This morning’s news carries a story about how an FBI agent’s laptop was hacked using a malicious JavaScript exploit, and how a file containing the personal data of millions of iOS device users was stolen from it. Interestingly, perhaps even predictably, and irrationally, several websites have sprung up offering to compare the leaked list against your own UUID (which you are expected to enter into a web form) and tell you whether your information was part of the leaked set. I agree that it would be useful to know if your privacy is compromised, but publishing your private data to a website purporting to check for you is NOT the way to do this.
In fact, you are giving the private data away again, so please don’t do it.
We should instead be asking:
2) why was the FBI collecting this sort of data in the first place?
3) why was this sensitive data allowed to be on a laptop and not in a server that is harder to get to and can be audited?
If we feel we must check, it is better to download a leaked copy of the data yourself and then compare it in the privacy of your own computer – of course, that means you will have a copy of many other people’s private data too – and does that make you a criminal as well? I am not a lawyer – but the risks seem pretty high just to find out if your own data is in the leaked set.
The news I am talking about:
AntiSec hackers leak 1,000,001 Apple device IDs allegedly obtained from FBI breach
Update: Well, the FBI is denying the allegations that their laptop was involved and that the data came from them; I guess one always needs to verify the sources of the information. The basic advice not to submit your data to a web form still applies, though.
Update 2: Wow! Turns out it was not initially the FBI at all, but an app developer that was the source of the leaked UUIDs – and this inquisitive person figured it out: Tracking Down the UDID Breach Source