During the second week of March 2012, a Dell Vostro notebook used by Supervisor Special Agent Christopher K. Stangl from the FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability in Java. During the shell session some files were downloaded from his Desktop folder; one of them, named "NCFTA_iOS_devices_intel.csv", turned out to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zip codes, cellphone numbers, addresses, etc.
From what I see, the NCFTA in "NCFTA_iOS_devices_intel.csv" looks like it stands for the National Cyber-Forensics & Training Alliance, which "functions as a conduit between private industry and law enforcement." (http://www.ncfta.net/)
Is Apple willingly sharing personal information with the FBI through the NCFTA?
UDIDs, APNS tokens (for push notifications), and basic demographic information are something a popular social app or game might have. 12 million is a pretty good number, though.
edit: our iOS app has over 2 million of these types of device records (though we don't collect any demographic info, so just device ids, apns tokens, device names, device types -- standard for push notifications).
Just because I am ok with one organization having my information doesn't mean that I am ok with any others having the same.
> Possibly most importantly, though, the FBI is now presumably in possession of a complete copy of the Instapaper database as it stood on Tuesday morning, including the complete list of users and any non-deleted bookmarks. (“Archived” bookmarks are not deleted. “Deleted” bookmarks are hard-deleted out of the database immediately.)
> Instapaper stores only salted SHA-1 hashes of passwords, so those are relatively safe. But email addresses are stored in the clear, as is the saved content of each bookmark saved by the bookmarklet.
> The server also contained a complete copy of the Instapaper website codebase, but not the codebase of the iOS app.
> Linked Facebook, Twitter, or Tumblr accounts only store their respective OAuth keys. Linked Evernote accounts only store the Evernote email-in address. Linked Pinboard accounts, however, store plaintext usernames and encrypted passwords, and the encryption keys are present in the website source code on the server.
Possibly, the fact that personal data is missing so often actually might point to a non-Apple leak, because they would have the link to personal data. Of course it could be fake, but it would be present.
The FBI's mission is reasonably clear; it's a government-regulated organization; it's non-commercial. They have a certain amount of accountability. Alas, we can't say the same for "popular iOS developers". We've seen how sneaky some iOS app developers can be with respect to privacy, and with little remorse after they get caught.
(and yeah, I know this is probably going to hammer my HN karma all the way to the bottom but...lol man)
I'm just saying that you are unlikely to be successful in requesting more information for this file. Information that "could reasonably interfere" with law enforcement is exempt. Also, the FBI does not make it easy to request documents from them and, further, the turnaround on a request can be months or years.
But those types of actions are rare.
Plus for certain kinds of investigations, it would go against the court order to go public. I don't want to defend Apple here but this is an American law enforcement problem. I'm certain MS, Google and others have provided info to the government that would anger many, and there are probably a lot of companies that do it without a court order... trying to be good citizens.
Why the hell was that info on a laptop?
But again, if that were the case then it would be related to anti-terrorism efforts. Well I hope it would be. The FISA court exists for that reason (mostly).
I guess my paranoia depends on how much I trust the government :)
“The exchange of strategic and threat intelligence is really the bread and butter of the NCFTA,” said Special Agent Eric Strom, who heads the FBI unit—the Cyber Initiative and Resource Fusion Unit (CIRFU)—assigned to the NCFTA. “The success of this effort at every level comes down to the free flow of information among our partners.”
Dan Larkin (the FBI Agent who setup NCFTA in 1997)
Note that he used to be with CIRFU. Likely that he still is with the CIRFU. They share office space:
"Mularski works for a little-known FBI division called the Cyber Initiative and Resource Fusion Unit, run out of the National Cyber-Forensics & Training Alliance in Pittsburgh, Pennsylvania. The unit is different from a typical FBI field office. It works hand in hand with industry and takes the time to do the deep research required to penetrate the world of online crimina
A bit of a dick way of putting it, but there's no evidence the FBI is involved in this other than some words in an announcement that could be by anyone with an axe to grind.
Could Anonymous have hacked this information from Apple or a carrier themselves? What information is present that they didn't do that?
we trimmed out other personal data as, full names, cell numbers, addresses, zipcodes, etc. not all devices have the same amount of personal data linked. some devices contained lot of info.
And is there some way to validate these are real UDIDs?
However, I renamed my iPad around last November after I started using it more in public, yet its original name (easy to find if you search for my HN nick) is the name listed.
EDIT: Oh, and fwiw, law-abiding natural born US citizen here. But who am I kidding - LEAs don't give a toss about that.
Non-gov researchers I know also attribute this to a possible hacking of an iPhone/iPad application backend DB before Apple put in the UUID storing restrictions to the iOS API.
I'm only bringing this to light because it is easy to fall for things you read on the Internet and get excited/theorize.
De-anonymizing UDIDs with OpenFeint: http://corte.si/posts/security/openfeint-udid-deanonymizatio...
A survey of how UDIDs are used: http://corte.si/posts/security/apple-udid-survey/index.html
Why the Apple UDID had to die: http://corte.si/posts/security/udid-must-die/index.html
I've often been asked what I thought the worst-case scenario is regarding the mis-management of UDIDs. My answer has always been that a large UDID database leaking would be a privacy catastrophe...
$ grep -c -i "titanic\'" iphonelist.txt
By the way, I think AntiSec needs to hire someone to write their releases for them. I struggled at times to make sense of the almost gibberish in their rant-filled sentences and at times some of the things they were saying read like the paranoid ramblings of a crystal meth addict. It wasn't until the end where everything they were saying was put into perspective and I understood what they were talking about.
"a monthly fee, forever until you die. That's the future; nothing is really yours. LAAS - Life As A Service."
(1) For instance, the first recorded use of writing is not typically for poems or liturgy but for tax documentation for imperial states.
ccc presentation: http://www.youtube.com/watch?v=-b0Ta9h62_E
EDIT: also as grumpysimon says, it's a proud tradition going back decades.
(I've some really horrible examples to my credit too, but thankfully I don't think any of it has survived)
So? Pretty sure torture and car bombing innocent women and children is also illegal.
Let's not make this situation out to sound worse than it is. The FBI having access to 12 million UDIDs and user information which apparently had holes in it anyway is nowhere near as bad as innocent civilians being killed and seriously injured. It's bad, but not that bad, calm down.
No I am not. I was talking about the executive branch of the our government.
> Let's not make this situation out to sound worse than it is.
I was commenting on the assertion that this is 'illegal' and thus how could FBI possibly do this. And my response was that it seems illegality isn't exactly stopping anyone, be it FBI, CIA or other agency.
...of course, the current administration insists that those are legal, but because they refuse to release a legal argument defending the practice, the best explanation they've given is 'Just trust us, okay?'. Not sure how that would hold up in a court of law.
I'd love to read the warrant that granted this disclosure. If one doesn't exist I'd love to hear Apple's reasoning for releasing a 12 million + user database to LE without being legally obliged to do so.
They are both part of the government and the culture of 'laws for us vs laws for them (the regular people)' is present in both.
I'm not saying that the FBI story isn't true, but so many comments here just assume it to be 100% factual - there's no evidence that it was taken from the FBI vs found on a USB Stick in the garbage.
It's a big story, yes, but I think maybe a deep breath is in order before we all accuse the FBI of leaking/losing/stealthily acquiring something!
(I'm not a US Citizen, btw)
Besides, what's the big deal... if they have nothing to hide then they have nothing to worry about!
What bothers most is that this data exists at all, and what it's used for.
Though, it must be curious why AntiSec have had 12 million UDIDs, but only now are releasing them. Also, no one else from AntiSec is corroborating it?
(PS: I only use Installous if I need to trial an expensive app - I will buy the app if it does what I need :))
Twitter has started doing this lately as well (though allowing you to opt-out if you so choose).
Their US operations were shut down by the FBI recently on bank fraud and money laundering charges.
My wild speculation, assuming what we're told is true - the application developer shared this information with the NCFTA, who in turn shared it with the FBI. (After all, that's what the NCFTA does.) The application developer may have shared this information because they wanted the FBI to investigate a 'cybercrime' of some sort against them - who knows what, in-app purchase fraud? That could explain why the data ended up on this FBI agent's desktop.
EDIT: I refreshed my own memory - APNS tokens are device-specific, not device+app specific. I still think this is a single application's data dump, if the statement about sparse personal info is true.
EDIT: unless... is it just a side effect of how the data was exported? Sorted on Username, then on UDID
Ya, the more I look at it, the more I think it's just secondary sorting on UDID
thea:Downloads admin$ cat ./iphonelist.txt | grep -i obama
<?xml version="1.0" encoding="UTF-8"?>
<last_played_game_name>Fishing Fun 2</last_played_game_name>
I know for a fact the NSA protects all communications from the president (and most of the top level folk in his administration). If this turns out to really be the president (which I doubt) it would be a MAJOR breach.
Though I didn't hear anything about securing it when he got an iPad, I did see photos in the news of him carrying one. I would assume it would be equally vetted and locked down.
No I'm kidding of course. Obviously, I did work in that area, ages ago.
And it's been like this for a long time, by the way. Even back in ancient times when we all used dials.
The president lives in the ultimate bubble. Nothing gets in or out without being vetted.
Along with the UDIDs were other columns with an assortment of personal data, although there were a lot of holes.
Not sure how many bytes per entry, but it would be of the order of gigabytes.
It also causes all the data to be released atomically even if it took a while to upload to all the places.
I don't see what would stop you from stating the password to a file you didn't upload.
I sincerely hope both the U.S. government and Apple address this. I'd also be interested in hearing why Apple chose to have hardware coded unique ids for each device.
Well, we have learnt it seems quite clear nobody pays attention if you just come and say 'hey, FBI is using your device details and info and who the fuck knows what the hell are they experimenting with that'. Well sorry, but nobody will care.
Can anyone who can confirm they're on the list confirm that was one of their apps?
Putting a file of user data on a laptop is a fireable offense at any reputable organization.
Even if they threw in a few fake rows to mess up the data, they could find the app that has the highest percentage of downloads from that entire data set.
I can't think of any apps that take a full address. Perhaps there are some, I just don't know them.
Apple could have been compelled to release this data to the FBI. Unfortunately, we're unlikely to ever know this and Apple are equally unlikely to want to shed light on it.
If the claim is true, that the source data included full postal address, then I find it hard to identify a better source for all of that than Apple themselves. And that the data was brought together from various systems, and that we're glimpsing data that was shared between Apple and the FBI.
Not to say that there's anything illegal about that, more that the laws that allow that are a bit screwed but that's another issue altogether.
5191 'iPod touch'
3136 '“Administrator”的 iPad'
2202 '“Administrator”的 iPhone'
1534 'Owner’s iPad'
1453 ' iPhone'
1309 'Administrator’s iPad'
1196 'Administrator’s iPhone'
1058 'John’s iPad'
So, the only significance of this name is that there are quite a few Chinese Apple devices in this sample. Perhaps they are over-represented in the whole dataset; it's hard to say without having the breakdown of Apple devices sold by country, as well as the entire dataset.
Primary sort is by username. Secondary sort is by UDID.
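As an added example (not from the thread or from any project it mentions), this Python script runs the sanity checks several comments ask for on a purported dump like this: whether the UDIDs and APNS tokens are well-formed, the device-name tally shown above, whether the same UDID recurs under several usernames, and whether the username-then-UDID sort order holds. The CSV column layout and the identifier lengths (40 hex chars for a UDID, 64 for an APNS token) are assumptions, and the rows are constructed.

```python
import csv
import io
import re
from collections import Counter

# Assumed formats (not stated on the page): an iOS UDID is a 40-char SHA-1 hex
# string; an APNS device token of that era is 32 bytes shown as 64 hex chars.
UDID_RE = re.compile(r"^[0-9a-f]{40}$")
TOKEN_RE = re.compile(r"^[0-9a-f]{64}$")


def fake_udid(n):
    """Build an obviously constructed, correctly sized UDID for the sample."""
    return f"{n:040x}"


def fake_token(n):
    """Build an obviously constructed, correctly sized APNS token."""
    return f"{n:064x}"


# Constructed sample dump (columns assumed). Row 3 and row 5 share one UDID and
# token: one device seen under two usernames. Row 4's UDID is malformed on purpose.
SAMPLE_CSV = "udid,apns_token,device_name,device_type,username\n" + "\n".join([
    f"{fake_udid(0x2a)},{fake_token(0x11)},Owner's iPad,iPad,alice",
    f"{fake_udid(0x3b)},{fake_token(0x22)},John's iPad,iPad,alice",
    f"{fake_udid(0x01)},{fake_token(0x33)},iPod touch,iPod,bob",
    f"DEADBEEF,{fake_token(0x44)},Owner's iPad,iPad,carol",
    f"{fake_udid(0x01)},{fake_token(0x33)},iPod touch,iPod,dave",
])


def parse_rows(text):
    """Read the dump as a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def malformed_identifiers(rows):
    """Count rows whose UDID or token does not match the assumed hex formats."""
    bad_udid = sum(1 for r in rows if not UDID_RE.match(r["udid"]))
    bad_token = sum(1 for r in rows if not TOKEN_RE.match(r["apns_token"]))
    return bad_udid, bad_token


def device_name_counts(rows, top=3):
    """The 'sort | uniq -c | sort -rn' style tally of device names."""
    return Counter(r["device_name"] for r in rows).most_common(top)


def duplicate_udids(rows):
    """UDIDs that appear more than once (one device, several accounts or apps)."""
    counts = Counter(r["udid"] for r in rows)
    return {u: n for u, n in counts.items() if n > 1}


def is_sorted_username_then_udid(rows):
    """Check the observed export order: primary key username, secondary UDID."""
    keys = [(r["username"], r["udid"]) for r in rows]
    return keys == sorted(keys)
```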
So if you have two apps on the same device they both share the same UDID and the same APNS token.
Whilst on the surface this may seem like a huge security issue it is not as bad as it seems, because in order to send push notifications to a device you must have the correct APNS .p12 certificate generated by Apple for the app AND the app must be installed on that device.
I would see the UDIDs as more of a security breach given the fact that many developers are still using the now deprecated UDID to interface with web services.
On a similar note, if you are developing an app and need to have a unique identifier you should be using Secure UDID or something similar https://github.com/crashlytics/secureudid and if you're sending data to your own webservice, don't just use SSL, use encryption such as SHA to prevent MITM sniffing of your data. iOS and Android both allow installation of root CA certs, which is amazing for developing and sniffing APIs but dangerous if you're writing webservices and ONLY relying on SSL and no other encryption.
As an app developer, does this give me some benefit over just generating and saving a random UUID on first launch?
The "NCFTA" seems to deal with identity theft. (Ironic)
This isn't true, APNS device tokens are shared among apps on a device. The only time a device will have more than one device token is if it's being used for development.
This isn't to say that Apple couldn't correlate the device tokens by looking for shared apps with active APNS entitlements.
However, I'd hope any criminal with brains like that would find something to do that has higher yield and lower risk than housebreaking. I'd suggest working for a private equity company.
Am I missing something?
Guess all the verifying means they are afraid someone will distribute "altered" versions. Checking it twice is maybe a little drastic? Don't know how hard it is to generate a file that compresses to the same as their file (collision). But it's at least theoretically possible.
Then, one can hope, the government might actually be forced to engage in meaningful discussion about whether their ridiculously expensive and obviously damaging espionage programs make sense.
Not everything is a government conspiracy.
"...engage in meaningful discussion.."
It's hard to engage in meaningful dialogue with people who are so entrenched in their own views (BIG$$,BIGOIL,BIGGOVV-types) but we shall continue!
If they don't have it, it cannot leak.
Namely, why has AntiSec not provided any to substantiate their claim that the data was sourced from the agent's laptop? Surely if they had access to it they could have provided some additional files as supporting evidence?
Chen, a journalist at Gawker, actually did it:
Not even bothering to submit this as a story to HN because I'm pretty sure Gawker links get auto-killed (with good reason, the Gawker article is crap).
Just a comment: we are still waiting for published news about the $2 billion worth of loans Assad has taken from Russia, mentioned in the Syrian mails, and also about the transfer of money to Austrian banks etc....
and also cocks...
So, don't be lazy journos and look for them.
Any one have any additional info on that?
EDIT: Derp...thanks for the correction. I read too fast. Still intrigued if anyone knows anything more.
One of the best examples of a real Australian accent I've heard on American television is Dr. Chase [Jesse Spencer] from House, who is a real Australian and did not ham it up for an American audience. (Oddly though, the man who played his father in one episode had possibly the most embarrassingly bad fake Australian accent ever. Surprised Spencer didn't kick his arse during filming.)
You get what Americans think are foreign accents, i.e. lightly accented. The one exception is that Brits playing bad guys are allowed to use camp, pantomime villain accents. Alan Rickman has made his fame and fortune from this, a shame as he is rather a good actor.
Hugh Grant sounds nothing like he does/did before that series started.
I can't see a way out of spying on its own citizens and keeping them in the belief they aren't, to achieve the goal.
One of the questions to be asked is who is controlling the controllers?
So now what does this all mean? (and) I've never been to the US.
that an FBI agent's laptop, let alone an agent in the "Cyber Action Team", was susceptible to a common Java vulnerability.
"Please complete this survey to continue"
$ tar -xvzf decryptedfile.tar.gz
tar: Unrecognized archive format
tar: Error exit delayed from previous errors.