One million and one Apple device IDs leaked

AntiSec – part of Anonymous – obtained the data by hacking an FBI agent's laptop.

The AntiSec group of hackers – one of many spun off from the sprawling leviathan that is the Anonymous movement – have released what they claim is a set of 1,000,001 unique device identifiers (UDIDs) for iPhones, iPads and iPod touches, which were stolen from the FBI.

The release, which also contains the device names and the APNS tokens that are key to getting push notifications onto devices, is in itself a pretty big security breach. It's bigger still given the fact that the default device name for Apple products is "[full name]'s iPhone". Even worse, AntiSec claim that the data is just a small part of a much larger trove of personal information, which includes the UDIDs of 12,000,000 devices, and "full names, cell numbers, addresses, zipcodes, etc" for a smaller subset of them.

The group explain (at length) why they've leaked the data, and it boils down to trying to alert people that "FUCKING FBI IS USING YOUR DEVICE INFO FOR A TRACKING PEOPLE PROJECT OR SOME SHIT [sic]", though they are also aggrieved at what they call the "hypocritical attempt made by the system" to encourage hackers to sign up:

You are forbidden to outsmart the system, to defy it, to work around it. In short, while you may hack for the status quo, you are forbidden to hack the status quo. Just do what you're told. Don't worry about dirty geopolitical games, that's business for the elite. They're the ones that give dancing orders to our favorite general, [NSA's general] Keith [Alexander], while he happily puts on a ballet tutu. Just dance along, hackers. Otherwise... well...

The method by which they claim to have got hold of the data is concerning as well – quite aside from whether or not the FBI ought to have the info, if they do, one would hope that they would store it more securely:

During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of "NCFTA_iOS_devices_intel.csv" turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.

AntiSec also expressed their desire that the leak would expose the flaws with the UDID system itself. Even without any extra info leaked, that breach exposes victims to a fair degree of damage. As one programmer, Aldo Cortesi, writes:

If you use an Apple device regularly, it's certain that your UDID has found its way into scores of databases you're entirely unaware of. Developers often assume UDIDs are anonymous values, and routinely use them to aggregate detailed and sensitive user behavioural information.

Apple has been quietly killing the methods by which developers can access UDIDs for the last year or so, removing their ability to directly read them; but that won't prevent at least some users suffering from this leak. A number of older apps and unsecure networks still allow users to log in using just the UDID as identification. Although this hasn't been recommended practice for some time, not everyone runs their companies the way they ought to.
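The weakness described above, a login that accepts the UDID alone, shown beside a hardened form. This is an added example, not code from the article or from any app it mentions; the class names, the in-memory stores and the sample UDID are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed 40-hex-character value in UDID format; not a real device.
SAMPLE_UDID = "0123456789abcdef0123456789abcdef01234567"


class UdidOnlyLogin:
    """Legacy pattern: the UDID is both the account name and the only proof."""

    def __init__(self):
        self.accounts = {}  # udid -> account name

    def register(self, udid, account):
        self.accounts[udid] = account

    def login(self, udid):
        # Anyone who has seen the UDID (another app's database, a leaked
        # list) gets the account: the identifier was never a secret.
        return self.accounts.get(udid)


class TokenLogin:
    """Hardened pattern: the server issues a random secret at enrolment."""

    def __init__(self):
        self.accounts = {}  # install_id -> (account, sha256 of token)

    def register(self, account):
        install_id = secrets.token_hex(16)   # per-app id, not the UDID
        token = secrets.token_urlsafe(32)    # secret, shown to the client once
        digest = hashlib.sha256(token.encode()).digest()
        self.accounts[install_id] = (account, digest)
        return install_id, token

    def login(self, install_id, token):
        record = self.accounts.get(install_id)
        if record is None:
            return None
        account, digest = record
        presented = hashlib.sha256(token.encode()).digest()
        # Constant-time comparison; only the token's hash is stored server-side.
        return account if hmac.compare_digest(presented, digest) else None
```

In the hardened form a leaked device identifier is useless on its own, because the credential is a random value that no other app or database ever held.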

Unfortunately, we won't be able to hear anything else from AntiSec until Gawker journalist Adrian Chen dresses up in a tutu with a shoe on his head. Yes, those are their demands:

no more interviews to anyone till Adrian Chen get featured in the front page of Gawker, a whole day, with a huge picture of him dressing a ballet tutu and shoe on the head, no photoshop. yeah, man. like Keith Alexander. go, go, go. (and there you ll get your desired pageviews number too) Until that happens, this whole statement will be the only thing getting out directly from us. So no tutu, no sources.

The AntiSec logo, in ASCII-art form.

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman. You should follow Alex on Twitter.


Age verification rules won't just affect porn sites – they'll harm our ability to discuss sex

Relying on censorship to avoid talking about sex lets children down.

The British have a long history of censoring sex. In 1580, politician William Lambarde drafted the first bill to ban "licentious" and "hurtful... books, pamphlets, ditties, songs, and other works that promote the art of lascivious ungodly love". Last week, the UK government decided to have another crack at censorship, formally announcing that age verification for all online pornographic content will be mandatory from April 2018.

It is unclear at this point what this mandatory check will entail, but it's expected that you will need to submit your credit card details to a site before being allowed to access adult content (credit cards can’t be issued to under-18s).

The appointed regulator will almost certainly be the British Board of Film Classification, which will have the authority to levy fines of up to £250,000 or shut down sites that do not comply. These measures are being directly linked to research conducted by the NSPCC, the Children’s Commissioner and the University of Middlesex in 2016, which surveyed more than 1,000 11 to 16-year-olds about viewing online pornography and found over half had accessed it.

Digital minister Matt Hancock said age verification "means that while we can enjoy the freedom of the web, the UK will have the most robust internet child protection measures of any country in the world". And who can argue with that? No sane adult would think that it’s a good idea for children to watch hardcore pornography. And because we all agree kids should be watching Peppa Pig rather than The Poonies, the act has been waved through virtually unchallenged.

So, let’s put the issue of hardcore pornography to one side, because surely we are all in agreement. I’m asking you to look at the bigger picture. It’s not just children who will be censored and it’s not just Pornhub and Redtube which will be forced to age check UK viewers. This act will potentially censor any UK site that carries adult content, which is broadly defined by the BBFC as "that it was produced solely or principally for the purposes of sexual arousal".

I am a UK academic and research the history of sexuality. I curate the online research project www.thewhoresofyore.com, where academics, activists, artists and sex workers contribute articles on all aspects of sexuality in the hope of joining up conversations around sex that affect everyone. The site also archives many historical images; from the erotic brothel frescoes of Pompeii to early Victorian daguerreotypes of couples having sex. And yet, I do not consider myself to be a porn baron. These are fascinating and important historical documents that can teach us a great deal about our own attitudes to sex and beauty.

The site clearly signposts the content and asks viewers to click to confirm they are over 18, but under the Digital Economy Act this will not be enough. Although the site is not for profit and educational in purpose, some of the historical artefacts fit the definition of "pornographic" and are thereby liable to fall foul of the new laws.

And I’m not the only one; erotic artists, photographers, nude models, writers, sex shops, sex education sites, burlesque sites, BDSM sites, archivists of vintage erotica, and (of course) anyone in the adult industry who markets their business with a website, can all be termed pornographic and forced to buy expensive software to screen their users or risk being shut down or fined. I have contacted the BBFC to ask if my research will be criminalised and blocked, but was told "work in this area has not yet begun and so we are not in a position to advice [sic] you on your website". No one is able to tell me what software will need to be purchased if I am to collect viewers' credit card details, how I would keep them safe, or how much this would all cost. The BBFC suggested I contact my MP for further details. But, she doesn’t know either.

Before we even get into the ethical issues around adults having to enter their credit card details into a government database in order to look at legal content, we need to ask: will this work? Will blocking research projects like mine make children any safer? Well, no. The laws will have no power over social media sites such as Twitter, Snapchat and Periscope which allow users to share pornographic images. Messenger apps will still allow users to sext, as well as stream, send and receive pornographic images and videos. Any tech savvy teenager knows that Virtual Private Network (VPN) software will circumvent UK age verification restrictions, and the less tech savvy can always steal their parents' credit card details.

The proposed censorship is unworkable and many sites containing nudity will be caught in the crossfire. If we want to keep our children "safe" from online pornography, we need to do something we British aren’t very good at doing; we need to talk openly and honestly about sex and porn. This is a conversation I hope projects like mine can help facilitate. Last year, Pornhub (the biggest porn site in the world) revealed ten years of user data. In 2016, Brits visited Pornhub over 111 million times and 20 per cent of those UK viewers are women. We are watching porn and we need to be open about this. We need to talk to each other and we need to talk to our kids. If you’re relying on government censorship to get you out of that tricky conversation, you are letting your children down.

The NSPCC report into children watching online pornography directly asked the participants about the effectiveness of age verification, and said the children "pointed out its limitations". When asked what intervention would most benefit them, this was the overwhelming response: "Whether provided in the classroom, or digitally, young people wanted to be able to find out about sex and relationships and about pornography in ways that were safe, private and credible." I suggest we listen to the very people we are trying to protect and educate, rather than eliminate. 

Dr Kate Lister researches the history of sexuality at Leeds Trinity University