I'm inclined to believe the FBI on this occasion, although the reasoning is getting confusing ("But you've also bested my Spaniard...Surely I cannot choose the wine in front of me")
If the Antisec account is accurate (that they popped this agent's computer), then they most likely possess further evidence that they could release to corroborate their claim (The .csv file may have been the only interesting file, but presumably they copied off lots of uninteresting ones as well).
So if the FBI is lying, they have to assume that Antisec's next move would be to release more corroborating evidence (because who wouldn't be upset over being called a liar), which would then make the FBI look incredibly foolish (as well as now on record as having given false statements).
This leads me to believe that the FBI is telling the truth, and that Antisec obtained the list from somewhere else, and is just having a laugh at the FBI's expense.
Sadly, I don't think either of these groups have built up an immunity to Iocane powder.
I wouldn't be inclined to trust anything the FBI has to say on this, not because I have my tinfoil hat on, but within the context of the allegation they are an unreliable witness, so to speak.
The question is, are these UDIDs real? If so, then where did AntiSec get them from if not a compromised FBI laptop? If they'd hacked Apple or a carrier, surely they'd be quite as happy to crow about that as anything else.
I can understand the idea of pinning the leak on the FBI, I'm just unsure as to how plausible that is. They and their contractors have shown themselves leaky enough to not need any fabrication of evidence in the pursuit of lulz.
We checked our app's push notification token database against the leaked list, and there are intersections (who we then notified). So I'm inclined to believe that the list is genuine.
However, the story as to how they got released and from where is anyone's guess at this point.
The "van" is striking; it's the Dutch version of the German "von". The fact that the former is larger than the latter indicates that the list contains more Dutch UDIDs than German, interesting.
Not necessarily, because "van" is much more common in Dutch names than "von" is in German names. (One reason for this is that "von" used to be restricted to German nobility, while there was no such restriction for "van", and as a result "von" is still relatively rare in German names.)
Additionally, "van" and "von" are possessive pronouns in Dutch and German respectively, which might explain why they are used (e.g. "iPod van Mike" means "Mike's iPod" — the owner may still be Dutch but "van" is not part of his name). Again I think this is relatively less common in German, where the genitive case could be used instead.
The frequency of van/von as part of last names is irrelevant because this is mostly about first names plus possessive markers. Dutch has genitive case on names as well (name + s), so I don't see why 'von' should be less frequent than 'van'.
How does that hellban thing work? I wasn't notified, and that's a pity because I think I have made some valuable comments, and now I realize no one was able to read them? And probably will never try to contribute again since it's a waste of time and is not appreciated.
Not to say the FBI didn't get hacked, but the filename "NCFTA_iOS_devices_intel.csv" is very strange to me.
It's almost exactly what I would pick if I were making up a filename to incriminate the FBI/NCFTA. However, it seems much too long for a usual filename. Especially the "intel" part: if you work for the FBI, everything about your job is intel. Why would you put it in the filename?
Because putting "topsecret" in the file name seems even more childish? It's an interesting double tap kind of announcement, hacking an FBI lapper seems like a pretty big win in and of itself, because he had java in his browser and went to a contaminated website... All very topical stuff.
If you were disgruntled and made off with that kind of data from a carrier or Apple or perhaps even an app vendor, how would you put it out to screw them?
Clearly the data is real. It leaked out from somewhere. I think some other aspects around it are just window dressing though.
When I read that, I thought "intel" referred to the company, rather than being short for "intelligence." Then again, it's not capitalized, so maybe I'm mistaken.
One other comment has me thinking, though. If it's fake, can you go to jail for just pretending to hack the FBI if they never really did it?
You clearly don't hang out with a lot of old Windows users. It's all 8LETTERS.txt or "Lots of Letters & stuff.doc" but never, ever conforms to a consistent convention. I'm pretty sure an exuberant Anon declared this was "intel".
"The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data."
We currently only have it on AntiSec's word that the information came from an FBI laptop, so technically their statement is true.
According to this blog, several organizations aggregate said information[1] so it's possible that one of them was hacked. I wouldn't expect AntiSec to frame the FBI, but then again they're not exactly buddy-buddy.
Evidence is just stuff. It's not some magic object sprinkled with truth and certainty pixie dust.
The connection between a given explanation and any evidence is a probabilistic inference (Bayes Rule actually). You always have to weigh the likelihood of the evidence occurring due to other reasons, be it accident or fraud.
Considering that a number of folks with large UDID lists have stated they've found intersections, it seems the data itself is the real deal.
The only thing that's left is to debate the likelihood of how they got it.
At the moment the burden is on the FBI. It'll take time to find the truth. Even if the FBI release was written in good faith, they're a large organization, and it takes time to figure out what's going on.
Yes, also if someone leaks 1 million people's private data onto the internet I'd think it would be FBI's responsibility to investigate how that happened.
If it really is from a compromised FBI laptop, you can assume they nabbed more than just this one file. All they would need to do is release another file that would be much harder to deny as "evidence."
The thing that really makes me wonder is why not come out and say that a) they do/do not have an agent named Christopher Stangl and b) If they do, that his equipment is secure.
Yes, I know, saw his LinkedIn profile too. Not that either of those could be faked but let's not go there. I was agreeing with the comment that this denial was a very weak statement from the FBI. There were specific facts in the accusation which the FBI chose not to directly contradict, which I found somewhat odd on their part. That doesn't help the FBI convince me that they weren't caught with their floppy out if you know what I mean.
As I've learned from the TV show "The Newsroom," ask the follow-up! Have they looked for evidence? Could the data have been on an FBI agent's personal laptop rather than an "FBI laptop?" Do they consider data in the class of Apple UDIDs to be "private?"
I'm certainly more inclined to believe them over the kids who posted the file. AntiSec could be deliberately misleading people (for the lulz, I suppose), or perhaps just simply didn't understand what they were looking at and what it meant.
Though, of course, it wouldn't be the first time in recent memory that the FBI flatly denied a damaging fact.
And yet they flatly deny it instead of saying they're investigating or they're not sure.
They don't deny it. They say that "At this time there is no evidence indicating that an FBI laptop was compromised". That's different. The evidence is just not here at this time.
> That takes some hubris. And that's a trait that has gotten more than one organization owned by Anonymous/*sec in the past.
That would require acknowledging them as a real threat. I don't think the government is really there yet. They seem to perpetuate the opinion of the parent post:
That's probably true. The whole thing smacks of grasping for straws. It's just spreading FUD. UDID data has been flying around WiFi hotspots and in plaintext over networks for years. Harvesting them is like harvesting names and addresses from postcards. I wouldn't put it past people to aggregate a bunch of them, then pin it on some well known government agency to pull a publicity stunt like this.
The first people to fail to protect the privacy of app users: iOS app developers and the folks at Apple who wrote that part of the SDK. (Who should've known the result of counting on hordes of hobbyist devs to "do the right thing" with the UDID.)
Given the weasely non-denial denial, it's probably safer to assume the FBI is the source. If they were sure it couldn't come back to them why would they leave room to mea culpa?
While you can read that claim as being "we are too clueless/dumb to even realize we were hacked" an equally valid explanation is that they know that they either do not have the dataset being distributed, have sufficient canaries in said datasets that they know which ones come from them (for finding leaks, etc), and/or know that no one person has access to a broad non-targeted list with this info.
Or they may know that there's no agent with the name/job description specified, or they may know the true origin of the information in question. There are a lot of ways the FBI could be sure the information didn't come from them.
I find it most interesting that Apple hasn't mentioned a word as to this leak at all. The FBI has denied, NCFTA has refused to comment, but why hasn't anyone asked Apple as to their comments? This much data floating around had to have come from someone with lots of info, and if it isn't Apple, then who?
And I don't quite know what they could do: everyone knows UDIDs aren't the greatest idea in the world now, which is why they've already been deprecated and will be replaced by application specific tokens in the future.
All we have is a claim, and a disclaim - both being equally likely to be false.
What is left to do is find out the original source. Was it Apple (can 12 million devices really be all devices from date X?), a carrier (is 12 million Apple customers reasonable), or is it from an app?
“The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.”
It doesn't actually deny that the laptop was compromised, or that the FBI asked for and received the data - it just says "at this time there is no evidence" of that.
The Twitter statement "Statement soon on reports that one of our laptops with personal info was hacked. We never had info in question. Bottom Line: TOTALLY FALSE" is a lot clearer.
I wonder why they had to move from "TOTALLY FALSE" to "at this time we have no evidence."
There's also a lot of wiggle room there for them to say that the laptop was not an FBI laptop (perhaps it belonged to the NCFTA), or that the NCFTA requested/received the information from Apple, not the FBI.
The FBI may not be lying, but they're awfully good at telling the truth very carefully.
The kind folks at thenextweb have set up a CGI script running queries against the csv file and are encouraging people to submit their device IDs to "see if they're on the list".
Isn't this the same as when in the aftermath of massive password leaks, people set up websites where you can "check and see if your password was leaked"? What am I missing here?
Isn't the whole point not to share the device ID or password with anyone? Why should someone send their device ID to thenextweb? What will they do with it?
Q: "Here's my password/device ID. Can you tell me if it's leaked?"
A: "It is now."
I've been fetching results from the OpenFeint API for a bunch of the UDIDs. I'm not sure, but it may be significant that so many of the UDIDs get a result from the API. Shouldn't OpenFeint only know about the UDID if the user has played some game in their network? And wouldn't we expect that to be a distinct minority of the total population of all iPad/iPhone owners?
It's well known that the FBI's IT infrastructure is an unparalleled disaster and its agents are tragically unskilled when it comes to technology, even the ones tasked with technology related investigations.
Therefore, there's no reason to believe the FBI even knows if they had that data, if they had stored that data on a particular laptop, or if their laptop had been compromised.
In their shoes that's exactly what I would say. I would give as little information for as long as I could.
What else are we expecting them to say? That the data belongs to people being investigated for X or Y? The phone of the special agent? The bar where he was drinking when the laptop got compromised? "Oops, we messed up"?
But don't worry, more than 200 million iOS devices are out there. 12 million is only 6% of the key-space so, you're probably not in the original dump that's in the hands of "anonymous".