One million and one Apple device IDs leaked

AntiSec – part of Anonymous – obtained the data by hacking an FBI agent's laptop.

The AntiSec group of hackers – one of many spun off from the sprawling leviathan that is the Anonymous movement – have released what they claim is a set of 1,000,001 unique device identifiers (UDIDs) for iPhones, iPads and iPod touches, which were stolen from the FBI.

The release, which also contains the device names and APNS tokens that are key to getting push notifications onto devices, is in itself a pretty big security breach. It's bigger still given the fact that the default device name for Apple products is "[full name]'s iPhone". Even worse, AntiSec claim that the data is just a small part of a much larger trove of personal information, which includes the UDIDs of 12,000,000 devices, and "full names, cell numbers, addresses, zipcodes, etc" for a smaller subset of them.

The group explain (at length) why they've leaked the data, and it boils down to trying to get people's attention that "FUCKING FBI IS USING YOUR DEVICE INFO FOR A TRACKING PEOPLE PROJECT OR SOME SHIT [sic]", though they are also aggrieved at what they call the "hypocritical attempt made by the system" to encourage hackers to sign up:

You are forbidden to outsmart the system, to defy it, to work around it. In short, while you may hack for the status quo, you are forbidden to hack the status quo. Just do what you're told. Don't worry about dirty geopolitical games, that's business for the elite. They're the ones that give dancing orders to our favorite general, [NSA's general] Keith [Alexander], while he happily puts on a ballet tutu. Just dance along, hackers. Otherwise... well...

The method by which they claim to have got hold of the data is concerning as well – quite aside from whether or not the FBI ought to have the info, if they do, one would hope that they would store it more securely:

During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of "NCFTA_iOS_devices_intel.csv" turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.

AntiSec also expressed their desire that the leak would expose the flaws with the UDID system itself. Even without any extra info leaked, that breach exposes victims to a fair degree of damage. As one programmer, Aldo Cortesi, writes:

If you use an Apple device regularly, it's certain that your UDID has found its way into scores of databases you're entirely unaware of. Developers often assume UDIDs are anonymous values, and routinely use them to aggregate detailed and sensitive user behavioural information.

Apple has been quietly killing the methods by which developers can access UDIDs for the last year or so, removing their ability to directly read them; but that won't prevent at least some users suffering from this leak. A number of older apps and unsecure networks still allow users to log in using just the UDID as identification. Although this hasn't been recommended practice for some time, not everyone runs their companies the way they ought to.
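The UDID-only login weakness described above, shown next to a hardened design. This is an added illustration, not code from the original article or from any app it refers to; the class names are hypothetical and the 40-hex-character UDID is a constructed sample value.

```python
import hashlib
import hmac
import secrets

# Constructed sample value: made up, not taken from the leak.
LEAKED_UDID = "0123456789abcdef0123456789abcdef01234567"

class UdidOnlyService:
    """Weak pattern: the UDID is both the identifier and the credential."""
    def __init__(self):
        self.accounts = {}                      # udid -> account name

    def register(self, udid, account):
        self.accounts[udid] = account

    def login(self, udid):
        # Anyone who knows the UDID is treated as the device owner.
        return self.accounts.get(udid)

class TokenService:
    """Hardened pattern: the device ID only names the record; a random
    server-issued secret proves possession of the enrolled device."""
    def __init__(self):
        self.accounts = {}                      # device_id -> (account, sha256(token))

    def register(self, device_id, account):
        token = secrets.token_urlsafe(32)       # 256 random bits, not derived from the ID
        digest = hashlib.sha256(token.encode()).digest()
        self.accounts[device_id] = (account, digest)
        return token                            # kept only on the device

    def login(self, device_id, token):
        record = self.accounts.get(device_id)
        if record is None or not isinstance(token, str):
            return None
        account, digest = record
        presented = hashlib.sha256(token.encode()).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return account if hmac.compare_digest(presented, digest) else None

def demo():
    weak, strong = UdidOnlyService(), TokenService()
    weak.register(LEAKED_UDID, "alice")
    token = strong.register(LEAKED_UDID, "alice")
    return {
        "weak_with_leaked_udid": weak.login(LEAKED_UDID),
        "strong_with_leaked_udid": strong.login(LEAKED_UDID, ""),
        "strong_with_token": strong.login(LEAKED_UDID, token),
    }

if __name__ == "__main__":
    print(demo())
```

In the hardened service a published UDID identifies a record but does not open it, so a leak of identifiers alone does not become a leak of sessions.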

Unfortunately, we won't be able to hear anything else from AntiSec until Gawker journalist Adrian Chen dresses up in a tutu with a shoe on his head. Yes, those are their demands:

no more interviews to anyone till Adrian Chen get featured in the front page of Gawker, a whole day, with a huge picture of him dressing a ballet tutu and shoe on the head, no photoshop. yeah, man. like Keith Alexander. go, go, go. (and there you ll get your desired pageviews number too) Until that happens, this whole statement will be the only thing getting out directly from us. So no tutu, no sources.

The AntiSec logo, in ASCII-art form.

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman. You should follow Alex on Twitter.

exseada/DeviantArt

Why Twitter is dying, in ten tweets

It's ironic that the most heated discussions of the platform's weaknesses are playing out on the platform itself. 

Twitter has been dying since 2009, and commentators have pre-emptively declared it deceased pretty much every year since. To declare that it's on the downturn has become a bit of a cliché. But that doesn't mean that it isn't also, well, true.

Grumbling among users and commentators has grown to a roar over the past few days, thanks in part to a Buzzfeed report (refuted by Jack Dorsey, Twitter's CEO) claiming the service will move away from a chronological timeline and towards an algorithmic one. Users coined the hashtag #RIPTwitter in response, and, tellingly, many of their complaints spanned beyond the apparently erroneous report. 

They join a clutch of other murmurings, bits of data and suggestions that things are not as they should be in the Twitter aviary. 

Below is one response to the threat of the new timeline, aptly showing that for lots of users, the new feed would have been the straw that broke the tweeters' backs:

Twitter first announced it was considering a new 10,000 character limit in January, but it's yet to be introduced. Reactions so far indicate that no one thinks this is a good idea, as the 140 character limit is so central to Twitter's unique appeal. Other, smaller tweaks – like an edit button – would probably sit much more easily within Twitter's current stable of features, and actually improve user experience: 

While Dorsey completely denied that the change would take place, he then followed up with an ominous suggestion that something would be changing:

"It'll be more real-time than a feed playing out in real time!" probably isn't going to placate users who think the existing feed works just fine. It may be hard to make yourself heard on the current timeline, but any kind of wizardry that's going to decide what's "timely" or "live" for you is surely going to discriminate against already alienated users.

I've written before about the common complaint that Twitter is lonely for those with smaller networks. Take this man, who predicts that he'll be even more invisible in Twitter's maelstrom if an algorithm deems him irrelevant: 

What's particularly troubling about Twitter's recent actions is the growing sense that it doesn't "get" its users. This was all but confirmed by a recent string of tweets from Brandon Carpenter, a Twitter employee who tweeted this in response to speculation about new features:

...and then was surprised and shocked when he received abuse from other accounts:

This is particularly ironic because Twitter's approach (or non-approach) to troll accounts and online abusers has made it a target for protest and satire (though last year it did begin to tackle the problem). @TrustySupport, a spoof account, earned hundreds of retweets by mocking Twitter's response to abuse:

Meanwhile, users like Milo Yiannopoulos, who regularly incites his followers to abuse and troll individuals (often women and trans people, and most famously as part of G*merg*te), has thrived on Twitter's model and currently enjoys the attentions of almost 160,000 followers. He has boasted about the fact that Twitter could monetise his account to pull itself out of its current financial trough:

The proof of any social media empire's decline, though, is in its number and activity of users. Earlier this month, Business Insider reported that, based on a sample of tweets, tweets per user had fallen by almost 50 per cent since last August. Here's the reporter's tweet about it:

Interestingly, numbers of new users remained roughly the same – which implies not that Twitter can't get new customers, but that it can't keep its current ones engaged and tweeting. 

Most tellingly of all, Twitter has stopped reporting these kinds of numbers publicly, which is why Jim Edwards had to rely on data taken from an API. Another publication followed up Edwards' story with reports that users aren't on the platform enough to generate ad revenue:

The missing piece of the puzzle, and perhaps the one thing keeping Twitter alive, is that its replacement hasn't (yet) surfaced. Commentators obsessed with its declining fortunes still take to Twitter to discuss them, or to share their articles claiming the platform is already dead. It's ironic that the most heated discussions of the platform's weaknesses are playing out on the platform itself. 

For all its faults, and for all they might multiply, Twitter's one advantage is that there's currently no other totally open platform where people can throw their thoughts around in plain, public view. Its greatest threat yet will come not from a new, dodgy feature, but from a new platform – one that can actually compete with it.

Barbara Speed is a technology and digital culture writer at the New Statesman and a staff writer at CityMetric.