This could be big – although just how big remains unclear. “There you have. 1,000,001 Apple Devices UDIDs linking to their users and their APNS tokens. The original file contained around 12,000,000 devices. We decided a million would be enough to release. We trimmed out other personal data as, full names, cell numbers, addresses, zipcodes, etc.” How did AntiSec get this data (they claim)? From an FBI laptop. Why an FBI laptop would have a file with personal information on 12 million iOS users, we don’t know – especially since 10000 of them are Dutch/Belgian, and last I checked, those do not fall under FBI jurisdiction. Did the FBI obtain it from an application developer, or from Apple itself? Then again – 12 million users? From a single iOS developer? I find that hard to believe.
I thought information wanted to be free? The new more transparent society is coming.
– Cory Doctorow
–Thermodynamics
“If there is one thing the history of [the internet] has taught us it’s that [information] will not be contained. [Information] breaks free, it expands to new territories and crashes through barriers, painfully, maybe even dangerously, but, uh… well, there it is.”
– Ian Malcolm
“People caught freeing information will lose their personal freedom.”
This kind of news makes me glad I ditched Apple a while back. Though, this kind of thing is possible via Microsoft as well I’m sure.
I guess it’s fortunate that I’ve recently been given an extra laptop that happens to be nearly 100% hardware supported on Haiku as well as most flavors of GNU/Linux. The sweet, sweet irony? It’s a Sony Vaio. F*ck.
Edited 2012-09-04 11:00 UTC
Full quote:
“On the one hand information wants to be expensive, because it’s so valuable. The right information in the right place just changes your life. On the other hand, information wants to be free, because the cost of getting it out is getting lower and lower all the time. So you have these two fighting against each other.” -Stewart Brand
“Information wants to be free” means that data, now that it is easily duplicable and transferable, cannot be kept under locks. It will “break free” sooner or later.
Edited 2012-09-04 13:07 UTC
I’ve not viewed the contents (or even downloaded the file), but if the published data is purely just UDID then there’s a chance this might be a hoax.
They might have just cracked the algorithm that generates UDID and published those. After all, if there’s no user data associated, then how do you prove that those IDs were not generated rather than hacked.
But as I said, I’m just speculating based on what little information has been posted in here. If anyone has more information then I’d be very interested
Edited 2012-09-04 09:29 UTC
'0cb11950aa5fdfd24aaad38a39c1223592770c91','38db602b33ac54c3bf0550fa4054550d011adb0f6ef982bd79921b7dcbcf6acb','Laurence's iPad','iPad'
'2956c245da3e3dbb23d3a437e627fc285b9dbab8','a61549c81d75ac46c2b01ba31739b3544901114e3196f087d89284d6a09aabc2','laurence's iPad','iPad'
'3dc97161297f601a98b3deeb56841f8d7df22e02','661c1610ff8d9ad1755639eb6e91ebf3268c8986f7b8cb937513d172be90aaf3','Laurence\'s iPad','iPad'
'5a07bd3a737818a71998be5210e1d75766b4bc36','db785464d1a45312f88afef3a6afe6b034a805999d9473f7af98b3a855313c7b','Laurence's iPad','iPad'
'5c7ece5b8d51962fae165889d3fea46e6c3055dd','1204fa2d68175a3f73fdf7caffb583eba5682a6c7be67eb437f7d1c12b929201','Laurence's iPad','iPad'
'6d821ab2f557faaa203939d952bb765d6d72689f','61fe059163f86055b2d954f53be983f9f39cde2a800d625e5eaab0db06785f60','Laurence's iPad','iPad'
'6d821ab2f557faaa203939d952bb765d6d72689f','8f6e483641f2fc40aab7d305c934debf591d079528b20170b9c7321f09497680','Laurence's iPad','iPad'
'6d821ab2f557faaa203939d952bb765d6d72689f','aa2067037e1eff611ec20a7564a32ab9b8ce5b26d039925bf85adb9c8d6ff6c9','Laurence's iPad','iPad'
'71f51fbd7810c314aae4f938cbb79da63d210e04','3dc6a8eed4e006ef4fdaf5f8433a6eb7d210c54302233da2c2217bdc2132ce9c','LAURENCE's iPad','iPad'
'ffd12e42211d2d7cddc885e219e9be7d2872cc27','fb4c1eacf173968c12c8be0273b22bc44cbecd8699d522b4bfd10d35bca7d1b6','Laurence's iPad','iPad'
'2c6e3ff598743cae7addfe88e9d1d039d445da11','41558120ce78947e2aa19ea294d9bced3b66c3481d6399af554655ad99a7bbc9','Laurence\'s iPhone 4s','iPhone'
'1f2a3002cfef8794b212cc1cda57cd00c2ff1593','aa7816d9293e8d6b2e63cc4cf420999ff10799f1e5f77770b96000a67bee8803','Laurence's iPhone','iPhone'
'673b23ded5c3da24d366656f7ab1d4b05064bfc0','b98edafe57729b1f9ece37c59ca52641b65688570020ad7face96cac810bc2dd','Laurence's iPhone','iPhone'
'963b8acca0ec752afcb2dbacdfe956ddd3d7cf8a','98d7fa6a3c2774eddfd1f7731589c90837a2e6ea4bd387db482b1fad5910aee7','laurence's iPhone','iPhone'
'cc4a5651c160803bff742cb99192f06bcefe7312','986a1012b20719803b8f53a00e0e9311285eb83579b12ec59b4190307c7ff560','Laurence's iPhone','iPhone'
'fe742c9e24f0fa5389a122aeccc705b431ac6b04','8752e46ec4081811fc07ff3f559128752d247bfe464628066a0faa737d9d3a57','Laurence's iPhone','iPhone'
'f3b900b80af74b6f360e97b9b0583486a8d01d2d','7f47d1f70dc3a2b79c48b2a8ea273d28bf63d80ec2aa494a87de545f29225ba6','Laurence\'s iPod','iPod touch'
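The rows posted above are quoted CSV: a 40-hex-character UDID, a 64-hex-character APNS token, a device name and a device type. The following Python script is an added example, not code from this thread or from the UDID-lookup tool linked later in the discussion. It parses that row shape, flags rows whose UDID or token does not have the expected length and alphabet (the plausibility check the earlier hoax question asks for), counts how many APNS tokens each UDID carries (the same UDID can appear several times, as it does above), and lets you look up a UDID locally instead of pasting it into a third-party web form. The sample rows are constructed for the example; none of the hex values come from the leaked file.

```python
import re
from collections import defaultdict

# Constructed sample in the posted row shape:
# 'UDID (40 hex)','APNS token (64 hex)','device name','device type'
# The last row is deliberately malformed to exercise the plausibility check.
SAMPLE_DUMP = r"""'0123456789abcdef0123456789abcdef01234567','00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff','Alice\'s iPad','iPad'
'0123456789abcdef0123456789abcdef01234567','ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100','Alice\'s iPad','iPad'
'fedcba9876543210fedcba9876543210fedcba98','0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0','Bob\'s iPhone','iPhone'
'not-a-udid','0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0','Broken row','iPhone'
"""

# A single-quoted field; a backslash escapes the next character (so \' is a literal quote).
FIELD_RE = re.compile(r"'((?:[^'\\]|\\.)*)'")
UDID_RE = re.compile(r"^[0-9a-f]{40}$")   # iOS UDID: 40 lowercase hex characters
TOKEN_RE = re.compile(r"^[0-9a-f]{64}$")  # APNS device token: 64 lowercase hex characters


def parse_row(line):
    """Split one dump line into a dict; raises ValueError if it is not 4 quoted fields."""
    fields = [m.group(1).replace("\\'", "'") for m in FIELD_RE.finditer(line)]
    if len(fields) != 4:
        raise ValueError(f"expected 4 quoted fields, got {len(fields)}: {line!r}")
    udid, token, name, kind = fields
    return {"udid": udid.lower(), "token": token.lower(), "name": name, "type": kind}


def parse_dump(text):
    """Return (plausible_rows, suspicious_rows).

    A row is suspicious when its UDID or token does not have the length and
    hex alphabet the format requires; a dump full of such rows would point to
    fabricated data rather than an exported database.
    """
    plausible, suspicious = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        row = parse_row(line)
        if UDID_RE.match(row["udid"]) and TOKEN_RE.match(row["token"]):
            plausible.append(row)
        else:
            suspicious.append(row)
    return plausible, suspicious


def tokens_per_udid(rows):
    """Map each UDID to the number of distinct APNS tokens recorded for it."""
    index = defaultdict(set)
    for row in rows:
        index[row["udid"]].add(row["token"])
    return {udid: len(tokens) for udid, tokens in index.items()}


def udid_in_dump(rows, udid):
    """Case-insensitive local lookup of a UDID; nothing leaves the machine."""
    wanted = udid.strip().lower()
    return any(row["udid"] == wanted for row in rows)


if __name__ == "__main__":
    good, bad = parse_dump(SAMPLE_DUMP)
    print(f"{len(good)} plausible rows, {len(bad)} suspicious rows")
    for udid, n in tokens_per_udid(good).items():
        print(f"{udid}: {n} token(s)")
    print("lookup:", udid_in_dump(good, "FEDCBA9876543210FEDCBA9876543210FEDCBA98"))
```

To check a real device, replace SAMPLE_DUMP with the contents of the published file and call udid_in_dump with the UDID from iTunes or Xcode; the shape check is a sanity filter on the data, not proof of where it came from.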
I see. It would be pointless faking those details as they could easily be verified.
My name isn’t on the list, that would have made it easy to verify the validity.
But the UDIDs look real and the assigned device names look real too. If it’s fake someone put in some effort to make it look real.
Now grabbing a file with 12 million UDIDs from an FBI laptop is less likely, but stranger things have happened.
hahaah, all 17 of your devices are being tracked by the FBI right now
…Rovio, for one, could easily have that many users.
And, I do know someone (who told me about the leak, actually), who claimed that his device was on the leak.
The only ways I see it being a hoax are if it didn’t actually come from the FBI, but rather Apple or a developer. And, then, it’s real data still, and the hoax is just the source of it.
Edited 2012-09-04 11:58 UTC
Apparently the published list is 130 MB. If it’s a twelfth of the total the complete file would be about 1.5 GB.
It’s kind of hard to believe that an FBI laptop with a Java vulnerability gets spotted by some automated scan and somehow “they” managed to locate a file and download 1.5 GB of data.
They couldn’t have known it was an FBI laptop, what was on it and where it was located.
Of course they could just have grabbed the biggest file around, but there is a real risk the connection is dropped before it completes considering the time it would take. Besides, large files often are pirated movies you could download anyway without needing to hack a laptop.
Another possibility is that the laptop got discovered by an automated scan and a human sniffed around after that, but that’s also a low probability option because having a file with 12 million UDIDs is very rare.
Discovering and hacking an FBI laptop and finding a 12 million UDID entries file and downloading it probably has a probability that’s smaller than one in twelve million.
The way I understand it, FBI agents in the field are required to use a DoD-provided Linux-based liveCD whenever they connect to the public Internet. It allows for a secure VPN tunnel back to government datacenters. Even my lowly terminal at work goes through two separate encrypted VPNs and it’s just a county law enforcement terminal.
As to whether they actually do it in practice, who knows? Some of my coworkers completely ignore their Security and Integrity training and use their mobile data terminals to look up license plate info on cute women. Those sorts of shenanigans go all the way to the top of the ladder too.
Chances are pretty high that there are FBI agents out there ignoring security protocol and chances are pretty high some become victim of a non-patched system.
But I estimate chances rather low of having (1) an FBI laptop, (2) a non-patched system, (3) getting hacked, (4) a file containing 12 million UDIDs, (5) finding it, (6) downloading it.
Then again stranger things have happened, so I don’t rule it out.
There is a huge half-patched Java exploit running around:
http://www.forbes.com/sites/andygreenberg/2012/09/04/beware-fake-mi…
and the FBI agent who has been hacked is not a nobody, he appeared in an FBI video ad calling for hackers to join the Bureau:
http://www.forbes.com/sites/parmyolson/2012/09/04/fbi-agents-laptop…
That reduces the “improbability” of point 1), 2) and 3) of your analysis. As for 4), 5) and 6), if this agent had this data on his personal computer, it should have been all too easy.
It would be relatively easy if he and his laptop were specifically targeted and they managed to get his IP address.
Now I guess his video did make him pop out from the crowd.
Claiming stuff is easy, especially when whatever you claim is bound to get headlines. Providing actual proof is harder.
Isn’t it a little convenient that of all the FBI employees the one that gets supposedly hacked is the one person who the public knows about?
From the article:
Hmm… what is it we call those people again? Oh yeah, attention whores.
Few people outside the hacking community knew about this guy.
What you call suspiciously “convenient” is… well, rather obvious. FBI agent stars in a stupid ad, FBI agent gets targeted.
Attention whores, but with 12 million UDID and personal data. Not bad, eh?
And how do you know there are 12 million?
Hey, you know what? I have 50 million UDIDs that I got from a DoD laptop. Want proof? Oh well, just look at the ones already released, they’re in my list too. Trust me, I have 50.
Smartass.
It makes for good publicity though….
Well, the FBI has now denied it was their man/laptop.
But then again: don’t believe anything until it’s officially denied.
Would you believe an official denial made by a spying agency? Heck, these days it’s even hard to believe an official denial made by a (once) respected athlete that defeated cancer and went on to win seven Tour de France titles.
Official denials are the worst, they are almost certainly false.
(The FBI isn’t a spying organization, but an investigating one (well, it’s supposed to be)).
Well, camping nearby some FBI offices with a cantenna most likely significantly increases chances of communicating with an FBI laptop…
Also, 1.5 GiB over a decent wifi isn’t that much; plus maybe they set up the transfer in a way that a partial file will be saved, too. And pirated movies tend to have very recognizable names & extensions… (but I guess you might be used to the obfuscation done by iTunes? ;p )
…plus, FBI agents would never download and keep such, right?
You don’t have to be Rovio to have that many users, in our database we do have ~25 million udid’s used for push and pull messaging.
They could also come from some third-party push notification web services. There are lots of them out there, some used by big apps.
This puts this recent article into perspective:
http://www.schneier.com/blog/archives/2012/08/is_iphone_secur.html…
Not really. They’re two entirely different things:
Bruce Schneier talks about data security and this article is about security of personal details.
The former is held on the iPhone itself and the latter is broadcast to authorised 3rd parties.
So while both are very relevant issues that fall under the “security” umbrella, they’re still different topics.
Full names, cell numbers, addresses, zipcodes, etc. are usually broadcast to 3rd parties?
If you’re buying something online, then definitely. Even if that process requires the user manually entering said details into a HTML form, it’s still being transmitted from client (iOS) to server (3rd party)
http://thenextweb.com/apple/2012/09/04/heres-check-apple-device-udi…
Is there still anyone who thinks Apple or Google or Facebook or Microsoft or Twitter or anyone won’t provide data to FBI/NSA or anything like that? Rather surprising, especially because this is the only reason why many of such houses give their products out for free 😉
For Google, it is already known. They even have a whole sub website dedicated to listing all the takedown orders and official data access requests they are asked to comply to, month by month.
I wouldn’t be concerned about “official” requests. I would be far more concerned about under-the-hood access which basically anyone provides. Especially those free services like Facebook and so on. That smells of under-the-hood controlling as hell.
I don’t get the point of this. Sure somewhere this data was not fully protected. Country sponsored and crime syndicate sponsored programs run 24/7 trying to hack into any and all devices. The ability to access 12 million accounts would be a tempting target if the names and addresses and other personal data exist.
The main person who is the victim here is the common simple user. They don’t have any idea of security. They bought a cute device, hoped it was safe since everyone else has one and does this or that on it. They now have to worry that they will be the victim of identity theft.
Trust me. It took me two years to get my credit cleared from a Russian hacker that took thousands of people’s credit card data and stole money. Many of the victims just paid the money.
1) The hackers claim they have the addresses and phone numbers, but they didn’t release them (yet – I guess they’ll use that to put pressure on Apple).
2) It’s sad, but without that kind of scandals, users will never care about security. If we get 10 more of those, maybe people will start worrying about all the data collection and sharing that’s happening.
Edited 2012-09-04 19:06 UTC
Why should we be worried? As others have commented already with various quotes, this information ‘wants to be free’ and can never be contained, despite whatever laws are passed and/or trying to wish it away. It’s like worrying about whether it’s going to rain tomorrow.
In a world where information is infinitely copyable and instantly transportable around the world, those of you who still think you can keep information private that others want to get their hands on are living in a dream world, unless you can encrypt it, and make sure it doesn’t get in the hands of the wrong person. And, well… it’s kind of hard to encrypt/keep secret somebody’s address and phone number.
Yeah I don’t care about my address, it’s in the phonebook anyway.
The problem is that UDIDs allow you to access some information that might be sensitive about a person. For example, see the OpenFeint flaw:
http://corte.si/posts/security/openfeint-udid-deanonymization/index…
http://corte.si/posts/security/udid-leak.html
For example, the query returns the last game the user played. Not a big deal in most case. But if you replace last game played with last webpage visited or something else, this can quickly become a problem.
The thing is – and this isn’t really Apple’s fault – a lot of companies are not serious at all about how they handle user’s private data (not talking address or phone number here, but history of games played or visited url).
Thank goodness Apple keeps track of devices and their owners, as well as their cell phone locations!
When it comes to Apple and privacy, the customer comes last.
Not to put too fine a point on it, but if you carry a cell phone, you can be tracked. Period. Whether it’s Apple (insert other cell phone manufacturer here as well) or your carrier, a stalker interested in you or even the government. If you don’t want to be tracked, you had better ditch that cell phone right now, whether it’s a smartphone or the dumbest feature phone one can still buy. If it connects to those towers, you can be found.
Switched off virtually all the time, a mobile phone still has plenty of utility… and any possible tracking is much less severe.
You don’t even need a SIM card, not even a prepaid one, for some of the more notable utility – any GSM phone will dial 112 even without SIM, or even if its locked.
I just want to add a few things in addition to some of the suspicions already raised around here.
1. They decided one million out of twelve million would be enough to release? That’s only 1/12 the information. In other words, they don’t actually care about our security as opposed to their publicity, or they would’ve released all twelve million. How am I supposed to know if I’m on that list? Sure, I might not be on the list they’ve deigned to give us, but hey, that doesn’t prove a damn thing.
2. They say the original file was about 1.5 gb and that’s why they couldn’t release it. Are you telling me some supposedly expert hackers like this haven’t heard of LZMA or BZIP2? It’s called compression and that is exactly what it’s for. They could’ve even split it up or released it as a torrent, but instead, they withhold it. My red flag just went up.
Now, these types of things do happen. If you have a cell phone or other device that connects to towers, you can be tracked without difficulty. But do these guys actually have twelve million device IDs? I seriously doubt it. Show me the proof and then, if they actually do have proof, I might get worried about it.
Yeah, because it is vitally important to know if they have one or twelve million. I mean, one million is nothing, it’s peanuts, right?
Really worth raising a red flag.
Ah, but it is worth raising a red flag because, you see, there is no proof they have those IDs and that casts doubt on whether the IDs they have published are even real. For someone who often claims to want full disclosure of information, you seem rather relaxed about having it here. As for me, I don’t believe things until they’re proven. They have twelve million IDs? Show us the proof or else realize that those of us who generally want solid facts won’t believe the so-called IDs they did release. I understand that there are folks on here who will believe something like this so long as it’s against a company they hate but, as for me, I prefer to stay neutral in the brand wars.
Even if they don’t have the whole twelve million, they already have a friggin’ million; isn’t that already important? Isn’t that already a big proof?
You sound like a lawyer who would say “only one fingerprint of my client has been found on the weapon; all complete fingerprints of all the ten fingers should be there! Your proof is void!”
Seriously, it is worth more freaking out for the fact that there is one million UDID in the hands of Antisec and others, rather than discussing where are the other eleven million.
Edited 2012-09-05 13:58 UTC
And you sound like a juror that would convict a person based on one small set of circumstantial evidence. “Well, they look guilty, so book ’em and let’s get out of here.” I’m glad you won’t be on any jury of mine should I ever be falsely arrested and, by the way, I’ve noticed that you haven’t actually addressed any of the concerns I raised but resorted to ridicule. Care to actually address these points? First, why not release the whole file and second, if it really is too big, why not split it up and/or compress it? I realize I’m not falling into the “I hate Apple” mode that’s so popular around here, but nevertheless I have valid concerns that relate directly to whether this information is true or false.
One privacy violation is a tragedy; a million is a statistic.
Edited 2012-09-05 15:03 UTC
1M or 12M, same thing. Either way it shows that the data wasn’t sufficiently protected, which is what AntiSec set out to demonstrate. I understand the hatred towards the group, but whether we like them or not I think it does provide an incentive for companies to improve their security practices.
I’m willing to bet that more than half of us work at companies with lax security where the managers privately don’t care for (or can’t justify) working towards resolving security problems until AFTER they’ve been exploited. I still remember one response when I personally pressed the issue with a PM (paraphrased) “we get paid to add new feature, we don’t get paid to fix the old ones”. What disturbs me about it is that it’s absolutely true, so we end up with data being vulnerable and no one wants to pay to fix it. Politicians make laws like HIPAA, but from where I’m sitting it hasn’t made much of a difference on the ground level in IT.