Apple Plays Cat And Mouse With In-App Purchase Hacker

from the what-if-I-change-this-setting dept

Piracy has been considered the bane of game developers for as long as games have existed. Over the years, many methods of fighting piracy or turning those who play for free into paying customers have come and gone. Some methods focused on deterring pirates while others instead focused on maximizing profits. One of these profit-maximizing endeavors, which recently gained traction with game developers, is the use of micro-transactions -- or as they are often called in the mobile world, "in-app purchases." This method of revenue generation was quickly accepted by many game developers, as it provided a way to distribute the game for free to as many people as possible with the prospect that enough of those free users would then buy in-game items with real money.

Because of this model of doing business, mobile phone producers (mainly Apple) have developed APIs that allow game developers to easily tie their in-game stores to Apple's payment processing and authentication services. While this method is not without its issues, it has been accepted as a relatively secure method of monetizing a game. That is, until one hacker named Alexey V. Borodin figured out a relatively simple way to spoof the purchases of in-game items. Using this exploit, Alexey claims that as many as 30,000 transactions have been made since instructions went live.

In a follow-up article, The Next Web reports that Apple has begun efforts to prevent the spread of this exploit. These efforts include blocking the IP address of the server Alexey was using, requesting that the server be taken down by the Russian hosting company which owned it, sending takedown notices to YouTube over videos providing instructions, and getting PayPal involved in shutting down the account Alexey was using to generate donations (a whopping $6.78 was raised according to that report). Apple also included the following statement:
"The security of the App Store is incredibly important to us and the developer community. We take reports of fraudulent activity very seriously and we are investigating."
Even with all these attempts at taking down Alexey's service, it still remains up and running for all willing iPhone users to take advantage of; that is, if those users are willing to risk their privacy and iTunes accounts to use it, something Alexey claims is not an issue.

While this exploit is very troubling on many levels, it really highlights the folly of relying on security through obscurity. Apple had the chance to secure its APIs long before this exploit happened. It has an opportunity to do so now. In fact, Alexey states that he is more than willing to talk about the issue with Apple. Unfortunately, Apple has not contacted him. While I can understand Apple's unwillingness to work directly with someone who openly exploits its services, it would be prudent to use all available options to end this exploit.

One would hope that game developers who feel threatened by this exploit will pressure Apple to fix the security issues in its APIs as well as provide some kind of training in best practices in securing in-app purchases. Of course game developers should also be doing their part to use all available tools to protect the integrity of their games as well -- something all software developers should do from the beginning.


Reader Comments

  • Ninja (profile), Jul 20th, 2012 @ 6:04am

    Warning, somewhat not related rant ahead.

    I don't like the way things are heading now. You are being FORCED to be online even if the game can be played offline. Suppose you want to play the game or use the app 10 years from now and the company doesn't exist anymore or doesn't support the piece of software anymore? And the extras you bought online, even if you have the installation files how are you supposed to keep them for posterior use? Oh well.

    More on topic, at least Apple didn't let their users information go out in the wild and no customer was affected, only the developers. As more and more of our lives are online, this security issue will get more and more central in the discussions. What amazes me is that the companies should be clear and transparent when there's data being compromised and most of them tend to leave the customers, developers or not, in the shadows and refuse to acknowledge the problem till there's a good amount of irreversible damage. This culture has to change.

     

    • Anonymous Coward, Jul 20th, 2012 @ 6:19am

      Re:

      Arrggg!! Buy nutin', Matey! Solves awl ye sturches!

       

    • Wally (profile), Jul 20th, 2012 @ 7:02am

      Re: What happens 10 years from now?

      " Suppose you want to play the game or use the app 10 years from now and the company doesn't exist anymore or doesn't support the piece of software anymore?"

      I asked myself that about OSX. I used to play the mostly obscure games on what is today considered "Classic Mac". My games included Marathon (Bungie), Glider Pro (Casady and Greene), Warcraft (it ran perfectly on a Quadra 605). I have to emulate a lot of old Mac stuff now to get the titles I really want to play.

       

    • John Fenderson (profile), Jul 20th, 2012 @ 10:24am

      Re:

      "And the extras you bought online, even if you have the installation files how are you supposed to keep them for posterior use?"

      Hmm, I've never considered using my digital purchases as a part of ass-play before. Thanks! You've opened my eyes to a whole new world of possibilities!

       

  • Anonymous Coward, Jul 20th, 2012 @ 6:25am

    > sending take down notices to Youtube over videos providing instructions

    This one goes too far.

     

    • Sad Mac, Jul 20th, 2012 @ 6:43am

      Re:

      You have to realize that the exploit required you to give out your personal information to unknown entities. Being a Steam user, I know exactly how these scams work. I think you would appreciate that for once, the takedown notices have nothing to do with copyright issues and are in the interest of both Apple's customers and the independent developers that make apps for Macs and iOS devices.

       

      • AdamBv1 (profile), Jul 20th, 2012 @ 7:54am

        Re: Re:

        "I think you would appreciate that for once, the takedown notices have nothing to do with copyright issues and is in the interest of both Apple's customers, and the independent developers that make apps for Macs and iOS devices."

        Actually I think that's his point, these takedowns have nothing to do with copyright so what right exactly do they have to get them taken down? If they are using the DMCA to get it taken down they obviously have no valid copyright claim to do it by and are abusing the process.

        If they are just asking Youtube to get the videos taken down because they want them disappeared and Youtube is taking them down then this really reflects badly on Youtube more than it does Apple. This is a valid security issue that Apple needs to fix, not just try to hide so taking these videos down is the wrong solution.

         

      • Lawrence D'Oliveiro, Jul 20th, 2012 @ 9:32pm

        Re: I think you would appreciate that for once, the takedown notices ... [are] in the interest of ... Apple's customers

        Two wrongs don’t make a right.

        Remember, DMCA takedowns have to be submitted “under penalty of perjury”. Do you know what “perjury” means? It’s a legal term for “lying”.

         

  • Anonymous Coward, Jul 20th, 2012 @ 6:33am

    Hey Apple, the lawyers say just fix your API. Do you really think Apple hasn't considered this? It may be a case where securing the API may require all the apps that use it to make changes as well. Maybe you should stick to the lawyer-ing and leave app development up to the people that know what they are talking about.

     

    • Rick Smith (profile), Jul 20th, 2012 @ 7:51am

      Re:

      And do you really think I care if the fix for the app is to update the app to use a new API? The alternative is to not fix and leave the exploit open.

      Not something that I want as a customer. Even though at the moment it appears to only be affecting the developers, what’s to say that there isn't something in there that allows the device to be exploited?

      And as a developer myself, I would definitely want to change an app with the problem, especially if this was my main source of revenue.

       

    • Anonymous Coward, Jul 20th, 2012 @ 8:41am

      Re:

      Imagine if Windows had a security exploit and their solution was to try and censor information about the exploit because fixing the exploit may break some software suites and require them to update. As a Windows customer, I don't care about any of the technical details or the difficulty in fixing the exploit, I want it fixed.

       

      • Anonymous Coward, Jul 20th, 2012 @ 8:52am

        Re: Re:

        If my T.V. doesn't work as advertised, do I care about all the technical reasons why it's not working and the cost of fixing it? No, if I buy x and I get y where y < x then, as a customer, I want the problem fixed.

        Likewise, when we purchase operating systems, apps, etc... there is a reasonable, implied, expectation that our transactions will be secure and we should be able to expect a reasonable degree of security in the process. How Apple or the T.V. manufacturer manages to deliver what they deliver, all the technical details, is their problem, not mine. Just fix it, OK.

         

  • Wally (profile), Jul 20th, 2012 @ 6:34am

    Steam

    I recall a similar instance with Valve's Steam. A few hackers had made login sites that were fake to obtain users' passwords and hijack accounts. This being said, the exploit compromises the security of the developers and I will slap anyone using it upside the head. People need to realize that with most iTunes apps, there are almost no 3rd Party publishers in the way. Roughly 7% of a developer's profit on an App is paid to Apple to host. So in this case, if you use the exploit, you are not protesting Apple or being cool for pirating something, you are mostly hurting independent developers trying to scrape a living from it.

    I am very glad that Apple is so secure about Apple ID's, your credit card numbers, and they NEVER sell your personal information to advertisers.

     

    • Anonymous Coward With A Unique Writing Style, Jul 20th, 2012 @ 7:50am

      Re: Steam

      "I am very glad that Apple is so secure about Apple ID's, your credit card numbers, and they NEVER sell your personal information to advertisers."

      I guess you've NEVER heard about people having charges made to their Apple ID's and credit cards associated with said IDs that they weren't aware of, right?

      I only ask it in the form of a question, but I mean it as a general and factual statement. There are tons of reports of people having their Apple accounts hacked and then having trouble getting Apple to even admit there's a problem, which isn't to say Apple representatives weren't helpful in reversing the charges or crediting their accounts (just that Apple isn't acknowledging that there very much is a problem on their end). Which suffice it to say there is, but like all things just because most people don't know about it doesn't mean it isn't happening. The whole "see no evil" quote comes to mind.

      In fact, let's just play a game. Let's Google (gasp!) the words "apple account hacked" and then let's see how recent some of the things that will show up are, shall we?

      Hmm. That's curious. The first 6 entries all have dates that are within the past 2 months and it's worth noting that the first 6 entries ALL are being discussed on Apple discussion boards.

      A further search will turn up even more related events. Suffice it to say Apple's security isn't up to snuff. And that's not me taking a shot at Apple, that's me stating a fact. The simple thing would be for Apple to review their security and perhaps advise people to be more cautious with their accounts, I'd hate to see another "You're holding it wrong" fiasco. Despite that not having been said, it still went around the web quick, fast and in a hurry and did nothing to help their reputation.

       

      • Wally (profile), Jul 20th, 2012 @ 7:57am

        Re: Re: Steam

        Fuck off. You take everything I write as a personal attack towards you and to what end? I mean seriously, you tear everything apart just to critique something? You're nothing but an angry son-of-a-bitch with nothing better to do than criticise an opinion. I have a right to be happy. You're nothing more than an eloquently writing troll.

         

        • Anonymous Coward With A Unique Writing Style, Jul 20th, 2012 @ 8:26am

          Re: Re: Re: Steam

          I don't take it as a personal attack, I just find it odd how quick you are to critique other things like Android (and usually with incorrect information) and then you say things about Apple that aren't necessarily correct.

          I did however point out that Apple is not necessarily securing people's Apple IDs or credit card information as well as you might believe or as well as you might try and lead others to believe. I then stated that this is something that has been going on for years now, there are tons and tons of discussion boards filled with people who have had issues arise where someone had hacked their account, and despite this going on for years Apple has still done nothing about it for the most part.

          Also, wtf. Someone's angry, and it isn't me. Perhaps you should take the time to cool off and realize that people are going to take apart piece by piece things you say when you say things that aren't correct. Is it my fault you tend to state things that aren't correct? No. It is your fault. It is however my duty to correct your incorrect statements, as to prevent others from believing something that is false. That's what we should all do though, correct false statements. If you have a problem with being corrected then perhaps you should go out of your way to make sure you have all the information needed before you say something.

          And it might seem like a personal attack on you me doing this, but that's because you're one of the few stating things on Apple and Android articles on a regular basis and doing so with not so up to date or accurate information. (See previous point about getting all the facts and things correct before clicking "Submit".)

          And no, I am very much not a troll. If I was a troll I'd just write, "You're wrong, iSheep. Apple sucks." Then I'd disappear from the comments. I don't do that though.

          Seriously, don't like being corrected then perhaps you should stop posting or at least stop posting incorrect things. But by all means, be happy all you want. But as someone who knows plenty of people who use Apple products, I don't want them believing statements made by guys like you saying, "Apple and Apple products are SOOOOO secure and nothing bad could ever breach Apple's walled gardens." Shit like that leads to more work for guys like me. And I for one won't have it.

           

        • Gwiz (profile), Jul 20th, 2012 @ 9:06am

          Re: Re: Re: Steam

          "Fuck off. You take everything I write as a personal attack towards you and to what end? I mean seriously, you tear everything apart just to critique something?"

          Hmmm. We might have a new debate tactic here.

          "You effectively rebutted everything I said, so fuck off!"

          What do you want to call it? Any ideas?

           

        • John Fenderson (profile), Jul 20th, 2012 @ 10:38am

          Re: Re: Re: Steam

          "I have a right to be happy."

          Indeed you do! I might suggest, however, that if the comments of others on the internet detract from your ability to be happy, then perhaps the internet isn't for you. It's a rough-and-tumble place.

          Happiness is a choice. It comes from how you relate with the things you encounter in your life, not from what those things actually are. I've known people living hellish lives who were fundamentally happy, and I've known people living blessed and gilded lives who were absolutely miserable.

           

      • Sad Mac, Jul 20th, 2012 @ 8:11am

        Re: Re: Steam

        "Hmm. That's curious. The first 6 entries all have dates that are within the past 2 months and it's worth noting that the first 6 entries ALL are being discussed on Apple discussion boards."

        Links and comparison please...I could use a laugh at your efforts to discredit something you have no clue about....

         

        • Anonymous Coward With A Unique Writing Style, Jul 20th, 2012 @ 8:30am

          Re: Re: Re: Steam

          You want me to link to all the discussions on the topic? Are you too lazy to do a search yourself? I even provided the key words I used and said what the first things I found were. In fact, the entire first page of search related entries is the same thing, and the "oldest" just on that page was from April of this year.

          I'm not trying to discredit anything, I'm just pointing out Apple IDs and linked credit cards are not as secure as someone else, Wally, made them out to be. I honestly have no clue because I don't have a legit Apple ID. I made a throwaway account using a throwaway email account one time to get subscribed to a free podcast I wanted that I could at the time only get through iTunes. I DO NOT have a linked credit card to any account anywhere I use online though. If I do, it's a pre-paid card and I add money to it when I need to, the rest of the time it's inactive or only has one cent on it.

          Seriously, you guys get all butthurt whenever anyone points out that Apple has problems or has failed in some way. That's your problem not mine. As I said, do the search yourself and read. The information's there, it's not my job to spoon feed it to you.

           

        • mischab1, Jul 20th, 2012 @ 9:49am

          Re: Re: Re: Steam

          For the lazy, here are the search results based on his query. At the time that I write this, the top 7 links have the following dates: May, June, May, July, April, May, & June.

           

      • Wally, Jul 20th, 2012 @ 8:30am

        Re: Re: Steam

        "Hmm. That's curious. The first 6 entries all have dates that are within the past 2 months and it's worth noting that the first 6 entries ALL are being discussed on Apple discussion boards."

        -Anonymous Coward With A Unique Writing Style

        You hear that Ninja, two anonymous people, and Sad Mac? It appears that we the "Apple Fanboy Spies" have been caught. I guess we should definitely cover our tracks with something better than two totally unrelated dates and articles from the past two months...especially if the comments are unrelated to ANY Apple discussion boards.

        This is the result of me reading your statement word for word. I would've taken the statement as constructive criticism, but the quotation above provides enough information to prove that you're nucking futz.

         

        • Anonymous Coward With A Unique Writing Style, Jul 20th, 2012 @ 8:37am

          Re: Re: Re: Steam

          https://discussions.apple.com/message/18407944#18407944

          https://discussions.apple.com/message/18580124#18580124

          https://discussions.apple.com/message/18537761#18537761

          https://discussions.apple.com/message/18909301#18909301

          https://discussions.apple.com/message/18077328#18077328

          That's just a quick handful of links. So you're claiming that those discussions ARE NOT taking place on Apple Support Community boards, is that correct?

          Yeah, I'm fucking nuts. /s

          You're the one refusing to believe what is clearly being pointed to. I even told you how to find the info and a real quick summary of what is being discussed.

          Now, that information is unrelated as it pertains to this article. But it is NOT unrelated to my pointing out that Apple IDs and credit cards aren't being as secured as YOU said they were. I responded to a comment you made. It's up to you to prove that Apple is securing them. Seriously, don't shoot the messenger. Man, you guys seriously have anger issues when someone points out Apple might not be doing as great a job as you think they are.

          Here if it makes you feel better. Unrelated info. I'm glad Google is upping the security in Jelly Bean to prevent hackers from installing malware on people's phones. I take care of my stuff and am quite security conscious, but others aren't. If this helps them, more power to Google and the end users. Problems should be fixed and that's been done. Yay for everyone! There. Happy now?

           

          • Wally (profile), Jul 21st, 2012 @ 7:41am

            Re: Re: Re: Re: Steam

            "Legit Apple Website": You've won a free game from iTunes.

            Uninformed User: AWESOME ^_^ A FREE GAME ^_^

            "Legit Apple Website": Sign in here using your Apple ID

            Uninformed User: *signs in using Apple ID login information*

            Uninformed User (1 week later): HALP! MY ACCOUNT HAS BEEN HACKED :-(

            Other reasons include pisspoor passwords, the occasional (and extremely rare) Apple server D-base hacked, not deactivating a device before transferring to a new computer to allow your iDevice onto a new one.

            Now I am willing to bet, that the scenario depicted above is the most likely candidate for why users get their accounts hacked.

            As for those dates on the commentaries, how many correlate with the length of time Alexey's exploit video was up?

             

        • Chuck Norris' Enemy (deceased) (profile), Jul 20th, 2012 @ 9:14am

          Re: Re: Re: Steam

          Wally==Sad Mac
          Didn't I warn you about the snowflake ID yesterday...stop trying to pretend you are two people.

           

          • Wally (profile), Jul 20th, 2012 @ 9:44am

            Re: Re: Re: Re: Steam

            Warning noted.

            Anonymous Coward With A Unique Writing Style,
            Those links you provided have absolutely no similarities to comments on here. Yeah it is being discussed but that doesn't mean the comments there are copied and rewritten here.

            "Hmm. That's curious. The first 6 entries all have dates that are within the past 2 months and it's worth noting that the first 6 entries ALL are being discussed on Apple discussion boards."

            Think out of the box on that and look at what it looks like through other people's eyes before you post. I had interpreted "entries" as comments.

             

            • Anonymous Coward With A Unique Writing Style, Jul 20th, 2012 @ 9:52am

              Re: Re: Re: Re: Re: Steam

              I don't understand what you're saying. So the links I provided have no bearing on what I stated or what you stated, is that correct?

              K. Let me put this really simply. You stated Apple makes sure Apple IDs and credit cards are secure. I said basically, "Nuh uh, and there's proof." Which I then presented. You threw a shit fit. You/Sad Mac then went off your rails a bit more.

              So you interpreted "entries" to mean "comments", despite the fact that I said this (?):

              "In fact, let's just play a game. Let's Google (gasp!) the words "apple account hacked" and then let's see how recent some of the things that will show up are, shall we?

              Hmm. That's curious. The first 6 entries all have dates that are within the past 2 months and it's worth noting that the first 6 entries ALL are being discussed on Apple discussion boards."

              I don't know how you interpreted it incorrectly, but again, that's not my problem. Either way, you stated something that wasn't factually true. I then stated something to correct you, presented proof and you flipped out. Like I said, don't like it... that's fine, but don't get upset when people correct you because that's how life is. People will tell you things you don't want to hear. And stop taking things so personally. I'll correct anyone and I myself have been corrected on this. I usually even say, "Hey, if I'm off on something feel free to correct me." I then thank people who do correct me, I do not flip out like you did.

              Now that this has all been cleared up, I look forward to doing this again. But try out what I said, stop stating things as fact before you have all relevant information at hand (and your personal experience, as great and important as it can be, DOES NOT translate to making what you've experience an automatic fact for the rest of the world). That's your problem and I've pointed it out before. I'm not trying to be mean or a jerk.

               

              • John Fenderson (profile), Jul 20th, 2012 @ 12:07pm

                Re: Re: Re: Re: Re: Re: Steam

                "I don't know how you interpreted it incorrectly"

                I think that when you said "the first 6 entries," he thought you meant "the first 6 comments on this TD post." He just had a simple reading comprehension failure.

                 

                • Wally (profile), Jul 20th, 2012 @ 9:43pm

                  Re: Re: Re: Re: Re: Re: Re: Steam

                  He also failed to specify what the entries were. So I assumed that it was the TD post.

                   

                  • Anonymous Coward With A Unique Writing Style, Jul 21st, 2012 @ 5:33am

                    Re: Re: Re: Re: Re: Re: Re: Re: Steam

                    No, he did not fail to specify what the first 6 entries were. It was a reading comprehension fail on your part. In fact, that much was clearly evident by your first flip out and continued others. You even quoted me at one point and what you interpreted from a handful of sentences in no way matched up even remotely to anything I said. But... for those just tuning in, let me quote exactly what I said as it regards the "6 entries".

                    "In fact, let's just play a game. Let's Google (gasp!) the words "apple account hacked" and then let's see how recent some of the things that will show up are, shall we?

                    Hmm. That's curious. The first 6 entries all have dates that are within the past 2 months and it's worth noting that the first 6 entries ALL are being discussed on Apple discussion boards."

                    I quite clearly stated, hey let's do a Google search. I then quite clearly stated the words I was and did end up using in the search. I then said let's see what I find/found. I then stated that first 6 entries all had dates and they were all taking place on Apple discussion boards. Now, this is insanely easy to follow.

                    Why would you assume the 6 entries refer to Techdirt, when I quite clearly said they were on Apple discussion boards? It was a reading fail on your part, possibly brought on by a quick and irrational surge of anger/"stop being a meanie"-ness on your part.

                    I often go out of my way to be very specific and clear in what I'm saying to avoid having others twist my words around or read things into them that aren't there.

                     

                    • Wally (profile), Jul 21st, 2012 @ 7:21am

                      Re: Re: Re: Re: Re: Re: Re: Re: Re: Steam

                      The two words "He also" mean that we were both at fault. Your statements are becoming a lot more rant-like. Please just chill.

                       

                    • Wally (profile), Jul 21st, 2012 @ 7:54am

                      Re: Re: Re: Re: Re: Re: Re: Re: Re: Steam

                      I am offering you a bit of kindness with some constructive criticism. Please don't answer back to me with my faults, I have no way to help them.

                      "I often go out of my way to be very specific and clear in what I'm saying to avoid having others twist my words around or read things into them that aren't there."

                      1. Nobody is here to twist your words. That thought is a bit paranoid. But if they are, they are likely trolling.

                      2. Tons of written information = clutter =/= (does not equal) simple and clear. Try to be specific and short at the same time.

                      3. Someone will always read too far between the lines. It's human nature. Just quickly write what you mean and explain what you said is "as is".

                      Now would you please calm down?

                       

      • Anonymous Coward, Jul 20th, 2012 @ 2:23pm

        Re: Re: Steam

        I don't see why they'd necessarily be great at security, but can see why they might have fallen into the habit of security through obscurity.

        They'll have to learn to change that strategy. It's not a workable strategy when your platform is a dominant player by usage volume.

         


        •  
          Wally (profile), Jul 20th, 2012 @ 10:05pm

          Re: Re: Re: Steam

          Honestly, I only meant that the credit card transactions are secure in that the user usually doesn't have to worry most of the time (admittedly that does create a false sense of security). Apple fails at security, but to their credit, they really never had to worry about viruses in the pre-OSX days.

          Flashback Virus was an interesting case though. I recall Apple being in a huge flurry of denial about it. A lot of the statistics showed that of the some 300,000-odd computers affected, 90% of them had Windows partitions and got it that way from booting between the two OSes. The users with the partitions assumed that since all these years Apple hadn't gotten viruses on their systems, they wouldn't need an antivirus (oh the arrogance of iSheep). Of course Apple does completely fail at acknowledging security issues. Anyone remember hearing about a PDF exploit that could be used to make iDevices a carrier? Took Apple a full 6 months to update iOS to correct it.

          There have been many viruses and worms throughout the history of the old MacOS days (pre-OS8).

           


  •  
    ahow628 (profile), Jul 20th, 2012 @ 7:01am

    Saw this coming

    Apple doesn't negotiate with terrorists. Mostly because it doesn't like the competition.

    See also: Samsung.

     


    •  
      Wally (profile), Jul 20th, 2012 @ 7:19am

      Re: Saw this coming

      And now the trolling begins... please no more mention of this folks, as it has nothing to do with the article.


      The server he was using was Russian... most of the scams I've seen where there is a "Free Game" exploit on Steam had turned out to be Russian, and if you participated, your Steam Account got hijacked.

      Samsung vs Apple has absolutely nothing to do with it. Apple kept their user clients safe, and are now working on an API to secure the exploit.

      Oh, and by the way, what's stopping Alexey from selling your personal information to spammers? That's exactly what's happening to independent developers who work hard to deliver apps to the iTunes store.

      So now that I have you back on subject, quit trolling unless you have something relevant to the article to joke about.

       


      •  
        ahow628 (profile), Jul 20th, 2012 @ 7:38am

        Re: Re: Saw this coming

        It is relevant, Wally. The joke was that Apple won't talk directly to this hacker and instead is trying to plug holes in the least efficient way possible. This guy is taking advantage of them, just like they take advantage of their users.

        "what's stopping Alexey from selling your personal information to spammers?"
        What's stopping Apple from selling your personal information to spammers? I guess I fail to see the point here.

        And Apple doesn't sell your info to advertisers? While sort of true, they are more than happy to harvest your info and sell iAds to developers. Same difference.

        As for the Samsung comment, Apple doesn't like competing in a straight-forward manner against Samsung (hence patent suits and injunctions), just like it doesn't want to take a straight-forward approach to this dude who is taking advantage of their security flaws.

         


        •  
          Wally (profile), Jul 20th, 2012 @ 8:01am

          Re: Re: Re: Saw this coming

          "As for the Samsung comment, Apple doesn't like competing in a straight-forward manner against Samsung (hence patent suits and injunctions), just like it doesn't want to take a straight-forward approach to this dude who is taking advantage of their security flaws."

          This isn't about competition with Samsung. It's about someone hacking developer accounts to get free games.

           


          •  
            ahow628 (profile), Jul 20th, 2012 @ 8:44am

            Re: Re: Re: Re: Saw this coming

            It is about competition (or lack thereof) with Samsung. Apple wants to lawyer its way around problems. With Samsung, it wants to use the ITC and patent office to stifle competition. With this hacker, instead of confronting the hacker and working out a solution, it wants to pull YouTube videos, shut down websites, and other passive "fixes".

             


            •  
              Wally (profile), Jul 20th, 2012 @ 9:27am

              Re: Re: Re: Re: Re: Saw this coming

              You missed my point, so I will clarify. The article above mentions nothing of competition with Samsung. It's about an EXPLOIT in the API, found by a Russian hacker, that gets around a developer's payment validation for in-app purchases, which Apple doesn't use or own. The developers are making more money with in-game purchases and Apple doesn't care. Apple's main concern is that people are getting ripped off.


              The word "Samsung" is nowhere to be found in the article. The subject of Apple's anticompetitive nature isn't even mentioned or brought up.

               


              •  
                John Fenderson (profile), Jul 20th, 2012 @ 12:10pm

                Re: Re: Re: Re: Re: Re: Saw this coming

                Apple's main concern is that people are getting ripped off.


                Maybe that's true, maybe not, but I see no reason to assume that it is. Apple is no angel.

                 


              •  
                ahow628 (profile), Jul 20th, 2012 @ 3:34pm

                Re: Re: Re: Re: Re: Re: Saw this coming

                You cannot really be this dense.

                I know the above article isn't about Samsung. I was, however, pointing out that Apple is lawyering this situation, and pointing out that they love lawyering everything they do. I pointed out that Samsung is a prominent situation in which they lawyer the shit out of shit.

                Good god.

                 


                •  
                  Wally (profile), Jul 20th, 2012 @ 10:13pm

                  Re: Re: Re: Re: Re: Re: Re: Saw this coming

                  Lawyering or not, in this case they needed lawyers to issue the takedown request of the videos as required by US law.

                   


                  •  
                    ahow628 (profile), Jul 21st, 2012 @ 5:20am

                    Re: Re: Re: Re: Re: Re: Re: Re: Saw this coming

                    Wait, what US laws require that videos be taken down? There was no copyright infringement. They were videos showing how to get free apps by utilizing an exploit. No different than the millions of videos showing how to root your Android or jailbreak your iPhone, both of which are legal.

                     


                    •  
                      Wally (profile), Jul 21st, 2012 @ 8:04am

                      Re: Re: Re: Re: Re: Re: Re: Re: Re: Saw this coming

                      This wasn't a copyright case at all. Lawyers are hired to protect interests. Comparing this exploit to rooting and jailbreaking is like comparing apples to oranges. The takedown request was over someone who found the exploit and created a phishing scam out of it, harming users. That itself is a legal matter and the use of a lawyer is quite prudent. It's not as if they came in busting down the doors demanding the takedown, and Google wouldn't have complied without a legitimate reason. The end goal was simply stopping people from falling into a trap.

                       


                      •  
                        Wally (profile), Jul 21st, 2012 @ 8:11am

                        Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Saw this coming

                        "No different than the millions of videos showing how to root your Android or jailbreak your iPhone, both of which are legal."

                        But the exploit is teaching people how to do something completely illegal. Developers, who work very very hard to create this content, are losing their money. Apple's hosting fee is 7% of the profit, so they have little to lose.

                        Also, unlike jailbreaking and rooting, the exploit requires you to use a server to log into your Apple ID account. That server is in Russia. Alexey set up the server himself. That's not something very many cautious people would risk doing.

                         


        •  
          Anonymous Coward, Jul 20th, 2012 @ 2:52pm

          Re: Re: Re: Saw this coming

          No, no, no!

          Selling info to a third party is very different from using it yourself to deliver adverts for a third party. Very, very different.

          The two are crucially different.

          When you give information to a party, you know they've got your information. You might choose to give them info A, C, and Z and from this, they can't work out anything about you that you don't want them to.

          You might give some other party information C, D, K, and M, and from this it's impossible to work out anything about you that you don't want them to.

          However, if information A, C, D, K and Z are correlated, it might be possible to work out things about you that you don't want known, and this might be information that you'd never have given to any single party.

          This has huge privacy implications and it's really important that people understand that correlating information given to different parties can form a new set of information that, taken altogether, violates privacy.

          Not understanding this often creates a barrier, not only to protecting one's own privacy, but to recognizing and taking privacy concerns seriously (which is a barrier to getting broader, legal-based protections, because it's hard to get people to see that there is a privacy issue).

          People tend to think if you give information casually, there's no problem when that information is correlated, but correlating information makes it more than the sum of the fragmented parts. It's crucial that people understand this both to protect their own privacy and so that they can be the kind of informed citizens we need people to be if privacy is to be sufficiently protected legally.

          Correlation takes harmless sets of information and associates them in ways that can violate the privacy of the end user.

          It's really important to draw a line between using customers' information to provide an advert service to other parties, all while shielding the information itself from the advert buyer, and handing over the information itself to third parties.

          The two are very distinct because of the implications of correlating information into a single set.

           


          •  
            Wally (profile), Jul 20th, 2012 @ 10:34pm

            Re: Re: Re: Re: Saw this coming

            My big question is what's stopping the servers that are up in Russia being run by Alexey from gathering the information of those who followed the instructions, on the "A, C, K, Z" structure?

            The big huge red flag that I saw in this whole exploit is that the servers were in Russia, one of the largest providers of spam messages in the world. A similar situation happened on Steam where hackers had offered a free game by logging in using that website (which looked almost exactly like Valve Software's Steam Forum login page). Some of the offers were along the lines of "Get Half-Life 2 completely free" and it had provided instructions on how to exploit the payment system. They provided a link. Several people on my friends list had their accounts hijacked and just for security (and blind curiosity) I went to the website. I didn't log in, but man alive did I see a lot of errors... spelling errors... very obvious spelling errors.

             


  •  
    Vigilante, Jul 20th, 2012 @ 7:20am

    My 7 year old racked up nearly $800 (in $99 increments) with Pocket Gems one day before I knew Apple defaults in app purchases to enabled. $800 worth of tiny animal pictures. Apple did courteously reverse the charges, and I'm not saying Apple should police value, but if they don't somebody will.

     


    •  
      Wally (profile), Jul 20th, 2012 @ 10:57pm

      Re: Charges

      What's most annoying to me is that when I purchase something on iTunes, and I have a credit card used as a payment, and I get a gift card and use the credits on that, Apple STILL processes the credit card transaction by default without touching the credit stored by the gift card.

       


  •  
    Steve, Jul 20th, 2012 @ 7:31am

    How come.....

    ....... Wally and Sad Mac always have the same picture thingy?

     


    •  
      Wally (profile), Jul 20th, 2012 @ 8:02am

      Re: How come.....

      The avatars are randomized.

       


      •  
        The Groove Tiger (profile), Jul 20th, 2012 @ 8:21am

        Re: Re: How come.....

        Clearly you don't know how these avatars work.

         


        •  
          Anonymous Coward, Jul 20th, 2012 @ 9:00am

          Re: Re: Re: How come.....

          Neither does Steve apparently.

           


          •  
            The Groove Tiger (profile), Jul 20th, 2012 @ 9:45am

            Re: Re: Re: Re: How come.....

            Apparently he does. He pointed it out accurately.

            Wow, what are the chances, an Anonymous Coward just happens to have the same avatar as Wally and Sad Mac. Must be random.

             


            •  
              Atkray (profile), Jul 20th, 2012 @ 10:53am

              Re: Re: Re: Re: Re: How come.....

              Wally should take that randomness to Vegas.

               


              •  
                The Groove Tiger (profile), Jul 20th, 2012 @ 11:18am

                Re: Re: Re: Re: Re: Re: How come.....

                You mean, those three totally different people should go to Vegas together...

                 


                •  
                  Anonymous Coward With A Unique Writing Style, Jul 20th, 2012 @ 11:35am

                  Re: Re: Re: Re: Re: Re: Re: How come.....

                  You mean those three totally different people who we didn't know already were the same person should go to Vegas together...

                   


                  •  
                    Wally (profile), Jul 21st, 2012 @ 8:17am

                    Re: Re: Re: Re: Re: Re: Re: Re: How come.....

                    Actually, Sad Mac and I were the same person. Check the avatars, they should be the same if the same IP address was used. Ninja and the 2 Anonymous Cowards do not have the same avatars. You're just mad at me still.

                     


            •  
              Wally (profile), Jul 21st, 2012 @ 8:29am

              Re: Re: Re: Re: Re: How come.....

              None of the avatars match between me and any Anonymous Coward. Go see for yourself.

               


      •  
        Gwiz (profile), Jul 20th, 2012 @ 8:51am

        Re: Re: How come.....

        The avatars are randomized.

        Umm not quite.

        The same IP address on the same article equals the same avatar.

        Wally = Sad Mac

         


      •  
        The eejit (profile), Jul 20th, 2012 @ 8:54am

        Re: Re: How come.....

        nope.mov

         


        •  
          Wally (profile), Jul 20th, 2012 @ 9:03am

          Re: Re: Re: How come.....

          Just changed my WiFi passwords.....Thanks for the reminder folks :-)

           


          •  
            Gwiz (profile), Jul 20th, 2012 @ 9:30am

            Re: Re: Re: Re: How come.....

            Just changed my WiFi passwords.....Thanks for the reminder folks :-)

            LOL. Funny.

            What are the odds that someone who is piggybacking your WiFi connection without authorization would be commenting on the exact same Techdirt article at the exact same time as you?

            Slim to none and slim left town.

             


            •  
              Anonymous Coward, Jul 20th, 2012 @ 1:47pm

              Re: Re: Re: Re: Re: How come.....

              What are the chances that both the Internet subscriber and the WiFi leech both visit Techdirt, or are both even aware of Techdirt?

               


          •  
            Anonymous Coward, Jul 20th, 2012 @ 1:52pm

            Re: Re: Re: Re: How come.....

            If you were at all smart you would have probably said that you were using Tor and the IP addresses that you get are randomized. Though Mike could tell if you are using Tor, so that might not always work. But the probability of you getting the same IP address and posting under the same Identicon as someone else is actually quite high; I've posted using Tor before (less than a handful of times) and noticed someone else who posted with the exact same Identicon. I even checked the hash tag to make sure and they were the same.

             


    •  
      John Fenderson (profile), Jul 20th, 2012 @ 12:12pm

      Re: How come.....

      Because they're both commenting on a machine with the same IP address.

       


  •  
    Anonymous Coward, Jul 20th, 2012 @ 8:00am

    This is a developer problem

    Apple has a way to validate the payment. It's just that some developers aren't using it. That's why it only works in some cases.

     

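    An added example (not from the thread, from Apple, or from any developer mentioned here) of what "using" Apple's validation looks like from the defender's side: the developer's own server forwards the receipt to Apple and then checks the answer against what the app actually sells, rather than trusting whatever the device reports. The response field names (status, receipt.bundle_id, receipt.in_app[].product_id, transaction_id) follow Apple's verifyReceipt JSON as understood by the example's author and should be treated as an assumption; the HTTP transport is injected so the example runs offline against constructed responses.

```python
"""Server-side in-app purchase receipt validation (added example).

Assumptions (not on the page): verifyReceipt response shape as noted in
the lead-in; the transport callable stands in for an HTTPS POST.
"""
import json
from dataclasses import dataclass, field
from typing import Callable

APPLE_VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"  # production endpoint


@dataclass
class ReceiptValidator:
    bundle_id: str                              # the app this server sells for
    known_products: frozenset[str]              # product ids the app really offers
    transport: Callable[[str, bytes], bytes]    # POST helper, injected for testing
    seen_transactions: set[str] = field(default_factory=set)

    def validate(self, receipt_b64: str, product_id: str) -> tuple[bool, str]:
        """Return (ok, reason). Only ok=True should unlock the content."""
        if product_id not in self.known_products:
            return False, "unknown product id"
        body = json.dumps({"receipt-data": receipt_b64}).encode()
        try:
            resp = json.loads(self.transport(APPLE_VERIFY_URL, body))
        except (ValueError, OSError) as exc:
            return False, f"verification unavailable: {exc}"  # fail closed
        if resp.get("status") != 0:
            return False, f"apple status {resp.get('status')}"
        receipt = resp.get("receipt", {})
        # A valid receipt for *some* app is not a receipt for *this* app.
        if receipt.get("bundle_id") != self.bundle_id:
            return False, "receipt belongs to a different bundle id"
        for tx in receipt.get("in_app", []):
            if tx.get("product_id") != product_id:
                continue
            tx_id = tx.get("transaction_id", "")
            # The same receipt must not unlock the same item twice.
            if not tx_id or tx_id in self.seen_transactions:
                return False, "transaction missing or already redeemed"
            self.seen_transactions.add(tx_id)
            return True, "ok"
        return False, "receipt does not contain the requested product"


# Constructed sample responses standing in for Apple's server (offline).
GENUINE = {"status": 0, "receipt": {"bundle_id": "com.example.game",
           "in_app": [{"product_id": "com.example.game.gems100",
                       "transaction_id": "1000000012345678"}]}}
# A "status 0" answer for a different app: status alone proves nothing.
SPOOFED = {"status": 0, "receipt": {"bundle_id": "com.other.app",
           "in_app": [{"product_id": "com.example.game.gems100",
                       "transaction_id": "1"}]}}


def fake_transport(payload: dict) -> Callable[[str, bytes], bytes]:
    return lambda url, body: json.dumps(payload).encode()


def demo() -> list[tuple[bool, str]]:
    products = frozenset({"com.example.game.gems100"})
    v = ReceiptValidator("com.example.game", products, fake_transport(GENUINE))
    first = v.validate("cmVjZWlwdA==", "com.example.game.gems100")
    replay = v.validate("cmVjZWlwdA==", "com.example.game.gems100")
    spoof = ReceiptValidator("com.example.game", products,
                             fake_transport(SPOOFED)).validate("x", "com.example.game.gems100")
    return [first, replay, spoof]


if __name__ == "__main__":
    for ok, why in demo():
        print(ok, why)
```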

  •  
    Wally (profile), Jul 20th, 2012 @ 10:02am

    I have taken a dose of humility. No more pretending. I'm done being 2 people at once.

     


