
The real source of Apple device IDs leaked by Anonymous last week - ssclafani
http://redtape.nbcnews.com/_news/2012/09/10/13781440-exclusive-the-real-source-of-apple-device-ids-leaked-by-anonymous-last-week
======
tptacek
Matt Blaze, on Twitter:

@mattblaze: So, instead of being tightly held data given to the FBI by Apple,
UDIDs are widely available to random app developers you've never heard of.

@mattblaze: And thanks to Anonymous, if the FBI didn't have that list of UDIDs
before, they do now.

~~~
ChuckMcM
Matt always has a great perspective on these things. At one of his talks I
attended he commented on the difference between the 'security' business and
the 'intelligence' business and noted that they both depended heavily on
obfuscation and misdirection. Prior to that I had never really connected them
in that way, but in hindsight it seemed amazingly obvious. Interesting times
indeed.

~~~
tptacek
Matt Blaze is probably the most important computer scientist at the
intersection of security & privacy; look at the relatively recent work his
group did on wiretaps for a good example of why. He's not a grandstander.

------
hrbrmstr
Make sure to read the actual details from David Schuetz's – @DarthNull – blog
post (the dude who did the digging):

[http://intrepidusgroup.com/insight/2012/09/tracking-udid-src...](http://intrepidusgroup.com/insight/2012/09/tracking-udid-src/)

~~~
brittohalloran
... and the BlueToad blog post. Nothing of substance, mostly just a "sorry"
and "we've fixed it".

[http://blog.bluetoad.com/2012/09/10/statement-from-bluetoad-...](http://blog.bluetoad.com/2012/09/10/statement-from-bluetoad-regarding-the-cyber-attack-suffered-in-the-recent-case-of-stolen-apple-udids/)

~~~
mikehotel
I wish they also said they were not collecting "other personal data as, full
names, cell numbers, addresses, zipcodes", which the pastebin posters claimed
was in the original file.

Unfortunately, BlueToad's statement leaves some wiggle room.

"BlueToad does not collect, nor have we ever collected, highly sensitive
personal information like credit cards, social security numbers or medical
information. The illegally obtained information primarily consisted of Apple
device names and UDIDs – information that was reported and stored pursuant to
commercial industry development practices."

Edit: The "98% correlation" leads me to believe the publicly posted info is
the full extent of the leak.

~~~
Dylan16807
Why? If 98% of the posted UDIDs are in their database then I could see them
say "98% correlation".

------
neilk
Can we agree to stop using Anonymous as a collective noun? It's like saying
"In other news, a site was vandalized by The Hackers."

All it means is that someone published something anonymously, with an intent
to associate themselves with this larger collective. Maybe for those in the
know, they can say that this particular hack was discussed in Anonymous' IRC
channels or something. Better to say "an Anonymous" or "a hacker claiming
allegiance with Anonymous".

Of course, this is how the media is being hacked. Unlike the devil, Anonymous'
greatest trick was convincing the world that it did exist.

~~~
noamsml
IIRC, wasn't this leak made by the group AntiSec? IIRC, they consider
themselves separate from Anonymous and have their own very odd manifesto
having to do with exploit disclosure.

------
bo1024
This is still somewhat consistent with Anonymous' story....

The chain of events could have been:

1. Blue Toad either gets hacked, or gives their data to the FBI or someone
else.

2. Somehow this data ends up on an FBI agent's laptop.

3. Anonymous breaches the laptop and gets the data.

4. Anonymous sees all the UDIDs and mistakenly thinks, "Apple and the FBI
must be in cahoots!", and publishes it.

~~~
scythe
My guess is somewhat blander.

1. Anon breaches laptop, finds UDIDs.

2. Anon tells other anons he got the UDIDs from a laptop.

3. Other anons tell more anons it was a government laptop.

4. Release group writes "FBI laptop" in their pastebin.

(5. ??? --> 6. Profit!)

The heterogeneity and disorder in Anonymous (at least it was like this back in
the day) means that the chain from leaker to releaser -- usually passing
through several people and IRC channels -- plays out a bit like a game of
telephone. This serves to protect the leakers, but it can mess with some of
the details.

~~~
gyardley
The releaser of the data mentioned the name of a specific FBI agent and
claimed the data had a specific file name containing the acronym of a
non-profit organization set up to share data between private industry and
intelligence organizations.

Details like that don't emerge over the course of a game of telephone. If this
story is correct, and the data was not in the possession of the FBI, someone
deliberately decided to make up an elaborate lie.

~~~
ralfd
The FBI Agent (Christopher K. Stangl) appears in a recruiting video for
cybersecurity experts. It is no sign of secret knowledge when his name is
used.

~~~
gyardley
Wasn't implying that it was.

It's entirely plausible that someone, disliking the FBI, made up an elaborate
lie to discredit them.

~~~
adgar
It's entirely plausible that you work for the FBI and are trying to discredit
talk of the FBI's involvement by proposing relatively poor arguments to the
contrary.

See how ridiculous you sound?

------
zerovox

      The analysis found a 98 percent correlation between the two datasets. 
      "That's 100 percent confidence level, it's our data," DeHart said. 
    

The numbers don't quite add up. Having said that, the hackers may have removed
their device data, this might be (some of) the 2% missing data.

~~~
lifeisstillgood
That would be insanely stupid [#] for the attackers to do - especially as they
claim the FBI have the original 2%.

    
    
      diff ours theirs | xargs fbi_arrest_warrent_generator.py
    

I cannot come up with a convincing reason that the 2% is missing however - or
if the 2% is in addition to. Which would raise even more weird questions.

edit: [#] that seems a bit aggressive, but I am not aiming at the parent post
here, apologies if it reads badly. I think I mean these guys would make it
onto America's Dumbest Hackers TV special if that were the case.

~~~
vhf
The md5 sum of the UDIDs list contains 1337 on purpose.

It seems to me that the easier way to achieve this is either by randomly
modifying the order of lines, which they didn't do, or to add/remove some
bytes.

It could be the 2% diff between the two files: brute-forcing the md5 hashing
by removing some random lines till they got a md5 digest containing 1337.
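
An added example, not code from the thread or from anyone in it, that illustrates the two data questions raised above: Dylan16807's reading of the "98% correlation" (which direction the figure is measured in) and this comment's suggestion that a digest containing "1337" can be reached simply by dropping a few lines. All identifiers are constructed sample strings shaped like UDIDs, not real device IDs, and the function names (`make_udids`, `vanity_by_dropping`, `overlap_stats`) are this example's own. The point for anyone assessing such a leak is that a vanity substring in a hash costs a few thousand hash evaluations and says nothing about the data, and that an overlap percentage is only meaningful once you state what it is a percentage of.

```python
import hashlib
import random


def make_udids(n, seed=7):
    """Constructed sample data: n random 40-hex-digit strings shaped like
    UDIDs. These are not real device identifiers."""
    rng = random.Random(seed)
    return ["%040x" % rng.getrandbits(160) for _ in range(n)]


def md5_of_lines(lines):
    """MD5 hex digest of the lines joined as a newline-terminated text file."""
    return hashlib.md5(("\n".join(lines) + "\n").encode()).hexdigest()


def vanity_by_dropping(lines, token="1337", max_drop=10, seed=1, max_tries=500000):
    """Drop random lines until the digest of what remains contains token.

    At most max_drop lines are removed in one attempt; when that budget is
    used up the search restarts from the full list with a fresh random
    subset. A 4-hex-char token appears in roughly 29/65536 of digests, so
    a few thousand tries are expected. Returns (kept_lines, digest, tries).
    """
    rng = random.Random(seed)
    min_keep = len(lines) - max_drop
    kept = list(lines)
    for tries in range(1, max_tries + 1):
        digest = md5_of_lines(kept)
        if token in digest:
            return kept, digest, tries
        if len(kept) <= min_keep:
            kept = list(lines)  # budget exhausted: start a new random subset
        kept.pop(rng.randrange(len(kept)))
    raise RuntimeError("no digest containing %r within %d tries" % (token, max_tries))


def overlap_stats(published, database):
    """Two readings of a 'correlation' between a published list and a
    database: the share of published IDs found in the database, and the
    share of the database that was published. They differ whenever lines
    were dropped before publication."""
    pub, db = set(published), set(database)
    common = pub & db
    return {
        "published_in_db_pct": 100.0 * len(common) / len(pub),
        "db_in_published_pct": 100.0 * len(common) / len(db),
    }


if __name__ == "__main__":
    db = make_udids(500)
    kept, digest, tries = vanity_by_dropping(db)
    print("digest %s after %d tries, %d of %d lines kept"
          % (digest, tries, len(kept), len(db)))
    print(overlap_stats(kept, db))
```

Running it shows a "1337" digest reached by removing at most ten of 500 lines, after which every published line is still in the database (100% in one direction) while the database is only 98% or more published in the other; both numbers describe the same pair of files.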

------
freehunter
So Blue Toad doesn't feel it's their responsibility to contact the people they
exposed? The individual publishers assumed the risk of working with Blue Toad
so they are partially responsible, but Blue Toad isn't going out of their way
to make people feel sorry for them.

~~~
jamesmcn
It seems like Blue Toad's customers were intermediaries between Blue Toad and
the final end-users of Blue Toad's apps. Much like the RSA breakin a few years
back, it makes sense for Blue Toad to make a general announcement and leave
the direct customer communication up to Blue Toad's customers (who own the
direct relationship with the customers).

Of course, this brings up the question of why Blue Toad should have Personally
Identifying Information about its customers' customers.

~~~
btown
It provides a SaaS solution, and it had a security breach. If we compare
their solution to Salesforce, is it Salesforce's (legal) responsibility to
keep all of your customers' data encrypted and inaccessible to anyone except
your company? Only if they provide an SLA saying that, or otherwise advertise
that feature. Blue Toad never advertised that feature, and it wants to be
invisible to its end users.

~~~
freehunter
Legal responsibility? Probably not. Ethical responsibility? I think so. Think
about if, say, Conde Nast got hacked and login information was leaked from all
of their servers. What would I expect from Ars Technica, Wired, Reddit, etc? A
link to a Conde Nast page with one unified statement, closing with something
like "We at Ars and Conde Nast apologize...", "We at Wired and Conde Nast..."
etc.

Even if Blue Toad wants to be invisible to end users, it's gone a little
beyond that. Legally they only have to follow the fairly open-ended PII laws
that are in place (I believe California is the only state to require they
notify users of a breach), but ethically I believe their responsibility falls
a little beyond that line.

~~~
olalonde
What if AWS security was breached. Do you think they should email all Dropbox
customers to inform them of the breach or leave that responsibility to
Dropbox? (Dropbox is hosted on AWS) I think that analogy is more accurate
because Conde Nast actually owns the web properties you mentioned whereas
BlueToad is an independent service provider.

------
angrydev
BlueToad said they were able to confirm several of their own devices in the
dataset which they go on to use as evidence that the dataset is their own. If
antisec took this database from BlueToad why would they not trim out the
BlueToad devices that could help confirm that this leak didn't come from the
FBI? They trimmed out 11 million rows but left in the 19 used by the developer
itself?

~~~
lgg
How would they do that? The data contained "Apple Device UDID, Apple Push
Notification Service DevToken, Device Name, Device Type." None of those fields
necessarily indicate who owns any of the devices.

------
drcube
This doesn't necessarily rule out the FBI as Anonymous's source, but it
does cast a lot of doubt on their story.

~~~
tptacek
It also doesn't rule out the aliens from Zarvox who may secretly control our
government from the highest levels.

~~~
noahc
I'm glad someone brought this up! I've been concerned about this for years!

------
vhf
Now that's another story!

Kudos to Mr. Schuetz who went through all these UDIDs to find out what seems to
be the truth, for once.

------
jahewson
> The analysis found a 98 percent correlation between the two datasets.

Hate to say "I told you so" <http://news.ycombinator.com/item?id=4473971> :)

------
ricardobeat
So which apps were to blame?

------
andrewflnr
Sorry for the OT, but for crying out loud, a professional journalist has no
excuse at all for using "pouring" in place of "poring".

------
geedee77
Blue Toad could be a front company for the FBI ...

