Yesterday, our very own Graham Cluley wrote about anonymous claims by Anonymous that 12 million users’ worth of Apple-related PII (personally identifiable information) had been hacked.
According to the self-declared hackers, a Java exploit – so last month! – was used to penetrate an FBI agent’s laptop. The data was lying around in a CSV file on his PC desktop, from where the crooks stole it.
Conspiracy theorists quickly took over.
The fact that the FBI got hacked immediately faded into the background – who hasn’t been hacked lately? – and the story became why the Feds had the data in the first place. As commentators on Techdirt opined:
* What were the the feds doing with the personal information of 12 million iPhone users in the first place? Certainly they can't all be involved in cyber-crime. Looks to me like they were gathering data on huge numbers of innocent people without probable cause.
* Just knowing that one FBI laptop had all this personal info sitting there raises serious alarms.
Ten out of ten for a PR bait-and-switch by Anonymous!
Of course, if you genuinely insist on probable cause, if you consider yourself scientific in your approach to life, if you require evidence to a stronger standard than “I read it on the internet”, and if you keep “know” to imply that you have genuine knowledge about something, then you might equally well conclude that it is presumptuous to believe that the Feds ever had the data, whether they got hacked or not.
(That was quite a sentence! In modern Twitterglish, “FBI pwned? Had UDID data? Sez who?”)
The FBI quickly took to the Twittersphere to MAKE THAT VERY POINT:
Statement soon on reports that one of our laptops with personal info was hacked. We never had info in question. Bottom Line: TOTALLY FALSE.
This was soon followed by a LESS DRAMATIC statement, delivered soberly on fbi.gov, with a degree of brevity that PR agencies everywhere would do well to emulate. Here is the press release in full:
The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.
But then the FBI would deny it. As a commentator on Techdirt put it:
But then the FBI would deny it.
Or, as a commentator on Naked Security pointed out wittily, if admittedly in respect of something else entirely, namely Mac malware – another topic that attracts a conspiracy-theoretical crowd:
I was completely on the opposite side of the field. I was nowhere near the cottage.
...not that it was a cottage -- it was a river. But, then, I wouldn't know, of course, because I wasn't there. But, apparently, some fool cut his head off... or at least killed him in some way... perhaps... took an ear off or something.
Yes, yes, in fact, I think he was only wounded! er, or was that somebody else? Yes, I think it was. Why, he wasn't even wounded! [*]
So few facts! So many opinions!
Whatever you feel, or think, or want to think, please use this as an opportunity to embrace some scientific method in your attitude to computer security.
Don’t say you “know” something unless you have knowledge about it:
knowledge [noun]: facts, information, and skills acquired through experience or education.
But then I would say something like that.
[*] With apologies to Messrs Curtis and Atkinson. From The Black Adder – Episode 1 – “The Foretelling”.