FBI, Apple, liberty, security, blah blah blah
There are a number of key points I want to highlight that are going to get lost in the hot takes. So, here is my hot take.
Bottom Line Up Front
- Farook and Malik were amateur terrorists who conducted an attack more reminiscent of American “going postal” workplace violence than an operation directed by a terrorist organisation.
- Farook destroyed his personal phone. The FBI wants access to his work phone. UPDATE: FBI locked themselves out of the iCloud account after it was seized.
- FBI already has huge amounts of data from the telco and Apple. This is almost certainly enough to rule out any clear connection with other terrorists.
- FBI is playing politics, very cynically and very adroitly.
- FBI already has massive amounts of data, all of which indicates that Farook and Malik were not in contact with a foreign terrorist organisation, nor with any other unknown terrorists.
- Even if, despite all evidence to the contrary, Farook and Malik were somehow in invisible traceless contact with an ISIS handler, that handler would not have revealed information about other cells, because that would violate the most basic tenet of security — need to know.
As terrorists, Farook and Malik were not particularly highly skilled. They were unable to assemble functional IEDs. After they completed their attack, they drove around a bit then went home. They appear to have had no coherent operational plan extending beyond the execution of the attack. This is amateur hour. (Contrast with a professional terrorist operational plan.)
The FBI complains that they don’t know what happened for 18 minutes after the shooting. This sort of “losing sight of the target” happens all the time during surveillance. The shadow makes a note, and moves on. There is basically no chance that the Malik cell used this 18 minute window for making first contact with other operatives in the US. These guys were not highly trained operatives working hard to lose surveillance and achieve 18 minutes “in the black” so they could… send a text message?
Workplace Mass Shootings, as American as Apple Pie
They do not appear to have had outside direction from a real terrorist group. It is extremely unlikely that a terrorist group would have allowed the target selection made by the Malik cell. An office holiday party for an obscure government agency is not the sort of high profile (or symbolic) target that terrorist organisations tend to attack.
This attack is more American (“going postal”) than it is ISIS. Until Facebook discovered their bayat to ISIS (posted after the attacks) it was unclear whether this was a common workplace mass shooting or a terrorist action.
The attack suggests American influences more than foreign terrorist organisation direction.
Call Data Records and Other Traces
Verizon has provided the FBI with all the data they have from the mobile devices used by the two shooters. This includes:
- the locations,
- the calls,
- the SMS messages,
- the Internet data, including volume (and probably DNS, IP, and web logs)
The FBI probably knows everyone that Farook and Malik were in contact with. The FBI probably knows everything of interest already. If there was a hint of any connection with a terrorist organisation they would have announced it already. They have, instead, been clear that there was nothing suggesting any such contact took place.
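To make concrete what "the telco already has it" means, here is an added illustration of the contact analysis an analyst would run over that kind of record set; it is not the author's code, not any agency's tooling, and every number, timestamp and cell id in it is constructed. It assumes a simple CSV export (timestamp, record type, originating number, terminating number, serving cell) and a hand-maintained list of contacts the investigation has already attributed (coworkers, family). It also answers the "18 minute window" question from above directly: did either handset make first contact with a previously unseen number inside a given time window?

```python
"""Contact analysis over constructed call detail records (CDRs).

Added illustration only. The records, the phone numbers, the cell ids and the
KNOWN_CONTACTS list are all made up; the CSV layout is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CDR export: timestamp, type, originating number,
# terminating number (empty for data sessions), serving cell id.
CDR_LINES = """\
2015-12-02T08:05:11,CALL,+15550001111,+15550002222,CELL-A1
2015-12-02T08:40:03,SMS,+15550002222,+15550001111,CELL-A1
2015-12-02T09:12:45,SMS,+15550001111,+15550003333,CELL-A2
2015-12-02T10:58:20,DATA,+15550001111,,CELL-B7
2015-12-02T11:02:09,CALL,+15550004444,+15550001111,CELL-B7
2015-12-02T11:15:31,SMS,+15550002222,+15550005555,CELL-B8
2015-12-02T11:30:00,DATA,+15550002222,,CELL-C3
2015-12-02T13:45:10,CALL,+15550001111,+15550003333,CELL-C3
"""

SUBJECTS = {"+15550001111", "+15550002222"}      # the two handsets under review
KNOWN_CONTACTS = {"+15550003333", "+15550004444"}  # already attributed (constructed)


def parse_cdrs(text):
    """Parse the export into dicts. DATA rows carry no counterparty."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, a_num, b_num, cell = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                        "a": a_num, "b": b_num or None, "cell": cell})
    return records


def contact_graph(records):
    """Map each subject number to the set of outside numbers it called/texted.
    Subject-to-subject traffic is not a lead, so it is not an edge."""
    graph = defaultdict(set)
    for r in records:
        if r["b"] is None:
            continue
        for me, other in ((r["a"], r["b"]), (r["b"], r["a"])):
            if me in SUBJECTS and other not in SUBJECTS:
                graph[me].add(other)
    return dict(graph)


def unattributed_contacts(graph):
    """Counterparties the investigation has not yet explained."""
    return {n for peers in graph.values() for n in peers} - KNOWN_CONTACTS


def first_contacts_in_window(records, start, minutes):
    """Outside numbers whose FIRST appearance anywhere in the records falls
    inside [start, start + minutes). `start` may be a datetime or ISO string."""
    if isinstance(start, str):
        start = datetime.fromisoformat(start)
    end = start + timedelta(minutes=minutes)
    seen_before, found = set(), set()
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["b"] is None:
            continue
        for n in (r["a"], r["b"]):
            if n in SUBJECTS:
                continue
            if start <= r["ts"] < end and n not in seen_before:
                found.add(n)
            seen_before.add(n)
    return found


def location_trail(records, subject):
    """Ordered (timestamp, cell) sequence for one handset, data sessions
    included, i.e. the coarse movement history the carrier holds anyway."""
    return [(r["ts"], r["cell"]) for r in sorted(records, key=lambda r: r["ts"])
            if subject in (r["a"], r["b"])]


if __name__ == "__main__":
    recs = parse_cdrs(CDR_LINES)
    g = contact_graph(recs)
    print("contact graph:", g)
    print("unattributed:", unattributed_contacts(g))
    print("new numbers in 18 min window:",
          first_contacts_in_window(recs, "2015-12-02T11:00:00", 18))
    print("trail:", location_trail(recs, "+15550002222"))
```

On the constructed data the only unexplained counterparty is +15550005555, and the window check surfaces both it and +15550004444 as numbers not seen before 11:00; intersecting that with `unattributed_contacts` is the lead list. The point of the exercise is the one the section makes: this is routine link analysis on data the carrier already holds, and it needs nothing from the handset.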
Personal Phone Destroyed
Media reports suggest that Farook and Malik had personal phones that they completely destroyed after the attack. This destruction was complete enough that there is nothing that can be forensically recovered.
It seems unlikely that Farook would use his work issued phone to contact and discuss terrorist activity rather than his personal device. He would have to add the contact, install the app, etc. This would have to occur in the short window after he disabled iCloud backups and before he conducted the attack.
It is unclear why Farook would destroy his personal phone but not his work phone if the work phone had sensitive data. They were already destroying two devices; why not three? They were executing some sort of “going dark” plan. It seems entirely possible that they didn’t see the need to destroy a device that was never used for anything sensitive.
Farook’s Work Phone’s iCloud Backup
The iPhone 5C in question was the work phone provided to Farook by his employer. This device was backed up by iCloud until about 6 weeks before the attack.
UPDATE: The FBI locked themselves out of the iCloud account, preventing further backups, after the device was seized.
The County was working cooperatively with the FBI when it reset the iCloud password at the FBI's request.
— SBCounty (@SBCounty) February 20, 2016
The FBI has complete content of everything from iCloud up until 6 weeks before the attack.
including connection logs and IP addresses you’ve used. … and any other information that can be backed up to iCloud. As of this writing, this list includes contacts, calendars, browser bookmarks, Photo Stream photos, anything that uses the “documents and data” feature (which can include not just word processors but also photo and video apps, games, and data from other applications), and full device backups.
The key point here is that the iMessage content would be available in backups.
Is the FBI playing politics?
Yes. That is kinda what they do. It is what they always do. They are being extremely cynical in this case. They have selected a case which will cast the tech vendors in the worst possible light. The FBI has been planning exactly this for a while, waiting only for an attack that would provide the pretext.
Privately, law enforcement officials have acknowledged that prospects for congressional action this year are remote. Although “the legislative environment is very hostile today,” the intelligence community’s top lawyer, Robert S. Litt, said to colleagues in an August e-mail, which was obtained by The Post, “it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”
Source: Washington Post (emphasis added)
CYA Scare Tactics
The FBI is really keen to ensure they don’t make any falsifiable statements. This would be career ending if they were wrong, so instead they are making all sorts of scary vague statements.
In the immediate hours after the Dec. 2, 2015 shootings, some witnesses told law enforcement officers and reporters that they saw three gunmen at the center. But by the end of the day, the FBI had issued a statement saying there were only two confirmed shooters, local residents Syed Farook and his wife, Tashfeen Malik. Farook worked with many of those he gunned down at the party.
“What we have confirmed is evidence indicating that two weapons were fired at the Inland Regional Center,” Laura Eimiller, a spokesperson for the FBI Los Angeles, told ABC News this week. “But in the absence of video it’s something you can’t entirely rule out until every question is answered. There’s still unanswered questions.”
Source: ABC News
There were confused eyewitness accounts. Eyewitness accounts are always confused and frequently wrong, particularly about things like “how many masked gunmen were shooting at you while you tried to hide?” or “how many people do you think you saw while you weren’t paying attention to them?” There is only evidence for two shooters. There is nothing to indicate that a third militant was involved, or that Farook and Malik were in contact with any other Islamic militants in the US.
Indeed, there has been no indication that they were in contact with anyone associated with a terrorist organisation, either foreign or domestic. They seem to be a clear case of a leaderless resistance cell.
It is extremely unlikely that they were in contact with anyone else who is currently unknown to the intelligence community.
ISIS Isn’t That Dumb
If they were in contact with anyone in ISIS (which seems unlikely given the American style target selection and the non-functional IEDs), then for security reasons that ISIS handler should not reveal the existence of any other cells. This is very basic compartmentation.
The only reason that a terrorist organisation would place cells in contact with each other, breaking the most basic and fundamental security rules, is to conduct multiple attacks simultaneously. This is what happened in France in January 2015, when the Kouachi brothers (Charlie Hebdo) and Amedy Coulibaly (Hyper Cacher) coordinated their attacks, and again with the ISIS cells that attacked Paris in November 2015.
If there was an ISIS handler and if there was another cell that the Maliks were in contact with, that cell would have gone operational at around the same time. Since there have been no other terrorist attacks in the US, they were not in contact with another cell. QED.
There is no point contaminating two cells without an operational reason, such as logistics or coordinated attacks. ISIS are not that incompetent.
I'm officially for Apple fatigue. If there's another analysis piece or think piece it better fucking include the damn PIN code
— thaddeus e. grugq (@thegrugq) February 19, 2016
After all this, the PIN for Farook’s work phone is probably — 1234.
UPDATE: Slate has an interesting analysis of the value of the data on the phone, reaching the same conclusion: there’s probably nothing.