Hackers leak '1 MILLION records' on Apple fanbois from FEDS

Hackers have dumped online the unique identification codes for one million Apple iPhones and iPads allegedly lifted from an FBI agent's laptop. The leak, if genuine, proves Feds are walking around with data on at least 12 million iOS devices. The 20-byte ID codes were, we're told, copied from a file extracted from the Dell …

COMMENTS

This topic is closed for new posts.
  1. Danny 5
    Trollface

    oh noes!

    so big brother IS watching.

    Now on to something that's actually new please!

    1. Hieronymus Howerd

      Re: oh noes!

      Thanks for your input, Dan.

      My question is, since all that has been released is apparently a simple list of IDs, why do we trust that these talented hackers didn't just invent the whole story?

      Anyone with basic IT skills could generate a list of strings which fit a known format in a matter of seconds - how do we know they didn't do just that?

      1. Gil Grissum
        Pint

        Re: oh noes!

        What's more plausible - 1) The FBI is snooping on iOS Devices for some nefarious undisclosed reason or, 2) Some hackers made up this story for exactly what reason? Publicity? Attention? Ego? Doubtful. The FBI also is well known to have used a program named "Carnivore" to sniff this type of information off PCs. That they are paying this much attention to the entranced Koolaid drinkers of iOS shouldn't surprise anyone.

        1. Miek
          Linux

          Re: oh noes!

          The first scenario sounds the most plausible.

        2. Hieronymus Howerd

          Re: oh noes!

          If you don't believe that a significant number of these kids are motivated by publicity and attention-seeking, then you clearly haven't been paying much attention yourself these last few months.

          Still, it's more troubling that you appear to accept whatever you read on the internet without the slightest shred of critical thought or evaluation. This world must be a very confusing place for you to live in.

  2. Anonymous Coward
    Anonymous Coward

    But the bigger question is WHY.

    >"by themselves they pose only a minimal privacy risk"

    But why on earth should the FBI have a list of all those users in the first place? What the hell was going on there?

    1. IglooDude

      Re: But the bigger question is WHY.

      Indeed. I was going to note that it covers roughly three percent of the US population, but I have a tough time believing that the list would only have iDevices owned by US residents in it.

      1. Anonymous Coward
        Anonymous Coward

        Re: But the bigger question is WHY.

        Well with nearly 1% of the US population already incarcerated, there can really be only one explanation:

        It's time to drive those numbers UP!!!.

        Of course, we'll have to stuff all file-sharers and hacktivists into the same cells as drug users but they should get along just fine. Or maybe we can build some more prisons...... it's the only way we will ever successfully compete with Chinese manufacturers again-

        Whoops!! My UDID just popped up on that list.... gotta go.... it's time to buy a new iphone.

        Anonymously...... I'm afraid

    2. Anonymous Coward
      Gimp

      Re: But the bigger question is WHY.

      >But why on earth should the FBI have a list of all those users in the first place? What the hell was going on there?

      Maybe it was an epidemiological study into outbreaks of fanboiism.

      1. Gil Grissum
        Pint

        Re: But the bigger question is WHY.

        Or perhaps it is the type of free wheeling approach to civil liberties that Facebook is famous for?

    3. Anonymous Coward
      Holmes

      Re: But the bigger question is WHY.

      The data they've been gathering looks very much like it's being gathered by an app. So, have 12m people downloaded the FBI tracking app? Or is there an app out there that's basically a trojan for the FBI, or is a major (seeing as they have 12m downloads!) developer working with them or infiltrated by them?

      Finding out which app was involved could be interesting ;)

      1. Anonymous Coward
        Anonymous Coward

        Game is afoot

        Odds are, when the FBI had their DNS servers up in place of the large cluster of "DNS Changer" servers, they took advantage of the situation to gather information from anybody pointing to them.

        1. Anonymous Coward
          Anonymous Coward

          No, it couldn't be DNSChanger

          >Odds are, when the FBI had their DNS servers up in place of the large cluster of "DNS Changer" servers, they took advantage of the situation to gather information from anybody pointing to them.

          DNSChanger only infected Windows and Mac OS/X systems. Therefore the only systems pointing to the FBI's replacement DNS servers were infected Windows and Mac OS/X systems. Therefore this could not have been used as a mechanism to gain information about Apple portable iOS-powered devices.

      2. Anonymous Coward
        Anonymous Coward

        Re: But the bigger question is WHY.

        IOS is the tracking app.

        1. Field Marshal Von Krakenfart
          Devil

          Re: But the bigger question is WHY.

          Remember that the Stasi, the East German secret police, used to break into the homes of people they didn't like and steal their dirty underwear and created an enormous collection of "smell samples" of people in case they ever needed to give hunting dogs a scent to track people.

          This is no different.

    4. Anonymous Coward
      Anonymous Coward

      Re: But the bigger question is WHY.

      Because they might be communists, of course, silly!

    5. Anonymous Coward
      Anonymous Coward

      Re: But the bigger question is WHY.

      Maybe this data had been sourced from the National Cyber-Forensics & Training Alliance (hence the filename) to assist current investigations, maybe investigations into LulzSec, Anonymous and others perhaps?

      Maybe this data release is simply a smokescreen or diversionary tactic for those involved? Who knows? I don't.

    6. Anonymous Coward
      Megaphone

      Re: But the bigger question is WHY.

      Apparently the leak comes from the popular AllClearID app, who work with the FBI and the NCFTA in particular.

      Perhaps surprisingly it's an identity protection app...

  3. Anonymous Coward
    Anonymous Coward

    Amateurs

    >Feds are walking around with data on at least 12 million iOS devices.

    Drop in the ocean compared to Flurry tracking data from iOS devices - and I'm guessing you can't buy access to the Fed's data.

    Flurry claims 1.4 billion app session reports or 1.5 terabytes of data [that's per day BTW].

  4. Anonymous Coward
    Anonymous Coward

    Usual Windoze FAIL

    Seriously, not even the FBI can secure it?

    1. Anonymous Coward
      Anonymous Coward

      Re: Usual Windoze FAIL

      I get that people don't like to read articles but "vulnerability in Java" is in the second paragraph.

      1. Destroy All Monsters Silver badge
        Devil

        Re: Usual Windoze FAIL

        http://pentestlab.wordpress.com/2012/03/30/java-exploit-attack-cve-2012-0507/

      2. RonWheeler

        Re: Usual Windoze FAIL

        I'm intrigued that the laptop may have had some kind of direct access to the outside world, making this attack much more likely. I'd have thought the Feds would have forced all network traffic to go back to base via a VPN. Sloppy security for a high profile outfit, unless it was the bloke's personal laptop, in which case he should be fired instantly if not prosecuted.

    2. This post has been deleted by its author

  5. Anonymous Coward
    Anonymous Coward

    Everything Everywhere

    Are we really surprised? The NSA allegedly collect everything that Americans do online, but they get round it by not looking at it without a warrant.

  6. Naughtyhorse

    Anon....

    Fanbois????

    I like to think not

  7. gnorville

    Where did the feds get the UDIDs? Are cell phone companies giving that info to them?

    1. Anonymous Coward
      Anonymous Coward

      Sounds like some game network sold it to them. Maybe OpenFeint, who were found to be de-anonymizing data last year.

      Cell companies don't use UDIDs, they use IMEI, which is completely unrelated.

      1. gnorville

        Ahh. Well thanks for the educational tip :)

  8. Anonymous Coward
    Anonymous Coward

    Interesting...

    It's interesting that people jump to the conclusion that the Feds must be monitoring people, in a case about the alleged hacking of an Agent's laptop, where that agent was working on a case investigating the activities of Anonymous/Lulz Sec. My first thought was, the "black hat" hackers may well be the same people that are being investigated and have got wind of that, they then released a file which they'd obtained (and had subsequently been obtained by the FBI, from them) and left Internet conspiracists to jump to the conclusion that the feds are watching everyone, not investigating a bunch of Internet vigilantes, who've got your ID for who knows what.

    1. chris lively
      FAIL

      Re: Interesting...

      Did you hurt your brain coming up with that one?

      1. Anonymous Coward
        Anonymous Coward

        Re: Interesting...

        But he has a very sound point, why "jump to the conclusion that the feds are watching everyone?"

        It's far more likely the file was sourced from the NCFTA (judging by the filename). Of course, most of this story and thus most of the comments here currently hinge on the words of miscreants, vagabonds and thieves. I for one would be hesitant to take anything LulzSec, Anon or similar groups say at face value.

        1. Anonymous Coward
          Anonymous Coward

          Re: Interesting...

          Otoh consider the history of the FBI, c. J. Eager Beaver. The question is: can a horse change its spots mid-stream?

  9. Velv
    Black Helicopters

    It would be nice for the hackers to publish a website where you could look up a UDID and see if it's on the list. They don't need to publish any further details, just a "you're on the list" or "you're not on the list"

    Funny how there are lists you want to be on and lists you don't want to be on...

    1. Anonymous Coward
      Anonymous Coward

      I don't want to be on any list.

      maybe I'm paranoid?

      1. Fibbles
        Trollface

        Re: I don't want to be on any list.

        Can I have your state pension then?

    2. chris lively
      FAIL

      Just by putting your ID into such a site would mean you were on the list.

  10. dssf

    Could this just be a release coincidental to apple trying to destroy competition? It could be to embarrass mac ios ithing fans or raise their hackles or even to slow the release of the iphone 5. Or, to embarrass apple before the next trial - after all, it could be argued, if apple cannot innovate security the way they enerv, um, innovate products, then why do they get to win a patent on an inherently trojaned phone? Sure, such a release could happen to SAMSUNG and others, but, this may force apple to delay product launch in October if millions of cloying fans and hundreds of thousands of DOD, government, and key business people demand better privacy.

    Which begs the question: google, wtf are you going to do about our android security? We can buy a Linux disc and by default our desktops and laptops are rooted. But, our phones? Oh, hell no! You and the advertisers cannot sleep knowing we could blackhole adverts if android by default were pre rooted prior to sale. So, you force us without the skills or patience or money to pay someone to be at risk and just trust you. Hell, twice, here in shanghai, my google chat stream had malformed urls injected between me and a friend in SK. I should not HAVE to have a VPN if i choose not to, but i should not have to tear out my fucking hair because on my own i cannot root my droid devices, cannot find cheap, capable firewalls and IDS tools, and cannot properly near-forensically collect info from my device (not the LAN/WAN) to prosecute the fucktards insinuating in my private messages or chat. Thanks a lot, google. What is really scary is that it is NOT necessary for me to CLICK the link since transparent overlays and underlays can be clickable ANYWHERE ON THE PAGE!

    I won’t be surprised if such a disclosure happens to android devices in the near term....

    1. dssf

      Optional, in fact...

      google, you should be busy embedding VPN tools in ALL of your products to enable people to enjoy secure, privileged communications. You can still submit to a valid subpoena by a valid court, but leaving us exposed by default is laughingly anti "Do No Harm", if you ask me.

      1. Anonymous Coward
        Anonymous Coward

        Re: Optional, in fact...

        Even if they do (my AT&T issued android phone does in fact have a VPN app installed by default), you've got the problem that every g*damn IT department on the planet has a different, non-interoperating (by design, because "security by obscurity" is always best) proprietary VPN solution foisted on them by the modern version of the snake-oil salesman: the enterprise IT security vendor/consultancy. To really get where you want (and we should be), the swamp that is enterprise IT would first need to be drained and the crap that became visible dredged out. Not likely, leastways in our lifetimes.

    2. Gil Grissum
      Pint

      The iPhone 5 needs to be slowed. Apple is a bigger satan than Google. One must wonder why the FBI is more interested in iOS use than Android, or Blackberry, especially considering BB's more secure nature, but then again, BB10 isn't due for release until first quarter of 2013.

      1. MD Rackham

        Still trying to unload that RIM stock, are we?

  11. Alan Denman

    Fair play.

    Apple playing fair obviously charged the feds a big fat fee.

  12. Anonymous Coward
    Anonymous Coward

    Feds saving files on the desktop?

    NCFTA_iOS_devices_intel.csv was found on the desktop, they say. So how did they effectively target him with the AtomicReferenceArray weakness, get the file and confirm that it was his file?

    I'm having a look at the file now. It's that or a coffee break

  13. SMFSubtlety
    Big Brother

    @Velv

    should they ask you for your name and credit card number on this site too?

  14. Furbian
    Meh

    .. and people think I'm paranoid for not giving Google my passport...

    Apparently some people think that I'm being unreasonable for not sending Google a photocopy of my passport, a document which in the long term is far far worse than your credit card in the wrong hands.

    http://furbian.blogspot.co.uk/2012/06/my-google-walletplaycheckoutwhatever.html

    Oddly enough, Amazon, Apple, Sony (PSN), Xbox Live are just some people I do have paid accounts with, and do not want a copy of my passport.

    1. Anonymous Coward
      Anonymous Coward

      Re: .. and people think I'm paranoid for not giving Google my passport...

      Yeah. "Google's Plan for Total World Information Dominance".

      Step 1: Create database containing images of all customer passports.

      Step 2: Lease data gathered in Step 1 to U.S. and other interested national governments.

      Step 3: Provide access to same data provided to governments in Step 2 to major banks and Fortune 500 corporations on a subscription basis.

      Step 4: Create new product allowing customers to opt out of information sharing already done in steps 2 and 3 with no guarantee of effectiveness.

      Step 5: Persuade governments referred to in Step 2 above to declare themselves allies of the Eastasia by refusing to renew their subscriptions to our data.

      Sounds like a "really neat plan", doesn't it?

      Now if we could just get a declaration that every bit of info about you is your own personal property, and then impose a minimum statutory transaction fee on every scrap of that data shared with third parties, say 5 cents a field, payable to the subject of the data, then maybe we might slow that train down (a data rights enforcing ASCAP or BMI for mere mortals?). Anything short of that isn't likely to have much of an impact.

      1. btrower

        Re: .. and people think I'm paranoid for not giving Google my passport...

        Re: "Now if we could just get a declaration that every bit of info about you is your own personal property, and then impose a minimum statutory transaction fee on every scrap of that data shared with third parties, say 5 cents a field, payable to the subject of the data, then maybe we might slow that train down (a data rights enforcing ASCAP or BMI for mere mortals?). Anything short of that isn't likely to have much of an impact."

        Exactly right. If legislators actually acted in our interests, something like this would go directly into law. I worked on a system for a while that would allow subjects of data to both give and revoke access whenever it pleased them on an element by element basis. It is possible to build a system that allows limited temporary access for legitimate purposes that expires upon use. Of course, such a system requires strong encryption and many roadblocks exist to prevent you from getting it.

    2. Anonymous Coward
      Anonymous Coward

      Re: .. and people think I'm paranoid for not giving Google my passport...

      The irony of hosting your gripe on Blogspot.... LOL

  15. Anonymous Coward
    Anonymous Coward

    Time to pay the Piper

    If at first you hack, then you go to prison.

    1. Shades

      Re: Time to pay the Piper

      Morris! You're back!

      Now go away again.

    2. Anonymous Coward
      Anonymous Coward

      Re: Time to pay the Piper

      Yeah... just send out blanket warrants for all the UDIDs on the list. You can always argue it out in court...later... maybe,,,,

      Be careful of what you wish for.... when the Piper starts coming for too many people's children ... I suspect there will be a backlash.

  16. Anonymous Coward
    WTF?

    The best bit..

    "Meanwhile, AntiSec says it will not provide further statements or interviews until a mysterious request is fulfilled – to have a photo of a Gawker staff writer dressed in a tutu featured on the company’s homepage."

  17. Anonymous Coward
    Anonymous Coward

    To the glue factory

    If something of the sort happened to a mere mortal like this humble sysadmin working for a Fortune 200, I'd expect to be immediately terminated and put out to pasture -- possibly never to get a job in corporate IT again. Somehow I'm thinking this guy, like so many before, who either violated security policy, or, as a policy maker failed to promulgate one that sufficiently considered the risks of having such highly sensitive data on a mobile device, won't get more than a slap on the wrists. That's the problem, plain and simple. Bringing the hammer down would have two positive consequences: (1) it would serve as a warning to others similarly situated; and (2) it would take a defective piece off the board. But we shouldn't hold our collective breath waiting for that. "Too big to fail" doesn't apply just to monolithic nonhuman entities whose misconduct can result in suffering for millions (or billions).

    1. chris lively
      Facepalm

      Re: To the glue factory

      I wonder, how do you effectively train a sysadmin to look for and squash security problems? Do you spend all day, every day testing java, flash or any of the other technologies that are currently in use at your organization, looking for attack vectors?

      Are you a member of a hacking group so that when a vulnerability is found you can disable that path in your organization? Or, are you one of those morons that simply have Norton or McAfee turned on and pray that the signatures update before you are hit?

      Fact is, the best sysadmins are the ones who have been bitten and cleaned it up. Because now they have real world experience. Firing those with experience is what idiots do.

      Of course, if they are a complete fuck up they should be fired anyway, but you'll know that well before an attack takes place.

  18. Richard Cartledge

    Facebook.app?

  19. Anonymous Coward
    Anonymous Coward

    Too bad, so sad

    More hackers off to prison or Siberia.

  20. Anonymous Coward
    Anonymous Coward

    Re: But the bigger question is WHY.

    the FBI ?

    aren't they good at two sorts of operations:

    the 'sting'

    and

    'honeypots 'r' us'?

    the truth is a representation of facts - which are themselves an interpretation of information

  21. Anonymous Coward
    Anonymous Coward

    Media duped again

    Not FBI data.

    1. Anonymous Coward
      Anonymous Coward

      Re: Media duped again

      You are right, it's everybody's data now

  22. Anonymous Coward
    Anonymous Coward

    is there an app for that, well almost....

    But what i want to know is:

    Will Apple let somebody upload the new Checklist App?

    Because that would be 12,000,000 million downloads almost guaranteed.

    Until then (and if you are too lazy to follow the pastebin decrypt instructions located at http://pastebin.com/nfVT7b0Z)

    I suggest you go to

    http://thenextweb.com/apple/2012/09/04/heres-check-apple-device-udid-compromised-antisec-leak/

    Hopefully, someone dressed in an evening gown is bitch slapping the offending agent with a rubber hose by now.

    Internet 1:

    Forces of repression: ?

  23. Anonymous Coward
    Anonymous Coward

    Antisec make fools of themselves

    Antisec is doing a good job of looking like morons with baseless claims. They must be anxious to visit their friends in prison?
