Anonymous didn’t steal from the FBI after all – new conspiracy theories needed!

A techie named David Schuetz at security consultancy Intrepidus Group has done something so obvious, so simple, and so tellingly useful, that I’m going to go all out and call it a stroke of genius.

Here’s the story.

A week ago, a person called Anonymous published one-million-and-one stolen Apple device IDs. (There’s always room for numerological whimsy in hacking circles.)

This Anonymous person then blamed the FBI – crimes are always someone else’s fault if you’re a hacker – by claiming that the data was stolen from an FBI agent’s Windows desktop.

Conspiracy theories abounded. Even here on Naked Security we fell into the trap of believing Anonymous, noting, without the whiff of an if, that “why the FBI was collecting the UDIDs and personal information of millions of iPhone and iPad users is not yet clear.”

The FBI answered back to say that this was all poppycock. Not the crime, of course. The one thing which was certain was that data had been stolen and published unlawfully.

The Feds simply denied having had that data, having asked for it in the first place, and having been hacked at all.

Conspiracy theories then spiralled out of control. What could be more of an admission than a denial?

David Schuetz was made of sterner and more scientific stuff. In a fit of applied rationality, he turned his trusty Unix tools on the Apple Unique Device Identifier (UDID) dump, and quickly noticed that there weren’t 1,000,001 unique IDs in it. That was just Anonymous marketing claptrap. There were only 985,117 distinct values, giving about 15,000 repeats.

Schuetz – and learn from this! – quickly realised that the non-unique UDIDs weren’t just a contradiction, but the key to the whole thing. With help from a fellow Twitterer, who offered the explanation “seems like maybe a game or ad company,” Schuetz guessed that the repeated UDIDs might belong to developers, and went looking.

Many of the most-repeated UDIDs turned out to link back to the text string Bluetoad. And Bluetoad is a digital media company that creates iPhone and iPad apps. And after seeing Schuetz’s evidence, Bluetoad fessed up.
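The duplicate analysis that cracked this, as an added Python example standing in for the sort/uniq pipeline described above (it is not Schuetz’s script): count total versus distinct IDs, list the most-repeated ones with the device names attached to them, and tally the words in those names so a recurring string surfaces. The dump below is constructed, and its comma-separated layout is an assumption, not the real file’s format.

```python
from collections import Counter

# Constructed sample of a leaked device-ID dump (not the real data).
# Assumed layout: one record per line, "UDID,TOKEN,DEVICE_NAME,DEVICE_TYPE".
SAMPLE_DUMP = """\
aaaa0001,tok01,Alice's iPhone,iPhone
aaaa0002,tok02,Bob's iPad,iPad
aaaa0001,tok03,Bluetoad Test iPhone,iPhone
aaaa0003,tok04,Carol's iPod,iPod touch
aaaa0001,tok05,Bluetoad QA,iPhone
aaaa0004,tok06,Dave's iPad,iPad
aaaa0002,tok07,Bob's iPad,iPad
aaaa0005,tok08,Bluetoad Dev 2,iPhone
aaaa0005,tok09,Bluetoad Dev 2,iPhone
"""

def parse_dump(text):
    """Return (udid, device_name) pairs, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        fields = line.strip().split(",")
        if len(fields) < 3 or not fields[0]:
            continue  # ignore junk rows rather than miscounting them
        records.append((fields[0].lower(), fields[2]))
    return records

def count_ids(records):
    """Return (total rows, distinct UDIDs, number of repeats)."""
    udids = [u for u, _ in records]
    total, unique = len(udids), len(set(udids))
    return total, unique, total - unique

def most_repeated(records, top=3):
    """Return [(udid, count, names)], most repeated first, repeats only."""
    counts = Counter(u for u, _ in records)
    names = {}
    for u, n in records:
        names.setdefault(u, set()).add(n)
    return [(u, c, names[u]) for u, c in counts.most_common(top) if c > 1]

def repeated_name_words(records):
    """Word frequency over device names whose UDID occurs more than once."""
    counts = Counter(u for u, _ in records)
    words = Counter()
    for u, n in records:
        if counts[u] > 1:
            words.update(n.split())
    return words
```

Run `repeated_name_words(parse_dump(SAMPLE_DUMP)).most_common(1)` to see the string that the repeated IDs share, which is the step that pointed at the app developer.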

Bluetoad was hacked – just over a week ago, as it happened. A database of Apple device IDs was stolen. This list was, almost without doubt, the source of the data leaked by Anonymous.

Conspiracy theory won’t go away, of course. Perhaps the FBI stole the data from whomever stole it from Bluetoad? Perhaps the FBI paid for a cover-up which could be blamed on Bluetoad? Perhaps this is extreme guerrilla marketing by Bluetoad?

The ironies in all of this?

Bluetoad’s speciality is software to convert one online format to another – notably from PDF to Flash, a concept perhaps best described as “out of the frying pan, into the fire”, and doubly ironic since PDFs are supported on iDevices, whilst Flash is not.

And Apple no longer accepts apps which collect UDIDs, following a privacy backlash.

So, if you were feeling uncharitable, you could blame this on a not-actually-necessary application that gathered no-longer-acceptable-to-collect data and sent it back to a not-secure-enough company that stored it in a needlessly-remotely-accessible database.

I hope you can make a good conspiracy theory out of that spectacularly hyphenated combination of circumstances.

Because if you can’t, we’re stuck with a depressingly familiar explanation where computer security is concerned: SNAFU.

Worse than that, you’re going to have to admit the ghastly possibility that Anonymous might not have been entirely truthful about its criminality.