Also, what's the point of releasing password protected files to public? I mean, they give you the password thus kind of making the whole password thing a moot point.
So download it, decrypt it, and pick a different password. Takes a couple minutes, tops. And if your 'release' gets more attention than the original, how does the original prove that's what happened, or even get heard?
This is the stated reason for the release - to have people ask why an agent has 12m UDID numbers on his laptop. They released 1m out of the 12m UDIDs so that they can guarantee a statistical sample that can be verified, while preserving a bit of privacy.
Along with the UDIDs were other columns with an assortment of personal data, although there were a lot of holes.
It might be a gigabyte if there were about 90 characters per line 1 or 2 gigabytes tops? "on the order of gigabytes" is a rather pretentious way of saying that.
The filename refers to NCFTA, which might seem in context to be http://www.ncfta.net — perhaps some bit of intel that's widely-traded in NCFTA circles for various uses? I mean, hey, pretty useful if you're tracking down pretty much anything in which an Apple device is used, right?
Money quote for the people that don't want to wade through ten pages of rant:
During the second week of March 2012, a Dell Vostro notebook, used by
Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action
Team and New York FBI Office Evidence Response Team was breached using the
AtomicReferenceArray vulnerability on Java, during the shell session some files
were downloaded from his Desktop folder one of them with the name of
"NCFTA_iOS_devices_intel.csv" turned to be a list of 12,367,232 Apple iOS
devices including Unique Device Identifiers (UDID), user names, name of device,
type of device, Apple Push Notification Service tokens, zipcodes, cellphone
numbers, addresses, etc.
Sure - me. Both my iOS devices are on this list - confirmed both by name and UDID match.
However, I renamed my iPad around last November after I started using it more in public, yet its original name (easy to find if you search for my HN nick) is the name listed.
EDIT: Oh, and fwiw, law-abiding natural born US citizen here. But who am I kidding - LEAs don't give a toss about that.
This is very disturbing. How did the FBI gain access to all this information? It should be locked up in Apple.
From what I see, the NCFTA in "NCFTA_iOS_devices_intel.csv" looks like it stands for the National Cyber-Forensics & Training Alliance, which "functions as a conduit between private industry and law enforcement." (http://www.ncfta.net/)
Is Apple willingly sharing personal information with the FBI through the NCFTA?
Doesn't a popular iOS developer have the same information?
UDIDs, APNS tokens (for push notifications), basic demographic information is something a popular social app or game might have. 12 million is a pretty good number, though.
edit: our iOS app has over 2 million of these type of device records (though we don't collect any demographic info, so just device ids, apns tokens, device names, device types -- standard for push notifications).
So Marco Arment could go all CSI for us and let us know whether the sample corresponds to info he retained and which would have been on the server at the time.
I've been using Instapaper since pretty much the first day, and my information is not in the file. Not to say they don't have it, but, it's not in that file, FWIW.
According to one report [1], only 1 million of about 12 million stored records were released by AntiSec, so the absence of your record is not conclusive.
I couldn't even guess the episode, but Marco has stated on is 5by5 podcast that he doesn't collect user information and only dips into user information grudgingly. I'd be surprised if this came from him as according to his statements he finds holding any user information that could be described as private unpleasant.
This is all based on recollection however.
Still cant find the podcast, but here is what Marco says the FBI tool, quoted from the Instapaper blog about a year ago:
>>The server was used as a MySQL replication slave, handling read-only queries to speed up the site. Instapaper suffered no downtime as a result of its theft and no data has been lost.<<
Further down:
>>Possibly most importantly, though, the FBI is now presumably in possession of a complete copy of the Instapaper database as it stood on Tuesday morning, including the complete list of users and any non-deleted bookmarks. (“Archived” bookmarks are not deleted. “Deleted” bookmarks are hard-deleted out of the database immediately.)
Instapaper stores only salted SHA-1 hashes of passwords, so those are relatively safe. But email addresses are stored in the clear, as is the saved content of each bookmark saved by the bookmarklet.
The server also contained a complete copy of the Instapaper website codebase, but not the codebase of the iOS app.
Linked Facebook, Twitter, or Tumblr accounts only store their respective OAuth keys. Linked Evernote accounts only store the Evernote email-in address. Linked Pinboard accounts, however, store plaintext usernames and encrypted passwords, and the encryption keys are present in the website source code on the server. <<
So "FBI theft" should be a new failure mode to defend against in web applications, right after SQLi and XSS? I'm handling this by not having any servers in the USA, hopefully GB is safe.
Yeah, this gives a whole new meaning to having live backups/redundancy. I guess this is an advantage of hosting on EC2 since there would be difficult for the FBI to seize the physical server.
Absolutely, that wasn't my point. Since the FBI could do that, you are unlikely to get your server seized from an unrelated raid. Still, a crappy situation.
You are right. I misread the announcement. That still leaves the issue of the personal data, but as I said: app developers could acquire that directly from the user.
Possibly, the fact that personal data is missing so often actually might point to a non-apple leak, because they would have the link to personal data. Of course it could be fake, but it would be prsesent.
I imagine it wouldn't be that difficult to extrapolate this information from your address book: I keep my own name, phone number, address, etc. all in there, and you can probably figure out which record is mine.
Well, at least the FBI is not going to share your personal information with advertisers, or (opt-in) spam you to death trying to sell you something.
The FBI's mission is reasonably clear; it's a government-regulated organization; it's non-commercial. They have a certain amount of accountability. Alas, we can't say the same for "popular iOS developers". We've seen how sneaky some iOS app developers can be with respect to privacy, and with little remorse after they get caught.
It wouldn't be "willingly". But If Apple was presented with an order from a court, then yes, they'd have no choice. They could fight it; but they'd lose, depending on the reason. Frankly the only reason would be some terrorism angle.
It's a no win situation for them. Hand the info over and you're on msnbc for giving it up, don't hand it over and you're on fox news for helping the terrorists...
Plus for certain kinds of investigations, it would go against the court order to go public. I don't want to defend apple here but this is an American law enforcement problem, I'm certain ms, google and others have provided info to the government that would anger many and there are probably a lot of companies that do it without a court order... Trying to be good citizens.
That would depend on which court the order came from. If it was from the FISA court, for example, then publicizing it would send people to jail.
But again, if that were the case then it would be related to anti-terrorism efforts. Well I hope it would be. The FISA court exists for that reason (mostly).
I guess my paranoia depends on how much I trust the government :)
Good thing the announcement didn't say "A large monster from Mars radioed these in" - Imagine how upset you'd have been at NASA!!!!
A bit of a dick way of putting it, but there's no evidence the FBI is involved in this other than some words in an announcement that could be by anyone with an axe to grind.
I'm not sure why you're getting downvoted here, it's a valid point. There is nothing to prove this list came from the FBI, and I wouldn't put it above Antisec/Anonymous to get into a database of some popular iOS app, release the info, and then say it was from the FBI both to slag on the FBI and to stroke their e-peni^H^H^H^H^H^H^H ego.
Couldn't an American request a FOIA for this to see what's the level of information gathering on iPhone users? Could EFF sue them for it or something to unveil more?
I have no idea. There are a lot of assumptions implicit in that question.
I'm just saying that you are unlikely to be successful in requesting more information for this file. Information that "could reasonably interfere" with law enforcement is exempt. Also, the FBI does not make it easy to request documents form them and, further, the turnaround on a request can be months or years.
The National Cyber Forensics and Training Alliance in Pittsburgh is the office where the FBI Agent who posed as a member of the carding community worked when he helped take down Max Ray Vision, née Butler.
http://www.fbi.gov/news/stories/2011/september/cyber_091611
“The exchange of strategic and threat intelligence is really the bread and butter of the NCFTA,” said Special Agent Eric Strom, who heads the FBI unit—the Cyber Initiative and Resource Fusion Unit (CIRFU)—assigned to the NCFTA. “The success of this effort at every level comes down to the free flow of information among our partners.”
Note that he used to be with CIRFU. LIkely that he still is with the CIRFU. They share office space:
http://www.itbusiness.ca/it/client/en/home/News.asp?id=51778...
"Mularski works for a little-known FBI division called the Cyber Initiative and Resource Fusion Unit, run out of the National Cyber-Forensics & Training Alliance in Pittsburgh, Pennsylvania. The unit is different from a typical FBI field office. It works hand in hand with industry and takes the time to do the deep research required to penetrate the world of online crimina
we trimmed out other personal data as, full names, cell
numbers, addresses, zipcodes, etc. not all devices have
the same amount of personal data linked. some devices
contained lot of info.
So the release "just" contains UDID's and zip codes.
I have information this morning from source thats "in the know" that this is definitely a false-flag attack against the FBI.
Non-gov researchers I know also attribute this to a possible hacking of an iphone/ipad application backend DB before Apple put in the UUID storing restrictions to the IOS api.
I'm only bringing this to light because it is easy to fall for things you read on the Internet and get excited/theorize.
Wow, this is bad, and an excellent example of how the security machine (in this case FBI) can always be turned on itself. The methods required for FBI to "protect" citizens can be misused (or hacked) to do the opposite. A gun can always be turned around, etc.
This is troubling on so many levels. Why did an FBI agent have a document of user and device info on his desktop and the real question is why are the FBI tracking this information in the first place? Surely this is illegal.
By the way, I think AntiSec needs to hire someone to write their releases for them. I struggled at times to make sense of the almost gibberish in their rant-filled sentences and at times some of the things they were saying read like the paranoid ramblings of a crystal meth addict. It wasn't until the end where everything they were saying was put into perspective and I understood what they were talking about.
I was confused by the writing style as well. It seems to be almost intentional. I wonder if it's a way of avoiding any style or nuances that could be attributed to a single person. Almost like a cut and paste ransom note.
It's elite (or 1337 if you will). It's supposed to sound cool. All the underground computer groups have talked like that since the early warez/cracking/phreaking scene.
A lot of the "scene" traditions and symbols has a lineage back to adolescent boys in the early 80's as that's when many of the influential groups exploded onto the scene, so even if they're emulating a traditional style, they're emulating one that arose out of kids who wrote badly who tried to sound cool.
(I've some really horrible examples to my credit too, but thankfully I don't think any of it has survived)
It struck me as well-written but highly in-jokey, and targeted at a very specific audience. If they were writing for the general reader, this would be terrible. But I took it as addressing other members of the hacker scene, hoping to prompt them into similar politically-focused action.
We're talking about the FBI, not the CIA. You know, the same FBI that walked from Gitmo because detainee constitutional rights were being violated when they were being tortured.
I'd love to read the warrant that granted this disclosure. If one doesn't exist I'd love to hear Apple's reasoning for releasing a 12 million + user database to LE without being legally obliged to do so.
There's always one person in the comments section that leaves a comment that couldn't be any further disconnected from the discussion. As pointed out you're getting confused with the CIA, it even quite clearly says in the Wikipedia article you linked: "...a failed assassination attempt organized by the American CIA and British intelligence"
Lets not make this situation out to sound worse than it is. The FBI having access to 12 million UDID's and user information which apparently had holes in it anyway is nowhere near as bad as innocent civilians being killed and seriously injured. It's bad, but not that bad, calm down.
No I am not. I was talking about the executive branch of the our government.
> Lets not make this situation out to sound worse than it is.
I was commenting on the assertion that this is 'illegal' and thus how could FBI possibly do this. And my response was that it seems illegality isn't exactly stopping anyone, be it FBI, CIA or other agency.
No need to go that far back - we can talk about the warrent-less wiretaps, or the pre-trial assassinations of US citizens.
...of course, the current administration insists that those are legal, but because they refuse to release a legal argument defending the practice, the best explanation they've given is 'Just trust us, okay?'. Not sure how that would hand up in a court of law.
The point isn't that life meant never having to work. To make a stylized sketch of it: life, or identity, is increasingly made more legible to the State. Legibility of information is the backbone of state power(1), moreso than even violence or popular support. Legibility of identity is therefore granting the state more power over the individual, which further undermines human autonomy by making the ability to live dependent on remaining in the good graces of the State, by paying our dues and contenting ourselves within the all-encompassing social system that develops.
(1)For instance, the first recorded use of writing is not typically for poems or liturgy but for tax documentation for imperial states.
I thought it was quite well written, also noticed the "Life as a Service" part. Maybe it only works on me because I thought about those things before, but it wouldn't be an effective propaganda piece.
One interesting thing I've found is that apparently 190 of those 1000001 people have named their devices "The Titanic", for that iTunes "The Titanic is syncing" pun. I'm curious if there's anything else interesting that might be found in this data.
I seem to see a disproportionate number of pro photographer accounts (grep for dot coms as device names) which might point to some commonality--some photo app? A quick search showed more female email addresses, but not sure if this is related to the source or if it is related to the likelihood of women using their email addresses as device names.
There are a few phones named 'Venice', presumably for the 'Venice is syncing' pun. My iPhone is named Venice for a different reason, but it's not in the list.
The fact that there is a column for APNS (Apple Push Notifications) suggests that this is a database dump from an iPhone app that supports push notifications. APNS tokens are generally tied to a specific app so it may be possible to figure out what app leaked their database.
The "NCFTA" seems to deal with identity theft. (Ironic)
APNS tokens are generally tied to a specific app so it may be possible to figure out what app leaked their database
This isn't true, APNS device tokens are shared among apps on a device. The only time a device will have more than one device token is if it's being used for development.
This isn't to say that Apple couldn't correlate the device tokens by looking for shared apps with active APNS entitlements.
No: the APNS token is only changed if you get a new device (as it is tied to your device's certificate) or restore your phone (and not restore a backup: if you restore a backup it restores the token).
Putting a file of user data on a laptop is a fireable offense at at any reputable organization. Sad that the FBI is less careful about user data protection than consumer Internet companies.
Putting a file of user data on a laptop is a fireable offense at at any reputable organization.
Correction, it's only a fireable offense if the employee of said reputable organization let's the file become compromised somehow, there's huge PR blow back, and the organization needs somebody's head on a platter in show of how serious they take the issue. Otherwise, m'eh.
One imagines it was bitlockered, and you were required to inform them the instant of a loss and hence possible data breach - where upon the company would have to pass the data on to any clients whose data might have been compromised (and the public body governing data security)
On the other hand the disk or better said the partition with sensitive data should decrypted (mounted) only when needed. I doubt he needed that data during the conference.
just a comment: we are still waiting for published news about the
$ 2 billions worth loans Assad has taken from Russia,
mentioned on the syrian mails
and also about the transfer of money to austrian banks etc....
and also cocks...
So, don't be lazy journos and look for them.
Any one have any additional info on that?
EDIT: Derp...thanks for the correction. I read too fast. Still intrigued if anyone knows anything more.
One of the best examples of a real Australian accent I've heard on American television is Dr. Chase [Jesse Spencer] from House, who is a real Australian and did not ham it up for an American audience. (Oddly though, the man who played his father in one episode had possibly the most embarrassingly bad fake Australian accent ever. Surprised Spencer didn't kick his arse during filming.)
You do not get real foreign accents on prime time American television, the viewers would be bemused and look for subtitles.
You get what Americans think are foreign accents, i.e. lightly accented. The one exception is that Brits playing bad guys are allowed to use camp, pantomime villain accents. Alan Rickman has made his fame and fortune from this, a shame as he is rather a good actor.
Hugh Grant sounds nothing like he does/did before that series started.
Then, one can hope, the government might actually be forced to engage in meaningful discussion about whether their ridiculously expensive and obviously damaging espionage programs make sense.
"Get informed, and inform."
Straight up manifesto material.
Gratzi!
"...engage in meaningful discussion.."
It's hard to engage in meaningful dialogue with people who are so entrenched in their own views (BIG$$,BIGOIL,BIGGOVV-types) but we shall continue!
Question: is it possible for a malicious hacker to use this information for anything? E.g. sending rogue push notifications to a user, or tracking down a user's additional personal information by knowing his/her device UDID or APNs token?
I sincerely hope both the U.S. government and Apple address this. I'd also be interested in hearing why Apple chose to have hardware coded unique ids for each device.
If a webservice tries to send a push notification to a device that has not registered for push notifications for the entitlement requesting the notification to be sent, the notification gets discarded. Remember, all notifications are to be pushed to Apple using a certificate generated on a per-app basis, who in turn pushes the message to devices.
Yep... well, based on this, I was able to fill in a UDID from the file and pull back an openfeint result. It didn't pull any sensitive information, but it worked. so seems to be real udids.
Refresh my memory - aren't the device tokens for the Apple Push Notification Service application-specific? That suggests this data comes from a single application, not Apple. The patchy personal information columns also suggests that this is a single (somewhat grabby) application's data store - presumably Apple would have more comprehensive records.
My wild speculation, assuming what we're told is true - the application developer shared this information with the NCFTA, who in turn shared it with the FBI. (After all, that's what the NCFTA does.) The application developer may have shared this information because they wanted the FBI to investigate a 'cybercrime' of some sort against them - who knows what, in-app purchase fraud? That could explain why the data ended up on this FBI agent's desktop.
EDIT: I refreshed my own memory - APNS tokens are device-specific, not device+app specific. I still think this is a single application's data dump, if the statement about sparse personal info is true.
I doubt that they are a single app's data. Look at the repeat of certain Device names (try "Abo Mossa") and check their UDIDs - those UDIDs show an incremental pattern in their first 3 digits. This tells me: (a) those devices were bought in bulk and (b) those devices were never sold to one person - since the Device names were unchanged [assumption is that a regular customer cannot own so many devices]. I just don't see how one app (not pre-installed) could be on all the devices bought in bulk by one person and dump all its data to FBI.
The UDID is a SHA1 of a few fields (including a couple MAC addresses): we actually know the exact algorithm; if you are seeing patterns in them it is either a trick your brain is playing on you or a trick the user is playing on you (some people modify their UDID occasionally to keep themselves from being tracked by apps).
At some point, the UDID is being processed by code, so you don't really need to permanently modify anything: you just edit the code that generates it and make that return something different. These kinds of changes are very simple using Substrate, the library we all use (that I developed) for changing code at runtime. For the UDID, the obvious candidates are "edit every app so [UIDrvice uniqueIdentifier] returns fake" and "edit lockdownd so it calculates the wrong value every time it is generated".
Apple could probably figure out if this data came from an app developer because I'd bet there's only exactly one app which every single one of those 1,000,001 devices downloaded.
Even if they threw in a few fake rows to mess up the data, they could find the app that has the highest percentage of downloads from that entire data set.
Another more likely possibility would be to identify people who are on the list and compare all their installed apps and search for a common denominator.
People delete apps though, you'd need their entire history to cross reference that. Not to mention false positives - how many people have the Twitter or Facebook app installed, for example?
You might still be able to find an app that has a much higher installation rate for users on the leaked list that for users who aren't.
Of course, that wouldn't be a proof but merely a first step to narrow the possibilities.
I can't think of any apps that take a full address. Perhaps there are some, I just don't know them.
Apple could have been compelled to release this data to the FBI. Unfortunately, we're unlikely to ever know this and Apple are equally unlikely to want to shed light on it.
If the claim is true, that the source data included full postal address, then I find it hard to identify a better source for all of that than Apple themselves. And that the data was brought together from various systems, and that we're glimpsing data that was shared between Apple and the FBI.
Not to say that there's anything illegal about that, more that the laws that allow that are a bit screwed but that's another issue altogether.
A reasonable assumption, besides Apple, is Facebook. With all the information these services have the easiest part may be to acquire your home address.
If you look at the UDID's for the '“Administrator”的 iPad's or '“Administrator”的 iPhone's, there seems to be an incremental pattern in their first 2-3 digits. Does that mean these devices were purchased/ordered in bulk and hence belong to some reseller? In which case, these must not have been sold to people and thus we don't see change in the Device names maybe? And thus the claim that this came from one or two apps seems a bit infeasible, no?
The Chinese character "的" is being used here as a possessive; it just means that the iPad belongs to the "Administrator", which is the default account name for many Windows XP computers [1]. Because iTunes activates iPods, iPhones, and iPads under the current user account name, and because the default user account names in many XP installations is "Administrator", there are a plethora of devices with the same name: '“Administrator”的 iPad'.
So, the only significance of this name is that there are quite a few Chinese Apple devices in this sample. Perhaps they are over-represented in the whole dataset; it's hard to say without having the breakdown of Apple devices sold by country, as well as the entire dataset.
The UDID is a SHA1 of a few fields (including a couple MAC addresses): we actually know the exact algorithm; if you are seeing patterns in them it is either a trick your brain is playing on you or a trick the user is playing on you (some people modify their UDID occasionally to keep themselves from being tracked by apps).
Seriously? Personal info about the President was leaked? Not that this particular instance looks like a big deal. Doesn't the NSA secure the President's communication? That must be carrer-impacting-embarrassing for someone.
You do know that there are other people in world with the name Obama, right?
I know for a fact, the NSA protects all communications from the president (and most of the top level folk in his administration). If this turns out to really be the president (which I doubt) it would be a MAJOR breech.
It was an issue widely covered in the press, or at least widely covered enough that I remember people joking about it in monologues. Obama wanted to keep his blackberry and other gadgets in opposition to what the Secret Service wanted. They finally compromised with security-enhanced versions of the devices such as his so-called "Blackberry One" a pun off of Air Force One.
Though I didn't hear anything about securing it when he got an iPad, I did see photos in the news of him carrying one. I would assume it would be equally vetted and locked down.
This is huge. I've been fearing this kind of leak for a long time. If you're unsure why this is huge, here are some posts of mine on this issue showing de-anonymization, complete takeover of social media accounts, and more:
I've often been asked what I thought the worst-case scenario is regarding the mis-management of UDIDs. My answer has always been that a large UDID database leaking would be a privacy catastrophe...
If you look at line #'s 3741 through 3845, you will see they all (105) belong to one Abo Mossa. Is Abo Mossa some kind of an iPhone/iPad reseller or is there something else going on?
Don't iOS apps have the permission to use the internet without any hassle? In that case, I would assume by using such app, chances are, you are contributing to another entity's UDID collection.
278 comments
[ 3.2 ms ] story [ 305 ms ] threadhttp://freakshare.com/files/6gw0653b/Rxdzz.txt.html http://u32.extabit.com/go/28du69vxbo4ix/?upld=1 http://d01.megashares.com/dl/22GofmH/Rxdzz.txt http://minus.com/l3Q9eDctVSXW3 https://minus.com/mFEx56uOa http://uploadany.com/?d=50452CCA1 http://www.ziddu.com/download/20266246/Rxdzz.txt.html http://www.sendmyway.com/2bmtivv6vhub/Rxdzz.txt.html
It also causes all the data to be released atomically even if it took a while to upload to all the places.
I don't see what would stop you from stating the password to a file you didn't upload.
Along with the UDIDs were other columns with an assortment of personal data, although there were a lot of holes.
Not sure how many bytes per entry, but it would be of the order of gigabytes.
http://www.forbes.com/sites/kashmirhill/2012/04/26/the-fbi-w...
And is there some way to validate these are real UDIDs?
However, I renamed my iPad around last November after I started using it more in public, yet its original name (easy to find if you search for my HN nick) is the name listed.
EDIT: Oh, and fwiw, law-abiding natural born US citizen here. But who am I kidding - LEAs don't give a toss about that.
From what I see, the NCFTA in "NCFTA_iOS_devices_intel.csv" looks like it stands for the National Cyber-Forensics & Training Alliance, which "functions as a conduit between private industry and law enforcement." (http://www.ncfta.net/)
Is Apple willingly sharing personal information with the FBI through the NCFTA?
UDIDs, APNS tokens (for push notifications), basic demographic information is something a popular social app or game might have. 12 million is a pretty good number, though.
edit: our iOS app has over 2 million of these type of device records (though we don't collect any demographic info, so just device ids, apns tokens, device names, device types -- standard for push notifications).
http://developer.apple.com/library/mac/#documentation/Networ...
Just because I am ok with one organization having my information doesn't mean that I am ok with any others having the same.
1: http://thenextweb.com/2012/09/04/antisec-hackers-leak-100000...
Further down:
>>Possibly most importantly, though, the FBI is now presumably in possession of a complete copy of the Instapaper database as it stood on Tuesday morning, including the complete list of users and any non-deleted bookmarks. (“Archived” bookmarks are not deleted. “Deleted” bookmarks are hard-deleted out of the database immediately.)
Instapaper stores only salted SHA-1 hashes of passwords, so those are relatively safe. But email addresses are stored in the clear, as is the saved content of each bookmark saved by the bookmarklet.
The server also contained a complete copy of the Instapaper website codebase, but not the codebase of the iOS app.
Linked Facebook, Twitter, or Tumblr accounts only store their respective OAuth keys. Linked Evernote accounts only store the Evernote email-in address. Linked Pinboard accounts, however, store plaintext usernames and encrypted passwords, and the encryption keys are present in the website source code on the server. <<
Possibly, the fact that personal data is missing so often actually might point to a non-apple leak, because they would have the link to personal data. Of course it could be fake, but it would be prsesent.
The FBI's mission is reasonably clear; it's a government-regulated organization; it's non-commercial. They have a certain amount of accountability. Alas, we can't say the same for "popular iOS developers". We've seen how sneaky some iOS app developers can be with respect to privacy, and with little remorse after they get caught.
(and yeah, I know this is probably going to hammer my HN karma all the way to the bottom but...lol man)
Define "willingly."
But those types of actions are rare.
Plus for certain kinds of investigations, it would go against the court order to go public. I don't want to defend apple here but this is an American law enforcement problem, I'm certain ms, google and others have provided info to the government that would anger many and there are probably a lot of companies that do it without a court order... Trying to be good citizens.
Why the hell was that info on a laptop?
But again, if that were the case then it would be related to anti-terrorism efforts. Well I hope it would be. The FISA court exists for that reason (mostly).
I guess my paranoia depends on how much I trust the government :)
could anonymous have hacked this information from Apple or a carrier themselves? what information is present that they didn't do that?
A bit of a dick way of putting it, but there's no evidence the FBI is involved in this other than some words in an announcement that could be by anyone with an axe to grind.
I'm just saying that you are unlikely to be successful in requesting more information for this file. Information that "could reasonably interfere" with law enforcement is exempt. Also, the FBI does not make it easy to request documents form them and, further, the turnaround on a request can be months or years.
http://www.fbi.gov/news/stories/2011/september/cyber_091611 “The exchange of strategic and threat intelligence is really the bread and butter of the NCFTA,” said Special Agent Eric Strom, who heads the FBI unit—the Cyber Initiative and Resource Fusion Unit (CIRFU)—assigned to the NCFTA. “The success of this effort at every level comes down to the free flow of information among our partners.”
Dan Larkin (the FBI Agent who setup NCFTA in 1997) http://www.linkedin.com/pub/dan-larkin/25/90/910
Note that he used to be with CIRFU. LIkely that he still is with the CIRFU. They share office space: http://www.itbusiness.ca/it/client/en/home/News.asp?id=51778... "Mularski works for a little-known FBI division called the Cyber Initiative and Resource Fusion Unit, run out of the National Cyber-Forensics & Training Alliance in Pittsburgh, Pennsylvania. The unit is different from a typical FBI field office. It works hand in hand with industry and takes the time to do the deep research required to penetrate the world of online crimina
Non-gov researchers I know also attribute this to a possible hacking of an iphone/ipad application backend DB before Apple put in the UUID storing restrictions to the IOS api.
I'm only bringing this to light because it is easy to fall for things you read on the Internet and get excited/theorize.
By the way, I think AntiSec needs to hire someone to write their releases for them. I struggled at times to make sense of the almost gibberish in their rant-filled sentences and at times some of the things they were saying read like the paranoid ramblings of a crystal meth addict. It wasn't until the end where everything they were saying was put into perspective and I understood what they were talking about.
ccc presentation: http://www.youtube.com/watch?v=-b0Ta9h62_E
EDIT: also as grumpysimon says, it's a proud tradition going back decades.
(I've some really horrible examples to my credit too, but thankfully I don't think any of it has survived)
So? Pretty sure torture and car bombing innocent women and children is also illegal.
http://en.wikipedia.org/wiki/1985_Beirut_car_bombing
I'd love to read the warrant that granted this disclosure. If one doesn't exist I'd love to hear Apple's reasoning for releasing a 12 million + user database to LE without being legally obliged to do so.
They are both part of the government and the culture of 'laws for us vs laws for them (the regular people)' is present in both.
Lets not make this situation out to sound worse than it is. The FBI having access to 12 million UDID's and user information which apparently had holes in it anyway is nowhere near as bad as innocent civilians being killed and seriously injured. It's bad, but not that bad, calm down.
No I am not. I was talking about the executive branch of the our government.
> Lets not make this situation out to sound worse than it is.
I was commenting on the assertion that this is 'illegal' and thus how could FBI possibly do this. And my response was that it seems illegality isn't exactly stopping anyone, be it FBI, CIA or other agency.
...of course, the current administration insists that those are legal, but because they refuse to release a legal argument defending the practice, the best explanation they've given is 'Just trust us, okay?'. Not sure how that would hand up in a court of law.
"a monthly fee, forever until you die. That's the future; nothing is really yours. LAAS - Life As A Service."
(1)For instance, the first recorded use of writing is not typically for poems or liturgy but for tax documentation for imperial states.
The "NCFTA" seems to deal with identity theft. (Ironic)
This isn't true, APNS device tokens are shared among apps on a device. The only time a device will have more than one device token is if it's being used for development.
This isn't to say that Apple couldn't correlate the device tokens by looking for shared apps with active APNS entitlements.
http://stackoverflow.com/questions/2338267/is-the-apn-device...
just a comment: we are still waiting for published news about the $ 2 billions worth loans Assad has taken from Russia, mentioned on the syrian mails and also about the transfer of money to austrian banks etc.... and also cocks... So, don't be lazy journos and look for them.
Any one have any additional info on that?
EDIT: Derp...thanks for the correction. I read too fast. Still intrigued if anyone knows anything more.
One of the best examples of a real Australian accent I've heard on American television is Dr. Chase [Jesse Spencer] from House, who is a real Australian and did not ham it up for an American audience. (Oddly though, the man who played his father in one episode had possibly the most embarrassingly bad fake Australian accent ever. Surprised Spencer didn't kick his arse during filming.)
You get what Americans think are foreign accents, i.e. lightly accented. The one exception is that Brits playing bad guys are allowed to use camp, pantomime villain accents. Alan Rickman has made his fame and fortune from this, a shame as he is rather a good actor.
Hugh Grant sounds nothing like he does/did before that series started.
Then, one can hope, the government might actually be forced to engage in meaningful discussion about whether their ridiculously expensive and obviously damaging espionage programs make sense.
Not everything is a government conspiracy.
"...engage in meaningful discussion.." It's hard to engage in meaningful dialogue with people who are so entrenched in their own views (BIG$$,BIGOIL,BIGGOVV-types) but we shall continue!
If they don't have it, it cannot leak.
I sincerely hope both the U.S. government and Apple address this. I'd also be interested in hearing why Apple chose to have hardware coded unique ids for each device.
also: http://corte.si/posts/security/udid-must-die/index.html
My wild speculation, assuming what we're told is true - the application developer shared this information with the NCFTA, who in turn shared it with the FBI. (After all, that's what the NCFTA does.) The application developer may have shared this information because they wanted the FBI to investigate a 'cybercrime' of some sort against them - who knows what, in-app purchase fraud? That could explain why the data ended up on this FBI agent's desktop.
EDIT: I refreshed my own memory - APNS tokens are device-specific, not device+app specific. I still think this is a single application's data dump, if the statement about sparse personal info is true.
EDIT: unless... is it just a side effect of how the data was exported? Sorted on Username, then on UDID
Ya, the more I look at it, the more I think it's just secondary sorting on UDID
Even if they threw in a few fake rows to mess up the data, they could find the app that has the highest percentage of downloads from that entire data set.
I can't think of any apps that take a full address. Perhaps there are some, I just don't know them.
Apple could have been compelled to release this data to the FBI. Unfortunately, we're unlikely to ever know this and Apple are equally unlikely to want to shed light on it.
If the claim is true, that the source data included full postal address, then I find it hard to identify a better source for all of that than Apple themselves. And that the data was brought together from various systems, and that we're glimpsing data that was shared between Apple and the FBI.
Not to say that there's anything illegal about that, more that the laws that allow that are a bit screwed but that's another issue altogether.
Primary sort is by username. Secondary sort is by UDID.
So, the only significance of this name is that there are quite a few Chinese Apple devices in this sample. Perhaps they are over-represented in the whole dataset; it's hard to say without having the breakdown of Apple devices sold by country, as well as the entire dataset.
1. http://www.mydigitallife.info/unhide-the-administrator-accou...
thea:Downloads admin$ cat ./iphonelist.txt | grep -i obama '473d6e1ebf0b100ed172ce5f69c97ba6c8f12ad5','766a23201c6089be11845bfef624dbaada68be52155079850951836e9373e5cd','hobamain','iPad' 'c63e008e6271c3ac128eb6a242a9817528b6baef','b996a080e11265a0c93436ba0b13b7c07ee4e8eef6faeb8516917b015d7355fb','Obama','iPad'
Looks legit...
I know for a fact, the NSA protects all communications from the president (and most of the top level folk in his administration). If this turns out to really be the president (which I doubt) it would be a MAJOR breech.
Though I didn't hear anything about securing it when he got an iPad, I did see photos in the news of him carrying one. I would assume it would be equally vetted and locked down.
No I'm kidding of course. Obviously, I did work in that area, ages ago.
And it's been like this for a long time, by the way. Even back in ancient times when we all used dials.
The president lives in the ultimate bubble. Nothing gets in or out without being vetted.
De-anonymizing UDIDs with OpenFeint: http://corte.si/posts/security/openfeint-udid-deanonymizatio...
A survey of how UDIDs are used: http://corte.si/posts/security/apple-udid-survey/index.html
Why the Apple UDID had to die: http://corte.si/posts/security/udid-must-die/index.html
I've often been asked what I thought the worst-case scenario is regarding the mis-management of UDIDs. My answer has always been that a large UDID database leaking would be a privacy catastrophe...
https://www.facebook.com/video/video.php?v=512364171294