F.B.I. Director Suggests Bill for iPhone Hacking Topped $1.3 Million
By ERIC LICHTBLAU and KATIE BENNER
WASHINGTON — The director of the F.B.I. suggested Thursday that his agency paid at least $1.3 million to an undisclosed group to help hack into the encrypted iPhone used by an attacker in the mass shooting in San Bernardino, Calif.
At a technology conference in London, a moderator asked James B. Comey Jr., the F.B.I. chief, how much bureau officials had to pay the undisclosed outside group to demonstrate how to bypass the phone’s encryption.
“A lot,” Mr. Comey said, as audience members at the Aspen Institute event laughed.
He continued: “Let’s see, more than I will make in the remainder of this job, which is seven years and four months, for sure.”
The F.B.I. had been unwilling to say anything at all until Thursday about how much it paid for what has become one of the world’s most publicized hacking jobs, so Mr. Comey’s cryptic comments about his own wages and the bounty quickly sent listeners scurrying in search of their calculators.
The F.B.I. director makes about $185,100 a year — so Mr. Comey stands to earn at least $1.35 million at that base rate of pay for the remainder of his 10-year term.
The F.B.I. declined to confirm or deny Thursday whether the bureau had in fact paid at least $1.3 million for the hacking, and it declined to elaborate on Mr. Comey’s suggestive remarks.
But that price tag, if confirmed, appears in line with what other companies have offered for identifying iOS vulnerabilities.
Zerodium, a security firm in Washington that collects and then sells such bugs, said last fall that it would pay $1 million for weaknesses in Apple’s iOS 9 operating system. Hackers eventually claimed that bounty. The iPhone used by the San Bernardino gunman ran iOS 9.
“A number of factors go into pricing these bounties,” said Alex Rice, the co-founder and chief technology officer of the security start-up HackerOne, who also started Facebook’s bug bounty program. Mr. Rice said that the highest premiums were paid when the buyer didn’t intend to disclose the flaw to a party that could fix it.
“The cost of keeping a flaw secret is high,” Mr. Rice said. He added that buyers like Zerodium’s customers and the government might not work to fix problems.
When companies run bug bounty programs, they may pay about $100,000 to hackers who show them system vulnerabilities that must be fixed. “When you sell at a high price, you have to be O.K. with the possibility that the person you sold the flaw to could do something bad with it,” Mr. Rice said.
While Mr. Comey’s remarks appeared to address the lingering mystery of how much the F.B.I. paid to get into the San Bernardino phone, he said nothing that would indicate the actual identity of the outside group behind the hacking. Some media reports have named an Israeli software company that might have helped the F.B.I., but numerous law enforcement officials have said that company was not involved.
After an intense courtroom fight in Southern California, the F.B.I. disclosed three weeks ago that it had managed to get access to the data inside an iPhone 5c used by Syed Farook, one of the attackers in the San Bernardino rampage, which killed 14 people, by paying the outside group.
The Justice Department had gone to court to try to force Apple to develop a new operating system to allow access into the encrypted phone, setting off an intense national debate about privacy versus national security. But it withdrew its case after the outside party came to the F.B.I. and demonstrated a way around the phone’s internal defenses, which would have destroyed the data inside after 10 failed password attempts and would have meant longer and longer intervals in between guesses.
With those mechanisms disabled, the F.B.I. was able to use what is called a brute force attack — using computers to guess vast numbers of password combinations at once — in order to get inside the phone.
But the Justice Department is still trying to force Apple in court to help unlock encrypted phones in Brooklyn, Boston and elsewhere.
Cracking a Single iPhone Cost NT$40 Million; F.B.I.: It Was Worth It
F.B.I. Director James Comey said on the 21st that to break into the iPhone used by one of the attackers in last December’s terrorist attack in San Bernardino, Calif., the F.B.I. spent more than the total salary for his remaining seven years and four months in office. Based on his current pay, he would earn $1.34 million (about NT$43.28 million) over the rest of his term.
Speaking at the Aspen Security Forum in London, Mr. Comey was asked how much the F.B.I. had paid to crack the phone’s software. He answered: “A lot.”
He said: “Certainly more than I will make in the remainder of this job, and I still have seven years and four months in it. But in my view, it was worth it.”
According to figures from the F.B.I. and the Office of Management and Budget, Mr. Comey’s annual salary was $183,300 as of January 2015. Assuming no raises and no bonuses, he would earn $1.34 million over his remaining term, a record for what the F.B.I. has paid for hacking techniques.
The F.B.I.’s previous record payment for hacking techniques was $1 million to the American security company Zerodium as compensation for cracking the phone.
Mr. Comey’s term is 10 years; he took office on Sept. 4, 2013.
To break into the San Bernardino attacker’s iPhone 5C, the U.S. government took on Apple, but the Justice Department said in March that, with the help of an unidentified third party, it had broken into the attacker’s iPhone and was dropping its case against Apple, ending the high-stakes legal clash. Mr. Comey said, however, that a way must be found to balance online personal privacy, security and public safety. He said the F.B.I. could use this software to break into other iPhone 5Cs running iOS 9.
Original article:
http://www.nytimes.com/2016/04/22/us/politics/fbi-director-suggests-bill-for-iphone-hacking-was-1-3-million.html
2016-04-22, United Evening News (聯合晚報), A6, International Focus, International News Desk