws with Apple, “they’re going to fix it and then we’re back where we started from,” Comey said last week in a discussion at Ohio’s Kenyon College. Nonetheless, he said Monday in Miami, “we’re considering whether to make that disclosure or not.”

The White House has established a process in which federal officials weigh whether to disclose any security vulnerabilities they find. It could be weeks before the FBI’s case is reviewed, officials said. The policy calls for a flaw to be submitted to the process for consideration if it is “newly discovered and not publicly known.”

“When we discover these vulnerabilities, there’s a very strong bias towards disclosure,” White House cybersecurity coordinator Michael Daniel said in an October 2014 interview, speaking generally and not about the Apple case. “That’s for a good reason. If you had to pick the economy and the government that is most dependent on a digital infrastructure, that would be the United States.”

But, he added, “we do have an intelligence and national security mission that we have to carry out. That is a factor that we weigh in making our decisions.” ~ Washington Post

According to additional reports, Apple has decided not to sue the DOJ to obtain the details of the exploit. More than likely, Apple already knows about it, and doesn't consider it worth pursuing since it only affects older iPhones.

A better question is... how do you feel about the government specifically paying for help from a "gray hat" hacker?
 
After all is said and done, I've gone back and forth over this whole issue. I mean, where do you draw the line between security and freedom? Obviously, a police state is the wrong solution, and lawlessness is equally stupid. How does one decide when lives are less important than ideas?
 
I've also thought about this through the weeks. I have come to the conclusion that if the FBI/DHS wants to get into a phone via a hack (whether made by Apple or whomever) to gather intel from known terrorists and/or those who commit terror then it is perfectly fine for me. I'm all about saving innocent lives and that takes precedence over my phone being totally secure from the FBI.

I have my privacy and don't engage in activities that I have to worry about the FBI wanting to get into my phone. How do I feel about the government paying a gray hat hacker? You got to do what you got to do. That phone was going to get hacked with or without Apple's help.
 
With the budgets the government already spends on people and technology, to me it is embarrassing that they didn't already know this. It's embarrassing that it came to this point because they deemed it necessary to change the iCloud passwords without thinking first. This is supposed to be our "best and brightest" at the NSA/FBI and they bungled this completely from the get-go.

The mere fact that they think they are entitled to have complete access to all of our phones and are fighting against encryption is another matter that is just a slap in the face. They think us all muppets.
 
I have my privacy and don't engage in activities that I have to worry about the FBI wanting to get into my phone.

This line of thinking is dangerous to me. Sure, you may not feel that you've done anything wrong and don't care if the FBI hacked your phone. But I value my privacy, regardless of if I have or haven't done anything wrong. The FBI doesn't need to know whom I'm talking to, or what about. History has shown that if they have the power to do something, they will... legal or not. And not just to terrorists, but to entire, large swaths of American Citizens.

This quote always reminds me that you need to be careful and stand up for your rights and privacy, even if it isn't currently affecting you:

First they came for the Socialists, and I did not speak out—
Because I was not a Socialist.


Then they came for the Trade Unionists, and I did not speak out—
Because I was not a Trade Unionist.


Then they came for the Jews, and I did not speak out—
Because I was not a Jew.


Then they came for me—and there was no one left to speak for me.
 
After all is said and done, I've gone back and forth over this whole issue. I mean, where do you draw the line between security and freedom? Obviously, a police state is the wrong solution, and lawlessness is equally stupid. How does one decide when lives are less important than ideas?

Freedom isn't just an idea, it is a way of life. Many many people have given their lives so that we can have that freedom. That privacy from the government. This entire country was founded on those ideals. The terrorists want to take that away from us and the Government seems to be helping them with this goal. Our forefathers would be ashamed.
 
Without getting into the bigger issue of privacy Vs. Security, the terrorists were dead, so no information in this phone was needed to prosecute them. I get that there's an outside (very outside) chance that info on the phone could implicate others, or prevent other attacks, but I don't think it's likely. Most terrorists are not idiots.

The whole thing just seemed like an obvious use of a public event to grab power.
 
Without getting into the bigger issue of privacy Vs. Security, the terrorists were dead, so no information in this phone was needed to prosecute them. I get that there's an outside (very outside) chance that info on the phone could implicate others, or prevent other attacks, but I don't think it's likely. Most terrorists are not idiots.

The whole thing just seemed like an obvious use of a public event to grab power.

I have no problem with them breaking into this phone... I have a problem with them using this tragedy to weaken ALL of our phones. Which is exactly what they tried to do.
 
I've also thought about this through the weeks. I have come to the conclusion that if the FBI/DHS wants to get into a phone via a hack (whether made by Apple or whomever) to gather intel from known terrorists and/or those who commit terror then it is perfectly fine for me. I'm all about saving innocent lives and that takes precedence over my phone being totally secure from the FBI.

I have my privacy and don't engage in activities that I have to worry about the FBI wanting to get into my phone. How do I feel about the government paying a gray hat hacker? You got to do what you got to do. That phone was going to get hacked with or without Apple's help.

Also, CK, I think you are missing the point of the FBI vs Apple debate. Most folks didn't have a problem if the FBI could find a way into the phone to get the info. The problem was that they were trying to force Apple to do it for them. Also, they were using tactics that were designed to create legal precedents so they could gain broader power without Constitutional oversight. You have to draw a line at some point.

If we allow unfettered access by our government without any personal privacy, then we will have given them power that is seriously unlikely to be lessened. We mostly trust our government to do the right thing now (because of all the legal checks and balances), but what if in the future something shifts in such a way as to turn our government darker? If that happens, and we have already given them too much power, then it's a slippery slope toward a dystopian police state.
 
This line of thinking is dangerous to me. Sure, you may not feel that you've done anything wrong and don't care if the FBI hacked your phone. But I value my privacy, regardless of if I have or haven't done anything wrong. The FBI doesn't need to know whom I'm talking to, or what about. History has shown that if they have the power to do something, they will... legal or not. And not just to terrorists, but to entire, large swaths of American Citizens.

This quote always reminds me that you need to be careful and stand up for your rights and privacy, even if it isn't currently affecting you:

I get that, but the notion that you or I have privacy is a falsehood. If the FBI or any other governmental agency wants info on us they can and will get it. We're not giving up anything because we've never had it.

That's why I don't care. We're already standing naked, I don't need someone to verify that they can now see us.
 
I feel like it is somewhat of a moot point. The DOJ spent a lot of money, probably A LOT of money.


For the general populace, I feel like one of the closing statements that one of the security consultants made sums it up.

- Do you worry about trained martial artists beating you up on the street?
- Not particularly
- But you are aware that they exist. You are also aware that you probably couldn't do anything if they wanted to beat you up.

The odds that "they" are going to go after you are slim if you are not doing anything questionable.
 
I don't speak like you people, and maybe that's good.
I don't know how old you maybe that's good.
What I do know is that when you were 1 year old tiny little tots you had your innocence.
But now all has changed. There are groups of people in all forms not only terrorists, we don't start out in life that way something happens or is made to happen by our parents or way of life.
That will never change. That's just my view.
I do know that if something happens the first thing people do is call the POLICE for HELP.
That is worldwide. Sorry for any spelling errors guys und gals K



Gregory Isaacs r.i.p.
 
I get that, but the notion that you or I have privacy is a falsehood. If the FBI or any other governmental agency wants info on us they can and will get it. We're not giving up anything because we've never had it.

That's why I don't care. We're already standing naked, I don't need someone to verify that they can now see us.

So your answer is that because we already have almost no privacy that we should throw our hands up in the air and say "screw it, let them have anything they want"? It's up to us to say that enough is enough. We should NOT let the FBI (or any other governmental organization) have the power to make our privacy completely vanish. If you truly feel we are standing naked in the open, then you should be the one most passionate to stop that abuse of power. The more we concede our rights as citizens, the more we help create exactly the dark future we want to avoid.

In an ideal world, we wouldn't need privacy. But we don't live in an ideal world. In the real world, there are people with power who will judge you, push their perspectives on you and do things to affect your life if you let them. Not all people, just some, but it is our personal responsibility to ourselves and to each other that we should set some boundaries, and not let those few manipulate the system to gain even more power.

"The only thing necessary for the triumph of evil is that good men should do nothing."
 
So your answer is that because we already have almost no privacy that we should throw our hands up in the air and say "screw it, let them have anything they want"? It's up to us to say that enough is enough. We should NOT let the FBI (or any other governmental organization) have the power to make our privacy completely vanish. If you truly feel we are standing naked in the open, then you should be the one most passionate to stop that abuse of power. The more we concede our rights as citizens, the more we help create exactly the dark future we want to avoid.

In an ideal world, we wouldn't need privacy. But we don't live in an ideal world. In the real world, there are people with power who will judge you, push their perspectives on you and do things to affect your life if you let them. Not all people, just some, but it is our personal responsibility to ourselves and to each other that we should set some boundaries, and not let those few manipulate the system to gain even more power.

"The only thing necessary for the triumph of evil is that good men should do nothing."

No, what I'm saying is that they already have access to anything and everything they want if they want it. That ship sailed a long time ago so I no longer care. It hasn't impacted my life in any way and it hasn't impacted a majority of Americans' lives in any way. When's the last time you were visited by the FBI for suspicious behavior? Me neither.
 
Interesting thread and some really interesting comments that I can't better except to say that I'm very glad Apple stood their ground.
 