278 comments

[ 3.2 ms ] story [ 305 ms ] thread
Also, what's the point of releasing password protected files to public? I mean, they give you the password thus kind of making the whole password thing a moot point.
It proves that the author of the rant is the leaker of the data, not just some guy linking to data someone else posted.

It also causes all the data to be released atomically even if it took a while to upload to all the places.

Ah that makes sense. Thanks tlb.
> It proves that the author of the rant is the leaker of the data, not just some guy linking to data someone else posted.

I don't see what would stop you from stating the password to a file you didn't upload.

That's why for these types of archives the password actually contains the credentials.
true, but in this case the password contains "antis3c" [Antisec], the group that is responsible.
So download it, decrypt it, and pick a different password. Takes a couple minutes, tops. And if your 'release' gets more attention than the original, how does the original prove that's what happened, or even get heard?
You can see who came first, the internet knows.
The internet attributes much to the wrong sources. And forgets many redactions. I wouldn't trust such a thing to the internet.
because you wouldn't know the password before the public announcement, and after the announcement it doesn't matter.
It also allows the file to be widely disseminated and mirrored before revealing what it contains, as an anti-DDOS measure.
why does an FBI agent have 12 million+ identification numbers for iOS devices?
This is the stated reason for the release - to have people ask why an agent has 12m UDID numbers on his laptop. They released 1m out of the 12m UDIDs so that they can guarantee a statistical sample that can be verified, while preserving a bit of privacy.

Along with the UDIDs were other columns with an assortment of personal data, although there were a lot of holes.

How large would a 12m line long .csv file be?

Not sure how many bytes per entry, but it would be of the order of gigabytes.

It would probably compress well
It might be a gigabyte if there were about 90 characters per line 1 or 2 gigabytes tops? "on the order of gigabytes" is a rather pretentious way of saying that.
The 1,000,001 line file is 136MBs uncompressed, so 12M should be around 1.6GB
(comment deleted)
The filename refers to NCFTA, which might seem in context to be http://www.ncfta.net — perhaps some bit of intel that's widely-traded in NCFTA circles for various uses? I mean, hey, pretty useful if you're tracking down pretty much anything in which an Apple device is used, right?
Money quote for the people that don't want to wade through ten pages of rant:

  During the second week of March 2012, a Dell Vostro notebook, used by
  Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action
  Team and New York FBI Office Evidence Response Team was breached using the
  AtomicReferenceArray vulnerability on Java, during the shell session some files
  were downloaded from his Desktop folder one of them with the name of
  "NCFTA_iOS_devices_intel.csv" turned to be a list of 12,367,232 Apple iOS
  devices including Unique Device Identifiers (UDID), user names, name of device,
  type of device, Apple Push Notification Service tokens, zipcodes, cellphone
  numbers, addresses, etc.
Is there any evidence that this data comes from the source they claim?

And is there some way to validate these are real UDIDs?

Sure - me. Both my iOS devices are on this list - confirmed both by name and UDID match.

However, I renamed my iPad around last November after I started using it more in public, yet its original name (easy to find if you search for my HN nick) is the name listed.

EDIT: Oh, and fwiw, law-abiding natural born US citizen here. But who am I kidding - LEAs don't give a toss about that.

...assuming this has any connection to LEA
How does that prove that an FBI laptop was the source of this information (per the grandparent post's question)?
Your grandparent asked two questions. He answered the other one.
Does it have an APNS token? Is it possible to send yourself a push notification and see what app it appears to come from?
It would be interesting if you and others with their device on the list could come up with a list of apps that you've had installed.
This is very disturbing. How did the FBI gain access to all this information? It should be locked up in Apple.

From what I see, the NCFTA in "NCFTA_iOS_devices_intel.csv" looks like it stands for the National Cyber-Forensics & Training Alliance, which "functions as a conduit between private industry and law enforcement." (http://www.ncfta.net/)

Is Apple willingly sharing personal information with the FBI through the NCFTA?

Doesn't a popular iOS developer have the same information?

UDIDs, APNS tokens (for push notifications), basic demographic information is something a popular social app or game might have. 12 million is a pretty good number, though.

edit: our iOS app has over 2 million of these type of device records (though we don't collect any demographic info, so just device ids, apns tokens, device names, device types -- standard for push notifications).

http://developer.apple.com/library/mac/#documentation/Networ...

Would all of those millions install an application from the FBI knowing it gave them that information?

Just because I am ok with one organization having my information doesn't mean that I am ok with any others having the same.

I'm presuming the FBI got the database from an App Developer. Not that the FBI released a popular iOS app.
Uh, yes. I think that is a safe assumption that they did not compile the list themselves.
The FBI stole an Instapaper server in an unrelated raid http://blog.instapaper.com/post/6830514157
So Marco Arment could go all CSI for us and let us know whether the sample corresponds to info he retained and which would have been on the server at the time.
I've been using Instapaper since pretty much the first day, and my information is not in the file. Not to say they don't have it, but, it's not in that file, FWIW.
I couldn't even guess the episode, but Marco has stated on is 5by5 podcast that he doesn't collect user information and only dips into user information grudgingly. I'd be surprised if this came from him as according to his statements he finds holding any user information that could be described as private unpleasant. This is all based on recollection however.
Still cant find the podcast, but here is what Marco says the FBI tool, quoted from the Instapaper blog about a year ago: >>The server was used as a MySQL replication slave, handling read-only queries to speed up the site. Instapaper suffered no downtime as a result of its theft and no data has been lost.<<

Further down:

>>Possibly most importantly, though, the FBI is now presumably in possession of a complete copy of the Instapaper database as it stood on Tuesday morning, including the complete list of users and any non-deleted bookmarks. (“Archived” bookmarks are not deleted. “Deleted” bookmarks are hard-deleted out of the database immediately.)

Instapaper stores only salted SHA-1 hashes of passwords, so those are relatively safe. But email addresses are stored in the clear, as is the saved content of each bookmark saved by the bookmarklet.

The server also contained a complete copy of the Instapaper website codebase, but not the codebase of the iOS app.

Linked Facebook, Twitter, or Tumblr accounts only store their respective OAuth keys. Linked Evernote accounts only store the Evernote email-in address. Linked Pinboard accounts, however, store plaintext usernames and encrypted passwords, and the encryption keys are present in the website source code on the server. <<

So "FBI theft" should be a new failure mode to defend against in web applications, right after SQLi and XSS? I'm handling this by not having any servers in the USA, hopefully GB is safe.
Yeah, this gives a whole new meaning to having live backups/redundancy. I guess this is an advantage of hosting on EC2 since there would be difficult for the FBI to seize the physical server.
It would be easier on EC2 since the FBI could just have Amazon clone your EBS volume and you'd never be the wiser.
Absolutely, that wasn't my point. Since the FBI could do that, you are unlikely to get your server seized from an unrelated raid. Still, a crappy situation.
iOS developers don't have the Apple IDs nor ZIP codes nor addresses (unless they separately ask for them but at least the apple ID is very uncommon)
There are no "Apple IDs" in here. Just Apple device UDIDs.
You are right. I misread the announcement. That still leaves the issue of the personal data, but as I said: app developers could acquire that directly from the user.

Possibly, the fact that personal data is missing so often actually might point to a non-apple leak, because they would have the link to personal data. Of course it could be fake, but it would be prsesent.

When he said "a popular iOS developer" I assumed he meant Facebook.
Well if Facebook sells the data on the open market, who is really alarmed that FBI bought it?
Could this data have been taken from the AT&T "breach" a while back where all the data for iPhone customers wasn't protected and crawled?
I imagine it wouldn't be that difficult to extrapolate this information from your address book: I keep my own name, phone number, address, etc. all in there, and you can probably figure out which record is mine.
And 12 million is the number claimed. Only 1 million is shown.
Well, at least the FBI is not going to share your personal information with advertisers, or (opt-in) spam you to death trying to sell you something.

The FBI's mission is reasonably clear; it's a government-regulated organization; it's non-commercial. They have a certain amount of accountability. Alas, we can't say the same for "popular iOS developers". We've seen how sneaky some iOS app developers can be with respect to privacy, and with little remorse after they get caught.

lol

(and yeah, I know this is probably going to hammer my HN karma all the way to the bottom but...lol man)

>Is Apple willingly sharing personal information with the FBI through the NCFTA?

Define "willingly."

FBI: "Can we have this data? we can pay something" Apple: "Sure! In which format do you prefer to have it?"
It wouldn't be "willingly". But If Apple was presented with an order from a court, then yes, they'd have no choice. They could fight it; but they'd lose, depending on the reason. Frankly the only reason would be some terrorism angle.

But those types of actions are rare.

I would be surprised if you could get a court order to turn over details on 12 million users.
I wish that Apple, if indeed presented with a court order, would've gone the Twitter route and publicized that fact.
It's a no win situation for them. Hand the info over and you're on msnbc for giving it up, don't hand it over and you're on fox news for helping the terrorists...

Plus for certain kinds of investigations, it would go against the court order to go public. I don't want to defend apple here but this is an American law enforcement problem, I'm certain ms, google and others have provided info to the government that would anger many and there are probably a lot of companies that do it without a court order... Trying to be good citizens.

Why the hell was that info on a laptop?

That would depend on which court the order came from. If it was from the FISA court, for example, then publicizing it would send people to jail.

But again, if that were the case then it would be related to anti-terrorism efforts. Well I hope it would be. The FISA court exists for that reason (mostly).

I guess my paranoia depends on how much I trust the government :)

what kind of verification do you have that the file was pulled from an FBI computer?

could anonymous have hacked this information from Apple or a carrier themselves? what information is present that they didn't do that?

Are there any indication in the files that points towards a hack on apple or a carrier?
Good thing the announcement didn't say "A large monster from Mars radioed these in" - Imagine how upset you'd have been at NASA!!!!

A bit of a dick way of putting it, but there's no evidence the FBI is involved in this other than some words in an announcement that could be by anyone with an axe to grind.

I'm not sure why you're getting downvoted here, it's a valid point. There is nothing to prove this list came from the FBI, and I wouldn't put it above Antisec/Anonymous to get into a database of some popular iOS app, release the info, and then say it was from the FBI both to slag on the FBI and to stroke their e-peni^H^H^H^H^H^H^H ego.
Neither am I, but I suppose the humour was a little too barbed.
Couldn't an American request a FOIA for this to see what's the level of information gathering on iPhone users? Could EFF sue them for it or something to unveil more?
If there is indeed an ongoing investigation, FOIA would not apply (reasonably enough).
An ongoing investigation of 12 million people?
I have no idea. There are a lot of assumptions implicit in that question.

I'm just saying that you are unlikely to be successful in requesting more information for this file. Information that "could reasonably interfere" with law enforcement is exempt. Also, the FBI does not make it easy to request documents form them and, further, the turnaround on a request can be months or years.

A more likely source is neustar (a spinoff of Lockheed), who also has all that information and is actually in the intel business.
The National Cyber Forensics and Training Alliance in Pittsburgh is the office where the FBI Agent who posed as a member of the carding community worked when he helped take down Max Ray Vision, née Butler.
More:

http://www.fbi.gov/news/stories/2011/september/cyber_091611 “The exchange of strategic and threat intelligence is really the bread and butter of the NCFTA,” said Special Agent Eric Strom, who heads the FBI unit—the Cyber Initiative and Resource Fusion Unit (CIRFU)—assigned to the NCFTA. “The success of this effort at every level comes down to the free flow of information among our partners.”

Dan Larkin (the FBI Agent who setup NCFTA in 1997) http://www.linkedin.com/pub/dan-larkin/25/90/910

Note that he used to be with CIRFU. LIkely that he still is with the CIRFU. They share office space: http://www.itbusiness.ca/it/client/en/home/News.asp?id=51778... "Mularski works for a little-known FBI division called the Cyber Initiative and Resource Fusion Unit, run out of the National Cyber-Forensics & Training Alliance in Pittsburgh, Pennsylvania. The unit is different from a typical FBI field office. It works hand in hand with industry and takes the time to do the deep research required to penetrate the world of online crimina

Another important money quote:

    we trimmed out other personal data as, full names, cell     
    numbers, addresses, zipcodes, etc. not all devices have 
    the same amount of personal data linked. some devices
    contained lot of info.
So the release "just" contains UDID's and zip codes.
Actually, it appears to only be UDID's, APNS tokens, device name, and device type.
I have information this morning from source thats "in the know" that this is definitely a false-flag attack against the FBI.

Non-gov researchers I know also attribute this to a possible hacking of an iphone/ipad application backend DB before Apple put in the UUID storing restrictions to the IOS api.

I'm only bringing this to light because it is easy to fall for things you read on the Internet and get excited/theorize.

(comment deleted)
Wow, this is bad, and an excellent example of how the security machine (in this case FBI) can always be turned on itself. The methods required for FBI to "protect" citizens can be misused (or hacked) to do the opposite. A gun can always be turned around, etc.
This is troubling on so many levels. Why did an FBI agent have a document of user and device info on his desktop and the real question is why are the FBI tracking this information in the first place? Surely this is illegal.

By the way, I think AntiSec needs to hire someone to write their releases for them. I struggled at times to make sense of the almost gibberish in their rant-filled sentences and at times some of the things they were saying read like the paranoid ramblings of a crystal meth addict. It wasn't until the end where everything they were saying was put into perspective and I understood what they were talking about.

I was confused by the writing style as well. It seems to be almost intentional. I wonder if it's a way of avoiding any style or nuances that could be attributed to a single person. Almost like a cut and paste ransom note.
I wouldn't be surprised in the slightest. A lot of work has been done on adversarial stylometry recently, for precisely this reason.

ccc presentation: http://www.youtube.com/watch?v=-b0Ta9h62_E

EDIT: also as grumpysimon says, it's a proud tradition going back decades.

It's elite (or 1337 if you will). It's supposed to sound cool. All the underground computer groups have talked like that since the early warez/cracking/phreaking scene.
Are you sure they're not just really bad at writing?
A lot of the "scene" traditions and symbols has a lineage back to adolescent boys in the early 80's as that's when many of the influential groups exploded onto the scene, so even if they're emulating a traditional style, they're emulating one that arose out of kids who wrote badly who tried to sound cool.

(I've some really horrible examples to my credit too, but thankfully I don't think any of it has survived)

It struck me as well-written but highly in-jokey, and targeted at a very specific audience. If they were writing for the general reader, this would be terrible. But I took it as addressing other members of the hacker scene, hoping to prompt them into similar politically-focused action.
> Surely this is illegal.

So? Pretty sure torture and car bombing innocent women and children is also illegal.

http://en.wikipedia.org/wiki/1985_Beirut_car_bombing

We're talking about the FBI, not the CIA. You know, the same FBI that walked from Gitmo because detainee constitutional rights were being violated when they were being tortured.

I'd love to read the warrant that granted this disclosure. If one doesn't exist I'd love to hear Apple's reasoning for releasing a 12 million + user database to LE without being legally obliged to do so.

> We're talking about the FBI, not the CIA

They are both part of the government and the culture of 'laws for us vs laws for them (the regular people)' is present in both.

There's always one person in the comments section that leaves a comment that couldn't be any further disconnected from the discussion. As pointed out you're getting confused with the CIA, it even quite clearly says in the Wikipedia article you linked: "...a failed assassination attempt organized by the American CIA and British intelligence"

Lets not make this situation out to sound worse than it is. The FBI having access to 12 million UDID's and user information which apparently had holes in it anyway is nowhere near as bad as innocent civilians being killed and seriously injured. It's bad, but not that bad, calm down.

> you're getting confused with the CIA

No I am not. I was talking about the executive branch of the our government.

> Lets not make this situation out to sound worse than it is.

I was commenting on the assertion that this is 'illegal' and thus how could FBI possibly do this. And my response was that it seems illegality isn't exactly stopping anyone, be it FBI, CIA or other agency.

No need to go that far back - we can talk about the warrent-less wiretaps, or the pre-trial assassinations of US citizens.

...of course, the current administration insists that those are legal, but because they refuse to release a legal argument defending the practice, the best explanation they've given is 'Just trust us, okay?'. Not sure how that would hand up in a court of law.

While yes, it was generally poor, I got a kick out of the following:

"a monthly fee, forever until you die. That's the future; nothing is really yours. LAAS - Life As A Service."

Not too poignant. When was living ever free?
The point isn't that life meant never having to work. To make a stylized sketch of it: life, or identity, is increasingly made more legible to the State. Legibility of information is the backbone of state power(1), moreso than even violence or popular support. Legibility of identity is therefore granting the state more power over the individual, which further undermines human autonomy by making the ability to live dependent on remaining in the good graces of the State, by paying our dues and contenting ourselves within the all-encompassing social system that develops.

(1)For instance, the first recorded use of writing is not typically for poems or liturgy but for tax documentation for imperial states.

I didn't enjoy it for its poignancy; I was simply delighted by the phrase "Life as a Service".
I thought it was quite well written, also noticed the "Life as a Service" part. Maybe it only works on me because I thought about those things before, but it wouldn't be an effective propaganda piece.
(comment deleted)
One interesting thing I've found is that apparently 190 of those 1000001 people have named their devices "The Titanic", for that iTunes "The Titanic is syncing" pun. I'm curious if there's anything else interesting that might be found in this data.
I seem to see a disproportionate number of pro photographer accounts (grep for dot coms as device names) which might point to some commonality--some photo app? A quick search showed more female email addresses, but not sure if this is related to the source or if it is related to the likelihood of women using their email addresses as device names.
Actually, it’s more like 166:

    $ grep -c -i "titanic\'" iphonelist.txt 
    166
It’s only 190 if you include names like “Titanic’s iPad”, but those aren’t funny.
There are a few phones named 'Venice', presumably for the 'Venice is syncing' pun. My iPhone is named Venice for a different reason, but it's not in the list.
The fact that there is a column for APNS (Apple Push Notifications) suggests that this is a database dump from an iPhone app that supports push notifications. APNS tokens are generally tied to a specific app so it may be possible to figure out what app leaked their database.

The "NCFTA" seems to deal with identity theft. (Ironic)

APNS tokens are generally tied to a specific app so it may be possible to figure out what app leaked their database

This isn't true, APNS device tokens are shared among apps on a device. The only time a device will have more than one device token is if it's being used for development.

This isn't to say that Apple couldn't correlate the device tokens by looking for shared apps with active APNS entitlements.

I don't think so. The device token is even generated over the version of the app. Meaning: you get a new device token if the app version changes.
Putting a file of user data on a laptop is a fireable offense at at any reputable organization. Sad that the FBI is less careful about user data protection than consumer Internet companies.

    Putting a file of user data on a laptop is a fireable offense at at any reputable organization.
Correction, it's only a fireable offense if the employee of said reputable organization let's the file become compromised somehow, there's huge PR blow back, and the organization needs somebody's head on a platter in show of how serious they take the issue. Otherwise, m'eh.
Kinda odd isn't it. My organization issued me a laptop to store all the confidental financial data I work with.
One imagines it was bitlockered, and you were required to inform them the instant of a loss and hence possible data breach - where upon the company would have to pass the data on to any clients whose data might have been compromised (and the public body governing data security)
The laptop was compromised while running. We do not know whether the disc was encrypted or not.
If it was exploited through the JRE, then it doesn't really matter...
On the other hand the disk or better said the partition with sensitive data should decrypted (mounted) only when needed. I doubt he needed that data during the conference.
As an Australian I am intrigued by the following:

just a comment: we are still waiting for published news about the $ 2 billions worth loans Assad has taken from Russia, mentioned on the syrian mails and also about the transfer of money to austrian banks etc.... and also cocks... So, don't be lazy journos and look for them.

Any one have any additional info on that?

EDIT: Derp...thanks for the correction. I read too fast. Still intrigued if anyone knows anything more.

Austrian banks.
"Austrian, eh? <puts on australian accent> Let's put some shrimp on the barbie!"
Paul Hogan hammed up his Australian accent.

One of the best examples of a real Australian accent I've heard on American television is Dr. Chase [Jesse Spencer] from House, who is a real Australian and did not ham it up for an American audience. (Oddly though, the man who played his father in one episode had possibly the most embarrassingly bad fake Australian accent ever. Surprised Spencer didn't kick his arse during filming.)

You do not get real foreign accents on prime time American television, the viewers would be bemused and look for subtitles.

You get what Americans think are foreign accents, i.e. lightly accented. The one exception is that Brits playing bad guys are allowed to use camp, pantomime villain accents. Alan Rickman has made his fame and fortune from this, a shame as he is rather a good actor.

Hugh Grant sounds nothing like he does/did before that series started.

Haxxors, what can we lay people with no computationalizing skills do?
Get informed, and inform.

Then, one can hope, the government might actually be forced to engage in meaningful discussion about whether their ridiculously expensive and obviously damaging espionage programs make sense.

It's far more likely that this data was willingly shared by an application developer who was the victim of a crime the FBI is investigating.

Not everything is a government conspiracy.

"Get informed, and inform." Straight up manifesto material. Gratzi!

"...engage in meaningful discussion.." It's hard to engage in meaningful dialogue with people who are so entrenched in their own views (BIG$$,BIGOIL,BIGGOVV-types) but we shall continue!

One question... where are these people usually, where do they talk? IRC? Random server in the outback? Encrypted channels?
Refuse to give personal information and carry minimal personal information in devices and websites outside of one's control.

If they don't have it, it cannot leak.

Question: is it possible for a malicious hacker to use this information for anything? E.g. sending rogue push notifications to a user, or tracking down a user's additional personal information by knowing his/her device UDID or APNs token?

I sincerely hope both the U.S. government and Apple address this. I'd also be interested in hearing why Apple chose to have hardware coded unique ids for each device.

If a webservice tries to send a push notification to a device that has not registered for push notifications for the entitlement requesting the notification to be sent, the notification gets discarded. Remember, all notifications are to be pushed to Apple using a certificate generated on a per-app basis, who in turn pushes the message to devices.
I'm still somewhat unclear on the dangers involved with this leak (other than the likelihood of being tracked), but this link seems relevant: http://www.cultofmac.com/160248/what-the-hell-is-a-udid-and-...
Refresh my memory - aren't the device tokens for the Apple Push Notification Service application-specific? That suggests this data comes from a single application, not Apple. The patchy personal information columns also suggests that this is a single (somewhat grabby) application's data store - presumably Apple would have more comprehensive records.

My wild speculation, assuming what we're told is true - the application developer shared this information with the NCFTA, who in turn shared it with the FBI. (After all, that's what the NCFTA does.) The application developer may have shared this information because they wanted the FBI to investigate a 'cybercrime' of some sort against them - who knows what, in-app purchase fraud? That could explain why the data ended up on this FBI agent's desktop.

EDIT: I refreshed my own memory - APNS tokens are device-specific, not device+app specific. I still think this is a single application's data dump, if the statement about sparse personal info is true.

I doubt that they are a single app's data. Look at the repeat of certain Device names (try "Abo Mossa") and check their UDIDs - those UDIDs show an incremental pattern in their first 3 digits. This tells me: (a) those devices were bought in bulk and (b) those devices were never sold to one person - since the Device names were unchanged [assumption is that a regular customer cannot own so many devices]. I just don't see how one app (not pre-installed) could be on all the devices bought in bulk by one person and dump all its data to FBI.
you're right. the pattern is weird. and it shows up a lot (see Admin's iPad, Ahmed's iPhone etc...)

EDIT: unless... is it just a side effect of how the data was exported? Sorted on Username, then on UDID

Ya, the more I look at it, the more I think it's just secondary sorting on UDID

The UDID is a SHA1 of a few fields (including a couple MAC addresses): we actually know the exact algorithm; if you are seeing patterns in them it is either a trick your brain is playing on you or a trick the user is playing on you (some people modify their UDID occasionally to keep themselves from being tracked by apps).
How do you modify the UDID? Does it depend on the model?
At some point, the UDID is being processed by code, so you don't really need to permanently modify anything: you just edit the code that generates it and make that return something different. These kinds of changes are very simple using Substrate, the library we all use (that I developed) for changing code at runtime. For the UDID, the obvious candidates are "edit every app so [UIDrvice uniqueIdentifier] returns fake" and "edit lockdownd so it calculates the wrong value every time it is generated".
Apple could probably figure out if this data came from an app developer because I'd bet there's only exactly one app which every single one of those 1,000,001 devices downloaded.

Even if they threw in a few fake rows to mess up the data, they could find the app that has the highest percentage of downloads from that entire data set.

Another more likely possibility would be to identify people who are on the list and compare all their installed apps and search for a common denominator.
People delete apps though, you'd need their entire history to cross reference that. Not to mention false positives - how many people have the Twitter or Facebook app installed, for example?
You might still be able to find an app that has a much higher installation rate for users on the leaked list that for users who aren't. Of course, that wouldn't be a proof but merely a first step to narrow the possibilities.
And if the data came from Apple?

I can't think of any apps that take a full address. Perhaps there are some, I just don't know them.

Apple could have been compelled to release this data to the FBI. Unfortunately, we're unlikely to ever know this and Apple are equally unlikely to want to shed light on it.

If the claim is true, that the source data included full postal address, then I find it hard to identify a better source for all of that than Apple themselves. And that the data was brought together from various systems, and that we're glimpsing data that was shared between Apple and the FBI.

Not to say that there's anything illegal about that, more that the laws that allow that are a bit screwed but that's another issue altogether.

A reasonable assumption, besides Apple, is Facebook. With all the information these services have the easiest part may be to acquire your home address.
interestingly enough, top ten ios devices names:

  42797 'iPhone'    
  5191 'iPod touch'
  3136 '“Administrator”的 iPad'
  2202 '“Administrator”的 iPhone'
  1534 'Owner’s iPad'
  1453 ' iPhone'
  1309 'Administrator’s iPad'
  1196 'Administrator’s iPhone'
  1141 'PdaTX.Net'
  1058 'John’s iPad'
If you look at the UDID's for the '“Administrator”的 iPad's or '“Administrator”的 iPhone's, there seems to be an incremental pattern in their first 2-3 digits. Does that mean these devices were purchased/ordered in bulk and hence belong to some reseller? In which case, these must not have been sold to people and thus we don't see change in the Device names maybe? And thus the claim that this came from one or two apps seems a bit infeasible, no?
maybe an enterprise location or school that bought in bulk?
Wouldn't the devices' names still be changed when individual members of the enterprise/school activated them?
Devices being used in a kiosk-like or other setting in which they are mostly not being used by people who would be responsible for activating them?
I replied elsewhere. Isn't it possible this is just a side-effect of how the data was exported?

Primary sort is by username. Secondary sort is by UDID.

The Chinese character "的" is being used here as a possessive; it just means that the iPad belongs to the "Administrator", which is the default account name for many Windows XP computers [1]. Because iTunes activates iPods, iPhones, and iPads under the current user account name, and because the default user account names in many XP installations is "Administrator", there are a plethora of devices with the same name: '“Administrator”的 iPad'.

So, the only significance of this name is that there are quite a few Chinese Apple devices in this sample. Perhaps they are over-represented in the whole dataset; it's hard to say without having the breakdown of Apple devices sold by country, as well as the entire dataset.

1. http://www.mydigitallife.info/unhide-the-administrator-accou...

The UDID is a SHA1 of a few fields (including a couple MAC addresses): we actually know the exact algorithm; if you are seeing patterns in them it is either a trick your brain is playing on you or a trick the user is playing on you (some people modify their UDID occasionally to keep themselves from being tracked by apps).
Looks like they've got Obama's iPad:

thea:Downloads admin$ cat ./iphonelist.txt | grep -i obama '473d6e1ebf0b100ed172ce5f69c97ba6c8f12ad5','766a23201c6089be11845bfef624dbaada68be52155079850951836e9373e5cd','hobamain','iPad' 'c63e008e6271c3ac128eb6a242a9817528b6baef','b996a080e11265a0c93436ba0b13b7c07ee4e8eef6faeb8516917b015d7355fb','Obama','iPad'

Openfeint shows that 'Obama' last played 'Fishing Fun 2'

    curl 'https://api.openfeint.com/users/for_device.xml?udid=c63e008e6271c3ac128eb6a242a9817528b6baef

    <?xml version="1.0" encoding="UTF-8"?>
    <resources>
    <user>
    <chat_enabled>true</chat_enabled>
    <gamer_score>160</gamer_score>
    <id>1479631313</id>
    <last_played_game_id>165632</last_played_game_id>
    <last_played_game_name>Fishing Fun 2</last_played_game_name>
    <online>false</online>
    <profile_picture_source nil="true"></profile_picture_source>
    <profile_picture_updated_at nil="true"></profile_picture_updated_at>
    <profile_picture_url nil="true"></profile_picture_url>
    <status nil="true"></status>
    <uploaded_profile_picture_content_type nil="true"></uploaded_profile_picture_content_type>
    <uploaded_profile_picture_file_name nil="true"></uploaded_profile_picture_file_name>
    <uploaded_profile_picture_file_size nil="true"></uploaded_profile_picture_file_size>
    <uploaded_profile_picture_updated_at nil="true"></uploaded_profile_picture_updated_at>
    <name>Player 1479631313</name>
    </user>
    </resources>
Seriously? Personal info about the President was leaked? Not that this particular instance looks like a big deal. Doesn't the NSA secure the President's communication? That must be carrer-impacting-embarrassing for someone.
Personal information about someone who had their device name set to "Obama". Let's not get all crazy now.
Yeah, pretty sure Mr. President's device would probably be called "Barack's iDevice", grepping for that, now that'd be something.
$ cat iphonelist.txt | grep c63e008e6271c3ac128eb6a242a9817528b6baef 'c63e008e6271c3ac128eb6a242a9817528b6baef','b996a080e11265a0c93436ba0b13b7c07ee4e8eef6faeb8516917b015d7355fb','“Administrator”的 iPad','iPad' 'c63e008e6271c3ac128eb6a242a9817528b6baef','b996a080e11265a0c93436ba0b13b7c07ee4e8eef6faeb8516917b015d7355fb','Obama','iPad'

Looks legit...

You do know that there are other people in world with the name Obama, right?

I know for a fact, the NSA protects all communications from the president (and most of the top level folk in his administration). If this turns out to really be the president (which I doubt) it would be a MAJOR breech.

For a fact? How so?
They had news articles about protecting his phone back when he was elected.
It was an issue widely covered in the press, or at least widely covered enough that I remember people joking about it in monologues. Obama wanted to keep his blackberry and other gadgets in opposition to what the Secret Service wanted. They finally compromised with security-enhanced versions of the devices such as his so-called "Blackberry One" a pun off of Air Force One.

Though I didn't hear anything about securing it when he got an iPad, I did see photos in the news of him carrying one. I would assume it would be equally vetted and locked down.

I'd have to kill ya if I told you. :)

No I'm kidding of course. Obviously, I did work in that area, ages ago.

And it's been like this for a long time, by the way. Even back in ancient times when we all used dials.

The president lives in the ultimate bubble. Nothing gets in or out without being vetted.

Is the address the white house?
This is huge. I've been fearing this kind of leak for a long time. If you're unsure why this is huge, here are some posts of mine on this issue showing de-anonymization, complete takeover of social media accounts, and more:

De-anonymizing UDIDs with OpenFeint: http://corte.si/posts/security/openfeint-udid-deanonymizatio...

A survey of how UDIDs are used: http://corte.si/posts/security/apple-udid-survey/index.html

Why the Apple UDID had to die: http://corte.si/posts/security/udid-must-die/index.html

I've often been asked what I thought the worst-case scenario is regarding the mis-management of UDIDs. My answer has always been that a large UDID database leaking would be a privacy catastrophe...

so, any of you iOS guys find your device? it'd be interesting to know what apps you have in common (if any)
(comment deleted)
If you look at line #'s 3741 through 3845, you will see they all (105) belong to one Abo Mossa. Is Abo Mossa some kind of an iPhone/iPad reseller or is there something else going on?
He probably is using a tool that spoofs his UDID... a lot. ;P
What's an easy way to figure out the UDID of a device (without hooking it up to a Mac to sync)?
there's a bunch of UDID apps (free) that you can download from the App Store.
Don't iOS apps have the permission to use the internet without any hassle? In that case, I would assume by using such app, chances are, you are contributing to another entity's UDID collection.
If in doubt, download and turn flight mode on before running, then uninstall?
Files in ~/Library/Application Support/MobileSync/Backup/ are named by UDID.
His delivery is painful to listen to.
Not everyone is a polished orator.
Practice in front of a mirror or video camera a few times. Write some notes. It's not too hard to get competent, even if you can't become phenomenal.