Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Crime Government Privacy Security United States Apple Your Rights Online

FBI Denies It Held iPhone UDIDs Stolen By AntiSec 216

judgecorp writes "The FBI has denied the UDID codes released yesterday came from an agent's laptop, as claimed by the AntiSec hacker group. The FBI says it does not hold such data, and the attack never happened. However, the agent named by AntiSec is real, and some of the published UDID codes have been found to be genuine. So where did they come from?"
This discussion has been archived. No new comments can be posted.

FBI Denies It Held iPhone UDIDs Stolen By AntiSec

Comments Filter:
  • by fustakrakich ( 1673220 ) on Wednesday September 05, 2012 @07:51AM (#41233525) Journal

    The FBI... What, does anybody expect them to admit it?

    • by siddesu ( 698447 )

      Nyet. J. Edgar Hoover.

    • by Sarten-X ( 1102295 ) on Wednesday September 05, 2012 @08:04AM (#41233605) Homepage

      On the other hand, finding the names of agents is pretty easy, and dropping one makes for a much juicier story than "AntiSec managed to get a UDID-sniffing trojan into the app store".

      In the absence of any further evidence, I must assume that everybody's lying. The real story is that the UDIDs were harvested wirelessly using petahertz radio scanners mounted on the invisible black helicopters flown by the lizard aliens who, due to their shared ancestry with birds, make excellent pilots, even in aircraft that are based on Martian stealth technology (which is why we're giving the Martians our nuclear-powered cars now).

      • by Anonymous Coward on Wednesday September 05, 2012 @08:13AM (#41233659)

        The FBI are lying about it not being theirs and ANON are lying it about it being theirs.

        Is this some sort of Schroedinger's laptop?

      • by crazyjj ( 2598719 ) * on Wednesday September 05, 2012 @08:27AM (#41233817)

        In the absence of any further evidence, I must assume that everybody's lying.

        Except that Anon has real evidence in this case, and specifics. The FBI is just issuing a blanket denial. And, for that matter, if this agent is real and doesn't do this, why aren't they hiding him and not making him available for interviews? Seems like he would be the most credible source to deny it.

        • Yes because I totally did not have sexual relations with that donkey.
        • by Sarten-X ( 1102295 ) on Wednesday September 05, 2012 @08:58AM (#41234145) Homepage

          I have a few agent business cards in my desk at home. I could claim any one of them gave me a receipt that proves Lee Harvey Oswald's innocence. I could show you a receipt dated November 22, 1963. The agent I name could deny it, of course, but then his denial could just as easily be dismissed as "protecting his job" or some other obvious ploy.

          Anon has shown only that they:

          1. have UDIDs, some of which are valid
          2. have the name of an FBI agent

          There is no evidence that the UDIDs actually came from the FBI. There is no evidence that Special Agent Stangl is related to the case in anything but name, and any statement from him must be considered questionable, just as any statement from Anonymous must also be questionable.

          As the saying goes, extraordinary claims require extraordinary proof, and there is very little actual proof available... just names and numbers mentioned in close proximity.

          • by Anonymous Coward

            There is no evidence that the UDIDs actually came from the FBI. There is no evidence that Special Agent Stangl is related to the case in anything but name, and any statement from him must be considered questionable, just as any statement from Anonymous must also be questionable.

            As the saying goes, extraordinary claims require extraordinary proof, and there is very little actual proof available... just names and numbers mentioned in close proximity.

            All absolutely valid points.

            Unfortunately, you cannot confirm or deny any of it, and therefore with regards to statements made by our Government, the sane majority must default to the history books and say that they're lying.

            All of them.

            Now prove me wrong.

          • by fadethepolice ( 689344 ) on Wednesday September 05, 2012 @10:18AM (#41235093) Journal
            This is likely to be true of every action of every whistleblower from now until the end of time. The very act of getting protected data from an organization by definition results in this situation. The only resort is to look at context and evaluate the information on the knowledge you have of the participants. http://en.wikipedia.org/wiki/Carnivore_(software) [wikipedia.org] http://en.wikipedia.org/wiki/NarusInsight [wikipedia.org] The FBI has a proven track record of secretly monitoring Americans for close to 100 years. Anonymous has a decent reputation as occasionally competent hackers. Given these facts I would tend to give more weight to the evidence presented by anonymous than the denials by the FBI.
        • Re: (Score:3, Insightful)

          by somersault ( 912633 )

          Why do they need to waste time getting a "credible source" to deny not very credible accusations? If I gave a list of accusations for 100 agents right now, should the FBI take those 100 agents off of whatever they're doing to give a press report?

          Really, who cares?

        • Anon has presented no evidence of how or where they got the data and refuse to give any more information on the subject. They listed an agents name but how did they know to target this individual? The exploit they claimed they used (the Java Atomic Array flaw) is not exploitable on every machine that has Java installed and requires a specific configuration and usage patterns before the flaw could be exploited. And the FBI would be wary of issuing a blanket denial because they could not be sure there was not

      • by blueg3 ( 192743 ) on Wednesday September 05, 2012 @10:53AM (#41235521)

        ...finding the names of agents is pretty easy...

        Yeah, especially when the agent stated his name in a well-known FBI PR video targeting hackers.

    • by crazyjj ( 2598719 ) * on Wednesday September 05, 2012 @08:23AM (#41233779)

      Wouldn't it be nice to think the FBI would ever release a press release with the header "Yes, We Screwed-Up and Yes, We're Illegally Spying on You." But inevitably, that's the kind of admission that only comes out decades after the fact. It's not like if you had asked J. Edgar Hoover "Hey are you spying on Martin Luther King with illegal wiretaps and recording devices?" back in the 60's he would have replied "Oh yeah, we're doing that."

      • by Lumpy ( 12016 )

        FBI can legally spy on you. It's the CIA that cant legally spy on you.

        • FBI can legally spy on you.

          Not without a warrant. Care to guess whether or not they had one when they were putting recording devices in Martin Luther King's motel rooms and home?

          If you answered "No," congratulations.

          • by tmosley ( 996283 ) on Wednesday September 05, 2012 @08:56AM (#41234121)
            Wow, a time traveler has come to us from some time before 9/11/2001. Tell me, friend, what is it like to live in a free society? It has been so long I have forgotten.
        • in theory, they still need FISA warrants.

          • by Lumpy ( 12016 )

            They have a roll of FISA warrants next to the sink. Many of the guys here at the office mistakenly use them as paper towels.

      • by Yvanhoe ( 564877 )
        Usually they blame a subcontractor.
        • From their perspective, this is no doubt a beneficial side-effect of the massive expansion [amazon.com] of the private national security industry since 9-11. I guess at least it's providing jobs.

    • Comment removed (Score:5, Interesting)

      by account_deleted ( 4530225 ) on Wednesday September 05, 2012 @08:26AM (#41233815)
      Comment removed based on user account deletion
    • by Anonymous Coward

      "NCFTA_iOS_devices_intel.csv'

      National Cyber-Forensics and Training Alliance(1) is that FBI-sponsored industry cybersecurity PR, lobbying, and info-sharing consortium that was going to replace CERT et al, make sure the Bureau's position on cybersecurity was advanced, and pass out a lot of white hats to all the "Walker, Cyber Ranger"s out there. Stangl (sic) apparently may have some role there. As others have pointed out, the data could have come directly from Apple.

      So maybe the Fibbies are *technically* tru

    • The FBI... What, does anybody expect them to admit it?

      FBI: Hello, Supervisor Special Agent Christopher K. Stangl, would you please step under this bus? We don't want to throw you.

  • Collection != leak (Score:4, Interesting)

    by AwaxSlashdot ( 600672 ) on Wednesday September 05, 2012 @07:54AM (#41233537) Homepage Journal

    There are 3 issues here:
    * who collected them ? (most probably an app)
    * who "lost" them ? (AntiSec claim they found it on a FBI agent laptop they compromised)
    * how the data went from #1 to #2 ?

    And the 3rd one is the most interesting.

    • by zill ( 1690130 )
      I see several people mentioning it was a Trojan app, but then where did the addresses and zipcodes come from?

      Do people actually store addresses and zipcodes on their phones?
      • Re: (Score:2, Funny)

        by Anonymous Coward

        > Do people actually store addresses and zipcodes on their phones?

        No grandpa, no one would ever have addresses and zip codes in a phone! That wouldn't make a lick of sense!

      • Yeah, that's the weird part. My phone has phone numbers, and that's it. Of course, I don't use my phone for much other than phone calls, so I'm pretty secure. I don't even download many apps, just some games now and then. Oh, and there was this one app a friend recommended to me, where I just download it and fill out a survey for a chance to win a $50 Wal-mart gift card! For each person I refer, I'll get another chance to win! Of course they wanted my mailing address for that, but that's okay. I'm expecting

  • Possibilities... (Score:4, Insightful)

    by Severus Snape ( 2376318 ) on Wednesday September 05, 2012 @07:57AM (#41233563)
    1. AntiSec is lying.
    2. FBI is lying.
    3. AntiSec is telling the truth and the FBI's methods of obtaining the UDID codes means they can't admit to it.
    • Re: (Score:3, Insightful)

      by jfdavis668 ( 1414919 )
      Another option, AntiSec hacked someone pretending to be an FBI agent. I have run across people like this, who are trying to con you or just getting their jollies.
      • by zill ( 1690130 )
        Wait, so you're saying there's a con man out there who pretends to be an FBI agent and he somehow has the personal information of a million iPhone owners?
      • by vlm ( 69642 )

        Another option, AntiSec hacked someone pretending to be an FBI agent. I have run across people like this, who are trying to con you or just getting their jollies.

        Infinitely more likely is they hacked a civilian employee or contractor of the FBI who merely happened to have the named agent log into the laptop once, or maybe the named agent worked closely with the civilian. That way the FBI can truthfully deny, yes, indeed, the FBI has no UDIDs...

        They also VERY SPECIFICALLY stated that no "FBI laptop was compromised". This is very important. The MIB might have copied the file onto his personal laptop, or it was technically a FBI leased laptop instead of being a FBI

    • by guises ( 2423402 )
      It seems possible to me that the FBI had the UDIDs but didn't know it. With warrantless searches now the norm and the unscrupulous attitude that that implies, agents don't have or expect the oversight that they used to. So it could easily be that an agent collected those, thinking it was no big thing.
    • 4. They're both lying
      5. AntiSec isn't deliberately lying, but were misinformed (eg. the list was actually used by $sinisterGovernmentAgency, but they were masquerading as FBI for some sinister reason)
      6. The FBI isn't deliberately lying, but those speaking were misinformed (eg. it was part of some project spearheaded by some upstart who didn't get authorization)

  • by Anonymous Coward on Wednesday September 05, 2012 @07:58AM (#41233569)

    From TFA: "At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data"

    Saying there's no evidence isn't the same as saying it didn't happen.

    • Proving a laptop has not been hacked is impossible. If the FBI determines data that were on his laptop have been compromised they'll send him back to data security 404 and give him a new laptop.
    • by crazyjj ( 2598719 ) * on Wednesday September 05, 2012 @08:34AM (#41233881)

      Yeah, anytime you're dealing with a government press release or statement you have to CAREFULLY parse the language. These things are carefully crafted to imply things they don't actually say. "I personally have no knowledge of such an event happening" is NOT the same as saying "This event didn't happen." There are a million ways to imply things without saying them, and a dumb and gullible press will usually swallow them hook-line-and-sinker 99% of the time.

    • by JBMcB ( 73720 )

      No, but if you're claiming you hacked into an FBI laptop and stole data that the FBI claims doesn't exist, you'd better have *some* sort of proof.

      Maybe a script kiddie hacked into an AT&T server and got the UDIDs, but claiming that they hacked into the FBI would make them sound cooler.

    • by blueg3 ( 192743 )

      No shit. They don't have magic spy software on their own laptops that can provide absolute proof. How's someone at the FBI going to determine, without a doubt, that none of the laptops the FBI uses was hacked? How are they going to determine that absolutely zero agents requested or managed to get their hands on the information being discussed? They can't.

      So, while they're using weasel words, it's also the correct way to respond: They can't be absolutely sure of their statement, but they have no evidence tha

  • Which is more likely - the fbi just happened to lose a laptop with millions of UDIDs that it had no reason to have and anonymous just happened to find that particular laptop? Or that someone in anonymous wanted to make waves and so made a bold (but unverifiable) claim?

    Pardon me, I need to go shave.

    • by siddesu ( 698447 )
      In a perfect world, the second would be more likely. However, if you stack it againt the hundreds of cases every year where officials or executive lose equipment with mega or gigabytes of personal information, I'd say that IRL the first is at least as likely as the second.
    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Wednesday September 05, 2012 @08:07AM (#41233619)
      Comment removed based on user account deletion
      • "Chances are darn good"?

        I don't know the numbers, but I believe the formula would look something like this:

        (odds fbi collects apple udids) * (odds udids kept on agent's laptop) * (odds of fbi agent losing laptop) * (odds member of anonymous finds it)

        I think that product will be a pretty small number.

        • Actually it looks like this:

          (1) * (1) * (odds anon target well known fbi man and hack into his laptop over the evil internet)

        • The odds of them hacking an FBI laptop is pretty damn good considering:

          1. FBI is probably investigating AntiSec
          2. AntiSec knows that FBI are probably investigating them
          3. New security hole for Java released, not patched
          4. Lots of government'y stuff use Java

          AntiSec could just make a page using that security hole and "accidentally" let it slip to the FBI, and pronto, one (or many) hacked FBI box(es) served right up.

          So, the chance of them gaining access to a few FBI boxes are rather high, all considering. And

      • by JBMcB ( 73720 )

        Also, I'd say the chances are darn good for FBI to lie whenever something like this happens, just for the sake of looking good in the eyes of the general public and for painting anyone who disagrees in bad light.

        I find it very difficult to believe that this, the most *transparent* administration in recent history, would allow such lies to be promulgated.

      • As for unverifiability: apparently some of those UDIDs have already been verified.

        False conclusion. The fact that some UDIDs are valid does not verify they were taken from an FBI laptop.

        Some genuine UDIDs which were already known could have been included in a group of numbers which match the form of the others (I'll make you a script to generate them in a couple of minutes, if you like), but are in fact fakes, meaning only Apple could tell the two apart. As a lot of Anon's "work" is "for the lulz", I wouldn't put it past them to do something like that. Scruples are one thing they're lac

    • Anonymous targeted the FBI guy, he is moderately senior and very active + well known in white-hat circles; what goes around, comes around. .. or in your haste to fud did you skip the article, and all the articles yesterday, where it is made clear he was hacked and did not 'lose' his laptop.

    • There were quite a few apps that were caught collecting UDIDs, if I remember correctly. It's not actually all that far-fetched to believe that somebody, in order to gain some "street cred" actually obtained it in this manner, then released it saying it had come from the FBI to undeservingly inflate their reputation.
    • by wbr1 ( 2538558 )
      The FBI did not lose the laptop. According to Anonymous, it was broken into using a Java exploit.
    • I don't trust Anonymous more or less than the FBI, but the motivation to pull this story out of their ass seems smaller than an FBI stooge's motivation to deny and cover their ass.

      FBI brass might even be pitted against FBI agent: brass said don't get the UDIDs and the agent went and obtained them anyway. The FBI is a large bureaucracy with complicated relationships between semi-independent operatives, and it's possible there is low coordination between FBI spokesman and FBI worker. Anonymous may have more o

    • Whoa there Nellie! The data was released by AntiSec, not Anonymous.

      Anonymous has been in the news so much, I'm sure you just got a little confused.
  • "The FBI has denied the UDID codes released yesterday came from an agent's laptop, as claimed by the AntiSec hacker group. The FBI says it does not hold such data, and the attack never happened. However, the agent named by AntiSec is real, and some of the published UDID codes have been found to be genuine. So where did they come from?"

    Maybe from a soon to be blown case were the FBI is investigating an anonymous hacker group?

    • Maybe from a soon to be blown case were the FBI is investigating an anonymous hacker group?

      Or evidence that they're building a giant fishing net (with ALL of us in it) for future fishing trips. When there are 12 million entries in a database on a single laptop, all just from iPhones and iPads alone, I tend to think this is much larger than just some individual investigation. Shit, that's over 10% of Apple's *ENTIRE* active U.S. iPad and iPhone userbase, on that one laptop alone. That's not from any one investigation, or even several.

  • We all know that alien computers talk seamlessly to Apple devices.

    So the aliens have been collecting them for years.

    What took the aliens so long to publish them - was talking to a Dell Windows laptop.

  • Issue? (Score:3, Interesting)

    by symes ( 835608 ) on Wednesday September 05, 2012 @08:07AM (#41233621) Journal

    This is not something I know a great deal about, but surely the UDID is pretty easy to get hold of. Surely most suppliers will keep a record for warranty/insurance reasons. AFAIK, many apps can access this information. ITunes relies on it. These data could just be from the FBI looking for patterns of insurance fraud, or similar. And I wouldn't be surprised if a load or organizations hold this sort of data for a range of gadgets. I bought a fridge a while back and had to send the serial number off to some third party to have my warranty set up. I am happy to be corrected though, and told this is a huge privacy thing.

    • This is a huge privacy thing, just like any American's Social Security number. You know, that number where the last four digits are used frequently for identification to third parties, the first three are based on where you were born, and the middle two are based on when you were born...

      Being a privacy issue doesn't necessarily mean it's kept particularly secure.

    • Any app developers out there? If it is anything like Android, any app with sufficient privileges can send the phone's unique identifier to a server to be stored. Whether it be the hash looking thing for the phone itself, or the phone number for that account.
    • by Bogtha ( 906264 )

      Surely most suppliers will keep a record for warranty/insurance reasons.

      The UDID is separate to the serial number; there's no reason to use the UDID for this purpose.

  • This sort of fits... (Score:5, Informative)

    by Revotron ( 1115029 ) on Wednesday September 05, 2012 @08:09AM (#41233635)
    ...with the general attitude I saw from Slashdot regarding the original story. It almost sounds like a complete fake just because what the hell would the FBI possibly do with a deprecated SHA1 hash of a few device-unique identifiers? Verify that their super-secret gub'mint database of everyone's iPhone MAC addresses and MEIDs has no row errors?

    It's worth reiterating from the other story that Apple doesn't even accept apps that reference the UDID any more, and it was never used as a security or authentication feature in the first place. It's like saying "lol, you got pwned, I just got the MD5 hash of your entire hard drive, LULZ LULZ LULZ WE ARE ANON"

    If the FBI really wanted some useful information, they could swipe your ESN/MEID and track you down to a cellular level. Hell, they probably already have. Smile at the camera!
    • by wbr1 ( 2538558 )
      If the DB contained names and other person identifiers (which were supposedly stripped before release), then if an FBI agent snatched a phone briefly, it could be used to quickly verify the phones owner.
      In addition, even though its use as a device identifier is depreciated, apps still use it, and could be used to spoof authentication to certain apps central servers, thereby allowing the holder (if the UDID was used as the single form of ID), to mine data from the app, or log in as you from a jailbroken iD
      • other person identifiers (which were supposedly stripped before release)

        Hopefully you can understand why I have my doubts in this scenario. It's like Joseph Smith and the gold tablets. "Only I'm allowed to see them, so I'll stare into this top hat and read everything to you."

        Also, apps (and app updates) from the last year or so that use the UDID in any way have been rejected by Apple on that basis alone. Any app that uses the UDID as its sole authentication mechanism would hopefully not contain any sensitive personal information, and fortunately anyone that dumb probably

  • by tekrat ( 242117 ) on Wednesday September 05, 2012 @08:15AM (#41233693) Homepage Journal

    But I trust the hacker group more than I trust the FBI.

    It's more likely the FBI is lying to cover up something. I mean, we're talking about the *government* -- not exactly our best and brightest, but definitely good at the "cover your ass" game.

    • by PRMan ( 959735 ) on Wednesday September 05, 2012 @08:35AM (#41233895)
      Exactly. Anonymous and Antisec have seemingly been completely honest in the past, when it comes to claiming responsibility for hacks. The FBI is known to lie and cover up. Given past experience, Antisec is more likely to be telling the truth.
    • Maybe they had the UDIDs as part of an investigation into actual hackers/criminals (i.e. evidence), which would prevent them from commenting on it now. Just another possibility that seems more likely to me than the FBI somehow harvesting relatively useless phone IDs.
  • Sigh... What a relief!
  • Comment removed based on user account deletion
  • uhnnn.... is this the same FBI that was to be involved with the *deliberate* disinformation "strategy" - if it can be called that - to put out complete whopper lies and try to back-track where they came from in order to catch "terrorists" and other criminals?

  • Maybe the FBI agent (the laptop owner) moonlights as a hacker.
  • Now that the FBI basically rejected AniSec's claims and Adrian Chen put on a pink tutu with a shoe on top of his head (Source: Link [gawker.com]), AntiSec can now respond to the FBI's denied claims. I just threw some popcorn in the microwave.....
  • "There are no tanks in Baghdad!"

  • by realsilly ( 186931 ) on Wednesday September 05, 2012 @08:43AM (#41233969)

    ...based on the information they put out.

    And the disinformation tactics of Govt. agencies. I think the FBI is try to call the AntiSec bluff, to get them to release more info. And once more info is released, then the FBI will use this info to try to track back to source, arrest and use the info as evidence against AntiSec individuals.

    But this is my hunch.

  • It really depends on the application in question: The Push tokens are application specific, and Apple knows or can trivially find out which application vendor is the source of this information.

    If its a game, then the Anons are full of it, there is no reason for the FBI to have gotten that data.

    If its something like, well, who knows, then the Anons are probably telling the truth.

    If some slashdot reader's UUID is on the list, please contact me. It may be possible to use the phone backup file to determine whic

  • by jones_supa ( 887896 ) on Wednesday September 05, 2012 @09:16AM (#41234291)
    Also the F-Secure researcher Sean Sullivan was suspicious [pcmag.com] about the information really coming from FBI.
  • by onyxruby ( 118189 ) <onyxruby&comcast,net> on Wednesday September 05, 2012 @09:19AM (#41234329)

    This all a bunch of nonsense! This was probably just a list from a given vendor. Track this down by doing the following:

    Look for the ID's and find the most recent date one that you can. That gives you the date range that this is relevant for.
    Look at the ID's and match them to locations? Are they all from the US? That might give credence to FBI angle (which I think is bullocks).
    Look at the ID's and start matching users.
    Look for commonality between said users, this far too large of a list of users to simply be a list of OWS protestors (sorry, if OWS was ever that large on just apple users alone OWS would have succeeded instead of being a punch line). Your doing this just to exclude conspiracy theories like a national we spy on people with shiny toys conspiracy theory.

    Once you've concluded that there isn't anything in common between most of these people you can't start the real work:
    Start matching the common thing or applications between those users. You will probably discover something really benign like they they all have AT&T accounts that belong to the western part of the US or they all have the Twitter application or something really boring.

    ///sorry to ruin your conspiracy theories, have but have fun reverse engineering this

  • Now comes Crass and Curious, and effort to collect device UUIDs.

    Does anyone believe any department under Eric Holder?

Perfection is acheived only on the point of collapse. - C. N. Parkinson

Working...