
UDID Leak : Identifying the Traitor - FredericJ
http://fredericjacobs.com/identifying-the-traitor
======
cortesi
Sorry, I don't think this strategy is workable. Consider - 74% of apps I
tested sent the UDID to one or more upstream servers. Furthermore, Flurry
alone received UDIDs from 15% of apps I tested. That's just one aggregator,
and they surely have nearly 100% of UDIDs on file. The APNS tokens narrow it
down somewhat, but not too much. It's also not at all clear that there is a
single source involved - this could be an amalgamation of a number of sources.

See this post for the source of these figures:
<http://corte.si/posts/security/apple-udid-survey/index.html>

~~~
jotaro17
Statistics created with the sample of 25,000 udids, Fruit Ninja is suspect?
(Not conclusive) pic.twitter.com/vlyoE2ij

------
smutticus
Why do people keep assuming that the FBI is actually involved in this? The
only evidence of that is from the pastebin page. They could just as easily be
lying.

We know nothing. Other than that there are 1,000,001 leaked UDIDs. Everything
else is just speculation and needs to be regarded as such until such time as
proven otherwise.

~~~
guelo
Anonymous' credibility is good. I haven't heard of an instance where they were
caught lying in a high profile incident like this.

~~~
codehotter
I have followed these lines of thought before. They contain a fatal mistake.

Anonymous is not a group that can have a reputation. At best, it's a
subculture. Anyone can call themselves anonymous. Whoever didn't lie in all
the previous incidents may not be behind this one - this could be a totally
different person or group of persons with totally different ideals.

~~~
Retric
Cultures can have a reputation. They can also fight back when someone uses
their name for something they disagree with.

------
terhechte
I doubt it's Apple. I checked the list, and there're tons of German people in
there too (one can see that by how they named their iPad). I really doubt that
the FBI would be interested in tons of German girls, for example (many iPads
seem to belong to girls named 'Sandra' (iPad von Sandra)). If Apple were the
culprit here, they would have been able to just deliver the UUIDs from people
residing in the states (since they know which UUID is connected to which app
store).

I hardly think it's Apple that leaked the information. Even if it's hard to
believe for some people: Apple values their users' personal information pretty
high.

I personally believe that this is from an internal FBI job, so they got this
information in a non-legal way.

~~~
jwr
Seconded. The UDID for one of my iOS devices was there, and I am in Poland. It
is definitely not just the US.

------
mahrain
Well, one piece of the puzzle is in the Lulzsec Pastebin itself. The hacked
file's original filename is supposed to be "NCFTA_iOS_devices_intel.csv" and a
quick Duckduckgo gave me <http://www.ncfta.net/> those contractors as source
of the data.

~~~
gonzo
<http://www.fbi.gov/news/stories/2011/september/cyber_091611> “The exchange of
strategic and threat intelligence is really the bread and butter of the
NCFTA,” said Special Agent Eric Strom, who heads the FBI unit—the Cyber
Initiative and Resource Fusion Unit (CIRFU)—assigned to the NCFTA. “The
success of this effort at every level comes down to the free flow of
information among our partners.”

Dan Larkin (the FBI Agent who set up NCFTA in 1997)
<http://www.linkedin.com/pub/dan-larkin/25/90/910>

Note that he used to be with CIRFU.

Now, check it out: <https://www.allclearid.com/plans/mobile-app>

------
jahewson
The whole FBI story is not credible, it's the _least_ likely explanation. I'd
start looking for the app that all these UUIDs have in common. This data is
probably a dump of that app's server-side database. And what about the zip
codes? GeoIP.

------
damncabbage

      I've Never Installed: ... Other [            ]
    

This is a joke, isn't it? How could I possibly answer this question correctly?

(My deadpan-sarcasm filter isn't working very well right now.)

------
alan_cx
Traitor? Is Apple a nation state now?

Which leads to an interesting question for me. Given that many web sites have
more users than many countries, should there be a more proscribed
relationship?

~~~
sp332
Maybe you're thinking of high treason? It's possible to be a traitor to things
other than countries. Actually I think the reason more people are on FB than
the US is because there are fewer obligations.

------
mtgx
This is a question we should keep asking Apple until they give a proper, real
answer: Who gave this information to FBI? If they say they gave it, then we
know Apple gave this information and it will be a PR nightmare for them. If
they say they didn't, then they will imply FBI obtained it illegally and we
can focus our attention on FBI.

~~~
biot
It's rather like the FBI having a list of 12,000,000 wifi MAC addresses. Would
the mere possession of such a list by the FBI be illegal? What if the MAC
addresses supplied by Starbucks are from customers who voluntarily connect
their devices to Starbucks' network and transmit their MAC address as part of
the connection negotiation?

Similarly, what if the UDIDs are from people who installed a common app on
their devices and agreed as part of the terms and conditions to allow
information about their hardware (including device name, UDID, etc.) to be
transmitted to the app vendor and to other parties including law enforcement?

EDIT: the question of whether they _should_ have this information is
completely separate from whether it's _illegal_ for them to have this
information. And, as noted by others, no proof has been presented that it was
obtained from the FBI.

~~~
Dylan16807
MAC address, user name, phone number, street address...

------
andyv88
What about PokerStars?

Their US operations were shut down by the FBI recently on bank fraud and money
laundering charges.

<http://www.tightpoker.com/news/pokerstars-shuts-down-2347/>

Can anyone else confirm they have PokerStars installed?
<http://news.ycombinator.com/item?id=4473730>

------
retube
Can someone explain what a UDID is (sounds like a MAC address or similar) and
what the privacy or security implications are?

~~~
zyb09
Some insecure apps and services use the UDID as a way to identify users. For
example you can get some profile data from OpenFeint with the UDID. There are
probably a ton of other small things like this, but overall I wouldn't worry
too much.

~~~
prof_hobart
And some secure ones used to use it for multi-factor authentication - e.g. you
still use username/password, but you can only do it on the device that you
registered on.

However, use of UDID has been deprecated by Apple, and they are now rejecting
some new apps that read it. You're meant to use a unique application-level ID
instead.

------
bcl
Small datapoint: my iPhone and iPod aren't in this dump. The iPhone hasn't
been used in about a year. And the iPod is infrequently used for playing
games.

~~~
llimllib
Negative datapoints are nearly completely useless in this scenario, as we only
have ~8% of the leaked UDIDs.

Think about it this way: there are more than 250m iOS devices in the world[1].
I think 300m is a good, conservative estimate.

12m (~4%) of the world's UDIDs have leaked. 1m of _those_ (~.33% of the total,
8% of the dump) have leaked.

A data point saying "my iOS device is in the dump" represents 1/1m of its
group. Pretty significant, relative to 300m devices!

A data point saying "my iOS device isn't in the dump" has two possibilities; a
96% chance it isn't in the dump and a 3.66% chance it is but wasn't leaked.

As one of the 99.66% of iOS users, your data point represents just 1/299m of
its group, and is thus ~300x less powerful than a positive data point.

[1]: <http://www.engadget.com/2011/10/04/apple-250-million-ios-devices-sold/>

------
lloyddobbler
It's an interesting question...but as someone who used to work in the survey
world, I've gotta say it: the questions here are not going to give very useful
data. Here's a couple of examples (& a tl;dr):

1) "Have you been to the US recently"? The way this Q is worded suggests that
the audience is not people who live in the US. Either way, the non-specificity
of the Q makes me worry with what info will be extrapolated from the
responses.

2) "I haven't installed the following apps: Facebook, LinkedIn...OTHER".

...there are a lot of apps I haven't installed. I hope you don't want me to
list them all...?

tl;dr - when putting together a survey like this, be careful to look at it
from all sides and see where you could be introducing a bias of some sort.
Drawing conclusions from flawed data = FTL.

------
DaveWoldrich
I love all the outrage and concern. All your information is for sale in the
walled garden, outside the walled garden, everywhere! You don't deserve to
expect anonymity and privacy because you offer up all your secrets willingly.

Rabble all you want over this traitor business, even clamor for new laws to
protect us (although that just makes things worse and poisons the waters). In
my humble opinion, you breathless bloggers are all just wasting energy. Until
we techies start designing networks and storage systems for anonymity and
privacy, all your dirty laundry is money in the bank to these service
providers and easily searchable by big brother.

------
pppqqqooowww
For what it is worth, the languages used by users to name their devices are
certainly not limited to US English. Out of the 1,000,001 device list, about
10,000 device names contain the Korean possessive "ui", about 5,000 contain
the Japanese possessive "no", and a whopping 32,000 contained a Chinese
possessive. Unsurprisingly, none contained all three. :-)

    $ grep 의 iphonelist.txt | wc
    10682 23316 1469444
    $ grep 的 iphonelist.txt | wc
    32168 77171 4522336
    $ grep の iphonelist.txt | wc
    4838 15191 671159
    $ grep 의 iphonelist.txt | grep 的 | grep の | wc
    0 0 0

------
brokenparser
I recommend everyone to fill in this form, even if you don't own an iDevice.
The person who leaked the information could be anyone's son or daughter, we
all know how careless we were ourselves when we were younger. The stakes have
become higher, but that doesn't mean we should try to jail a kid with an
Internet connection and deprive him/her of his/her future. We should all try
to help ensure that incidents such as this leak cannot happen, in the simplest
form by rejecting privacy policies which waive your privacy.

Please, why won't anybody _think of the children_?

------
ikangai
Actually, the notification tokens are a bigger threat, because they allow
imposters to send notifications to apps. We know this from our own experience:
<http://www.ikangai.com/news/udids-leaks-and-push-notification-token-security-threats/>
However, there is also a good thing: sending
notifications with the tokens from the data can be used to identify the apps
which collected the UDIDs.

------
phelmig
Finally it all depends on AntiSec. We have no idea which 1'000'001 datasets
they published (first 1m, last 1m or random). If they have access to all 12m
UDIDs + the additional information (Country, Postal code, Addresses) they
could at least release some statistics about it, this would make it a lot
easier to find a (potential) source. (E.g. If we knew which percentage of the
UDIDs came from Europe etc.)

------
stcredzero
Is the formatting of this blog meant to be iPad unfriendly?

<http://pic.twitter.com/rLOyOHbh>

~~~
siglesias
Had the same problem. Use Safari's Reader feature.

------
derp1101
There are a lot more than 12 million iDevices out there, so why only
12,000,000?

The small number leads me to think that the UUIDs might belong to people the
FBI are particularly interested in tracking. If your UUID is in there, fasten
your tinfoil hat.

Just a thought.

~~~
FredericJ
Or it may have been released by some dude making a fart app.

~~~
WhaleBiologist
Or maybe the FBI are secretly releasing fart apps in order to get UDIDs.

~~~
fwr
I'd give a lot to be on the briefing where that was agreed on.

------
ajuc
FBI will just fill 1000 fake datapoints to cover its informant.

------
FredericJ
Let me know if you find other relevant questions to ask.

~~~
OpenFeint
You might want to ask whether users have installed any game associated with
OpenFeint. Some examples are listed on their Wikipedia page:
<http://en.wikipedia.org/wiki/OpenFeint>.

~~~
jotaro17
Yes, but it is very dangerous, for example:
<https://twitter.com/jotaro17/status/243144140878143488/photo/1/large>

~~~
OpenFeint
Heh, I've been compiling the same list as you already did. My results look a
lot like yours.

What do you mean that it is "very dangerous"?

As I posted in another thread... I wonder if it is significant that so many of
the UDIDs are known to OpenFeint. If you took a random sample of UDIDs, how
many would OpenFeint have data on?

~~~
jotaro17
I think that about 50% have OpenFeint data. I do not know the legal terms of
OpenFeint, but I would not like it if anyone could see that I play.

------
ajanuary
"I've never installed: Other" That's a looong list.

------
jrnkntl
Why is "Facebook" pre-checked?

~~~
FredericJ
My bad. Fixed

~~~
stcredzero
<http://pic.twitter.com/rLOyOHbh>

The formatting of this blog is just awful for iPad users zooming in on the
text.

------
ObnoxiousJul
Are any jailbroken iPhones with privacy patches installed being leaked? Chi2
analysis is not only about what triggers the correlation, what does not
trigger the correlation is also important. My guess is jailbroken devices are
underrepresented in leaked UDIDs either because jailbreak is shielding users or
because users able to install a jailbreak are more aware of computer security
issues. Regular iPhones are cell phones remotely controlled by a 3rd party,
jailbroken iPhones are computers you control. I am no paranoid freak, I am
just a regular sysadmin with a pretty low security awareness.

------
berntb
It would surprise me if intelligence organisations _didn't_ make databases
like this. I assume the CIA could get the user information from Apple, with or
without Apple's consent.

I have no real problem if the UDID:s of my iPad/iPhone/iPod are stored with my
name by intelligence organisations in democracies.

But... I do have problems with them being so incompetent that private
information about me is leaked!!

~~~
pstuart
You have no real problems with the secret police monitoring you? Is that an
expression of acceptance to something you cannot control or that you really
are ok with it?

We have to accept that we are being spied upon because we have no control over
that, but we should always resent and resist it when possible.

~~~
berntb
Terrorism is quite easy in today's world. By definition terror scares people,
hence a strong voter pressure to stop it. This results in a Big Brother
society.

The number of stopped terror attacks in the West over the last decade is quite
large, that would hardly have happened without spying on the citizens.

Is it worth the security? I don't really know. As long as it is in very stable
democracies, it _ought_ to be safe...

~~~
king_jester
> Is it worth the security? I don't really know. As long as it is in very
> stable democracies, it ought to be safe...

Uh, hell no. We have already seen the kind of evil things the FBI are willing
to do in the US: <http://en.wikipedia.org/wiki/Cointelpro>

~~~
berntb
Wow, it is scary when intelligence organisations start to infiltrate political
organisations... an even worse variant of regulatory capture.

But that was during the cold war, 40 years ago. The levels of paranoia
increased after 9/11, but hardly to the pre-1989 levels.

~~~
berntb
The down votes here are interesting. I don't argue an extreme position, imho?

No one has attempted to argue against my point about active terror threats
implying high voter pressure for security.

But maybe the problem is that I'm Swedish.

Traditionally, Swedes trust the state uncritically to do the right thing (I've
heard the explanation that the king historically was allied with the lower
classes against the nobility).

I thought I was immune to those Swedish attitudes, after e.g. seeing
oligopolies (food, building, etc) keeping prices high and hurting both
individuals' economy and the country's, without getting any problems from
either politicians or media.

But maybe I still have naive reflexes.

Edit: I wish I hadn't gone away for a while, so I could have added this
comment while people still were reading and giving feedback. :-)

------
accarrino
I wonder if the FBI got the UDID list from Apple, or if the FBI has a stealth
app in the App Store and people gave up their info voluntarily when they
installed it...

