Money quote for the people that don't want to wade through ten pages of rant:
During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team, was breached using the AtomicReferenceArray vulnerability in Java. During the shell session some files were downloaded from his Desktop folder; one of them, with the name "NCFTA_iOS_devices_intel.csv", turned out to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.
This is very disturbing. How did the FBI gain access to all this information? It should be locked up in Apple.
From what I see, the NCFTA in "NCFTA_iOS_devices_intel.csv" looks like it stands for the National Cyber-Forensics & Training Alliance, which "functions as a conduit between private industry and law enforcement." (http://www.ncfta.net/)
Is Apple willingly sharing personal information with the FBI through the NCFTA?
Doesn't a popular iOS developer have the same information?
UDIDs, APNS tokens (for push notifications), basic demographic information is something a popular social app or game might have. 12 million is a pretty good number, though.
edit: our iOS app has over 2 million of these type of device records (though we don't collect any demographic info, so just device ids, apns tokens, device names, device types -- standard for push notifications).
So Marco Arment could go all CSI for us and let us know whether the sample corresponds to info he retained and which would have been on the server at the time.
I've been using Instapaper since pretty much the first day, and my information is not in the file. Not to say they don't have it, but, it's not in that file, FWIW.
According to one report [1], only 1 million of about 12 million stored records were released by AntiSec, so the absence of your record is not conclusive.
I couldn't even guess the episode, but Marco has stated on his 5by5 podcast that he doesn't collect user information and only dips into user information grudgingly. I'd be surprised if this came from him, as according to his statements he finds holding any user information that could be described as private unpleasant.
This is all based on recollection however.
Still can't find the podcast, but here is what Marco said the FBI took, quoted from the Instapaper blog about a year ago:
>>The server was used as a MySQL replication slave, handling read-only queries to speed up the site. Instapaper suffered no downtime as a result of its theft and no data has been lost.<<
Further down:
>>Possibly most importantly, though, the FBI is now presumably in possession of a complete copy of the Instapaper database as it stood on Tuesday morning, including the complete list of users and any non-deleted bookmarks. (“Archived” bookmarks are not deleted. “Deleted” bookmarks are hard-deleted out of the database immediately.)
Instapaper stores only salted SHA-1 hashes of passwords, so those are relatively safe. But email addresses are stored in the clear, as is the saved content of each bookmark saved by the bookmarklet.
The server also contained a complete copy of the Instapaper website codebase, but not the codebase of the iOS app.
Linked Facebook, Twitter, or Tumblr accounts only store their respective OAuth keys. Linked Evernote accounts only store the Evernote email-in address. Linked Pinboard accounts, however, store plaintext usernames and encrypted passwords, and the encryption keys are present in the website source code on the server. <<
So "FBI theft" should be a new failure mode to defend against in web applications, right after SQLi and XSS? I'm handling this by not having any servers in the USA, hopefully GB is safe.
Yeah, this gives a whole new meaning to having live backups/redundancy. I guess this is an advantage of hosting on EC2, since it would be difficult for the FBI to seize the physical server.
Absolutely, that wasn't my point. Since the FBI could do that, you are unlikely to get your server seized from an unrelated raid. Still, a crappy situation.
You are right. I misread the announcement. That still leaves the issue of the personal data, but as I said: app developers could acquire that directly from the user.
Possibly, the fact that personal data is missing so often actually might point to a non-Apple leak, because they would have the link to personal data. Of course it could be fake, but it would be present.
I imagine it wouldn't be that difficult to extrapolate this information from your address book: I keep my own name, phone number, address, etc. all in there, and you can probably figure out which record is mine.
Well, at least the FBI is not going to share your personal information with advertisers, or (opt-in) spam you to death trying to sell you something.
The FBI's mission is reasonably clear; it's a government-regulated organization; it's non-commercial. They have a certain amount of accountability. Alas, we can't say the same for "popular iOS developers". We've seen how sneaky some iOS app developers can be with respect to privacy, and with little remorse after they get caught.
Couldn't an American request a FOIA for this to see what's the level of information gathering on iPhone users? Could EFF sue them for it or something to unveil more?
I have no idea. There are a lot of assumptions implicit in that question.
I'm just saying that you are unlikely to be successful in requesting more information for this file. Information that "could reasonably interfere" with law enforcement is exempt. Also, the FBI does not make it easy to request documents from them and, further, the turnaround on a request can be months or years.
It wouldn't be "willingly". But if Apple was presented with an order from a court, then yes, they'd have no choice. They could fight it; but they'd lose, depending on the reason. Frankly the only reason would be some terrorism angle.
It's a no win situation for them. Hand the info over and you're on msnbc for giving it up, don't hand it over and you're on fox news for helping the terrorists...
Plus for certain kinds of investigations, it would go against the court order to go public. I don't want to defend apple here but this is an American law enforcement problem, I'm certain ms, google and others have provided info to the government that would anger many and there are probably a lot of companies that do it without a court order... Trying to be good citizens.
That would depend on which court the order came from. If it was from the FISA court, for example, then publicizing it would send people to jail.
But again, if that were the case then it would be related to anti-terrorism efforts. Well I hope it would be. The FISA court exists for that reason (mostly).
I guess my paranoia depends on how much I trust the government :)
The National Cyber Forensics and Training Alliance in Pittsburgh is the office where the FBI Agent who posed as a member of the carding community worked when he helped take down Max Ray Vision, née Butler.
http://www.fbi.gov/news/stories/2011/september/cyber_091611
“The exchange of strategic and threat intelligence is really the bread and butter of the NCFTA,” said Special Agent Eric Strom, who heads the FBI unit—the Cyber Initiative and Resource Fusion Unit (CIRFU)—assigned to the NCFTA. “The success of this effort at every level comes down to the free flow of information among our partners.”
Note that he used to be with CIRFU. Likely that he still is with the CIRFU. They share office space:
http://www.itbusiness.ca/it/client/en/home/News.asp?id=51778...
"Mularski works for a little-known FBI division called the Cyber Initiative and Resource Fusion Unit, run out of the National Cyber-Forensics & Training Alliance in Pittsburgh, Pennsylvania. The unit is different from a typical FBI field office. It works hand in hand with industry and takes the time to do the deep research required to penetrate the world of online crimina
Good thing the announcement didn't say "A large monster from Mars radioed these in" - Imagine how upset you'd have been at NASA!!!!
A bit of a dick way of putting it, but there's no evidence the FBI is involved in this other than some words in an announcement that could be by anyone with an axe to grind.
I'm not sure why you're getting downvoted here, it's a valid point. There is nothing to prove this list came from the FBI, and I wouldn't put it above Antisec/Anonymous to get into a database of some popular iOS app, release the info, and then say it was from the FBI both to slag on the FBI and to stroke their e-peni^H^H^H^H^H^H^H ego.
we trimmed out other personal data as full names, cell numbers, addresses, zipcodes, etc. not all devices have the same amount of personal data linked. some devices contained a lot of info.
So the release "just" contains UDID's and zip codes.
Sure - me. Both my iOS devices are on this list - confirmed both by name and UDID match.
However, I renamed my iPad around last November after I started using it more in public, yet its original name (easy to find if you search for my HN nick) is the name listed.
EDIT: Oh, and fwiw, law-abiding natural born US citizen here. But who am I kidding - LEAs don't give a toss about that.
I have information this morning from a source that's "in the know" that this is definitely a false-flag attack against the FBI.
Non-gov researchers I know also attribute this to a possible hacking of an iPhone/iPad application backend DB before Apple put in the UUID storing restrictions to the iOS API.
I'm only bringing this to light because it is easy to fall for things you read on the Internet and get excited/theorize.
This is huge. I've been fearing this kind of leak for a long time. If you're unsure why this is huge, here are some posts of mine on this issue showing de-anonymization, complete takeover of social media accounts, and more:
I've often been asked what I thought the worst-case scenario is regarding the mis-management of UDIDs. My answer has always been that a large UDID database leaking would be a privacy catastrophe...
One interesting thing I've found is that apparently 190 of those 1000001 people have named their devices "The Titanic", for that iTunes "The Titanic is syncing" pun. I'm curious if there's anything else interesting that might be found in this data.
I seem to see a disproportionate number of pro photographer accounts (grep for dot coms as device names) which might point to some commonality--some photo app? A quick search showed more female email addresses, but not sure if this is related to the source or if it is related to the likelihood of women using their email addresses as device names.
There are a few phones named 'Venice', presumably for the 'Venice is syncing' pun. My iPhone is named Venice for a different reason, but it's not in the list.
This is troubling on so many levels. Why did an FBI agent have a document of user and device info on his desktop and the real question is why are the FBI tracking this information in the first place? Surely this is illegal.
By the way, I think AntiSec needs to hire someone to write their releases for them. I struggled at times to make sense of the almost gibberish in their rant-filled sentences and at times some of the things they were saying read like the paranoid ramblings of a crystal meth addict. It wasn't until the end where everything they were saying was put into perspective and I understood what they were talking about.
The point isn't that life meant never having to work. To make a stylized sketch of it: life, or identity, is increasingly made more legible to the State. Legibility of information is the backbone of state power(1), moreso than even violence or popular support. Legibility of identity is therefore granting the state more power over the individual, which further undermines human autonomy by making the ability to live dependent on remaining in the good graces of the State, by paying our dues and contenting ourselves within the all-encompassing social system that develops.
(1)For instance, the first recorded use of writing is not typically for poems or liturgy but for tax documentation for imperial states.
I was confused by the writing style as well. It seems to be almost intentional. I wonder if it's a way of avoiding any style or nuances that could be attributed to a single person. Almost like a cut and paste ransom note.
It's elite (or 1337 if you will). It's supposed to sound cool. All the underground computer groups have talked like that since the early warez/cracking/phreaking scene.
A lot of the "scene" traditions and symbols have a lineage back to adolescent boys in the early 80's, as that's when many of the influential groups exploded onto the scene, so even if they're emulating a traditional style, they're emulating one that arose out of kids who wrote badly and tried to sound cool.
(I've some really horrible examples to my credit too, but thankfully I don't think any of it has survived)
It struck me as well-written but highly in-jokey, and targeted at a very specific audience. If they were writing for the general reader, this would be terrible. But I took it as addressing other members of the hacker scene, hoping to prompt them into similar politically-focused action.
I thought it was quite well written, also noticed the "Life as a Service" part. Maybe it only works on me because I thought about those things before, but it wouldn't be an effective propaganda piece.
There's always one person in the comments section that leaves a comment that couldn't be any further disconnected from the discussion. As pointed out you're getting confused with the CIA, it even quite clearly says in the Wikipedia article you linked: "...a failed assassination attempt organized by the American CIA and British intelligence"
Let's not make this situation out to sound worse than it is. The FBI having access to 12 million UDIDs and user information which apparently had holes in it anyway is nowhere near as bad as innocent civilians being killed and seriously injured. It's bad, but not that bad, calm down.
No I am not. I was talking about the executive branch of our government.
> Lets not make this situation out to sound worse than it is.
I was commenting on the assertion that this is 'illegal' and thus how could FBI possibly do this. And my response was that it seems illegality isn't exactly stopping anyone, be it FBI, CIA or other agency.
No need to go that far back - we can talk about the warrantless wiretaps, or the pre-trial assassinations of US citizens.
...of course, the current administration insists that those are legal, but because they refuse to release a legal argument defending the practice, the best explanation they've given is 'Just trust us, okay?'. Not sure how that would hold up in a court of law.
We're talking about the FBI, not the CIA. You know, the same FBI that walked from Gitmo because detainee constitutional rights were being violated when they were being tortured.
I'd love to read the warrant that granted this disclosure. If one doesn't exist I'd love to hear Apple's reasoning for releasing a 12 million + user database to LE without being legally obliged to do so.
I can't believe with nearly 100 comments I appear to be the only one to call the whole story of how these were acquired into doubt.
I'm not saying that the FBI story isn't true, but so many comments here just assume it to be 100% factual - there's no evidence that it was taken from the FBI vs found on a USB Stick in the garbage.
It's a big story, yes, but I think maybe a deep breath is in order before we all accuse the FBI of leaking/losing/stealthily acquiring something!
Nitpick: While I agree with the idea (of accountability), the fact of the matter is that the FBI--being what they are and doing what they do--actually does have things to hide, often with good reason, even.
You're right, we should extend the courtesy of innocent until proven guilty. :)
Though, it must be curious why AntiSec have had 12 million UDID's, but only now are releasing them. Also, no one else from AntiSec is corroborating it?
Whatsapp, ebuddy pro, ebuddy XMS, Angry Birds, Angry Birds Space, FML, XKCD, Facebook, Spotify, BBC News, Dropbox, Steam and PokerStars are the more popular official ones I have installed. I also have Cydia, a few tweaks and finally Installous (didn't want to admit that - I don't use it often - but thought it may shed some light here)
I run Cydia, and have determined only 16.7% of the UDIDs in that file are from jailbroken devices: I thereby do not believe that whatever managed to get this data is anywhere in our ecosystem.
The question "how many users do you have" is impossible to answer, as all I can ever demonstrate is "X users used Cydia in the last Y period". As for your second question, the information I have for your average Cydia user (one that is not actively paying me money, in which case I obviously have tons of information) is purposely highly limited: I certainly do not have, for example, the "names" of devices that was included in these dumps from AntiSec (which often discloses the name of the user), or any of the other personal details that are claimed to be in the original file.
One would not expect it to be at the average, because this information is going to have come from some popular app, and there will be high correlation between "people who have never used even a single app: they just wanted a phone" and "people who have never considered jailbreaking: they just wanted a phone"; this is even more the case once you consider that it might not be an app that "virtually everyone has": it might be an app that is either correlated with skill (you are slightly more likely to have the app, even controlling for people who have apps at all, if you are the kind of person who really cares) or negatively correlated with age (you are more likely to have the app if you are younger, which correlates better with the demographic of people who jailbreak).
Very interesting analysis. The question now is : which app/network exhibits such properties? Considering the data is recent, I suppose it eliminates big guys like Facebook/Apple. Thanks for sharing your numbers with the community.
I have Installous, so that could make this possible. However you need to jailbreak (which often involves Cydia) in order to even get access to Installous, so how about the other 84%?
(PS: I only use Installous if I need to trial an expensive app - I will buy the app if it does what I need :))
Honestly, I'm pretty sure it's Facebook. They are the ones tracking everyone, including non-FB users, via a tracking cookie the moment you visit their site after all... And you know the feds just love that data that FB can acquire.
I haven't traveled to the US with this particular handset. I got a replacement handset a few months ago on the insurance. The serial number makes it seem like it was assembled in week 31 of 2011, so what happened to it before it got into my hands I'm not quite sure.
Refresh my memory - aren't the device tokens for the Apple Push Notification Service application-specific? That suggests this data comes from a single application, not Apple. The patchy personal information columns also suggests that this is a single (somewhat grabby) application's data store - presumably Apple would have more comprehensive records.
My wild speculation, assuming what we're told is true - the application developer shared this information with the NCFTA, who in turn shared it with the FBI. (After all, that's what the NCFTA does.) The application developer may have shared this information because they wanted the FBI to investigate a 'cybercrime' of some sort against them - who knows what, in-app purchase fraud? That could explain why the data ended up on this FBI agent's desktop.
EDIT: I refreshed my own memory - APNS tokens are device-specific, not device+app specific. I still think this is a single application's data dump, if the statement about sparse personal info is true.
I doubt that they are a single app's data. Look at the repeat of certain Device names (try "Abo Mossa") and check their UDIDs - those UDIDs show an incremental pattern in their first 3 digits. This tells me: (a) those devices were bought in bulk and (b) those devices were never sold to one person - since the Device names were unchanged [assumption is that a regular customer cannot own so many devices]. I just don't see how one app (not pre-installed) could be on all the devices bought in bulk by one person and dump all its data to FBI.
The UDID is a SHA1 of a few fields (including a couple MAC addresses): we actually know the exact algorithm; if you are seeing patterns in them it is either a trick your brain is playing on you or a trick the user is playing on you (some people modify their UDID occasionally to keep themselves from being tracked by apps).
At some point, the UDID is being processed by code, so you don't really need to permanently modify anything: you just edit the code that generates it and make that return something different. These kinds of changes are very simple using Substrate, the library we all use (that I developed) for changing code at runtime. For the UDID, the obvious candidates are "edit every app so [UIDevice uniqueIdentifier] returns fake" and "edit lockdownd so it calculates the wrong value every time it is generated".
Seriously? Personal info about the President was leaked? Not that this particular instance looks like a big deal. Doesn't the NSA secure the President's communication? That must be career-impacting-embarrassing for someone.
You do know that there are other people in world with the name Obama, right?
I know for a fact the NSA protects all communications from the president (and most of the top level folk in his administration). If this turns out to really be the president (which I doubt) it would be a MAJOR breach.
It was an issue widely covered in the press, or at least widely covered enough that I remember people joking about it in monologues. Obama wanted to keep his blackberry and other gadgets in opposition to what the Secret Service wanted. They finally compromised with security-enhanced versions of the devices such as his so-called "Blackberry One" a pun off of Air Force One.
Though I didn't hear anything about securing it when he got an iPad, I did see photos in the news of him carrying one. I would assume it would be equally vetted and locked down.
This is the stated reason for the release - to have people ask why an agent has 12m UDID numbers on his laptop. They released 1m out of the 12m UDIDs so that they can guarantee a statistical sample that can be verified, while preserving a bit of privacy.
Along with the UDIDs were other columns with an assortment of personal data, although there were a lot of holes.
It might be a gigabyte if there were about 90 characters per line; 1 or 2 gigabytes tops? "On the order of gigabytes" is a rather pretentious way of saying that.
The filename refers to NCFTA, which might seem in context to be http://www.ncfta.net — perhaps some bit of intel that's widely-traded in NCFTA circles for various uses? I mean, hey, pretty useful if you're tracking down pretty much anything in which an Apple device is used, right?
Also, what's the point of releasing password protected files to public? I mean, they give you the password thus kind of making the whole password thing a moot point.
So download it, decrypt it, and pick a different password. Takes a couple minutes, tops. And if your 'release' gets more attention than the original, how does the original prove that's what happened, or even get heard?
Question: is it possible for a malicious hacker to use this information for anything? E.g. sending rogue push notifications to a user, or tracking down a user's additional personal information by knowing his/her device UDID or APNs token?
I sincerely hope both the U.S. government and Apple address this. I'd also be interested in hearing why Apple chose to have hardware coded unique ids for each device.
If a webservice tries to send a push notification to a device that has not registered for push notifications for the entitlement requesting the notification to be sent, the notification gets discarded. Remember, all notifications are to be pushed to Apple using a certificate generated on a per-app basis, who in turn pushes the message to devices.
Well, we have learnt it seems quite clear nobody pays attention if you just come and say 'hey, FBI is using your device details and info and who the fuck knows what the hell they are experimenting with that'; well sorry, but nobody will care.
Arms race for attention, while the government races towards quieter actions and laws...
If you've been exposed take some time to help us identify who gave this UDID's to the FBI. (Already working with 3 exposed device owners) http://news.ycombinator.com/item?id=4473833
Putting a file of user data on a laptop is a fireable offense at at any reputable organization. Sad that the FBI is less careful about user data protection than consumer Internet companies.
Putting a file of user data on a laptop is a fireable offense at at any reputable organization.
Correction, it's only a fireable offense if the employee of said reputable organization lets the file become compromised somehow, there's huge PR blowback, and the organization needs somebody's head on a platter to show how seriously they take the issue. Otherwise, meh.
On the other hand, the disk, or better said the partition with sensitive data, should be decrypted (mounted) only when needed. I doubt he needed that data during the conference.
One imagines it was bitlockered, and you were required to inform them the instant of a loss and hence possible data breach - where upon the company would have to pass the data on to any clients whose data might have been compromised (and the public body governing data security)
Apple could probably figure out if this data came from an app developer because I'd bet there's only exactly one app which every single one of those 1,000,001 devices downloaded.
Even if they threw in a few fake rows to mess up the data, they could find the app that has the highest percentage of downloads from that entire data set.
I can't think of any apps that take a full address. Perhaps there are some, I just don't know them.
Apple could have been compelled to release this data to the FBI. Unfortunately, we're unlikely to ever know this and Apple are equally unlikely to want to shed light on it.
If the claim is true, that the source data included full postal address, then I find it hard to identify a better source for all of that than Apple themselves. And that the data was brought together from various systems, and that we're glimpsing data that was shared between Apple and the FBI.
Not to say that there's anything illegal about that, more that the laws that allow that are a bit screwed but that's another issue altogether.
A reasonable assumption, besides Apple, is Facebook. With all the information these services have the easiest part may be to acquire your home address.
Another more likely possibility would be to identify people who are on the list and compare all their installed apps and search for a common denominator.
People delete apps though, you'd need their entire history to cross reference that. Not to mention false positives - how many people have the Twitter or Facebook app installed, for example?
You might still be able to find an app that has a much higher installation rate for users on the leaked list than for users who aren't.
Of course, that wouldn't be a proof but merely a first step to narrow the possibilities.
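Added example (editor's, not code from any commenter): the "lift" comparison suggested in the last few comments, run over a constructed population. It scores each app by its install rate among leaked devices divided by its rate in the whole population, which is what separates a source app from something everyone has (Facebook, Twitter) and tolerates a few fake rows in the dump. It uses an "ever installed" history rather than a current-install snapshot, since people delete apps. The same data answers the Cydia question from further up the thread (what share of leaked devices are jailbroken). "PhotoGrab" is a hypothetical app name and all rates are invented.

```python
import random
from collections import Counter


def build_world(seed=7, devices=5000, fake_rows=50):
    """Constructed population and leak (invented rates, hypothetical app names).

    history: device -> set of apps *ever* installed (deleted apps still count; a
    current-installs snapshot would miss them).
    leaked: the released IDs, modelled as 90% of one app's users plus fake rows.
    """
    rng = random.Random(seed)
    base_rates = {"Facebook": 0.80, "Twitter": 0.50, "Cydia": 0.15, "PhotoGrab": 0.20}
    history = {}
    for i in range(devices):
        history[f"dev{i:05d}"] = {app for app, p in base_rates.items() if rng.random() < p}
    source_users = [d for d, apps in history.items() if "PhotoGrab" in apps]
    leaked = set(rng.sample(source_users, int(0.9 * len(source_users))))
    leaked |= {f"fake{i:04d}" for i in range(fake_rows)}  # rows matching no real device
    return history, leaked


def install_rates(device_ids, history):
    """Fraction of `device_ids` that ever had each app; unknown IDs stay in the denominator."""
    counts = Counter()
    for d in device_ids:
        counts.update(history.get(d, ()))
    return {app: n / len(device_ids) for app, n in counts.items()}


def rank_by_lift(leaked, history, min_population_rate=0.01):
    """Apps ordered by install rate in the leak divided by rate in the whole population.

    Universal apps come out near 1.0 whatever the source; the source app's users are
    over-represented in the leak, so it stands out. Very rare apps are dropped because
    their ratios are noise.
    """
    population = install_rates(list(history), history)
    sample = install_rates(list(leaked), history)
    lift = {
        app: sample[app] / population[app]
        for app in sample
        if population.get(app, 0.0) >= min_population_rate
    }
    return sorted(lift.items(), key=lambda kv: kv[1], reverse=True)


def jailbroken_share(leaked, history, marker="Cydia"):
    """Share of leaked devices that ever ran the jailbreak marker app."""
    return sum(1 for d in leaked if marker in history.get(d, ())) / len(leaked)


if __name__ == "__main__":
    history, leaked = build_world()
    for app, lift in rank_by_lift(leaked, history):
        print(f"{app:10s} lift {lift:.2f}")
    print(f"jailbroken share of leak: {jailbroken_share(leaked, history):.3f}")
```

Lift is only a first cut, as the comment above says: it narrows the candidates, and the final answer still needs someone with the purchase history (Apple) to confirm that one app covers essentially every leaked device.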
If you look at the UDID's for the '“Administrator”的 iPad's or '“Administrator”的 iPhone's, there seems to be an incremental pattern in their first 2-3 digits. Does that mean these devices were purchased/ordered in bulk and hence belong to some reseller? In which case, these must not have been sold to people and thus we don't see change in the Device names maybe? And thus the claim that this came from one or two apps seems a bit infeasible, no?
The Chinese character "的" is being used here as a possessive; it just means that the iPad belongs to the "Administrator", which is the default account name for many Windows XP computers [1]. Because iTunes activates iPods, iPhones, and iPads under the current user account name, and because the default user account names in many XP installations is "Administrator", there are a plethora of devices with the same name: '“Administrator”的 iPad'.
So, the only significance of this name is that there are quite a few Chinese Apple devices in this sample. Perhaps they are over-represented in the whole dataset; it's hard to say without having the breakdown of Apple devices sold by country, as well as the entire dataset.
The UDID is a SHA1 of a few fields (including a couple MAC addresses): we actually know the exact algorithm; if you are seeing patterns in them it is either a trick your brain is playing on you or a trick the user is playing on you (some people modify their UDID occasionally to keep themselves from being tracked by apps).
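Added example (editor's, not from saurik or any other commenter) for the "incremental pattern in the first 3 digits" claim that comes up twice in this thread. It computes UDIDs for a constructed batch of devices whose serials, ECIDs and MACs really are consecutive, then measures whether the leading hex digits show any ordering at all. The field list hashed (serial, ECID, Wi-Fi MAC, Bluetooth MAC) is the commonly cited one and is treated here as an assumption; the avalanche behaviour of SHA-1 is what matters. It also works out how many rows of a 1,000,001-row dump share any given 3-digit prefix purely by chance.

```python
import hashlib


def udid(serial: str, ecid: str, wifi_mac: str, bt_mac: str) -> str:
    """UDID as SHA-1 over the concatenated identity fields.

    The exact field list (serial, ECID, Wi-Fi MAC, Bluetooth MAC) is the commonly cited
    one and is an assumption here; the argument only needs "SHA-1 of some device fields".
    """
    data = (serial + ecid + wifi_mac + bt_mac).encode("ascii")
    return hashlib.sha1(data).hexdigest()


def mac(prefix: str, n: int) -> str:
    """Constructed MAC address: vendor prefix plus a 24-bit counter."""
    return prefix + ":".join(f"{(n >> shift) & 0xFF:02X}" for shift in (16, 8, 0))


def bulk_batch(n: int) -> list:
    """Constructed 'bulk purchase': n devices with consecutive serials, ECIDs and MACs."""
    return [
        udid(f"DNPK{i:08d}", f"{0x0002A1B3C4D50000 + i:016X}",
             mac("00:1E:C2:", i), mac("00:1E:C2:", i + 1))
        for i in range(n)
    ]


def leading_values(udids, digits=3):
    """Leading `digits` hex digits of each UDID, as integers."""
    return [int(u[:digits], 16) for u in udids]


def increment_runs(udids, digits=3):
    """Adjacent rows whose leading digits differ by exactly +1: the 'incremental pattern'."""
    v = leading_values(udids, digits)
    return sum(1 for a, b in zip(v, v[1:]) if b - a == 1)


def ascending_fraction(udids, digits=3):
    """Share of adjacent rows whose prefix goes up; uncorrelated hashes give about 0.5."""
    v = leading_values(udids, digits)
    return sum(1 for a, b in zip(v, v[1:]) if b > a) / (len(v) - 1)


def expected_rows_per_prefix(rows, digits=3):
    """Rows of a dump that share any one `digits`-hex prefix purely by chance."""
    return rows / 16 ** digits


if __name__ == "__main__":
    batch = bulk_batch(2000)
    for u in batch[:5]:
        print(u)
    print("adjacent +1 prefixes:", increment_runs(batch))
    print("ascending fraction:", round(ascending_fraction(batch), 3))
    print("rows per 3-digit prefix in 1,000,001 rows:",
          round(expected_rows_per_prefix(1_000_001)))
```

Two things fall out of running it: consecutive hardware produces prefixes that go up about as often as they go down, with essentially no +1 steps, and a million-row dump puts roughly 244 devices under every 3-digit prefix anyway, so several "Administrator" iPads sharing a prefix is expected. Sorting the CSV by the UDID column would of course produce an ascending prefix column, and that says nothing about the devices either.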
We've recently discovered that even though the Apple docs suggest the APNS tokens may be unique to each app and may change over time they are NOT unique to an app and they also do not change (at least not over the last 18 months).
So if you have two apps on the same device they both share the same UDID and the same APNS token.
Whilst on the surface this may seem like a huge security issue it is not as bad as it seems, because in order to send push notifications to a device you must have the correct APNS .p12 certificate generated by Apple for the app AND the app must be installed on that device.
I would see the UDIDs as more of a security breach given the fact that many developers are still using the now deprecated UDID to interface with web services.
On a similar note, if you are developing an app and need to have a unique identifier you should be using Secure UDID or something similar https://github.com/crashlytics/secureudid, and if you're sending data to your own webservice, don't just use SSL, use encryption such as SHA to prevent MITM sniffing of your data - both iOS and Android allow installation of root CA certs, which is amazing for developing and sniffing APIs but dangerous if you're writing webservices and ONLY relying on SSL and no other encryption.
If you save the random number, what happens when they wipe the device and reinstall your app? No way to get that original number back. Secure UDID is deterministic, so you'd get the same ID, and can resume the original session.
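Added example (editor's, not SecureUDID's code and not from any commenter) of the idea behind an app-scoped identifier as discussed in the two comments above: a random secret that lives on the device outside the app's sandbox (SecureUDID used the pasteboard for this; here it is just an attribute of a constructed `Device` object), combined with the developer's domain and salt through HMAC. The result is stable across reinstalls of the same app, differs between apps, never contains the hardware UDID, and changes if the device is wiped, which is the trade-off the last comment points at. The domain names and salts are made up.

```python
import hashlib
import hmac
import secrets


def app_scoped_id(device_secret: bytes, app_domain: str, salt: str) -> str:
    """Per-app identifier: HMAC-SHA256 keyed by a device-local random secret over the
    app's domain and salt. Deterministic for one app, unlinkable across apps, and not
    derivable from (or reversible to) the hardware UDID, which never enters the hash."""
    return hmac.new(device_secret, f"{app_domain}|{salt}".encode(), hashlib.sha256).hexdigest()


class Device:
    """Constructed stand-in for a handset. `udid` is the hardware identifier every app
    sees; `secret` models a random value kept outside the app sandbox, so it survives
    reinstalling the app but not wiping the device."""

    def __init__(self, udid: str):
        self.udid = udid
        self.secret = secrets.token_bytes(32)

    def wipe(self):
        """Factory reset: the device-local secret is gone, so every app gets a new ID."""
        self.secret = secrets.token_bytes(32)


def joinable_rows(db_a, db_b):
    """If two apps' backends both leak, how many rows can be joined on the ID column."""
    return len(set(db_a) & set(db_b))


def simulate_breach(n_devices: int):
    """Two unrelated apps record an identifier for the same n devices. Returns how many
    rows join when both stored the raw UDID versus an app-scoped ID."""
    devices = [Device(hashlib.sha1(f"device{i}".encode()).hexdigest()) for i in range(n_devices)]
    raw_a = [d.udid for d in devices]
    raw_b = [d.udid for d in devices]
    scoped_a = [app_scoped_id(d.secret, "com.example.reader", "salt-a") for d in devices]
    scoped_b = [app_scoped_id(d.secret, "com.example.game", "salt-b") for d in devices]
    return joinable_rows(raw_a, raw_b), joinable_rows(scoped_a, scoped_b)


if __name__ == "__main__":
    d = Device("0" * 40)
    before = app_scoped_id(d.secret, "com.example.reader", "salt-a")
    print("same app, reinstall:", before == app_scoped_id(d.secret, "com.example.reader", "salt-a"))
    print("other app:", before == app_scoped_id(d.secret, "com.example.game", "salt-b"))
    d.wipe()
    print("after wipe:", before == app_scoped_id(d.secret, "com.example.reader", "salt-a"))
    print("joinable rows (raw UDID, scoped):", simulate_breach(1000))
```

The security point for a dump like this one: a column of raw UDIDs joins against every other backend that stored them, while a column of scoped IDs joins against nothing outside the app that issued them.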
Wow, this is bad, and an excellent example of how the security machine (in this case FBI) can always be turned on itself. The methods required for FBI to "protect" citizens can be misused (or hacked) to do the opposite. A gun can always be turned around, etc.
The fact that there is a column for APNS (Apple Push Notifications) suggests that this is a database dump from an iPhone app that supports push notifications. APNS tokens are generally tied to a specific app so it may be possible to figure out what app leaked their database.
The "NCFTA" seems to deal with identity theft. (Ironic)
APNS tokens are generally tied to a specific app so it may be possible to figure out what app leaked their database
This isn't true, APNS device tokens are shared among apps on a device. The only time a device will have more than one device token is if it's being used for development.
This isn't to say that Apple couldn't correlate the device tokens by looking for shared apps with active APNS entitlements.
No: the APNS token is only changed if you get a new device (as it is tied to your device's certificate) or restore your phone (and not restore a backup: if you restore a backup it restores the token).
If the full file (including addresses) gets into the wild, and I fear that this may happen, it will be a really useful tool for burglars. Many iOS devices probably correlate with many valuables in a home. That's a lot of lawsuits against everybody involved...
Pretty sure that a smart burglar could figure out approximate addresses of people who own iPhones by looking at publicly available Instagram or Twitter or Facebook or Flickr locations. Not to mention people telling the world "I'm camping this weekend" which a burglar hears as "I'll be gone all weekend, steal my things!"
I think a smart burglar would just look at any commonly available database of home sales. Anybody who has moved in the last few years into a more-expensive-than-average house should correlate much better with valuables than iPhones.
However, I'd hope any criminal with brains like that would find something to do that has higher yield and lower risk than housebreaking. I'd suggest working for a private equity company.
Yeah, I'm not really worried that burglars are going to use this data-set for harm. If they know about this data-set they likely know about databases of home sales or car sales or just plain old census data listing the average income by county.
There's a pretty nice power law in the names, which would support a real random sample. http://tinypic.com/r/11gmwjl/6 That PDATX.net business is really weird, though.
Is there some good reason for all those steps to actually get the file after downloading? I don't see the point of encrypting it, or of having a tarball with just one file. They also suggest checking the file integrity of the download, and then also checking the integrity of the final extracted file--this seems completely pointless as the final extracted file is derived deterministically from the download so you've already checked it when you checked the download checksum.
Encrypting it, at least, makes sense: They can take their time distributing the file without anyone peeking at it before they're supposed to. Then, when they release the decryption key, the file is already copied all over the place and really hard to shut down.
Guess all the verifying means they are afraid someone will distribute "altered" versions. Checking it twice is maybe a little drastic? Don't know how hard it is to generate a file that compresses to the same as their file (collision). But it's at least theoretically possible.
MD5 is not the best cryptographic hash... it's weird that they would be so paranoid as to include two hashes but not use something harder to collide with.
While I agree there are better options, MD5 has no known preimage attacks. So it's stretching it a bit to imply that someone could easily cause a collision on an existing archive.
Theoretically, it is possible to create another file, which after encryption will give you the same checksum. I doubt that someone will be able to do it in a reasonable amount of time though.
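The exchange above is about checking a download against published digests, and about whether a second check on the extracted file adds anything. The following is an added example, not anything from the release or the thread: it builds a single-file tarball deterministically, verifies bytes against every published digest at once (so an attacker would need a simultaneous collision across all of them, not just MD5), and shows that extraction of verified bytes is itself deterministic. `SAMPLE_CSV` and the function names are constructed for the example.

```python
import gzip
import hashlib
import hmac
import io
import tarfile

# Constructed sample: a tiny CSV standing in for the released list.
# Every value here is made up.
SAMPLE_CSV = (
    b"udid,device_name,device_type\n"
    b"0000000000000000000000000000000000000001,Example iPad,iPad\n"
    b"0000000000000000000000000000000000000002,Example iPhone,iPhone\n"
)


def digests(data: bytes, algorithms=("md5", "sha1", "sha256")) -> dict:
    """Compute several digests of the same bytes.

    Publishing more than one hash means a forged file would have to collide
    under all of them simultaneously, which is far harder than under MD5 alone.
    """
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}


def verify(data: bytes, expected: dict) -> bool:
    """Return True only if every published digest matches the data.

    An empty expectation verifies nothing and is rejected.  compare_digest
    is used out of habit; for a public file timing leaks are immaterial.
    """
    if not expected:
        return False
    actual = digests(data, tuple(expected))
    return all(hmac.compare_digest(actual[alg], expected[alg]) for alg in expected)


def pack(name: str, payload: bytes) -> bytes:
    """Build a single-file .tar.gz deterministically (fixed mtime in both the
    tar header and the gzip header), so the same input always gives the same
    bytes and therefore the same digests."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        info.mtime = 0
        tar.addfile(info, io.BytesIO(payload))
    return gzip.compress(tar_buf.getvalue(), mtime=0)


def unpack_single(archive: bytes) -> bytes:
    """Extract the one member of a single-file archive and return its bytes.

    Because the result is a pure function of the archive, a digest check on
    the archive already covers the extracted file.
    """
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        members = tar.getmembers()
        if len(members) != 1:
            raise ValueError("expected exactly one member, got %d" % len(members))
        return tar.extractfile(members[0]).read()


if __name__ == "__main__":
    archive = pack("constructed.csv", SAMPLE_CSV)
    published = digests(archive)          # what a release note would list
    print("download verifies :", verify(archive, published))
    print("tampered verifies :", verify(archive + b"\x00", published))
    print("inner file intact :", unpack_single(archive) == SAMPLE_CSV)
```

Usage note: the check that matters is the one on the bytes you actually received; if that passes, re-hashing the extracted CSV can only fail when the extraction tool itself is faulty, which is the one case the second published hash would catch.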
Then, one can hope, the government might actually be forced to engage in meaningful discussion about whether their ridiculously expensive and obviously damaging espionage programs make sense.
"Get informed, and inform."
Straight up manifesto material.
Gratzi!
"...engage in meaningful discussion.."
It's hard to engage in meaningful dialogue with people who are so entrenched in their own views (BIG$$,BIGOIL,BIGGOVV-types) but we shall continue!
The question of evidence is a very significant one.
Namely, why has AntiSec not provided any to substantiate their claim that the data was sourced from the agent's laptop? Surely if they had access to it they could have provided some additional files as supporting evidence?
UDID checklist: http://dazzlepod.com/apple/ Partial UDID search accepted, i.e. search "d565" instead of your full UDID "d56504ca3b268177f76fef0c2c446ba183afd12b"
They wrote in the release that they wouldn't give any more interviews until they saw "Adrian Chen get featured on the front page of Gawker, a whole day, with a huge picture of him dressing a ballet tutu and shoe on the head, no photoshop."
Not even bothering to submit this as a story to HN because I'm pretty sure Gawker links get auto-killed (with good reason, the Gawker article is crap).
Just a comment: we are still waiting for published news about the
$2 billion worth of loans Assad has taken from Russia,
mentioned in the Syrian mails,
and also about the transfer of money to Austrian banks etc....
and also cocks...
So, don't be lazy journos and look for them.
Any one have any additional info on that?
EDIT: Derp...thanks for the correction. I read too fast. Still intrigued if anyone knows anything more.
One of the best examples of a real Australian accent I've heard on American television is Dr. Chase [Jesse Spencer] from House, who is a real Australian and did not ham it up for an American audience. (Oddly though, the man who played his father in one episode had possibly the most embarrassingly bad fake Australian accent ever. Surprised Spencer didn't kick his arse during filming.)
You do not get real foreign accents on prime time American television, the viewers would be bemused and look for subtitles.
You get what Americans think are foreign accents, i.e. lightly accented. The one exception is that Brits playing bad guys are allowed to use camp, pantomime villain accents. Alan Rickman has made his fame and fortune from this, a shame as he is rather a good actor.
Hugh Grant sounds nothing like he does/did before that series started.
Yep... well, based on this, I was able to fill in a UDID from the file and pull back an OpenFeint result. It didn't pull any sensitive information, but it worked. So they seem to be real UDIDs.
This demonstrates once again the antagonism between being able to ensure security, which was complained to be lacking for 9/11, and making sure that no honest citizen gets trampled by it.
I can't see a way out of spying on its own citizens and keeping them in the belief they aren't, to achieve the goal.
One of the questions to be asked is who is controlling the controllers?
I think this leak plays for the FBI in a PR sense, not against it. All support slogans in the _anonymous message are an exact description of US foreign policy, so this message supports the distribution of wreck and havoc in people's lives in the third and second world. All this is rather strange.
The US Government itself gives us this loophole. I'm Brazilian and I've already managed to break into the Apple and Microsoft sites several times, and now I'll try the FBI's from an external computer :D Wish me luck
FACEBOOK? If I had to bet on any company I would bet on Facebook as the main/top source of this data. Where else can you easily be profiled so easily by liking or sharing content the Big Bro would deem as subversive. Followed by phone carriers since they have already been working with Big Bro, then apple and google. Combine these and you should be able to know everything you want. Govs probably won't deal with smaller companies lest increasing chances of leakage, etc.
Don't iOS apps have the permission to use the internet without any hassle? In that case, I would assume by using such app, chances are, you are contributing to another entity's UDID collection.
If you look at line #'s 3741 through 3845, you will see they all (105) belong to one Abo Mossa. Is Abo Mossa some kind of an iPhone/iPad reseller or is there something else going on?
Why all the buzz? I thought that the people who buy Apple products or use centralized social networks knowingly sacrifice their privacy and already expect things like this to happen.
Wait, are you serious? I didn't know anyone could be _that_ delusional about Apple. You _really_ think Apple cares about privacy? They aren't "that kind of company"? Where the hell do you get the idea that Apple cares about the morality of their decisions? Could it be that you are a fanboy? Wait, I know the answer to that already.
The accusation is that Apple INTENTIONALLY gave the FBI a database with twelve million records. That is what my comment refers to. It is preposterous to propose that Apple --or any company for that matter-- would willingly do that. The liability hole this would open up would be massive. They are a business and you can bet your ass that every decision with potential liability consequences is well considered by managers and their legal teams.
No, I am not an Apple fanboy, quite the contrary. As a developer I am very critical of their attitude and decision making. I think they really suck at some things and have been very vocal about it on HN and elsewhere. That does not mean that I would automatically vilify them for everything.
HN is very interesting at times. Most of the time you get positive feedback when you are for Apple and for politically Liberal points of view. However, sometimes the poles reverse and North becomes South. This is rare when Apple is the subject. I guess in this case it was as simple as not understanding what the comment was referring to, which can happen if someone doesn't actually read the original article in the first place.
Precisely what liability do you think Apple should be afraid of? I'm having trouble imagining what they could be sued for here.
Note that the FBI is the supposed source of the leak here. So let's say Apple claims they gave up the data at the request of the FBI to supposedly help with a classified terrorist threat that the government won't have to reveal at trial. Who's going to sue Apple, and for what?
With the reply you've just sent and you seriously question if the parent is unbiased? Do you frankly consider yourself biased? Could it be that you're an anti-apple fanboy?
I indeed am, sometimes. And my post was biased, it was a bit of a bait. I can do the apple-fanboy as well though, if the topic calls for it.
On a more serious note though, I think Apple doesn't give a fuck about privacy- things like saving geolocations, the DRM in iTunes, unique device identifiers and stuff like that really makes it look like that at least.
Apple has everything to do with this. They're the ones who decided to put UDIDs on all their devices to begin with. And they know they've royally screwed up too - that's why they've deprecated UDIDs in iOS 5 and have started rejecting applications that access it. But that hardly fixes the problem since everyone will just use the Bluetooth or wireless MAC addresses instead - it's not guaranteed to be unique, but close enough.
So, essentially, you're saying whatever Apple does or doesn't do is a bad decision in the end since it would always fall back to the hardware identifiers, then. Right?
Not quite. Part of the point was that "hardware coded IDs for devices concept should be eradicated from any device on the market in the future." I'd place MAC addresses in that bucket as well. A company like Apple that's been changing the status quo for years should be striving to do the same when it comes to their users' privacy and anonymity.