UDID Leak : Identifying the Traitor

141 points by FredericJ, over 12 years ago

26 comments

cortesi, over 12 years ago
Sorry, I don't think this strategy is workable. Consider - 74% of apps I tested sent the UDID to one or more upstream servers. Furthermore, Flurry alone received UDIDs from 15% of apps I tested. That's just one aggregator, and they surely have nearly 100% of UDIDs on file. The APNS tokens narrow it down somewhat, but not too much. It's also not at all clear that there is a single source involved - this could be an amalgamation of a number of sources.

See this post for the source of these figures: http://corte.si/posts/security/apple-udid-survey/index.html

smutticus, over 12 years ago
Why do people keep assuming that the FBI is actually involved in this? The only evidence of that is from the pastebin page. They could just as easily be lying.

We know nothing. Other than that there are 1,000,001 leaked UDIDs. Everything else is just speculation and needs to be regarded as such until such time as proven otherwise.

terhechte, over 12 years ago
I doubt it's Apple. I checked the list, and there're tons of German people in there too (one can see that by how they named their iPad). I really doubt that the FBI would be interested in tons of German girls, for example (many iPads seem to belong to girls named 'Sandra' (iPad von Sandra)). If Apple were the culprit here, they would have been able to just deliver the UUIDs from people residing in the states (since they know which UUID is connected to which app store).

I hardly think it's Apple that leaked the information. Even if it's hard to believe for some people: Apple values their users' personal information pretty high.

I personally believe that this is from an internal FBI job, so they got this information in a non-legal way.

mahrain, over 12 years ago
Well, one piece of the puzzle is in the Lulzsec Pastebin itself. The hacked file's original filename is supposed to be "NCFTA_iOS_devices_intel.csv" and a quick DuckDuckGo gave me http://www.ncfta.net/ those contractors as source of the data.

jahewson, over 12 years ago
The whole FBI story is not credible, it's the *least* likely explanation. I'd start looking for the app that all these UUIDs have in common. This data is probably a dump of that app's server-side database. And what about the zip codes? GeoIP.

damncabbage, over 12 years ago

    I've Never Installed: ... Other [ ]

This is a joke, isn't it? How could I possibly answer this question correctly?

(My deadpan-sarcasm filter isn't working very well right now.)

alan_cx, over 12 years ago
Traitor? Is Apple a nation state now?

Which leads to an interesting question for me. Given that many web sites have more users than many countries, should there be a more proscribed relationship?

mtgx, over 12 years ago
This is a question we should keep asking Apple until they give a proper, real answer: Who gave this information to the FBI? If they say they gave it, then we know Apple gave this information and it will be a PR nightmare for them. If they say they didn't, then they will imply the FBI obtained it illegally and we can focus our attention on the FBI.

andyv88, over 12 years ago
What about PokerStars?

Their US operations were shut down by the FBI recently on bank fraud and money laundering charges.

http://www.tightpoker.com/news/pokerstars-shuts-down-2347/

Can anyone else confirm they have PokerStars installed? http://news.ycombinator.com/item?id=4473730

retube, over 12 years ago
Can someone explain what a UDID is (sounds like a MAC address or similar) and what the privacy or security implications are?

bcl, over 12 years ago
Small datapoint: my iPhone and iPod aren't in this dump. The iPhone hasn't been used in about a year. And the iPod is infrequently used for playing games.

lloyddobbler, over 12 years ago
It's an interesting question...but as someone who used to work in the survey world, I've gotta say it: the questions here are not going to give very useful data. Here's a couple of examples (& a tl;dr):

1) "Have you been to the US recently"? The way this Q is worded suggests that the audience is not people who live in the US. Either way, the non-specificity of the Q makes me worry with what info will be extrapolated from the responses.

2) "I haven't installed the following apps: Facebook, LinkedIn...OTHER".

...there are a lot of apps I haven't installed. I hope you don't want me to list them all...?

tl;dr - when putting together a survey like this, be careful to look at it from all sides and see where you could be introducing a bias of some sort. Drawing conclusions from flawed data = FTL.

DaveWoldrich, over 12 years ago
I love all the outrage and concern. All your information is for sale in the walled garden, outside the walled garden, everywhere! You don't deserve to expect anonymity and privacy because you offer up all your secrets willingly.

Rabble all you want over this traitor business, even clamor for new laws to protect us (although that just makes things worse and poisons the waters). In my humble opinion, you breathless bloggers are all just wasting energy. Until we techies start designing networks and storage systems for anonymity and privacy, all your dirty laundry is money in the bank to these service providers and easily searchable by big brother.

pppqqqooowww, over 12 years ago
For what it is worth, the languages used by users to name their devices are certainly not limited to US English. Out of the 1,000,001 device list, about 10,000 device names contain the Korean possessive "ui", about 5,000 contain the Japanese possessive "no", and a whopping 32,000 contained a Chinese possessive. Unsurprisingly, none contained all three. :-)

    $ grep 의 iphonelist.txt | wc
      10682   23316 1469444
    $ grep 的 iphonelist.txt | wc
      32168   77171 4522336
    $ grep の iphonelist.txt | wc
       4838   15191  671159
    $ grep 의 iphonelist.txt | grep 的 | grep の | wc
          0       0       0
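
The counts in the comment above can be produced in a single pass that also reports records carrying more than one marker, instead of chaining greps per combination. This is an added example, not part of the original comment: the sample records are constructed, each line is treated as an opaque record the way grep treats it, and the German "von" marker is an assumption based on the "iPad von Sandra" pattern mentioned elsewhere in the thread.

```python
import re
from collections import Counter

# Marker label -> pattern. The three CJK particles are the ones grepped for in
# the comment; the German "von" pattern is an assumption taken from the
# "iPad von Sandra" observation elsewhere in the thread.
MARKERS = {
    "ko": re.compile("의"),
    "zh": re.compile("的"),
    "ja": re.compile("の"),
    "de": re.compile(r"\bvon\b", re.IGNORECASE),
}

def classify(line):
    """Return the set of marker labels found in one record (line)."""
    return frozenset(label for label, rx in MARKERS.items() if rx.search(line))

def summarize(lines):
    """Count records per marker, records with several markers, and unmatched."""
    per_marker, overlaps, unmatched = Counter(), Counter(), 0
    for line in lines:
        hits = classify(line)
        if not hits:
            unmatched += 1
            continue
        per_marker.update(hits)
        if len(hits) > 1:
            overlaps[tuple(sorted(hits))] += 1
    return per_marker, overlaps, unmatched

# Constructed sample records (not taken from the leaked list).
SAMPLE = [
    "민수의 iPhone",
    "小明的 iPad",
    "たろうの iPod",
    "iPad von Sandra",
    "John's iPhone",
    "田中的のiPad",  # constructed overlap case: zh and ja markers together
]

if __name__ == "__main__":
    per_marker, overlaps, unmatched = summarize(SAMPLE)
    for label, n in sorted(per_marker.items()):
        print(label, n)
    print("overlaps:", dict(overlaps))
    print("unmatched:", unmatched)
```

A marker hit indicates the language a device was probably named in, not where its owner is located.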

brokenparser, over 12 years ago
I recommend everyone to fill in this form, even if you don't own an iDevice. The person who leaked the information could be anyone's son or daughter, we all know how careless we were ourselves when we were younger. The stakes have become higher, but that doesn't mean we should try to jail a kid with an Internet connection and deprive him/her of his/her future. We should all try to help ensure that incidents such as this leak cannot happen, in the simplest form by rejecting privacy policies which waive your privacy.

Please, why won't anybody *think of the children*?

ikangai, over 12 years ago
Actually, the notification tokens are a bigger threat, because they allow imposters to send notifications to apps. We know this from our own experience: http://www.ikangai.com/news/udids-leaks-and-push-notification-token-security-threats/ However, there is also a good thing: sending notifications with the tokens from the data can be used to identify the apps which collected the UDIDs.

phelmig, over 12 years ago
Finally it all depends on AntiSec. We have no idea which 1'000'001 datasets they published (first 1m, last 1m or random). If they have access to all 12m UDIDs + the additional information (Country, Postal code, Addresses) they could at least release some statistics about it, this would make it a lot easier to find a (potential) source. (E.g. If we knew which percentage of the UDIDs came from Europe etc.)

stcredzero, over 12 years ago
Is the formatting of this blog meant to be iPad unfriendly?

http://pic.twitter.com/rLOyOHbh

derp1101, over 12 years ago
There are a lot more than 12 million iDevices out there, so why only 12,000,000?

The small number leads me to think that the UUIDs might belong to people the FBI are particularly interested in tracking. If your UUID is in there, fasten your tinfoil hat.

Just a thought.

ajuc, over 12 years ago
FBI will just fill 1000 fake datapoints to cover its informant.

FredericJ, over 12 years ago
Let me know if you find other relevant questions to ask.

ajanuary, over 12 years ago
"I've never installed: Other" That's a looong list.

jrnkntl, over 12 years ago
Why is "Facebook" pre-checked?

ObnoxiousJul, over 12 years ago
Are any jailbroken iPhones with privacy patches installed being leaked? Xhi2 analysis is not only about what triggers the correlation, what does not trigger the correlation is also important. My guess is jailbroken are underrepresented in leaked UDID either because jailbreak is shielding users or because users able to install a jailbreak are more aware of computer security issues. Regular iPhones are cell phones remotely controlled by a 3rd party, jailbroken iPhones are computers you control. I am no paranoid freak, I am just a regular sysadmin with a pretty low security awareness.

berntb, over 12 years ago
It would surprise me if intelligence organisations *didn't* make databases like this. I assume the CIA could get the user information from Apple, with or without Apple's consent.

I have no real problem if the UDIDs of my iPad/iPhone/iPod are stored with my name by intelligence organisations in democracies.

But... I do have problems with them being so incompetent that private information about me is leaked!!

accarrino, over 12 years ago
I wonder if the FBI got the UDID list from Apple, or if the FBI has a stealth app in the App Store and people gave up their info voluntarily when they installed it...