1 million Apple UUIDs leaked after FBI security breach
September 4, 2012 5:24 AM

The AntiSec hacking group claims to have released a set of more than 1 million Apple Unique Device Identifiers (UDIDs) allegedly obtained from breaching an FBI agent's laptop via a Java vulnerability. The group claims to have over 12 million IDs, as well as personal information such as user names, device names, notification tokens, cell phone numbers and addresses. There's a tool to help you check if your device is in the list.

The Antisec file offers the following explanation of how the information was obtained:
During the second week of March 2012, a Dell Vostro notebook, used by
Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action
Team and New York FBI Office Evidence Response Team was breached using the
AtomicReferenceArray vulnerability on Java, during the shell session some files
were downloaded from his Desktop folder one of them with the name of
"NCFTA_iOS_devices_intel.csv" turned out to be a list of 12,367,232 Apple iOS
devices including Unique Device Identifiers (UDID), user names, name of device,
type of device, Apple Push Notification Service tokens, zipcodes, cellphone
numbers, addresses, etc. The personal details fields referring to people
appear many times empty, leaving the whole list incomplete in many parts. No
other file in the same folder makes mention of this list or its purpose.
and the following justification:
well we have learnt it seems quite clear nobody pays attention if you just come
and say 'hey, FBI is using your device details and info and who the fuck knows
what the hell are they experimenting with that', well sorry, but nobody will care.
FBI will, as usual, deny or ignore this uncomfortable thingie and everybody will
forget the whole thing at amazing speed. so next option, we could have released
mail and a very small extract of the data. some people would eventually pick up
the issue but well, lets be honest, that will be ephemeral too.
So without even being sure if the current choice will guarantee that people
will pay attention to this fucking shouted
'FUCKING FBI IS USING YOUR DEVICE INFO FOR A TRACKING PEOPLE PROJECT OR SOME
SHIT'
More at Hacker News.
posted by unSane (151 comments total) 27 users marked this as a favorite
 
It is really remarkably annoying that this much data was just on some random agent's laptop. Not a rate limited call to a remote server or anything. No. Assuming this is legit, just a data dump on a guy's laptop.
posted by jaduncan at 5:33 AM on September 4, 2012 [6 favorites]


Which, of course, leads to the question of just why an individual FBI agent would have data on more than a million US citizens on his laptop?
posted by Malor at 5:42 AM on September 4, 2012 [27 favorites]


Antisec claims he had data on more than 12 million, of which they've released 1m.

It's not clear, as far as I can tell, what proportion of these belong to US citizens.
posted by unSane at 5:46 AM on September 4, 2012 [1 favorite]


It is really remarkably annoying that this much data was just on some random agent's laptop. Not a rate limited call to a remote server or anything. No. Assuming this is legit, just a data dump on a guy's laptop.

Well, if true, it's more than annoying, because it's hard (for me) to think of legitimate reasons for the FBI to have data on 1 million users. I actually want the FBI to be chasing around catching bad guys, but I don't buy that there are 1 million bad guys the FBI is specifically interested in who all happen to use Apple phones.
posted by OmieWise at 5:50 AM on September 4, 2012 [2 favorites]


12 million Omie, anti-sec only released one million (claimed, not verified, etc.).
posted by Divine_Wino at 5:53 AM on September 4, 2012


Note that Apple has sold approximately 400 million iOS devices, so a list of 12 million devices is about 3% of the total sold. Given that the list has UUIDs, but very spotty metadata, I think Apple is not the source of this list. Probable sources could include mobile ad networks like AdMob, or iOS developers. For example, one iOS developer I know has a customer database that includes UUIDs, push tokens, etc. and his database has about that many entries.
posted by RichardP at 6:01 AM on September 4, 2012 [4 favorites]


The FBI has a database with info on millions of iDevices because the FBI requested it and Apple (and probably every other wireless company) gave it to them.
posted by muddgirl at 6:01 AM on September 4, 2012 [8 favorites]


In fact I think the more interesting question that this news raises is not (if all the salient facts are correct) why is the fbi interested in having unique identifiers on 12 million IOS devices or 1 million ios devices, but how come our federal intelligence, counter-intelligence and LEO agencies are so fucking technically inept and not capable of even basic security measures or good data hygiene?
posted by Divine_Wino at 6:03 AM on September 4, 2012 [4 favorites]


"(...)but by far the most alarming was the fact that it was possible to use OpenFeint to completely de-anonymize a large proportion of UDIDs."
from here

it's such a huge clusterfuck.
Naturally, all the usual curmudgeons, Gruber et al are more or less quiet concerning this. The UDID API has been under criticism for nigh on two years, and now this happens. You'd think there'd be more of an uproar towards Apple and more people asking themselves why the FBI or a Non-Profit Org needs a database of 12 MILLION users' iPhones, one of which has been confirmed to belong to a Brit.

It just boggles the mind, since if you have the UDID of an iDevice, you can pretty much look for it with DPI/PI and localize unique traffic easily. You can also, scrape for current location of the phone and therefore the person.

Amongst other dastardly devious things.
posted by xcasex at 6:03 AM on September 4, 2012 [2 favorites]


I give it a week before all mention of this drops from "legitimate" news services, if they pick it up at all.

Going out on a limb here, but I think there's much more important things to cover, like which clown is going to utter which scripted PR statement at which convention.

The MSM is also going bonkers over the fact that all the torture lawsuits were dropped, isn't it?

The "legitimate" news services don't exist to inform.
posted by Noisy Pink Bubbles at 6:05 AM on September 4, 2012 [18 favorites]


The FBI has a database with info on millions of iDevices because the FBI requested it and Apple (and probably every other wireless company) gave it to them.

In order to comply with warrants or other lawful orders. And not a database, but individual searches or record dumps. Big, big difference.

Does the FBI have warrants for these leaked device IDs and associated info? Doubt it.
posted by His thoughts were red thoughts at 6:05 AM on September 4, 2012 [1 favorite]


...it's hard (for me) to think of legitimate reasons for the FBI to have data on 1 million users.

Isn't it obvious? They keep data on everybody, just in case they get a reason someday to be interested in any one of them in particular.
posted by ceribus peribus at 6:05 AM on September 4, 2012 [5 favorites]


You'd think there'd be more of an uproar towards Apple

I think the proper uproar is towards the fact that there's no clear law protecting this data. Every single wireless company releases their data, usually without a warrant, because that is their understanding of the law.

In order to comply with warrants or other lawful orders.

Do we know there wasn't a warrant or other lawful order attached to this?

And not a database, but individual searches or record dumps. Big, big difference.

This looks like a record dump from a database to me.
posted by muddgirl at 6:08 AM on September 4, 2012 [3 favorites]


Sooo....if your device is on the list, what does that mean? What does one do?

I actually want the FBI to be chasing around catching bad guys, but I don't buy that there are 1 million bad guys the FBI is specifically interested in who all happen to use Apple phones.

Data mining is probably key to law enforcement. I'm not saying its right or wrong, but with so much of the world's information being flung around the net and onto various devices, data mining is a natural outgrowth of law enforcement.
posted by Brandon Blatcher at 6:08 AM on September 4, 2012 [1 favorite]


@blatcher
Data mining, yes. Database storage, no.
Now I don't claim to know of FBI procedure, but I have a hard time seeing a case involving 12 million iDevices.

no matter the spin, this is bad, in the same manner as warrantless wiretaps, if not worse, considering the sheer amount of shit you can do with just the UDID.
posted by xcasex at 6:14 AM on September 4, 2012 [2 favorites]


I actually want the FBI to be chasing around catching bad guys, but I don't buy that there are 1 million bad guys the FBI is specifically interested in who all happen to use Apple phones.

Well, so-called bad-guys make calls to other people who are not bad-guys too.

My parents phone at one time was tapped by the FBI. They were told so in a letter. The reason was that calls had been made to/from their house to a criminal they were tracking. This criminal was a second-cousin of mine and was making calls to my parents for regular family reasons.
posted by vacapinta at 6:16 AM on September 4, 2012


The FPP kind of buried the lede:
to journalists: no more interviews to anyone till Adrian Chen get featured in the front page of Gawker, a whole day, with a huge picture of him dressing a ballet tutu and shoe on the head, no photoshop. yeah, man. like Keith Alexander. go, go, go.
posted by postcommunism at 6:18 AM on September 4, 2012 [1 favorite]


I'm not saying its right or wrong,

Right or wrong. Hard to say? Unconstitutional? Yes, definitely.

What is wrong is that these things happen despite the fact that they infringe one of the basic rights all American citizens are supposed to enjoy.

But I guess since America is in eternal, permanent war against terror, anything President Bush, oops, I mean President Obama, has to do to protect Americans is OK.
posted by three blind mice at 6:19 AM on September 4, 2012 [5 favorites]


It's not even the evil tracking that gets me. That doesn't even surprise me any more. It's the incompetent IT.

Guy is from: FBI Regional Cyber Action Team

This makes me want to see the geographical breakdown of the target phones. If it's all NYC/NJ, you can safely assume that there's a bunch of other guys walking around with this much data. Being lazy enough to walk around with software with a zero-day and not even turn off the Java/net contact points might just be him being super special.

Good job, captain cyber. We can only hope the rest of your cyber security isn't worse than the work experience legal secretary 5 meters from me.
posted by jaduncan at 6:19 AM on September 4, 2012 [5 favorites]


xcasex, Gruber isn't quiet: it's the top of his page right now,and all he says is, "Well, this sounds like a total clusterfuck."

And I also just read where Richard Forno says he's hearing that it's a hoax. That doesn't make the underlying issue any less dire, but maybe it can be mitigated a little (by tightening things up at the app level?) before this really does happen.
posted by wenestvedt at 6:20 AM on September 4, 2012


Data mining is probably key to law enforcement. I'm not saying its right or wrong, but with so much of the world's information being flung around the net and onto various devices, data mining is a natural outgrowth of law enforcement.

This law enforcement dictum definitely needs to be questioned. Of course it's wrong! Not just wrong in an ethical sense of creating a dragnet security mechanism which can be used to incriminate anyone for anything. But also wrong in a procedural sense -- the way to find a needle in a haystack is not pouring on more hay.

The only way to find something in, say, a database of every email ever sent is to target the search with something like "Give me the email trail of every male Muslim between the ages of 18-35 who has visited Yemen in the past year that has the word 'bomb' in it." Well, naturally that says more about the prejudices of our society than the criminality of any individual.

Of course we could come up with other examples, but the point is there is no database query for "Point me to everything that looks suspicious" or "Get me the bad guys." For instance, stop-and-frisk in NY looks for "furtive movements" amongst people on the street -- the result is that minorities get harassed by the police.

We need to, as a society, get back to targeted police work and drop this Panopticon shit. Both for moral and procedural reasons.

P.S. Can we stop using the phrase "Bad guys"? Please? It creates an assumption of guilt that is often unwarranted. For instance when the FBI is going around entrapping vulnerable populations because of their idea of who is a "terrorist," as they so often do these days. Who is the "bad guy" then?
posted by Noisy Pink Bubbles at 6:21 AM on September 4, 2012 [22 favorites]


Well, if true, it's more than annoying, because it's hard (for me) to think of legitimate reasons for the FBI to have data on 1 million users. I actually want the FBI to be chasing around catching bad guys, but I don't buy that there are 1 million bad guys the FBI is specifically interested in who all happen to use Apple phones.

How else do you expect them to catch copyright violators?
posted by cjorgensen at 6:24 AM on September 4, 2012 [2 favorites]


wenestvedt, considering his eloquence on all things samsung and android, I expected more ;)

and while we're talking about the grapevine, I'm hearing from multiple sources it ain't. But it's antisec and anon so it could very well be.
posted by xcasex at 6:24 AM on September 4, 2012


Sooo....if your device is on the list, what does that mean?

It means that Bad People could write a tool that uses your UUID to hit various web services or apps and collect any data about you that the service/app holds. The Bad Guy could then correlate all that personal data into a more-detailed dossier than any one of the services currently holds. And if one of the records had a CC# for in-game purchases, say, that could be used directly or resold to an Internet Scumbag for twenty bucks.

(As I understand it, anyway.)
posted by wenestvedt at 6:24 AM on September 4, 2012 [2 favorites]


wenestvedt, considering his eloquence on all things samsung and android, I expected more ;)

Well, I cannot disagree with you there! At least he's not trying to spin it.
posted by wenestvedt at 6:25 AM on September 4, 2012


You know, maybe I'm not too old and too fat to begin again as a mountain man…
posted by ob1quixote at 6:30 AM on September 4, 2012 [5 favorites]


From that Hacker News thread:

I have found my own UDID - I can confirm these are real UDID's - and now I want to know why an FBI agent had my (a brit) UDID on their laptop.
posted by unSane at 6:37 AM on September 4, 2012 [5 favorites]


P.S. Can we stop using the phrase "Bad guys"? Please? It creates an assumption of guilt that is often unwarranted. For instance when the FBI is going around entrapping vulnerable populations because of their idea of who is a "terrorist," as they so often do these days.

My pet hate is LEO use of the word "perp". Every time, and I mean *every* time that is used my first thought is "not until convicted in a court of law, but thanks for marking yourself out as an asshole".
posted by jaduncan at 6:38 AM on September 4, 2012 [1 favorite]


I have found my own UDID - I can confirm these are real UDID's - and now I want to know why an FBI agent had my (a brit) UDID on their laptop.

We'd be wanting more than one result here though. Aside from the fact it's a million spins of the roulette wheel (albeit on a 40 char code, so the chances would be *very* low), the chances of hitting a random attention seeker willing to say random stuff on the internet are quite a lot higher.
posted by jaduncan at 6:42 AM on September 4, 2012


Given how potentially sensitive UUID numbers are, how concerned should I be about using that tool to see if I'm affected -- ie. typing my UUID into a form on some Web site? Even if I trust thenextweb, could anyone see my entry before or after the fact?
posted by PlusDistance at 6:42 AM on September 4, 2012 [3 favorites]


Naturally, all the usual curmudgeons, Gruber et al are more or less quiet concerning this.

Um, Gruber had the link to this story on his site long before this FPP appeared.
posted by Thorzdad at 6:43 AM on September 4, 2012 [1 favorite]


FBI Regional Cyber Action Team

It's reading tea leaves, but the filename is: NCFTA_iOS_devices_intel.csv. The NCFTA is the FBI's national taskforce for electronic crime, and it has a Canadian branch too. As this looks like a db export, I'd suspect that it is not only US-national but contains Canadian data too. That would be interesting to confirm, if true. Any Canadian mefites with an iPhone care to check?
posted by bonehead at 6:45 AM on September 4, 2012 [1 favorite]


The FBI has a database with info on millions of iDevices because the FBI requested it and Apple (and probably every other wireless company) gave it to them.

Unless I missed something in the article it was not Apple (which is not in the wireless business, at least yet) that gave up all this info, but the carriers: ATT, Verizon, Sprint, etc.
posted by TedW at 6:47 AM on September 4, 2012 [2 favorites]


Heh. The FBI must be very unhappy then. Very unhappy indeed.

If/when all 12 mil are released, you'd be able to tell if your Apple device was suspected or not on a certain date.
posted by jaduncan at 6:48 AM on September 4, 2012


OP here: I actually saw the story simultaneously on Waxy, Slashdot and DF on my RSS feed.
posted by unSane at 6:48 AM on September 4, 2012


I'm at work, and therefore prohibited from downloading files full of consumer data to my work machine, but the checker at TheNextWeb says my iPad's UDID is in there, so I don't think these are random UDIDs.

I'll pull the file at home later to check on our other iDevices.
posted by SubterraneanRedStateBlues at 6:52 AM on September 4, 2012 [1 favorite]


Given how potentially sensitive UUID numbers are, how concerned should I be about using that tool to see if I'm affected -- ie. typing my UUID into a form on some Web site?

It's not your server, not many ways to know. You'd be typing in the password to really quite a lot of stuff. But, you know, you could.

If it actually has been compromised I'd like to think you'd be getting email from Apple.

Although gah, I just realised that if emails are exposed there are going to be an awful lot of emails saying "your details have been exposed. Your data has been reset to protect you. Click here to update your Apple Security Protection details."
posted by jaduncan at 6:54 AM on September 4, 2012 [3 favorites]


Unless I missed something in the article it was not Apple (which is not in the wireless business, at least yet) that gave up all this info, but the carriers: ATT, Verizon, Sprint, etc.

You're right - totally my bad at being lazy with terminology. This makes claims that we should be pissed at Apple even more confusing, considering that we know for a fact that many, many companies collect this information off our cell phones, track it, and store it. From the wireless carriers to app writers.

I suppose we could get pissed at Apple if they don't prevent app writers from collecting this information?
posted by muddgirl at 6:56 AM on September 4, 2012


Protip: if you're actually worried just download the source file and check for yourself.
posted by jaduncan at 6:57 AM on September 4, 2012 [1 favorite]
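Added example, not from the thread or from any of the checker sites mentioned in it: the local check jaduncan is recommending, written so that the UDID never leaves your machine and the million-line file is streamed rather than loaded whole. The sample rows are constructed for this example, and the column order (UDID, push token, device name, device type) is an assumption drawn from the fields the thread lists, not a copy of the real dump.

```python
import csv
import re
import sys
from typing import Iterable, Iterator, Optional, Tuple

# A UDID is 40 lowercase hex characters (160 bits); anything else is rejected up front.
UDID_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample rows in the column order the thread mentions for the leak
# (UDID, push notification token, device name, device type). Every value here is
# invented for this example, and the column order is an assumption about the
# dump's layout, not a copy of the real file.
SAMPLE_DUMP = """\
00112233445566778899aabbccddeeff00112233,a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2,Alice's iPhone,iPhone
ffeeddccbbaa99887766554433221100ffeeddcc,,Office iPad,iPad
this is not a udid,,garbage row,unknown
"""


def is_udid(raw: str) -> bool:
    """True if the pasted value, after trimming and lowercasing, is exactly 40 hex digits."""
    return UDID_RE.fullmatch(raw.strip().lower()) is not None


def normalize_udid(raw: str) -> str:
    """Canonical lowercase form of a UDID; refuses to proceed on anything that is not one."""
    if not is_udid(raw):
        raise ValueError("not a 40-hex-digit UDID: %r" % raw)
    return raw.strip().lower()


def parse_rows(lines: Iterable[str]) -> Iterator[Tuple[str, dict]]:
    """Yield (udid, record) for each well-formed row, skipping rows whose first field is not a UDID."""
    for row in csv.reader(lines):
        if not row or not is_udid(row[0]):
            continue
        # Pad short rows so every record has the same four keys.
        fields = [f.strip() for f in row] + [""] * (4 - len(row))
        udid = fields[0].lower()
        yield udid, {
            "udid": udid,
            "push_token": fields[1],
            "device_name": fields[2],
            "device_type": fields[3],
        }


def lookup(raw_udid: str, lines: Iterable[str]) -> Optional[dict]:
    """Stream through the dump once and return the matching record, or None.

    Nothing is sent anywhere and the file is never held in memory as a whole.
    """
    target = normalize_udid(raw_udid)
    for udid, record in parse_rows(lines):
        if udid == target:
            return record
    return None


def count_rows(lines: Iterable[str]) -> int:
    """How many rows carry a syntactically valid UDID (a sanity check on a downloaded dump)."""
    return sum(1 for _ in parse_rows(lines))


if __name__ == "__main__":
    # usage: python check_udid.py <dump.csv> <your-udid>
    path, udid = sys.argv[1], sys.argv[2]
    with open(path, newline="", encoding="utf-8", errors="replace") as dump:
        hit = lookup(udid, dump)
    print("listed: %s" % hit if hit else "not in this dump")
```

The UDID is compared only after it has been lowercased and checked against the 40-hex-digit shape, so a pasted serial number or a value with stray whitespace is rejected rather than silently reported as "not listed".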


thorzdad, well. not to be that guy but, you don't quite understand the meaning of "more or less". mentioning it in passing, when devoting paragraphs to gloat at Apple competitors is ingenious.

I just expect more, such as mentioning the hazards of your UDID being leaked, what could happen to your social networks, gaming accts etc etc etc. hell, there's even more than a simple proof of concept in the wild for what you can do with $JoeUser's iDevice UDID.

Also, my iphone is in there, I'm Swedish, residing in Sweden and I haven't been to the states since '04 (at which time I had a nokia candybar) which is why i'm very, very, unamused.
posted by xcasex at 6:59 AM on September 4, 2012 [4 favorites]


With this and Trapwire, is the US just tracking its citizens indiscriminately? It sounds like some dystopian future.
posted by Jehan at 7:01 AM on September 4, 2012 [1 favorite]


It means that Bad People could write a tool that uses your UUID to hit various web services or apps and collect any data about you that the service/app holds. The Bad Guy could then correlate all that personal data into a more-detailed dossier than any one of the services currently holds. And if one of the records had a CC# for in-game purchases, say, that could be used directly or resold to an Internet Scumbag for twenty bucks.

So if your device is on the list, you're utterly defenseless, correct? You have no recourse to prevent what you describe above from happening, unless you never connect the machine to a network?

Adama was right!
posted by Brandon Blatcher at 7:01 AM on September 4, 2012 [1 favorite]


P.S. Can we stop using the phrase "Bad guys"? Please? It creates an assumption of guilt that is often unwarranted.

What? No it doesn't. The phrase refers to people who have done bad things. Those are the people I want the FBI to catch. I don't want the FBI to catch suspects, and of course I deplore the tendency to see groups as being bad guys who have not actually done anything. How else would you like to refer to people who have done bad things?
posted by OmieWise at 7:01 AM on September 4, 2012


Also, my iphone is in there, I'm Swedish, residing in Sweden and I haven't been to the states since '04 (at which time I had a nokia candybar) which is why i'm very, very, unamused.

Well, you're probably a Bad Guy in some way, of course you're unamused. Otherwise this would look like a pointless list of chaff rather than wheat, and that's a threatening viewpoint. Hamburger.
posted by jaduncan at 7:03 AM on September 4, 2012


djeeees *twirls moustache-io* me and my brave minions shall overturn die erde and make way for our lord supreme, SUPAFLY RICK JAMES!

no you nitwit, the only bad thing i've ever done is stick around on mefi :p
posted by xcasex at 7:06 AM on September 4, 2012 [1 favorite]


And remember, folks, when thinking about these things, you need to remember the #1 central truth of an adversarial justice system, that a prosecutor is a paid professional at misconstruing facts. And the more facts they have to work with, the more easily they'll find something that looks incriminating. It doesn't have to BE incriminating, it just has to LOOK incriminating.
If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.

Cardinal Richelieu
posted by Malor at 7:06 AM on September 4, 2012 [18 favorites]


If nothing else this whole discussion proves how a hacker group seeking attention can effectively whip up a frenzy with minimal evidence.

It is possible that AntiSec's claims about the nature and origin of the data dump are all true. It is also possible that their claims are false, or partially true and partially false. The swiftness with which commenters accept their claims is just as if not more disturbing than the implications of their claims being all true.

I have no idea what is true in this case. I do know that hacker groups do publish bad leaks designed to taunt or expose law enforcement agencies. These leaks often contain plausible looking information which is actually false, or outdated, or a mix or true and false data, or data obtained from a source other than claimed. It is the height of naivete to take anonymous boasts from a hacker group at their word. Believe it or not, these folks are not Robin Hoods. They have their own motives and -- shocking, I know -- they are hardly pure.
posted by thebordella at 7:06 AM on September 4, 2012 [3 favorites]


you'd be able to tell if your Apple device was suspected or not on a certain date.

I'm not so sure how good of a suspicion detector this could possibly be. Given that they have 12,000,000 records, rounding up the usual suspects equals the entire city of New York plus a chunk of New Jersey. Since only a portion of those people are going to be using Apple products, though, it's a much wider dragnet than that. Just assuming it's one person in four, we're talking about something on the order of the entire population of the eastern seaboard from D.C. to Boston.
posted by Kid Charlemagne at 7:07 AM on September 4, 2012


I mean, "bad guys" isn't another way of saying "suspect.". That's another word and means something else. I want the FBI to be thinking about and catching bad guys. I have no idea why that would be controversial, unless one simply does not believe in policing.
posted by OmieWise at 7:07 AM on September 4, 2012 [2 favorites]


I for one am glad to know that the FBI is tracking the great Swedish menace. Tonight I will sleep soundly.
posted by dogbusonline at 7:08 AM on September 4, 2012 [3 favorites]


xcasex, being Swedish, you might not realize that this release comes early in the US East Coast morning on the day after a 3-day weekend (earlier still on the US West Coast, where much of the tech press lives). I'm sure there will be thousands of words of commentary in the next 8-10 hours, but Gruber's relative silence at this point likely just means he was asleep.
posted by SubterraneanRedStateBlues at 7:09 AM on September 4, 2012


dogbus, there shan’t be no more Swedish Bikini Team for you! there I go internalizing misogyny again...
posted by xcasex at 7:10 AM on September 4, 2012 [1 favorite]


If nothing else this whole discussion proves how a hacker group seeking attention can effectively whip up a frenzy with minimal evidence.

It is possible that AntiSec's claims about the nature and origin of the data dump are all true. It is also possible that their claims are false, or partially true and partially false. The swiftness with which commenters accept their claims is just as if not more disturbing than the implications of their claims being all true.

I have no idea what is true in this case. I do know that hacker groups do publish bad leaks designed to taunt or expose law enforcement agencies. These leaks often contain plausible looking information which is actually false, or outdated, or a mix or true and false data, or data obtained from a source other than claimed. It is the height of naivete to take anonymous boasts from a hacker group at their word. Believe it or not, these folks are not Robin Hoods. They have their own motives and -- shocking, I know -- they are hardly pure.


Oh, I'm not even going to bother going through and changing AntiSec to FBI and vice versa. I'm just going to say that Anon tends to deliver a lot more than the FBI/DEA/CIA do on big claims.
posted by jaduncan at 7:10 AM on September 4, 2012 [5 favorites]


It is possible that AntiSec's claims about the nature and origin of the data dump are all true. It is also possible that their claims are false, or partially true and partially false.

Yeah, I was going to ask xcasex if his phone number/address were connected to the correct UDID, but I just realized that only UDIDs were released, right? On one hand, that's a good thing for privacy. On the other hand, that plus 'spotty metadata' starts to ping my skeptic-meter. Spotty metadata is a convenient excuse for responding to people who contact them and say "I found my UDID, is my address attached?" if the UDIDs were collected in a different way than advertised, or even if they were independently generated (the way I could generate valid credit card numbers, claim I hacked into Amazon, and claim hits when they happen to match someone's credit card).
posted by muddgirl at 7:10 AM on September 4, 2012


SRSB, or that he's just as biased as ever, take your pick ;)
posted by xcasex at 7:11 AM on September 4, 2012 [1 favorite]


From HN also:
I run Cydia, and have determined only 16.7% of the UDIDs in that file are from jailbroken devices: I thereby do not believe that whatever managed to get this data is anywhere in our ecosystem.
So, it's definitely real. This is so similar to the Bradley Manning situation, except I guess in this case finding a single honest FBI agent willing to release this themselves was too much to ask. Who knows, maybe that has something to do with the fact we've been torturing Manning for years

Personal information on 12 million people, in a CSV file on some random FBI agent's laptop. What the FUCK. This isn't even a competent surveillance state. The danger posed by simply shining the tiniest bit of light on our government's actions makes it clear that we are their enemy

I went to the New York Times to see if they had this story. Instead I got served an ad and then a headline, "Without Spirit of ’08, Mutual Fears Reunite Democrats"

This needs to end
posted by crayz at 7:11 AM on September 4, 2012 [7 favorites]


I am not an expert on Apple security, but the issue surrounding the UDID data seems confusing. My understanding is that iOS developers accumulate UDID data from their app users. There is some speculation that the data dumped by AntiSec may originate from one or more iOS apps. This data may have, for some reason, wound up in the hands of the FBI when AntiSec lifted it (*if that ever happened at all, despite their claims).

But how can UDID data be so incredibly valuable and secure if every iOS app collects that data from its users? This would mean that Apple end user security is ultimately being protected -- or not -- by individual iOS developers, whose security practices will surely range widely.
posted by thebordella at 7:12 AM on September 4, 2012 [6 favorites]


the way I could generate valid credit card numbers, claim I hacked into Amazon, and claim hits when they happen to match someone's credit card

With only a million spins of the roulette wheel on a 40 character password involving letters and numbers? You'd be lucky to get one right out of all that. Very lucky indeed.
posted by jaduncan at 7:13 AM on September 4, 2012


dogbus, there shan’t be no more Swedish Bikini Team for you! there I go internalizing misogyny again...
Just take a picture of the Swedish Bikini Team on your smart phone... The FBI will make sure it is well distributed amongst freedom loving Americans.
posted by dogbusonline at 7:15 AM on September 4, 2012


I'm just going to say that Anon tends to deliver a lot more than the FBI/DEA/CIA do on big claims.

Except Anon doesn't have a spokesman. Anon is a scale of trustworthiness from "not at all" to "completely" depending on who Anon is today.

(Note that whether or not this particular Antisec claim is true or a hoax doesn't change the ridiculously disturbing fact that cell phone info and communications are protected at a much lower level than landline or even, as I understand it, computer data.)

With only a million spins of the roulette wheel on a 40 character password involving letters and numbers? You'd be lucky to get one right out of all that. Very lucky indeed.

Credit card numbers, for example, are not generated by picking a random string of numbers. Your credit card number has to hash to the correct value, and that value is different depending on whether it's a Visa, Mastercard, etc. Knowing the hash, you can work backwards to a much, much smaller set of valid credit card numbers (which is why, generally, a credit card number alone is no longer enough information to make a purchase). I would be very surprised if Apple UDIDs were truly a random 40 character password, but I suppose it's possible.
posted by muddgirl at 7:17 AM on September 4, 2012


(I might be mis-remembering credit card number hashing - maybe it's that the first 4 digits can be generated based on the card issuer, and if you hash the first N-1 digits they have to match the Nth digit).
posted by muddgirl at 7:19 AM on September 4, 2012


Now I don't claim to know of FBI procedure, but I have a hard time seeing a case involving 12 million iDevices.

Oh noes! The fanboy underground has been infiltrated.
posted by chillmost at 7:19 AM on September 4, 2012


thebordella, Apple deprecated the UDID about a year ago.

From an article at The Unofficial Apple Weblog in August 2011:
From the beginning, Apple has always uniquely identified its devices via UDIDs or other means, and the iPhone is no exception. There is a class called "UIDevice" which describes the things on the iPhone, i.e., the features unique to that device. Until today, developers could have access to users' UDIDs, and they've used them as identifiers for a lot of gaming, user info persistence and subscription systems (including some of our favorite apps). The downside of UDIDs in the past is because they're related to devices and not accounts, sometimes it's hard to have the device identifiers talk to each other. Some developers have grabbed or scraped these without user permission for marketing and other less than reputable purposes -- hence the privacy concern behind broadcasting UDIDs to third-party developers.
posted by SubterraneanRedStateBlues at 7:20 AM on September 4, 2012 [2 favorites]


Expecting major American media outlets (cf NYT) to have something up on this or any other potentially serious technology hack early in the morning is probably dreaming. Their technology people are still scrambling to figure out what's going on and how they can distill it to the bite-sized attention span of their readers/viewers. In their worldview, like it or not, a potential phone hack is not that important.

(Me, I'm here reading and posting, so I care.)
posted by immlass at 7:24 AM on September 4, 2012


I would be very surprised if Apple UDIDs were truly a random 40 character password, but I suppose it's possible.

I'd hope so. Check digits and card issuer/type bits of a CC number are for fat fingers and really old computers at the point of design. Surely one would expect that without the need for that legacy stuff the UDID is just a unique ID for an Apple DB call?
posted by jaduncan at 7:27 AM on September 4, 2012 [1 favorite]


So if you have my UUID, what can you do with it? What does it reveal about me?
posted by modernnomad at 7:29 AM on September 4, 2012


Except Anon doesn't have a spokesman. Anon is a scale of trustworthiness from "not at all" to "completely" depending on who Anon is today.

Yeah, and they still deliver more on average even with that institutional disadvantage and vulnerability to false flags. Or, you know, it could be that bath salts will be killing our children again and the FBI will only use National Security Letters for terrorism cases.

Also, I have to think that Apple PR are having a really very bad day today. If this didn't appear to be real data you'd have to think that they'd be shouting that fact from the rooftops.

They can, after all, check all the UDID things.
posted by jaduncan at 7:34 AM on September 4, 2012


maybe it's that the first 4 digits can be generated based on the card issuer

The first 6 digits of a credit/debit card identify the issuer, though if you're talking about big banks they'll have multiple BINs.
posted by kmz at 7:35 AM on September 4, 2012
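The argument above (check digits make a card number cheap to validate or complete, while a 40-hex-character identifier has no such structure) worked through in code. This is an added example, not any commenter's code; the card scheme it implements is the standard Luhn check digit, and the sample digit strings are constructed, not real card numbers.

```python
"""Luhn check-digit arithmetic, to show why a structured number space is easy
to enumerate: for any fixed prefix exactly one suffix in ten passes the check.
Added example; the digit strings below are constructed test data."""


def luhn_checksum(digits: str) -> int:
    """Luhn sum mod 10 of a decimal digit string. The rightmost digit has
    weight 1; every second digit leftwards is doubled, and a doubled value
    above 9 has 9 subtracted (equivalent to summing its two digits)."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10


def luhn_valid(number: str) -> bool:
    """True when the number (digits, spaces allowed) passes the Luhn check."""
    n = number.replace(" ", "")
    return n.isdigit() and len(n) >= 2 and luhn_checksum(n) == 0


def luhn_check_digit(payload: str) -> str:
    """The single digit that completes payload so it passes Luhn: the
    'first N-1 digits determine the Nth' property recalled in the thread."""
    if not payload.isdigit():
        raise ValueError("payload must be decimal digits")
    return str((10 - luhn_checksum(payload + "0")) % 10)


def issuer_prefix(number: str) -> str:
    """The BIN/IIN: the first six digits identify the issuer."""
    n = number.replace(" ", "")
    return n[:6]


def fraction_passing(prefix: str, free_digits: int) -> float:
    """Exact share of all numbers with this prefix and free_digits trailing
    digits that pass Luhn, found by enumeration rather than sampling.
    Because the last digit is fixed by the others the answer is always 1/10:
    a check digit catches typos, it does not add secrecy."""
    total = 10 ** free_digits
    passing = sum(
        1 for k in range(total)
        if luhn_checksum(prefix + str(k).zfill(free_digits)) == 0
    )
    return passing / total


if __name__ == "__main__":
    # Constructed example: the well-known Luhn test string 79927398713.
    print(luhn_valid("79927398713"))           # True
    print(luhn_check_digit("7992739871"))      # '3'
    print(fraction_passing("799273", 4))       # 0.1
```

By contrast, a UDID presented as 40 hex digits has 16**40 possible values and, absent some hidden structure, no check relation that would let a guess be validated offline.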


I suppose we should find that the FBI a) has this data, b) got this data from the carriers and c) thought nothing of having it on an agent's laptop (rather than somewhere more secure) to be shocking, but we (the US in general, not MeFi in particular) seem to be anything but shocked. Are we so used to being spied upon that this just seems like business as usual?

The terrorists really have won.
posted by tommasz at 7:37 AM on September 4, 2012


If this didn't appear to be real data you'd have to think that they'd be shouting that fact from the rooftops.

It's about 10:30 am on the East Coast of the US, 7:30 in Cupertino. I don't expect the head of the Apple PR department has even had his first cup of coffee yet.

Again, I am not making any definitive claims either way. It seems most likely to me that these were really hacked from an FBI computer (if they weren't, the FBI will be making a strong and forceful denial sometime today), but nothing I've seen so far rules out the other options, including the possibility that they were hacked from some other source. Independently generating them seems much less likely but has not been ruled out.

seem to be anything but shocked. Are we so used to being spied upon that this just seems like business as usual?

No, I'm not shocked. That doesn't mean I think it's okey-dokey.
posted by muddgirl at 7:39 AM on September 4, 2012


In the Olympic event of Jumping to Conclusions, Metafilter wins the gold!
posted by thebordella at 7:42 AM on September 4, 2012 [3 favorites]


SRSB, the UDID API is deprecated; it is, however, scheduled for removal in iOS 6, which means every single solitary release until then will feature it.
posted by xcasex at 7:46 AM on September 4, 2012


Holy shit... this means FBI field agents know how to use CSV files.
posted by benzenedream at 7:47 AM on September 4, 2012 [9 favorites]


I found an interesting survey (from May 2011) of UDID leakage that notes "Three big aggregators of UDID-related data dominate: Apple, Flurry, and OpenFeint. Each one of these companies has the vast majority of UDIDs on file, linked to a rich set of privacy-sensitive information. OpenFeint's ubiquity is one of the reasons why UDID de-anonymization using their API is so serious."

The same source posted on UDID de-anonymization, also in May 2011. Notable section:
The saving grace is that your device UDID is not linked to your real-world identity. If it were possible to de-anonymize UDIDs, the result would be a serious privacy breach. Apple is well aware of this, and explicitly tells developers that they are not permitted to publicly link a UDID to a user account.

I recently published a tool called mitmproxy, a man-in-the-middle proxy that allows one to intercept and monitor SSL-encrypted HTTP traffic. Using mitmproxy to view the encrypted traffic sent by my own iOS devices, I was able to observe protocols and data flows that have clearly received very little external review. A slew of interesting security results followed (keep an eye on this blog), but by far the most alarming was the fact that it was possible to use OpenFeint to completely de-anonymize a large proportion of UDIDs.
My recollection is that such concerns led to Apple's deprecation of the UDID, and a policy that apps that used it would be rejected from the App Store, as they've been doing since March 2012.
posted by SubterraneanRedStateBlues at 7:50 AM on September 4, 2012 [3 favorites]


Does anyone think it's likely that AntiSec is going to post any evidence supporting their claim that they retrieved this information from the FBI? I wouldn't be surprised if the FBI has this information somewhere, but nothing from this story gives me a good reason to believe AntiSec obtained it.

A huge reason that I don't buy this story at face value is that it seems unlikely that the FBI would have "spotty metadata" if they retrieved it from either the carriers or Apple. It seems more likely that this is a dump of some advertiser or marketer's stash of personal information.

It would be easy enough for AntiSec to demonstrate the provenance of their leak: If AntiSec owned FBI d00dz laptop, they should have a cache of information (emails, random word documents, etc) that may be less scandalous than a list of Apple UUID but would corroborate the source as being an FBI employee. Why haven't we seen any of that?

... and if you think that the file name indicates this is really from NCFTA, memail me and you will be amazed by something awesome I have to teach you about computers.
posted by elsp at 7:53 AM on September 4, 2012 [3 favorites]


Consider me in the "not at all surprised if this did happen" camp. I mean, remember when the warrantless wiretapping came to light and then nothing at all was done to hold the agency accountable for its unconstitutional actions and the law was changed to make it explicitly acceptable? The current administration is just as uninterested in protecting us from massive overbearing surveillance as the last.
posted by nTeleKy at 7:53 AM on September 4, 2012


it's hard (for me) to think of legitimate reasons for the FBI to have data on 1 million users

The reason is unfortunate: because it's easy. The systems built over the past few decades leave electronic "paper trails" a mile wide concerning their use. Both for diagnostic reasons, and the fact that it's very hard to engineer a computing system that isn't an automatic quasi-surveillance system. Add to this a giant blossoming of machine-learning analytics tools from the targeted advertising industry, and you have falling-down-easy surveillance capabilities within reach of anyone with an ounce of authority.

Law enforcement has been completely unable to resist the temptation of using it. Where "it" is the very general ability to listen/watch/track everything. It's just too easy. If there were some broad political consensus that surveillance was evil and unacceptable, you might be able to legally mandate the engineering effort required to avoid building it into everything. But the slightest potential for that consensus to emerge (if it ever existed; I doubt it) evaporated with 9/11.

We need to, as a society, get back to targeted police work and drop this Panopticon shit. Both for moral and procedural reasons.

The odds of this happening in the current technical landscape are exactly nil.

(I agree completely, but there's no way it's going to happen. No way.)
posted by ead at 7:54 AM on September 4, 2012 [2 favorites]


Marco Arment of Instapaper fame just wrote a post on the matter:
Update: The popular and free AllClear ID app, related to NCFTA, is a likely culprit, especially given the filename.
The inevitable official statements are going to be very interesting indeed...
posted by whittaker at 7:58 AM on September 4, 2012 [5 favorites]


> remember, folks, when thinking about these things, you need to remember the #1 central truth of an adversarial justice system, that a prosecutor is a paid professional at misconstruing facts. And the more facts they have to work with, the more easily they'll find something that looks incriminating.

This bugs me most when talking about industrial-scale surveillance. Setting up active surveillance or massive databases of otherwise innocuous information is a problem not because the people who own those databases will find something you have to hide, but because the information goes to entities whose purpose is to take that data and build the worst story they can out of it. An adversarial justice system is one thing; but to gather data from the general populace like some kind of information super-trawler? What sense does that make?

Even if AntiSec is entirely full of it this time around, that point stands.
posted by postcommunism at 8:00 AM on September 4, 2012


For those asking what UDIDs are and how they are used.

Mobile devices typically have several unique numbers associated with them: a serial number, IMEI, MAC address, etc. All mobile phones have these numbers, not just Apple devices, including Android devices. These numbers are unique to a device but also have special meaning. For example, with a mobile device serial number you might be able to look up the warranty records for the device and with the IMEI you could ask a network carrier for the current cell location of the device. Different mobile OS platforms place various different restrictions on the accessibility of these unique IDs. Apple's iOS provides access to the MAC address, but not the IMEI or serial number. Google's Android provides access to the MAC address and the IMEI (if you grant the app the appropriate permissions).

Developers want a way to distinguish devices from one another, and the mobile platforms oblige with unique IDs that are less sensitive than the previously mentioned IDs. Apple's UDIDs are unique numbers assigned by Apple to iOS devices, however, unlike the other unique numbers assigned to their mobile devices, they have no predetermined meaning or scope of use. The thing about UDIDs is they are not valuable in and of themselves. They have no meaning to Apple or the carriers. Android has a similar concept, called an ANDROID_ID, although, unlike UDIDs they change if you factory reset an Android device.

The value of knowing a UDID for a device comes from the iOS developers who have collected UDIDs in the course of their operations, the degree to which these databases are public, and the correlations you can make if these developers have lax security policies.
posted by RichardP at 8:01 AM on September 4, 2012 [5 favorites]


Aldo Cortesi, the security consultant I quoted above, has posted his response to the AntiSec leak.
As serious as these problems are, I'm afraid it's just the tip of the iceberg. Negotiating disclosure and trying to convince companies to fix their problems has taken literally months of my time, so I've stopped publishing on this issue for the moment. It's disheartening to say it, but some of the companies mentioned in my posts still have unfixed problems (they were all notified well in advance of any publication). I will also note ominously that I know of a number of similar vulnerabilities elsewhere in the IOS app ecosystem that I've just not had the time to pursue.

When speaking to people about this, I've often been asked "What's the worst that can happen?". My response was always that the worst case scenario would be if a large database of UDIDs leaked... and here we are.
"In advance of publication" above means before May or September of 2011, depending on the vulnerability for which he was providing a UDID-using network notification.

Also, I've never heard of the AllClear ID app, and can't imagine I would have run it, but my iPad's UDID is reportedly in the file.
posted by SubterraneanRedStateBlues at 8:04 AM on September 4, 2012


SubterraneanRedStateBlues: It's also possible that the list is collated from multiple incomplete sources. It'd explain why it's too high to be a list only of individuals who had warrants out and too low to be the vendor database in its entirety.
posted by whittaker at 8:15 AM on September 4, 2012


So here's a question: All Apple devices, not just iPhones/iPods/iPads, have UUIDs or UDIDs. How do we know that this list is only of iOS devices and not also of other Apple devices, like MacBooks, iMacs, Mac Pros, etc.? Is there something specific that distinguishes iOS UDIDs/UUIDs from Mac OS UDIDs/UUIDs?
posted by limeonaire at 8:22 AM on September 4, 2012


limeonaire, Apple devices running Mac OS X do not have UDIDs, they're a feature specific to iOS. However, an application on Mac OS X can retrieve the Mac's serial number or Ethernet MAC address.
posted by RichardP at 8:30 AM on September 4, 2012


I suppose we could get pissed at Apple if they don't prevent app writers from collecting this information?

Yeah. They really should lock down the hardware and make it impossible for developers to get access to this kind of information.

I mean, they should open the hardware to the cleansing light of open source, where this sort of thing wouldn't happen!

I mean, they should protect users from...

I mean.. Augh!
posted by verb at 8:40 AM on September 4, 2012 [1 favorite]


Better security and privacy is supposed to be one of the features of a walled garden, no? A walled garden with lax security/privacy checks would be the worst of both worlds.
posted by kmz at 9:08 AM on September 4, 2012 [4 favorites]


This really does show the problem with the 'just trust us' model of internet surveillance.

When the local copper has the keys to your house, even if you trust his honesty, you also have to trust him not to lose it, for his black sheep son not to copy it, to lock his doors at night so it can't be stolen, and so on. When, as here, every local copper has the key to every house in the neighbourhood, the complexity multiplies up until there is no possibility of security.

There is a potential solution, but it relies on cryptography and server-proof hosting.
posted by unSane at 9:15 AM on September 4, 2012


Better security and privacy is supposed to be one of the features of a walled garden, no? A walled garden with lax security/privacy checks would be the worst of both worlds.

You make the mistake of thinking that the walled garden was ever for your benefit.
posted by Malor at 9:23 AM on September 4, 2012 [2 favorites]


Does the FBI have warrants for these leaked device IDs and associated info? Doubt it.

As of August 14th, they no longer need them, at least for location tracking.

With this and Trapwire, is the US just tracking its citizens indiscriminately? It sounds like some dystopian future.

30+ year NSA technical director turned whistleblower Bill Binney says yes.
posted by ryanshepard at 9:26 AM on September 4, 2012 [2 favorites]


If you find yourself feeling nostalgic for Pravda, here's what the FBI has to say about the NCFTA.
posted by Kid Charlemagne at 9:27 AM on September 4, 2012


Which, of course, leads to the question of just why an individual FBI agent would have data on more than a million US citizens on his laptop?

Because fuck you, that's why.
posted by LordSludge at 9:33 AM on September 4, 2012 [4 favorites]


Maybe because the terminal computer only had Excel installed and he couldn't open a csv with 12 million entries.

I'm being absolutely straight-faced serious here.
posted by muddgirl at 9:35 AM on September 4, 2012 [5 favorites]


Remember when people were freaking out over Intel trying to add a UUID to every chip? Those were the days.

I go through a confidentiality and data security course every 6 damn months. It is like 4 fucking hours of answering questions about putting shit on portable devices. Guess what! People still email me confidential information and it ends up on my laptop.

I'm sure this is nothing compared to the "training" FBI cyber-dudes get.

I guess we can be thankful the FBI didn't just pop this sucker up on dropbox so they could all take a look.
posted by Ad hominem at 9:43 AM on September 4, 2012 [2 favorites]


I guess we can be thankful the FBI didn't just pop this sucker up on dropbox so they could all take a look.

... as far as we know, anyway.
posted by unSane at 9:48 AM on September 4, 2012


A few stories from the usual sources are starting to trickle out. Unlike some of the above commentators, I won't be holding my breath for NYT coverage...if anything, this story may get a passing reference ("Apple no longer uses UDIDs so we're all safe again and stop worrying about the government!") in some article about the New! Improved! iPhone! Coming! Soon!
posted by antonymous at 10:12 AM on September 4, 2012


That hacker news thread is a scream.

My favorite so far:

Looks like they've got Obama's iPad:

$ cat ./iphonelist.txt | grep -i obama
'473d6e1ebf0b100ed172ce5f69c97ba6c8f12ad5','766a23201c6089be11845bfef624dbaada68be52155079850951836e9373e5cd','hobamain','iPad'
'c63e008e6271c3ac128eb6a242a9817528b6baef','b996a080e11265a0c93436ba0b13b7c07ee4e8eef6faeb8516917b015d7355fb','Obama','iPad'

(David Brin has been saying let's just go all the way with this already for a long time. He hasn't posted anything about this yet nor has Schneier but I noticed Schneier is doing a Q&A on The Well this week.)
posted by bukvich at 10:21 AM on September 4, 2012 [1 favorite]


Adrian Chen:
I'm totally open to the possibility. I know I look pretty good in a tutu.

But how can I be sure Anonymous will hold up their part of the deal? Shadowy outlaw hacker groups are not known for their integrity. There was, for example, the time a prominent Anonymous hacker tried to trick me into writing a story falsely reporting he was working for the U.S. government to hack Chinese websites.

I'm currently trying to gain certain assurances. Stay tuned for tutu-age.
posted by homunculus at 10:29 AM on September 4, 2012 [2 favorites]


Expecting major American media outlets (cf NYT) to have something up on this or any other potentially serious technology hack early in the morning is...

You know, call me crazy, but shouldn't we be HAPPY that our major news organizations don't just rush to press? Shouldn't we want them to check out the veracity of all the angles on a story before they just reprint a post from a hacker group? Or is it all about now now now me me me.

Also: is there anyone out there who hasn't found their UDID on this list? Everyone seems to be on it so far.
posted by fungible at 11:16 AM on September 4, 2012 [1 favorite]


This release should give zero comfort to Android (or Windows Phone, or Blackberry) users that they're safe because they're not iDrones, although I fear the primary storyline that's developing is "Apple users pwned." Flurry, OpenFeint, the various mob* ad networks, and of course Google all exist on other platforms, and all profit to a greater or lesser extent from personal data aggregation.

Here's a paper from the 2012 Mobile Security Technologies Conference in May on 'Investigating User Privacy in Android Ad Libraries'. From the conclusion:
Almost all of the libraries have functionality that allows for sensitive user data to be sent to the ad provider, although we consider the cases where the library automatically extracts and sends information when permissions are available to pose the greatest privacy threats. Additionally, we observed a number of ad libraries that check for and leverage permissions beyond what is specified in their documentation. Although no single ad provider may provide a complete private user profile, we identified that the UDID field present in nearly all in-app ad requests allows someone observing the network to correlate user information between different ad providers. Because the UDID fields are populated by persistent values, this allows the observer to build a long-term user profile including GPS locations and targeting information.
The preponderance of free apps on Android, in particular, suggests app developers need a revenue stream outside of user purchases, and the platform owes its existence to Google's desire to capitalize on mobile advertising.

I would be surprised to learn that there is no corresponding NCFTA_Android_devices_intel.csv.
posted by SubterraneanRedStateBlues at 11:17 AM on September 4, 2012 [1 favorite]


"They've targeted Adrian Chen because he's the prototypical pro-establishment Eichmann. Every article Adrian writes about WikiLeaks, Anonymous, the Occupy movement, or any other progressive institution of civil disobedience is dripping with disdain. I'd say Adrian should be thankful Anonymous only appears to be interested in humiliating him as opposed to launching a full-blown, scorched-Earth campaign against him."
So it's either grim agents of the security-surveillance state watching my every keystroke or hackers so intoxicated with their own leetness they'll wreck my life if I anger them. Lovely.
posted by octobersurprise at 11:18 AM on September 4, 2012 [4 favorites]


12 million Apple ID's. I wonder how many of those participated in or actively engaged digitally in #Occupy.
posted by Slackermagee at 11:33 AM on September 4, 2012 [1 favorite]


limeonaire, Apple devices running Mac OS X do not have UDIDs, they're a feature specific to iOS. However, an application on Mac OS X can retrieve the Mac's serial number or Ethernet MAC address.

Yes, but Apple devices running Mac OS X have UUIDs (easy to find in System Profiler), and the linked page with the TNW look-up tool talks about there being both UUIDs and UDIDs in this batch of information. So again: How do we know that this list is only of iOS devices and not also of other Apple devices, like MacBooks, iMacs, Mac Pros, etc.? Is there something specific about the numbers themselves that distinguishes iOS UDIDs from Mac OS UUIDs? And are there also definitely UUIDs in with this information, as suggested on TNW, or not?
posted by limeonaire at 11:38 AM on September 4, 2012


I wonder if one day, we will look back at Steve Jobs as a mysterious figure that made the Panopticon so damn appetizing. A man of great ideas that came at a great price.
posted by phaedon at 11:47 AM on September 4, 2012 [2 favorites]


@octobersurprise

and the delineation is permeable; one can easily become the other! ain't life grand!
posted by This, of course, alludes to you at 12:10 PM on September 4, 2012


also was there ever even a remote chance that the fucking internet wouldn't turn into a panopticon
posted by This, of course, alludes to you at 1:05 PM on September 4, 2012


limeonaire,

The leaked file has four columns: UDID, APNS token, device name, and device type (iPad, iPhone, iPod touch). I don't see any reason to think there are Macs in the full dump. I think there's just some confusion between UDID/UUID.
posted by polyhedron at 1:18 PM on September 4, 2012 [1 favorite]


Is there something specific about the numbers themselves that distinguishes iOS UDIDs from Mac OS UUIDs?

Mac OS X UUIDs (sometimes called a "Hardware UUID", but technically an "IOPlatformUUID") are 128-bit values almost always presented as 36 character strings consisting of 32 hexadecimal digits interspersed with 4 hyphens. iOS UDIDs are 160-bit values almost always presented as 40 character strings consisting of 40 hexadecimal digits.

And are there also definitely UUIDs in with this information, as suggested on TNW, or not?

All the values in the raw, decrypted, uncompressed "iphonelist.txt" file released by AntiSec are consistent with iOS UDID values, none are the size necessary to match Mac OS X UUIDs. Furthermore, the data dump identifies each device entry as an "iPhone", "iPad", or "iPod touch".
posted by RichardP at 1:18 PM on September 4, 2012 [2 favorites]
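The format distinctions RichardP describes (40-hex iOS UDID versus hyphenated 128-bit Mac OS X UUID) and the four-column quoted layout shown in the grep output upthread, turned into a small local checker. This is an added example, not any commenter's or AntiSec's tooling; the sample lines and every hex value in them are constructed and are not from the leaked file, and the 64-hex-digit shape assumed for the APNS token column is taken from the length of the second column in that grep output.

```python
"""Classify Apple device identifiers by shape and parse records in the
four-column single-quoted layout (UDID, APNS token, device name, device
type). Added example with constructed sample data."""
import csv
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Mac OS X "Hardware UUID" (IOPlatformUUID): 128 bits written as 32 hex digits
# in 8-4-4-4-12 groups, 36 characters including the four hyphens.
MACOS_UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE)
# iOS UDID: 160 bits written as 40 hex digits with no separators.
IOS_UDID_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
# APNS token column: assumed 64 hex digits, matching the column length seen upthread.
APNS_TOKEN_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
DEVICE_TYPES = {"iPhone", "iPad", "iPod touch"}


def classify_identifier(value: str) -> str:
    """Tell a 40-hex iOS UDID from a hyphenated Mac OS X UUID by shape alone."""
    v = value.strip()
    if IOS_UDID_RE.match(v):
        return "ios-udid"
    if MACOS_UUID_RE.match(v):
        return "macos-uuid"
    return "unknown"


@dataclass(frozen=True)
class DeviceRecord:
    udid: str
    apns_token: str
    device_name: str
    device_type: str


def parse_record(line: str) -> Optional[DeviceRecord]:
    """Parse one line of the four-column, single-quoted layout.

    Returns None for anything that does not match the documented shape, so
    padding, Mac UUIDs or truncated rows cannot slip through as iOS records.
    """
    try:
        fields = next(csv.reader([line.strip()], quotechar="'", skipinitialspace=True))
    except (csv.Error, StopIteration):
        return None
    if len(fields) != 4:
        return None
    udid, token, name, dtype = fields
    if not IOS_UDID_RE.match(udid) or not APNS_TOKEN_RE.match(token):
        return None
    if dtype not in DEVICE_TYPES:
        return None
    return DeviceRecord(udid.lower(), token.lower(), name, dtype)


def summarize(lines: Iterable[str]) -> Tuple[Dict[str, int], int]:
    """Count well-formed records per device type; the second value is the
    number of lines rejected by parse_record."""
    counts: Dict[str, int] = {t: 0 for t in sorted(DEVICE_TYPES)}
    rejected = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            rejected += 1
        else:
            counts[rec.device_type] += 1
    return counts, rejected


def udid_present(lines: Iterable[str], udid: str) -> bool:
    """Check one's own UDID against a local copy, so the identifier is never
    typed into a third-party lookup site."""
    target = udid.strip().lower()
    if not IOS_UDID_RE.match(target):
        raise ValueError("not a 40-hex-digit iOS UDID")
    for line in lines:
        rec = parse_record(line)
        if rec is not None and rec.udid == target:
            return True
    return False


# Constructed sample lines in the layout shown upthread; hex values are invented.
SAMPLE_LINES: List[str] = [
    "'0123456789abcdef0123456789abcdef01234567','" + "0123456789abcdef" * 4 + "','Test iPad','iPad'",
    "'89abcdef0123456789abcdef0123456789abcdef','" + "fedcba9876543210" * 4 + "','Work, phone','iPhone'",
    # A Mac hardware UUID in the first column is not an iOS record and must be rejected.
    "'12345678-1234-1234-1234-123456789abc','" + "0123456789abcdef" * 4 + "','MacBook','iPad'",
    # Only three columns: rejected as malformed.
    "'0123456789abcdef0123456789abcdef01234567','Test iPod','iPod touch'",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))   # ({'iPad': 1, 'iPhone': 1, 'iPod touch': 0}, 2)
```

Device names containing an apostrophe would depend on whatever escaping the dump uses for its single-quoted fields, which the thread does not document; such lines are reported as rejected rather than guessed at.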


Cool, thanks polyhedron and RichardP. I was just curious!
posted by limeonaire at 1:28 PM on September 4, 2012


also was there ever even a remote chance that the fucking internet wouldn't turn into a panopticon

It still isn't, if you take care.
posted by jaduncan at 2:23 PM on September 4, 2012


FBI says nuh-uh.
The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.
posted by unSane at 2:23 PM on September 4, 2012


The first iPod came out the same year 9/11 happened. I mean, it's kind of hilarious, right? Twelve years ago all we wanted to do was share music and listen to our ripped mp3's on a portable device. Now everyone talks about the benefits of walled gardens (is that Apple-speak for DRM?) meanwhile we're totally taking it up the ass from the government in unprecedented ways.
posted by phaedon at 2:28 PM on September 4, 2012 [2 favorites]


12 million Apple ID's. I wonder how many of those participated in or actively engaged digitally in #Occupy.

Just doing a little back of the envelope calculating (based on this) 12 million represents about 30% of the active iPhones out there. Given the number of people who buy the high end technical geegaw and never use more than a fraction of its capacity, I'd say a more likely common denominator is checking on Baseball scores or looking at the weather forecast. There is no way this is targeted beyond, "we've found that most crimes are committed by people."
posted by Kid Charlemagne at 2:35 PM on September 4, 2012 [1 favorite]


So is this actually confirmed yet? Because I didn't dare type my phone's UDID into that website (that I had never heard of before!), for fear that this was an elaborate ruse.
posted by Joh at 2:41 PM on September 4, 2012


So is this actually confirmed yet? Because I didn't dare type my phone's UDID into that website (that I had never heard of before!), for fear that this was an elaborate ruse.

Status at the moment: many people with access to UDID lists are clear they are actual UDIDs, but it's unclear if they actually came from the FBI (after the FBI's somewhat non-denial denial, although that's probably just CYA caution about absolute statements).
posted by jaduncan at 2:45 PM on September 4, 2012


Also: is there anyone out there who hasn't found their UDID on this list?

Mine isn't on the list.

So is this actually confirmed yet? Because I didn't dare type my phone's UDID into that website

There's a lot of people reporting that their UDID is in the leaked data, so it's been confirmed as much as anything can be confirmed by people on the internet. I downloaded a copy of the list; if you'd prefer to have a stranger on mefi look for your UDID, send it my way and I'll get back to you when I can.
posted by elsp at 2:59 PM on September 4, 2012


fungible: Also: is there anyone out there who hasn't found their UDID on this list? Everyone seems to be on it so far.

IANOTL.
(Oh, and: free bona-mefide UDID list checks here ;-!)

On preview: jinx, elsp.

posted by progosk at 3:08 PM on September 4, 2012 [1 favorite]


At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.

Wow, that's about as sleazy a non-denial as you're likely to see. Make it look like you're refuting the claims, without actually refuting them.
posted by Malor at 3:09 PM on September 4, 2012 [1 favorite]


Wow, that's about as sleazy a non-denial as you're likely to see. Make it look like you're refuting the claims, without actually refuting them.

It certainly doesn't make me feel bad about my working assumption that random Anons on pastebin are more likely to be telling the truth than FBI flacks.
posted by jaduncan at 3:24 PM on September 4, 2012 [3 favorites]


It certainly doesn't make me feel bad about my working assumption that random Anons on pastebin are more likely to be telling the truth than FBI flacks.

All I know is, if these "Anons" have now figured out a method for creating or renaming a file with any name they want then there is no telling what they could do next.
posted by thebordella at 3:28 PM on September 4, 2012


Expanding on what might be the spirit of jaduncan's comment. The following summary is pitched largely at web browsing and email. There are apparently qualified people who, concerned about privacy, advise against owning a mobile phone at all. (SMS should probably never be used.)

Regardless of the facts of this particular case, it's increasingly clear that it is in the interest of the average person to think about risks to their privacy online and to be proactive about mitigating them. Fortunately, there are concrete things one can do, which are summarized nicely by the Electronic Frontier Foundation here. Depending on what one considers the dangers to be, or what types of privacy one wishes to protect, using Tor might be a good idea. A VPN is another possibility. riseup.net explains some surveillance issues, and runs a free VPN (please donate if you use it and have the means). There are also browser extensions that work by themselves, or in conjunction with the Tor Browser, to limit some kinds of tracking and other corporate surveillance. (Privacy isn't even the best reason to avoid using shit like facebook, but that's a derail.)

Email can also be encrypted. Public-key cryptography, otherwise ubiquitous on the intertubes, is surprisingly little-used: if you send a non-encrypted email, it should probably be assumed that you have no control over who reads it. Fortunately, email encryption has become very easy.

I suspect running a minority operating system (i.e. GNU/Linux) is probably to one's advantage. In an era where peaceful activist organizations have been officially described as "terrorist", communication associated with activity where it would likely occur to the participants that "man, I am using my free speech rights right now" might best be done while running TAILS or similar from a USB on a public computer. There are numerous other good methods of maintaining privacy and anonymity of communication, even for instant messaging and voice calls.

In general, the more people taking these measures, whether or not they feel they are likely targets of surveillance (and we are all targets of various kinds of corporate surveillance), the better. It's not hard, and it's kind of interesting. I very often use the Tor Browser, simply because my choice of, like, random recreational Wikipedia articles is between me and my god. The same sentiment holds doubly for, like, bad puns emailed to my girlfriend. Moreover, this type of self-protection should be normalized, and even the fact that the presence of large amounts of personal information, not all relevant to a particular investigation, on an LEO computer with no public oversight, seems plausible (whatever the actual details of the story) is a good reason to think about issues of this type.

Maybe one of the NSA folks reading this will be inspired to pony up a fiver and elaborate.

posted by kengraham at 3:37 PM on September 4, 2012 [6 favorites]


All I know is, if these "Anons" have now figured out a method for creating or renaming a file with any name they want then there is no telling what they could do next.

They truly are Hackers on Steroids. I heard one of them even made a file disappear. Just disappear!
posted by jaduncan at 3:37 PM on September 4, 2012 [1 favorite]


no more interviews to anyone till Adrian Chen get featured in the front page of Gawker a whole day, with a huge picture of him dressing a ballet tutu and shoe on the head

Gawker has published said picture.
posted by toxic at 3:44 PM on September 4, 2012


"I do understand your position, i'd like a word before stunting like that, too xD," one of his colleagues said. "On the bright side, I've worked with him for long time now and the man does live up to his word."
Now that's journalism!

On the bright side Chen seems like a good sport.
posted by muddgirl at 3:48 PM on September 4, 2012


Yeah, I pretty much do mean pervasive encryption and Tor (although Freenet is still good for some things). Liberte Linux is not too bad if you just want plug and play reasonable security on someone else's box.

I'd point out that Linux isn't exactly security by either obscurity or magic. NSA produces a secure distro, and given that the vast majority of secure servers run on Linux I'm sure that NSA have a large set of zero-day attack vectors if they are interested enough. It's very unlikely that anyone here would rate that though, given that if the cops actually care they are more likely just to plant some crack on you or something.

NSA do a whole bunch of stuff in their distro that very few other distros do, and even that doesn't stop hardware level flaws and backdoors. It's almost like they have almost infinite budgets for elint and sigint or something.

I used to do post-nuclear strike signals, and the hardware we had for comms and IT didn't look like civilian stuff at all. We were under no illusions that that hardware couldn't be cracked, either.
posted by jaduncan at 3:49 PM on September 4, 2012


I'd point out that Linux isn't exactly security by either obscurity or magic.

Of course you are right. I think a big part of most folks' threat model, in terms of protecting personal information, is (at the moment) less government surveillance than organized crime stealing credit card information and such, so by that suggestion I really just mean "minimize the risk of random malware", and I can't speak from experience about OSes other than Windows and a couple of different GNU/Linux distros.

Also, I have the feeling that using non-free software exposes one to various risks. For example, no third party has, as far as I know, publicly evaluated the security features of Skype, because it's proprietary. I would assume that Windows disk encryption features and such, being closed-source, have all sorts of backdoors.

Thanks for the Liberte Linux link!
posted by kengraham at 4:08 PM on September 4, 2012


I used to do post-nuclear strike signals, and the hardware we had for comms and IT didn't look like civilian stuff at all. We were under no illusions that that hardware couldn't be cracked, either.

I probably know way less about this sort of thing than you do. On one hand, it seems like all bets are probably off, security-wise, if the adversary has access to your hardware. On the other hand, assuming there's no secret polynomial-time factorization algorithm* or similar, I'm not sure what an adversary would do with, say, a few RSA-encrypted emails plucked from Google's servers. There's presumably a reason for the draconian UK laws forcing the revelation of keys to LEOs.

I guess I don't understand what "cracked" means in this context.

*The idea of keeping that kind of mathematical progress secret is deeply troubling to me as a mathematician.
posted by kengraham at 4:19 PM on September 4, 2012


I probably know way less about this sort of thing than you do.

This isn't a "I know more than you could possibly imagine" claim I'm making so much as a common sense attitude that we were an attractive sigint target and should act as such. Our kit was obviously physically protected by men with rifles and such, but it was supplied by non-British defence contractors. I'd be surprised if NSA hadn't heavily pushed their own defence contractors for hardware backdoors, but aside from that it would have been stupid to depend on hardware as a single trusted element point of failure.

We just had a base assumption that we shouldn't trust anything less than one time pads for anything really important. Remember that these were flash priority messages like 'hey, we're about to die so if Australia could take over command of all the Trident subs that would be great' or 'apparently it was China that started it' so bandwidth wasn't really important compared to security.

Hardware backdoors are what manufacturers are heavily pushed to put in; if you're on a machine with a TPM chip it isn't even subtle. Trusting the trusted element is fairly suicidal when you don't even have the rights to write over the existing private and public keys. In this case the standard actually explicitly supports remote attestation, and the TPM chip has the right to read random memory addresses. In the light of that, OS security starts to look less important if people actually care about you. I certainly wouldn't bet any important (where important is defined as above) plaintext traffic on that hardware.

There's a reason USG gets a bit jumpy about PRC-made fake chips; it's not very practical (or possible) to check the actual chip installed beyond the markings on the top, and they can't be sure they have full control of the hardware. The actual chip is often unknown. Elint people spend careers trying to get the jump on each other in this way.

The trick isn't to break the cryptography; as you say, it's not like there's many attacks on AES that wouldn't require heat death or at least such decoding time that they're impractical unless you already have exactly the person you want even if we assume unknown fundamental cryptographic flaws. The trick is to try to pick up the plaintext or keys somehow.

It also has to be said that the data of who is talking to who is often as valuable as the actual data, if all you want to know is who's talking to who. If DPRK start having a lot of radio traffic between artillery units and C&C people get very unhappy even when they are using OTPs. As mentioned above though, if domestic law enforcement actually care about you there's nothing to stop them slipping some crack in someone's pocket rather than bothering with all the sophisticated stuff. The real security by obscurity is that most people (and, frankly, most states) don't have any data worth disclosing capabilities for; all the hardware level stuff is more high level, and is the type of thing that tends to stay inside NSA and GCHQ walls until required. It's not like people give a shit about some random Occupy person when they can just haul them in.

My apologies for the slight derail.
posted by jaduncan at 4:51 PM on September 4, 2012 [7 favorites]


Oh, and even aside from that side channel flaws such as keygen tend to screw people a lot; look at what happened to Debian (and Debian derived distros, of course) when they accidentally screwed the randomness of their SSL keygen. That's a zero-day that I'm quite sure that sigint people would sit on for as long as they could, and it's something that a user could be screwed by after even the perfect setup. Security is a chain that breaks at the weakest link, and most of the time it's not much to do with mathematical cryptographic flaws.

Highlight from the link (and remember that you'd only need to do this once):

Q: How long does it take to crack an SSH user account using these keys?
A: This depends on the speed of the network and the configuration of the SSH server. It should be possible to try all 32,767 keys of both DSA-1024 and RSA-2048 within a couple hours, but be careful of anti-brute-force scripts on the target server.

Q: I use 16384-bit RSA keys, can these be broken?
A: Yes, it's just a matter of time and processing power. The 8192-bit RSA keyset would take about 3100 hours of CPU time to generate all 32,767 keys (100 hours on the 31 cores I'm using now). I imagine the 16384-bit RSA keyset would take closer to 100,000 hours of CPU time. One thing to keep in mind is that most keys are within a much smaller range, based on the process ID seed, and the entire set would not need to be generated to cover the majority of user keys (most keys are within the first 3,000 process IDs).
posted by jaduncan at 5:05 PM on September 4, 2012 [1 favorite]
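The Debian weak-key problem referenced in the comment above is worth seeing in miniature, from the side of someone auditing a server rather than attacking one. What follows is an added example written for this thread, not code from the linked page, from Debian, or from any commenter. It models the broken generator with a hash so that the entire key space can be enumerated in a second (real RSA generation is stood in for, not performed), and then shows the blacklist-style check that the Debian/Ubuntu `ssh-vulnkey` and `openssl-blacklist` tools used: precompute a fingerprint of every key the broken generator could ever emit, and flag any key in an `authorized_keys` file whose fingerprint is on that list. The `PID_MAX` bound, the `broken_keygen` stand-in, the truncated-SHA-256 fingerprint format, and the sample `authorized_keys` lines are all constructed for this illustration.

```python
import base64
import hashlib

# Constructed model of the 2008 Debian bug: after the patch, the process id was
# the only input that still varied between runs, so the generator could emit at
# most PID_MAX distinct keys per key type and size.
PID_MAX = 32767


def broken_keygen(pid: int, bits: int = 2048) -> bytes:
    """Stand-in for the broken generator (assumption: a hash replaces real RSA
    generation so the whole space is cheap to enumerate). The point it keeps is
    that the output depends on nothing except the pid and the requested size."""
    assert 1 <= pid <= PID_MAX
    return hashlib.sha256(f"toy-rsa-{bits}-pid-{pid}".encode()).digest()


def key_space_size(bits: int = 2048) -> int:
    """Count the distinct keys the broken generator can ever produce for one size."""
    return len({broken_keygen(pid, bits) for pid in range(1, PID_MAX + 1)})


def fingerprint(key_blob: bytes) -> str:
    """Short fingerprint of key material; a blacklist stores these, not full keys."""
    return hashlib.sha256(key_blob).hexdigest()[:20]


def build_blacklist(bits: int = 2048) -> frozenset:
    """Enumerate every key the broken generator could emit and keep fingerprints.
    This is the data file that openssl-blacklist / ssh-vulnkey shipped."""
    return frozenset(
        fingerprint(broken_keygen(pid, bits)) for pid in range(1, PID_MAX + 1)
    )


def parse_authorized_keys(text: str):
    """Yield (key_type, key_blob, comment) for each usable authorized_keys line.
    Blank lines, comments and lines whose blob is not valid base64 are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        key_type, b64 = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        yield key_type, blob, comment


def audit_authorized_keys(text: str, blacklist: frozenset) -> list:
    """Return the comment of every key whose fingerprint is on the weak-key list."""
    return [
        comment
        for _key_type, blob, comment in parse_authorized_keys(text)
        if fingerprint(blob) in blacklist
    ]


def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


# Constructed sample file: two keys from the broken generator (pids 1234 and
# 31000) and one key whose material did not come from the pid-seeded generator.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample; blobs are toy key material, not real SSH keys",
    f"ssh-rsa {_b64(broken_keygen(1234))} alice@laptop-2008",
    f"ssh-rsa {_b64(hashlib.sha256(b'generated-with-working-rng').digest())} bob@workstation",
    f"ssh-rsa {_b64(broken_keygen(31000))} deploy@ci-box",
])


if __name__ == "__main__":
    print("distinct keys the broken generator can produce:", key_space_size())
    weak = audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, build_blacklist())
    print("weak keys found:", weak)
```

The enumeration step is the whole lesson: once the seed space is known to be 32,767 values, a defender can precompute the same list as an attacker and turn the flaw into a lookup, which is why the fix in 2008 was "regenerate and compare against the blacklist" rather than "hope nobody noticed".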


I'm not sure what an adversary would do with, say, a few RSA-encrypted emails plucked from Google's servers.

Intelligence agencies? They would probably get Google to ping them your IP whenever you connected up, then run a script with a 0-day on you and pluck the keys out of the OS. At a guess.
posted by jaduncan at 5:14 PM on September 4, 2012 [1 favorite]


Once the data is gathered it cannot be protected because someone on your org will accidentally email it to the wrong person, upload it to Dropbox or lose their laptop. Big data sucks, false correlations, questionable models, and privacy nightmares.
posted by humanfont at 5:16 PM on September 4, 2012 [1 favorite]


is it just me or is adrian chen kind of hot
posted by This, of course, alludes to you at 5:23 PM on September 4, 2012


just another day in the goverment's war on hipsters
posted by klangklangston at 5:25 PM on September 4, 2012 [2 favorites]


Once the data is gathered it cannot be protected because someone on your org will accidentally email it to the wrong person, upload it to Dropbox or lose their laptop. Big data sucks, false correlations, questionable models, and privacy nightmares.

As Cory Doctorow (yeah, I know) once wrote, personal data should be treated like toxic waste. Some processes will need to handle it, but those should be minimised and every effort should be made to contain it, because once it's out there, the damage is irrevocably done.
posted by acb at 5:47 PM on September 4, 2012


...personal data should be treated like toxic waste.

At work, this is pretty much my attitude: can I get rid of it now? Do I have to keep all of it? How soon can I get rid of it?
posted by wenestvedt at 7:19 PM on September 4, 2012 [1 favorite]


Contrary to what some upthread claimed, the NYT did finally cover this story.
posted by dd42 at 1:36 AM on September 5, 2012


also @jaduncan i remain unconvinced that the internet itself is not intrinsically disposed to that kind of thing on an abstract level
posted by This, of course, alludes to you at 5:52 AM on September 5, 2012


“The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization. Additionally, with iOS 6 we introduced a new set of APIs meant to replace the use of the UDID and will soon be banning the use of UDID,” Apple spokesperson Natalie Kerris told AllThingsD.
Hmmm.... this doesn't really surprise me as the list is neither comprehensive nor particularly hard to compile from third party sources without Apple coming into the picture at all.

I bet they're glad they made their iOS 6 bed the way they did....
posted by whittaker at 10:17 AM on September 5, 2012


also @jaduncan i remain unconvinced that the internet itself is not intrinsically disposed to that kind of thing on an abstract level

Which thing?
posted by jaduncan at 11:22 PM on September 5, 2012


homonculus, I heartily agree with the sentiments in the article "Apple Should Reinstate Drone+ & Stop Censoring Apps" but isn't that a little bit outside the scope of this discussion?
posted by whittaker at 9:53 AM on September 6, 2012


A follow up post by Marco Arment discusses findings by Bojan Gajic:
His UDID was among those in the “FBI leak” the other day, and the push notification (APNS) token associated with it was created by Glitter Draw Free, an app he had installed.
[...]
Bojan’s theory about a compromised push-notification database is far more plausible, and is a much better fit to the actual data.
In addition to that, there was an excellent overview post by Intrepidus Group--a mobile security outfit:
First, could the FBI have built this database? They couldn’t easily build it by eavesdropping: That much data simply isn’t passed in a conveniently concise fashion. It’d take a lot of work to pull together, and it’d be highly unlikely to end up on some agent’s laptop.

Could they have received it from Apple? While Apple would need a list of devtokens to route push messages to end users’ devices, that list could be built on-the-fly as devices come online and connect to Apple. It probably wouldn’t need UDIDs, and certainly wouldn’t need all the other personal information allegedly contained in the breach. [Update: A statement from Apple says, in part, "The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization."]

So where could this data have come from? The logical answer is a 3rd party application server. For example, a cable TV carrier might have an iPhone app for their customers to view and pay bills. The back-end account database would then need mailing addresses and probably phone numbers. If they also push messages to customer’s devices (for example, to alert of an outage) then they’d need devtokens. A compromise of that kind of application (from a utility, bank, social media company, game company, publishing company, etc.) is a very plausible source of this leak.
I think there's a lot of entities in this story to be sceptical of--not least of all AntiSec.

(Although, with regards to the first paragraph, I absolutely agree that muddgirl's theory of poor data handling in action is all-too-feasible.)
posted by whittaker at 12:09 PM on September 6, 2012


Oh hey guys, looks likely that--in a shocking turn of events--AntiSec was actually making up aggrandizing, sensationalist bullshit as to where they sourced that UDID list as well as how many they actually stole.

New York Times article:
An Orlando, Fla., company said on Monday that it — not the F.B.I. — was the source of a file hackers posted online last week that contained a million identification numbers for Apple mobile devices.

The company, BlueToad, which works with thousands of publishers to translate printed content into digital and mobile formats, said hackers had breached its systems more than a week ago and stolen the file. A few days after the file appeared online, the company realized it matched the stolen information, said Paul DeHart, BlueToad’s chief executive.
posted by whittaker at 9:40 AM on September 10, 2012 [2 favorites]


Yeah, NBC News also has a good article on the revelation that the source of the UDIDs was BlueToad.
posted by RichardP at 10:01 AM on September 10, 2012


I wonder how many conspiracy theories will be completely unaffected by that.
posted by Artw at 10:54 AM on September 10, 2012


I wonder how many conspiracy theories will be completely unaffected by that.
Yeah, horse is out of the barn now.

It seems to me that the rationale behind hacker announcements could become disturbingly similar to that of sites that run linkbait articles: Visibility over truth--it doesn't matter as long as enough people believe it early in the news cycle.
posted by whittaker at 11:03 AM on September 10, 2012 [1 favorite]


Oh hey guys, looks likely that--in a shocking turn of events--AntiSec was actually making up aggrandizing, sensationalist bullshit as to where they sourced that UDID list as well as how many they actually stole.

Whoops. Way to go, tech media.
posted by Blazecock Pileon at 11:10 AM on September 10, 2012


I wonder how many conspiracy theories will be completely unaffected fueled by that.

Here's some helpful data to get the kook ball rolling, courtesy of Wikipedia:
Some of the publishing partners for BlueToad include:

Modern Luxury
Snap-on
NAPCO (North American Publishing Co.)
Road Magazine
Arhaus
US Department of State
Performance Racing Industry
Public Relations Society of America
posted by Sys Rq at 12:01 PM on September 10, 2012


The best would be a conspiracy theory dependent on both.
posted by Artw at 12:13 PM on September 10, 2012


Adrian Chen: Anonymous’ Big FBI Hack Was a Big Lie
posted by homunculus at 1:03 PM on September 10, 2012 [1 favorite]


whittaker, I thought I'd posted that link in another thread. I blame Bill Clinton and his intoxicating speech for making me so disoriented that night.
posted by homunculus at 1:16 PM on September 10, 2012

