Re: [Fed-Talk] Whoa Nelly
Re: [Fed-Talk] Whoa Nelly
- Subject: Re: [Fed-Talk] Whoa Nelly
- From: "Pike, Michael (IHS/HQ)" <email@hidden>
- Date: Wed, 05 Sep 2012 15:29:31 +0000
- Thread-topic: [Fed-Talk] Whoa Nelly
The information as it is released now does not have a threat... if this group decides to release more (and they very well may) it is a different story.
"Logic would dictate that it came from an app developer, not from Apple"
I would say logic says the absolute opposite. And even if it did come from a developer, why is Apple allowing a developer to capture this information? Isn't the app store approval process supposed to protect us from this? Isn't this the whole reason for the app store? To make sure malware doesn't show up? Personal information isn't stolen?
I believe it was a year and half ago (give or take a few months) that Apple was caught with a "bug" storing GPS history and tracking information, even if location services were specifically disabled.... that fact alone shows that even if unintentional Apple might have inadvertently provided the information, even if by unauthorized intrusion.
Whether it came from the FBI or not is not the big issue, the big issue is where it came from, how, and why.
We will never know if it came from the FBI... government conspiracy theories last forever... remember Roswell, NM - 1947? That is still going on... this will be going on for 15 years..
But - the data is there, it was collected, it was obtained. I would think the FBI would open a case to find out how the information was obtained and from where. That would be my move anyhow.
Mike
On Sep 5, 2012, at 9:13 AM, Dave Schroeder wrote:
> This has nothing to do with a "blog". It has to do with common sense.
>
> Please outline the SPECIFIC, provable risks you believe originate from this information. (Please note that emails (i.e., contents) and passwords are not a part of the data.)
>
> And really? You're saying that by a guessed device name you might be able to track down the email address (assuming that information would be released at some point) of an ex-lover -- and that this would be the easiest way to do it?
>
> Give me a break.
>
> And yes, you're right: the information came from somewhere, but logic would dictate that it came from an app developer, not from "Apple", nor does it stand to reason that "the FBI" is using it to "monitor" iOS users -- was it a breach of a third party developer? Apple? Was this file a part of an active investigation? The general public will likely never know definitively.
>
> The conspiracy theorists will believe what they want to believe.
>
> - Dave
>
> On Sep 5, 2012, at 10:06 AM, Pike, Michael (IHS/HQ) wrote:
>
>> Well since it came from a blog and it says all is clear, I'm safe!!!
>>
>> The bottom line is, while the information that was released is fairly benign, the information that they claim to have and did not release has significant risks.
>>
>> Here is one such example... lets say I had a girlfriend, and boy did I love her... she left me, and I have no idea where she is but I want to get even...
>>
>> Well, I don't know her UDID, but I know she had a phone, and I know that her phone was probably named "Pink Penelope".. I could search that file, and if hers is one of the records with an address it's time for revenge.
>>
>> Of course the above is a hypothetical, but should the hacker group decide to release everything they claim they have (and there is no reason to NOT believe that they have it) it could be used in thousands of different ways...
>>
>> Oh, but wait... the blog says it's safe...
>>
>> The information came from somewhere... that we know.. where did it come from... we may never know... all we know is where they said they got it. And I doubt anyone is going to say "whoa... wait a minute, you know what? They got it from me...." - unless of course they are forced to say it so to speak.
>> mike
>>
>>
>> On Sep 5, 2012, at 5:25 AM, Dave Schroeder wrote:
>>
>>> http://bits.blogs.nytimes.com/2012/09/04/hackers-claim-to-have-12-million-apple-device-records/
>>>
>>> While the leaked identification numbers appeared to be real, security experts said the release posed little risk. They said that without more information on the devices’ owners — like e-mail addresses or date of birth — it would be hard for someone to use the numbers to do harm.
>>>
>>> And the actual source of the file was not clear. The F.B.I. said in a statement that “at this time there is no evidence indicating that an F.B.I. laptop was compromised or that the F.B.I. either sought or obtained this data.”
>>>
>>> The F.B.I. has been a frequent target of so-called hacktivists, hackers who attack for political causes rather than for profit. In February, Anonymous hackers intercepted a call between the bureau and Scotland Yard. But the frequency of such attacks tapered off after several members of Anonymous and a spinoff group, LulzSec, were arrested in March.
>>>
>>> Apple’s unique device identifiers — known as U.D.I.D.’s — are 40-character strings of letters and numbers assigned to Apple devices. Last year, Aldo Cortesi, a New Zealand security researcher, demonstrated how in some cases U.D.I.D.’s could be used in combination with other data to connect devices to their owners’ online user names, e-mail addresses, locations and even Facebook profiles.
>>>
>>> “A U.D.I.D. is just a jumble of digits,” said Jim Fenton, the chief security officer of OneID. “It is only powerful when it is aggregated with other information.”
>>>
>>> [...] security experts said the file could have come from a number of places.
>>>
>>> “There are a million ways this could have happened,” said Marcus Carey, a researcher at Rapid7. “Apple could have been breached. AT&T could have been breached. A video game maker could have been breached. The F.B.I. could have obtained the file while doing forensics on another data breach.”
>>>
>>> ---
>>>
>>> http://www.latimes.com/business/la-fi-iphone-hackers-20120905,0,6453566.story
>>>
>>> [...] the FBI disputed the allegation Tuesday, saying that "at this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data."
>>>
>>> If the FBI's denials prove correct, the agency may have been the victim of a clever hoax by the group known as AntiSec that spurred thousands of headlines around the Web and left readers wondering how and why the FBI could have gotten access to Apple customer records.
>>>
>>> [...]
>>>
>>> Most security experts said that the release of UDIDs into the wild in and of itself did not pose much of a privacy or security risk. It was no more harmful than a list of car VIN numbers, they said.
>>>
>>> - Dave
>>> _______________________________________________
>>> Do not post admin requests to the list. They will be ignored.
>>> Fed-talk mailing list (email@hidden)
>>> Help/Unsubscribe/Update your Subscription:
>>>
>>> This email sent to email@hidden
>>
>
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden