During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.
Translation: the FBI is keeping trackable Apple device IDs, and enough other data to link each device to very personal information about its owners (beyond what app developers and ad networks typically have access to). And apparently, these are left lying around in a plain-text CSV file on someone’s laptop desktop. Troubling all round. Did these details come from Apple, from an app author, or somewhere else? In some ways, it doesn’t matter: the fact that it’s possible at all says a lot about the priorities of the tech industry. Creating products that serve users should mean creating products that have their interests in mind – and that make wide-scale tracking impossible. Even if you trust the FBI to be a force to good, this means other groups have this ability as well.
AntiSec just released a million rows of data, with the most personal details removed; more details, including their full statement, over here.