On Tuesday, the House Judiciary Committee met to hear testimony about the dispute between Apple and the Federal Bureau of Investigation over unlocking one of the San Bernardino shooters' iPhones. In a lengthy three-hour testimony, FBI Director James Comey attempted to answer questions from a number of representatives and explain the FBI's choice to ask a magistrate judge in California to compel Apple to break the security on its numeric passcode lock feature. And as the questions went on, Comey seemed more and more baffled.
Throughout his testimony, Comey was careful to present himself as calm, humble, and reasonable. For example, responding to a hypothetical from Rep. Steve King, Republican of Iowa, about ISIS acquiring nuclear devices, Comey said:
I do worry that it’s hard to have nuanced, complicated conversations [about digital security] in an emergency and in the wake of a disaster, which is why I think it’s so important we have this conversation now. Because in the wake of something awful happening it would be hard to talk about this in a thoughtful, nuanced way. And so I think that’s why I so welcome the Chairman having this hearing and having further conversations about it.
Beneath the surface, though, there was some pretty blatant fudging going on. Let's pull a few Comey assertions out, shall we?
On Apple's ability to securely store the tool it would hypothetically create:
I have a lot of faith, maybe I don’t know them well enough, in the company’s ability to secure their information.
OK, yeah, you don't know them well enough.
The iCloud for example is not encrypted.
Wait, yes it is.
But I don’t lie awake at night worrying about whether they’re able to protect the contents of the iCloud.
Even though iCloud data is encrypted, it has had numerous security vulnerabilities in the past and was notably breached in 2014.
They are very very good at protecting their information and their innovation. So no thing is for certain, but I think these folks are pros.
On the question of whether the hypothetical tool would work for the iPhone 6 and 6S:
There’s already a door on that iPhone [5C]. ... The later phones, as I understand, the 6 and after, there aren’t doors.
Let's check in with Bruce Sewell, Apple general counsel and senior VP of legal and global security, about this. Sewell: "There’s no distinction between a 5C and 6 in this context. The tool we’re being asked to create will work on any iPhone in use today." Oh.
Trying to answer technical questions from Rep. Darrell Issa, Republican of California:
Issa: Did you receive the source code from Apple? Did you demand the source code?
Comey: Did we ask Apple for their source code? Not that I'm aware of.
Issa: Does the 5C have a non-volatile memory in which all of the encrypted data and the selection switches for the phone settings are all located in that encrypted data?
Comey: I don't know.
Issa: Well, it does. Take my word for it for now. So that means that you can in fact remove from the phone all of its no-nvolatile memory, its disk drive if you will, and set it over here and have a true copy of it that you could conduct infinite number of attacks on. Let's assume that you can make an infinite number of copies once you make one copy, right?
Comey: I have no idea.
Issa: I'm doing this because I came out of the security business and this befuddles me that you haven't looked at the source code and you don't really understand the disk drive.
On how awesome U.S. computing is:
A lot of tech experts ask why can’t you mirror the phone in some way and then play with the mirror. For reasons I don’t fully understand, not possible in this circumstance.
See above confusion.
So we do want to try and brute-force the phone. That is the multiple guesses. We’ll do that ourselves, but we need removed the auto-erase function and the delay-between-guesses function ... If we have those removed we can guess this phone’s password with our computing power in 26 minutes, is what we’re told, because we have enormous computing power in the U.S. government.
That's great, dude, but regular consumer-grade servers have been able to do that for years.