Discrepancies between Past Versions of Mateen’s Calls and the “Transcript”

As promised, DOJ has censored the transcript of Omar Mateen’s calls with authorities the night of his attack. There is a discrepancy between Jim Comey’s earlier version of the calls and what appears in today’s “transcript.” Here’s what Comey said a week ago.

It is also not entirely clear at this point just what terrorist group he aspired to support; although, he made clear his affinity, at the time of the attack, for ISIL, and generally, leading up to the attack, for radical Islamist groups. He made 911 calls from the club, during the attack, at about 2:30 in the morning, Sunday morning. There were three different calls. He called and he hung up. He called again and spoke briefly with the dispatcher, and then he hung up, and then the dispatcher called him back again and they spoke briefly. There were three total calls.

During the calls he said he was doing this for the leader of ISIL, who he named and pledged loyalty to, but he also appeared to claim solidarity with the perpetrators of the Boston Marathon bombing, and solidarity with a Florida man who died as a suicide bomber in Syria for al Nusra Front, a group in conflict with Islamic State. The bombers at the Boston Marathon and the suicide bomber from Florida were not inspired by ISIL, which adds a little bit to the confusion about his motives.

And here’s what FBI says the censored “transcript” says.

The following is based on Orlando Police Department (OPD) radio communication (times are approximate):

  • 2:02 a.m.: OPD call transmitted multiple shots fired at Pulse nightclub.
  • 2:04 a.m.: Additional OPD officers arrived on scene.
  • 2:08 a.m.: Officers from various law enforcement agencies made entrance to Pulse and engaged the shooter.
  • 2:18 a.m.: OPD S.W.A.T. (Special Weapons & Tactics) initiated a full call-out.
  • 2:35 a.m.: Shooter contacted a 911 operator from inside Pulse. The call lasted approximately 50 seconds, the details of which are set out below:

Orlando Police Dispatcher (OD)
Shooter (OM)

OD: Emergency 911, this is being recorded.
OM: In the name of God the Merciful, the beneficial [in Arabic]
OD: What?
OM: Praise be to God, and prayers as well as peace be upon the prophet of God [in Arabic]. I let you know, I’m in Orlando and I did the shootings.
OD: What’s your name?
OM: My name is I pledge of allegiance to [omitted].
OD: Ok, What’s your name?
OM: I pledge allegiance to [omitted] may God protect him [in Arabic], on behalf of [omitted].
OD: Alright, where are you at?
OM: In Orlando.
OD: Where in Orlando?
[End of call.]

(Shortly thereafter, the shooter engaged in three conversations with OPD’s Crisis Negotiation Team.)

  • 2:48 a.m.: First crisis negotiation call occurred lasting approximately nine minutes.
  • 3:03 a.m.: Second crisis negotiation call occurred lasting approximately 16 minutes.
  • 3:24 a.m.: Third crisis negotiation call occurred lasting approximately three minutes.

In these calls, the shooter, who identified himself as an Islamic soldier, told the crisis negotiator that he was the person who pledged his allegiance to [omitted], and told the negotiator to tell America to stop bombing Syria and Iraq and that is why he was “out here right now.” When the crisis negotiator asked the shooter what he had done, the shooter stated, “No, you already know what I did.” The shooter continued, stating, “There is some vehicle outside that has some bombs, just to let you know. You people are gonna get it, and I’m gonna ignite it if they try to do anything stupid.” Later in the call with the crisis negotiator, the shooter stated that he had a vest, and further described it as the kind they “used in France.” The shooter later stated, “In the next few days, you’re going to see more of this type of action going on.” The shooter hung up and multiple attempts to get in touch with him were unsuccessful.

In Comey’s original version there were just three calls, all with the dispatcher, two of which included actual conversation. Now there are four total calls, only one with the dispatcher (and no mention of the hang-up). I’d guess the difference stems from confusion last week, and a conflation of all calls with authorities, but there is a counting discrepancy I’d like resolved.

Predictably, the FBI censored details that should have led them to raise questions about Mateen’s invocation of ISIS. It made no mention of what Comey did: that Mateen also invoked al-Nusra and the Tsarnaev brothers (presumably in the calls to the crisis negotiation team), which doesn’t make sense. So rather than elucidating, this “transcript” actually covers over one of the problems with FBI’s reaction.

As noted, there’s also a (more explicable) discrepancy between this “transcript” and what survivor Patience Carter has said (7:16 and following). She said that Mateen said he wanted the US to stop bombing “his country,” which reports on this have interpreted to mean Afghanistan. Given the unbelievable amount of stress she must have been under, I would expect discrepancies in any case. But since she doesn’t specify precisely what he said that she interpreted to mean, “his country,” I don’t think this is a significant discrepancy.

Update: FBI and DOJ have now released the name Abu Bakr al-Baghdadi (calling it the “complete” transcript), but not the other things that would make them look bad.


DOJ Thinks Releasing Omar Mateen’s ISIS Allegiance Claims It Released Last Week Will Revictimize the Victims

Yesterday, NPR reported that people investigating the Orlando mass shooting increasingly believe Omar Mateen’s attack may have had nothing to do with ISIS.

In fact, intelligence officials and investigators say they’re “becoming increasingly convinced that the motive for this attack had very little — or maybe nothing — to do with ISIS.”

Speaking on Weekend Edition Saturday, Dina says that al-Qaida and ISIS-inspired attacks tend to follow a different pattern. She explains:

“We know that during the attack the gunman posted messages on Facebook saying he was doing this on behalf of ISIS. But officials have yet to find any of the precursors usually associated with radicalization. They’ve interviewed dozens of people who either knew him or had contact with Mateen.

“And they say that they’ve yet to find any indication that he became noticeably more religious, which is one of the indicators of radicalization. He still was going to the same mosque. The way he dressed didn’t change. His relationship with his family didn’t change in any way. And these are all typically warning signs that parents and friends and educators are told to look for if they’re worried that someone they’re close to is radicalizing.”

She adds “this isn’t science,” but so far the signs of radicalization aren’t there, which has led investigators to wonder whether the 29-year-old invoked the name of ISIS to garner more publicity for his deadly attack.

I’ve been suggesting not only that Mateen was likely motivated for other reasons — but that FBI likely missed those cues because they were evaluating him for one and only one kind of threat, an Islamic terrorist rather than an angry violent man threat.

[I]t seems that when a Muslim guy invents a terrorist tie explicitly saying he wants the FBI to come after him in response so he can martyr himself protecting a particular image of his life — “He said he hoped that law enforcement would raid his apartment and assault his wife and child so that he could martyr himself” — the Bureau might think a little more critically about what is going on.

Instead, it appears, the FBI assessed Mateen for one and only one thing: whether his bogus claims of ties to terrorist organizations were real. There have been a slew of articles, such as this one or this one, wondering why the FBI didn’t “identify” Mateen as a “real” terrorist in its two investigations of him. But it appears the FBI was assessing only whether he was likely to commit violence because of–and with the support of–an Islamic terrorist group. It appears they weren’t assessing whether he was, like the overwhelming majority of men who commit mass shootings in this country, really screwed up, expressing it in violent ways, and seeking attention with such actions.

It is true that Islamic extremists want to attack this country. It is also true that far, far more Americans die when men carry out mass killings because they’re fucked up and begging for attention. If you’re Muslim, the easiest way to get attention right now is to say that word, “ISIS,” because it’s a guarantee law enforcement and politicians will give that killing more due than they might give the next disturbed mass shooter.

Of course, the apparent fact that investigators have now come to agree with me means that those who started screaming ISIS right away, and, importantly, those who leaked and officially revealed that Mateen claimed affiliation with ISIS (and other, conflicting terrorist groups) on his 911 call, in fact did ISIS’ propaganda work for them, giving the group credit for a mass killing that was really your garden variety mass killing conducted by an angry man.

Which is why this is so batshit. After blowing off Florida’s open record laws for a week, DOJ will finally release his 911 transcripts. But, according to Loretta Lynch, they’re going to edit out the references to ISIS so as to avoid “revictimizing” the victims.

A week after the worst mass shooting in U.S. history, Attorney General Loretta Lynch said a portion of Orlando shooter Omar Mateen‘s calls with hostage negotiators will be released Monday.

“We’ll be releasing a partial transcript of the calls between the killer and the hostage negotiators so people can, in fact, see the type of interaction that was had there,” Lynch told ABC News’ Jonathan Karl on “This Week” Sunday.

The Attorney General says she’ll travel to Orlando on Tuesday to get an on-the-ground perspective on the investigation.

“I say partial because we’re not going to be, for example, broadcasting his pledges of allegiance. We are trying not to re-victimize those who went through that horror,” she added. “We’re trying to get as much information about this investigation out as possible, and we want people to provide information that they have to us.”

If releasing these claims of affiliation would “revictimize” the victims, then releasing them in the first place served to victimize them. So the much better approach would be to release the full transcripts and admit the Department fucked up, both in its assessment of a potential mass killer, and in rushing to blame ISIS in the first place. Not to mention that this will just feed conspiracy theories.

If DOJ fucked up — and the claim this could revictimize people is tacit admission it seriously fucked up — then admit that and make it right. Pay the political consequences of admitting that our obsessive focus on terrorism has distracted us from the more general, and therefore more lethal, problem with mass killings. Don’t try to pretend there’s a good reason for suppressing the very same claims you made a big deal of a week ago.

If DOJ now believes the claims served to do nothing more than give Mateen’s rampage more attention — and it was a key part of generating that attention — then it needs to come clean.

Update: One more point on this. Releasing the full transcript would reveal how non-credible the ISIS claim was, appearing as it did with a claim of affiliation with al-Nusra, which would make it even clearer that FBI shouldn’t have started telling everyone about the ISIS claim.

Update: Here’s the transcript from Meet the Press.

LORETTA LYNCH:

Yes, I’ll be going to Orlando on Tuesday to continue my briefings in the case. Actually though what we are announcing tomorrow is that the F.B.I. is releasing a partial transcript of the killer’s calls with law enforcement from inside the club. These are the calls with the Orlando P.D. negotiating team who were trying to ascertain who he was, where he was, and why he was doing this, all the while the rescue operations were continuing. That’ll be coming out tomorrow and I’ll be headed to Orlando on Tuesday.

CHUCK TODD:

Including the hostage negotiation part of this?

LORETTA LYNCH:

Yes. It will be primarily a partial transcript of his calls with the hostage negotiators.

CHUCK TODD:

You say partial. What’s being left out?

LORETTA LYNCH:

Well, what we’re not going to do is further proclaim this individual’s pledges of allegiance to terrorist groups and further his propaganda.

CHUCK TODD:

So we’re not going to hear him talk about those things?

LORETTA LYNCH:

We will hear him talk about some of those things, but we’re not going to hear him make his ascertains of allegiance and that. This will not be audio. This will be a printed transcript. But it will begin to capture the back and forth between him and the negotiators. We’re trying to get as much information about this investigation out as possible. As you know, because the killer is dead, we have a bit more leeway there. And so we will be producing that information tomorrow.


Why Did FBI’s Multiple Informants Fail to Catch Omar Mateen in a Sting?

One detail of the FBI’s 2013 investigation into Omar Mateen that seems to be getting inadequate attention is that they used multiple informants with him, per Jim Comey’s press conference on Monday:

Our investigation involved introducing confidential sources to him, recording conversations with him, following him, reviewing transactional records from his communications, and searching all government holdings for any possible connections, any possible derogatory information. We then interviewed him twice. [my emphasis]

Normally, when the FBI identifies a Muslim mouthing off about joining ISIS, they throw one or more informants at him, develop his trust, then have him press a button or buy a plane ticket to Syria, which they use to arrest the guy.

That didn’t happen here. While they did record the conversations between these informants and Mateen, they never got him to do something they could arrest him for.

And I suspect we won’t get answers why they didn’t, though it seems an absolutely critical question for assessing how the FBI investigates terrorism. If FBI’s chosen method of using informants only works with the dopes and not the real threats, all it does is juice the FBI’s prosecution numbers, without keeping us safe. Alternately, it’s possible FBI assumes certain things about a potential “Islamic” threat, which turned out to be wrong in this case.

I can think of several possible reasons why FBI’s informants might not have worked the way they normally do (these are speculative):

  • Mateen was just not serious about terrorism in 2013, but something since then (perhaps the decline in his marriage, perhaps the US launching yet another war against Muslims in the Middle East) led him to embrace it in 2016
  • Mateen, who went to cop school, recognized the informants for what they were
  • The prominent reporting on FBI’s investigations into Ibragim Todashev and their infiltration of his circle of friends (the FBI’s investigation would have lasted from July 2013 until May 2014) made Mateen vigilant enough to resist the informants’ appeals
  • The informants tried to entice Mateen via Islamic ideology and not homophobic self-hatred (that is, they used the wrong trigger)
  • The process of being investigated — and interviewed 3 times — actually further pissed off Mateen, leading him closer to violence

Again, these are all speculative. We can’t know without more detail why the FBI’s typical use of informants failed this time.

But we deserve answers to the question, because if the Muslim community is going to be riddled with informants, they had better be serving some purpose other than selective surveillance of a minority group.


John Cornyn Wants to Pass Law Letting FBI Collect Information on Omar Mateen It Already Collected

The bodies from Sunday’s Orlando massacre are not yet buried, but that hasn’t stopped John Cornyn from trying to use their deaths to expand surveillance that would not have stopped the attack.

Cornyn told reporters yesterday he will use the attack to push to include Electronic Communications Transaction Records in the things FBI can obtain with a National Security Letter.

Senator John Cornyn of Texas, the No. 2 Senate Republican, pointed to a longstanding request by the FBI to expand the scope of electronic records — such as web browsing history — agents could sweep up from companies in terrorism investigations without obtaining a court order.

“They could go and get additional information, like metadata, who he’s e-mailing, the websites he’s accessing. Not content,” Cornyn told reporters Monday.

[snip]

Legislation dealing with the FBI’s surveillance powers — something that has been requested by FBI Director James Comey — could come to the Senate floor as soon as this week as part of a debate on the spending bill that funds law enforcement.

“This was the No. 1 legislative priority of the FBI according to James Comey, and those sort of additional surveillance tools could have provided the FBI more information, which would have allowed them to identify this guy as the threat that he obviously was,” Cornyn said.

In his push for new authorities, Cornyn actually claimed that if the FBI had obtained Omar Mateen’s ECTRs, it “could have provided the FBI more information” which would have “allowed” the FBI to “identify this guy as the threat that he obviously was.”

But even the article quotes (but does not unpack) Jim Comey explaining why Cornyn’s claim that ECTRs would have helped the FBI identify Mateen as a threat is complete bullshit: because FBI obtained his ECTRs.

Our investigation involved introducing confidential sources to him, recording conversations with him, following him, reviewing transactional records from his communications, and searching all government holdings for any possible connections, any possible derogatory information. We then interviewed him twice.

John Cornyn wants to give FBI the authority to obtain what they obtained (presumably via a subpoena), promising that obtaining the same records via a parallel authority somehow would have tipped the FBI that he was a threat when the very same ECTRs didn’t do so obtained via subpoena.

The claim is so stupid I can only assume this former judge, Texas Attorney General, and longtime Senate Judiciary Committee member has no fucking clue what he’s talking about.

And based on that position of authority, Cornyn wants us to believe we need to pass this law?


Notorious “FOIA Terrorist” Jason Leopold “Saves” FBI Over $300,000

Last week, Jim Comey suggested the FBI paid more for the vulnerability that helped it break into Syed Rizwan Farook’s phone than he will be paid for the seven years he’ll remain at FBI. The WSJ then did this math.

Speaking at the Aspen Security Forum in London, FBI Director James Comey didn’t cite a precise figure for how much the government paid for the solution to cracking the phone but said it was more than his salary for the seven-plus years remaining in his term at the FBI.

His annual salary is about $180,000 a year, so that comes to $1.26 million or more.

“[We] paid a lot’’ for the hacking tool, Mr. Comey said. “But it was worth it.’’

Over 600 outlets covered that story, claiming — without further confirmation — that FBI paid over $1 million for the hack, with many accounts settling on $1.3 million.

I noted at the time that 1) Jim Comey has a history of telling untruths when convenient and 2) he had an incentive to exaggerate the cost of this exploit, because it would pressure Congress to pass a bill, like the horrible Burr-Feinstein bill, that would force Apple and other providers to help law enforcement crack phones less expensively. I envisioned this kind of exchange at a Congressional hearing:

Credulous Congressperson: Wow. $1M. That’s a lot.

Comey: Yes, you’ll need to triple our budget or help me find a cheaper way.

Lonely sane Congressperson: But, uh, if we kill security won’t that be more expensive?

Comey: Let me tell you abt time I ran up some steps.

I then mused that, because Comey had officially acknowledged paying that kind of figure, it would make it a lot easier to FOIA the exact amount. By the time I tweeted that thought, of course, Jason Leopold had already submitted a FOIA for the amount.

Sure enough, the outcome I figured has already happened: without offering an explanation for the discrepancy, Mark Hosenball reported today that the figure was actually under $1 million, and FBI will be able to use it on other phones.

The FBI paid under $1 million for the technique used to unlock the iPhone used by one of the San Bernardino shooters – a figure smaller than the $1.3 million the agency’s chief initially indicated the hack cost, several U.S. government sources said on Thursday.

The Federal Bureau of Investigation will be able to use the technique to unlock other iPhone 5C models running iOS 9 – the specifications of the shooter’s phone – without additional payment to the contractor who provided it, these people added.

Just one FOIA submission later (and, probably, after calls from a bunch of outraged members of Congress wondering why FBI paid $1.3 million for a hack it claimed not to understand at all, which was its explanation for why it would not submit the hack to the Vulnerabilities Equities Process, a process that might have required it to share the hack with Apple nine months after Apple patched it), all of a sudden this hack is at least $300,000 less expensive (and I’m betting a lot more than that).

You see how effective a little aggressive FOIAing is at reining in waste, fraud, and abuse?

A pity it can’t reverse the impact of all those credulous reports repeating Comey’s claim.


FBI Has Been Not Counting Encryption’s Impact on Investigations for Over a Decade

During the first of a series of hearings in the last year in which Jim Comey (at this particular hearing, backed by Deputy Attorney General Sally Yates) pushed for back doors, they were forced to admit they didn’t actually have numbers proving encryption was a big problem for their investigations because they simply weren’t tracking that number.

On the issue on which Comey — and his co-witness at the SJC hearing, Deputy Attorney General Sally Yates — should have been experts, they were not. Over an hour and a quarter into the SJC hearing, Al Franken asked for actual data demonstrating how big of a problem encryption really is. Yates replied that the government doesn’t track this data because once an agency discovers they’re targeting a device with unbreakable encryption, they use other means of targeting. (Which seems to suggest the agencies have other means to pursue the targets, but Yates didn’t acknowledge that.) So the agencies simply don’t count how many times they run into encryption problems. “I don’t have good enough numbers yet,” Comey admitted when asked again at the later hearing about why FBI can’t demonstrate this need with real data.

In point of fact, a recent wiretap report shows that in the criminal context, at least, federal agencies do count such incidences, sometimes. But they don’t report the numbers in a timely fashion (5 of the 8 encrypted federal wiretaps reported in 2014 were from earlier years that were only then being reported), and agencies were eventually able to break most of the encrypted lines (also 5 of 8). Moreover, those 8 encrypted lines represented only 0.6 percent of all their wiretaps (8 of 1279). Reports of encrypted state wiretaps were similarly tiny. Those numbers don’t reflect FISA wiretaps. But there, FBI often partners with NSA, which has even greater ability to crack encryption.

In any case, rather than documenting the instances where encryption thwarted the FBI, Comey instead asks us to just trust him.

Which is important background to an ancillary detail in this NYT story on how FBI tried a work-around for PGP in 2003 — its first attempt to do so — to go after some animal rights activists (AKA “eco-terrorists”).

In early 2003, F.B.I. agents hit a roadblock in a secret investigation, called Operation Trail Mix. For months, agents had been intercepting phone calls and emails belonging to members of an animal welfare group that was believed to be sabotaging operations of a company that was using animals to test drugs. But encryption software had made the emails unreadable.

So investigators tried something new. They persuaded a judge to let them remotely, and secretly, install software on the group’s computers to help get around the encryption.

[snip]

“This was the first time that the Department of Justice had ever approved such an intercept of this type,” an F.B.I. agent wrote in a 2005 document summing up the case.

DOJ didn’t report this encounter with encryption in the annual wiretap reports, even though such reporting is mandated.

It is also unclear why the Justice Department, which is required to report every time it comes across encryption in a criminal wiretap case, did not do so in 2002 or 2003. The Justice Department and F.B.I. did not comment Wednesday.

It didn’t count that encounter with crypto even though FBI was discussing — as Bob Litt would 13 years later — exploiting fears of “terrorism” to get Congress to pass a law requiring back doors.

“The current terrorism prevention context may present the best opportunity to bring up the encryption issue,” an F.B.I. official said in a December 2002 email. A month later, a draft bill, called Patriot Act 2, revealed that the Justice Department was considering outlawing the use of encryption to conceal criminal activity. The bill did not pass.

Now, it may be that, as remained the case until last year, FBI simply doesn’t record that they encountered encryption and instead tries to get the information some other way. But by all appearances, encryption was tied to that wiretap.

Which suggests another option: that FBI isn’t tracking how often it encounters encryption because it doesn’t want to disclose that it is actually finding a way around it.

That’d be consistent with what they’ve permitted providers to report in their transparency reports. Right now, providers are not permitted to report on new collection (say, collection reflecting the compromise of Skype) for two years after it starts. The logic is that the government is effectively giving itself a two year window of exclusive exploitation before it will permit reporting that might lead people to figure out something new has been subjected to PRISM or other collection.

Why would we expect FBI to treat its own transparency any differently?

Update: This post has been updated to include more of the NYT article and a discussion of how encryption transparency may match provider transparency.


FBI’s Latest Story about the Hack of Farook’s Phone

There’s a lot that doesn’t quite make sense in Ellen Nakashima’s explanation for how FBI broke into Syed Rizwan Farook’s iPhone.

The FBI cracked a San Bernardino terrorist’s phone with the help of professional hackers who discovered and brought to the bureau at least one previously unknown software flaw, according to people familiar with the matter.

The new information was then used to create a piece of hardware that helped the FBI to crack the iPhone’s four-digit personal identification number without triggering a security feature that would have erased all the data, the individuals said.

The researchers, who typically keep a low profile, specialize in hunting for vulnerabilities in software and then in some cases selling them to the U.S. government. They were paid a one-time flat fee for the solution.

[snip]

At least one of the people who helped the FBI in the San Bernardino case falls into a third category, often considered ethically murky: researchers who sell flaws — for instance, to governments or to companies that make surveillance tools.

This last group, dubbed “gray hats,” can be controversial. Critics say they might be helping governments spy on their own citizens. Their tools, however, might also be used to track terrorists or hack an adversary spying on the United States. These researchers do not disclose the flaws to the companies responsible for the software, as the exploits’ value depends on the software remaining vulnerable.

Don’t get me wrong. I don’t doubt Nakashima is reporting what she learned; I know other reporters were working on a similar direction.

It’s just that the FBI’s currently operative story still makes no sense. For starters, why would the FBI pay someone selling zero days but not be willing to consider the solutions offered by (just as an example of one forensics person I know who offered to help) Jonathan Zdziarski?

And I still wonder why the government apparently unsealed the warrant in Farook’s case once before it unsealed it to compel Apple. Indeed, while Nakashima (and other reporters) says FBI “did not need the services of the Israeli firm Cellebrite,” I still think using them (or someone similar) as a middle-man might offer the best of all worlds: no official possession of this exploit, easy contracting, the ability to give (as FBI has been) conflicting stories without any of them being fully false. Just as an example, if Cellebrite told FBI it currently couldn’t crack the phone before FBI got an All Writs Act order obligating Apple, then FBI could fairly claim, as they did, that only Apple or FBI could open the phone (even if they hadn’t actually asked many other people who might be able to hack the phone). But if someone went to Cellebrite or even FBI with the exploit after that, then FBI would have a way of using the exploit without having it and therefore having to submit it to the Vulnerabilities Equities Process (though technically they should still have to). FBI would have a way of promising to keep the exploit hidden, which the vendor would require, because it would technically never be in possession of it.

There’s one more thing that is getting lost in this debate. Comey and others keep talking about the use of this for an intelligence function, as if to justify keeping this exploit secret. I know that’s the convenient part of using a terrorism case to raise the stakes of back dooring phones. But this is ultimately a law enforcement issue, not an intelligence one, no matter how much FBI wants to pretend we’re going to find out something going forward. And as such it should be subject to greater standards of disclosure than a pure use of an exploit for intelligence purposes would.

In other words, FBI is still playing word games.
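The reason a four-digit PIN was ever a problem is the erase-after-ten-failures setting and the escalating delays between attempts, which the DOJ filings quoted in the following post say only Apple-signed code could remove. The toy model below is an added illustration for this page; it is not Apple’s implementation, not the contractor’s tool, and not a claim about what the FBI actually did. It shows how an attempt limiter turns a 10,000-guess search into a wipe, how the weakened firmware DOJ asked for makes the search trivial, and how restoring the persisted failure counter between guesses (one model of the kind of hardware approach Nakashima’s sources allude to) gets the same result without touching the firmware. The lockout schedule, the 80 ms per-attempt cost, the 200-iteration PBKDF2 standing in for the device-bound key derivation, and the PIN 4821 are all assumptions.

```python
"""
Toy model of a passcode attempt limiter and of brute-forcing a 4-digit PIN against it.
Added illustration for this page; not Apple's implementation and not the FBI's tool.
Assumptions (not from the page): the lockout schedule in delay_for(), an 80 ms
per-attempt cost, and PBKDF2 standing in for the device-bound key derivation.
"""
import hashlib
import hmac

PIN_SPACE = [f"{i:04d}" for i in range(10_000)]   # every 4-digit PIN
SECONDS_PER_ATTEMPT = 0.08                        # assumed on-device cost per guess


def delay_for(failures):
    """Lockout (seconds) imposed before the next attempt, given prior failures.
    Assumption: the commonly reported iOS 9 schedule of 1, 5, 15, 15 and 60 minutes
    after the 5th to 9th failure; illustrative values only."""
    schedule = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}
    return schedule.get(failures, 0)


class Device:
    """Models only the pieces that matter here: a verifier derived from the PIN and a
    device-specific secret, a persisted failure counter, delays, and auto-erase."""

    def __init__(self, pin, wipe_after=10, use_delays=True):
        self._device_secret = b"stand-in for the hardware UID"  # never leaves the chip on a real device
        self._verifier = self._derive(pin)
        self.failures = 0            # on a real device this lives in storage the attacker must not be able to reset
        self.wiped = False
        self.clock = 0.0             # simulated elapsed seconds
        self.wipe_after = wipe_after # None disables auto-erase
        self.use_delays = use_delays

    def _derive(self, pin):
        # Low-iteration PBKDF2 stands in for the UID-entangled derivation; the point
        # is that each guess has to be checked on the device, at the device's pace.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._device_secret, 200)

    def try_pin(self, pin):
        """One passcode attempt; raises once the data has been erased."""
        if self.wiped:
            raise RuntimeError("data erased")
        if self.use_delays:
            self.clock += delay_for(self.failures)
        self.clock += SECONDS_PER_ATTEMPT
        if hmac.compare_digest(self._derive(pin), self._verifier):
            self.failures = 0
            return True
        self.failures += 1
        if self.wipe_after is not None and self.failures >= self.wipe_after:
            self.wiped = True
        return False


def brute_force(device, restore_counter=False):
    """Try every PIN in order. Returns (pin or None, simulated seconds).
    restore_counter=True resets the failure count before each guess, modelling an
    attacker who snapshots and restores the storage that holds the counter."""
    for pin in PIN_SPACE:
        if restore_counter:
            device.failures = 0
        try:
            if device.try_pin(pin):
                return pin, device.clock
        except RuntimeError:
            return None, device.clock
    return None, device.clock


def worst_case_seconds():
    """Full 4-digit search once delays and erase are out of the way."""
    return len(PIN_SPACE) * SECONDS_PER_ATTEMPT


if __name__ == "__main__":
    # 1. Stock settings: the search dies after ten wrong guesses.
    stock = Device("4821")
    print("stock device:", brute_force(stock), "wiped =", stock.wiped)
    # 2. What the All Writs Act order asked Apple to sign: no erase, no delays.
    weakened = Device("4821", wipe_after=None, use_delays=False)
    print("weakened firmware:", brute_force(weakened))
    # 3. Stock device, but the counter is restored before every guess.
    mirrored = Device("4821")
    print("counter restored each attempt:", brute_force(mirrored, restore_counter=True))
    print("full 4-digit search at 80 ms/guess:", worst_case_seconds(), "s")
```

Scenario 1 erases the device after the tenth failure and spends 96 simulated minutes in lockouts doing it; scenarios 2 and 3 both recover the PIN after 4,822 guesses, or under seven minutes, and the whole keyspace costs about thirteen minutes. That symmetry is the point: whether the limiter is removed by Apple-signed firmware or sidestepped by restoring the counter, the protection against a four-digit PIN is the limiter, not the PIN.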


DOJ’s Pre-Ass-Handing Capitulation

In its February 16 application for an All Writs Act order to force Apple to help crack Syed Rizwan Farook’s phone, DOJ asserted,

Apple has the exclusive technical means which would assist the government in completing its search, but has declined to provide that assistance voluntarily.

[snip]

2. The government requires Apple’s assistance to access the SUBJECT DEVICE to determine, among other things, who Farook and Malik may have communicated with to plan and carry out the IRC shootings, where Farook and Malik may have traveled to and from before and after the incident, and other pertinent information that would provide more information about their and others’ involvement in the deadly shooting.

[snip]

3. As an initial matter, the assistance sought can only be provided by Apple.

[snip]

4. Because iOS software must be cryptographically signed by Apple, only Apple is able to modify the iOS software to change the setting or prevent execution of the function.

[snip]

5. Apple’s assistance is necessary to effectuate the warrant.

[snip]

6. This indicates to the FBI that Farook may have disabled the automatic iCloud backup function to hide evidence, and demonstrates that there may be relevant, critical communications and data around the time of the shooting that has thus far not been accessed, may reside solely on the SUBJECT DEVICE, and cannot be accessed by any other means known to either the government or Apple.

FBI’s forensics guy Christopher Pluhar claimed,

7. I have explored other means of obtaining this information with employees of Apple and with technical experts at the FBI, and we have been unable to identify any other methods feasible for gaining access to the currently inaccessible data stored within the SUBJECT DEVICE.

On February 19, DOJ claimed,

8. The phone may contain critical communications and data prior to and around the time of the shooting that, thus far: (1) has not been accessed; (2) may reside solely on the phone; and (3) cannot be accessed by any other means known to either the government or Apple.

[snip]

9. Apple left the government with no option other than to apply to this Court for the Order issued on February 16, 2016.

[snip]

10. Accordingly, there may be critical communications and data prior to and around the time of the shooting that thus far has not been accessed, may reside solely on the SUBJECT DEVICE; and cannot be accessed by any other means known to either the government or Apple.

[snip]

11. Especially but not only because iPhones will only run software cryptographically signed by Apple, and because Apple restricts access to the source code of the software that creates these obstacles, no other party has the ability to assist the government in preventing these features from obstructing the search ordered by the Court pursuant to the warrant.

[snip]

12. Apple’s close relationship to the iPhone and its software, both legally and technically – which are the product of Apple’s own design – makes compelling assistance from Apple a permissible and indispensable means of executing the warrant.

[snip]

13. Apple’s assistance is also necessary to effectuate the warrant.

[snip]

14. Moreover, as discussed above, Apple’s assistance is necessary because without the access to Apple’s software code and ability to cryptographically sign code for the SUBJECT DEVICE that only Apple has, the FBI cannot attempt to determine the passcode without fear of permanent loss of access to the data or excessive time delay. Indeed, after reviewing a number of other suggestions to obtain the data from the SUBJECT DEVICE with Apple, technicians from both Apple and the FBI agreed that they were unable to identify any other methods – besides that which is now ordered by this Court – that are feasible for gaining access to the currently inaccessible data on the SUBJECT DEVICE. There can thus be no question that Apple’s assistance is necessary, and that the Order was therefore properly issued.

Almost immediately after the government made these claims, a number of security researchers I follow not only described ways FBI might be able to get into the phone, but revealed that FBI had not returned their calls offering suggestions.

On February 25, Apple pointed out the government hadn’t exhausted possible means of getting into the phone.

Moreover, the government has not made any showing that it sought or received technical assistance from other federal agencies with expertise in digital forensics, which assistance might obviate the need to conscript Apple to create the back door it now seeks. See Hanna Decl. Ex. DD at 34–36 [October 26, 2015 Transcript] (Judge Orenstein asking the government “to make a representation for purposes of the All Writs Act” as to whether the “entire Government,” including the “intelligence community,” did or did not have the capability to decrypt an iPhone, and the government responding that “federal prosecutors don’t have an obligation to consult the intelligence community in order to investigate crime”). As such, the government has not demonstrated that “there is no conceivable way” to extract data from the phone.

On March 1, members of Congress and House Judiciary Committee witness Susan Landau suggested there were other ways to get into the phone (indeed, Darrell Issa, who was one of those who made that point, is doing a bit of a victory lap). During the hearing, as Jim Comey insisted that if people had ways to get into the phone they should call FBI, researchers noted they had done so and gotten no response.

Issa: Is the burden so high on you that you could not defeat this product, either through getting the source code and changing it or some other means? Are you testifying to that?

Comey: I see. We wouldn’t be litigating if we could. We have engaged all parts of the U.S. Government to see does anybody that has a way, short of asking Apple to do it, with a 5C running iOS 9 to do this, and we do not.

[snip]

a) Comey: I have reasonable confidence, in fact, I have high confidence that all elements of the US government have focused on this problem and have had great conversations with Apple. Apple has never suggested to us that there’s another way to do it other than what they’ve been asked to do in the All Writs Act.

[snip]

b) Comey [in response to Chu]: We’ve talked to anybody who will talk to us about it, and I welcome additional suggestions. Again, you have to be very specific: 5C running iOS 9, what are the capabilities against that phone. There are versions of different phone manufacturers and combinations of models and operating system that it is possible to break a phone without having to ask the manufacturer to do it. We have not found a way to break the 5C running iOS 9.

[snip]

c) Comey [in response to Bass]: There are actually 16 other members of the US intelligence community. It pains me to say this, because I — in a way, we benefit from the myth that is the product of maybe too much television. The only thing that’s true on television is we remain very attractive people, but we don’t have the capabilities that people sometimes on TV imagine us to have. If we could have done this quietly and privately we would have done it.

[snip]

Cicilline: I think this is a very important question for me. If, in fact — is it in fact the case that the government doesn’t have the ability, including the Department of Homeland Security Investigations, and all of the other intelligence agencies to do what it is that you claim is necessary to access this information?

d) Comey: Yes.

While Comey’s statements were not so absolutist as to suggest that only Apple could break into this phone, Comey repeatedly said the government could not do it.

On March 10, DOJ claimed,

15. The government and the community need to know what is on the terrorist’s phone, and the government needs Apple’s assistance to find out.

[snip]

16. Apple alone can remove those barriers so that the FBI can search the phone, and it can do so without undue burden.

[snip]

17. Without Apple’s assistance, the government cannot carry out the search of Farook’s iPhone authorized by the search warrant. Apple has ensured that its assistance is necessary by requiring its electronic signature to run any program on the iPhone. Even if the Court ordered Apple to provide the government with Apple’s cryptographic keys and source code, Apple itself has implied that the government could not disable the requisite features because it “would have insufficient knowledge of Apple’s software and design protocols to be effective.”

[snip]

18. Regardless, even if absolute necessity were required, the undisputed evidence is that the FBI cannot unlock Farook’s phone without Apple’s assistance.

[snip]

19. Apple deliberately established a security paradigm that keeps Apple intimately connected to its iPhones. This same paradigm makes Apple’s assistance necessary for executing the lawful warrant to search Farook’s iPhone.

On March 15, SSCI Member Ron Wyden thrice suggested someone should ask NSA if they could hack into this phone.

On March 21, DOJ wrote this:

Specifically, since recovering Farook’s iPhone on December 3, 2015, the FBI has continued to research methods to gain access to the data stored on it. The FBI did not cease its efforts after this litigation began. As the FBI continued to conduct its own research, and as a result of the worldwide publicity and attention on this case, others outside the U.S. government have continued to contact the U.S. government offering avenues of possible research.

On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook’s iPhone

You might think that FBI really did suddenly find a way to hack the phone, after insisting over and over and over and over and over and over and over and over and over and over and over and over and over and over and over and over and over and over and over they could only get into it with Apple’s help. Indeed, the described timing coincides remarkably well with the announcement that some Johns Hopkins researchers had found a flaw in iMessage’s encryption (which shouldn’t relate at all to breaking into such phones, though it is possible FBI is really after iMessages they think will be on the phone). Indeed, in describing the iMessage vulnerability, Johns Hopkins prof Matthew Green ties the discovery to the Apple fight.

Now before I go further, it’s worth noting that the security of a text messaging protocol may not seem like the most important problem in computer security. And under normal circumstances I might agree with you. But today the circumstances are anything but normal: encryption systems like iMessage are at the center of a critical national debate over the role of technology companies in assisting law enforcement.

A particularly unfortunate aspect of this controversy has been the repeated call for U.S. technology companies to add “backdoors” to end-to-end encryption systems such as iMessage. I’ve always felt that one of the most compelling arguments against this approach — an argument I’ve made along with other colleagues — is that we just don’t know how to construct such backdoors securely. But lately I’ve come to believe that this position doesn’t go far enough — in the sense that it is woefully optimistic. The fact of the matter is that forget backdoors: we barely know how to make encryption work at all. If anything, this work makes me much gloomier about the subject.

Plus, as Rayne noted to me earlier, Ellen Nakashima’s first report on this went up just after midnight on what would be the morning of March 21, suggesting she had an embargo (though that may be tied to Apple’s fix for the vulnerability). [Update: Correction — her story accidentally got posted then unposted earlier than that.]

But that would require ignoring the 19 plus times (not counting Jim Comey’s March 1 testimony) that DOJ insisted the only way they could get into the phone was with Apple’s help hacking it (though note that most of those claims only considered the ways Apple might crack the phone, not ways that, say, NSA might). You’d have to ignore the problems within these statements themselves. You’d have to ignore the conflicting sworn testimony from FBI’s witnesses (including Jim Comey).

It turns out FBI’s public argument went to shit fast. Considering the likelihood they screwed up with the forensics on this phone and that there’s absolutely nothing of interest on the phone, I take this as an easy retreat for them.

But that doesn’t mean this is over. Remember, FBI has already moved to unlock this iPhone, of similar vintage to Farook’s, which seems more central to an actual investigation (even if FBI won’t be able to scream terrorterrorterror). There are two more encrypted phones FBI has asked Apple to break open.

But for now, I take this as FBI’s attempt to take its claims back into the shadows, where it’s not so easy to expose the giant holes in their claims.

Updated with Comey testimony.


Coming Soon to Apple vs FBI: Live Witnesses and Dead Terrorists

Apple today revealed that the FBI intends to call two witnesses in the March 22 hearing regarding the All Writs Act order to help crack Syed Rizwan Farook’s phone: what I understand to be Privacy Manager Erik Neuenschwander and its Law Enforcement Compliance lawyer Lisa Olle. The tech company declined to say whether it will call the FBI personnel who made sworn statements in the case.

Things could get interesting fast, especially if Apple calls FBI’s forensics guy, Christopher Pluhar — or even better, FBI Director Jim Comey — as there’s an apparent discrepancy between their sworn testimony.

Here’s what Jim Comey had to say in response to a Jerry Nadler question in the March 1 House Judiciary Committee hearing.

As I understand from the experts, there was a mistake made in the, that 24 hours after the attack where the County at the FBI’s request took steps that made it hard later — impossible later to cause the phone to back up again to the iCloud. The experts have told me I’d still be sitting here, I was going to say unfortunately[?], I’m glad I’m here, but we would still be in litigation because — the experts tell me — there’s no way we would have gotten everything off the phone from a backup, I have to take them at their word.

Comey’s comments appear to conflict with this sworn declaration of the FBI’s Christopher Pluhar.

To add further detail, on December 3, 2015, the same day the Subject Device was seized from the Lexus IS300, I supervised my Orange County Regional Computer Forensics Laboratory (“OCRCFL”) team who performed the initial triage of the Subject Device, and observed that the device was powered off, and had to be powered up, or booted, to conduct the triage.

[snip]

I learned from SBCDPH IT personnel that SBCDPH also owned the iCloud account associated with the Subject Device, that SBCDPH did not have the current user password associated with the iCloud account, but that SBCDPH did have the ability to reset the iCloud account password.

Without the Subject Device’s passcode to gain access to the data on the Subject Device, accessing the information stored in the iCloud account associated with the Subject Device was the best and most expedient option to obtain at least some data associated with the Subject Device. With control of the iCloud account, the iCloud back-ups of the Subject Device could be restored onto different, exemplar iPhones, which could then be processed and analyzed.

[snip]

After that conversation with Ms. Olle, and after discussions with my colleagues, on December 6, 2015, SBCDPH IT personnel, under my direction, changed the password to the iCloud account that had been linked to the Subject Device. Once that was complete, SBCDPH provided exemplar iPhones that were used as restore targets for two iCloud back-ups in the Subject Device’s iCloud account. Changing the iCloud password allowed the FBI and SBCDPH IT to restore the contents of the oldest and most recent back-ups of the Subject Device to the exemplar iPhones on December 6, 2015. Once back-ups were restored, OCRCFL examiners processed the exemplar iPhones and provided the extracted data to the investigative team. Because not all of the data on an iPhone is captured in an iCloud back-up (as discussed further below), the exemplar iPhones contained only that subset of data as previously backed-up from the Subject Device to the iCloud account, not all data that would be available by extracting data directly from the Subject Device (a “physical device extraction”).

The two conflict for several reasons. First, as I understand it, once the phone was powered off, such a backup would no longer have been possible, so changing the password would not have been a mistake. And while Pluhar’s assertion that you can’t get everything from an iCloud backup is consistent with Comey’s claim (presumably Pluhar is one of the experts Comey relied on), Neuenschwander explained in his own supplemental declaration that this was false.

Note, this passage is also the first confirmation that the FBI had already told Apple this phone was part of the investigation by December 6, meaning it must have been one of the ones Apple provided metadata for on December 5.

There is just one way that Pluhar’s declaration and Comey’s statement (again, both were sworn) can both be true: if the FBI turned off the phone themselves [update: or let it drain, h/t Some Guy]. That would also make Comey’s claim that “a mistake was made in that 24 hours after the attack” make more sense, as it would refer to the decision to turn off the phone, rather than FBI’s direction to San Bernardino County to change the password.

That said, I wonder whether FBI isn’t trying something else by calling Olle and Neuenschwander to testify.

As part of its reply, Apple had Senior Vice President for Software Engineering Craig Federighi submit a declaration to rebut government claims Apple has made special concessions to China. After making some absolute statements — such as that “Apple has also not provided any government with its proprietary iOS source code,” Federighi stated, “It is my understanding that Apple has never worked with any government agency from any country to create a “backdoor” in any of our products or services.”

I was struck at the time that the statement was not as absolute as the others. Federighi relies on what he knows, without, as elsewhere, making absolute assurances.

Which got me wondering. If any country had demanded a back door (or, for that matter, Apple’s source code) would Federighi really need to know? From Neuenschwander’s declaration, it sounded like a smallish team could make the back door the FBI is currently demanding, meaning he might be as high as such knowledge would rise.

So I wonder whether, in an attempt to be dickish, the government intends to ask Neuenschwander and Olle, who would be involved in such compliance issues, if they also back Federighi’s statement.

We shall see. For now, I just bet myself a quarter that Apple will call Comey.


“Noteworthy” Ron Wyden Interview on Apple vs FBI: Ask NSA, Ask NSA, Ask NSA

This interview Ron Wyden did with Oregon Public Radio includes a lot of what you might expect from him, including an argument that weakening encryption makes us less safe, including possibly exposing kids (because their location gets identified) to pedophiles.

But the most interesting part of this interview is the three times Ron Wyden made it clear, in his inimitable fashion, that someone better ask NSA whether they can decrypt this phone. To me, the interview sounds like this:

Let me tell you what I think is noteworthy here. This is a fight between FBI and Apple. I think it’s noteworthy that nobody has heard from the NSA on this. [around 2:00]

And I want to come back to the fact that the NSA has not been heard from on this and I think that that is noteworthy. [before 7:25]

[After finally being asked what he had heard from NSA] I’m on the intelligence committee, so I’m bound, I take an oath, to not get into classified matters so I’m just going to, uh, leave that there with respect to the NSA. [at 8:30]

We’ve had experts like Susan Landau and Richard Clarke insist that NSA can get into this phone. Jim Comey, in testimony before HJC, sort of dodged by claiming that NSA doesn’t have the ability to get into a phone with this particular configuration.

But Ron Wyden sure seems to think the NSA might have more to say about that.

Golly, I can’t imagine what he thinks the NSA might have to offer about this phone.
