UDID Leak : Identifying the Traitor (fredericjacobs.com)
141 points by FredericJ on Sept 4, 2012 | 84 comments



Sorry, I don't think this strategy is workable. Consider - 74% of apps I tested sent the UDID to one or more upstream servers. Furthermore, Flurry alone received UDIDs from 15% of apps I tested. That's just one aggregator, and they surely have nearly 100% of UDIDs on file. The APNS tokens narrow it down somewhat, but not too much. It's also not at all clear that there is a single source involved - this could be an amalgamation of a number of sources.

See this post for the source of these figures: http://corte.si/posts/security/apple-udid-survey/index.html


Statistics created with the sample of 25,000 udids, Fruit Ninja is suspect? (Not conclusive) pic.twitter.com/vlyoE2ij


Why do people keep assuming that the FBI is actually involved in this? The only evidence of that is from the pastebin page. They could just as easily be lying.

We know nothing. Other than that there are 1,000,001 leaked UDIDs. Everything else is just speculation and needs to be regarded as such until such time as proven otherwise.


Anonymous' credibility is good. I haven't heard of an instance where they were caught lying in a high profile incident like this.


I have followed these lines of thought before. They contain a fatal mistake.

Anonymous is not a group that can have a reputation. At best, it's a subculture. Anyone can call themselves anonymous. Whoever didn't lie in all the previous incidents may not be behind this one - this could be a totally different person or group of persons with totally different ideals.


Cultures can have a reputation. They can also fight back when someone uses their name for something they disagree with.


That's an amusing statement. The whole point of anonymity is for your statements to be judged on their merits rather than your reputation.


Nice try, Mr. Secret Agent.


It's like spot-a-fed at the defcon. Here we go.


If we have any indication that the information is false, first then should this really become an issue. Until then, FBI is the most likely source.


Why blindly trust an unknown entity that may have ulterior motives?


Are you talking about AntiSec, or the FBI?


Of course they may have ulterior motives. Any action performed by a human might have ulterior motives. Anything anyone says might be an intentional lie to mislead.

But to assume everyone is lying until proved correct will not work. Reading news would be impossible, as would most other activities involving other people. The only working method then is to assume people are telling the truth until indication (not proof) is presented of the opposite. Blind trust would be only if we disregarded indication of falsehood when said indications exist.


Extraordinary claims require extraordinary evidence

A file filled with identifiers is not extraordinary evidence to link this to the claim of being an FBI laptop. It is only what it is (a file of identifiers) and says nothing about where it came from.


FBI having a data dump of an iOS app's users isn't an extraordinary claim.


I doubt it's Apple. I checked the list, and there're tons of German people in there too (one can see that by how they named their iPad). I really doubt that the FBI would be interested in tons of German girls, for example (many iPads seem to belong to girls named 'Sandra' (iPad von Sandra)). If Apple were the culprit here, they would have been able to just deliver the UUIDs from people residing in the states (since they know which UUID is connected to which app store).

I hardly think it's Apple that leaked the information. Even if it's hard to believe for some people: Apple values their users' personal information pretty high.

I personally believe that this is from an internal FBI job, so they got this information in a non-legal way.


Seconded. The UDID for one of my iOS devices was there, and I am in Poland. It is definitely not just the US.


The US Secret Service is apparently interested in busty Colombian girls, why wouldn't the FBI be interested in German girls? Fetishes come in all shapes, sizes and colors, even institutional fetishes.


Well, one piece of the puzzle is in the Lulzsec Pastebin itself. The hacked file's original filename is supposed to be "NCFTA_iOS_devices_intel.csv" and a quick Duckduckgo gave me http://www.ncfta.net/ those contractors as source of the data.


http://www.fbi.gov/news/stories/2011/september/cyber_091611 “The exchange of strategic and threat intelligence is really the bread and butter of the NCFTA,” said Special Agent Eric Strom, who heads the FBI unit—the Cyber Initiative and Resource Fusion Unit (CIRFU)—assigned to the NCFTA. “The success of this effort at every level comes down to the free flow of information among our partners.”

Dan Larkin (the FBI Agent who set up NCFTA in 1997) http://www.linkedin.com/pub/dan-larkin/25/90/910

Note that he used to be with CIRFU.

Now, check it out: https://www.allclearid.com/plans/mobile-app


The whole FBI story is not credible, it's the least likely explanation. I'd start looking for the app that all these UUIDs have in common. This data is probably a dump of that app's server-side database. And what about the zip codes? GeoIP.


  I've Never Installed: ... Other [            ]
This is a joke, isn't it? How could I possibly answer this question correctly?

(My deadpan-sarcasm filter isn't working very well right now.)


Traitor? Is Apple a nation state now?

Which leads to an interesting question for me. Given that many web sites have more users than many countries, should there be a more proscribed relationship?


Maybe you're thinking of high treason? It's possible to be a traitor to things other than countries. Actually I think the reason more people are on FB than the US is because there are fewer obligations.


This is a question we should keep asking Apple until they give a proper, real answer: Who gave this information to FBI? If they say they gave it, then we know Apple gave this information and it will be a PR nightmare for them. If they say they didn't, then they will imply FBI obtained it illegally and we can focus our attention on FBI.


It's rather like the FBI having a list of 12,000,000 wifi MAC addresses. Would the mere possession of such a list by the FBI be illegal? What if the MAC addresses supplied by Starbucks are from customers who voluntarily connect their devices to Starbucks' network and transmit their MAC address as part of the connection negotiation?

Similarly, what if the UDIDs are from people who installed a common app on their devices and agreed as part of the terms and conditions to allow information about their hardware (including device name, UDID, etc.) to be transmitted to the app vendor and to other parties including law enforcement?

EDIT: the question of whether they should have this information is completely separate from whether it's illegal for them to have this information. And, as noted by others, no proof has been presented that it was obtained from the FBI.


MAC address, user name, phone number, street address...


> If they say they didn't, then they will imply FBI obtained it illegally

Huh? How? Most companies who have an iOS app with over 12 million users could have given it.


Very few (probably only one) companies' lists would have ALL of the 1000001 ids on the leaked list.


Why does there need to be only one source?


Not that Apple would bother to answer your questions, but why couldn't a developer have willingly shared this information with the FBI, in order to help them investigate a crime against that developer?

The paranoia on these UDID threads is ridiculous. Investigating crimes is what the FBI primarily does, so if they've got any information it's most likely for that - not some broad-spread domestic surveillance scheme.


What about PokerStars?

Their US operations were shut down by the FBI recently on bank fraud and money laundering charges.

http://www.tightpoker.com/news/pokerstars-shuts-down-2347/

Can anyone else confirm they have PokerStars installed? http://news.ycombinator.com/item?id=4473730


Can someone explain what a UDID is (sounds like a MAC address or similar) and what the privacy or security implications are?


Some insecure apps and services use the UDID as a way to identify users. For example you can get some profile data from OpenFeint with the UDID. There are probably a ton of other small things like this, but overall I wouldn't worry too much.


And some secure ones used to use it for multi-factor authentication - e.g. you still use username/password, but you can only do it on the device that you registered on.

However, use of UDID has been deprecated by Apple, and they are now rejecting some new apps that read it. You're meant to use a unique application-level ID instead.



UDID = Unique Device Identifier.

It's a number that uniquely identifies your device


Unique Data Item Descriptor


No...


Correct me then, don't just downvote. And try not to be so patronising.


You presented information which was wrong, thus the downvotes. Man up and take responsibility for your post rather than expecting others to correct your lack of research. Next time, don't guess what it means; look it up and present the correct information with a reference:

http://www.google.com/search?q=udid+site:developer.apple.com


Man up. WTF? Grow up perhaps...


Three seconds on Google would correct you, or would have prevented you from spreading disinformation in the first place.


Spreading disinformation? Hardly. The same could be said to the OP.


I love how your last sentence contradicts the first two. "I wasn't spreading disinformation! And anyway, the OP was spreading disinformation too!"

Making an incorrect claim is spreading disinformation, plain and simple. Is it a big deal? No. But that's what it is.

As for the OP doing it too, that's no defense.


Disinformation implies wilful, and to a lesser extent malicious. I made an honest mistake and get patronised and abused.

I claimed nothing, I merely offered an answer, which happened to be incorrect. Being human, I make mistakes. FTR, Unique Data Item Description is what the military use the acronym UDID for, I made an innocent assumption. So I was hardly making false statements, as you claim.

Seeing as the second point sailed over your head, I'll spell it out. I proffered an answer without being patronising and snarky, I could've said to the OP "Google it...", but I made an effort to be a decent member of the community. What's your excuse?


See, nobody really cares that you got it wrong initially. What's annoying everybody, or at least me, is the extremely un-gracious way you handled being corrected. Instead of just looking it up, finding the answer, and saying thanks, you basically go nuts at everyone.


FWIW I didn't downvote. Another user already answered the question correctly, so a longer reply seemed redundant, but I wanted them to know which of the two answers was correct. I agree that wrong information does not necessarily merit a downvote, but it's to be expected.


Small datapoint: my iPhone and iPod aren't in this dump. The iPhone hasn't been used in about a year. And the iPod is infrequently used for playing games.


Negative datapoints are nearly completely useless in this scenario, as we only have ~8% of the leaked UDIDs.

Think about it this way: there are more than 250m iOS devices in the world[1]. I think 300m is a good, conservative estimate.

12m (~4%) of the world's UDIDs have leaked. 1m of those (~.33% of the total, 8% of the dump) have leaked.

A data point saying "my iOS device is in the dump" represents 1/1m of its group. Pretty significant, relative to 300m devices!

A data point saying "my iOS device isn't in the dump" has two possibilities; a 96% chance it isn't in the dump and a 3.66% chance it is but wasn't leaked.

As one of the 99.66% of iOS users, your data point represents just 1/299m of its group, and is thus ~300x less powerful than a positive data point.

[1]: http://www.engadget.com/2011/10/04/apple-250-million-ios-dev...
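The weight of a single survey answer, worked through with the figures from the comment above. This is an added example, not part of the thread; the function names and the source-attribution model (one source app, the published list a random subset of the dump, the real source unrelated to the app under the alternative) are assumptions made for illustration.

```python
from fractions import Fraction

# Figures from the comment above (300m is its estimate of all iOS devices).
TOTAL = 300_000_000      # iOS devices in the world
DUMP = 12_000_000        # UDIDs claimed to be in the full dump
PUBLISHED = 1_000_001    # UDIDs actually released


def posterior_in_dump(in_published: bool) -> Fraction:
    """P(device is in the 12m dump | result of checking the published list)."""
    if in_published:
        return Fraction(1)
    # Absent from the list: either never collected, or collected but unpublished.
    return Fraction(DUMP - PUBLISHED, TOTAL - PUBLISHED)


def likelihood_ratio(in_published: bool, has_app: bool) -> Fraction:
    """Evidence one survey answer gives for H = "this app's users are the dump".

    Assumptions (not from the thread): a single source, the published list is a
    random subset of the dump, and under the alternative the real source is
    unrelated to whether the respondent has this app.
    """
    p_alt = Fraction(PUBLISHED, TOTAL)          # P(in list | some other source)
    if has_app:
        p_h = Fraction(PUBLISHED, DUMP)         # user of the source app
    else:
        p_h = Fraction(0)                       # non-users cannot be in its dump
    if in_published:
        return p_h / p_alt
    return (1 - p_h) / (1 - p_alt)


def combined_odds(answers, prior_odds=Fraction(1)) -> Fraction:
    """Multiply prior odds by the ratio of each (in_published, has_app) answer."""
    odds = prior_odds
    for in_published, has_app in answers:
        odds *= likelihood_ratio(in_published, has_app)
    return odds


def negatives_to_cancel_one_positive() -> int:
    """How many "has the app, not in the list" answers offset one hit."""
    odds, n = likelihood_ratio(True, True), 0
    while odds >= 1:
        odds *= likelihood_ratio(False, True)
        n += 1
    return n


if __name__ == "__main__":
    # Constructed survey answers: (UDID in published list, app installed).
    sample = [(True, True), (False, True), (False, False), (False, True)]
    print("P(in dump | not in list) =", float(posterior_in_dump(False)))
    print("odds after sample        =", float(combined_odds(sample)))
    print("one hit without the app  =", combined_odds(sample + [(True, False)]))
    print("negatives per positive   =", negatives_to_cancel_one_positive())
```

Under the single-source assumption, one respondent whose UDID is in the list but who never installed the app drives the odds for that app to zero, so the result depends heavily on whether there really is only one source.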


It's an interesting question...but as someone who used to work in the survey world, I've gotta say it: the questions here are not going to give very useful data. Here's a couple of examples (& a tl;dr):

1) "Have you been to the US recently"? The way this Q is worded suggests that the audience is not people who live in the US. Either way, the non-specificity of the Q makes me worry with what info will be extrapolated from the responses.

2) "I haven't installed the following apps: Facebook, LinkedIn...OTHER".

...there are a lot of apps I haven't installed. I hope you don't want me to list them all...?

tl;dr - when putting together a survey like this, be careful to look at it from all sides and see where you could be introducing a bias of some sort. Drawing conclusions from flawed data = FTL.


I love all the outrage and concern. All your information is for sale in the walled garden, outside the walled garden, everywhere! You don't deserve to expect anonymity and privacy because you offer up all your secrets willingly.

Rabble all you want over this traitor business, even clamor for new laws to protect us (although that just makes things worse and poisons the waters). In my humble opinion, you breathless bloggers are all just wasting energy. Until we techies start designing networks and storage systems for anonymity and privacy, all your dirty laundry is money in the bank to these service providers and easily searchable by big brother.


For what it is worth, the languages used by users to name their devices are certainly not limited to US English. Out of the 1,000,001 device list, about 10,000 device names contain the Korean possessive "ui", about 5,000 contain the Japanese possessive "no", and a whopping 32,000 contained a Chinese possessive. Unsurprisingly, none contained all three. :-)

  $ grep 의 iphonelist.txt | wc
    10682   23316 1469444
  $ grep 的 iphonelist.txt | wc
    32168   77171 4522336
  $ grep の iphonelist.txt | wc
     4838   15191  671159
  $ grep 의 iphonelist.txt | grep 的 | grep の | wc
        0       0       0


I recommend everyone to fill in this form, even if you don't own an iDevice. The person who leaked the information could be anyone's son or daughter, we all know how careless we were ourselves when we were younger. The stakes have become higher, but that doesn't mean we should try to jail a kid with an Internet connection and deprive him/her of his/her future. We should all try to help ensure that incidents such as this leak cannot happen, in the simplest form by rejecting privacy policies which waive your privacy.

Please, why won't anybody think of the children?


Actually, the notification tokens are a bigger threat, because they allow imposters to send notifications to apps. We know this from our own experience: http://www.ikangai.com/news/udids-leaks-and-push-notificatio... However, there is also a good thing: sending notifications with the tokens from the data can be used to identify the apps which collected the UDIDs.


Finally it all depends on AntiSec. We have no idea which 1'000'001 datasets they published (first 1m, last 1m or random). If they have access to all 12m UDIDs + the additional information (Country, Postal code, Addresses) they could at least release some statistics about it, this would make it a lot easier to find a (potential) source. (E.g. If we knew which percentage of the UDIDs came from Europe etc.)


Is the formatting of this blog meant to be iPad unfriendly?

http://pic.twitter.com/rLOyOHbh


Had the same problem. Use Safari's Reader feature.


There are a lot more than 12 million iDevices out there, so why only 12,000,000?

The small number leads me to think that the UUIDs might belong to people the FBI are particularly interested in tracking. If your UUID is in there, fasten your tinfoil hat.

Just a thought.


Or it may have been released by some dude making a fart app.


Or maybe the FBI are secretly releasing fart apps in order to get UDIDs.


I'd give a lot to be on the briefing where that was agreed on.


FBI will just fill 1000 fake datapoints to cover its informant.


Let me know if you find other relevant questions to ask.


You might want to ask whether users have installed any game associated with OpenFeint. Some examples are listed on their Wikipedia page: http://en.wikipedia.org/wiki/OpenFeint.



Heh, I've been compiling the same list as you already did. My results look a lot like yours.

What do you mean that it is "very dangerous"?

As I posted in another thread... I wonder if it is significant that so many of the UDIDs are known to OpenFeint. If you took a random sample of UDIDs, how many would OpenFeint have data on?


I think that about 50% have openfeint data. I do not know the legal terms of OpenFeint, but I would not like anyone could see that I play.


"I've never installed: Other" That's a looong list.


Why is "Facebook" pre-checked?


My bad. Fixed


http://pic.twitter.com/rLOyOHbh

The formatting of this blog is just awful for iPad users zooming in on the text.


Are any jailbreaked iPhones with privacy patches installed being leaked? Chi2 analysis is not only about what triggers the correlation, what does not trigger the correlation is also important. My guess is jailbreaked are underrepresented in leaked UDID either because jailbreak is shielding users or because users able to install a jailbreak are more aware of computer security issues. Regular iPhones are cell phones remotely controlled by a 3rd party, jailbreaked iPhones are computers you control. I am no paranoid freak, I am just a regular sysadmin with a pretty low security awareness.


It would surprise me if intelligence organisations didn't make databases like this. I assume the CIA could get the user information from Apple, with or without Apple's consent.

I have no real problem if the UDID:s of my iPad/iPhone/iPod are stored with my name by intelligence organisations in democracies.

But... I do have problems with them being so incompetent that private information about me is leaked!!


You have no real problems with the secret police monitoring you? Is that an expression of acceptance to something you cannot control or that you really are ok with it?

We have to accept that we are being spied upon because we have no control over that, but we should always resent and resist it when possible.


Terrorism is quite easy in today's world. By definition terror scares people, hence a strong voter pressure to stop it. This results in a Big Brother society.

The number of stopped terror attacks in the West over the last decade is quite large, that would hardly have happened without spying on the citizens.

Is it worth the security? I don't really know. As long as it is in very stable democracies, it ought to be safe...


>The number of stopped terror attacks in the West over the last decade is quite large

Bull. Fucking. Crap.

For example, according to this[1] source, there have been not even 50 terror attacks against America in the last 90 years. And while the amount seems to have increased recently, this surely has absolutely nothing to do with the US playing world police and giving more and more people reasons to hate them (not that this excuses terror attacks, but you get the point).

This whole bullshit is a gigantic pile of FUD and propaganda. There is no terror threat. There never has been any. At least not more than randomly getting shot on the street or dying in a car crash caused by a drunk driver. I don't see people pushing for universal surveillance of the blood alcohol of all drivers or some other nonsense.

The whole thing is so fucktardedly ridiculous that the FBI regularly invents terror suspects[2], and arrests them "last minute" to then claim it has "once again eliminated a threat to national security". Everything's fair game to continue their bullshit pushes for more surveillance and less civil liberty. And what's even more enraging: people like you buy it.

Conclusion: No, we don't need surveillance. No, we don't need fed agencies spying on everyone and everything and no one to keep them in check (who watches the watchmen?). No, we don't need bullshit laws that further and further infringe on every human's civil liberties and human rights for no reason but "um... well... uh... BUT TERRORISM!!!1!1oneoneeleven".

[1]: http://www.infoplease.com/ipa/A0001454.html [2]: http://www.rollingstone.com/politics/blogs/national-affairs/...


> Is it worth the security? I don't really know. As long as it is in very stable democracies, it ought to be safe...

Uh, hell no. We have already seen the kind of evil things the FBI are willing to do in the US: http://en.wikipedia.org/wiki/Cointelpro


Wow, it is scary when intelligence organisations start to infiltrate political organisations... an even worse variant of regulatory capture.

But that was during the cold war, 40 years ago. The levels of paranoia increased after 9/11, but hardly to the pre-1989 levels.


The down votes here are interesting. I don't argue an extreme position, imho?

No one has attempted to argue against my point about active terror threats imply high voter pressure for security.

But maybe the problem is that I'm Swedish.

Traditionally, Swedes trust the state uncritically to do the right thing (I've heard the explanation that the king historically was allied with the lower classes against the nobility).

I thought I was immune to those Swedish attitudes, after e.g. seeing oligopolies (food, building, etc) keeping prices high and hurting both individuals' economy and the country's, without getting any problems from either politicians or media.

But maybe I still have naive reflexes.

Edit: I wish I hadn't gone away for a while, so I could have added this comment while people still were reading and give feedback. :-)


Remember that the FBI had their own agents reporting back on the 9/11 attackers using planes as weapons and that these reports were ignored.

They can't even manage their own internal information, so their fishing through our personal information seems a bit reaching, eh?

How can a government not love "terrorism"? It's a catch-all phrase that allows it to act as it wishes with impunity.


>> intelligence organisations in democracies

Democracy != immutable state.


The question is, is that legal/constitutional for CIA to have that data without a warrant on so many Americans?


I wonder if the FBI got the UDID list from Apple, or if the FBI has a stealth app in the App Store and people gave up their info voluntarily when they installed it...



