iTunes hack warning!

My iTunes account was hacked on Friday, I didn’t find out until Sunday night though because that was when I tried to log in to my account after it had happened.

Watch out for these signs (Apple support didn’t even consider that I had been hacked when I contacted them):
The hackers changed my account ID and my e-mail address to something similar to what they had been before but different. This allowed them to charge two $50 iTunes gift certificates to my card without me being notified (because they had changed the e-mail address on the account).

When I tried to log into my account on iTunes, I got weird errors about my account id or password being incorrect. When I tried to recover my password on Apple.com, I got an error saying that my account ID was not in the system. When I tried to get my account ID, they couldn’t find it (since the hackers changed my e-mail address). Of course, I could not log into the support site to try to report the issue since it requires my Apple ID. Luckily I found the iTunes store form that let me contact support via the web without logging in and they were able to tell me that I had changed my account ID and e-mail address. I was able to log into the new ID that the hackers made with my old password, which was really lucky since Apple support was clueless about what had happened.

Why didn’t Apple notify my previous e-mail address when the change was made? That is a basic security process that many other sites use. There is a pretty clear pattern of fraud here as well, account information is changed and then large purchases are immediately made. Shouldn’t Apple be looking for this kind of thing?
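The two controls the paragraph asks for, written out as an added example (not Apple's code, nothing from the original post): notify the address that was on file before a change, keeping recently replaced addresses in the loop for a grace period, and hold purchases above a threshold that follow an e-mail or ID change within a short window. Account names, addresses and timestamps below are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

@dataclass
class Event:
    ts: datetime
    account: str
    kind: str            # "email_change", "id_change" or "purchase"
    old: str = ""        # previous value (change events)
    new: str = ""        # new value (change events)
    amount: float = 0.0  # purchase amount in dollars (purchase events)

CHANGE_KINDS = ("email_change", "id_change")

# Constructed sample modelled on the post: e-mail and ID are changed to near
# look-alikes, then two $50 gift certificates follow within minutes.
T0 = datetime(2009, 6, 26, 10, 0)
SAMPLE_EVENTS = [
    Event(T0 - timedelta(days=3), "acct-1", "purchase", amount=0.99),
    Event(T0, "acct-1", "email_change", old="jsmith@example.com", new="jsmlth@example.com"),
    Event(T0 + timedelta(minutes=1), "acct-1", "id_change", old="jsmith", new="jsmlth"),
    Event(T0 + timedelta(minutes=15), "acct-1", "purchase", amount=50.0),
    Event(T0 + timedelta(minutes=20), "acct-1", "purchase", amount=50.0),
    Event(T0 + timedelta(hours=2), "acct-2", "purchase", amount=0.99),
]
INITIAL_EMAIL = {"acct-1": "jsmith@example.com", "acct-2": "pat@example.com"}

def notices_to_previous_email(events, initial_email, grace=timedelta(days=7)):
    """For every e-mail/ID change, address a notice to the e-mail on file BEFORE the
    change, and keep any address replaced within `grace` on the recipient list so a
    follow-up change cannot silently cut the real owner out."""
    current = dict(initial_email)
    superseded: Dict[str, List[Tuple[datetime, str]]] = {}
    notices = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind not in CHANGE_KINDS:
            continue
        recipients = {current[ev.account]}
        recipients |= {old for when, old in superseded.get(ev.account, [])
                       if ev.ts - when <= grace}
        notices.append((sorted(recipients), f"{ev.account}: {ev.kind} {ev.old!r} -> {ev.new!r}"))
        if ev.kind == "email_change":
            superseded.setdefault(ev.account, []).append((ev.ts, current[ev.account]))
            current[ev.account] = ev.new
    return notices

def flag_purchases_after_change(events, window=timedelta(hours=24), min_amount=25.0):
    """Return (purchase, delay-since-last-change) for purchases of at least
    `min_amount` made within `window` after a change on the same account.
    Purchases before any change, or on untouched accounts, are not flagged."""
    changes: Dict[str, List[datetime]] = {}
    flagged = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind in CHANGE_KINDS:
            changes.setdefault(ev.account, []).append(ev.ts)
        elif ev.kind == "purchase" and ev.amount >= min_amount:
            recent = [c for c in changes.get(ev.account, [])
                      if timedelta(0) <= ev.ts - c <= window]
            if recent:
                flagged.append((ev, ev.ts - max(recent)))
    return flagged

if __name__ == "__main__":
    for to, msg in notices_to_previous_email(SAMPLE_EVENTS, INITIAL_EMAIL):
        print(f"notify {', '.join(to)}: {msg}")
    for ev, delay in flag_purchases_after_change(SAMPLE_EVENTS):
        print(f"HOLD {ev.account} ${ev.amount:.2f} at {ev.ts:%H:%M}, {delay} after last change")
```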

I have contacted support to find out if they have a process for dealing with fraud, but I can’t help but feel that Apple’s security is somewhat to blame here. I’ll let you know what Apple suggests I do.

I also posted the above on the Apple support site here. Please spread the word so that others aren’t ripped off.

On a side note, I can’t help but wonder how my account got hacked. I’m pretty wary of phishing scams, and that kind of thing. I’m always extremely careful with this kind of stuff. The only thing that occurs to me is that the same day my iTunes account got hacked, I created an account on artaculous.com. I used the same e-mail address (of course) and in this case I was lazy and used the same password as my iTunes account. I generally try to avoid using the same password twice, but it does get hard to remember them all without reusing them sometimes. I have since gone and changed every password on every site that I have accounts on, just in case. I’m not saying that artaculous.com is some phishing scam, but the coincidence is rather odd…

I’ll update this post as I get more info from Apple. Please add a comment if you have heard about this scam or have more information or suggestions.

[Update: 6/29/09, 11:26pm]
Of course, I changed all my passwords on every site I could find an account on today. My e-mail is full of account update notices from a zillion large and tiny companies… Except Apple. I changed my Apple ID (Twice!), my password (Twice!), my security question, my mailing address. Exactly zero messages from Apple letting me know in case it wasn’t me. This really is pretty weak security on Apple’s part.

[Update: 6/30/09 9:09am]
One of the iTunes gift certificates had been sent to a gmail address. I tried to find a way on the gmail site to let them know that an account was being used or involved in a crime, but couldn’t find a way to do it. Seems weird because I don’t think you need the certificates mailed to you to use them, just the code. The second certificate had not been mailed or had the e-mail addy cleared. Can’t Apple track the IP address of whoever uses the gift certificates to track back to the people who hacked my account? Will they bother? Still waiting to hear back from Apple on letting them know that my account was hacked. Would call their number or try to see a genius, but I’m in jury duty right now.

[Update: 6/30/09 2:04pm]
Apple has responded (excerpt):
I understand you are concerned about purchases that were made with your iTunes Store account without your permission or knowledge.

I know it can be discouraging when fraudulent charges are made on any type of account, whether it’s your bank or iTunes.

I urge you to contact your financial institution as soon as possible to inquire about canceling the card or account and removing the unauthorized transactions. You should also ask them to launch an investigation into the security of your account. Your bank or credit card company’s fraud department should then contact the iTunes Store to resolve this issue. The iTunes Store cannot reverse the charges.

Basically, they are pushing this back onto me to deal with through my credit card company. Not overjoyed with this, but fair enough, most people thought that was what they would do. I am a bit concerned that they believe that my credit card could also have been compromised because of this. I thought that my credit card info wasn’t exposed. If credit card info is exposed through iTunes and their security is so lax, I’m going to be wary of giving them any info in the future. I’m also concerned that they aren’t saying that they will do anything to pursue the person who did this. I would like to feel that Apple actually cares about this instead of just blowing it off.

[Update 6/30/09 10:36pm]
Found these links with more info about iTunes account hacks:

[Update 7/2/2009 9:43am]
Apple (correctly) disabled my iTunes account when I reported that it was hacked. They didn’t actually tell me this though, so I didn’t find out until I tried to use it to update my iPhone apps. What did they need to re-enable it? My billing address. Where was my billing address info stored? In my iTunes account. Since that was pretty unlikely to change after a hack, it seems a pretty weak way to verify my identity. I pointed that out in my return mail, but so far iTunes support has ignored all my questions and comments in my messages to them. I guess that is policy, but also a bit lame. I also may have figured out why the hackers didn’t change my iTunes password. I did find a message from Apple in my spam folder notifying me that my password had changed (from when I changed it after getting my account back).

There was enough info in my account that I’ve had to cancel my credit card, and I’m going to need to be extra vigilant for identity theft moving forward. Since then, I’ve changed my payment method to none in the iTunes store. I may have to enter credit card info each time, but that now seems like a minor inconvenience. I have also changed all my other info to be completely bogus so that if someone does hack it again, they won’t have any useful info on me. Why does Apple need my birthday (not birth date for age verification, but birthday)? I’m going to do the same with my other accounts and would suggest it to anyone else concerned about this kind of stuff.

[Update 7/6/2010]
A year later, tons of reports of other accounts being hacked, including several on this blog. Thanks for adding your voices. Meanwhile, Apple has changed NOTHING on their iTunes security processes. They continue to push the blame and responsibility on their customers and the credit card companies. Now, there are reports that iTunes store and account hacking is not only more widespread than has been thought, but also very well organized. When will Apple take some responsibility?

Seriously, set your payment method to None now if you want to avoid having to deal with this pain. It sucks to have to enter in the data every time you make an iTunes purchase, but it sucks a lot less than having to get a new credit card because someone hacked your iTunes account. Trust me on this one.

[Update 12/26/2010]
I was buying some apps on iTunes today. I still keep my payment info set to none and my address set to my non-billing address as a rule and change them when I want to actually buy anything. It is still a massive PITA, but probably helps me avoid dumb impulse purchases 🙂

I noticed something different today, when I changed my payment and address info, I immediately got a message from Apple about the change, and then another one when I changed it back. This is new, and this is good. A trivial change from Apple, and certainly long overdue, but a very positive step.

[Update 3/22/2013]
Apple has now enabled two-factor authentication on Apple accounts. If you are worried about your account being hacked, it would be a good idea to take advantage of this. Here are instructions from lifehacker on how to turn it on.

Server-based DRM solutions are hostile to consumers

I have a long history with DRM (Digital Rights Management): I worked on the Windows Media 7 Encoder team; I worked at two different internet video startups; and as the owner of record label, I experimented with some of the very first paid digital download solutions (all long lost to internet history at this point).

When I first learned about the DRM mechanism where the player would “phone home” periodically to make sure that you were still licensed to the content, I immediately realized that this was a really fragile way to license media. I’m not talking about subscription content (like Rhapsody), streaming media (like Hulu/YouTube/Flash Media Server) or rentals (like Amazon/iTunes rental), I’m talking about content that is purchased by the consumer. The issue is that there are 1000 ways that the user can lose access to their content without any ill intent on their part. This isn’t an issue if the licenser of their content is still in business and supporting the licensing mechanism. However, even large companies sunset their DRM technology support, screwing over their customers (see Google Video and Microsoft Plays For Sure for example). Depending on how onerous the original licensing scheme is and how it was implemented, buying a new computer, changing the hardware configuration, upgrading system software, the company dropping support for the DRM, the licensing company’s servers going down or just the user being without the internet can cause a user to lose access to the content that they paid for and legally own.

Maybe the user got some warning and could back up their content to some other format (if allowed by the licensing scheme, it often isn’t); but maybe they didn’t see or understand the warning. Then it is too late. Is it the consumer’s fault? No, it is never the consumer’s fault. They purchased digital content with the expectation of owning it forever, just like when they purchased their media as hard goods.

Onerous DRM has been put in place by media companies desperate to avoid piracy, but as it has been written about in so many other places, DRM makes more pirates than it avoids. It makes it more difficult for the people who want to get their content legally by adding roadblocks between them and their purchases and it doesn’t stop the pirates who avoid the whole thing. I wonder how many Plays For Sure customers went to an illegal site to re-download the content that they had already purchased when they lost access to it. I wonder if any of them felt like they were breaking the law at that point. I doubt it. They had paid for something and had been denied access to it. Maybe they were mad at Microsoft, but they were probably more mad at the record labels, because that was the product they purchased. Microsoft was just the store.

I was thinking about this again today when I went to purchase a song off of iTunes and found that Apple had lost my Apple ID. This was the Apple ID that I had spent years buying content from iTunes with. Sure, Apple has moved to make their music DRM free, but I haven’t completely updated my catalog yet, and there is a lot of video that I have paid money for as well that is still subject to Apple’s DRM. While their mechanism still allows me to play my content on my authorized computers (as far as I can tell so far), it will not permit me to authorize a new computer. If Apple isn’t able to fix this problem, what happens to the content I purchased over time? If I can’t access it anymore through no fault of my own, am I in the wrong legally to download it off a file-sharing site?

DRM models have continued to evolve over the years, but I think that the audio model has shown the way for purchased content. It is high time for media owners to allow the people that pay for a full copy of their content to own that content outright, with nothing that could prevent the consumer from having access to the content that they paid for, including transcoding as media formats change over time. Otherwise, they will alienate their consumers as they find they cannot have what they paid for.

note: I avoided mentioning the new licensing models that have sprung up, where when you “buy” a copy of a song or movie the license agreement says that you don’t really own it. This is becoming more common as a way to avoid legal issues when users circumvent DRM to make fair-use copies, or so that they cannot sue if they cannot access their content. I avoided mentioning it because:
A) it muddies the discussion.
B) I think it is evil.

The coming Seattle-area traffic disaster?

Is there something that the Washington State Department of Transportation isn’t telling us?

Simultaneously, there are several large-scale transportation projects in planning or preparation stages: replacement of the 99 viaduct with a tunnel, replacement of the 520 bridge, and construction of the East Link of the light rail project. These projects individually would have significant impacts on traffic during their construction, however there will be many years of overlap between them which will cause a serious traffic nightmare. If you read the WSDOT pages, you don’t see any mention of any of these projects in relation to each other.

The legislature just approved tolling for the 520 bridge, this is a necessary and correct step. It will have the effect of diverting some traffic to 522 and I-90. At some point in the near future, construction will begin on the new 520 bridge further diverting traffic to the alternate routes.

The east link of the new light rail will run in the express lanes of I-90 removing two lanes of traffic in the peak directions. Currently, on many days, I-90 is stop and go even with these extra lanes. Diverting the current express lane traffic into the existing lanes (even with the additional proposed HOV lane in each direction) will already significantly slow down traffic on this corridor. Add to this the extra traffic diverted from 520 and I-90 will be a parking lot for several hours a day for many years.

I-90 feeds a significant amount of traffic to 99. When the viaduct is being replaced over several years, some amount of its traffic will be diverted to I-5. I-5 will also be getting additional traffic from cars diverting around 520 on 522. I-5 is already pretty bad, this will definitely make it ridiculous.

There are no definitive dates yet for a lot of these projects, but we’ll start seeing some of the first effects in the next few months. There doesn’t seem to be any real coordination going on around these projects or any acknowledgment on their cumulative effects to traffic in the short term from the state. If the duration of these projects were months or even a year, this would be somewhat reasonable. However, WSDOT estimates are for these projects to happen over the next 5-10 years. That isn’t reasonable for this to proceed without serious mitigation plans (even if they were to add significantly to the cost or the time lines).

Right now, it just seems like everything is up in the air so WSDOT isn’t addressing the potential issue. That makes it seem more like they just hope that no one notices…

An idle thought on date naming in the new millennium

Let us pretend that you have a yearly festival, Awesome Fest. You’ve been doing it forever. Awesome Fest ’87 was insane, this year’s Awesome Fest ’09 will be crazy.

What do you call next year’s Awesome Fest? Awesome Fest ’10 sounds weird to me. Don’t you need to start using the whole year for a while (e.g. Awesome Fest 2010)?

Maybe we’ll come up with something new?

Just a random thought…

Bennett’s Pure Food Bistro

Bennett’s has an interesting concept (from their website):

At Bennett’s we are committed to serving pure, all natural, additive free food. You won’t find artificial preservatives, colors or sweeteners. No flavor enhancers, hydrogenated oils or processed foods. What you will find, are the freshest most authentic ingredients we can offer.

Most of our ingredients are deeply rooted in the Cascadia region – an area extending from northern California to southern Alaska, and the coast to the continental divide, taking in Washington, most of Oregon and Idaho and part of Montana.

For the modern foodie, this is very attractive: Slow Food, sourced locally, organically grown. An interesting concept around the quality of the ingredients doesn’t make for an interesting restaurant, however, unless they can back it up with the quality of their cooking. Bennett’s, for the most part, delivers. Our party of four was unanimous on our appetizers and desserts, all quite good. The entrees themselves were somewhat less consistent. I had a razor clam linguine (razor clams being fresh and available that day). The linguine included some cooked greens that were flavorful, but overwhelmed the rest of the plate; the clams themselves contributed little to the dish. Also, it was served lukewarm. The rest of my party was happy with their entrees, although the small portion sizes were commented on.

The one serious issue with Bennett’s is that it has a bit of an identity crisis. The environment feels like a nice family restaurant. It has a bar area that runs into the restaurant. On a Saturday night, there were as many families there as there were couples. The ceilings are high and the lights are bright. The room isn’t large, but in tone it feels more like the Five Spot than Rover’s, including the volume of the conversations in the room. This is not a bad thing in itself. As we were there with our infant daughter, it actually felt comfortable, like we didn’t need to worry about disturbing other patrons. The service isn’t formal, although it isn’t completely informal either. The food itself is more formal in presentation, portion-size and pricing. Our 3 course dinner for four including wine came to around $50 per person. So, you have formal food and prices and informal ambiance; hence, identity-crisis. I’m not the first to point this out, this is a consistent issue in their other reviews.

Based on the pricing and the quality of my entree, normally I would suggest avoiding Bennett’s; but I like their concept, and my other courses and the rest of my party’s meals convince me that I shouldn’t judge them too hastily. Another comparison worth making would be Tilth, their ideological peer in Wallingford. I can’t make that comparison yet, but I hope to soon.

The question is “Is Bennett’s worth the trip?” I’d say, if you like Slow Food without the pretension and you have that kind of money to spend on a good meal (that isn’t a special event), yes. We will be returning. If our food is at least as good next time as it was this time, Bennett’s will certainly be added to our collection of eateries worth visiting.


Update – April 18, 2009
We returned to Bennett’s for a brunch last weekend (and a second opinion). Again, I thought the food was a bit uneven: the french toast was amazing; the salmon benedict, less so, but not horrible. The breakfast prices were much more reasonable though, $8-$12 for an entree. The second opinion is about the same as the first. With the more reasonable prices, we will definitely return for brunch and will hope to find other dishes as awesome as the French Toast. We will probably return for another dinner as well, but I don’t know yet if this will become a regular occurrence. We’re still figuring this place out.

Joel Spolsky’s love letter to program management

Joel Spolsky wrote a love letter to program management on his blog. For the most part, it is a pretty reasoned and reasonable description of what a “good” program manager at Microsoft (and Fog Creek) is like. In my career at Microsoft, about 25% of the program managers fit that bill. The problem was that they had too many conflicting roles and required skillsets to be effective. At Microsoft, Program Managers are not only responsible for being user advocates, they are also responsible for functional specifications, user interfaces and schedules. A single person can’t be a user representative, a UI designer/interaction specialist, and a project manager. Combining them into a single role worked for Microsoft initially, but in the modern world each of these roles is a full discipline of its own.

Joel claims that PMs are partners with development and that developers have the upper hand over PMs because they write the code. This might have been true of Microsoft in Joel’s (and my) time, but since Ballmer took over MS has switched from being an engineering-driven company to a program management-driven one, and it isn’t true any more. PMs took the upper hand because they had far too much control over the final look and feel of the product and could essentially name themselves the final arbiters. Development and QE were isolated from the customers. PMs dictated the features; meaningless meetings and committees abounded and the products suffered (every MS product in the last 8 years for example).

How to be a program manager – Joel on Software

Writing a functional specification is at the very heart of agile development, because it lets you iterate rapidly over many possible designs before you write code. Compared to code, a written spec is trivial to change. The very act of writing a specification forces you to think through the design you thought you had in your head, and helps you see the flaws in it quickly so that you can iterate and try more designs. Teams that use functional specifications have better designed products, because they had the opportunity to explore more possible solutions quickly. They also write code faster, because they have a clearer picture when they start of what’s going to be needed.

This claim is just wrong, or rather, doing this at large scale is just wrong. I worked under that system at Microsoft for years and I never saw it be very successful in practice. Maybe for a small part of a product, or a small iteration in a larger cycle, it might work; but at the product level it is nearly always a bust. Why? Because you will not anticipate everything in your functional specs. Ever. A competing product will be released with better features. Flange A will not fit Bracket B. User testing will hand you your hat. Beta testers will tell you that it wasn’t really what they needed. And then you are back to the drawing board. Except you are two-thirds of the way through the cycle because you spent a huge amount of time iterating over the spec and then building to that spec. Now everything is screwed up, but QE needs to start testing to the spec RIGHT NOW. So what do you do? You hack. The spec goes out the window and development codes for dear life while program management throws out ideas and changes like pieces of spaghetti against the wall. At the end of the cycle you have a tarball mess of code with incongruous, hacked features that came crashing onto the deck of the carrier and just caught the last wire. Waterfall development is resistant to change; agile development embraces it. Change happens faster in our industry every year, so why lock your developers into software methodologies from the 70s?

Is there a role for Program Management? Absolutely. Not for the Microsoft-style Program Manager, but certainly for the jobs that the Microsoft Program Manager has. UI design and look and feel are best managed by professional user interaction specialists working with a project manager and development. The project manager can also be the primary representative of the client, but not the sole conduit. One of the primary jobs of QE is to be a user representative. Isolating development from the users just means that they don’t understand why they are doing what they do. Isolating QE from the users means that they can’t represent a user of the product in their testing. The Program Manager can also work with development and QE to manage the schedule.

My experience with great program managers post-Microsoft is that they are folks who coordinate across all the functional groups to make sure that development has what it needs, QE understands the user, experience design is delivering on time and all the clients are feeling well represented. In this view, the program manager acts as a linchpin connecting development, QE and XD to their customers. Do they set the schedule? No. Do they write the specs? Maybe (in a non-agile team, working with the other groups). Is that less fun for the program manager? Maybe, but it produces much better products in my experience.