AntiSec leaks 1,000,001 Apple UDIDs, Device Names/Types (pastebin.com)
648 points by robbiet480 on Sept 4, 2012 | 268 comments

Money quote for the people that don't want to wade through ten pages of rant:

  During the second week of March 2012, a Dell Vostro notebook, used by
  Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action
  Team and New York FBI Office Evidence Response Team was breached using the
  AtomicReferenceArray vulnerability on Java, during the shell session some files
  were downloaded from his Desktop folder one of them with the name of
  "NCFTA_iOS_devices_intel.csv" turned to be a list of 12,367,232 Apple iOS
  devices including Unique Device Identifiers (UDID), user names, name of device,
  type of device, Apple Push Notification Service tokens, zipcodes, cellphone
  numbers, addresses, etc.

This is very disturbing. How did the FBI gain access to all this information? It should be locked up in Apple.

From what I see, the NCFTA in "NCFTA_iOS_devices_intel.csv" looks like it stands for the National Cyber-Forensics & Training Alliance, which "functions as a conduit between private industry and law enforcement." (http://www.ncfta.net/)

Is Apple willingly sharing personal information with the FBI through the NCFTA?

Doesn't a popular iOS developer have the same information?

UDIDs, APNS tokens (for push notifications), basic demographic information is something a popular social app or game might have. 12 million is a pretty good number, though.

edit: our iOS app has over 2 million of these type of device records (though we don't collect any demographic info, so just device ids, apns tokens, device names, device types -- standard for push notifications).


Would all of those millions install an application from the FBI knowing it gave them that information?

Just because I am ok with one organization having my information doesn't mean that I am ok with any others having the same.

I'm presuming the FBI got the database from an App Developer. Not that the FBI released a popular iOS app.

The FBI stole an Instapaper server in an unrelated raid http://blog.instapaper.com/post/6830514157

So Marco Arment could go all CSI for us and let us know whether the sample corresponds to info he retained and which would have been on the server at the time.

I've been using Instapaper since pretty much the first day, and my information is not in the file. Not to say they don't have it, but, it's not in that file, FWIW.

According to one report [1], only 1 million of about 12 million stored records were released by AntiSec, so the absence of your record is not conclusive.

1: http://thenextweb.com/2012/09/04/antisec-hackers-leak-100000...

I couldn't even guess the episode, but Marco has stated on his 5by5 podcast that he doesn't collect user information and only dips into user information grudgingly. I'd be surprised if this came from him as according to his statements he finds holding any user information that could be described as private unpleasant. This is all based on recollection however.

Still can't find the podcast, but here is what Marco says the FBI took, quoted from the Instapaper blog about a year ago: >>The server was used as a MySQL replication slave, handling read-only queries to speed up the site. Instapaper suffered no downtime as a result of its theft and no data has been lost.<<

Further down:

>>Possibly most importantly, though, the FBI is now presumably in possession of a complete copy of the Instapaper database as it stood on Tuesday morning, including the complete list of users and any non-deleted bookmarks. (“Archived” bookmarks are not deleted. “Deleted” bookmarks are hard-deleted out of the database immediately.)

Instapaper stores only salted SHA-1 hashes of passwords, so those are relatively safe. But email addresses are stored in the clear, as is the saved content of each bookmark saved by the bookmarklet.

The server also contained a complete copy of the Instapaper website codebase, but not the codebase of the iOS app.

Linked Facebook, Twitter, or Tumblr accounts only store their respective OAuth keys. Linked Evernote accounts only store the Evernote email-in address. Linked Pinboard accounts, however, store plaintext usernames and encrypted passwords, and the encryption keys are present in the website source code on the server. <<

So "FBI theft" should be a new failure mode to defend against in web applications, right after SQLi and XSS? I'm handling this by not having any servers in the USA, hopefully GB is safe.

Yeah, this gives a whole new meaning to having live backups/redundancy. I guess this is an advantage of hosting on EC2 since it would be difficult for the FBI to seize the physical server.

It would be easier on EC2 since the FBI could just have Amazon clone your EBS volume and you'd never be the wiser.

Absolutely, that wasn't my point. Since the FBI could do that, you are unlikely to get your server seized from an unrelated raid. Still, a crappy situation.

Other countries aren't that safe. https://www.eff.org/cases/indymedia-server-takedown

Uh, yes. I think that is a safe assumption that they did not compile the list themselves.

iOS developers don't have the Apple IDs nor ZIP codes nor addresses (unless they separately ask for them but at least the apple ID is very uncommon)

There are no "Apple IDs" in here. Just Apple device UDIDs.

You are right. I misread the announcement. That still leaves the issue of the personal data, but as I said: app developers could acquire that directly from the user.

Possibly, the fact that personal data is missing so often actually might point to a non-Apple leak, because they would have the link to personal data. Of course it could be fake, but it would be present.

When he said "a popular iOS developer" I assumed he meant Facebook.

I imagine it wouldn't be that difficult to extrapolate this information from your address book: I keep my own name, phone number, address, etc. all in there, and you can probably figure out which record is mine.

Could this data have been taken from the AT&T "breach" a while back where all the data for iPhone customers wasn't protected and crawled?

And 12 million is the number claimed. Only 1 million is shown.

Well, at least the FBI is not going to share your personal information with advertisers, or (opt-in) spam you to death trying to sell you something.

The FBI's mission is reasonably clear; it's a government-regulated organization; it's non-commercial. They have a certain amount of accountability. Alas, we can't say the same for "popular iOS developers". We've seen how sneaky some iOS app developers can be with respect to privacy, and with little remorse after they get caught.


(and yeah, I know this is probably going to hammer my HN karma all the way to the bottom but...lol man)

Couldn't an American request a FOIA for this to see what's the level of information gathering on iPhone users? Could EFF sue them for it or something to unveil more?

If there is indeed an ongoing investigation, FOIA would not apply (reasonably enough).

An ongoing investigation of 12 million people?

I have no idea. There are a lot of assumptions implicit in that question.

I'm just saying that you are unlikely to be successful in requesting more information for this file. Information that "could reasonably interfere" with law enforcement is exempt. Also, the FBI does not make it easy to request documents from them and, further, the turnaround on a request can be months or years.

>Is Apple willingly sharing personal information with the FBI through the NCFTA?

Define "willingly."

FBI: "Can we have this data? we can pay something" Apple: "Sure! In which format do you prefer to have it?"

FBI: "Just give it to us as CSV, kthxbai."

It wouldn't be "willingly". But If Apple was presented with an order from a court, then yes, they'd have no choice. They could fight it; but they'd lose, depending on the reason. Frankly the only reason would be some terrorism angle.

But those types of actions are rare.

I would be surprised if you could get a court order to turn over details on 12 million users.

I wish that Apple, if indeed presented with a court order, would've gone the Twitter route and publicized that fact.

It's a no win situation for them. Hand the info over and you're on msnbc for giving it up, don't hand it over and you're on fox news for helping the terrorists...

Plus for certain kinds of investigations, it would go against the court order to go public. I don't want to defend apple here but this is an American law enforcement problem, I'm certain ms, google and others have provided info to the government that would anger many and there are probably a lot of companies that do it without a court order... Trying to be good citizens.

Why the hell was that info on a laptop?

That would depend on which court the order came from. If it was from the FISA court, for example, then publicizing it would send people to jail.

But again, if that were the case then it would be related to anti-terrorism efforts. Well I hope it would be. The FISA court exists for that reason (mostly).

I guess my paranoia depends on how much I trust the government :)

The National Cyber Forensics and Training Alliance in Pittsburgh is the office where the FBI Agent who posed as a member of the carding community worked when he helped take down Max Ray Vision, née Butler.


http://www.fbi.gov/news/stories/2011/september/cyber_091611 “The exchange of strategic and threat intelligence is really the bread and butter of the NCFTA,” said Special Agent Eric Strom, who heads the FBI unit—the Cyber Initiative and Resource Fusion Unit (CIRFU)—assigned to the NCFTA. “The success of this effort at every level comes down to the free flow of information among our partners.”

Dan Larkin (the FBI Agent who setup NCFTA in 1997) http://www.linkedin.com/pub/dan-larkin/25/90/910

Note that he used to be with CIRFU. Likely that he still is with the CIRFU. They share office space: http://www.itbusiness.ca/it/client/en/home/News.asp?id=51778... "Mularski works for a little-known FBI division called the Cyber Initiative and Resource Fusion Unit, run out of the National Cyber-Forensics & Training Alliance in Pittsburgh, Pennsylvania. The unit is different from a typical FBI field office. It works hand in hand with industry and takes the time to do the deep research required to penetrate the world of online crimina

Good thing the announcement didn't say "A large monster from Mars radioed these in" - Imagine how upset you'd have been at NASA!!!!

A bit of a dick way of putting it, but there's no evidence the FBI is involved in this other than some words in an announcement that could be by anyone with an axe to grind.

I'm not sure why you're getting downvoted here, it's a valid point. There is nothing to prove this list came from the FBI, and I wouldn't put it above Antisec/Anonymous to get into a database of some popular iOS app, release the info, and then say it was from the FBI both to slag on the FBI and to stroke their e-peni^H^H^H^H^H^H^H ego.

Neither am I, but I suppose the humour was a little too barbed.

A more likely source is neustar (a spinoff of Lockheed), who also has all that information and is actually in the intel business.

what kind of verification do you have that the file was pulled from an FBI computer?

could anonymous have hacked this information from Apple or a carrier themselves? what information is present that they didn't do that?

Are there any indication in the files that points towards a hack on apple or a carrier?

Another important money quote:

    we trimmed out other personal data as, full names, cell
    numbers, addresses, zipcodes, etc. not all devices have
    the same amount of personal data linked. some devices
    contained lot of info.

So the release "just" contains UDID's and zip codes.

Actually, it appears to only be UDID's, APNS tokens, device name, and device type.

Is there any evidence that this data comes from the source they claim?

And is there some way to validate these are real UDIDs?

Sure - me. Both my iOS devices are on this list - confirmed both by name and UDID match.

However, I renamed my iPad around last November after I started using it more in public, yet its original name (easy to find if you search for my HN nick) is the name listed.

EDIT: Oh, and fwiw, law-abiding natural born US citizen here. But who am I kidding - LEAs don't give a toss about that.

Does it have an APNS token? Is it possible to send yourself a push notification and see what app it appears to come from?

You need an appropriate cert for that.

...assuming this has any connection to LEA

It would be interesting if you and others with their device on the list could come up with a list of apps that you've had installed.

How does that prove that an FBI laptop was the source of this information (per the grandparent post's question)?

Your grandparent asked two questions. He answered the other one.

I have information this morning from a source that's "in the know" that this is definitely a false-flag attack against the FBI.

Non-gov researchers I know also attribute this to a possible hacking of an iPhone/iPad application backend DB before Apple put in the UDID storing restrictions to the iOS API.

I'm only bringing this to light because it is easy to fall for things you read on the Internet and get excited/theorize.

holy shit.

This is huge. I've been fearing this kind of leak for a long time. If you're unsure why this is huge, here are some posts of mine on this issue showing de-anonymization, complete takeover of social media accounts, and more:

De-anonymizing UDIDs with OpenFeint: http://corte.si/posts/security/openfeint-udid-deanonymizatio...

A survey of how UDIDs are used: http://corte.si/posts/security/apple-udid-survey/index.html

Why the Apple UDID had to die: http://corte.si/posts/security/udid-must-die/index.html

I've often been asked what I thought the worst-case scenario is regarding the mis-management of UDIDs. My answer has always been that a large UDID database leaking would be a privacy catastrophe...

One interesting thing I've found is that apparently 190 of those 1000001 people have named their devices "The Titanic", for that iTunes "The Titanic is syncing" pun. I'm curious if there's anything else interesting that might be found in this data.

I seem to see a disproportionate number of pro photographer accounts (grep for dot coms as device names) which might point to some commonality--some photo app? A quick search showed more female email addresses, but not sure if this is related to the source or if it is related to the likelihood of women using their email addresses as device names.

Actually, it’s more like 166:

    $ grep -c -i "titanic\'" iphonelist.txt

It’s only 190 if you include names like “Titanic’s iPad”, but those aren’t funny.
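The counting and sanity checks people are doing with grep above (how many names end in "titanic", whether the hashes are even the right shape for a UDID and an APNS token, whether a UDID shows up under more than one name, as happens further down the thread) can be done in one pass over the file. The following is an added example, not code from the thread or the leak; the rows are constructed in the four-column, single-quoted layout quoted from iphonelist.txt, the hashes in the made-up rows are invented, and the assumption that an apostrophe inside a device name is escaped as `\'` (MySQL-dump style) is mine.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the row layout quoted from iphonelist.txt:
# 'udid','apns_token','device name','device type'
# The first two rows are the ones quoted in the thread (same UDID, two names);
# the remaining rows are made up for this example, including one with a
# truncated UDID to show that malformed rows are skipped.
SAMPLE = """\
'c63e008e6271c3ac128eb6a242a9817528b6baef','b996a080e11265a0c93436ba0b13b7c07ee4e8eef6faeb8516917b015d7355fb','“Administrator”的 iPad','iPad'
'c63e008e6271c3ac128eb6a242a9817528b6baef','b996a080e11265a0c93436ba0b13b7c07ee4e8eef6faeb8516917b015d7355fb','Obama','iPad'
'473d6e1ebf0b100ed172ce5f69c97ba6c8f12ad5','766a23201c6089be11845bfef624dbaada68be52155079850951836e9373e5cd','hobamain','iPad'
'0000000000000000000000000000000000000001','1111111111111111111111111111111111111111111111111111111111111111','The Titanic','iPhone'
'0000000000000000000000000000000000000002','2222222222222222222222222222222222222222222222222222222222222222','Titanic\\'s iPad','iPad'
'0000000000000000000000000000000000000003','3333333333333333333333333333333333333333333333333333333333333333','titanic','iPod touch'
'deadbeef','4444444444444444444444444444444444444444444444444444444444444444','short udid','iPhone'
"""

# One single-quoted field; a backslash escapes the next character (assumed \' convention).
FIELD = re.compile(r"'((?:[^'\\]|\\.)*)'")
UDID_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)  # 40 hex digits, SHA-1 sized
APNS_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)  # 64 hex digits, a 32-byte token


def parse_row(line):
    """Return (udid, token, name, device_type), or None if the row is malformed."""
    fields = [f.replace("\\'", "'") for f in FIELD.findall(line)]
    if len(fields) != 4:
        return None
    udid, token, name, dev_type = fields
    if not UDID_RE.match(udid) or not APNS_RE.match(token):
        return None
    return udid.lower(), token.lower(), name, dev_type


def load_rows(text):
    """Parse every non-empty line; return (well-formed rows, count of malformed lines)."""
    good, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        row = parse_row(line)
        if row is None:
            bad += 1
        else:
            good.append(row)
    return good, bad


def count_names(rows, word):
    """Count names ending with `word` (what grep -i "word\\'" selects) and names
    merely containing it (which also picks up "Titanic's iPad"). Case-insensitive."""
    w = word.lower()
    ends = sum(1 for _, _, name, _ in rows if name.lower().endswith(w))
    contains = sum(1 for _, _, name, _ in rows if w in name.lower())
    return ends, contains


def names_per_udid(rows):
    """UDIDs that appear under more than one device name, with those names.
    The same device recorded twice is a hint the dump came from an app's
    per-registration table rather than a per-device registry."""
    seen = defaultdict(set)
    for udid, _, name, _ in rows:
        seen[udid].add(name)
    return {u: n for u, n in seen.items() if len(n) > 1}


def device_type_histogram(rows):
    return Counter(dev_type for _, _, _, dev_type in rows)


if __name__ == "__main__":
    rows, bad = load_rows(SAMPLE)
    print(f"{len(rows)} well-formed rows, {bad} malformed")
    print("names ending with / containing 'titanic':", count_names(rows, "titanic"))
    print("UDIDs seen under more than one name:", names_per_udid(rows))
    print(device_type_histogram(rows))
```

Run it against the real file with `load_rows(open("iphonelist.txt", encoding="utf-8").read())`; the format checks only tell you the fields are the right shape, not that a given UDID belongs to a real device, which is why people in the thread are looking up their own devices by hand.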

There are a few phones named 'Venice', presumably for the 'Venice is syncing' pun. My iPhone is named Venice for a different reason, but it's not in the list.

This is troubling on so many levels. Why did an FBI agent have a document of user and device info on his desktop and the real question is why are the FBI tracking this information in the first place? Surely this is illegal.

By the way, I think AntiSec needs to hire someone to write their releases for them. I struggled at times to make sense of the almost gibberish in their rant-filled sentences and at times some of the things they were saying read like the paranoid ramblings of a crystal meth addict. It wasn't until the end where everything they were saying was put into perspective and I understood what they were talking about.

While yes, it was generally poor, I got a kick out of the following:

"a monthly fee, forever until you die. That's the future; nothing is really yours. LAAS - Life As A Service."

Not too poignant. When was living ever free?

The point isn't that life meant never having to work. To make a stylized sketch of it: life, or identity, is increasingly made more legible to the State. Legibility of information is the backbone of state power(1), moreso than even violence or popular support. Legibility of identity is therefore granting the state more power over the individual, which further undermines human autonomy by making the ability to live dependent on remaining in the good graces of the State, by paying our dues and contenting ourselves within the all-encompassing social system that develops.

(1)For instance, the first recorded use of writing is not typically for poems or liturgy but for tax documentation for imperial states.

I didn't enjoy it for its poignancy; I was simply delighted by the phrase "Life as a Service".

I was confused by the writing style as well. It seems to be almost intentional. I wonder if it's a way of avoiding any style or nuances that could be attributed to a single person. Almost like a cut and paste ransom note.

I wouldn't be surprised in the slightest. A lot of work has been done on adversarial stylometry recently, for precisely this reason.

ccc presentation: http://www.youtube.com/watch?v=-b0Ta9h62_E

EDIT: also as grumpysimon says, it's a proud tradition going back decades.

It's elite (or 1337 if you will). It's supposed to sound cool. All the underground computer groups have talked like that since the early warez/cracking/phreaking scene.

Are you sure they're not just really bad at writing?

A lot of the "scene" traditions and symbols have a lineage back to adolescent boys in the early 80's, as that's when many of the influential groups exploded onto the scene, so even if they're emulating a traditional style, they're emulating one that arose out of kids who wrote badly who tried to sound cool.

(I've some really horrible examples to my credit too, but thankfully I don't think any of it has survived)

It struck me as well-written but highly in-jokey, and targeted at a very specific audience. If they were writing for the general reader, this would be terrible. But I took it as addressing other members of the hacker scene, hoping to prompt them into similar politically-focused action.

I thought it was quite well written, also noticed the "Life as a Service" part. Maybe it only works on me because I thought about those things before, but it wouldn't be an effective propaganda piece.

> Surely this is illegal.

So? Pretty sure torture and car bombing innocent women and children is also illegal.


There's always one person in the comments section that leaves a comment that couldn't be any further disconnected from the discussion. As pointed out you're getting confused with the CIA, it even quite clearly says in the Wikipedia article you linked: "...a failed assassination attempt organized by the American CIA and British intelligence"

Lets not make this situation out to sound worse than it is. The FBI having access to 12 million UDID's and user information which apparently had holes in it anyway is nowhere near as bad as innocent civilians being killed and seriously injured. It's bad, but not that bad, calm down.

> you're getting confused with the CIA

No I am not. I was talking about the executive branch of our government.

> Lets not make this situation out to sound worse than it is.

I was commenting on the assertion that this is 'illegal' and thus how could FBI possibly do this. And my response was that it seems illegality isn't exactly stopping anyone, be it FBI, CIA or other agency.

No need to go that far back - we can talk about the warrant-less wiretaps, or the pre-trial assassinations of US citizens.

...of course, the current administration insists that those are legal, but because they refuse to release a legal argument defending the practice, the best explanation they've given is 'Just trust us, okay?'. Not sure how that would hold up in a court of law.

We're talking about the FBI, not the CIA. You know, the same FBI that walked from Gitmo because detainee constitutional rights were being violated when they were being tortured.

I'd love to read the warrant that granted this disclosure. If one doesn't exist I'd love to hear Apple's reasoning for releasing a 12 million + user database to LE without being legally obliged to do so.

> We're talking about the FBI, not the CIA

They are both part of the government and the culture of 'laws for us vs laws for them (the regular people)' is present in both.

I can't believe with nearly 100 comments I appear to be the only one to call the whole story of how these were acquired into doubt.

I'm not saying that the FBI story isn't true, but so many comments here just assume it to be 100% factual - there's no evidence that it was taken from the FBI vs found on a USB Stick in the garbage.

It's a big story, yes, but I think maybe a deep breath is in order before we all accuse the FBI of leaking/losing/stealthily acquiring something!

(I'm not a US Citizen, btw)

I guess we better start tracking everything the FBI does. You know, so we can prove their innocence.

Besides, what's the big deal... if they have nothing to hide then they have nothing to worry about!

Nitpick: While I agree with the idea (of accountability), the fact of the matter is that the FBI--being what they are and doing what they do--actually does have things to hide, often with good reason, even.

i think it's mainly because we'll never know, and it's not really the point that bothers most.

What bothers most is that this data exists at all, and what it's used for.

You're right, we should extend the courtesy of innocent until proven guilty. :)

Though, it must be curious why AntiSec have had 12 million UDID's, but only now are releasing them. Also, no one else from AntiSec is corroborating it?

http://news.ycombinator.com/item?id=4473755 says his device is on the list.

I have found my own UDID - I can confirm these are real UDID's - and now I want to know why an FBI agent had my (a brit) UDID on their laptop.

What apps do you have installed? This is interesting to know since the data might be from a popular app instead of Apple.

Whatsapp, ebuddy pro, ebuddy XMS, Angry Birds, Angry Birds Space, FML, XKCD, Facebook, Spotify, BBC News, Dropbox, Steam and PokerStars are the more popular official ones I have installed. I also have Cydia, a few tweaks and finally Installous (didn't want to admit that - I don't use it often - but thought it may shed some light here)

I run Cydia, and have determined only 16.7% of the UDIDs in that file are from jailbroken devices: I thereby do not believe that whatever managed to get this data is anywhere in our ecosystem.

Do you have similar information stored about the Cydia users? How many users do you have?

The question "how many users do you have" is impossible to answer, as all I can ever demonstrate is "X users used Cydia in the last Y period". As for your second question, the information I have for your average Cydia user (one that is not actively paying me money, in which case I obviously have tons of information) is purposely highly limited: I certainly do not have, for example, the "names" of devices that was included in these dumps from AntiSec (which often discloses the name of the user), or any of the other personal details that are claimed to be in the original file.


That's a good question, I was wondering the same thing?

Doesn't 16% sound above the average? Could it be related to app warez on jailbroken devices, somehow?

One would not expect it to be at the average, because this information is going to have come from some popular app, and there will be high correlation between "people who have never used even a single app: they just wanted a phone" and "people who have never considered jailbreaking: they just wanted a phone"; this is even more the case once you consider that it might not be an app that "virtually everyone has": it might be an app that is either correlated with skill (you are slightly more likely to have the app, even controlling for people who have apps at all, if you are the kind of person who really cares) or negatively correlated with age (you are more likely to have the app if you are younger, which correlates better with the demographic of people who jailbreak).

Very interesting analysis. The question now is: which app/network exhibits such properties? Considering the data is recent, I suppose it eliminates big guys like Facebook/Apple. Thanks for sharing your numbers with the community.

I have Installous, so that could make this possible. However you need to jailbreak (which often involves Cydia) in order to even get access to Installous, so how about the other 84%?

(PS: I only use Installous if I need to trial an expensive app - I will buy the app if it does what I need :))

Honestly, I'm pretty sure it's Facebook. They are the ones tracking everyone, including non-FB users, via a tracking cookie the moment you visit their site after all... And you know the feds just love that data that FB can acquire.

> They are the ones tracking everyone, including non-FB users, via a tracking cookie the moment you visit their site after all

Twitter has started doing this lately as well (though allowing you to opt-out if you so choose).

What about Pokerstars?

Their US operations were shut down by the FBI recently on bank fraud and money laundering charges.


There are far too many accounts leaked for them to be the source.

Jailbroken eh? Wonder if that is the common link?

Facebook... is the most likely source

Have you ever traveled to the US with that handset and did you buy it new?

I haven't traveled to the US with this particular handset. I got a replacement handset a few months ago on the insurance. The serial number makes it seem like it was assembled in week 31 of 2011, so what happened to it before it got into my hands I'm not quite sure.

Are you a member of the NCFTA, perchance?

Nope, just an average programmer/university student.

Refresh my memory - aren't the device tokens for the Apple Push Notification Service application-specific? That suggests this data comes from a single application, not Apple. The patchy personal information columns also suggests that this is a single (somewhat grabby) application's data store - presumably Apple would have more comprehensive records.

My wild speculation, assuming what we're told is true - the application developer shared this information with the NCFTA, who in turn shared it with the FBI. (After all, that's what the NCFTA does.) The application developer may have shared this information because they wanted the FBI to investigate a 'cybercrime' of some sort against them - who knows what, in-app purchase fraud? That could explain why the data ended up on this FBI agent's desktop.

EDIT: I refreshed my own memory - APNS tokens are device-specific, not device+app specific. I still think this is a single application's data dump, if the statement about sparse personal info is true.

I doubt that they are a single app's data. Look at the repeat of certain Device names (try "Abo Mossa") and check their UDIDs - those UDIDs show an incremental pattern in their first 3 digits. This tells me: (a) those devices were bought in bulk and (b) those devices were never sold to one person - since the Device names were unchanged [assumption is that a regular customer cannot own so many devices]. I just don't see how one app (not pre-installed) could be on all the devices bought in bulk by one person and dump all its data to FBI.

The UDID is a SHA1 of a few fields (including a couple MAC addresses): we actually know the exact algorithm; if you are seeing patterns in them it is either a trick your brain is playing on you or a trick the user is playing on you (some people modify their UDID occasionally to keep themselves from being tracked by apps).

How do you modify the UDID? Does it depend on the model?

At some point, the UDID is being processed by code, so you don't really need to permanently modify anything: you just edit the code that generates it and make that return something different. These kinds of changes are very simple using Substrate, the library we all use (that I developed) for changing code at runtime. For the UDID, the obvious candidates are "edit every app so [UIDevice uniqueIdentifier] returns fake" and "edit lockdownd so it calculates the wrong value every time it is generated".

you're right. the pattern is weird. and it shows up a lot (see Admin's iPad, Ahmed's iPhone etc...)

EDIT: unless... is it just a side effect of how the data was exported? Sorted on Username, then on UDID

Ya, the more I look at it, the more I think it's just secondary sorting on UDID
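The two explanations above (a SHA-1 output cannot inherit a sequential pattern from its inputs, and an export sorted on name then UDID makes the prefixes inside each name group look incremental) can be checked with constructed data. This is an added example, not code from the thread; the exact field set hashed to make a real UDID (taken here as serial number, ECID, Wi-Fi MAC and Bluetooth MAC, concatenated) is an assumption for the purpose of the demonstration, since the thread only says it is a SHA-1 over a few fields including two MAC addresses.

```python
import hashlib


def udid_from_fields(serial, ecid, wifi_mac, bt_mac):
    """SHA-1 over concatenated device fields. The field set (serial, ECID,
    Wi-Fi MAC, Bluetooth MAC) is an assumption made for this example."""
    material = f"{serial}{ecid}{wifi_mac}{bt_mac}".encode()
    return hashlib.sha1(material).hexdigest()


def make_batch(name, count):
    """Constructed records for `count` devices that all carry the same device
    name and have sequential serials, ECIDs and MACs, i.e. what a bulk
    purchase of never-renamed devices would look like. Returns (name, udid)."""
    rows = []
    for i in range(count):
        serial = f"C8QJ{i:08d}"                 # invented serial format
        ecid = f"{0x1000 + i:016X}"
        wifi = f"00:11:22:33:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"
        bt = f"00:11:22:44:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"
        rows.append((name, udid_from_fields(serial, ecid, wifi, bt)))
    return rows


def prefixes(rows, n=3):
    """The first n hex digits of each UDID, in row order."""
    return [udid[:n] for _, udid in rows]


def is_nondecreasing(seq):
    return all(a <= b for a, b in zip(seq, seq[1:]))


def export_sorted(rows):
    """Mimic a dump written ORDER BY name, udid (secondary sort on the UDID)."""
    return sorted(rows, key=lambda r: (r[0], r[1]))


def max_prefix_step(rows):
    """Largest jump between consecutive 3-hex-digit prefixes, as an integer.
    In generation order the jumps are large and random; after sorting the
    prefixes climb through the group in small steps, which is the
    'incremental pattern' visible in the leak."""
    vals = [int(p, 16) for p in prefixes(rows)]
    return max(abs(b - a) for a, b in zip(vals, vals[1:]))


if __name__ == "__main__":
    batch = make_batch("Abo Mossa", 256) + make_batch("Ahmed's iPhone", 256)
    print("sequential inputs give sorted prefixes?", is_nondecreasing(prefixes(batch[:256])))
    print("max prefix step, generation order:", max_prefix_step(batch[:256]))
    dump = export_sorted(batch)
    print("after ORDER BY name, udid, sorted prefixes?", is_nondecreasing(prefixes(dump[:256])))
    print("max prefix step, sorted group:", max_prefix_step(dump[:256]))
```

With a 1,000,001-row file the effect is exaggerated: a common default name such as "iPhone" has thousands of rows, so within that group the three-digit prefixes step through 000 to fff almost one at a time, which is exactly the "incremental" look and says nothing about how the devices were bought.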

Looks like they've got Obama's iPad:

    thea:Downloads admin$ cat ./iphonelist.txt | grep -i obama
    '473d6e1ebf0b100ed172ce5f69c97ba6c8f12ad5','766a23201c6089be11845bfef624dbaada68be52155079850951836e9373e5cd','hobamain','iPad'
    'c63e008e6271c3ac128eb6a242a9817528b6baef','b996a080e11265a0c93436ba0b13b7c07ee4e8eef6faeb8516917b015d7355fb','Obama','iPad'

Openfeint shows that 'Obama' last played 'Fishing Fun 2'

    curl 'https://api.openfeint.com/users/for_device.xml?udid=c63e008e6271c3ac128eb6a242a9817528b6baef'

    <?xml version="1.0" encoding="UTF-8"?>
    <last_played_game_name>Fishing Fun 2</last_played_game_name>
    <profile_picture_source nil="true"></profile_picture_source>
    <profile_picture_updated_at nil="true"></profile_picture_updated_at>
    <profile_picture_url nil="true"></profile_picture_url>
    <status nil="true"></status>
    <uploaded_profile_picture_content_type nil="true"></uploaded_profile_picture_content_type>
    <uploaded_profile_picture_file_name nil="true"></uploaded_profile_picture_file_name>
    <uploaded_profile_picture_file_size nil="true"></uploaded_profile_picture_file_size>
    <uploaded_profile_picture_updated_at nil="true"></uploaded_profile_picture_updated_at>
    <name>Player 1479631313</name>

Seriously? Personal info about the President was leaked? Not that this particular instance looks like a big deal. Doesn't the NSA secure the President's communication? That must be career-impacting embarrassing for someone.

Personal information about someone who had their device name set to "Obama". Let's not get all crazy now.

Yeah, pretty sure Mr. President's device would probably be called "Barack's iDevice", grepping for that, now that'd be something.

    $ cat iphonelist.txt | grep c63e008e6271c3ac128eb6a242a9817528b6baef
    'c63e008e6271c3ac128eb6a242a9817528b6baef','b996a080e11265a0c93436ba0b13b7c07ee4e8eef6faeb8516917b015d7355fb','“Administrator”的 iPad','iPad'
    'c63e008e6271c3ac128eb6a242a9817528b6baef','b996a080e11265a0c93436ba0b13b7c07ee4e8eef6faeb8516917b015d7355fb','Obama','iPad'

Looks legit...

You do know that there are other people in world with the name Obama, right?

I know for a fact, the NSA protects all communications from the president (and most of the top level folk in his administration). If this turns out to really be the president (which I doubt) it would be a MAJOR breach.

For a fact? How so?

It was an issue widely covered in the press, or at least widely covered enough that I remember people joking about it in monologues. Obama wanted to keep his blackberry and other gadgets in opposition to what the Secret Service wanted. They finally compromised with security-enhanced versions of the devices such as his so-called "Blackberry One" a pun off of Air Force One.

Though I didn't hear anything about securing it when he got an iPad, I did see photos in the news of him carrying one. I would assume it would be equally vetted and locked down.

I'd have to kill ya if I told you. :)

No I'm kidding of course. Obviously, I did work in that area, ages ago.

And it's been like this for a long time, by the way. Even back in ancient times when we all used dials.

The president lives in the ultimate bubble. Nothing gets in or out without being vetted.

They had news articles about protecting his phone back when he was elected.

Is the address the white house?

Why does an FBI agent have 12 million+ identification numbers for iOS devices?

This is the stated reason for the release - to have people ask why an agent has 12m UDID numbers on his laptop. They released 1m out of the 12m UDIDs so that they can guarantee a statistical sample that can be verified, while preserving a bit of privacy.

Along with the UDIDs were other columns with an assortment of personal data, although there were a lot of holes.

How large would a 12m line long .csv file be?

Not sure how many bytes per entry, but it would be of the order of gigabytes.

It would probably compress well

The 1,000,001 line file is 136MBs uncompressed, so 12M should be around 1.6GB

It might be a gigabyte if there were about 90 characters per line; 1 or 2 gigabytes tops? "On the order of gigabytes" is a rather pretentious way of saying that.

The filename refers to NCFTA, which might seem in context to be http://www.ncfta.net — perhaps some bit of intel that's widely-traded in NCFTA circles for various uses? I mean, hey, pretty useful if you're tracking down pretty much anything in which an Apple device is used, right?

Perhaps Apple (or someone) is having them do an investigation:

Also, what's the point of releasing password protected files to public? I mean, they give you the password thus kind of making the whole password thing a moot point.

It proves that the author of the rant is the leaker of the data, not just some guy linking to data someone else posted.

It also causes all the data to be released atomically even if it took a while to upload to all the places.

> It proves that the author of the rant is the leaker of the data, not just some guy linking to data someone else posted.

I don't see what would stop you from stating the password to a file you didn't upload.

Because you wouldn't know the password before the public announcement, and after the announcement it doesn't matter.

That's why for these types of archives the password actually contains the credentials.

True, but in this case the password contains "antis3c" [Antisec], the group that is responsible.

So download it, decrypt it, and pick a different password. Takes a couple minutes, tops. And if your 'release' gets more attention than the original, how does the original prove that's what happened, or even get heard?

You can see who came first, the internet knows.

The internet attributes much to the wrong sources. And forgets many redactions. I wouldn't trust such a thing to the internet.

Ah that makes sense. Thanks tlb.

It also allows the file to be widely disseminated and mirrored before revealing what it contains, as an anti-DDOS measure.

Question: is it possible for a malicious hacker to use this information for anything? E.g. sending rogue push notifications to a user, or tracking down a user's additional personal information by knowing his/her device UDID or APNs token?

I sincerely hope both the U.S. government and Apple address this. I'd also be interested in hearing why Apple chose to have hardware coded unique ids for each device.

If a webservice tries to send a push notification to a device that has not registered for push notifications for the entitlement requesting the notification to be sent, the notification gets discarded. Remember, all notifications are to be pushed to Apple using a certificate generated on a per-app basis, who in turn pushes the message to devices.

I like the card AntiSec is playing:

  well we have learnt it seems quite clear nobody pays attention if you just come
  and say 'hey, FBI is using your device details and info and who the fuck knows what
  the hell are they experimenting with that', well sorry, but nobody will care.
Arms race for attention, while the government races towards quieter actions and laws...

Marco Arment thinks that the All Clear ID app is responsible for this leak: http://www.marco.org/2012/09/04/fbi-udid-leak

Can anyone who can confirm they're on the list confirm that was one of their apps?

This guy says he's in the dump and didn't use AllClear ID. https://twitter.com/BFormations/status/243044444595687424

I didn't either, see my other post.

If you've been exposed take some time to help us identify who gave these UDIDs to the FBI. (Already working with 3 exposed device owners) http://news.ycombinator.com/item?id=4473833

Putting a file of user data on a laptop is a fireable offense at any reputable organization. Sad that the FBI is less careful about user data protection than consumer Internet companies.

    Putting a file of user data on a laptop is a fireable offense at any reputable organization.
Correction, it's only a fireable offense if the employee of said reputable organization lets the file become compromised somehow, there's huge PR blowback, and the organization needs somebody's head on a platter in a show of how seriously they take the issue. Otherwise, m'eh.

The laptop was compromised while running. We do not know whether the disc was encrypted or not.

If it was exploited through the JRE, then it doesn't really matter...

On the other hand the disk, or better said the partition with sensitive data, should be decrypted (mounted) only when needed. I doubt he needed that data during the conference.

Kinda odd isn't it. My organization issued me a laptop to store all the confidential financial data I work with.

One imagines it was bitlockered, and you were required to inform them the instant of a loss and hence possible data breach, whereupon the company would have to pass the data on to any clients whose data might have been compromised (and the public body governing data security).

Apple could probably figure out if this data came from an app developer because I'd bet there's only exactly one app which every single one of those 1,000,001 devices downloaded.

Even if they threw in a few fake rows to mess up the data, they could find the app that has the highest percentage of downloads from that entire data set.

And if the data came from Apple?

I can't think of any apps that take a full address. Perhaps there are some, I just don't know them.

Apple could have been compelled to release this data to the FBI. Unfortunately, we're unlikely to ever know this and Apple are equally unlikely to want to shed light on it.

If the claim is true, that the source data included full postal address, then I find it hard to identify a better source for all of that than Apple themselves. And that the data was brought together from various systems, and that we're glimpsing data that was shared between Apple and the FBI.

Not to say that there's anything illegal about that, more that the laws that allow that are a bit screwed but that's another issue altogether.

A reasonable assumption, besides Apple, is Facebook. With all the information these services have the easiest part may be to acquire your home address.

Another more likely possibility would be to identify people who are on the list and compare all their installed apps and search for a common denominator.

People delete apps though, you'd need their entire history to cross reference that. Not to mention false positives - how many people have the Twitter or Facebook app installed, for example?

You might still be able to find an app that has a much higher installation rate for users on the leaked list than for users who aren't. Of course, that wouldn't be a proof but merely a first step to narrow the possibilities.
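
The comparison sketched in the last three comments (common-denominator app, false positives from ubiquitous apps, deleted apps), worked as an added example that is not from any commenter: rank apps by how much more often they occur on listed devices than on a control group, so an app that nearly everyone has scores a lift near 1 while the shared source stands out even if some owners deleted it. All device sets, app names and install rates below are constructed.

```python
import random
from collections import Counter


def app_lift(leaked_installs, control_installs, min_support=5):
    """Return (app, leaked_rate, control_rate, lift) rows sorted by lift, highest first.

    leaked_installs / control_installs: one iterable of app names per device.
    Raw install rate alone is misleading (Facebook is everywhere); lift is the
    leaked rate divided by the control rate, so ubiquitous apps sit near 1.0.
    """
    leaked_n, control_n = len(leaked_installs), len(control_installs)
    leaked_counts = Counter(app for apps in leaked_installs for app in set(apps))
    control_counts = Counter(app for apps in control_installs for app in set(apps))
    rows = []
    for app, count in leaked_counts.items():
        if count < min_support:
            continue  # too few devices to say anything about this app
        leaked_rate = count / leaked_n
        # add-one smoothing: an app never seen in the control group must not give a
        # division by zero and should not look infinitely suspicious either
        control_rate = (control_counts[app] + 1) / (control_n + 1)
        rows.append((app, leaked_rate, control_rate, leaked_rate / control_rate))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


def constructed_devices(n, rates, seed):
    """Constructed sample: n devices, each app installed independently with its rate."""
    rng = random.Random(seed)
    return [[app for app, p in rates.items() if rng.random() < p] for _ in range(n)]


# Constructed scenario: the hypothetical "LeakyApp" is the common source, but 15% of
# its users deleted it (so it is not on every listed device); Facebook and Twitter are
# equally common on both groups and should not be flagged.
LEAKED = constructed_devices(400, {"LeakyApp": 0.85, "Facebook": 0.90, "Twitter": 0.80,
                                   "Instagram": 0.50}, seed=1)
CONTROL = constructed_devices(400, {"LeakyApp": 0.05, "Facebook": 0.90, "Twitter": 0.80,
                                    "Instagram": 0.50}, seed=2)


def top_candidate():
    """Name of the highest-lift app in the constructed scenario."""
    return app_lift(LEAKED, CONTROL)[0][0]


def lift_of(app):
    for row in app_lift(LEAKED, CONTROL):
        if row[0] == app:
            return row[3]
    return None


if __name__ == "__main__":
    for app, lr, cr, lift in app_lift(LEAKED, CONTROL):
        print(f"{app:10s} leaked={lr:.2f} control={cr:.2f} lift={lift:.1f}")
```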

Interestingly enough, top ten iOS device names:

  42797 'iPhone'    
  5191 'iPod touch'
  3136 '“Administrator”的 iPad'
  2202 '“Administrator”的 iPhone'
  1534 'Owner’s iPad'
  1453 ' iPhone'
  1309 'Administrator’s iPad'
  1196 'Administrator’s iPhone'
  1141 'PdaTX.Net'
  1058 'John’s iPad'

If you look at the UDIDs for the '“Administrator”的 iPad's or '“Administrator”的 iPhone's, there seems to be an incremental pattern in their first 2-3 digits. Does that mean these devices were purchased/ordered in bulk and hence belong to some reseller? In which case, these must not have been sold to people and thus we don't see change in the device names maybe? And thus the claim that this came from one or two apps seems a bit infeasible, no?

The Chinese character "的" is being used here as a possessive; it just means that the iPad belongs to the "Administrator", which is the default account name for many Windows XP computers [1]. Because iTunes activates iPods, iPhones, and iPads under the current user account name, and because the default user account name in many XP installations is "Administrator", there are a plethora of devices with the same name: '“Administrator”的 iPad'.

So, the only significance of this name is that there are quite a few Chinese Apple devices in this sample. Perhaps they are over-represented in the whole dataset; it's hard to say without having the breakdown of Apple devices sold by country, as well as the entire dataset.

1. http://www.mydigitallife.info/unhide-the-administrator-accou...

The UDID is a SHA1 of a few fields (including a couple MAC addresses): we actually know the exact algorithm; if you are seeing patterns in them it is either a trick your brain is playing on you or a trick the user is playing on you (some people modify their UDID occasionally to keep themselves from being tracked by apps).

I replied elsewhere. Isn't it possible this is just a side-effect of how the data was exported?

Primary sort is by username. Secondary sort is by UDID.
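
An added illustration (not from any commenter) of the two replies above: if the export is sorted by UDID within each username, a few thousand SHA-1 digests placed next to each other will share their first two or three hex digits simply because they are sorted, with no bulk-purchase pattern behind it. The UDIDs here are constructed SHA-1 digests of random bytes; the real UDID inputs are not modelled.

```python
import hashlib
import random


def constructed_udids(n, seed=1):
    """Constructed sample: n SHA-1 hex digests of random bytes, standing in for UDIDs."""
    rng = random.Random(seed)
    return [hashlib.sha1(rng.getrandbits(256).to_bytes(32, "big")).hexdigest()
            for _ in range(n)]


def common_prefix_len(a, b):
    """Number of leading characters a and b share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def adjacent_prefix_stats(udids, sort=True):
    """Mean shared-prefix length between neighbours, and the share of neighbours that
    agree on at least the first two hex digits, in sorted or in original order."""
    seq = sorted(udids) if sort else list(udids)
    pairs = list(zip(seq, seq[1:]))
    lens = [common_prefix_len(a, b) for a, b in pairs]
    mean = sum(lens) / len(lens)
    frac_two = sum(1 for l in lens if l >= 2) / len(lens)
    return mean, frac_two


# 3136 rows, the count reported above for '“Administrator”的 iPad'
SAMPLE = constructed_udids(3136)


def sorted_mean():
    return adjacent_prefix_stats(SAMPLE, sort=True)[0]


def sorted_frac_two():
    return adjacent_prefix_stats(SAMPLE, sort=True)[1]


def unsorted_mean():
    return adjacent_prefix_stats(SAMPLE, sort=False)[0]


if __name__ == "__main__":
    m, f = adjacent_prefix_stats(SAMPLE, sort=True)
    print(f"sorted:   neighbours share {m:.2f} leading hex digits on average, "
          f"{f:.0%} share at least two")
    m, f = adjacent_prefix_stats(SAMPLE, sort=False)
    print(f"unsorted: neighbours share {m:.2f} leading hex digits on average, "
          f"{f:.0%} share at least two")
```

The sorted neighbours agree on roughly two leading digits on average while the same digests in arrival order agree on almost none, which is the "incremental pattern" with nothing behind it.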

Maybe an enterprise location or school that bought in bulk?

Wouldn't the devices' names still be changed when individual members of the enterprise/school activated them?

Devices being used in a kiosk-like or other setting in which they are mostly not being used by people who would be responsible for activating them?

Just made a page where you can check if your UDID is leaked: http://pastehtml.com/udid

We've recently discovered that even though the Apple docs suggest the APNS tokens may be unique to each app and may change over time they are NOT unique to an app and they also do not change (at least not over the last 18 months).

So if you have two apps on the same device they both share the same UDID and the same APNS token.

Whilst on the surface this may seem like a huge security issue it is not as bad as it seems, because in order to send push notifications to a device you must have the correct APNS .p12 certificate generated by Apple for the app AND the app must be installed on that device.

I would see the UDIDs as more of a security breach given the fact that many developers are still using the now deprecated UDID to interface with web services.

On a similar note, if you are developing an app and need to have a unique identifier you should be using Secure UDID or something similar (https://github.com/crashlytics/secureudid), and if you're sending data to your own webservice, don't just use SSL, use encryption such as SHA to prevent MITM sniffing of your data. Both iOS and Android allow installation of root CA certs, which is amazing for developing and sniffing APIs but dangerous if you're writing webservices and ONLY relying on SSL and no other encryption.

> you should be using Secure UDID or something similar

As an app developer, does this give me some benefit over just generating and saving a random UUID on first launch?

If you save the random number, what happens when they wipe the device and reinstall your app? No way to get that original number back. Secure UDID is deterministic, so you'd get the same ID, and can resume the original session.

One way around this is to store that number in iCloud. Then you can always get it back no matter the device.

Wow, this is bad, and an excellent example of how the security machine (in this case FBI) can always be turned on itself. The methods required for FBI to "protect" citizens can be misused (or hacked) to do the opposite. A gun can always be turned around, etc.

I'm better off listening to http://www.linux.fm/ .. it's more fun than listening to this guy

His delivery is painful to listen to.

Not everyone is a polished orator.

Practice in front of a mirror or video camera a few times. Write some notes. It's not too hard to get competent, even if you can't become phenomenal.

The fact that there is a column for APNS (Apple Push Notifications) suggests that this is a database dump from an iPhone app that supports push notifications. APNS tokens are generally tied to a specific app so it may be possible to figure out what app leaked their database.

The "NCFTA" seems to deal with identity theft. (Ironic)

APNS tokens are generally tied to a specific app so it may be possible to figure out what app leaked their database

This isn't true, APNS device tokens are shared among apps on a device. The only time a device will have more than one device token is if it's being used for development.

This isn't to say that Apple couldn't correlate the device tokens by looking for shared apps with active APNS entitlements.

I don't think so. The device token is even generated over the version of the app. Meaning: you get a new device token if the app version changes.

No: the APNS token is only changed if you get a new device (as it is tied to your device's certificate) or restore your phone (and not restore a backup: if you restore a backup it restores the token).

If the full file (including addresses) gets into the wild, and I fear that this may happen, it will be a really useful tool for burglars. Many iOS devices probably correlate with many valuables in a home. That's a lot of lawsuits against everybody involved...

Pretty sure that a smart burglar could figure out approximate addresses of people who own iPhones by looking at publicly available Instagram or Twitter or Facebook or Flickr locations. Not to mention people telling the world "I'm camping this weekend" which a burglar hears as "I'll be gone all weekend, steal my things!"

I think a smart burglar would just look at any commonly available database of home sales. Anybody who has moved in the last few years into a more-expensive-than-average house should correlate much better with valuables than iPhones.

However, I'd hope any criminal with brains like that would find something to do that has higher yield and lower risk than housebreaking. I'd suggest working for a private equity company.

Yeah i'm not really worried that burglars are going to use this data-set for harm. If they know about this data-set they likely know about databases of home sales or car sales or just plain old census data listing the average income by county.

There's a pretty nice power law in the names, which would support a real random sample. http://tinypic.com/r/11gmwjl/6 That PDATX.net business is really weird, though.

Has anyone here found their own UDID in the list?

I've tried all the UDIDs of the Provisioning Portal of my Company and I didn't find any.

I checked and didn't find my own iPhone, iPad or my wife's iPhone in the list.

Is there some good reason for all those steps to actually get the file after downloading? I don't see the point of encrypting it, or of having a tarball with just one file. They also suggest checking the file integrity of the download, and then also checking the integrity of the final extracted file--this seems completely pointless as the final extracted file is derived deterministically from the download so you've already checked it when you checked the download checksum.

Am I missing something?

Encrypting it, at least, makes sense: they can take their time distributing the file without anyone peeking at it before they're supposed to. Then, when they release the decryption key, the file is already copied all over the place and really hard to shut down.

Guess all the verifying means they are afraid someone will distribute "altered" versions. Checking it twice is maybe a little drastic? Don't know how hard it is to generate a file that compresses to the same as their file (collision). But it's at least theoretically possible.

MD5 is not the best cryptographic hash... it's weird that they would be so paranoid as to include two hashes but not use something harder to collide with.

While I agree there are better options, MD5 has no known preimage attacks. So it's stretching it a bit to imply that someone could easily cause a collision on an existing archive.

Theoretically, it is possible to create another file, which after encryption will give you the same checksum. I doubt that someone will be able to do it in a reasonable amount of time though.

Can someone tell me what AntiSec can do with these UDIDs? I mean they are just phone identifiers, what harm can their exposure cause?

Haxxors, what can we lay people with no computationalizing skills do?

Get informed, and inform.

Then, one can hope, the government might actually be forced to engage in meaningful discussion about whether their ridiculously expensive and obviously damaging espionage programs make sense.

It's far more likely that this data was willingly shared by an application developer who was the victim of a crime the FBI is investigating.

Not everything is a government conspiracy.

"Get informed, and inform." Straight up manifesto material. Gratzi!

"...engage in meaningful discussion.." It's hard to engage in meaningful dialogue with people who are so entrenched in their own views (BIG$$,BIGOIL,BIGGOVV-types) but we shall continue!

Refuse to give personal information and carry minimal personal information in devices and websites outside of one's control.

If they don't have it, it cannot leak.

One question... where are these people usually, where do they talk? IRC? Random server in the outback? Encrypted channels?

Get pissed off.

The question of evidence is a very significant one.

Namely, why has AntiSec not provided any to substantiate their claim that the data was sourced from the agent's laptop? Surely if they had access to it they could have provided some additional files as supporting evidence?

UDID checklist: http://dazzlepod.com/apple/ Partial UDID search accepted, i.e. search "d565" instead of your full UDID "d56504ca3b268177f76fef0c2c446ba183afd12b"

So, any of you iOS guys find your device? It'd be interesting to know what apps you have in common (if any).

They wrote in the release that they wouldn't give any more interviews until they saw "Adrian Chen get featured on the front page of Gawker, a whole day, with a huge picture of him dressing a ballet tutu and shoe on the head, no photoshop."

Chen, a journalist at Gawker, actually did it: http://gawker.com/

Not even bothering to submit this as a story to HN because I'm pretty sure Gawker links get auto-killed (with good reason, the Gawker article is crap).

As an Australian I am intrigued by the following:

just a comment: we are still waiting for published news about the $ 2 billions worth loans Assad has taken from Russia, mentioned on the syrian mails and also about the transfer of money to austrian banks etc.... and also cocks... So, don't be lazy journos and look for them.

Any one have any additional info on that?

EDIT: Derp...thanks for the correction. I read too fast. Still intrigued if anyone knows anything more.

Austrian banks.

"Austrian, eh? <puts on australian accent> Let's put some shrimp on the barbie!"

Paul Hogan hammed up his Australian accent.

One of the best examples of a real Australian accent I've heard on American television is Dr. Chase [Jesse Spencer] from House, who is a real Australian and did not ham it up for an American audience. (Oddly though, the man who played his father in one episode had possibly the most embarrassingly bad fake Australian accent ever. Surprised Spencer didn't kick his arse during filming.)

You do not get real foreign accents on prime time American television, the viewers would be bemused and look for subtitles.

You get what Americans think are foreign accents, i.e. lightly accented. The one exception is that Brits playing bad guys are allowed to use camp, pantomime villain accents. Alan Rickman has made his fame and fortune from this, a shame as he is rather a good actor.

Hugh Grant sounds nothing like he does/did before that series started.

I'm still somewhat unclear on the dangers involved with this leak (other than the likelihood of being tracked), but this link seems relevant: http://www.cultofmac.com/160248/what-the-hell-is-a-udid-and-...

Hmmm, it seems that despite removal of the personal info, there may be ways to link it back to partial profiles via OpenFeint... http://corte.si/posts/security/openfeint-udid-deanonymizatio...

also: http://corte.si/posts/security/udid-must-die/index.html

Yep... well, based on this, I was able to fill in a UDID from the file and pull back an openfeint result. It didn't pull any sensitive information, but it worked. so seems to be real udids.

Find out if your udid has been compromised http://udid.afitnerd.com/

Didn't see this posted. Check to see if your UDID was on the list. Obviously it only checks the one million that were released. - http://thenextweb.com/apple/2012/09/04/heres-check-apple-dev...

508 email addresses (.com, .net, .org, .edu) used as iOS device names in this file, and several hundred phone numbers.

This demonstrates once again the antagonism between being able to ensure security, which was complained to be lacking for 9/11, and making sure that no honest citizen gets trampled by it.

I can't see a way out of spying on its own citizens, and keeping them in the belief that they aren't being spied on, to achieve the goal.

One of the questions to be asked is: who is controlling the controllers?

I think this leak plays for the FBI in a PR sense, not against it. All support slogans in the _anonymous message are an exact description of US foreign policy, so this message supports the spreading of wreck and havoc in people's lives in the third and second world. All this is rather strange.

Hi, first time here. I'm from Malaysia with a jailbroken iPad 2 as well. To my surprise, my device shows up on the http://pastehtml.com/udid link.

So now what does this all mean? (and) I've never been to the US.

They're coming for you. Run!!

I think there is another part of this alleged story that is equally as disturbing as the FBI having this data in the first place:

that an FBI agent's laptop, let alone an agent in the "Cyber Action Team", was susceptible to a common Java vulnerability.

The US government itself gives us this breach. I'm Brazilian and I've already managed several times to break into Apple's and Microsoft's sites, and now I'm going to try the FBI's from an external computer :D Wish me luck

FACEBOOK? If I had to bet on any company I would bet on Facebook as the main/top source of this data. Where else can you be profiled so easily by liking or sharing content the Big Bro would deem subversive? Followed by phone carriers since they have already been working with Big Bro, then Apple and Google. Combine these and you should be able to know everything you want. Govs probably won't deal with smaller companies lest it increase chances of leakage, etc.

If you want the list you can download it here, http://fileurl.me/41ld1

"Please complete this survey to continue"

What do I do wrong?

  $ tar -xvzf decryptedfile.tar.gz
  tar: Unrecognized archive format
  tar: Error exit delayed from previous errors.

What's an easy way to figure out the UDID of a device (without hooking it up to a Mac to sync)?

Files in ~/Library/Application Support/MobileSync/Backup/ are named by UDID.

There's a bunch of UDID apps (free) that you can download from the App Store.

Don't iOS apps have the permission to use the internet without any hassle? In that case, I would assume by using such app, chances are, you are contributing to another entity's UDID collection.

If in doubt, download and turn flight mode on before running, then uninstall?

What does ofc stand for?

Ofc = of course

the only thing to quench the appetite for additional wealth is the dirt of the grave

OK, the FBI has all information about us, and now? What are we gonna do?? Come on guys...
