|
During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of "NCFTA_iOS_devices_intel.csv" turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.
Source
Antisec has leaked 1,000,001 of these Apple Unique Device Identifiers online from a file an FBI agent had on his Desktop. Obviously this is a blatant disregard for privacy by the FBI, but the question is how did they get this information? People at hackernews postulate the FBI got the database from an App developer. They also guess, "the NCFTA in 'NCFTA_iOS_devices_intel.csv' looks like it stands for the National Cyber-Forensics & Training Alliance, which "functions as a conduit between private industry and law enforcement." (http://www.ncfta.net/)"
Antisec goes on to say,
"We have learnt it seems quite clear nobody pays attention if you just come and say 'hey, [the] FBI is using your device details and info and who... knows [why they are] experimenting with that'," the document read. "We could have released mail and a very small extract of the data. Some people would eventually pick up the issue but well, let's be honest, that will be ephemeral... Eventually, looking at the massive number of devices concerned, someone should care about it."
What are everyone's thoughts on this? Conspiracy theorists don't go too nuts. Yes, it's an obvious privacy breach, but the US Gov't aren't Reptilian Humanoids who can transform.
Interesting facts
Top device names:
42797 'iPhone'
5191 'iPod touch'
3136 '“Administrator”的 iPad'
2202 '“Administrator”的 iPhone'
1534 'Owner’s iPad'
1453 ' iPhone'
1309 'Administrator’s iPad'
1196 'Administrator’s iPhone'
1141 'PdaTX.Net'
1058 'John’s iPad'
166 devices are named “Titanic” or “The Titanic” because of the “Titanic is syncing” joke.
Links
How to find out your UDID
Has your iPhone been compromised? Check here
List of all 1 Mil UDIDs and an alternate link to check
If you want to lookup your UDID but are afraid to expose it, use partial search here
Forbes article
ZdNet Article
Cnet Article
Gizmodo article
Video of FBI Agent Chris Stangl
Did they get Obama's iPad? Some say yes
Download Links for IDs
Edit:"What makes UDIDs important?"
They identify your own Apple device, as it's a unique ID. The bigger part is the 12 million "user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses" the FBI collected along with UDIDs. Antisec released the UDIDs to gain attention to this collection of information and not the other stuff due to personal information.
|
...John's iPad?
But on a serious note, I think the issue's more to do with why they had the information/thought they needed it as opposed to how. What could you possibly get from a UDID database that you couldn't get from a government one?
|
There are probably many Johns.
|
On September 04 2012 21:47 epicanthic wrote: ...John's iPad?
But on a serious note, I think the issue's more to do with why they had the information/thought they needed it as opposed to how. What could you possibly get from a UDID database that you couldn't get from a government one?
John is a very common name in the US.
|
3136 '“Administrator”的 iPad' 2202 '“Administrator”的 iPhone'
am I the only one seeing chinese character in that list? O.o oh, and this is the same as "Administrator's Ipad" or "Administrator's Iphone" btw.
|
I'm quite happy I always kept my distance to Apple products right now.
|
On September 04 2012 21:51 Dranak wrote: On September 04 2012 21:47 epicanthic wrote: ...John's iPad?
But on a serious note, I think the issue's more to do with why they had the information/thought they needed it as opposed to how. What could you possibly get from a UDID database that you couldn't get from a government one?
John is a very common name in the US.
or maybe john has a lot of ipads
|
On September 04 2012 21:51 Dranak wrote: On September 04 2012 21:47 epicanthic wrote: ...John's iPad?
But on a serious note, I think the issue's more to do with why they had the information/thought they needed it as opposed to how. What could you possibly get from a UDID database that you couldn't get from a government one?
John is a very common name in the US.
That's right John.
Back to you John!
|
Another interesting fact: of this data set, 166 devices are named “Titanic” or “The Titanic” because of the “Titanic is syncing” joke.
grep -c -i "titanic\'" iphonelist.txt
|
|
On September 04 2012 21:56 ain wrote: I'm quite happy I always kept my distance to Apple products right now.
To be fair, they probably have a database on other smartphones too.
|
I really like how an FBI guy got owned by a Java exploit. -_- That shouldn't be happening in the first place.
|
|
What makes UDIDs important?
|
On September 04 2012 22:19 Torte de Lini wrote: What makes UDIDs important?
Isn't that the unique identifier that makes u able to track down single devices?
|
On September 04 2012 22:19 Torte de Lini wrote: What makes UDIDs important?
They identify your own Apple device, as it's a unique ID. The bigger part is the 12 million "user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses" the FBI collected along with UDIDs. Antisec released the UDIDs to gain attention to this collection of information and not the other stuff due to personal information.
|
On September 04 2012 22:19 Torte de Lini wrote: What makes UDIDs important?
Yeah, this would be good to include in the OP. I sure don't know why it really matters. I mean, the Patriot Act was already passed a while ago (it's still active I think? not sure... I'm a bad American.)
|
On September 04 2012 22:19 Torte de Lini wrote: What makes UDIDs important?
They're used to uniquely identify a device. Also they don't only have the UDIDs, but also the names, zip codes, addresses and what not...
I wonder if there's any information on Apple's TOS that your information is forwarded to the FBI
|
Thanks, I don't have many portable electronic devices, so I had no idea!
|
On September 04 2012 22:27 Jonoman92 wrote: Yeah, this would be good to include in the OP. I sure don't know why it really matters. I mean, the Patriot Act was already passed a while ago (it's still active I think? not sure... I'm a bad American.)
Sadly it was not only passed, but it expired and got RE-passed not too long ago. Still disgusted that it did.
|
On September 04 2012 21:56 nkr wrote: On September 04 2012 21:51 Dranak wrote: On September 04 2012 21:47 epicanthic wrote: ...John's iPad?
But on a serious note, I think the issue's more to do with why they had the information/thought they needed it as opposed to how. What could you possibly get from a UDID database that you couldn't get from a government one?
John is a very common name in the US.
or maybe john has a lot of ipads
lol, this is golden.
|
Sooo, what's the bottom line? A million people's cell phone numbers are floating around the internet?
edit - and does it really matter? It used to be that you could get most of that information out of the phonebook.
|
On September 04 2012 22:28 PandaCore wrote: They're used to uniquely identify a device. Also they don't only have the UDIDs, but also the names, zip codes, addresses and what not... I wonder if there's any information on Apple's TOS that your information is forwarded to the FBI
Pretty sure the government already knows our names, zip codes, addresses, social security numbers, and likely our favorite color/ice cream flavor as well. As someone above mentioned, perhaps it's a big deal because they can track you? I dunno, I'm sure I should care more about my personal liberties, but whatever... where I am is really not that interesting.
|
On September 04 2012 22:11 Romitelli wrote: On September 04 2012 21:56 ain wrote: I'm quite happy I always kept my distance to Apple products right now.
To be fair, they probably have a database on other smartphones too.
I didn't say Apple products are the only ones I steered clear of, did I?
|
On September 04 2012 22:51 ain wrote: On September 04 2012 22:11 Romitelli wrote: On September 04 2012 21:56 ain wrote: I'm quite happy I always kept my distance to Apple products right now.
To be fair, they probably have a database on other smartphones too.
I didn't say Apple products are the only ones I steered clear of, did I?
then your post makes no sense. Even if it was only apple product ids leaked, that only means that the US government still has information on other smartphones (which they do btw) so it makes no sense that you are glad you didn't buy an iphone. The point is that this is hard evidence that mobile devices are being tracked. Not the actual leakage of the device info.
|
On September 04 2012 23:17 eu.exodus wrote: On September 04 2012 22:51 ain wrote: On September 04 2012 22:11 Romitelli wrote: On September 04 2012 21:56 ain wrote: I'm quite happy I always kept my distance to Apple products right now.
To be fair, they probably have a database on other smartphones too.
I didn't say Apple products are the only ones I steered clear of, did I?
then your post makes no sense. Even if it was only apple product ids leaked, that only means that the US government still has information on other smartphones (which they do btw) so it makes no sense that you are glad you didn't buy an iphone. The point is that this is hard evidence that mobile devices are being tracked. Not the actual leakage of the device info.
Of course it makes sense in the context that Apple products were confirmed to be tracked and had their UDIDs leaked. What about that does not make sense to you?
To be clear, I'm rather happy to not have acquired a smartphone, but I'm especially happy that I didn't get a smartphone made by Apple.
|
WOW, The titanic is syncing.... Blew my mind.
|
Why the fuck does the American government even have this information to begin with?
|
On September 04 2012 22:19 Torte de Lini wrote: What makes UDIDs important?
UDIDs are Unique Device Identifiers; they are unique to each device made by Apple.
|
The Patriot Act pretty much enabled the government to get the UDIDs for your devices from phone companies whenever they damn well please. Apple is not the only smartphone developer who they can get UDIDs for. Nor are smartphones somehow special - they can get this information for regular phones (SIM card number) too. Zero people should be surprised by this.
A better question would be "What can the US government do with this information?"
Obviously, they can use it to filter through all the calls that are made every day, and find the ones which came from a device in question. However, it's much tougher to use it to "track" you.
The real difference between smartphones and regular phones is whether or not they have an onboard GPS, and whether or not it's active. Generally, phones are continually pinging, trying to look for the nearest cell phone tower and establish a connection. This can help give you a vague (in urban areas, cell towers are spaced about every quarter mile) idea of where a cell phone is, but can hardly be used to track you.
Likewise, GPS information is not, I believe, promptable from cell phones. So while the government can listen to your calls, and have a vague idea where you are if your cell phone is on, they can't find you in a city based on it.
-Cross
|
On September 04 2012 23:36 Pwnographics wrote: Why the fuck does the American government even have this information to begin with?
Because as we all know Governments do not at all keep track of one's address, identity and personal information for the purposes of government normally so they do this. More realistically, people who break the law (be it not paying taxes to drug running) don't tend to tell the government where they actually live or how to get in contact with them for obvious reasons. Hence why something like this is done. I don't condone such actions but that's generally the reasoning that's put behind it.
I do wonder how many ipads they found named "Kirks Log" or "Datapad" or named after some fanciful anime character. I didn't honestly think about the jokes you could do with the Titanic is syncing.
|
On September 05 2012 00:05 Crosswind wrote: The real difference between smartphones and regular phones is whether or not they have an onboard GPS, and whether or not it's active. Generally, phones are continually pinging, trying to look for the nearest cell phone tower and establish a connection. This can help give you a vague (in urban areas, cell towers are spaced about every quarter mile) idea of where a cell phone is, but can hardly be used to track you.
The larger part they can track is movement between places. The above can easily be used to see if you move from the western part of a city and the eastern part. Even if they don't know exact building in all cases. It can easily track if you travel from New York to Boston or similar.
|
Antisec has leaked 1,000,001 of these Apple Unique Device Identifiers online from a file an FBI agent had on his Desktop. Obviously this is a blatant disregard for privacy by the FBI,
FBI was the one who released them to the public? I see.
Irony! Blatant, disregarding irony.
|
On September 05 2012 00:13 Yurie wrote: On September 05 2012 00:05 Crosswind wrote: The real difference between smartphones and regular phones is whether or not they have an onboard GPS, and whether or not it's active. Generally, phones are continually pinging, trying to look for the nearest cell phone tower and establish a connection. This can help give you a vague (in urban areas, cell towers are spaced about every quarter mile) idea of where a cell phone is, but can hardly be used to track you.
The larger part they can track is movement between places. The above can easily be used to see if you move from the western part of a city and the eastern part. Even if they don't know exact building in all cases. It can easily track if you travel from New York to Boston or similar.
Definitely. What I don't think is being appreciated is that there are already a half-dozen different ways to do this.
Do you use a subway pass? They know where you got on/got off. Do you drive through tolls? They know when you were at each toll. Take out money at an ATM? Use a credit card anywhere?
Broad "Where was this guy?" data was already plenty available, if the government wanted to look at it.
The problem is not that this data exists - it's that there's SO MUCH OF IT that it's incredibly difficult to do anything useful with it. If you _start out_ knowing which cell phone you want to follow, or driver's license, or license plate, or commuter rail card, you can track somebody (and have been able to for a decade). But phone device IDs don't do much to allow the FBI, or anybody else, to invade your privacy in any new and exciting way.
-Cross (In the spirit of full disclosure, I'm a DARPA researcher who works on Wide Area Surveillance - thus my familiarity and interest with these types of problems)
|
My god, I'm renaming my iphone to the Titanic.
|
does the UDID have anything to do with GPS and, for example, the find your iphone app?
|
On September 04 2012 21:56 JustPassingBy wrote: 3136 '“Administrator”的 iPad' 2202 '“Administrator”的 iPhone'
am I the only one seeing chinese character in that list? O.o oh, and this is the same as "Administrator's Ipad" or "Administrator's Iphone" btw.
Yes, the Chinese character you see means possession
|
Are we really this cynical already, to not be outraged? Not that I'd be surprised at all.
|
On September 04 2012 23:36 Pwnographics wrote: Why the fuck does the American government even have this information to begin with?
Presumably because the government asked and Apple complied. Normally there would be, you know, a warrant and such required, but Apple just handed the shit over.
|
|
It's the government spying on its citizens. The people in charge are actually Reptilian Humanoids from another planet here to analyze us and decide if we should be exterminated or not.
|
Well my UDID didn't pop up but what do you even do if it does pop up as compromised?
|
On September 04 2012 22:27 Jonoman92 wrote: Yeah, this would be good to include in the OP. I sure don't know why it really matters. I mean, the Patriot Act was already passed a while ago (it's still active I think? not sure... I'm a bad American.)
Part of it is still around. Much of it has been struck down and/or rewritten.
|
My friend says that this is pretty much an open secret in the FBI.
As for the Chinese character stuff, it's because nearly all Apple devices shipped to China contain backdoors for US-based entities to access their data; he says it's helpful that so many Chinese officials like to give IPads to each other as gifts
|
How can someone not be bothered that the FBI has this much information on its citizens? Let alone this much info on one damned laptop. This instance proves a few things.
1) If they have this much info, just imagine how much more they have. 2) They can't even protect the info. 3) No one...seems to care.
I guess it might have been the "Oh shit" quadruple over-reaction from 9/11 and the subsequent shit storm of fear that was drummed up by our politicians/media personalities, but the sheer "Oh well," attitude some have over this is frightening. Having bots aimed at tracking who uses incredibly inflammatory language on the internet is one thing, keeping logs of 12 million Apple Users and their detailed personal information is something completely different.
|
Although this doesn't concern me because I don't have Apple products, it still probably wouldn't concern me if I did. If you didn't do anything wrong, then you have nothing to hide right? I suppose they are just monitoring that stuff for public safety. When I hear the case where the FBI takes your private info and sells it to companies, then I'll start getting concerned. Plus, haven't we known for a while now that the government spies on just about everyone?
Anyone else laugh at the Titanic is syncing thing haha.
|
On September 04 2012 22:49 TheFish7 wrote: Sooo, what's the bottom line? A million people's cell phone numbers are floating around the internet?
edit - and does it really matter? It used to be that you could get most of that information out of the phonebook.
a phonebook lists your name, phone number and address usually at the consent of a person. This is a corrupt government's super detailed phonebook that they not only had, but LOST it due to a random exploit over the internet. I'm very certain that with the information that was leaked (god only knows what WASN'T leaked), making the leap to any other additional personal information isn't going to be difficult at all.
Anyone who says "I don't have anything to hide, who cares" or "My number and address is boring whatever" is really just waiving their rights and any sort of privacy imaginable. If government wanted to raid your underwear drawer, do you still have nothing to hide? If they wanna flip your mattress to see what kind of naughty magazines you have, you still don't care? With all the corruption and lying that occurs in politics, should you really be so relaxed about your personal, private information being gathered by the government and then LOST through some java exploit? We're lucky it was lost to someone who released it online and didn't do anything more malicious although I'm sure there are some people who aren't as generous.
|
If you didn't do anything wrong, then you have nothing to hide right?
I absolutely hate this argument. "Do you have anything to hide?" I have fucking LOADS to hide. None of it (bar some piracy) illegal! I'm not speaking of this specific case, but argument in itself and how it's used in all online privacy debates. For example: I have a long distance relationship atm, meaning lots of conversations I have with her are over the internet. They are private. So yes, I have something to hide. My private conversations with my girlfriend. They are not illegal. But what's said is STRICTLY between me and my girlfriend. Anyone listening is breaching our privacy.
This is just one example of many where the "If you don't do anything wrong you have nothing to hide" argument falls completely flat. It's a horrible argument, allowing for horrible decisions.
|
Lol. Am I the only one getting a huge ad for galaxy SIII when I enter the site? ^^
|
|
|
|