iTunes hack warning!

My iTunes account was hacked on Friday, I didn’t find out until Sunday night though because that was when I tried to log in to my account after it had happened.

Watch out for these signs (Apple support didn’t even consider that I had been hacked when I contacted them):
The hackers changed my account ID and my e-mail address to something similar to what they had been before but different. This allowed them to charge two $50 iTunes gift certificates to my card without me being notified (because they had changed the e-mail address on the account).

When I tried to log into my account on iTunes, I got weird errors about my account id or password being incorrect. When I tried to recover my password on Apple.com, I got an error saying that my account ID was not in the system. When I tried to get my account ID, they couldn’t find it (since the hackers changed my e-mail address). Of course, I could not log into the support site to try to report the issue since it requires my Apple ID. Luckily I found the iTunes store form that let me contact support via the web without logging in and they were able to tell me that I had changed my account ID and e-mail address. I was able to log into the new ID that the hackers made with my old password, which was really lucky since Apple support was clueless about what had happened.

Why didn’t Apple notify my previous e-mail address when the change was made? That is a basic security process that many other sites use. There is a pretty clear pattern of fraud here as well, account information is changed and then large purchases are immediately made. Shouldn’t Apple be looking for this kind of thing?
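To make the fraud pattern described above concrete, here is an added example in Python (not code from the post, and not Apple's): it replays a constructed event stream modelled on the sequence the post describes, mails every contact-detail change to the address that was on file before the change, and flags purchases that follow such a change within a short window. The field names, the 48-hour window and the $25 threshold are assumptions chosen for illustration.

```python
"""Detect "contact details changed, then purchases" on a single account and
notify the previous e-mail address of every change.  All events below are
constructed sample data, not real account records."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str            # "change" or "purchase"
    field: str = ""      # for "change": which account field changed
    old: str = ""
    new: str = ""
    amount: float = 0.0  # for "purchase": charge amount in USD


@dataclass(frozen=True)
class Alert:
    ts: datetime
    amount: float
    reason: str


# Fields whose change should always be announced to the address on file
# before the change (assumed set; the post mentions ID, e-mail, password).
CONTACT_FIELDS = {"email", "account_id", "password", "security_question",
                  "billing_address"}


def review_account(events: List[Event], current_email: str,
                   window: timedelta = timedelta(hours=48),
                   threshold: float = 25.0) -> Tuple[List[Alert], List[Tuple[str, str]]]:
    """Replay events in time order.

    Returns (alerts, notices).  `notices` is a list of (recipient, message):
    each contact change is sent to the *previous* e-mail address, and to the
    new address too when the e-mail itself changes.  `alerts` lists purchases
    of at least `threshold` made within `window` of the latest contact change.
    """
    alerts: List[Alert] = []
    notices: List[Tuple[str, str]] = []
    email = current_email
    last_change: Optional[datetime] = None
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "change" and ev.field in CONTACT_FIELDS:
            msg = f"{ev.ts:%Y-%m-%d %H:%M}: your {ev.field} was changed; contact support if this was not you"
            notices.append((email, msg))          # old address always hears about it
            if ev.field == "email":
                notices.append((ev.new, msg))     # new address too
                email = ev.new
            last_change = ev.ts
        elif ev.kind == "purchase" and last_change is not None:
            hours = (ev.ts - last_change).total_seconds() / 3600
            if ev.ts - last_change <= window and ev.amount >= threshold:
                alerts.append(Alert(ev.ts, ev.amount,
                                    f"${ev.amount:.2f} purchase {hours:.1f}h after a contact-detail change"))
    return alerts, notices


# Constructed sample: ID and e-mail changed to look-alikes, then two $50 gifts.
T0 = datetime(2009, 6, 26, 9, 0)
SAMPLE_EVENTS = [
    Event(T0 - timedelta(days=20), "purchase", amount=0.99),        # routine, no prior change
    Event(T0, "change", field="account_id", old="owner", new="0wner"),
    Event(T0 + timedelta(minutes=2), "change", field="email",
          old="owner@example.com", new="0wner@example.com"),
    Event(T0 + timedelta(minutes=5), "purchase", amount=50.0),
    Event(T0 + timedelta(minutes=6), "purchase", amount=50.0),
    Event(T0 + timedelta(days=10), "purchase", amount=9.99),        # outside the window
]


def run_sample() -> Tuple[List[Alert], List[Tuple[str, str]]]:
    return review_account(SAMPLE_EVENTS, "owner@example.com")


if __name__ == "__main__":
    found_alerts, sent_notices = run_sample()
    for a in found_alerts:
        print("ALERT ", a.reason)
    for recipient, message in sent_notices:
        print("NOTIFY", recipient, "<-", message)
```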

I have contacted support to find out if they have a process for dealing with fraud, but I can’t help but feel that Apple’s security is somewhat to blame here. I’ll let you know what Apple suggests I do.

I also posted the above on the Apple support site here. Please spread the word so that others aren’t ripped off.

On a side note, I can’t help but wonder how my account got hacked. I’m pretty wary of phishing scams, and that kind of thing. I’m always extremely careful with this kind of stuff. The only thing that occurs to me is that the same day my iTunes account got hacked, I created an account on artaculous.com. I used the same e-mail address (of course) and in this case I was lazy and used the same password as my iTunes account. I generally try to avoid using the same password twice, but it does get hard to remember them all without reusing them sometimes. I have since gone and changed every password on every site that I have accounts on, just in case. I’m not saying that artaculous.com is some phishing scam, but the coincidence is rather odd…

I’ll update this post as I get more info from Apple. Please add a comment if you have heard about this scam or have more information or suggestions.

[Update: 6/29/09, 11:26pm]
Of course, I changed all my passwords on every site I could find an account on today. My e-mail is full of account update notices from a zillion large and tiny companies… Except Apple. I changed my Apple ID (Twice!), my password (Twice!), my security question, my mailing address. Exactly zero messages from Apple letting me know in case it wasn’t me. This really is pretty weak security on Apple’s part.

[Update: 6/30/09 9:09am]
One of the iTunes gift certificates had been sent to a gmail address. I tried to find a way on the gmail site to let them know that an account was being used or involved in a crime, but couldn’t find a way to do it. Seems weird because I don’t think you need the certificates mailed to you to use them, just the code. The second certificate had not been mailed or had the e-mail addy cleared. Can’t Apple track the IP address of whomever uses the gift certificates to track back to the people who hacked my account? Will they bother? Still waiting to hear back from Apple on letting them know that my account was hacked. Would call their number or try to see a genius, but I’m in jury duty right now.

[Update: 6/30/09 2:04pm]
Apple has responded (excerpt):
I understand you are concerned about purchases that were made with your iTunes Store account without your permission or knowledge.

I know it can be discouraging when fraudulent charges are made on any type of account whether it’s your bank or iTunes.

I urge you to contact your financial institution as soon as possible to inquire about canceling the card or account and removing the unauthorized transactions. You should also ask them to launch an investigation into the security of your account. Your bank or credit card company’s fraud department should then contact the iTunes Store to resolve this issue. The iTunes Store cannot reverse the charges.

Basically, they are pushing this back onto me to deal with my credit card company on. Not overjoyed with this, but fair enough, most people thought that was what they would do. I am a bit concerned that they believe that my credit card could also have been compromised because of this. I thought that my credit card info wasn’t exposed. If credit card info is exposed through iTunes and their security is so lax, I’m going to be wary of giving them any info in the future. I’m also concerned that they aren’t saying that they will do anything to pursue the person who did this. I would like to feel that Apple actually cares about this instead of just blowing it off.

[Update 6/30/09 10:36pm]
Found these links with more info about iTunes account hacks:

[Update 7/2/2009 9:43am]
Apple (correctly) disabled my iTunes account when I reported that it was hacked. They didn’t actually tell me this though, so I didn’t find out until I tried to use it to update my iPhone apps. What did they need to re-enable it? My billing address. Where was my billing address info stored? In my iTunes account. Since that was pretty unlikely to change after a hack, it seems a pretty weak way to verify my identity. I pointed that out in my return mail, but so far iTunes support has ignored all my questions and comments in my messages to them. I guess that is policy, but also a bit lame. I also may have figured out why the hackers didn’t change my iTunes password. I did find a message from Apple in my spam folder notifying me that my password had changed (from when I changed it after getting my account back).

There was enough info in my account that I’ve had to cancel my credit card, and I’m going to need to be extra vigilant for identity theft moving forward. Since then, I’ve changed my payment method to none in the iTunes store. I may have to enter credit card info each time, but that now seems like a minor inconvenience. I have also changed all my other info to be completely bogus so that if someone does hack it again, they won’t have any useful info on me. Why does Apple need my birthday (not birth date for age verification, but birthday)? I’m going to do the same with my other accounts and would suggest it to anyone else concerned about this kind of stuff.

[Update 7/6/2010]
A year later, tons of reports of other accounts being hacked, including several on this blog. Thanks for adding your voices. Meanwhile, Apple has changed NOTHING on their iTunes security processes. They continue to push the blame and responsibility on their customers and the credit card companies. Now, there are reports that iTunes store and account hacking is not only more widespread than has been thought, but also very well organized. When will Apple take some responsibility?

Seriously, set your payment method to None now if you want to avoid having to deal with this pain. It sucks to have to enter in the data every time you make an iTunes purchase, but it sucks a lot less than having to get a new credit card because someone hacked your iTunes account. Trust me on this one.

[Update 12/26/2010]
I was buying some apps on iTunes today. I still keep my payment info set to none and my address set to my non-billing address as a rule and change them when I want to actually buy anything. It is still a massive PITA, but probably helps me avoid dumb impulse purchases 🙂

I noticed something different today, when I changed my payment and address info, I immediately got a message from Apple about the change, and then another one when I changed it back. This is new, and this is good. A trivial change from Apple, and certainly long overdue, but a very positive step.

[Update 3/22/2013]
Apple has now enabled two-factor authentication on Apple accounts. If you are worried about your account being hacked, it would be a good idea to take advantage of this. Here are instructions from lifehacker on how to turn it on.

Server-based DRM solutions are hostile to consumers

I have a long history with DRM (Digital Rights Management): I worked on the Windows Media 7 Encoder team; I worked at two different internet video startups; and as the owner of a record label, I experimented with some of the very first paid digital download solutions (all long lost to internet history at this point).

When I first learned about the DRM mechanism where the player would “phone home” periodically to make sure that you were still licensed to the content, I immediately realized that this was a really fragile way to license media. I’m not talking about subscription content (like Rhapsody), streaming media (like Hulu/YouTube/Flash Media Server) or rentals (like Amazon/iTunes rental), I’m talking about content that is purchased by the consumer. The issue is that there are 1000 ways that the user can lose access to their content without any ill intent on their part. This isn’t an issue if the licenser of their content is still in business and supporting the licensing mechanism. However, even large companies sunset their DRM technology support, screwing over their customers (see Google Video and Microsoft Plays For Sure for example). Depending on how onerous the original licensing scheme is and how it was implemented, buying a new computer, changing the hardware configuration, upgrading system software, the company dropping support for the DRM, the licensing company’s servers going down or just the user being without the internet can cause a user to lose access to the content that they paid for and legally own.

Maybe the user got some warning and could back up their content to some other format (if allowed by the licensing scheme, it often isn’t); but maybe they didn’t see or understand the warning. Then it is too late. Is it the consumer’s fault? No, it is never the consumer’s fault. They purchased digital content with the expectation of owning it forever, just like when they purchased their media as hard goods.

Onerous DRM has been put in place by media companies desperate to avoid piracy, but as it has been written about in so many other places, DRM makes more pirates than it avoids. It makes it more difficult for the people who want to get their content legally by adding roadblocks between them and their purchases and it doesn’t stop the pirates who avoid the whole thing. I wonder how many Plays For Sure customers went to an illegal site to re-download the content that they had already purchased when they lost access to it. I wonder if any of them felt like they were breaking the law at that point. I doubt it. They had paid for something and had been denied access to it. Maybe they were mad at Microsoft, but they were probably more mad at the record labels, because that was the product they purchased. Microsoft was just the store.

I was thinking about this again today when I went to purchase a song off of iTunes and found that Apple had lost my Apple ID. This was the Apple ID that I had spent years buying content from iTunes with. Sure, Apple has moved to make their music DRM free, but I haven’t completely updated my catalog yet, and there is a lot of video that I have paid money for as well that is still subject to Apple’s DRM. While their mechanism still allows me to play my content on my authorized computers (as far as I can tell so far), it will not permit me to authorize a new computer. If Apple isn’t able to fix this problem, what happens to the content I purchased over time? If I can’t access it anymore through no fault of my own, am I in the wrong legally to download it off a file-sharing site?

DRM models have continued to evolve over the years, but I think that the audio model has shown the way for purchased content. It is high time for media owners to allow the people that pay for a full copy of their content to own that content outright, with nothing that could prevent the consumer from having access to the content that they paid for, including transcoding as media formats change over time. Otherwise, they will alienate their consumers as they find they cannot have what they paid for.

note: I avoided mentioning the new licensing models that have sprung up, where when you “buy” a copy of a song or movie the license agreement says that you don’t really own it, which is becoming more common as a way to avoid legal issues when users circumvent DRM to make fair-use copies or so that they cannot sue if they cannot access their content. I avoided mentioning it because:
A) it muddies the discussion.
B) I think it is evil.

Creative Destruction in the Newspaper Industry

I saw two things today that somehow connected in my mind. The first was an advert for scholarships for computer programmers to Northwestern’s journalism school (link):
Are you a skilled programmer or Web developer? Are you interested in applying your talents to the challenge of creating a better-informed society? Do you want to learn how to find, analyze and present socially relevant information that engages media audiences? Do you see possibilities for applying technology as a way to connect people and information on the Web or new delivery platforms?

The second item was the announcement that one of Seattle’s two major daily newspapers is up for sale and that it will probably cease as a printed paper no matter what happens:
For sale: The P-I

There are a few things to think about here. A simple one is that the printed newspaper as a product is obviously headed for oblivion. The web is far superior at news delivery, especially extended coverage of breaking news (television isn’t good at the “extended” part). Even the bad part of electronically delivered news (reading off a computer screen) has solutions on the near term horizon (e-book readers). You could say that the journalism school is ahead of the game here, looking to turn programmers into journalists who “get” the future of journalism.

I wonder why anyone would be looking to journalism as a second career at this point though. I can understand that the current upheaval in the computer industry would make a career change attractive, but what we got going in IT ain’t nothin’ compared to the outright carnage happening in journalism.

There is an open question about what is the future of journalism: is it trained journalists researching stories or is it bloggers and “citizen journalists” doing it on their own? I’ve never been one to think that interested amateurs can completely replace experienced professional writers, and I still feel that way. The big stories require real journalists, sniffing out the stories over long periods of time and really getting to the bottom of the issues. However, 95% of professional journalism isn’t that. It’s coverage of city council meetings and the daily reportage that some people care a lot about, some people care a little about and the rest of the people care very little about. Those kinds of things are perfect for the interested and excited amateurs, and that is where the blogging community has been eating away at the journalism community. Without young reporters getting their start on that daily grind kind of stuff, however, I’m not sure how folks become the in-depth-extended-research kinds of reporters.

I honestly don’t think that the future of journalism is going to come from the programmers (even those with masters degrees in journalism). I think it is going to come from the thousands of laid-off reporters being released into the world. I hope that many will start to explore the possibilities and I expect at least one will end up changing what journalism is as we know it.

I guess it is still too early… Lively bites the dust

There is a bit of schadenfreude here on my part. Lively was reviving concepts from the mid to late 90s and passing them off as something new (including one I worked on). All of the efforts of that time died a slow death, and the thought was that we (they) were ahead of the curve. Lively’s lack of uptake slams the door on graphical chat once and for all, I guess.

Official Google Blog: Lively no more

That’s why, despite all the virtual high fives and creative rooms everyone has enjoyed in the last four and a half months, we’ve decided to shut Lively down at the end of the year. It has been a tough decision, but we want to ensure that we prioritize our resources and focus more on our core search, ads and apps business. Lively.com will be discontinued at the end of December, and everyone who has worked on the project will then move on to other teams.

We’d encourage all Lively users to capture your hard work by taking videos and screenshots of your rooms.

freebie iPhone app idea for the real estate websites

yes, this one is for you redfin, windermere, et al. Normally, I’d sit on an idea like this, but let’s be real. I’m not going to write this one. So, as a customer, I’m asking you guys to do it for me.

I want an iPhone app version of your websites.

Obvious:

  • Get me details on the houses presented for the iPhone screen size
  • Show me houses for sale near my current location

Less Obvious:

  • Let me pick a bunch of houses to view on the website: give me a tour, in-order, with turn-by-turn directions
  • Show me how far and the way to get to the nearest: school, park, etc.

Go for it, I’ll use it, and if you want to toss me a commission or make me VP of product development, I’m cool with that.

where does StumbleAudio get their music from?

I saw a post today on TechCrunch about StumbleAudio, a Pandora-like service for finding music. I gave it a try, I entered “Godspeed You Black Emperor” into the search field. The first track it decided to play was “Uniform Random Variables” from the Intonarumori “Material” album. MY ALBUM. This was especially funny because my major complaint with the TechCrunch article was the assertion that Pandora tended to play music that you already knew and StumbleAudio did not. Not only did I know the first song, I WROTE IT.

While I like that StumbleAudio is recommending my music, I’m a bit concerned. You see, I didn’t license it to StumbleAudio. As far as I can tell, neither did CDBaby (my digital distributor). So where are they getting their music from? In their “AboutUs” they claim to pay the artists whose music is played. If they aren’t pulling tracks from other services and they aren’t pulling them from CDBaby, that isn’t going to be true in my case.

Interestingly enough, if I put “Intonarumori” into their search box, I get no matches found.

Also interesting is that there is very little info on their site and their WHOIS is private, so no way to contact them.

We’ll see what develops with this company, but they better get way more transparent very fast…

Is this a good or bad thing?

I was washing my hands just now and something struck me.

How does a submarine achieve negative buoyancy by flooding tanks with water when it is still filled with oxygen?

If this had struck me 20 years ago, I would have probably tried to reason it out. Given how little I know about submarines, I may have come up with an elaborate, creative, and definitely incorrect solution. This would have tided me over until I went down to the basement to look it up in the Encyclopedia Britannica or went to the library to get a book on submarines. My answer may have even satisfied me completely.

Today, I go to google, and I type “submarine buoyancy”, the first article is “How Submarines Work” on howstuffworks.com, and I’m done. My intellectual curiosity is satisfied. Maybe I’ll read more about submarines, maybe I won’t. I definitely won’t spend too much time trying to figure it out myself when the answer is so close to hand.

Am I richer or poorer for the instant access to all knowledge? I don’t know, at least in this case.

What I want from data portability

I want to rate my books, music and DVDs once on netflix, Amazon, Facebook visual bookshelf, iTunes and I want the data shared across all of them.

However, I want complete control over how each of them uses every bit of that data and I want to approve who gets to see it, even among my friends. I don’t want to have to give any service my login for any other service in order to share that data.

I want to eliminate all my current log ins for each service so that I can use the OpenID service I created for myself.

However, I don’t necessarily want anyone to be able to track me around the net using that single sign-on.

I only want to map my social graph once, and I want it to be available for any service that I use.

However, I want to control who in my social graph has access to what information on each website that I use.

Until the privacy aspects of the different data portability proposals are really well thought out, I can’t support any of them. I haven’t seen a single proposal yet that adequately balances utility with privacy. I honestly don’t know if there would be a proposal that would offer users decent privacy since that would come at the expense of companies’ ability to market to them.

I think that I’m finally figuring out this social web stuff for myself

I’m a Generation X geek. This means that all this web 2.0 and social networking stuff doesn’t scare me (I was on BBSes before the internet y’all), but it also means that I’m not into giving away all my creative output for free or sharing personal details with strangers. It also means that I’m experienced enough to know that stuff I put out online can come back to haunt me (there are net news posts from 1988 that I can still find in searches that make me cringe). So, I give a thought to what I put out into the inter-ether.

With all that in mind, it is a bit tough to figure out what is appropriate to post on all the various social networks that I am continually dragged into and websites that I have (like this one). After some serious thought, I think I’m figuring out a taxonomy that works for me: I post nearly no personal details in public forums. That may not make sense given that you are reading my opinions right now on my blog. However, my opinions are free to the world, the details of my personal life are my own business. You want to write a blog about the intimate details of your personal life, that is great. I just like to choose who I talk about that stuff with. Reading this blog, you can figure out a lot of what I care about and you can see who I am as a person, but you don’t really know me (unless you know me). That means that if I share those details of my life with you, it is a statement about our relationship.

Sites like Facebook are a bit different. There, I have an explicit trust circle that can only see details once we are connected. I really like this. I only add people as friends on Facebook if I really know them off-line. This means I can share more, although I still have to be careful because of the mixture of business and personal contacts in that environment.

The way I use twitter actually surprises me a bit. I put way more personal stuff into twitter than I do in other social networks. This is weird given how public my tweets are. However, with Twitter, the messages are so short that they are pretty meaningless without the context of a personal relationship. So a tweet may be meaningless to someone that doesn’t know me, but provides fascinating details to a friend.

These are just some of my thoughts that have been evolving around this. I’d be interested in hearing what other people’s takes on this are. Especially from my generation or older.