Actually, while we’re here, question for lobsters: should the NSA crack the phone?
If it’s a thing they do on their own, and in a way that exploits existing security weaknesses which they do not attempt to politically perpetuate, rather than asking for the introduction of new weaknesses…
… then I still disapprove, but only at the level that I disapprove of all their surveillance. :) As far as I can see, that would remove the negative externalities which are specific to this case, leaving only the ones inherent in their mission.
I asked the question because the slant of this article seemed to be piling on the FBI. The FBI is wrong to invoke the writs act. Even the cyber czar says so! But his suggestion for what they should do is also disagreeable, no? So we should perhaps discount his advice?
I’m waiting for some former advisor to say that back in the day we’d have tortured the shooters’ friends and family to get intel. What will Ars say then? :)
When professional spies are talking, we need to not accept the package deals implicit in how they frame things. The intelligence community has had its own unique and effective form of PR since its inception. He can say a true thing and a false one in the same breath; it happens. :)
I have to admit it’s frustrating that Ars pretty much just let him use their platform without adding their own critical thought. Thank you for adding yours.
I suggest desoldering the flash memory and attacking it offline, without the phone.
But should they? The NSA and FBI are two different organizations with different goals and boundaries. Who is to say the NSA didn’t falsify evidence? They’d need to provide proof, which would reveal their methods.
That would require having a way to bypass the fact that the phone’s TPM chip is the only component that has the decryption key. A brute-force attack on the entire keyspace isn’t going to work.
The phone in question is a 5c, which lacks a TPM.
They shouldn’t - unless I’m missing some major change, their mandate is to spy on non-“U.S. persons”.
The FBI is the thing we use to investigate citizens and other “U.S. persons”, with different rules and oversight.
I still think this distinction is important.
Although I might be convinced that some sharing of expertise and techniques would be acceptable, direct collaboration along the lines of “here NSA, crack this phone” seems too far.
Why would they?
Morally, or in what sense?
The question of whether or not they can is interesting from a legal perspective mostly because per US v NY Telephone, if the Government can access the data on their own they must pursue that angle in preference to compelling action from a third-party via All Writs.
So from a legal perspective if the FBI wants that data then yes, the NSA should crack the phone rather than Apple. But whether they should from a security perspective is a different question.
…and every other device out there?
Using 0-day vulns to investigate even the most egregious of gun violence is not a good long term strategy.