One million and one Apple device IDs leaked

AntiSec – part of Anonymous – obtained the data by hacking an FBI agent's laptop.

The AntiSec group of hackers – one of many spun off from the sprawling leviathan that is the Anonymous movement – have released what they claim is a set of 1,000,001 unique device identifiers (UDIDs) for iPhones, iPads and iPod touches, which were stolen from the FBI.

The release, which also contains the device names and APNS tokens (which are key to getting push notifications onto devices), is in itself a pretty big security breach. It's bigger still given the fact that the default device name for Apple products is "[full name]'s iPhone". Even worse, AntiSec claim that the data is just a small part of a much larger trove of personal information, which includes the UDIDs of 12,000,000 devices, and "full names, cell numbers, addresses, zipcodes, etc" for a smaller subset of them.

The group explain (at length) why they've leaked the data, and it boils down to trying to get people's attention that "FUCKING FBI IS USING YOUR DEVICE INFO FOR A TRACKING PEOPLE PROJECT OR SOME SHIT [sic]", though they are also aggrieved at what they call the "hypocritical attempt made by the system" to encourage hackers to sign up:

You are forbidden to outsmart the system, to defy it, to work around it. In short, while you may hack for the status quo, you are forbidden to hack the status quo. Just do what you're told. Don't worry about dirty geopolitical games, that's business for the elite. They're the ones that give dancing orders to our favorite general, [NSA's general] Keith [Alexander], while he happily puts on a ballet tutu. Just dance along, hackers. Otherwise... well...

The method by which they claim to have got hold of the data is concerning as well – quite aside from whether or not the FBI ought to have the info, if they do, one would hope that they would store it more securely:

During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of "NCFTA_iOS_devices_intel.csv" turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.

AntiSec also expressed their desire that the leak would expose the flaws with the UDID system itself. Even without any extra info leaked, that breach exposes victims to a fair degree of damage. As one programmer, Aldo Cortesi, writes:

If you use an Apple device regularly, it's certain that your UDID has found its way into scores of databases you're entirely unaware of. Developers often assume UDIDs are anonymous values, and routinely use them to aggregate detailed and sensitive user behavioural information.

Apple has been quietly killing the methods by which developers can access UDIDs for the last year or so, removing their ability to directly read them; but that won't prevent at least some users suffering from this leak. A number of older apps and insecure networks still allow users to log in using just the UDID as identification. Although this hasn't been recommended practice for some time, not everyone runs their companies the way they ought to.
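The UDID-only login described above, set beside a version that requires a server-issued secret, as an added Python example that is not from the article or from any app it mentions. The class names, the sample UDID and the token scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample value; not a real device identifier.
SAMPLE_UDID = "0" * 40


class UdidOnlyService:
    """Weak pattern: the UDID is both the account name and the only credential."""

    def __init__(self):
        self.accounts = {}

    def register(self, udid, profile):
        self.accounts[udid] = profile

    def login(self, udid):
        # Anyone who has seen the UDID (another app, an ad network, a leaked
        # CSV) passes this check, because the value was never a secret.
        return self.accounts.get(udid)


class TokenService:
    """Hardened pattern: the UDID, if kept at all, is only a lookup key."""

    def __init__(self):
        self.accounts = {}

    def register(self, udid, profile):
        # Server-issued 256-bit random secret, returned once to the app,
        # which would keep it in the device keychain. Only a hash is stored.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self.accounts[udid] = (digest, profile)
        return token

    def login(self, udid, token):
        record = self.accounts.get(udid)
        if record is None or not isinstance(token, str):
            return None
        digest, profile = record
        presented = hashlib.sha256(token.encode()).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return profile if hmac.compare_digest(digest, presented) else None
```

With the second design, a leaked list of UDIDs identifies devices but no longer authenticates anyone, and a stolen server database yields only token hashes.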

Unfortunately, we won't be able to hear anything else from AntiSec until Gawker journalist Adrian Chen dresses up in a tutu with a shoe on his head. Yes, those are their demands:

no more interviews to anyone till Adrian Chen get featured in the front page of Gawker, a whole day, with a huge picture of him dressing a ballet tutu and shoe on the head, no photoshop. yeah, man. like Keith Alexander. go, go, go. (and there you ll get your desired pageviews number too) Until that happens, this whole statement will be the only thing getting out directly from us. So no tutu, no sources.

The AntiSec logo, in ASCII-art form.

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman. You should follow Alex on Twitter.


“Stinking Googles should be killed”: why 4chan is using a search engine as a racist slur

Users of the anonymous forum are targeting Google after the company introduced a programme for censoring abusive language.

Contains examples of racist language and memes.

“You were born a Google, and you are going to die a Google.”

Despite the lack of obscenity and profanity in this sentence, you have probably realised it was intended to be offensive. It is just one of hundreds of similar messages posted by the users of 4chan’s Pol board – an anonymous forum where people go to be politically incorrect. But they haven’t suddenly seen the error of their ways about using the n-word to demean their fellow human beings – instead they are trying to make the word “Google” itself become a racist slur.

In an undertaking known as “Operation Google”, some 4chan users are resisting Google’s latest artificial intelligence program, Conversation AI, by swapping smears for the names of Google products. Conversation AI aims to spot and flag offensive language online, with the eventual possibility that it could automatically delete abusive comments. The famously outspoken forum 4chan, and the similar website 8chan, didn’t like this, and began their campaign which sees them refer to “Jews” as “Skypes”, Muslims as “Skittles”, and black people as “Googles”.

If it weren’t for the utterly abhorrent racism – which includes users conflating Google’s chat tool “Hangouts” with pictures of lynched African-Americans – it would be a genius idea. The group aims to force Google to censor its own name, making its AI redundant. Yet some have acknowledged this might not ultimately work – as the AI will be able to use contextual clues to filter out when “Google” is used positively or pejoratively – and their ultimate aim is now simply to make “Google” a racist slur as revenge.


Posters from 4chan

“If you're posting anything on social media, just casually replace n****rs/blacks with googles. Act as if it's already a thing,” wrote one anonymous user. “Ignore the company, just focus on the word. Casually is the important word here – don't force it. In a month or two, Google will find themselves running a company which is effectively called ‘n****r’. And their entire brand is built on that name, so they can't just change it.”

There is no doubt that Conversation AI is questionable to anyone who values free speech. Although most people desire a nicer internet, it is hard to agree that this should be achieved by blocking out large swathes of people, and putting the power to do so in the hands of one company. Additionally, algorithms can’t yet accurately detect sarcasm and humour, so false-positives are highly likely when a bot tries to identify whether something is offensive. Indeed, Wired journalist Andy Greenberg tested Conversation AI out and discovered it gave “I shit you not” 98 out of 100 on its personal attack scale.

Yet these 4chan users have made it impossible to agree with their fight against Google by combining it with their racism. Google scores the word “moron” 99 out of 100 on its offensiveness scale. Had protestors decided to replace this – or possibly even more offensive words like “bitch” or “motherfucker” – with “Google”, pretty much everyone would be on board.

Some 4chan users are aware of this – and indeed it is important not to consider the site a unanimous entity. “You're just making yourselves look like idiots and ruining any legitimate effort to actually do this properly,” wrote one user, while some discussed their concerns that “normies” – ie. normal people – would never join in. Other 4chan users are against Operation Google as they see it as self-censorship, or simply just stupid.


Memes from 4chan

But anyone who disregards these efforts as the work of morons (or should that be Bings?) clearly does not understand the power of 4chan. The site brought down Microsoft’s AI Tay in a single day, brought the Unicode swastika (卐) to the top of Google’s trends list in 2008, hacked Sarah Palin’s email account, and leaked a large number of celebrity nudes in 2014. If the Ten Commandments were rewritten for the modern age and Moses took to Mount Sinai to wave two 16GB Tablets in the air, then the number one rule would be short and sweet: Thou shalt not mess with 4chan.

It is unclear yet how Google will respond to the attack, and whether this will ultimately affect the AI. Yet despite what ten years of Disney conditioning taught us as children, the world isn’t split into goodies and baddies. While 4chan’s methods are deplorable, their aim of questioning whether one company should have the power to censor the internet is not.

Google also hit headlines this week for its new “YouTube Heroes” program, a system that sees YouTube users rewarded with points when they flag offensive videos. It’s not hard to see how this kind of crowdsourced censorship is undesirable, particularly again as the chance for things to be incorrectly flagged is huge. A few weeks ago, popular YouTubers also hit back at censorship that saw them lose their advertising money from the site, leading #YouTubeIsOverParty to trend on Twitter. Perhaps ultimately, 4chan didn't need to go on a campaign to damage Google's name. It might already have been doing a good enough job of that itself.

Google has been contacted for comment.

Amelia Tait is a technology and digital culture writer at the New Statesman.