The FBI paid hackers to break into the iPhone of the San Bernardino, California,
shooter, according to a news report published Tuesday in The Washington Post.
The bureau obtained the services of gray hats, the Post said, citing unnamed sources. It
apparently did not get help from Cellebrite, as earlier reports had suggested.
Gray hats are hackers who sell flaws to governments or
companies that make surveillance tools.
The FBI would not confirm that it had turned to gray
hats, but its National Press Office directed the E-Commerce Times to a speech
FBI Director James Comey made at Kenyon College last week, calling attention to
his statement that someone outside the government came up with a solution that
"will be closely protected, and used lawfully and appropriately."
Comey knows about the people the FBI bought the
solution from, he said, and he expressed "a high degree of confidence that
they are very good at protecting it, and their motivations align with
ours."
Support for the FBI's Actions
"The use of bad guys by the United States
government, and in fact all governments, has been going on since the beginning
of time," remarked Philip Lieberman, CEO of Lieberman
Software.
"I would rather live in the U.S., where safety
and sanity trumps a repressive government that implements an idealistic set of
privacy laws that end up putting my life at risk," he told the E-Commerce Times.
U.S. policy holds that the government's need to
protect citizens trumps privacy rights, while the UK and the EU take the
opposite tack, "which has resulted in unintended consequences of death and
destruction due to laws that protect criminals and psychopaths and criminalize
breaches of privacy to the degree that potentially saving the lives of others
is a criminal act," Lieberman said.
"When it comes to justice, the FBI should be able
to use whatever resources necessary in its pursuit of information," argued
Brad Bussie, director of product management at Stealthbits Technologies.
The gray hat is a contractor, and "I'm more
interested in how closely the FBI will be watching its new contractor to see if
they try to make more money with the technique that was used on the terrorist's
iPhone," he told the E-Commerce Times.
The Other Side of the Argument
"From a macro perspective, it's incredibly
stupid" to work with the gray hats, argued Rob Enderle, principal analyst
at the Enderle Group.
"It's in line with negotiating with terrorists or
kidnappers," he told the E-Commerce Times. "The larger outcome is
generally worse than the specific problem the effort's attempting to
address."
If true, the action "comes uncomfortably close to
blackmail," Enderle suggested. "The implicit threat is that, if you
don't do what we ask, we will open your platform to attackers harming your
customers and putting your business at risk."
The problem is, the ethics have "an extremely
fuzzy boundary," Craig Kensek, security expert at Lastline, pointed out.
"There are people who will say once you've gone
black or gray, you'll always go back," he told the E-Commerce Times.
If the FBI pays researchers to discover
vulnerabilities and then reports them to the vendors, it's participating in
beneficial vulnerability research, suggested Tim Erlin, director of IT security
and risk strategy for Tripwire.
However, "choosing to not disclose discovered
vulnerabilities to the vendors simply ensures that risk remains in the
market," he told the E-Commerce Times.
The FBI has not decided whether to disclose the
vulnerability to Apple. In the meantime, it reportedly has written to local
police departments offering its help to crack iPhones of suspects…
Zakaria Jabri