Column - Apple 2.0

Hackers claim FBI is monitoring Apple mobile users

Philip Elmer-DeWitt, September 6, 2012

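There is an old joke inside Apple that Steve Jobs is surrounded by a "reality distortion field": get too close to him and you will believe whatever he says. Quite a few of Apple's millions of users have become "believers" in the company, and many Apple investors have made a fortune. Still, Elmer-DeWitt believes that a little skepticism does no harm when covering Apple. He is probably right: he has been covering Apple and watching Steve Jobs run the company since 1982.
The AntiSec hacking group has issued a statement claiming that an FBI agent's laptop was breached and that 12 million Apple iOS device IDs stored on it were stolen, 1 million of which have reportedly been leaked. The denial the FBI subsequently issued was rather weak.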

    Translator of the Chinese edition: 清远

    Toward the end of a bizarre rant that begins with a quote from Salman Rushdie's The Satanic Verses and ends with an off-color suggestion -- in German -- for the Republican candidate for President ("Romney aber, sag's ihm, er kann mich im Arsche lecken!") the anonymous AntiSec hacking group gets to the point:

    During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the Atomic Reference Array vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of "NCFTA_iOS_devices_intel.csv" turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zip codes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.

    The statement says the data were released Tuesday -- with some identifying information removed -- to alert the public that, in its words, "[unprintable] FBI IS USING YOUR DEVICE INFO FOR A TRACKING PEOPLE PROJECT OR SOME [unprintable]" Note that the hackers don't say they have obtained Apple IDs, passwords or credit card numbers.

    Still, if the claims are to be believed, users whose addresses, cell phone numbers and iOS device IDs made their way from Apple's (AAPL) servers to an FBI agent's notebook computer deserve an explanation.

    No comment so far from either Apple or the FBI.

    The hackers, for their part, say that no further statements or press interviews will be forthcoming until Gawker's beat reporter for two rough-and-tumble social media sites, 4chan and Reddit, is pictured on Gawker's front page dressed in a tutu with a shoe on his head. "No tutu, no sources."

    No comment so far from Gawker.

    You can read the AntiSec post in full here. Warning: It contains language unsuitable for polite company.

    Via: The Next Web, which has posted a look-up tool here to determine if your UDID is one of the 1,000,001 that were released.

    UPDATE: Gawker's Reddit/4chan reporter, Adrian Chen, has complied, posting a photo of himself in tutu with a shoe on his head. Meanwhile, the FBI has issued a statement through AllThingsD:

    The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.

    Hmm. "At this time... no evidence...." Perhaps. But back in the Watergate era, that's what we used to call a nondenial denial.
