
oh noes!
so big brother IS watching.
Now on to something that's actually new please!
Hackers have dumped online the unique identification codes for one million Apple iPhones and iPads allegedly lifted from an FBI agent's laptop. The leak, if genuine, proves Feds are walking around with data on at least 12 million iOS devices. The 20-byte ID codes were, we're told, copied from a file extracted from the Dell …
Thanks for your input, Dan.
My question is, since all that has been released is apparently a simple list of IDs, why do we trust that these talented hackers didn't just invent the whole story?
Anyone with basic IT skills could generate a list of strings which fit a known format in a matter of seconds - how do we know they didn't do just that?
What's more plausible: 1) The FBI is snooping on iOS Devices for some nefarious undisclosed reason or, 2) Some hackers made up this story for exactly what reason? Publicity? Attention? Ego? Doubtful. The FBI also is well known to have used a program named "Carnivore" to sniff this type of information off PCs. That they are paying this much attention to the entranced Koolaid drinkers of iOS, shouldn't surprise anyone.
If you don't believe that a significant number of these kids are motivated by publicity and attention-seeking, then you clearly haven't been paying much attention yourself these last few months.
Still, it's more troubling that you appear to accept whatever you read on the internet without the slightest shred of critical thought or evaluation. This world must be a very confusing place for you to live in.
Well with nearly 1% of the US population already incarcerated, there can really be only one explanation:
It's time to drive those numbers UP!!!.
Of course, we'll have to stuff all file-sharers and hacktivists into the same cells as drug users but they should get along just fine. Or maybe we can build some more prisons...... it's the only way we will ever successfully compete with Chinese manufacturers again-
Whoops!! My UDID just popped up on that list.... gotta go.... it's time to buy a new iPhone.
Anonymously...... I'm afraid
The data they've been gathering looks very much like it's being gathered by an app. So, have 12m people downloaded the FBI tracking app? Or is there an app out there that's basically a trojan for the FBI, or is a major (seeing as they have 12m downloads!) developer working with them or infiltrated by them?
Finding out which app was involved could be interesting ;)
Odds are, when the FBI had their DNS servers up in place of the large cluster of "DNS Changer" servers, they took advantage of the situation to gather information from anybody pointing to them.
DNSChanger only infected Windows and Mac OS/X systems. Therefore the only systems pointing to the FBI's replacement DNS servers were infected Windows and Mac OS/X systems. Therefore this could not have been used as a mechanism to gain information about Apple portable iOS-powered devices.
Remember that the Stasi, the East German secret police, used to break into the homes of people they didn't like and steal their dirty underwear and created an enormous collection of "smell samples" of people in case they ever needed to give hunting dogs a scent to track people.
This is no different.
Maybe this data had been sourced from the National Cyber-Forensics & Training Alliance (hence the filename) to assist current investigations, maybe investigations into LulzSec, Anonymous and others perhaps?
Maybe this data release is simply a smokescreen or diversionary tactic for those involved? Who knows? I don't.
>Feds are walking around with data on at least 12 million iOS devices.
Drop in the ocean compared to Flurry tracking data from iOS devices - and I'm guessing you can't buy access to the Fed's data.
Flurry claims 1.4 billion app session reports or 1.5 terabytes of data [that's per day BTW].
I'm intrigued that the laptop may have had some kind of direct access to the outside world, making this attack much more likely. I'd have thought the Feds would have forced all network traffic to go back to base via a VPN. Sloppy security for a high profile outfit, unless it was the bloke's personal laptop in which case he should be fired instantly if not prosecuted.
It's interesting that people jump to the conclusion that the Feds must be monitoring people, in a case about the alleged hacking of an Agent's laptop, where that agent was working on a case investigating the activities of Anonymous/Lulz Sec. My first thought was, the "black hat" hackers may well be the same people that are being investigated and have got wind of that, they then released a file which they'd obtained (and had subsequently been obtained by the FBI, from them) and left Internet conspiracists to jump to the conclusion that the feds are watching everyone, not investigating a bunch of Internet vigilantes, who've got your ID for who knows what.
But he has a very sound point, why "jump to the conclusion that the feds are watching everyone?"
It's far more likely the file was sourced from the NCFTA (judging by the filename). Of course, most of this story and thus most of the comments here currently hinge on the words of miscreants, vagabonds and thieves. I for one would be hesitant to take anything LulzSec, Anon or similar groups say at face value.
It would be nice for the hackers to publish a website where you could look up a UDID and see if it's on the list. They don't need to publish any further details, just a "you're on the list" or "you're not on the list"
Funny how there are lists you want to be on and lists you don't want to be on...
Could this just be a release coincidental to Apple trying to destroy competition? It could be to embarrass Mac iOS iThing fans or raise their hackles or even to slow the release of the iPhone 5. Or, to embarrass Apple before the next trial - after all, it could be argued, if Apple cannot innovate security the way they enerv, um, innovate products, then why do they get to win a patent on an inherently trojaned phone? Sure, such a release could happen to SAMSUNG and others, but this may force Apple to delay product launch in October if millions of cloying fans and hundreds of thousands of DOD, government, and key business people demand better privacy.
Which begs the question: Google, wtf are you going to do about our Android security? We can buy a Linux disc and by default our desktops and laptops are rooted. But, our phones? Oh, hell no! You and the advertisers cannot sleep knowing we could blackhole adverts if Android by default were pre-rooted prior to sale. So, you force us without the skills or patience or money to pay someone to be at risk and just trust you. Hell, twice, here in Shanghai, my Google chat stream had malformed URLs injected between me and a friend in SK. I should not HAVE to have a VPN if I choose not to, but I should not have to tear out my fucking hair because on my own I cannot root my droid devices, cannot find cheap, capable firewalls and IDS tools, and cannot properly near-forensically collect info from my device (not the LAN/WAN) to prosecute the fucktards insinuating in my private messages or chat. Thanks a lot, Google. What is really scary is that it is NOT necessary for me to CLICK the link since transparent overlays and underlays can be clickable ANYWHERE ON THE PAGE!
I won't be surprised if such a disclosure happens to Android devices in the near term....
Even if they do (my AT&T issued android phone does in fact have a VPN app installed by default), you've got the problem that every g*damn IT department on the planet has a different, non-interoperating (by design, because "security by obscurity" is always best) proprietary VPN solution foisted on them by the modern version of the snake-oil salesman: the enterprise IT security vendor/consultancy. To really get where you want (and we should be), the swamp that is enterprise IT would first need to be drained and the crap that became visible dredged out. Not likely, leastways in our lifetimes.
Apparently some people think that I'm being unreasonable for not sending Google a photocopy of my passport, document which in the long term is far far worse than your credit card in the wrong hands.
http://furbian.blogspot.co.uk/2012/06/my-google-walletplaycheckoutwhatever.html
Oddly enough, Amazon, Apple, Sony (PSN), Xbox Live are just some people I do have paid accounts with, and do not want a copy of my passport.
Yeah. "Google's Plan for Total World Information Dominance".
Step 1: Create database containing images of all customer passports.
Step 2: Lease data gathered in Step 1 to U.S. and other interested national governments.
Step 3: Provide access to same data provided to governments in Step 2 to major banks and Fortune 500 corporations on a subscription basis.
Step 4: Create new product allowing customers to opt out of information sharing already done in steps 2 and 3 with no guarantee of effectiveness.
Step 5: Persuade governments referred to in Step 2 above to declare themselves allies of the Eastasia by refusing to renew their subscriptions to our data.
Sounds like a "really neat plan", doesn't it?
Now if we could just get a declaration that every bit of info about you is your own personal property, and then impose a minimum statutory transaction fee on every scrap of that data shared with third parties, say 5 cents a field, payable to the subject of the data, then maybe we might slow that train down (a data rights enforcing ASCAP or BMI for mere mortals?). Anything short of that isn't likely to have much of an impact.
Re: "Now if we could just get a declaration that every bit of info about you is your own personal property, and then impose a minimum statutory transaction fee on every scrap of that data shared with third parties, say 5 cents a field, payable to the subject of the data, then maybe we might slow that train down (a data rights enforcing ASCAP or BMI for mere mortals?). Anything short of that isn't likely to have much of an impact."
Exactly right. If legislators actually acted in our interests, something like this would go directly into law. I worked on a system for a while that would allow subjects of data to both give and revoke access whenever it pleased them on an element by element basis. It is possible to build a system that allows limited temporary access for legitimate purposes that expires upon use. Of course, such a system requires strong encryption and many roadblocks exist to prevent you from getting it.
If something of the sort happened to a mere mortal like this humble sysadmin working for a Fortune 200, I'd expect to be immediately terminated and put out to pasture -- possibly never to get a job in corporate IT again. Somehow I'm thinking this guy, like so many before, who either violated security policy, or, as a policy maker failed to promulgate one that sufficiently considered the risks of having such highly sensitive data on a mobile device, won't get more than a slap on the wrists. That's the problem, plain and simple. Bringing the hammer down would have two positive consequences: (1) it would serve as a warning to others similarly situated; and (2) it would take a defective piece off the board. But we shouldn't hold our collective breath waiting for that. "Too big to fail" doesn't apply just to monolithic nonhuman entities whose misconduct can result in suffering for millions (or billions).
I wonder, how do you effectively train a sysadmin to look for and squash security problems? Do you spend all day, every day testing java, flash or any of the other technologies that are currently in use at your organization, looking for attack vectors?
Are you a member of a hacking group so that when a vulnerability is found you can disable that path in your organization? Or, are you one of those morons that simply have Norton or McAfee turned on and pray that the signatures update before you are hit?
Fact is, the best sysadmins are the ones who have been bitten and cleaned it up. Because now they have real world experience. Firing those with experience is what idiots do.
Of course, if they are a complete fuck up they should be fired anyway, but you'll know that well before an attack takes place.
But what I want to know is:
Will Apple let somebody upload the new Checklist App?
Because that would be 12,000,000 million downloads almost guaranteed.
Until then (and if you are too lazy to follow the pastebin decrypt instructions located at http://pastebin.com/nfVT7b0Z)
I suggest you go to
http://thenextweb.com/apple/2012/09/04/heres-check-apple-device-udid-compromised-antisec-leak/
Hopefully, someone dressed in an evening gown is bitch slapping the offending agent with a rubber hose by now.
Internet 1:
Forces of repression: ?