One million and one Apple device IDs leaked

AntiSec – part of Anonymous – obtained the data by hacking an FBI agent's laptop.

The AntiSec group of hackers – one of many spun off from the sprawling leviathan that is the Anonymous movement – have released what they claim is a set of 1,000,001 unique device identifiers (UDIDs) for iPhones, iPads and iPod touches, which were stolen from the FBI.

The release also contains the device names and APNS tokens, which are key to getting push notifications onto devices, is in itself a pretty big security breach. It's bigger still given the fact that the default device name for Apple products is "[full name]'s iPhone". Even worse, AntiSec claim that the data is just a small part of a much large trove of personal information, which includes the UDIDs of 12,000,000 devices, and "full names, cell numbers, addresses, zipcodes, etc" for a smaller subset of them.

The group explain (at length) why they've leaked the data, and it boils down to trying to get people's attention that "FUCKING FBI IS USING YOUR DEVICE INFO FOR A TRACKING PEOPLE PROJECT OR SOME SHIT [sic]", though they are also aggreived at what they call the "hypocritical attempt made by the system" to encourage hackers to sign up:

You are forbidden to outsmart the system, to defy it, to work around it. In short, while you may hack for the status quo, you are forbidden to hack the status quo. Just do what you're told. Don't worry about dirty geopolitical games, that's business for the elite. They're the ones that give dancing orders to our favorite general, [NSA's general] Keith [Alexander], while he happily puts on a ballet tutu. Just dance along, hackers. Otherwise... well...

The method by which they claim to have got hold of the data is concerning as well – quite aside from whether or not the FBI ought to have the info, if they do, one would hope that they would store it more securely:

During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of "NCFTA_iOS_devices_intel.csv" turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.

AntiSec also expressed their desire that the leak would expose the flaws with the UDID system itself. Even without any extra info leaked, that breach exposes victims to a fair degree of damage. As one programmer, Aldo Cortesi, writes:

If you use an Apple device regularly, it's certain that your UDID has found its way into scores of databases you're entirely unaware of. Developers often assume UDIDs are anonymous values, and routinely use them to aggregate detailed and sensitive user behavioural information.

Apple has been quietly killing the methods by which developers can access UDIDs for the last year or so, removing their ability to directly read them; but that won't prevent at least some users suffering from this leak. A number of older apps and unsecure networks still allow users to log in using just the UDID as identification. Although this hasn't been recommended practice for some time, not everyone runs their companies the way they ought to.

Unfortunately, we won't be able to hear anything else from AntiSec until Gawker journalist Adrian Chen dresses up in a tutu with a shoe on his head. Yes, those are their demands:

no more interviews to anyone till Adrian Chen get featured in the front page of Gawker, a whole day, with a huge picture of him dressing a ballet tutu and shoe on the head, no photoshop. yeah, man. like Keith Alexander. go, go, go. (and there you ll get your desired pageviews number too) Until that happens, this whole statement will be the only thing getting out directly from us. So no tutu, no sources.

The AntiSec logo, in ASCII-art form.

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman. You should follow Alex on Twitter.

Cleveland police
Show Hide image

Should Facebook face the heat for the Cleveland shooting video?

On Easter Sunday, a man now dubbed the “Facebook killer” shot and killed a grandfather before uploading footage of the murder to the social network. 

A murder suspect has committed suicide after he shot dead a grandfather seemingly at random last Sunday. Steve Stephens (pictured above), 37, was being hunted by police after he was suspected of killing Robert Godwin, 74, in Cleveland, Ohio.

The story has made international headlines not because of the murder in itself – in America, there are 12,000 gun homicides a year – but because a video of the shooting was uploaded to Facebook by the suspected killer, along with, moments later, a live-streamed confession.

After it emerged that Facebook took two hours to remove the footage of the shooting, the social network has come under fire and has promised to “do better” to make the site a “safe environment”. The site has launched a review of how it deals with violent content.

It’s hard to poke holes in Facebook’s official response – written by Justin Osofsky, its vice president of global operations – which at once acknowledges how difficult it would have been to do more, whilst simultaneously promising to do more anyway. In a timeline of events, Osofsky notes that the shooting video was not reported to Facebook until one hour and 45 minutes after it had been uploaded. A further 23 minutes after this, the suspect’s profile was disabled and the videos were no longer visible.

Despite this, the site has been condemned by many, with Reuters calling its response “bungled” and the two-hour response time prompting multiple headlines. Yet solutions are not as readily offered. Currently, the social network largely relies on its users to report offensive content, which is reviewed and removed by a team of humans – at present, artificial intelligence only generates around a third of reports that reach this team. The network is constantly working on implementing new algorithms and artificially intelligent solutions that can uphold its community standards, but at present there is simply no existing AI that can comb through Facebook’s one billion active users to immediately identify and remove a video of a murder.

The only solution, then, would be for Facebook to watch every second of every video – 100 million hours of which are watched every day on the site – before it goes live, a task daunting not only for its team, but for anyone concerned about global censorship. Of course Facebook should act as quickly as possible to remove harmful content (and of course Facebook shouldn’t call murder videos “content” in the first place) but does the site really deserve this much blame for the Cleveland killer?

To remove the blame from Facebook is not to deny that it is incredibly psychologically damaging to watch an auto-playing video of a murder. Nor should we lose sight of the fact that the act, as well as the name “Facebook killer” itself, could arguably inspire copycats. But we have to acknowledge the limits on what technology can do. Even if Facebook removed the video in three seconds, it is apparent that for thousands of users, the first impulse is to download and re-upload upsetting content rather than report it. This is evident in the fact that the victim’s grandson, Ryan, took to a different social network – Twitter – to ask people to stop sharing the video. It took nearly two hours for anyone to report the video to Facebook - it took seconds for people to download a copy for themselves and share it on.  

When we ignore these realities and beg Facebook to act, we embolden the moral crusade of surveillance. The UK government has a pattern of using tragedy to justify invasions into our privacy and security, most recently when home secretary Amber Rudd suggested that Whatsapp should remove its encryption after it emerged the Westminster attacker used the service. We cannot at once bemoan Facebook’s power in the world and simultaneously beg it to take total control. When you ask Facebook to review all of the content of all of its billions of users, you are asking for a God.

This is particularly undesirable in light of the good that shocking Facebook videos can do – however gruesome. Invaluable evidence is often provided in these clips, be they filmed by criminals themselves or their victims. When Philando Castile’s girlfriend Facebook live-streamed the aftermath of his shooting by a police officer during a traffic stop, it shed international light on police brutality in America and aided the charging of the officer in question. This clip would never have been seen if Facebook had total control of the videos uploaded to its site.  

We need to stop blaming Facebook for things it can’t yet change, when we should focus on things it can. In 2016, the site was criticised for: allowing racial discrimination via its targeted advertising; invading privacy with its facial-scanning; banning breast cancer-awareness videos; avoiding billions of dollars in tax; and tracking non-users activity across the web. Facebook should be under scrutiny for its repeated violations of its users’ privacy, not for hosting violent content – a criticism that will just give the site an excuse to violate people's privacy even further.

No one blames cars for the recent spate of vehicular terrorist attacks in Europe, and no one should blame Facebook for the Cleveland killer. Ultimately, we should accept that the social network is just a vehicle. The one to blame is the person driving.

If you have accidentally viewed upsetting and/or violent footage on social media that has affected you, call the Samaritans helpline on  116 123 or email jo@samaritans.org

Amelia Tait is a technology and digital culture writer at the New Statesman.

0800 7318496