Hacker News new | comments | show | ask | jobs | submit login

Doesn't a popular iOS developer have the same information?

UDIDs, APNS tokens (for push notifications), basic demographic information is something a popular social app or game might have. 12 million is a pretty good number, though.

edit: our iOS app has over 2 million of these type of device records (though we don't collect any demographic info, so just device ids, apns tokens, device names, device types -- standard for push notifications).


Would all of those millions install an application from the FBI knowing it gave them that information?

Just because I am ok with one organization having my information doesn't mean that I am ok with any others having the same.

I'm presuming the FBI got the database from an App Developer. Not that the FBI released a popular iOS app.

The FBI stole an Instapaper server in an unrelated raid http://blog.instapaper.com/post/6830514157

So Marco Arment could go all CSI for us and let us know whether the sample corresponds to info he retained and which would have been on the server at the time.

I've been using Instapaper since pretty much the first day, and my information is not in the file. Not to say they don't have it, but, it's not in that file, FWIW.

According to one report [1], only 1 million of about 12 million stored records were released by AntiSec, so the absence of your record is not conclusive.

1: http://thenextweb.com/2012/09/04/antisec-hackers-leak-100000...

I couldn't even guess the episode, but Marco has stated on is 5by5 podcast that he doesn't collect user information and only dips into user information grudgingly. I'd be surprised if this came from him as according to his statements he finds holding any user information that could be described as private unpleasant. This is all based on recollection however.

Still cant find the podcast, but here is what Marco says the FBI tool, quoted from the Instapaper blog about a year ago: >>The server was used as a MySQL replication slave, handling read-only queries to speed up the site. Instapaper suffered no downtime as a result of its theft and no data has been lost.<<

Further down:

>>Possibly most importantly, though, the FBI is now presumably in possession of a complete copy of the Instapaper database as it stood on Tuesday morning, including the complete list of users and any non-deleted bookmarks. (“Archived” bookmarks are not deleted. “Deleted” bookmarks are hard-deleted out of the database immediately.)

Instapaper stores only salted SHA-1 hashes of passwords, so those are relatively safe. But email addresses are stored in the clear, as is the saved content of each bookmark saved by the bookmarklet.

The server also contained a complete copy of the Instapaper website codebase, but not the codebase of the iOS app.

Linked Facebook, Twitter, or Tumblr accounts only store their respective OAuth keys. Linked Evernote accounts only store the Evernote email-in address. Linked Pinboard accounts, however, store plaintext usernames and encrypted passwords, and the encryption keys are present in the website source code on the server. <<

So "FBI theft" should be a new failure mode to defend against in web applications, right after SQLi and XSS? I'm handling this by not having any servers in the USA, hopefully GB is safe.

Yeah, this gives a whole new meaning to having live backups/redundancy. I guess this is an advantage of hosting on EC2 since there would be difficult for the FBI to seize the physical server.

It would be easier on EC2 since the FBI could just have Amazon clone your EBS volume and you'd never be the wiser.

Absolutely, that wasn't my point. Since the FBI could do that, you are unlikely to get your server seized from an unrelated raid. Still, a crappy situation.

Other countries aren't that safe. https://www.eff.org/cases/indymedia-server-takedown

Uh, yes. I think that is a safe assumption that they did not compile the list themselves.

iOS developers don't have the Apple IDs nor ZIP codes nor addresses (unless they separately ask for them but at least the apple ID is very uncommon)

There are no "Apple IDs" in here. Just Apple device UDIDs.

You are right. I misread the announcement. That still leaves the issue of the personal data, but as I said: app developers could acquire that directly from the user.

Possibly, the fact that personal data is missing so often actually might point to a non-apple leak, because they would have the link to personal data. Of course it could be fake, but it would be prsesent.

When he said "a popular iOS developer" I assumed he meant Facebook.

I imagine it wouldn't be that difficult to extrapolate this information from your address book: I keep my own name, phone number, address, etc. all in there, and you can probably figure out which record is mine.

Could this data have been taken from the AT&T "breach" a while back where all the data for iPhone customers wasn't protected and crawled?

And 12 million is the number claimed. Only 1 million is shown.

Well, at least the FBI is not going to share your personal information with advertisers, or (opt-in) spam you to death trying to sell you something.

The FBI's mission is reasonably clear; it's a government-regulated organization; it's non-commercial. They have a certain amount of accountability. Alas, we can't say the same for "popular iOS developers". We've seen how sneaky some iOS app developers can be with respect to privacy, and with little remorse after they get caught.


(and yeah, I know this is probably going to hammer my HN karma all the way to the bottom but...lol man)

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact