One million and one Apple device IDs leaked

AntiSec – part of Anonymous – obtained the data by hacking an FBI agent's laptop.

The AntiSec group of hackers – one of many spun off from the sprawling leviathan that is the Anonymous movement – have released what they claim is a set of 1,000,001 unique device identifiers (UDIDs) for iPhones, iPads and iPod touches, which were stolen from the FBI.

The release also contains the device names and APNS tokens, which are key to getting push notifications onto devices, is in itself a pretty big security breach. It's bigger still given the fact that the default device name for Apple products is "[full name]'s iPhone". Even worse, AntiSec claim that the data is just a small part of a much large trove of personal information, which includes the UDIDs of 12,000,000 devices, and "full names, cell numbers, addresses, zipcodes, etc" for a smaller subset of them.

The group explain (at length) why they've leaked the data, and it boils down to trying to get people's attention that "FUCKING FBI IS USING YOUR DEVICE INFO FOR A TRACKING PEOPLE PROJECT OR SOME SHIT [sic]", though they are also aggreived at what they call the "hypocritical attempt made by the system" to encourage hackers to sign up:

You are forbidden to outsmart the system, to defy it, to work around it. In short, while you may hack for the status quo, you are forbidden to hack the status quo. Just do what you're told. Don't worry about dirty geopolitical games, that's business for the elite. They're the ones that give dancing orders to our favorite general, [NSA's general] Keith [Alexander], while he happily puts on a ballet tutu. Just dance along, hackers. Otherwise... well...

The method by which they claim to have got hold of the data is concerning as well – quite aside from whether or not the FBI ought to have the info, if they do, one would hope that they would store it more securely:

During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of "NCFTA_iOS_devices_intel.csv" turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.

AntiSec also expressed their desire that the leak would expose the flaws with the UDID system itself. Even without any extra info leaked, that breach exposes victims to a fair degree of damage. As one programmer, Aldo Cortesi, writes:

If you use an Apple device regularly, it's certain that your UDID has found its way into scores of databases you're entirely unaware of. Developers often assume UDIDs are anonymous values, and routinely use them to aggregate detailed and sensitive user behavioural information.

Apple has been quietly killing the methods by which developers can access UDIDs for the last year or so, removing their ability to directly read them; but that won't prevent at least some users suffering from this leak. A number of older apps and unsecure networks still allow users to log in using just the UDID as identification. Although this hasn't been recommended practice for some time, not everyone runs their companies the way they ought to.

Unfortunately, we won't be able to hear anything else from AntiSec until Gawker journalist Adrian Chen dresses up in a tutu with a shoe on his head. Yes, those are their demands:

no more interviews to anyone till Adrian Chen get featured in the front page of Gawker, a whole day, with a huge picture of him dressing a ballet tutu and shoe on the head, no photoshop. yeah, man. like Keith Alexander. go, go, go. (and there you ll get your desired pageviews number too) Until that happens, this whole statement will be the only thing getting out directly from us. So no tutu, no sources.

The AntiSec logo, in ASCII-art form.

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman. You should follow Alex on Twitter.

Show Hide image

Doing a Radiohead: how to disappear online

The band has performed an online Houdini in advance of its ninth album – but it’s harder than it looks. 

At the beginning of May, the band Radiohead’s web presence – well, its Twitter, Facebook, and website, at least – went offline.

Lead singer Thom Yorke has repeatedly criticised streaming, and the future of online music in general, and it's clear that his opinion fed into this month's decision to reject social media in favour of sending individual cards to the band's fans in the post. 

However, it’s also a clever publicity stunt in the run up to the rumoured release of the band's ninth album, since it plays into a growing paranoia around the lives we live online, and quite how permanent they are. In reality, though, Radiohead has done a pretty terrible job of disappearing from the internet. Its Facebook and Twitter accounts still exist, and widely available caching services actually mean you can still see Radiohead.com if you so wish. 

These are the steps you’d need to take to really disappear from the internet (and never be found).

Delete your acccounts

Radiohead may have deleted its posts on Facebook and Twitter, but its accounts – and, therefore user data – still exist on the sites. If this was a serious move away from an online presence, as opposed to a stunt, you’d want to delete your account entirely.

The site justdelete.me rates sites according to how easy they make it to delete your data. If you only hold accounts with “easy” rated sites, like Airbnb, Goodreads and Google, you’ll be able to delete your account through what justdelete.me calls a “simple process”. JustDelete.me also links you directly to the (sometimes difficult-to-find) account deletion pages.

Failing that, delete what you can

If, however, you’re a member of sites that don’t allow you to delete your account like Blogger, Couchsurfing or Wordpress, you may be stuck with your account for good. However, you should at least be able to delete posts and any biographical information on your profile.

If this bothers you, but you want to create an account with these sites, Justdelete.me also offers a “fake identity generator” which spits out fake names and other details to use in the signup process.

Go to Google

Search results are the hardest thing to erase, especially if they’re on sites which published your details without your permission. However, thanks to the European Commission “Right to be forgotten” ruling in 2014, you can now ask that certain search results be deleted using this online form.  

Ditch your smartphone

Smartphones tend to track your location and communicate with app and web servers constantly. For true privacy, you’d want to either disconnect your phone from all accounts (including iCloud or Google) or else get a basic phone which does not connect to the internet.

Give out your passwords

The artist Mark Farid decided in October 2015 to live without a digital footprint until April 2016, but was aghast when he realised quite how often our data is collected by our devices. As a result, he decided to live without bank accounts, use a phone without internet connectivity, and use an unregistered Oyster.

When I saw him speak at an event just before his off-grid experiment was due to begin, he announced that he would also be handing out the passwords to all his online accounts to the public. The kind of “bad data” which randomly hacked accounts would show would actually make him less traceable than a radio silence – a bit like how words written over other words mask them more than simply erasing them or scribbling on them would.

Accept that it probably won’t work

Even if you managed all this, the likelihood is that some of your daily activities would still leave a trace online. Most jobs require internet activity, if not an internet presence. Bank accounts are, let's face it, fairly necessary. And even Radiohead will, I’m willing to bet, reappear on the internet soon after their album arrives.

Barbara Speed is a technology and digital culture writer at the New Statesman and a staff writer at CityMetric.