The story is that AntiSec, a hacking group related to Anonymous, obtained 12 million records of Apple users, supposedly from the laptop of an FBI agent. Those who use Apple products will be aware of the type of information provided to Apple on purchase of their products. This is fairly basic stuff, but it’s also a healthy slice of personal ID.
AntiSec released user ID numbers, 40 character identifying numbers. These numbers are not of themselves a way of accessing information related to users. It looks more like they were used as proof of having obtained the information.
The New York Times
While the leaked identification numbers appeared to be real, security experts said the release posed little risk. They said that without more information on the devices’ owners — like e-mail addresses or date of birth — it would be hard for someone to use the numbers to do harm.
Not so much of a surprise. The “controlled release” of the Apple user information was apparently vetted by hacker group AntiSec to make a point, not damage user security. They had a lot more info than just user IDs to play with.
A little more information than was contained in The New York Times article comes from CBS News
Antisec claims that it breached the laptop of FBI special agent Christopher K. Stangl. The group says a spreadsheet on Stangl's computer contained a list over 12 million Apple devices and included UDIDs, user names, name of device, type of device, Apple push notification service tokens, zip codes, mobile phone numbers and addresses.
That is a hell of a lot of sensitive personal information. You could swipe 12 million identities with that material.
NYT apparently also had a few bones to pick with Anonymous, which recently targeted the newspaper.
In February, Anonymous hackers intercepted a call between the bureau and Scotland Yard. But the frequency of such attacks tapered off after several members of Anonymous and a spinoff group, LulzSec, were arrested in March.
Maybe not so unbiased. Global Post.com explains
Anonymous is targeting the New York Times for the “failure of the press” to give adequate coverage to Trapwire, what some say is a global system of surveillance run by the US government.
I counted over 1500 news articles on Google News
on the subject of Anonymous’ activities worldwide. If that’s tapering off, what’s not tapering off?
Why did the FBI have that information?
Meanwhile back on the subject which everyone seems to be trying very hard to blur as much as possible:
AntiSec did obtain those Apple user IDs.
1. If they were accessed from the FBI as claimed, how did they know where the files were?
2. If the FBI had those files, what the hell were they doing on a laptop?
3. That information, if used for law enforcement purposes, may require a warrant.
4. If not being used for law enforcement, why was it being acquired?
5. Who’s responsible for security of information held by the agency?
6. Is the FBI saying it really needs to have information on 12 million Apple users?
7. If so, why?
Denial, denial and more denial
Those questions have ramifications. The FBI denies it had the information at all. It wouldn’t look too good if it admitted it did. The denial didn’t wash with Anonymous.
Despite the FBI's denial, Anonymous was not deterred.
"You know you're doing something right if @FBIPressOffice throws caps at you on twitter to deny an #Anonymous statement," the @AnonymousIRC Twitter feed wrote yesterday evening.
"Also, before you deny too much: Remember we're sitting on 3TB additional data. We have not even started. #funtimes #fff," the group posted a few minutes later.
Some more spin, this time absolutely absurd, followed on ITProPortal's article.
However, security experts were sceptical.
"I personally think it is a PR scam by Anonymous," F-Secure security advisor Sean Sullivan said.
PR scam? Someone gets 12 million user information files with authentic ID numbers and it’s a PR scam for Anonymous? What are they trying to do, sell more cookies by forcing Apple users to buy them or they’ll release their info? Start a chat show and they need the publicity?
This is the other usual component of security excuse-making. The security that was breached, either the FBI’s, Apple’s or more likely both, is obviously is a major contract for somebody. Trivialize the security breach, and downplay the significance of the failure of security, however colossal. Someone will be dumb enough to believe the excuse.
This ridiculous crap is also pretty similar to the Wikileaks pattern of denial. The military dropped the ball on security of major information streams. The information was allegedly accessed by Bradley Manning, and was released by Wikileaks. Not one other person responsible for security has even been mentioned as having any sort of accountability for that colossal failure. The motives of the leaks were the first thing targeted by the spin factories.
The idea of a protest rarely gets through. All of this brings us back to Trapwire. If surveillance is the game, the information obtained by Trapwire obviously can’t be secure. Personal information can be obtained by security systems which are themselves insecure. Legitimate surveillance of actual criminals and terrorists could be compromised and made accessible to the people under surveillance. That information could also be “edited”.
What a joke. That would mean that the surveillance systems could be working for the people they’re supposed to be working against. The possibility of terrorists being aware of surveillance might not be so hilarious, though.
Where the game ends and reality begins
Reality is likely to become a bit tactless at some point regarding this cosy “do nothing and blame others” routine.
The fact that these “secure” systems can be hacked so easily shouldn’t much encouragement for the seat-warmers in these agencies. Fortunately for the US government, effective hackers who can obviously achieve much higher levels of penetration than even nationally-backed foreign hackers aren’t actually carrying out any destructive actions.
They could. The number of soft targets is multiplying in direct ratio to the security craze. The irony is that all the new security software and security systems are creating more holes. The “new” (you’re kidding!) keylogger software used by ultra-paranoid employers is a great template for anyone to make their own snooping kit. So are most of the other components of those software packages. Surveillance camera systems can be hacked. Data systems containing secret information are apparently very easy to access.
Anyone who thinks “surveillance” and “security” are the answers to anything is out of their minds.
The problem is that nobody’s even pretending to be trying to understand the basics. AntiSec made a valid point. The point was ignored and spun into a sort of cultural good guys/bad guys fluff response. Not one single issue related to the actual theft of information was even addressed. Even The New York Times stuck to “reporting” more than defining the issues.
When the messengers routinely won’t deliver the message, the law routinely won’t admit mistakes applying to itself and the experts make stupid statements, you have a problem. Combine that with a culture of denial of disasters.
These are the people who are supposed to be trusted to carry out massive surveillance?
They can’t even keep an eye on who’s stealing their own information.
They refuse to take responsibility for their own mistakes.
If a security guard makes a mistake, he’s usually fired. If a national agency, a global company and their security fail miserably and in theory put the personal information of millions of people at risk, it’s called “a PR scam.”
Just for the record, FBI, Apple, etc., what would happen if some naughty people got their hands on that information?
You’d be legally responsible.
Think about it, and get someone to explain to you what 12 million people filing a class action or several thousand class actions can do.
Now do you get the picture, and what’s wrong with this situation?
Doesn’t matter how thick your skins or your heads, this sort of thing can get you. You’re not doing your jobs even in theory, and nobody’s going to save your skins if anything hits the fan.