
This is very disturbing. How did the FBI gain access to all this information? It should be locked up in Apple.

From what I see, the NCFTA in "NCFTA_iOS_devices_intel.csv" looks like it stands for the National Cyber-Forensics & Training Alliance, which "functions as a conduit between private industry and law enforcement." (http://www.ncfta.net/)

Is Apple willingly sharing personal information with the FBI through the NCFTA?

Doesn't a popular iOS developer have the same information?

UDIDs, APNS tokens (for push notifications), basic demographic information is something a popular social app or game might have. 12 million is a pretty good number, though.

edit: our iOS app has over 2 million of these types of device records (though we don't collect any demographic info, so just device ids, apns tokens, device names, device types -- standard for push notifications).


Would all of those millions install an application from the FBI knowing it gave them that information?

Just because I am ok with one organization having my information doesn't mean that I am ok with any others having the same.

I'm presuming the FBI got the database from an App Developer. Not that the FBI released a popular iOS app.

The FBI stole an Instapaper server in an unrelated raid http://blog.instapaper.com/post/6830514157

So Marco Arment could go all CSI for us and let us know whether the sample corresponds to info he retained and which would have been on the server at the time.

I've been using Instapaper since pretty much the first day, and my information is not in the file. Not to say they don't have it, but, it's not in that file, FWIW.

According to one report [1], only 1 million of about 12 million stored records were released by AntiSec, so the absence of your record is not conclusive.

1: http://thenextweb.com/2012/09/04/antisec-hackers-leak-100000...

I couldn't even guess the episode, but Marco has stated on his 5by5 podcast that he doesn't collect user information and only dips into user information grudgingly. I'd be surprised if this came from him as according to his statements he finds holding any user information that could be described as private unpleasant. This is all based on recollection however.

Still can't find the podcast, but here is what Marco says the FBI took, quoted from the Instapaper blog about a year ago: >>The server was used as a MySQL replication slave, handling read-only queries to speed up the site. Instapaper suffered no downtime as a result of its theft and no data has been lost.<<

Further down:

>>Possibly most importantly, though, the FBI is now presumably in possession of a complete copy of the Instapaper database as it stood on Tuesday morning, including the complete list of users and any non-deleted bookmarks. (“Archived” bookmarks are not deleted. “Deleted” bookmarks are hard-deleted out of the database immediately.)

Instapaper stores only salted SHA-1 hashes of passwords, so those are relatively safe. But email addresses are stored in the clear, as is the saved content of each bookmark saved by the bookmarklet.

The server also contained a complete copy of the Instapaper website codebase, but not the codebase of the iOS app.

Linked Facebook, Twitter, or Tumblr accounts only store their respective OAuth keys. Linked Evernote accounts only store the Evernote email-in address. Linked Pinboard accounts, however, store plaintext usernames and encrypted passwords, and the encryption keys are present in the website source code on the server. <<
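The quoted post draws a line between two ways of storing a secret: a salted one-way hash (the site can verify a login but cannot get the password back) and reversible encryption whose key sits in the same codebase that was on the seized machine. The example below is added here to make that difference concrete; it is not Instapaper's code and its schema, key and user values are constructed for the demonstration. The stand-in cipher (an HMAC-SHA256 keystream in counter mode) is an assumption, chosen only so the block runs with the standard library; the post does not say which cipher was used. Note also that a fast hash like salted SHA-1 only blocks direct recovery, not offline guessing, which is why the post calls the hashes "relatively safe" rather than safe.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample secrets for the demonstration (hypothetical, not real data).
SAMPLE_USER_PASSWORD = "correct horse battery staple"
SAMPLE_LINKED_PASSWORD = "third-party-service-password"


# --- Option 1: salted one-way hash, as the quoted post describes (SHA-1 + salt) ---

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, SHA-1(salt || password)). Storing only these lets the site
    verify a login but never hands back the password itself."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the salted hash and compare in constant time."""
    candidate = hashlib.sha1(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, digest)


# --- Option 2: reversible encryption with the key kept in the codebase ---
# Stand-in cipher (assumption): HMAC-SHA256 keystream in counter mode, XORed
# with the data. The only property that matters here is that it is reversible
# by anyone who holds the key, which is exactly what a full server copy gives.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_reversible(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext under the given key."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_reversible(key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt_reversible: same key, same nonce, same keystream."""
    nonce, ciphertext = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


# --- What a party holding both the database and the code can read directly ---

def build_server_image() -> Dict[str, dict]:
    """Constructed: a minimal 'server' holding one DB row plus a codebase constant."""
    key_in_source = b"hardcoded-key-in-website-source!"  # constructed 32-byte key
    salt, digest = hash_password(SAMPLE_USER_PASSWORD)
    db_row = {
        "email": "user@example.com",            # stored in the clear
        "pw_salt": salt, "pw_hash": digest,     # one-way, verify only
        "linked_pw": encrypt_reversible(key_in_source, SAMPLE_LINKED_PASSWORD.encode("utf-8")),
    }
    return {"db": db_row, "codebase": {"ENCRYPTION_KEY": key_in_source}}


def recoverable_plaintexts(server: Dict[str, dict]) -> Dict[str, Optional[str]]:
    """Fields that a complete copy of DB + code yields without any guessing:
    cleartext columns and anything encrypted under a key that is also on disk.
    The salted hash alone yields nothing, so it maps to None."""
    db, code = server["db"], server["codebase"]
    linked = decrypt_reversible(code["ENCRYPTION_KEY"], db["linked_pw"]).decode("utf-8")
    return {"email": db["email"], "password": None, "linked_pw": linked}


if __name__ == "__main__":
    image = build_server_image()
    print(recoverable_plaintexts(image))
```

The design point is that the hashed column only supports `verify_password`, whereas the encrypted column is fully reversible by design, so its confidentiality rests entirely on the key staying separate from the data. Keeping that key off the same host (an HSM, a secrets service, or at least a different machine) is the mitigation the quoted post implies.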

So "FBI theft" should be a new failure mode to defend against in web applications, right after SQLi and XSS? I'm handling this by not having any servers in the USA, hopefully GB is safe.

Yeah, this gives a whole new meaning to having live backups/redundancy. I guess this is an advantage of hosting on EC2 since it would be difficult for the FBI to seize the physical server.

It would be easier on EC2 since the FBI could just have Amazon clone your EBS volume and you'd never be the wiser.

Absolutely, that wasn't my point. Since the FBI could do that, you are unlikely to get your server seized from an unrelated raid. Still, a crappy situation.

Other countries aren't that safe. https://www.eff.org/cases/indymedia-server-takedown

Uh, yes. I think that is a safe assumption that they did not compile the list themselves.

iOS developers don't have the Apple IDs nor ZIP codes nor addresses (unless they separately ask for them but at least the apple ID is very uncommon)

There are no "Apple IDs" in here. Just Apple device UDIDs.

You are right. I misread the announcement. That still leaves the issue of the personal data, but as I said: app developers could acquire that directly from the user.

Possibly, the fact that personal data is missing so often actually might point to a non-apple leak, because they would have the link to personal data. Of course it could be fake, but it would be present.

When he said "a popular iOS developer" I assumed he meant Facebook.

I imagine it wouldn't be that difficult to extrapolate this information from your address book: I keep my own name, phone number, address, etc. all in there, and you can probably figure out which record is mine.

Could this data have been taken from the AT&T "breach" a while back where all the data for iPhone customers wasn't protected and crawled?

And 12 million is the number claimed. Only 1 million is shown.

Well, at least the FBI is not going to share your personal information with advertisers, or (opt-in) spam you to death trying to sell you something.

The FBI's mission is reasonably clear; it's a government-regulated organization; it's non-commercial. They have a certain amount of accountability. Alas, we can't say the same for "popular iOS developers". We've seen how sneaky some iOS app developers can be with respect to privacy, and with little remorse after they get caught.


(and yeah, I know this is probably going to hammer my HN karma all the way to the bottom but...lol man)

Couldn't an American request a FOIA for this to see what's the level of information gathering on iPhone users? Could EFF sue them for it or something to unveil more?

If there is indeed an ongoing investigation, FOIA would not apply (reasonably enough).

An ongoing investigation of 12 million people?

I have no idea. There are a lot of assumptions implicit in that question.

I'm just saying that you are unlikely to be successful in requesting more information for this file. Information that "could reasonably interfere" with law enforcement is exempt. Also, the FBI does not make it easy to request documents from them and, further, the turnaround on a request can be months or years.

>Is Apple willingly sharing personal information with the FBI through the NCFTA?

Define "willingly."

FBI: "Can we have this data? we can pay something" Apple: "Sure! In which format do you prefer to have it?"

FBI: "Just give it to us as CSV, kthxbai."

It wouldn't be "willingly". But if Apple was presented with an order from a court, then yes, they'd have no choice. They could fight it; but they'd lose, depending on the reason. Frankly the only reason would be some terrorism angle.

But those types of actions are rare.

I would be surprised if you could get a court order to turn over details on 12 million users.

I wish that Apple, if indeed presented with a court order, would've gone the Twitter route and publicized that fact.

It's a no win situation for them. Hand the info over and you're on msnbc for giving it up, don't hand it over and you're on fox news for helping the terrorists...

Plus for certain kinds of investigations, it would go against the court order to go public. I don't want to defend apple here but this is an American law enforcement problem, I'm certain ms, google and others have provided info to the government that would anger many and there are probably a lot of companies that do it without a court order... Trying to be good citizens.

Why the hell was that info on a laptop?

That would depend on which court the order came from. If it was from the FISA court, for example, then publicizing it would send people to jail.

But again, if that were the case then it would be related to anti-terrorism efforts. Well I hope it would be. The FISA court exists for that reason (mostly).

I guess my paranoia depends on how much I trust the government :)

The National Cyber Forensics and Training Alliance in Pittsburgh is the office where the FBI Agent who posed as a member of the carding community worked when he helped take down Max Ray Vision, née Butler.


http://www.fbi.gov/news/stories/2011/september/cyber_091611 “The exchange of strategic and threat intelligence is really the bread and butter of the NCFTA,” said Special Agent Eric Strom, who heads the FBI unit—the Cyber Initiative and Resource Fusion Unit (CIRFU)—assigned to the NCFTA. “The success of this effort at every level comes down to the free flow of information among our partners.”

Dan Larkin (the FBI Agent who setup NCFTA in 1997) http://www.linkedin.com/pub/dan-larkin/25/90/910

Note that he used to be with CIRFU. Likely that he still is with the CIRFU. They share office space: http://www.itbusiness.ca/it/client/en/home/News.asp?id=51778... "Mularski works for a little-known FBI division called the Cyber Initiative and Resource Fusion Unit, run out of the National Cyber-Forensics & Training Alliance in Pittsburgh, Pennsylvania. The unit is different from a typical FBI field office. It works hand in hand with industry and takes the time to do the deep research required to penetrate the world of online crimina

Good thing the announcement didn't say "A large monster from Mars radioed these in" - Imagine how upset you'd have been at NASA!!!!

A bit of a dick way of putting it, but there's no evidence the FBI is involved in this other than some words in an announcement that could be by anyone with an axe to grind.

I'm not sure why you're getting downvoted here, it's a valid point. There is nothing to prove this list came from the FBI, and I wouldn't put it above Antisec/Anonymous to get into a database of some popular iOS app, release the info, and then say it was from the FBI both to slag on the FBI and to stroke their e-peni^H^H^H^H^H^H^H ego.

Neither am I, but I suppose the humour was a little too barbed.

A more likely source is neustar (a spinoff of Lockheed), who also has all that information and is actually in the intel business.

What kind of verification do you have that the file was pulled from an FBI computer?

Could Anonymous have hacked this information from Apple or a carrier themselves? What information is present that they didn't do that?

Are there any indications in the files that point towards a hack on Apple or a carrier?
