The United States Justice Department announced this week that it was able to unlock the iPhone used by the gunman in the San Bernardino shooting in December, and that it no longer needed Apple’s assistance. F.B.I. investigators have not said how they were able to access the smartphone, but a law enforcement official said that a company outside the government had helped them hack into the operating system.
Should hackers help the government?
Should Hackers Help the F.B.I.?
The New York Times
Room for Debate
http://www.nytimes.com/roomfordebate/2016/03/30/should-hackers-help-the-fbi?ref=opinion
Nothing Like a Challenge to Bring Out the Hackers
by Fred Kaplan
http://www.nytimes.com/roomfordebate/2016/03/30/should-hackers-help-the-fbi/nothing-like-a-challenge-to-bring-out-the-hackers
The question implies that all hackers are bad guys or anarchists. In fact, some are patriots; many want to do good, not harm; and all of them love a puzzle.
For the past 20 years, U.S. intelligence and law enforcement agencies have come to view some hackers as allies in the quest for cybersecurity. Many software companies pay bounties to hackers who find and exploit vulnerabilities in their programs — and dozens of professional hacking firms have risen up to meet the challenge.
Imagine the sheer sport of the F.B.I. vs. Apple case. The F.B.I. moans that it can’t crack the San Bernardino shooter’s iPhone without Apple’s assistance; Apple claims its phones are so secure, the slightest compromise could do grave damage. Watching this standoff, clever hackers worldwide mused, “Let me give this a try.” One firm of such hackers has now succeeded — and it may have taken its solution to the F.B.I., not to Apple, because Apple is one of the few giants of Silicon Valley that doesn’t pay bounties.
Hackers haven’t been absorbed into the system entirely. Some are bad guys who do commerce with criminals or foreign spies. Some among the “white-hat hackers” are too rebellious to collude with government; others, who have tried, are turned away — certainly denied security clearances — because they’ve illegally downloaded music or movies in their wayward youth (which, in some cases, may have been just a few months ago).
The government should relax its standards. It’s long been known that hacking is a major problem — not just to personal banking accounts, but to the nation’s critical infrastructure and the military’s command networks. Often the best way to beat hacking is with another hacker — someone who can find and patch the holes before a bad guy exploits them. A lot of hackers want to help; the government should do more to let them.
It’s How Hackers Help That Matters
by Alan Butler
http://www.nytimes.com/roomfordebate/2016/03/30/should-hackers-help-the-fbi/its-how-hackers-help-that-matters
Hackers help the government all the time; it is how they do so, not whether they do so, that should be the subject of rigorous public debate.
We all rely on secure systems every day, whether we realize it or not. That is why my organization, the Electronic Privacy Information Center, supported Apple in the recent dispute over changing the software that protects the contents of an iPhone. A government-induced vulnerability places all users at risk.
Strong encryption is essential to data security, which is essential to both individual and national security. But data security requires constant vigilance. We rely on companies, technical experts and computer hackers to find flaws and help fix systems.
So what does this mean for the hacker community? It means hackers should promote data security. It also means that the government should disclose vulnerabilities to companies to help patch the security holes. The White House acknowledged this when it responded to “Heartbleed,” a widespread vulnerability to one of the key security protocols used by Internet servers, but the statement was only the beginning of this larger conversation.
The President’s Review Group on Intelligence also recommended that “U.S. policy should generally move to ensure” that vulnerabilities are “quickly blocked” in order to protect citizens and critical infrastructure. In the iPhone case, for example, it is now on the F.B.I. to work with Apple to make sure the vulnerability in the iPhone is fixed. That will reduce the likelihood that innocent people whose phones are stolen will suffer from identity theft and financial fraud.
So the question is not whether hackers should help the government, the question is how can the government help improve security for its citizens. We are all “dancing madly on the lip of a volcano,” and we could use a hand now and then to pull us back from the edge.
Hackers Can Be Helpers
by Katie Moussouris
http://www.nytimes.com/roomfordebate/2016/03/30/should-hackers-help-the-fbi/hackers-can-be-helpers
Hackers hack because they are skilled and curious. They often report what they find — despite sometimes facing legal threats — in order to help make people safer. Many hackers care deeply about the world around them.
A hacker uncovered security holes in hospital medical pumps, causing an unprecedented recall of the device by the United States Food and Drug Administration. Why? Because like others before him, he was a hospital patient.
If hacking to help defend a government aligns with their motivations, then hackers will help.
Many still fear government, because they fear incarceration. Many hacking activities became felonies over 30 years ago with the creation of the Computer Fraud and Abuse Act in 1984, and similar anti-hacking laws around the world. Many hackers, who disagree with government practices like the mass surveillance that the Edward Snowden leaks unveiled and the F.B.I.’s fight with Apple over creating a backdoor to an iPhone belonging to one of shooters in the San Bernardino attack, may choose not to help governments, as a silent protest.
So what can governments do to encourage skilled hackers to come forward, hackers who would actually be willing to help? Create an open invitation and safe harbor for hackers who try to report security vulnerabilities in government websites. The United States Department of Defense has done this by creating the government bug bounty program, called Hack the Pentagon, designed to pay hackers cash for any security holes they find.
It is not only a green light for hackers to come forward, it’s a tangible incentive for them to do so, and a much-needed recruiting exercise for Uncle Sam. The recognition of being the first U.S. government bug bounty pilot program, even more than the cash, will encourage hackers to take up the challenge. Not every hacker will heed the call, but enough will.
I know because I created Microsoft’s first ever bug bounty programs, and I know because I am a hacker. I hack policies instead of computers these days, but the principles are the same: Learn the secrets about the system you are trying to hack and turn it to do your will. Hackers are humans above all else, and like most humans, we want to help.
Nothing will ever be 100 percent secure. Building things more securely is the first step. For everything else, hackers will show the way, if you let us.
Constantly Bolstering Computer Security Is Vital
by Matt Blaze
http://www.nytimes.com/roomfordebate/2016/03/30/should-hackers-help-the-fbi/constantly-bolstering-computer-security-is-vital
The F.B.I. has been complaining a lot in recent years about computer security. They worry that it’s too good, that criminals can lock down their computers with encryption and other techniques to hide evidence of crime.
But the worst kept secret in computer security is that systems are far from secure. While we can build large scale software systems that seem to work, we can’t build them to reliably resist serious attack. That includes just about about everything in use today.
The problem is that the same devices used by the occasional criminal are also used by ordinary people and business, as well as the government itself, to protect some of our most sensitive information. In other words, making computers more secure prevents crime. And right now, their insecurity is nothing less than a national crisis.
How can we make software better? There’s no simple answer, but we can understand the situation as a continual arms race in which software is “patched” whenever new vulnerabilities are found, hopefully before attackers are able to discover and exploit them to do damage. We fail at least as often as we succeed, but systems get a little more secure with each iteration. Unfortunately, we make only Sisyphean progress, with new features and applications bringing in new vulnerabilities as quickly as we can repair the old ones.
As a computer scientist, I’d love to find a better way, but the problem of software bugs is as old as software itself. For the foreseeable future, staying one step ahead in this arms race is the best we can hope for.
The question is less whether the F.B.I. should hack devices — as cases going back to 2001 show, it has been for years — than how to do so in a way that doesn’t harm, and ideally even bolsters, our delicate software security ecosystem. That means we need to make sure that any vulnerabilities they exploit, whoever discovers them, ultimately find their way to back to the vendor so they can be fixed before they get exploited by others, too.
This is a difficult balance. The F.B.I. is naturally inclined away from reporting what they exploit, hoping to maximize the usable life of their tools. But that goal must be balanced against the urgent need for our overwhelmingly digital society to strengthen its defenses. Ultimately, the F.B.I. must remember that it is in the business not just of crime solving, but even more important, of crime prevention.