One million and one Apple device IDs leaked

AntiSec – part of Anonymous – obtained the data by hacking an FBI agent's laptop.

The AntiSec group of hackers – one of many spun off from the sprawling leviathan that is the Anonymous movement – have released what they claim is a set of 1,000,001 unique device identifiers (UDIDs) for iPhones, iPads and iPod touches, which were stolen from the FBI.

The release also contains the device names and APNS tokens, which are key to getting push notifications onto devices, and is in itself a pretty big security breach. It's bigger still given the fact that the default device name for Apple products is "[full name]'s iPhone". Even worse, AntiSec claim that the data is just a small part of a much larger trove of personal information, which includes the UDIDs of 12,000,000 devices, and "full names, cell numbers, addresses, zipcodes, etc" for a smaller subset of them.

The group explain (at length) why they've leaked the data, and it boils down to trying to get people's attention that "FUCKING FBI IS USING YOUR DEVICE INFO FOR A TRACKING PEOPLE PROJECT OR SOME SHIT [sic]", though they are also aggrieved at what they call the "hypocritical attempt made by the system" to encourage hackers to sign up:

You are forbidden to outsmart the system, to defy it, to work around it. In short, while you may hack for the status quo, you are forbidden to hack the status quo. Just do what you're told. Don't worry about dirty geopolitical games, that's business for the elite. They're the ones that give dancing orders to our favorite general, [NSA's general] Keith [Alexander], while he happily puts on a ballet tutu. Just dance along, hackers. Otherwise... well...

The method by which they claim to have got hold of the data is concerning as well – quite aside from whether or not the FBI ought to have the info, if they do, one would hope that they would store it more securely:

During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of "NCFTA_iOS_devices_intel.csv" turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.

AntiSec also expressed their desire that the leak would expose the flaws with the UDID system itself. Even without any extra info leaked, that breach exposes victims to a fair degree of damage. As one programmer, Aldo Cortesi, writes:

If you use an Apple device regularly, it's certain that your UDID has found its way into scores of databases you're entirely unaware of. Developers often assume UDIDs are anonymous values, and routinely use them to aggregate detailed and sensitive user behavioural information.

Apple has been quietly killing the methods by which developers can access UDIDs for the last year or so, removing their ability to directly read them; but that won't prevent at least some users suffering from this leak. A number of older apps and insecure networks still allow users to log in using just the UDID as identification. Although this hasn't been recommended practice for some time, not everyone runs their companies the way they ought to.
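The weakness described above, shown from the server's side as an added example (not code from the article or from any real app): a backend that accepts the UDID alone as proof of identity, next to one where the UDID only names the account and a server-issued secret proves ownership. The class names, the sample UDID and the device name are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (not taken from the leak).
SAMPLE_UDID = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_NAME = "Example User's iPhone"


class UdidOnlyBackend:
    """Weak pattern: the UDID is both the identifier and the only credential."""

    def __init__(self):
        self.accounts = {}  # udid -> display name

    def register(self, udid, display_name):
        self.accounts[udid] = display_name

    def login(self, udid):
        # A UDID is not a secret: every app and database that has seen it
        # holds the same value, so a published list satisfies this check.
        return self.accounts.get(udid)


class TokenBackend:
    """Hardened pattern: the UDID names the account, a random token proves ownership."""

    def __init__(self):
        self.accounts = {}  # udid -> (display name, SHA-256 of the token)

    def register(self, udid, display_name):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).digest()
        self.accounts[udid] = (display_name, digest)
        # Assumption: the client keeps this in protected storage on the device.
        return token

    def login(self, udid, token):
        record = self.accounts.get(udid)
        if record is None or not token:
            return None
        display_name, stored = record
        presented = hashlib.sha256(token.encode()).digest()
        # Constant-time comparison; only a hash of the token is stored server-side.
        return display_name if hmac.compare_digest(presented, stored) else None
```

With the second backend, a leaked UDID identifies an account but does not open it, and a token can be revoked and reissued, which a hardware identifier cannot.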

Unfortunately, we won't be able to hear anything else from AntiSec until Gawker journalist Adrian Chen dresses up in a tutu with a shoe on his head. Yes, those are their demands:

no more interviews to anyone till Adrian Chen get featured in the front page of Gawker, a whole day, with a huge picture of him dressing a ballet tutu and shoe on the head, no photoshop. yeah, man. like Keith Alexander. go, go, go. (and there you ll get your desired pageviews number too) Until that happens, this whole statement will be the only thing getting out directly from us. So no tutu, no sources.

The AntiSec logo, in ASCII-art form.

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman.


Amazon's unlikely role in the Calais relief efforts

Campaigners are using Amazon's wishlist feature - more commonly used for weddings and birthdays - to rally supplies for the thousands camped at Calais. 

Today and yesterday, relief efforts have sprung up across the web and IRL following the publication of shocking photos of a drowned refugee child. People are collecting second hand clothes and food, telling David Cameron to offer refuge, and generally funneling support and supplies to the thousands in Calais and across Europe who have been forced from their homes by conflict in Syria and elsewhere. 

One campaign, however, stuck out in its use of technology to crowdsource supplies for the Calais camp. An Amazon wishlist page - more familiar as a way to circulate birthday lists or extravagant wedding registries - has been set up as part of the #KentforCalais and #HelpCalais campaigns, and is collecting donations of clothes, food, toiletries, tents and sleeping supplies.

Judging by the Twitter feed of writer and presenter Dawn O'Porter, one of the list's organisers, shoppers have come thick and fast. Earlier today, another user tweeted that there were only six items left on the list - because items had sold out, or the requested number had already been purchased - and O'Porter tweeted shortly after that another list had been made. Items ordered through the list will be delivered to organisers and then transported to Calais in a truck on 17 September.

This, of course, is only one campaign among many, but the repurposing of an Amazon feature designed to satiate first world materialism as a method of crisis relief seems to symbolise the spirit of the efforts as a whole. Elsewhere, Change.org petitions, clothes drives organised via Facebook, and Twitter momentum (which, in this case, seems to stretch beyond the standard media echo chamber) have allowed internet users to pool their anger, funds and second-hand clothes in the space of 24 hours. It's worth noting that Amazon will profit from any purchases made through the wishlist, but that doesn't totally undermine its usefulness as a way to quickly and easily donate supplies. 

Last year, I spoke to US writer and urbanist Adam Greenfield, who was involved in New York's Occupy Sandy movement (which offered relief after hurricane Sandy hit New York in 2011) and he emphasised the centrality of technology to the relief effort in New York:

Occupy Sandy relied completely on a Googledocs spreadsheet and an Amazon wishlist.  There was a social desire that catalysed uses of technology through it and around it. And if that technology didn't exist it might not have worked the way it did. 

So it's worth remembering, even as Amazon suffers what may be the worst PR disaster in its history and Silicon Valley's working culture is revealed to be even worse than we thought, that technology, in the right hands, can help us make the world a better place. 

You can buy items on the Amazon wishlist here or see our list of other ways to help here

Barbara Speed is a technology and digital culture writer at the New Statesman and a staff writer at CityMetric.