One million and one Apple device IDs leaked

AntiSec – part of Anonymous – obtained the data by hacking an FBI agent's laptop.

The AntiSec group of hackers – one of many spun off from the sprawling leviathan that is the Anonymous movement – have released what they claim is a set of 1,000,001 unique device identifiers (UDIDs) for iPhones, iPads and iPod touches, which were stolen from the FBI.

The release also contains the device names and APNS tokens, which are key to getting push notifications onto devices, is in itself a pretty big security breach. It's bigger still given the fact that the default device name for Apple products is "[full name]'s iPhone". Even worse, AntiSec claim that the data is just a small part of a much large trove of personal information, which includes the UDIDs of 12,000,000 devices, and "full names, cell numbers, addresses, zipcodes, etc" for a smaller subset of them.

The group explain (at length) why they've leaked the data, and it boils down to trying to get people's attention that "FUCKING FBI IS USING YOUR DEVICE INFO FOR A TRACKING PEOPLE PROJECT OR SOME SHIT [sic]", though they are also aggreived at what they call the "hypocritical attempt made by the system" to encourage hackers to sign up:

You are forbidden to outsmart the system, to defy it, to work around it. In short, while you may hack for the status quo, you are forbidden to hack the status quo. Just do what you're told. Don't worry about dirty geopolitical games, that's business for the elite. They're the ones that give dancing orders to our favorite general, [NSA's general] Keith [Alexander], while he happily puts on a ballet tutu. Just dance along, hackers. Otherwise... well...

The method by which they claim to have got hold of the data is concerning as well – quite aside from whether or not the FBI ought to have the info, if they do, one would hope that they would store it more securely:

During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of "NCFTA_iOS_devices_intel.csv" turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.

AntiSec also expressed their desire that the leak would expose the flaws with the UDID system itself. Even without any extra info leaked, that breach exposes victims to a fair degree of damage. As one programmer, Aldo Cortesi, writes:

If you use an Apple device regularly, it's certain that your UDID has found its way into scores of databases you're entirely unaware of. Developers often assume UDIDs are anonymous values, and routinely use them to aggregate detailed and sensitive user behavioural information.

Apple has been quietly killing the methods by which developers can access UDIDs for the last year or so, removing their ability to directly read them; but that won't prevent at least some users suffering from this leak. A number of older apps and unsecure networks still allow users to log in using just the UDID as identification. Although this hasn't been recommended practice for some time, not everyone runs their companies the way they ought to.

Unfortunately, we won't be able to hear anything else from AntiSec until Gawker journalist Adrian Chen dresses up in a tutu with a shoe on his head. Yes, those are their demands:

no more interviews to anyone till Adrian Chen get featured in the front page of Gawker, a whole day, with a huge picture of him dressing a ballet tutu and shoe on the head, no photoshop. yeah, man. like Keith Alexander. go, go, go. (and there you ll get your desired pageviews number too) Until that happens, this whole statement will be the only thing getting out directly from us. So no tutu, no sources.

The AntiSec logo, in ASCII-art form.

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman. You should follow Alex on Twitter.

PewDiePie
Show Hide image

"Death to all Jews": Why Disney dropped YouTube's biggest star PewDiePie

The Minecraft vlogger turned internet celebrity's taste for shock comedy was too much for the family-focused corporation. 

Disney has cut ties with YouTube’s most-subscribed star after he paid two Sri Lankan men five dollars to hold up a sign that read “DEATH TO ALL JEWS”.

Feel free to read that sentence again, it’s not going anywhere.

A still from PewDiePie's video, via YouTube

PewDiePie, real name Felix Kjellberg, has over 53 million subscribers on YouTube, where his videos about gaming earned him over $15m last year. The 27-year-old, whose content is popular with children, came under fire this month after the Wall Street Journal investigated anti-Semitic comments in his videos. In one video, a man dressed as Jesus says “Hitler did absolutely nothing wrong”, while in another Kjellberg used freelance marketplace Fiverr to pay two men to hold up the offensive sign. The videos have since been deleted.

Jumpcut.

The Walt Disney Company became affiliated with PewDiePie after they bought Maker Studios, a network of YouTube stars, for nearly $1bn in 2014. Following the WSJ’s investigation, Maker dropped the star, stating: “Although Felix has created a following by being provocative and irreverent, he clearly went too far in this case and the resulting videos are inappropriate. Maker Studios has made the decision to end our affiliation with him going forward.”

When you sack a YouTube Star, makes no difference who they are.

Via Wall Street Journal

But why should the story stop there? Neo-nazi website The Daily Stormer are now defending PewDiePie, while the notoriously politically-incorrect 4Chan forum /pol/ have called him “our guy”.  

In his defence, Kjellberg wrote a blog post denying an affiliation with anti-Semitic groups and explained his actions, writing: “I was trying to show how crazy the modern world is, specifically some of the services available online.” In a video last December the star also said: "It's extremely annoying how I can't make jokes on my channel without anyone quoting it as actual facts, like something I actually said", before dressing as a soldier and listening to one of Hitler's speeches while smiling. 

Pause.

(If all of this sounds familiar, recall when disgraced YouTuber Sam Pepper claimed a video in which he groped unsuspecting females was a “social experiment”).

Play.

And yet the story still isn’t over. Disney have learned a hard lesson about assuming that YouTubers are the squeaky clean fairy-tale princes and princesses they often appear to be. Shay Butler, one of the original founders of Maker Studios, yesterday quit the internet after it was alleged he sent sexual messages to a cam girl via Twitter.

Butler is one of the original "family vloggers", and has spent nine years uploading daily videos of his five children to YouTube. A practicing Mormon, Butler has become emblematic of family values on the site. “My heart is sick,” he wrote on Twitter, neither confirming nor denying the allegations of his infidelity, “I have struggled with alcoholism for years… My purpose is to rehab.” 

The result is a very dark day for YouTube, which has now dropped Kjellberg from its premier advertising network, Google Preferred, and cancelled the second series of the star's reality show, Scare PewDiePie

Amelia Tait is a technology and digital culture writer at the New Statesman.