During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team, was breached using the AtomicReferenceArray vulnerability in Java. During the shell session some files were downloaded from his Desktop folder; one of them, with the name "NCFTA_iOS_devices_intel.csv", turned out to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. The personal details fields referring to people appear many times empty, leaving the whole list incomplete in many parts. No other file in the same folder makes mention of this list or its purpose.

and the following justification:
Well, we have learnt it seems quite clear nobody pays attention if you just come and say 'hey, FBI is using your device details and info and who the fuck knows what the hell they are experimenting with', well sorry, but nobody will care. FBI will, as usual, deny or ignore this uncomfortable thingie and everybody will forget the whole thing at amazing speed. So, next option: we could have released mail and a very small extract of the data. Some people would eventually pick up the issue but, well, let's be honest, that will be ephemeral too.

So, without even being sure if the current choice will guarantee that people will pay attention to this fucking shouted 'FUCKING FBI IS USING YOUR DEVICE INFO FOR A TRACKING PEOPLE PROJECT OR SOME SHIT'

More at Hacker News.
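The AntiSec statement describes a CSV of device records (UDID, APNS token, device name and type, plus mostly-empty personal fields). The following is an added example, not code from the original post or from anyone quoted in the thread, of the first checks a practitioner would run over such a dump before drawing conclusions from it: sanity-check the identifier columns (a UDID of that era is 40 hex digits, an APNS token 64), measure how empty each column actually is, and look up a single device. The column order and the sample rows are constructed assumptions for the example; the page does not show the file's header.

```python
import csv
import io
import re

# Column layout assumed for the dump. The page lists these fields but shows
# no header row, so the order here is an assumption, not the file's own.
FIELDS = ["udid", "apns_token", "device_name", "device_type",
          "user_name", "zipcode", "phone", "address"]

# An iOS UDID of that era is a 40-hex-digit SHA-1; an APNS device token is
# 32 bytes, conventionally rendered as 64 hex digits.
UDID_RE = re.compile(r"^[0-9a-f]{40}$")
APNS_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed sample rows, not records from the leaked file.
SAMPLE_CSV = (
    "0123456789abcdef0123456789abcdef01234567,"
    "0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f,"
    "Chris's iPhone,iPhone,Chris,10001,,\n"
    "89abcdef0123456789abcdef0123456789abcdef,"
    "1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a,"
    "Work iPad,iPad,,,,\n"
    "not-a-udid,"
    "0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f,"
    "Garbage row,iPod touch,,,,\n"
    "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef,,iPhone,iPhone,,,,\n"
)


def parse_dump(text):
    """Parse dump text into a list of dicts keyed by FIELDS, values stripped."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS, restval="")
    records = []
    for row in reader:
        records.append({f: (row.get(f) or "").strip() for f in FIELDS})
    return records


def validate(record):
    """Return problems with the identifier columns (empty list = plausible row)."""
    problems = []
    if not UDID_RE.match(record["udid"].lower()):
        problems.append("udid is not 40 hex digits")
    if not APNS_RE.match(record["apns_token"].lower()):
        problems.append("apns_token is not 64 hex digits")
    return problems


def field_completeness(records):
    """Fraction of rows with a non-empty value, per field."""
    total = len(records)
    if total == 0:
        return {f: 0.0 for f in FIELDS}
    return {f: sum(1 for r in records if r[f]) / total for f in FIELDS}


def contains_udid(records, udid):
    """Membership check for one device, case-insensitive on the hex string."""
    wanted = udid.strip().lower()
    return any(r["udid"].lower() == wanted for r in records)


def summarize(text):
    """Row count, rows whose identifiers are well-formed, and per-field completeness."""
    records = parse_dump(text)
    plausible = [r for r in records if not validate(r)]
    return {
        "rows": len(records),
        "plausible_rows": len(plausible),
        "completeness": field_completeness(records),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_CSV)
    print(summary["rows"], "rows,", summary["plausible_rows"], "with well-formed identifiers")
    for field, frac in summary["completeness"].items():
        print(f"{field:12s} {frac:5.0%}")
```

Run against a real dump, the completeness table is what backs (or refutes) the "personal details fields appear many times empty" claim, and the validation step separates malformed rows from the identifier-bearing ones before anyone tries to match tokens against an app's push database.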
to journalists: no more interviews to anyone till Adrian Chen get featured in the front page of Gawker, a whole day, with a huge picture of him dressing a ballet tutu and shoe on the head, no photoshop. yeah, man. like Keith Alexander. go, go, go.
posted by postcommunism at 6:18 AM on September 4, 2012 [1 favorite]
If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.
Cardinal Richelieu
posted by Malor at 7:06 AM on September 4, 2012 [19 favorites]
I run Cydia, and have determined only 16.7% of the UDIDs in that file are from jailbroken devices: I thereby do not believe that whatever managed to get this data is anywhere in our ecosystem.

So, it's definitely real. This is so similar to the Bradley Manning situation, except I guess in this case finding a single honest FBI agent willing to release this themselves was too much to ask. Who knows, maybe that has something to do with the fact we've been torturing Manning for years
From the beginning, Apple has always uniquely identified its devices via UDIDs or other means, and the iPhone is no exception. There is a class called "UIDevice" which describes the things on the iPhone, i.e., the features unique to that device. Until today, developers could have access to a user's UDID, and they've used them as identifiers for a lot of gaming, user info persistence and subscription systems (including some of our favorite apps). The downside of UDIDs in the past is that because they're related to devices and not accounts, sometimes it's hard to have the device identifiers talk to each other. Some developers have grabbed or scraped these without user permission for marketing and other less than reputable purposes -- hence the privacy concern behind broadcasting UDIDs to third-party developers.
posted by SubterraneanRedStateBlues at 7:20 AM on September 4, 2012 [2 favorites]
The saving grace is that your device UDID is not linked to your real-world identity. If it were possible to de-anonymize UDIDs, the result would be a serious privacy breach. Apple is well aware of this, and explicitly tells developers that they are not permitted to publicly link a UDID to a user account.

My recollection is that such concerns led to Apple's deprecation of the UDID, and a policy that apps that used it would be rejected from the App Store, as they've been doing since March 2012.
I recently published a tool called mitmproxy, a man-in-the-middle proxy that allows one to intercept and monitor SSL-encrypted HTTP traffic. Using mitmproxy to view the encrypted traffic sent by my own iOS devices, I was able to observe protocols and data flows that have clearly received very little external review. A slew of interesting security results followed (keep an eye on this blog), but by far the most alarming was the fact that it was possible to use OpenFeint to completely de-anonymize a large proportion of UDIDs.
Update: The popular and free AllClear ID app, related to NCFTA, is a likely culprit, especially given the filename.

The inevitable official statements are going to be very interesting indeed...
As serious as these problems are, I'm afraid it's just the tip of the iceberg. Negotiating disclosure and trying to convince companies to fix their problems has taken literally months of my time, so I've stopped publishing on this issue for the moment. It's disheartening to say it, but some of the companies mentioned in my posts still have unfixed problems (they were all notified well in advance of any publication). I will also note ominously that I know of a number of similar vulnerabilities elsewhere in the iOS app ecosystem that I've just not had the time to pursue.

"In advance of publication" above means before May or September of 2011, depending on the vulnerability for which he was providing a UDID-using network notification.
When speaking to people about this, I've often been asked "What's the worst that can happen?". My response was always that the worst case scenario would be if a large database of UDIDs leaked... and here we are.
I'm totally open to the possibility. I know I look pretty good in a tutu.
posted by homunculus at 10:29 AM on September 4, 2012 [2 favorites]
But how can I be sure Anonymous will hold up their part of the deal? Shadowy outlaw hacker groups are not known for their integrity. There was, for example, the time a prominent Anonymous hacker tried to trick me into writing a story falsely reporting he was working for the U.S. government to hack Chinese websites.
I'm currently trying to gain certain assurances. Stay tuned for tutu-age.
Almost all of the libraries have functionality that allows for sensitive user data to be sent to the ad provider, although we consider the cases where the library automatically extracts and sends information when permissions are available to pose the greatest privacy threats. Additionally, we observed a number of ad libraries that check for and leverage permissions beyond what is specified in their documentation. Although no single ad provider may provide a complete private user profile, we identified that the UDID field present in nearly all in-app ad requests allows someone observing the network to correlate user information between different ad providers. Because the UDID fields are populated by persistent values, this allows the observer to build a long-term user profile including GPS locations and targeting information.

The preponderance of free apps on Android, in particular, suggests app developers need a revenue stream outside of user purchases, and the platform owes its existence to Google's desire to capitalize on mobile advertising.
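The quoted paper's point is that a passive observer needs nothing more than the persistent UDID field to join ad requests from unrelated providers into one profile. The following is an added example, not code from the paper or from anyone in the thread, that does exactly that join over a handful of constructed request-log lines: three hypothetical providers send the same device identifier under different parameter names and in different letter case, and the observer still merges their locations and targeting attributes, while a request carrying only a per-session identifier cannot be linked to anything. The provider hostnames, parameter names and log lines are all assumptions made up for the example.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Query parameters under which the hypothetical ad providers in the sample
# send the device identifier. The names are assumptions for this example.
UDID_PARAMS = ("udid", "device_id", "uid")
# Targeting attributes the same requests happen to carry.
ATTRIBUTE_PARAMS = ("age", "gender", "zip")

# Constructed log lines of the form "<unix time> <host> <method> <path?query>".
# They are made up for this example, not captured traffic.
CAPTURED = [
    "1346742000 ads.provider-a.example GET /serve?udid=0123456789abcdef0123456789abcdef01234567&lat=40.7128&lon=-74.0060&age=34",
    "1346745600 track.provider-b.example GET /imp?device_id=0123456789ABCDEF0123456789ABCDEF01234567&gender=m&zip=10001",
    "1346749200 ads.provider-c.example GET /ad?uid=0123456789abcdef0123456789abcdef01234567&lat=40.7580&lon=-73.9855",
    "1346752800 ads.provider-a.example GET /serve?udid=89abcdef0123456789abcdef0123456789abcdef&lat=34.0522&lon=-118.2437",
    "1346756400 ads.provider-d.example GET /ad?app_session=c0ffee&lat=51.5074&lon=-0.1278",
]


def parse_line(line):
    """Split one log line into (timestamp, host, query parameters)."""
    ts, host, _method, target = line.split(" ", 3)
    query = urlsplit(target).query
    params = {k: v[0] for k, v in parse_qs(query).items()}
    return int(ts), host, params


def extract_udid(params):
    """Return the device identifier in canonical lower-case form, or None."""
    for name in UDID_PARAMS:
        if name in params:
            return params[name].lower()
    return None


def build_profiles(lines):
    """Join requests from different providers on the shared, persistent UDID."""
    profiles = defaultdict(lambda: {"providers": set(), "locations": [], "attributes": {}})
    for line in lines:
        ts, host, params = parse_line(line)
        udid = extract_udid(params)
        if udid is None:
            continue  # no persistent identifier: nothing to join on
        prof = profiles[udid]
        prof["providers"].add(host)
        if "lat" in params and "lon" in params:
            prof["locations"].append((ts, float(params["lat"]), float(params["lon"])))
        for attr in ATTRIBUTE_PARAMS:
            if attr in params:
                prof["attributes"][attr] = params[attr]
    for prof in profiles.values():
        prof["locations"].sort()  # a movement trail ordered by time
    return dict(profiles)


def unlinkable_requests(lines):
    """Requests that carry no persistent identifier and so cannot be correlated."""
    return [line for line in lines if extract_udid(parse_line(line)[2]) is None]


if __name__ == "__main__":
    for udid, prof in build_profiles(CAPTURED).items():
        print(udid, sorted(prof["providers"]), prof["attributes"])
        for ts, lat, lon in prof["locations"]:
            print("   ", ts, lat, lon)
    print(len(unlinkable_requests(CAPTURED)), "request(s) could not be linked to any device")
```

The contrast between the first device and the last request is the whole argument for per-app, resettable identifiers: a provider that sends only a session token contributes nothing to anyone else's profile, whereas three providers sharing one persistent hardware identifier hand the observer a timeline of locations and demographics none of them holds alone.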
"They've targeted Adrian Chen because he's the prototypical pro-establishment Eichmann. Every article Adrian writes about WikiLeaks, Anonymous, the Occupy movement, or any other progressive institution of civil disobedience is dripping with disdain. I'd say Adrian should be thankful Anonymous only appears to be interested in humiliating him as opposed to launching a full-blown, scorched-Earth campaign against him."

So it's either grim agents of the security-surveillance state watching my every keystroke or hackers so intoxicated with their own leetness they'll wreck my life if I anger them. Lovely.
The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.
posted by unSane at 2:23 PM on September 4, 2012
"I do understand your position, i'd like a word before stunting like that, too xD," one of his colleagues said. "On the bright side, I've worked with him for long time now and the man does live up to his word."

Now that's journalism!
“The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization. Additionally, with iOS 6 we introduced a new set of APIs meant to replace the use of the UDID and will soon be banning the use of UDID,” Apple spokesperson Natalie Kerris told AllThingsD.

Hmmm.... this doesn't really surprise me as the list is neither comprehensive nor particularly hard to compile from third party sources without Apple coming into the picture at all.
His UDID was among those in the “FBI leak” the other day, and the push notification (APNS) token associated with it was created by Glitter Draw Free, an app he had installed.[...]
Bojan’s theory about a compromised push-notification database is far more plausible, and is a much better fit to the actual data.

In addition to that, there was an excellent overview post by Intrepidus Group--a mobile security outfit:
First, could the FBI have built this database? They couldn’t easily build it by eavesdropping: That much data simply isn’t passed in a conveniently concise fashion. It’d take a lot of work to pull together, and it’d be highly unlikely to end up on some agent’s laptop.

I think there are a lot of entities in this story to be sceptical of--not least of all AntiSec.
Could they have received it from Apple? While Apple would need a list of devtokens to route push messages to end users’ devices, that list could be built on-the-fly as devices come online and connect to Apple. It probably wouldn’t need UDIDs, and certainly wouldn’t need all the other personal information allegedly contained in the breach. [Update: A statement from Apple says, in part, "The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization."]
So where could this data have come from? The logical answer is a 3rd party application server. For example, a cable TV carrier might have an iPhone app for their customers to view and pay bills. The back-end account database would then need mailing addresses and probably phone numbers. If they also push messages to customer’s devices (for example, to alert of an outage) then they’d need devtokens. A compromise of that kind of application (from a utility, bank, social media company, game company, publishing company, etc.) is a very plausible source of this leak.
An Orlando, Fla., company said on Monday that it — not the F.B.I. — was the source of a file hackers posted online last week that contained a million identification numbers for Apple mobile devices.
posted by whittaker at 9:40 AM on September 10, 2012 [2 favorites]
The company, BlueToad, which works with thousands of publishers to translate printed content into digital and mobile formats, said hackers had breached its systems more than a week ago and stolen the file. A few days after the file appeared online, the company realized it matched the stolen information, said Paul DeHart, BlueToad’s chief executive.
I wonder how many conspiracy theories will be completely unaffected by that.

Yeah, horse is out of the barn now.
Some of the publishing partners for BlueToad include:
Modern Luxury
Snap-on
NAPCO (North American Publishing Co.)
Road Magazine
Arhaus
US Department of State
Performance Racing Industry
Public Relations Society of America
posted by Sys Rq at 12:01 PM on September 10, 2012
posted by jaduncan at 5:33 AM on September 4, 2012 [6 favorites]