Andrew Burton/Getty
Apple: If we're forced to build a tool to hack iPhones, someone will steal it.
FBI: Nonsense.
Russia: We just published NSA's hacking tools
"The component of the government that is supposed to be absolutely best at keeping secrets didn't manage to keep this secret effectively," Nate Cardozo, a senior staff attorney with the Electronic Frontier Foundation, told Business Insider.
In February, $4 Apple to help the FBI unlock an iPhone that was used by Syed Rizwan Farook, one of two attackers $4 attack in San Bernardino, California. That order set off a vigorous debate between
While the company's legal team fought the order, Apple CEO Tim Cook published $4 arguing against being forced to build a so-called "backdoor" that would subvert the encryption that not only kept the shooter's phone secure, but millions of other users of Apple's smart phones.
Most in the technology community rallied around Apple at the time, arguing that $4 might help government investigators, but it would also make customers vulnerable to hackers.
Now, with $4 having been leaked online, it appears they were right.
"The NSA's stance on vulnerabilities seems to be based on the premise that secrets will never get out. That no one will ever discover the same bug, that no one will ever use the same bug, that there will never be a leak," Cardozo said. "We know for a fact, that at least in this case, that's not true."
The government eventually backed down from its fight with Apple in late March, after investigators said they were able to unlock the shooter's phone with the "$4" It never disclosed who that was or how it broke into the phone.
Exactly how the FBI got into the phone is yet another case where the government is holding on to "zero days," or software exploits that are completely unknown to companies and users. These exploits, when found, are typically disclosed to vendors so they can fix the problem, used by hackers to break into systems more easily, or sold on the black market.
But Cardozo believes the FBI's exploit of the San Bernardino shooter's iPhone 5C, its still-unknown exploit of the $4, and NSA's apparent hoarding of exploits that have now been made public, raises a larger issue around the legalities of government hacking.
"When the government finds, creates, or discovers a vulnerability in a system, there are essentially two things they can do: They can disclose it, or they can use it," he said. "But the rules around that are completely broken."
There are some guidelines around how the government is supposed to deal with vulnerabilities in what is called the $4, a framework that is supposed to outline how and when it would make sense to disclose a vulnerability to an affected company if the larger security risk is greater than the reward it could yield.
But the VEP is just non-binding guidance created by the Obama administration - not an executive order or law - which has no legal standing.
"We need rules, and right now there aren't any," Cardozo said. "Or at least none that work."