One million and one Apple device IDs leaked

AntiSec – part of Anonymous – obtained the data by hacking an FBI agent's laptop.

The AntiSec group of hackers – one of many spun off from the sprawling leviathan that is the Anonymous movement – have released what they claim is a set of 1,000,001 unique device identifiers (UDIDs) for iPhones, iPads and iPod touches, which were stolen from the FBI.

The release, which also contains the device names and APNS tokens (key to getting push notifications onto devices), is in itself a pretty big security breach. It's bigger still given the fact that the default device name for Apple products is "[full name]'s iPhone". Even worse, AntiSec claim that the data is just a small part of a much larger trove of personal information, which includes the UDIDs of 12,000,000 devices, and "full names, cell numbers, addresses, zipcodes, etc" for a smaller subset of them.

The group explain (at length) why they've leaked the data, and it boils down to trying to get people's attention that "FUCKING FBI IS USING YOUR DEVICE INFO FOR A TRACKING PEOPLE PROJECT OR SOME SHIT [sic]", though they are also aggrieved at what they call the "hypocritical attempt made by the system" to encourage hackers to sign up:

You are forbidden to outsmart the system, to defy it, to work around it. In short, while you may hack for the status quo, you are forbidden to hack the status quo. Just do what you're told. Don't worry about dirty geopolitical games, that's business for the elite. They're the ones that give dancing orders to our favorite general, [NSA's general] Keith [Alexander], while he happily puts on a ballet tutu. Just dance along, hackers. Otherwise... well...

The method by which they claim to have got hold of the data is concerning as well – quite aside from whether or not the FBI ought to have the info, if they do, one would hope that they would store it more securely:

During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of "NCFTA_iOS_devices_intel.csv" turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.

AntiSec also expressed their desire that the leak would expose the flaws with the UDID system itself. Even without any extra info leaked, that breach exposes victims to a fair degree of damage. As one programmer, Aldo Cortesi, writes:

If you use an Apple device regularly, it's certain that your UDID has found its way into scores of databases you're entirely unaware of. Developers often assume UDIDs are anonymous values, and routinely use them to aggregate detailed and sensitive user behavioural information.

Apple has been quietly killing the methods by which developers can access UDIDs for the last year or so, removing their ability to directly read them; but that won't prevent at least some users suffering from this leak. A number of older apps and unsecure networks still allow users to log in using just the UDID as identification. Although this hasn't been recommended practice for some time, not everyone runs their companies the way they ought to.
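An added illustration (not from the article or from any app it mentions) of the login pattern described above: a service that accepts the UDID alone, beside one that treats the identifier only as a lookup key and requires a server-issued random token. The class names, the account name and the sample UDID are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample value standing in for a device UDID.
SAMPLE_UDID = "a1b2c3d4e5f6a7b8c9d0a1b2c3d4e5f6a7b8c9d0"


class UdidOnlyService:
    """Weak pattern: the device identifier is the only credential."""
    def __init__(self):
        self.accounts = {}  # udid -> account

    def register(self, udid, account):
        self.accounts[udid] = account

    def login(self, udid):
        # Anyone who knows the identifier is treated as the owner.
        return self.accounts.get(udid)


class TokenService:
    """Hardened: the ID is only a lookup key; a random secret authenticates."""
    def __init__(self):
        self.accounts = {}  # device_id -> (account, SHA-256 of token)

    def register(self, device_id, account):
        token = secrets.token_urlsafe(32)  # random, not derived from the ID
        self.accounts[device_id] = (account, hashlib.sha256(token.encode()).digest())
        return token  # kept by the client in protected storage

    def login(self, device_id, token):
        record = self.accounts.get(device_id)
        if record is None:
            return None
        account, digest = record
        presented = hashlib.sha256(token.encode()).digest()
        return account if hmac.compare_digest(digest, presented) else None


def compare_exposure(leaked_udid):
    """What each service returns to a caller who knows only the UDID."""
    weak, strong = UdidOnlyService(), TokenService()
    weak.register(leaked_udid, "alice")
    real_token = strong.register(leaked_udid, "alice")
    return {
        "udid_only": weak.login(leaked_udid),
        "token_without_secret": strong.login(leaked_udid, leaked_udid),
        "token_with_secret": strong.login(leaked_udid, real_token),
    }
```

With the first service, an identifier that appears in a published list is enough to open the account; with the second, the same identifier yields nothing without the token issued at registration.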

Unfortunately, we won't be able to hear anything else from AntiSec until Gawker journalist Adrian Chen dresses up in a tutu with a shoe on his head. Yes, those are their demands:

no more interviews to anyone till Adrian Chen get featured in the front page of Gawker, a whole day, with a huge picture of him dressing a ballet tutu and shoe on the head, no photoshop. yeah, man. like Keith Alexander. go, go, go. (and there you ll get your desired pageviews number too) Until that happens, this whole statement will be the only thing getting out directly from us. So no tutu, no sources.

The AntiSec logo, in ASCII-art form.

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman. You should follow Alex on Twitter.


“Like a lorry hitting you in the face”: When flashing gifs trigger seizures

Sufferers are urging social media users to think before they share.

Last week Lizzie Huxley-Jones stood stock still in her kitchen, unable to remember how to make a sandwich.  

“It’s like you’ve lost the instructions,” the 28-year-old tells me. “It's like you go to do a task and the file is missing for how you complete it… and you're like ‘Oh God, I don’t even remember how I do this’,” she says – referring to making a sandwich or a cup of tea. “It’s like a complete and utter sudden loss of independence.”

Lizzie is discussing the after-effects of having a seizure. A book blogger who lives in London, she is autistic and suffers from non-epileptic seizures (NES), also known as dissociative seizures. After her most recent seizure, she experienced eleven days of after-effects, including twitches, a loss of mobility, and aphasia (difficulty recalling words). Though Lizzie felt its repercussions for over a week, the seizure itself was just a few minutes long – and was caused by something that lasted only a second.

A brightly-coloured flashing gif of cats.

“It sounds pretty cutesy,” admits Lizzie, who saw the gif on the social network Twitter, “but it was very fast so what happened is I looked at it and then almost immediately went into a seizure. Luckily I was on my couch already but if I'd been elsewhere I could have just dropped.” No one was around to help her, but her dog – Nerys – comforted Lizzie by falling asleep on her lap.

Lizzie and Nerys

It is commonly acknowledged that certain gifs can cause seizures for people with photosensitive epilepsy. Just three per cent of epileptics suffer with photosensitivity – meaning flashing or flickering lights induce their seizures. Triggers include everything from ceiling fans, interactive whiteboards, and Christmas tree lights as well as, of course, gifs.

“Any flashing image between 5-25 Hertz (flashes per second) has the potential to trigger a seizure in someone who is photosensitive, although this is very rare,” says Professor Ley Sander, a medical director at the Epilepsy Society and professor of neurology at University College London. “People who are photosensitive should be very cautious when online as the internet and social media are full of flashing images.”

The account that tweeted the cat gif meant no harm, and went on to delete it after Lizzie and her friends asked for its removal. Lizzie describes the recent seizure as like a “sparking” in her brain and says that afterwards the pain was “like you've been hit by a lorry specifically to your face.” Though these consequences were accidental, many seizure-inducing gifs are deliberately designed to damage.

In March, a man was charged with aggravated assault after sending a flashing tweet to epileptic journalist Kurt Eichenwald which read: “YOU DESERVE A SEIZURE FOR YOUR POSTS.” Back in 2008, the charity Epilepsy Foundation was forced to shut down its message boards after internet users flooded them with flashing gifs. Lizzie says that on Twitter, people search for those who mention seizures in their tweets or bios, and deliberately send them strobing gifs.

Yet many online also refuse to believe sufferers like Eichenwald, because photosensitivity is rare and gifs have to flash at a certain rate to be a trigger. For Lizzie, this stigma is exacerbated by the fact that her seizures – which are non-epileptic (dissociative) – were once called “pseudo-seizures” by medical professionals.

“Dissociative seizures happen for psychological reasons rather than physical ones,” says Chantal Spittles of Epilepsy Action. While epileptic seizures occur because of abnormal electrical activity in the brain, NES are triggered by thoughts and feelings.

“It can be really tough to be told you have dissociative seizures. This is especially true if you have spent years thinking you have epilepsy. However, dissociative seizures are a real medical condition. And the dissociative seizures you experience can be just as disruptive or unsettling as epileptic seizures,” explains Spittles.

Professor Sander says it is “very hard to say” whether gifs can trigger non-epileptic seizures but for Lizzie, this is simply her reality. She believes that the stigma and lack of funding around NES mean that not enough is known about photosensitivity rates in NES sufferers. Anecdotally, she claims many with NES are triggered by flashing bike lights, like herself.   

“People don't believe or they don't think it's serious at all, it's almost like they think you've got a headache,” she says. “[It] starts to play on your mind that no one thinks this is real and everyone thinks you must be a liar.”

Regardless of the stigma, Lizzie – who lost a friend to SUDEP (sudden death in epilepsy) earlier this year – wants to raise awareness of the damage gifs can cause for epileptic and non-epileptic seizure sufferers, as well as people with autism (like herself) and photosensitive migraines. “It's sad that people don't think about it but I mean, I grew up with an epileptic sibling and an epileptic uncle, so my whole life has been spent thinking about this,” she says.

So which gifs are best avoided? Lizzie says to think before sharing any that change colour or change contrast (from light to dark) very quickly, as well as gifs with psychedelic colours and patterns. Spittles says most people with photosensitive epilepsy are sensitive to 16-25 Hertz, though some are sensitive to rates as low as 3 Hertz or as high as 60 Hertz.

Many might think the onus is on Lizzie and the journalist Eichenwald to change their computer settings so gifs don’t auto-play (Epilepsy Action has guidance on how to do this). Nonetheless, Lizzie believes it is imperative for people to think before they share a gif, and Epilepsy Action is now working with Twitter to improve reporting procedures should any targeted attacks occur in the future. In the meantime, Lizzie simply asks for a safer, less ableist internet experience. “We have a responsibility in our communication online to make it as accessible as possible,” she says.  

Amelia Tait is a technology and digital culture writer at the New Statesman.
