@mattblaze: So, instead of being tightly held data given to the FBI by Apple, UDIDs are widely available to random app developers you've never heard of.
@mattblaze: And thanks to Anonymous, if the FBI didn't have that list of UDIDs before, they do now.
Matt always has a great perspective on these things. At one of his talks I attended he commented on the difference between the 'security' business and the 'intelligence' business and noted that they both depended heavily on obfuscation and misdirection. Prior to that I had never really connected them in that way, but in hindsight it seemed amazingly obvious. Interesting times indeed.
I'm laughing my head off at all of those Apple haters and conspiracy theorists right now over the collective brain explosions when facts come out that Apple wasn't colluding with the government.
It's a reminder how powerful the combination of simple tools and a little reasoning can be.
I once found myself by chance with a customer just as they got smacked with a DDoS attack that they were completely unprepared for.
The security folks threw up their hands claiming that they couldn't do anything to stop the attack due to certain random elements. The executives panicked and everyone started pointing fingers while their site went offline. It was chaos.
I asked to have a look at logs on a hunch that the "random" element wasn't entirely random. One line of awk, grep and uniq later it was revealed that roughly 85% of the attack could be mitigated with a trivial change at the edge.
After reading through that blog post it seems that David himself still has some serious doubts as to whether Bluetoad was the source of the breach.
Reading through his analysis, it almost seems that he may have fallen victim to log file pareidolia as he doesn't make it clear how a device named "Hutch" or one named "Paul’s gift to Brad" are anything more than coincidences in a very large data set.
Doing some quick analysis of the file shows that there is a UDID that has the alternate names: "Hutch Hicken" (Bluetoad CTO), "Bluetoad Support" and "Customer Service iPad" among others, but could this also be representative of an older iPad that has been a pass-me-down through the company?
Somewhat more interesting and possibly more revealing are the UDIDs 'ffffffffffffffffffffffffffffffffffffffff' (occurring three times) and the small number of records not conforming to the field size and format of other records (UDIDs > 42 characters, no APNS, device/iOS version number as fourth field).
For anyone interested the following ugly and slow one-liner will print out a summary of non-unique UDIDs along with their APNS and names.
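The checks described above (one UDID under several device names, the all-'f' UDID, and records that break the field format), written out as an added Python example rather than the commenter's awk one-liner, which the thread does not reproduce. The four-field layout (UDID, APNS DevToken, Device Name, Device Type) comes from the thread; the 40-hex UDID and 64-hex APNS token lengths, the tab separator and every sample record are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Field layout as the thread describes it: UDID, APNS DevToken, Device Name, Device Type.
# Assumed here (not stated on the page): a well-formed UDID is 40 hex characters, an APNS
# device token is 64 hex characters, fields are tab-separated, one record per line.
UDID_RE = re.compile(r"^[0-9a-f]{40}$", re.I)
APNS_RE = re.compile(r"^[0-9a-f]{64}$", re.I)
SENTINEL = "f" * 40          # the all-'f' UDID the commenter saw three times


def tok(n):
    """Constructed 64-hex APNS token, distinct per n; not a real token."""
    return f"{n:02x}" * 32


# Constructed sample dump (none of these values are from the real file): one UDID that
# appears under three names, one clean record, the sentinel UDID three times, and one
# record with an over-long UDID, no APNS token and a version number as fourth field.
UDID_A = "0123456789abcdef0123456789abcdef01234567"
UDID_B = "89abcdef0123456789abcdef0123456789abcdef"
SAMPLE_DUMP = "\n".join([
    f"{UDID_A}\t{tok(1)}\tHutch\tiPad",
    f"{UDID_A}\t{tok(2)}\tCustomer Service iPad\tiPad",
    f"{UDID_A}\t{tok(1)}\tSupport iPad\tiPad",
    f"{UDID_B}\t{tok(3)}\tPaul's iPhone\tiPhone",
    f"{SENTINEL}\t{tok(4)}\tUnknown\tiPad",
    f"{SENTINEL}\t{tok(5)}\tUnknown\tiPhone",
    f"{SENTINEL}\t{tok(6)}\tUnknown\tiPad",
    f"{'0' * 44}\t\tLab device\t6.0",
])


def analyse(dump):
    """Return (reused, sentinels, malformed): UDIDs seen under more than one device name
    with their names/tokens, the count of sentinel rows, and (line, reason) for bad rows."""
    seen = defaultdict(lambda: {"names": set(), "tokens": set()})
    sentinels, malformed = 0, []
    for line_no, line in enumerate(dump.splitlines(), 1):
        fields = line.split("\t")
        if len(fields) != 4:
            malformed.append((line_no, "wrong field count"))
            continue
        udid, token, name, dev_type = fields
        sentinels += udid == SENTINEL
        if not UDID_RE.match(udid):
            malformed.append((line_no, "UDID not 40 hex chars"))
        if not APNS_RE.match(token):
            malformed.append((line_no, "missing or malformed APNS token"))
        if re.fullmatch(r"\d+(\.\d+)*", dev_type):
            malformed.append((line_no, "version number in device-type field"))
        seen[udid]["names"].add(name)
        seen[udid]["tokens"].add(token)
    reused = {u: r for u, r in seen.items() if len(r["names"]) > 1}
    return reused, sentinels, malformed
```

Run against a real export, the `reused` map is what separates a device renamed over its lifetime (same token) from distinct enrolments sharing a UDID (several tokens), and `malformed` isolates rows that do not belong to the same export format.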
Can we agree to stop using Anonymous as a collective noun? It's like saying "In other news, a site was vandalized by The Hackers."
All it means is that someone published something anonymously, with an intent to associate themselves with this larger collective. Maybe for those in the know, they can say that this particular hack was discussed in Anonymous' IRC channels or something. Better to say "an Anonymous" or "a hacker claiming allegiance with Anonymous".
Of course, this is how the media is being hacked. Unlike the devil, Anonymous' greatest trick was convincing the world that it did exist.
> Can we agree to stop using Anonymous as a collective noun?
Then, can we agree to stop using:
"Scientists have just..."
"Al Qaeda destroyed..."
"Economists think that..."
"Experts believe..."
Tabloid-level writing at best. This is wrong in so many ways since in each case, you assume:
- the group is a consistent entity
- the group has no face and all members think alike
- your ignorance about how that entity is actually working.
We should never use such expressions - being specific is the right way to write about opinions and facts.
IIRC, wasn't this leak made by the group AntiSec? IIRC, they consider themselves separate from Anonymous and have their own very odd manifesto having to do with exploit disclosure.
But then we'd have to argue about what the word "hacker" means.
Seriously though, I'm actually quite OK with using "Anonymous" as a collective noun. Granted, it is a less accurate shorthand, but we all know what it means. For those who don't, I'm not sure using "a hacker claiming allegiance with Anonymous" would be any more enlightening. In fact, it may actually reinforce the mistaken idea that so many in the non-tech media still seem to have, which is that Anonymous is some kind of more or less traditional, hierarchical, online terror organisation.
"An Anonymous", yeah, maybe. Still seems needlessly confusing to the less knowledgeable. But I'm open to being convinced.
Agreed. It seems that everyone thinks Anonymous is a contiguous group, as opposed to a bunch of loosely, if at all, connected basement dwellers doing things under the same banner.
2. Anon tells other anons he got the UDIDs from a laptop.
3. Other anons tell more anons it was a government laptop.
4. Release group writes "FBI laptop" in their pastebin.
(5. ??? --> 6. Profit!)
The heterogeneity and disorder in Anonymous (at least it was like this back in the day) means that the chain from leaker to releaser -- usually passing through several people and IRC channels -- plays out a bit like a game of telephone. This serves to protect the leakers, but it can mess with some of the details.
I don't think it is helpful to make excuses for Anonymous. If you'll allow me to abuse the ethical alignment terms: They appear to be a chaotic neutral, not a chaotic good. I'm not sure it makes much difference if they lied or are incompetent. Especially since there really isn't a specific 'they'.
I cannot come up with a convincing reason that the 2% is missing however - or if the 2% is in addition to. Which would raise even more weird questions.
edit: [#] that seems a bit aggressive, but I am not aiming at the parent post here, apologies if it reads badly. I think I mean these guys would make it onto America's Dumbest Hackers TV special if that were the case.
They also said the data was taken "in the past 2 weeks". Assuming that Blue Toad's data changes daily or so, getting a 98% match to their "current" data seems reasonable. If the data changes "real time" then it might be impossible to find the exact time when the data matches 100%.
So Blue Toad doesn't feel it's their responsibility to contact the people they exposed? The individual publishers assumed the risk of working with Blue Toad so they are partially responsible, but Blue Toad isn't going out of their way to make people feel sorry for them.
It seems like Blue Toad's customers were intermediaries between Blue Toad and the final end-users of Blue Toad's apps. Much like the RSA break-in a few years back, it makes sense for Blue Toad to make a general announcement and leave the direct customer communication up to Blue Toad's customers (who own the direct relationship with the customers).
Of course, this brings up the question of why Blue Toad should have Personally Identifying Information about its customers' customers.
BlueToad said they were able to confirm several of their own devices in the dataset which they go on to use as evidence that the dataset is their own. If antisec took this database from BlueToad why would they not trim out the BlueToad devices that could help confirm that this leak didn't come from the FBI? They trimmed out 11 million rows but left in the 19 used by the developer itself?
How would they do that? The data contained "Apple Device UDID, Apple Push Notification Service DevToken, Device Name, Device Type." None of those fields necessarily indicate who owns any of the devices.
much of the argument against anonymous seems to rest on the march date. from the article:
> The discovery of the theft casts serious doubt on Anonymous’ claims that the data came from the FBI, and was pilfered in March.
> "Timing-wise, (their) story doesn't make sense," he [the CIO] said.
but when you read the blog of the guy who tracked things down, he says:
> While searching, I stumbled on a partial password dump for the company! And it was dated March 14, the same week that the hackers claimed they’d hacked into the FBI computer. Suddenly, I felt a lot more confident again, and I mentioned this connection in the email.
> He [the CIO] didn’t think the March leak (which they’d already been aware of) was related, but that the rest of my findings were concerning.
so the only evidence against it not being march is that blue toad are saying otherwise. against that, there's the original claim plus the known password leak. and blue toad are going to look bad if this was from march and they didn't notice (not that they look so great right now in any case).
again from the blog:
> I’m still not completely clear on all the technical details.
something doesn't seem right. the fact that the password dump comes from march seems like a huge coincidence, with no evidence against it, except the word of someone who may be motivated to deny that.
I don't see where it does either - until Blue Toad publishes information about the breach. But even then, as part of the breach investigation, that data may well have been provided to the FBI. That's one purpose of the NCFTA, AFAIK, to serve as a conduit during breach. I think it's irresponsible for journalists to say conclusively that one organization or other never touched the file when they don't have proof either way.
My original theory was that some ad service provider, analytics company, or app developer was working with the FBI on an investigation/attack and overzealously shared their customer's details (bad, bad--also horrific the amount of personal data collected, if Antisec's description of the original data set is true); but it could also follow that they were breached, hackers were circulating their database dump, and it was part of evidence in their investigation.
My point is to clarify the main thrust of the article. TLDR, if you will.
It sure looks like Anonymous lied. But they could still be telling the truth, if an FBI agent just happened to have Blue Toad's UDID list on his laptop. Which frankly doesn't sound as far-fetched as alien overlords.
tptacek | 13 years ago
ChuckMcM | 13 years ago
TheGateKeeper | 13 years ago
hrbrmstr | 13 years ago
http://intrepidusgroup.com/insight/2012/09/tracking-udid-src...
incision | 13 years ago
brittohalloran | 13 years ago
http://blog.bluetoad.com/2012/09/10/statement-from-bluetoad-...
j_s | 13 years ago
Another theory on the “FBI” UDID leak
http://news.ycombinator.com/item?id=4484547
http://www.marco.org/2012/09/06/udid-theory
ltp | 13 years ago
brittohalloran | 13 years ago
neilk | 13 years ago
ekianjo | 13 years ago
noamsml | 13 years ago
gaelian | 13 years ago
uvTwitch | 13 years ago
nvmc | 13 years ago
nodata | 13 years ago
You know Anonymous is a group, right?
Maybe you are thinking of anonymous? (lower case "a")
bo1024 | 13 years ago
The chain of events could have been:
1. Blue Toad either gets hacked, or gives their data to the FBI or someone else.
2. Somehow this data ends up on an FBI agent's laptop.
3. Anonymous breaches the laptop and gets the data.
4. Anonymous sees all the UDIDs and mistakenly thinks, "Apple and the FBI must be in cahoots!", and publishes it.
scythe | 13 years ago
1. Anon breaches laptop, finds UDIDs.
phsr | 13 years ago
naner | 13 years ago
lamebrain | 13 years ago
[deleted]
zerovox | 13 years ago
lifeisstillgood | 13 years ago
al_biglan | 13 years ago
wvenable | 13 years ago
sukuriant | 13 years ago
ek | 13 years ago
freehunter | 13 years ago
jamesmcn | 13 years ago
angrydev | 13 years ago
lgg | 13 years ago
drcube | 13 years ago
tptacek | 13 years ago
andrewcooke | 13 years ago
jen_h | 13 years ago
drcube | 13 years ago
epo | 13 years ago
vhf | 13 years ago
Kudos to Mr. Schuetz who went through all these UDID to find out what seems to be the truth, for once.
jahewson | 13 years ago
Hate to say "I told you so" http://news.ycombinator.com/item?id=4473971 :)
ricardobeat | 13 years ago
andrewflnr | 13 years ago
geedee77 | 13 years ago