iTunes Gift Card Key System Cracked, Exploited
moonbender writes "Fake but working iTunes gift cards are being sold on Chinese auction sites for a fraction of their value: 'The owner of the Taobao shop told us frankly that the gift card codes are created using key-generators. He also said that he paid money to use the hackers' service. Half a year ago, when they started the business, the price was around 320 RMB [about $47] for [a] $200 card, then more people went into this business and the price went all the way down to 18 RMB [about $2.60] per card, "but we make more money as the amount of customers is growing rapidly."' The people at Chinese market researcher Outdustry have apparently confirmed this by buying a coupon and transferring it into an iTunes account. Oops."
It's still easier to use BitTorrent.
There's no -1 for "I don't get it."
"but we make more money as the amount of customers is growing rapidly."
Brilliant business model there, Taobao. I used to feel bad that Amazon's MP3 Service only worked inside the United States but now it's pretty clear: I doubt Apple will have much luck prosecuting anyone in this case whereas it would have been different had it happened on American soil.
... hahahaha sorry, couldn't quite say that with a straight face. Seriously, we must look like ripe-for-the-picking rubes to places like China. They're sitting there with free copies of Vista, Adobe Suites and now cheap "legal" music. I guess it will forever remain a mystery to them why their nation isn't home to prosperous software & music industries while the status quo is free for the taking with no repercussions.
I'm sure the Chinese government will help protect Apple's
My work here is dung.
use safari on your iPhone to buy the fake iTunes card.
It's like curb stomping apple after you kick them in the nuts.
More seriously, there's a good chance that if Apple does decide to change their key system that a lot of legitimate iTunes cards are gonna be rendered worthless.
And that would suck.
Sent from your iPad.
I'd be interested to know what algorithm was being used for the keycards. Did Apple use a weak scheme, did someone leak the secret, or (most interestingly) has someone managed to crack a good encryption algorithm?
(Alas, I'd guess it's probably a weak scheme. As recently as two years ago I noticed a bike products retailer was actually using sequential codes for its gift cards)
Possibility 1:
Apple doesn't use a database for cards, they use a hash even though that would be stupid.
That hash and algorithm for arranging the data before the hash was cracked even though all the verification is done on the server and thus there is no code out there to reverse-engineer.
Someone is generating and selling cards using that hash.
Possibility 2:
Someone is simply buying the largest email iTMS gift certificate allowed (I checked) with fake or stolen credit card numbers.
Possibility 1 is possible but unlikely.
Possibility 2 is very common, very easy and very likely.
Occam's Razor says people are likely jumping to an unwarranted conclusion here.
http://lkml.org/lkml/2005/8/20/95
The other side to this is that when a legitimate customer buys a card whose code has already been found using a keygen, their card won't work. I hope Apple has a refund system. The joys of security through obscurity in action.
No, kicking Apple in the nuts would be buying a fake iTunes card using MyFox on a jailbroken, unlocked iPhone 3G using a different carrier than the one the phone was sold from/for.
Even Microsoft has a process if you buy a Microsoft Points card and the code doesn't work. Given the request has to go through an approval process that normally takes several days and possibly multiple contacts to verify information. But still....
You can already get basically anything you can get off iTunes from torrent files for free. You don't have to pay for a card. If you're going to pirate material, you might as well be sensible about it.
The real comedy will happen when someone in China actually comes up with some IP that they want to make a buck off of. Hopefully an entire cottage industry will pop up in the rest of the world that's devoted to doing nothing but cranking out copies of whatever it is that China suddenly values, and even more hopefully that cottage industry will be named "Fuck You Chinaman, Inc.!"
Personally, I think that will become the downfall of our country.
Our main products that we're making here are things that can be easily recreated at no cost. Sure, we've got laws that attempt to stop it, but many places don't.
We've shipped most of our jobs making actual products overseas. And we wonder why China is becoming so powerful? They're making physical goods, and freely recreating our virtual goods.
So, if one were so inclined and was not bothered by the moral ramifications, would NOW be the time to buy and redeem a bunch of these? And, since you have to use your Apple iTunes account to redeem them, could you be threatened by legal people at Apple?
Where can I buy them?
Shut up brain or I'll stab you with a Q-Tip. - Homer Simpson
Americans and Europeans contribute to the economic downfall of Western Civilization every time they purchase a product made in the third world.
Possibility 1: Apple doesn't use a database for cards, they use a hash even though that would be stupid. That hash and algorithm for arranging the data before the hash was cracked even though all the verification is done on the server and thus there is no code out there to reverse-engineer. Someone is generating and selling cards using that hash.
Let's assume that Apple cryptographers are at least half way competent.
You could use Brand's eCash scheme in this situation. But, since Apple plays the role of both the Shop and the Bank in this scheme, you can do some simplification. So, what's the specification of this hash?
I think the simple solution is for Apple to generate unique strings (either random, or increasing integers) and sign them using some signature system, concatenating the value onto the plaintext.
To redeem a certificate, Apple checks that it hasn't been redeemed before, then stores in its database that it has been redeemed. For compactness using increasing integers, store that "all integers less than n have been redeemed".
Everyone knows Apple's public key and can verify the certificate. Only Apple knows the private key necessary to create certificates. Apple knows its own public key so it can verify certificates. It also knows to only accept each certificate once.
I'd guess that if I can cook this up in five minutes, Apple can afford hiring someone who can cook it up at least once during their development cycle (I'm not that leet :p).
(proof of security in the universal composability model is coming straight away; that's called proof by forward reference and it works great in the cookies)
1. hire hackers 2. get keygen 3. ??? 4. profit!
Any lawyers in here wanna weigh in on this?
If I were to buy some of these gift cards, Apple could absolutely terminate my account, I would expect that, but am I breaking any laws? This doesn't seem to be "breaking in" to anything (although I'm sure a judge would see it that way) so is it still considered some sort of cyber-trespass?
Doesn't this fall into the same category as "the vending machine gave me an extra candy bar. I told the maintenance guy, but he didn't care"? What if you even went as far as to email steve@mac.com (or whatever his address is) to show that you tried to contact Apple?
If they're going to pirate, why do they bother paying $2 to a crook to get music with DRM which they could get for free from BitTorrent? The only advantage iTunes has over piracy is that it is legal - so what's the point of ripping them off with a fake gift card?
Even ethically, that way they'd at least not be supporting the criminal industry like the RIAA is (in this case accurately) claiming.
Honestly though, what other choice do you have in most situations? Even many of the high end products now are made in third world countries. Many parts for American cars are built in other countries, even many of the cars are assembled in Mexico now. Japanese cars are often made here, but are assembled using parts made in a foreign country. It's the same situation for almost all electronics.
Why prosecute? If you can identify the illegitimate cards, you can revoke the license to all the downloaded music. Isn't this what DRM is for?
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
is apple doing even offering a $200 gift card. It seems to me to be an open invitation to fraud.
Nullius in verba
I guess it probably depends on how valuable Apple's manufacturing business is to China. I'm willing to bet that iPods, laptops and pretty much every other physical item in Apple's line is significant enough for them to pay attention. Some people might get disappeared.
But really, maybe Apple has learned a lesson here. Don't just validate cards using an algorithm. Keep track of which numbers you've sold, same as a credit card issuer.
don't worry . . .they're buying fake Apple products.
Everyone Chinese wins!
I believe iTunes is DRM free as of Jan 6/09
http://apple.slashdot.org/article.pl?sid=09/01/06/1840225
If I were God, wouldn't I protect my churches from acts of me?
I think it may even be simpler. I went to the site and, though I couldn't understand the language, it seemed as though you had to buy the iTMS certificate with a credit card! So all they have to do is use your card (or in the more elaborate scenario a previous idiot's card) to buy your gift certificate. And they buy whatever else they want with it.
"No tunes for you!" is better than "Broken tunes for you!"
"Believe me!" -- Donald Trump
When it comes to international copyright it is no surprise to me that across borders people are far less inclined to respect copyright laws of another country.
It reminds me of something that I read once that stated that back in the 19th century before the US had established its own home-grown authors and publishing industry, it was commonplace for Americans to simply copy and republish without consent the work of European authors and publishers. That was of course despite the constant complaints of European publishers and governments.
Of course eventually the US publishers had grown to a position where they themselves realized that they needed copyright in order to continue growing with the now booming local literature scene, hence the "true" birth of enforced US copyright.
(History repeating itself. Hmm, now how often does *that* ever happen - sarcasm)
Unfortunately I have no original sources to this 'tale', I would appreciate if anyone can either confirm or deny this with some evidence, as it is such a compelling story I would like to believe that it is true!
I would really think twice about using your credit card!
http://search1.taobao.com/browse/0/n-g,nf2hk3tfom-------2-------b--40--commend-0-all-0.htm?at_topsearch=1&ssid=e-s1
You can't identify the illegitimate cards. Each individual card isn't kept track of. The bar code on each of them is more like the answer to a math problem. If you know how to solve the problem, you get in, no questions asked. The only thing they can do is change the math problem and eventually get rid of the old one as a valid question to answer.
"Common sense will be the death of us all"
Isabella Bird, in her book The Englishwoman in America (1856), mentions this copying casually, as something everyone knows.
When you buy goods (gift certificates) with stolen funds (credit cards) so you would sell those goods to a third party and thereby make a profit - THAT IS money laundering.
And just imagine such a crazy scenario where they would spend not just $200.00 at a time, but drain the entire card to buy items such as jewelry, luxury items, or even iPhones or iPods - anywhere else on the internet.
You know... items that can be sold almost immediately if you sell it for a right price.
Or if you use ebay or amazon to sell items for "clean money" - while you pay for them with "dirty money".
Mit der Dummheit kämpfen Götter selbst vergebens
If the Chinese government doesn't start some kind of law enforcement, China is going to be a giant Black Hole. Blacklisting IP blocks from Chinese ISPs is the best thing I've ever done in terms of spam and malware control.
The US only recognized domestic copyrights until 1891. Prior to that, foreign works were considered public domain. Mark Twain became a US citizen to protect his writings and lobbied for the International Copyright Act.
http://en.wikipedia.org/wiki/International_Copyright_Act_of_1891
Gilbert and Sullivan had a big problem with this; people would come to their London openings, write down as much of the words and music as they could, take the boat to America, and put on knock-off productions. For this reason, The Pirates (!) of Penzance premiered in New York, not London.
Honestly though, what other choice do you have in most situations? Even many of the high end products now are made in third world countries. Many parts for American cars are built in other countries, even many of the cars are assembled in Mexico now. Japanese cars are often made here, but are assembled using parts made in a foreign country. It's the same situation for almost all electronics.
In a lot of cases, with research, you can actually choose where your goods are made. Sometimes it means they're of much higher quality, too. Other times (LCD televisions, for example) it means you get a mid-range product instead of the more fully featured version made in Korea.
"I zero-index my hamsters" - Willtor (147206)
how the gift cards work.
http://www.apple.com/support/itunes/store/giftcard/
http://store.apple.com/us/help/gifting#cards
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
If I was detailing the whole gift/certificate scheme for Apple, I would make sure to record every generated key before it reaches the customer - be it on a plastic card or in email. This way nobody will be able to use a code not issued by me, even if it's valid (based on the codes are really some crypto product).
However, if this is in place and we still have the Chinese selling keys - there is a serious issue with my security:
1) someone broke in and stole my generated numbers - very bad, I'm f0ked cause I'll have to disable all cards & recall all cards.
2) even if someone got the algorithm to generate valid numbers he's able to test huge amount of keys for validity under my radar, and only sells the one found valid. Bad stuff, customers will buy already emptied cards.
However the mentioning of keygen in the news means to me Apple does not have any means to distinguish a key they really issued from a key issued by Chinese hackers - bad stuff for them in the long run.
I guess it will forever remain a mystery to them why their nation isn't home to prosperous software
WHAT?
Guess who wrote code that runs on your Digital Picture Frame, your Camcorder, mp3 player, or your big screen LCD TV.
Maybe you missed the story about 'Shanzai'?
http://hardware.slashdot.org/article.pl?sid=09/02/27/049245&from=rss
Wanna know how Chinese are able to go from design on a napkin to working product ready to ship in ONE month? They share, rip, mash-up, copy.
Here is one of the sites used by Chinese Engineers/Developers to share brainpower
http://www.pudn.com/
There is no value in producing IP without a product, IP alone is worth zero. Chinese recognized it long ago.
Who logs in to gdm? Not I, said the duck.
I don't want to be the guy in China who downloads a copy of "Chinese Democracy" off iTunes.
Not 'cause of the govt wordfilter or anything, just because it's a horrible album.
At least you can't spend it on drink...
The US only recognized domestic copyrights until 1891. Prior to that, foreign works were considered public domain. Mark Twain became a US citizen to protect his writings and lobbied for the International Copyright Act.
Wait, Mark Twain (Samuel Clemens) was born in Missouri.
-- I have monkeys in my pants.
"Fake but working iTunes gift cards
Yes, we have a word for that. The word is counterfeit.
I'll use it in a sentence for you:
"The RIAA attempts to convince the public that downloading music is the same as counterfeiting CD's."
Mark Twain was born in Missouri - what other steps did he need to take to become a citizen?
Warning: Apple/Nintendo fangirl. Likes her electronics cute & cuddly. May be rabid.
Well,
Thanks very much for those links, they're really, really useful! Full of technical detail on the algorithm used.
For instance, check out these facts in the article Lars T linked to:
* The following letters and numbers can look very similar:
The letter A and the letter H
The letter B and the number 8
* Apple Gift Cards can be purchased from the Apple Online Store in any amount between $25-$2500
* To report a lost or stolen Apple Gift Card, please contact Apple at any Apple Retail Store location or by telephone at 1-800-MY-APPLE.
It's exciting technical comments like yours (without even a whiff of smug self-congratulatory superiority) that make slashdot what it is. Thanks for educating all of us on slashdot!
Well, given that he _was_ Mark Freaking Twain, he got to choose where he was born!
Apple will get all their money back, the cards will be strengthened and best of all, greedy stupid people are going to jail over this and removed from our internet!
Win-win!
[End Of Line]
I once received a gift certificate in a Christmas card that was delivered accidentally to my address, and I was able to go ahead and use it.
You just admitted to committing a Federal crime, son, and a Felony at that. If I were you, I'd shut the hell up and never mention this "freebie" to anybody.
?? I don't think spending somebody else's gift card is a felony, or a Felony. It's definitely not a Felony when the mailman messes up.
Ah...but that costs money!
Apple took a shortcut perhaps thinking no one would figure it out but once again 'security through obscurity' fails in a wonderfully fun way. I really don't have much sympathy for them though.
You can get rich if you own a politician, but you have to be rich to buy one in the first place.
The paragraph in Wikipedia you got that from was a freaking disaster zone. Incomplete sentences, jumbled meanings, utter crap. (Mark Twain had to establish Canadian residency to have at least one of his works protected there. (That was in the linked article.))
I've (likely badly) fixed that up, using information from the linked article.
Wikinuts could say this shows the strength of the model, since I, Joe Nobody, was able to correct it. I can counter that with the fact that not even a mere copy editor would have let that utter nonsense through.
refresh my memory, did China have something I wanted?
lick the cancle button (at least thats what our Chinese QA says)
A shop owner said that the vendor told us that they cracked the code.
Now...WTF does the shop owner know?
Would he sell them if the vendor told him "we buy them using stolen credit cards and sell them to you?"
Here's a close analogy:
ISBN numbers are made out of a series of numbers identifying the language, publisher, imprint and title/edition. The last digit is the mod 11 of the sum of the numbers, each multiplied by a weighting digit based on its position in the string. To make a barcode you have three different image patterns for each digit. The last six are all represented by type "R". The first one is not represented, except for defining a pattern of "L" and "G" types for the first six numbers, and encoding itself in the process. Interesting programming exercise in the language of your choice.
So all you have to do is reverse engineer the method used and you're there..although I suspect Apple's system is somewhat more technically challenging.
Please consider this account deleted, I just can't be bothered with the spam anymore.
How do you know the cards work? Has anyone bought one?
What if the whole thing is a scam whereby you send your couple of dollars over only to find out the cards really are fake. What will you do? Tell the police you got ripped off trying to buy a $200 card for a couple of dollars?
If there's enough idiots out there buying into this scam it could generate a tidy sum.
You can't identify the illegitimate cards. Each individual card isn't kept track of.
If what you say is true, and I have no knowledge to the contrary, how dopey is that?
The Multi-State Lottery's "Mega Millions" jackpot recently reached $212,000,000US and within two hours, it was known a winning ticket was sold and where it was sold. Lottery systems know which numbers are printed and where and the Mega Millions games typically sells 100,000,000 tickets when the jackpot hits huge numbers.
Would it be so hard for Apple to do the same?
== First cross river, then insult alligator.
It is a federal crime to open mail shipped through the United States Postal Service that has not been delivered to the addressee.
http://www4.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001702----000-.html
When the mailman messes up they don't open it (and there are exemptions somewhere to allow them to open it when required). If you receive something not meant for you then you should give it back to the post office, don't open it.
YANAL
What Apple should have done was create a large database with random numbers, and each random number is cross-referenced to a currency value such as USD 10, 5 Euro, etc. This database is used to print numbers and kept offline. Each number is then hashed with a SHA-512 hash, and that hash is stored on the validation server.
Of course, a cryptographically secure random number generator is used to generate the numbers so one can't obtain one number by knowing the value of its predecessor and successor.
This would allow iTunes to validate numbers, but prevent people from generating new numbers other than actively hacking the backend database and adding new numbers. Nobody who has no access to the database would be able to generate bogus numbers.
Of course, perhaps add a check digit or checksum to stop typos.
Failing to do a system like this and relying on an algorithm system will end up just having it cracked and a keygen available.
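The issued-code scheme proposed in the comment above, as an added example that is not part of the original thread and not Apple's actual system: random codes from a CSPRNG, only their SHA-512 digests on the validation server, a check character for typos, and single-use redemption. The code format, alphabet, lockout threshold and all names are assumptions made for illustration.

```python
import hashlib
import secrets

# Assumed format (not Apple's): 15 random characters plus 1 check character,
# drawn from a 32-symbol alphabet that omits the look-alikes I, L, O and U.
ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"
BODY_LEN = 15      # 15 symbols * 5 bits = 75 bits from the CSPRNG
MAX_UNKNOWN = 5    # well-formed but never-issued guesses allowed per account


def check_char(body: str) -> str:
    """Typo detection only. Odd weights are invertible mod 32, so any single
    wrong character changes the result. It proves nothing about authenticity:
    anyone who knows the formula can compute it."""
    total = sum((2 * i + 1) * ALPHABET.index(c) for i, c in enumerate(body))
    return ALPHABET[total % len(ALPHABET)]


def normalize(raw: str) -> str:
    """Accept codes typed with dashes, spaces or lower case."""
    return raw.replace("-", "").replace(" ", "").upper()


def digest(code: str) -> str:
    return hashlib.sha512(code.encode("ascii")).hexdigest()


class GiftCodeStore:
    """Validation server state: digests of issued codes, never the codes."""

    def __init__(self):
        self._issued = {}    # SHA-512 digest -> {"value": cents, "redeemed": bool}
        self._unknown = {}   # account -> count of never-issued codes tried

    def issue(self, value_cents: int) -> str:
        body = "".join(secrets.choice(ALPHABET) for _ in range(BODY_LEN))
        code = body + check_char(body)
        self._issued[digest(code)] = {"value": value_cents, "redeemed": False}
        return code          # printed on the card; only the digest is kept here

    def redeem(self, account: str, raw: str):
        if self._unknown.get(account, 0) >= MAX_UNKNOWN:
            return ("locked", 0)
        code = normalize(raw)
        well_formed = (
            len(code) == BODY_LEN + 1
            and all(c in ALPHABET for c in code)
            and check_char(code[:-1]) == code[-1]
        )
        if not well_formed:
            return ("malformed", 0)      # a typo, not counted as a guess
        record = self._issued.get(digest(code))
        if record is None:
            # Passes the public formula but was never issued: a generated code.
            self._unknown[account] = self._unknown.get(account, 0) + 1
            return ("unknown", 0)
        if record["redeemed"]:
            return ("already_redeemed", 0)
        # In a real database this check-and-set must be one atomic transaction.
        record["redeemed"] = True
        return ("ok", record["value"])


def demo():
    """Run the four cases on constructed inputs and return the outcomes."""
    store = GiftCodeStore()
    code = store.issue(2500)
    body = "A" * BODY_LEN
    generated = body + check_char(body)      # valid by formula, never issued
    typo = ("1" if code[0] != "1" else "2") + code[1:]
    return {
        "typo": store.redeem("alice", typo),
        "first": store.redeem("alice", code.lower()),
        "second": store.redeem("bob", code),
        "generated": store.redeem("mallory", generated),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

Counting only well-formed but never-issued codes toward the lockout separates honest typing mistakes from someone testing generated codes in bulk, the concern raised earlier in the thread.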
What do you use to blackhole them? I think many people would like to, but I was under the impression the IP ranges were not contiguous/simple...
As others have noted, the US has had federal copyrights since 1790, and state copyrights slightly before that. But for quite a while we only granted them to US citizens. When foreign authors would complain that they wanted US copyrights, the standard reply was to invite them to emigrate to the US.
Personally, while I loathe the idea of copyright treaties, since they hinder important reforms, such as shorter terms, lesser protection, registration formalities, etc., I do think that the US ought to unilaterally grant national treatment (i.e. treating foreign authors just the same as domestic ones). After all, the point of copyright is to promote the progress of science, and the nationality of the author really isn't important in that light.
-- This and all my posts are in the public domain. I am a lawyer. I am not your lawyer, and this is not legal advice.
Because they don't create cards on the fly through electronic terminals. They are sold from the shelves of Apple stores, grocery stores, corner stores.... They are pre-printed and usable without activation. There is no way to follow a card.
Your job?
Each individual card isn't kept track of.
Why not?
And we wonder why China is becoming so powerful? They're making physical goods, and freely recreating our virtual goods.
Yeah, it couldn't be the 1.3 billion citizens...
ZuluPad, the wiki notepad on crack
there is a very simple way to do this - use a public key system - using a 2k rsa key encrypt numbers 1 to 100 million - any random number is potentially a key, but only those below the threshold of the number sold are valid - and once it has been used once, remove it from the list. there is no (practical*) chance of anyone ever guessing a valid number, and if anyone breaks the system you have bigger worries than a few free vouchers ....
that's how I'd run serial numbers for anything I did - you can have the code to check a serial publicly available, but knowing how that doesn't help generate real ones. - you could even use a 4k key, and use the upper 2k bits as flags to indicate what specific features a particular serial number is valid for.
*practically impossible is anything less than 1 in 10^100 : the number of atoms in the universe (10^80) * number of second universe would be in existence (10^18) (the factor of 100 is added in just to make sure, and because 100 is a nice round number and 98 isn't)
in the example given the chance of guessing a code correctly is 10^8/2^2048, or slightly more than 3 in 10^608
yeah, a very large (and increasing) fraction of the worlds manufacturing capacity.
Doesn't this cost Apple money big time? I don't mean lost sales, I mean Apple has to pay developers / artists monetary value for every song "purchased". If you're not contributing into Apple's "royalty fund" then it's coming out of their own pockets. This is probably theft in the truest form.
Of course, "lets only allow verified codes" probably went into the same idea bin as "lets allow copy and paste for the iphone".
Even though its free I still won't use it.
Liberte, Egalite, Fraternite (TM)
Just to add a little contrast. You can read what happens in the US here:
http://openbts.blogspot.com/2009/01/open-source-and-self-interest.html
Corporations think they OWN you and your work for the rest of your life, even in California where non-compete agreements are illegal.
Basically either you decide to share and build your business model around it just like the Chinese did, or you won't be able to do anything other than work "for the man" in a cubicle.
Who logs in to gdm? Not I, said the duck.
I agree that would be funny. But the real comedy here is that nothing is actually being stolen here. What is really happening is that a new unit of currency is being counterfeited. But that currency is backed by value in digital media, which in and of itself is ephemeral and can be obtained by other means for free. What a bizarre situation.
No, there is no currency exchange going on, the 'gift card' tells iTunes to exempt you from paying for the tracks as you have already presumably paid Apple for the gift card. Apple is still paying the artist 70% of the cost of the music being downloaded, and they are paying in real currency.
For lack of a better signature...
Apparently credit card processing is now offline. This means I can't watch last nights "House"? *cry*
what DRM level? iTunes completely eliminated DRM from their music store a while ago...
For lack of a better signature...
I'm pretty sure that the lottery makes way more money than Apple does, even after paying out a prize. Remember, for every ticket that wins even a paltry $5, think of how much money is spent on losing tickets. While I'm sure it's technically possible, somebody in the company probably brought up "cost effectiveness" and bought the idea that these things couldn't be forged. The whole idea that you can keep information publicly accessible and always a secret via encryption is at best naivete at its worst or marketing up to its normal BS.
You don't have to attempt every possibility when trying to break a code. Stop when you get lucky and find a match. That's why it's a lie when they say you'd need 10,000,000 computers and a thousand years to break the latest and greatest file encryption. It's highly unlikely that the very last possibility is also the correct one. And figure that this analogy only applies to brute force attacks, the time scale goes down once you start bringing in shortcuts such as dictionary attacks, system flaws and the like.
"Common sense will be the death of us all"
You bastard! Do you have any idea how hard it is to find replacement tubes for my sarcasmometer?
One does have to sit down and think about whether you can actually call this stealing or not. Yes, obviously you are using merchandise that would have cost considerably more in a retail setting, but you have to think about the mechanics behind this.
For every track and album bought on iTunes, Apple pays 70% to the artist or label who submitted the tracks (generally .70 per track and 7.00 per album). Apple is going to continue to pay the artists for purchases whether they were made with a gift card or not. This means that all of the fraudulent gift cards are essentially just making Apple give the artists free money. When you consider this fact, this is a much more interesting means of pirating music than usual p2p and bit torrent clients, which obviously give the artists nothing at all. And considering the billions Apple has in the bank, the costs to them are honestly pretty negligible.
It's not that I'm condoning this practice, but if you are stealing music anyways (which, let's face it, most of us are to an extent) at least this way you would really be stealing from Apple, who has a lot more money than the artist, while still actually helping the artist by creating revenue for them.
Just something to consider.
For lack of a better signature...
This comment is not just funny, it is silly and obviously from someone who knows nothing about China.
For one, the Chinese themselves come up with a lot of IP. This ranges from music productions to technical innovations (yes also that, believe it or not). And yes they are copied big time, even though the Chinese government does try to enforce the protection of this IP. And yes it does so much more vigilantly than the protection of foreign IP. Mind that many US and other overseas patents are not valid in China in the first place, patents after all are limited to the countries/areas where they have been applied for and issued.
If someone comes with a new product in China and has some success, everyone will jump on the bandwagon and make it as well. Even if there is no protected IP involved. If someone starts making plastic coffee cups for example, and makes a good buck out of it, dozens of other factories will spring up and do the same. They all copy one another.
If you come up with some innovation in China and you really want to keep it for yourself you will have to keep it a secret. Don't tell anyone how you do it. This is why many Chinese are very reluctant to show you their production lines, and often you won't get access there at all. Taking photos of machines is also something that many Chinese really don't like. At trade shows many booths also have a no-photo-taking policy because otherwise within a few days they will find their newly designed jewellery at half the price all over the place. At their neighbour's booth for example (not joking).
IP in China is as if there is effectively no IP. Everyone copies from everyone with impunity. There is little enforcement, and what enforcement takes place is largely showing off to the outside world, staged media events making it look like something is being done. China can as such be used as case study for what happens if IP would be abolished. And it is overall not a pretty picture.
Then you are talking about counterfeiting currency, that is considered a far more serious crime than copyright infringement. In China at least that is, I don't know about in the US where it seems the other way around.
All of the iTunes gift cards in the world can't buy you a copy of Abbey Road.
That sounds like a cause that is better than BitTorrent! Finance the artist through counterfeit gift cards!
I guess it will forever remain a mystery to them why their nation isn't home to prosperous software & music industries
No mystery at all. Just doing what the US historically did in similar circumstances. Current US copyright fanatics complaining about third world piracy are just hypocrites. China is a sovereign country and can create+implement whatever "intellectual property" law they please.
In any case China gets copies that cost the US almost nothing to produce and the US gets a large volume of amazingly cheap consumer products that cost China a lot of man hours to produce. The US is getting the better end of the deal.
our English works of good repute being a wanting The facility with which English books are reprinted in America and the immense circulation which they attain in consequence of their cheapness greatly increases the responsibility which rests upon our authors as to the direction which they give whether for good or evil to the intelligent and inquiring minds of the youth of America minds ceaselessly occupied both in religion and politics in investigation and inquiry in overturning old systems before they have devised new ones The Englishwoman in America By Isabella Lucy Bird
pbhj
That's the silliest claim I've ever heard. If they're not tracking each card individually, that would cause at least two major problems:
When a card is redeemed, how do they know it hasn't been redeemed before?
When a card is manufactured, how do they know it hasn't been manufactured before?
Now that's not to say that they might have difficulty identifying an illegitimate card. Especially if it's a fake that has been manufactured, and has not yet been redeemed. Or maybe their manufacturing folks don't talk with the iTunes folks, and they don't know whether a card has been manufactured - just whether it has been redeemed.
The real question is, is this Apple's own KeyGen? Are they generating codes that belong on valid gift cards and rendering those cards useless as apparent duplicates?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Do you want a PC/laptop? Do you wear shoes, clothing? Do you buy anything at a supermarket?
If you can answer "No" to all those, then you're okay to boycott Chinese goods.
Why would they do that? Produce "IP" I mean.
The real wealth and power in the world is being the world's manufacturing base, just like the US once was.
Now China is, after being *given* that enormous power base by the short sighted and increasingly decadent and bankrupt west are very close to being the world's new powerhouse. And while people in the west will whinge and moan about China not respecting the west's mass delusion of "IP" laws, China will continue laughing all the way to the bank producing physical goods from nuts and bolts to electronics to massive and complex machines and tools of industry, an income stream and power base that can't be taken without mass violence. Unlike "IP". And given that there's a billion of them to protect their factories and industry...good luck with that anyway.
So the west will just have to suck it up now won't they? If people in the west want things, physical things like cars and computers and fridges and TVs and most of the tools and parts for the tiny industry that they do have left, they're going to have to play by China's rules. Just like everyone else has had to play by the US's rules for the last 100 years, and just like the US, whatever China wants to do, China does.
Not quite there yet, but in 10 years that will be the state of the world.
At least for 20-30 years that it would take to rebuild the manufacturing base in the west if the desire ever took hold again. Which is somewhat doubtful for the current generations, given it was them who gave away the manufacturing base to start with.
I won't even go into the irony of Americans bitching about the upstart country gaining dominance by making use of the old country's "IP". The parallels to history are uncanny. Problem is this time, the new powerhouse isn't even pretending that it's going to try the whole individual sovereignty over state thing. In fact many in power in China see that as one of the west's weaknesses and something that holds the west back.
Fascism (to call a spade a spade) is an excellent economic and governance model for production, making money and getting a country to become an industrial powerhouse. That is, if you can keep the lowest citizens in line. Which as we've seen time and time again, China can - hell western business even helps them.
And the gift cards are good for more than just music...
Join the Free Software Foundation
Tracking the cards before redemption is different than tracking redeemed cards. If they track everything before shipping it out, then they have to manage one massive database for every card. Add in a second database to manage everything that's been redeemed and then make the two have to sync with each other... headaches. On the other hand, having a secret password of sorts embedded in the code and only having to verify that means you can eliminate the first database.
In security terms, yes. It is more secure to have a list of authorized numbers. It is less work to have a "secret knock" as it were and just make sure that matches. It's like having an exclusive club where one can get in by saying "Macman sent me" versus having you make a list of everybody that can get in. The first is better for larger groups but allows for some fraud, the second is better for small groups when you can spare the time to verify.
And honestly? Those cards aren't worth anything as is. I'm guessing there's some sort of business tax advantage to having it that way. Anybody familiar with that?
"Common sense will be the death of us all"
This is in contrast to when someone messes up but it is actually addressed to you, such as a retailer sending you extra items accidentally, or when they send you "promotional" items that want you to agree to shrink wrap licenses to open them.
At least in California, if it is shipped to you (shipped as in to your name + address) it is your property.
Wouldn't happen. It'd cost more to manufacture elsewhere. Said copies would still have to be made in China.
And you wonder why China isn't terribly interested in the whole "intellectual property" idea.
"If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
I bought a UK gift card off eBay to use with my UK iTunes account. It sold at a discount to value, but not a massive discount.
I got the seller just to send me photos of the card, and tried to credit my account, and it said "card has not been activated". So it seems that in the UK, at least, there is a system whereby retailers "activate" individual serial numbers at the point of sale, and unless this takes place they are not accepted.
Having said that, I bought a U.S. one which worked, and was actually sold at a premium (I imagine lots of foreign buyers wanting cheap dollar-based prices). I hate to think that was fake, I never even saw the card.
Apple has gift-card by e-mail as a service, too. If you've received a number like this and used it in good faith who to sue? By the time you enter it, you could be 5 links away from the scamming perpetrators.
I have discovered a truly admirable proof (of this general theorem) that this si
Yeah. Webster, of Webster's Dictionary fame, was instrumental in getting US copyright law passed federally.
If they track everything before shipping it out, then they have to manage one massive database for every card. Add in a second database to manage everything that's been redeemed and then make the two have to sync with each other... headaches.
And yet that's how every other gift card works! Apple thought they could get away with cutting corners. Now they're seeing why everyone else doesn't.
Visual IRC: Fast. Powerful. Free.
I think my uncle said something like that when a Chinese inventor came up with the same thing he'd already patented years before. I'm not sure it would have been any different if my uncle had the idea after the other guy.
Are you sure every other gift card works like that? It might just be that "I want Steve Jobs to have my baby" wasn't the best passphrase to secure the encryption.
(I'd like to see your proof on this, even if just for the sake of curiosity.)
"Common sense will be the death of us all"
"You can't identify the illegitimate cards. Each individual card isn't kept track of."
Why not?
Except that I am sure Apple has to hand over a certain amount of money to the record labels. So a $200 card, they may have to hand over $180, and they get nothing from the consumer.
So actually something is being stolen, from Apple to the Music companies. They don't miss out, they would be loving this. All of a sudden, they are getting millions from Apple due to China.
While I, as you, am preparing to welcome my new Chinese overlords, there is one area of weakness in China's global domination plan you may not have considered in your post:
China's arable land barely above critical minimum
Shrinking Arable Lands Jeopardizing China's Food Security
China not to Sacrifice Arable Land for Infrastructure Construction
Dude, chinaman is NOT the preferred nomenclature.
Well,
Thanks very much for those links, they're really, really useful! Full of technical detail on the algorithm used.
Well, honey, I was talking about the fact that these guys had no idea how the cards were used. Do you believe they could handle an actual algorithm?
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
I picked up a free iTunes/Nike workout mix card from Best Buy a few weeks ago. When I entered the code, I received a message stating that the code I was trying to use was already used. Most likely someone wrote down the number on my card but I guess it is possible that the number was cracked.
Well,
Thanks very much for those links, they're really, really useful! Full of technical detail on the algorithm used.
For instance, check out these facts in the article Lars T linked to:
* Apple Gift Cards can be purchased from the Apple Online Store in any amount between $25-$2500
Case in point - you can't tell the difference between Apple Gift Cards and iTunes Gift Cards - and you want the algorithm? I have the feeling you'd be stumped if it said "add 1" and would try a way to add l.
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
Yes, just imagine a bunch of companies, freely competing with each other to drive prices down and serve consumers better. I'm glad we don't do that here in the capitalist West. Wait, wat?
[FUCK BETA]
Well, honey, I was talking about the fact that these guys had no idea how the cards were used.
Next time, you might want to consider replying to one of the people you think was wrong, specifically telling them why they were wrong.
You got the balls to link to one?
In UK law, at least, which is what 90% of the world base their law systems on:
No it's not, most of the world's law systems are based on Roman Law, as established by emperor Justinian in the 6th century. Only a few of the world's law systems are based on Anglo-Saxon style common law (essentially the former British colonies), and anyways all of them owe a big debt to the Romans.
I'm sure your explanation of how these cards works is correct but I can't help wondering why they don't / can't use private key encryption? Apple are the only people that need to read what is on the card so if each card carried some unique information (e.g. a GUID, a time stamp, value, distributor sold to) encrypted with a key they kept secret it would be damn near impossible to counterfeit. The end user would simply send the encrypted information back to Apple when they wanted to use the card and it would be marked off the list of available cards.
I used to have a better sig but it broke.
On the other hand, I could imagine the record companies to have a good case against Apple ... because they left the door right open if this is true.
Yeah, and no one seems to detect the sarcasm.... If you're handing out gift cards, you're handing out money. You'd better be sure it can't be duplicated. Either Apple have built an algorithm that is simple to guess, or the activation checks were done client side and someone stepped through the code.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
China will continue laughing all the way to the bank producing physical goods from nuts and bolts to electronics to massive and complex machines and tools of industry, an income stream and power base that can't be taken without mass violence.
What utter nonsense. It doesn't take any violence to build a factory in the USA, and when we abandon the asinine tax incentives for sending work offshore, we'll increase domestic manufacturing again. There's still quite a lot of manufacturing going on here, as it happens.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Instead of having 2 databases you could also simply have 1 with 1 bit of mutable data per key.
Passkey hash + 1 bit times a billion, 400 bucks worth of memory. System capable of performing radix searches to match the hash to the correct entry millions of times per second, 4000 bucks. Avoiding a headache from having to spend 2 minutes not being an idiot ... priceless
If this kind of stuff gives you a headache then you should not be a programmer working on a system which pushes through more than a billion dollars worth of revenue a year!
Honestly, I think they are. Think of it like this. Each card key is basically an encrypted signature by Apple saying that somebody bought a card worth however much money. Somebody figured out Apple's private key and now is forging signatures so as to defraud the iTunes store. Sure, Apple can revoke the signature (and is probably doing so on the replacement generation of iTunes gift cards), but the problem is they can't invalidate the faked cards as it would cause all the legitimate, paid for, cards to be invalidated as well. One thing I didn't see in the article is if this problem is only in China or applies to other regions as well.
:P
I'm guessing that the key was obtained by simple bribery or theft rather than actual computer skills. Somebody where the cards are printed probably got copies of the important files and sold the data to counterfeiters. I'm sure ask.slashdot.cn had a thread about the best place to sell such information was
"Common sense will be the death of us all"
For every dollar lost, Steve Jobs cries one, single tear.
Somebody get him a couple pallets of Kleenex, 'cause I'm sure not going to.....
Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....
Orientals are great at putting a new slant on things.
"I guess it will forever remain a mystery to them why their nation isn't home to prosperous software & music industries while the status quo is free for the taking with no repercussions."
I guess you missed the whole outsourcing thing that has been affecting the software industry in America and the West for the last decade or so then as companies move all their development jobs overseas to China/India which has allowed these two countries' economies to grow at an astounding rate?
It's not like Chinese music isn't popular and profitable in China either, sure it's not exported much but when you have 1.3 billion or whatever people as a customer base, expanding it isn't too big a worry.
Saying China doesn't have a prosperous software industry is a bit odd in the face of it being one of the major drivers of their economy's growth. Saying they don't have a prosperous music industry is a little odd too.
I suppose it's the same thing as that there are more Chinese internet users than any other nation- we just don't see them because they have their own products, their own groups and so on, but that doesn't mean they don't exist.
On the other hand, I could imagine the record companies to have a good case against Apple
The record companies aren't even involved. Apple pays them the relevant royalties for each track sold; the fact that the tracks were bought with fake gift cards is irrelevant.
It's no different to the situation where someone uses forged currency to buy a physical CD; the shop loses out, the wholesaler/record company etc. still get paid.
Why don't you read the replies? Just search for "activate" or "number comes up".
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
AC: You got the balls to link to one?
LT: Why don't you read the replies?
Clearly, you don't have the balls.
Ha! Try making a buck off my IP: 192.168.0.1
No it takes capital and the *want* and *desire* to. And I think it's more the dollar an hour wages and virtual slave labour that entice companies to China rather than tax incentives.
Why would anybody ever invest huge amounts of money to build a factory in the USA or the UK or France, when there is state sanctioned slave labour across the other side of the world and western governments are happy to allow it? Or have you been asleep for the past 30 years as the people who have the ability to build factories in the west have shut them down and moved them to...China.
My point which you seem to have completely missed, is that IP can't be controlled by physical force. If your country's main industry is the production of ideas and entertainment - "IP" then China can take the product of that industry and sell it or make use of it for free, and there's *nothing* you can physically do to stop that. Or to put it another way, China can pillage your industry at will without shedding a drop of blood. On the other hand your country can't just magic up a thousand factories and start mass producing a million types of widgets and items that are required for any modern country to function. And if you want to pillage China's (as they can do to yours at will), you'll have to shed a fair bit of blood first.
"And it is overall not a pretty picture." Why not, they are prospering pretty well overall - don't you think? I agree that to the inventors of IP it's a hassle, but the argument that patents in their current form are a benefit from an overall systemic point of view has yet to be provided. Imho it would probably be more effective overall if we had no IP protection at all. The argument that no-one would take the financial risk to innovate does not hold - if I look at the local Chinese market where someone steals a jewellery design it kind of seems a proven point to me.
Idempotent operation: Like MS software, whether you run it once or often, that doesn't make it any better.
we all know the answer is 43
I'm pretty sure that the lottery makes way more money than Apple does, even after paying out a prize. Remember, for every ticket that wins even a paltry $5, think of how much money is spent on losing tickets.
In fact, Apple grosses substantially more than the one lottery I checked on, the Mass Lottery grossed only 4.4 billion in FY2005. Apple, on the other hand, grossed $5.4 billion in the 3rd quarter of 2005.
You mentioned "someone brought up cost effectiveness" and I'd believe that. It just seems strange that the iTunes system is so easy to beat, especially when one considers who is operating it.
I guess the engineers got left out when this was being developed.
== First cross river, then insult alligator.
The US patent system with its patents on business models and software is botched, but that is not the whole world. The idea and original implementation of patents is pretty good.
There is at the moment at least relatively little innovation in China. It is a very small amount of money that gets invested in research and design. The West invests much more, as % of turnover/profits.
Furthermore the Chinese industry is not in a very good shape. Most of them are plain workshops doing assembly, and thus easily replaced by other companies. They don't have much if anything that makes a factory stand out, they don't have many own products. Mostly the design is done overseas, and the assembly in China. And workshops are of course easily replaceable by another.
I don't know how it works in the US but certainly in the UK iTunes gift cards are activated at the checkout to prevent shoplifting.
This could be what iTunes needs, trying to compete with torrents, wake up, I guess some people are still using VHS and others 8 track for nostalgic effect, but I swear those that do not get with the program will be left behind, even Metallica ended up finally bending over for torrent industry.
Lars even downloaded his own album!
That's something I will never install on my computer, even if it gave out free music I rather download my music from reputable and accountable sources.
I totally agree, but even though American products can be easily recreated at no cost, the American product quality is hardly recreated by the Chinese. I haven't seen any Chinese product that has the same quality as the old American products. I think Americans should open their factories again and compete with Chinese factories. Even if the product might cost a little more, MADE IN USA still gives people the impression of a higher quality product. And I *LOVE* MADE IN USA high quality products!
I think that bribes or outright theft were more likely involved than any particular technical skills. I'm guessing iTunes has its own online store hosted in China, yes? Or at least the card presses are there, so that means the key for that region is stored on the computer involved with the printing.
"Common sense will be the death of us all"
The Chinaman is not stealing anything from Apple. Apple are freely handing their money away without managing the appropriate checks at their end.
That'd be a pretty nice deal except "serving consumers" is not what their goals are.
I'd always guessed this was the case in the US too, as every other gift card I've ever purchased has had to be activated prior to use...
If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
Samuel Langhorne Clemens, "Mark Twain", was born in Florida, Missouri on November 30, 1835 to a Tennessee country merchant, John Marshall Clemens (August 11, 1798 – March 24, 1847), and Jane Lampton Clemens (June 18, 1803 – October 27, 1890).
Twain was born in Missouri 12 years after statehood to American citizens. How was he not a citizen?
Actually that is still useful, I think.
On a flight there were TVs in the seats where they charge like $15 to use it. So I took out a gift card I had that had about $0.15 on it and swiped it. The TV started right up, it can't process those transactions while it's in the air.
They still could charge you back for the missing amount of money since they know who was seated where... It's still improbable that they will, though.
http://www.boston.com/news/globe/ideas/articles/2007/08/26/a_nation_of_outlaws/?page=full
We've shipped most of our jobs making actual products overseas.
Like that one company that comes to mind. The one that brings us MacBooks, iMacs, iPods.
Reply to That ||
I was actually a bit worried about that for a while, next time I'll just move to a different seat.
So basically it would be in the interests of music companies to crack the iTunes gift cards. Since they will make more money this way.
the bandwidth in China and India and most 3rd world countries is 1/1000 of what we get here in the US. (think downloads at 8kbps)
If that gets fixed someway somehow, it's game over
Slashdot - I went there to fix their grammar that they're so bad at.
Maybe they could, gee, I dunno, generate a random number or string, store it into the iTunes database, and then print a card to match?
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
How does anyone know Apple doesn't do it the other way around? Pay 70% of the sales of gift-cards? Doing this, they would completely get around the problem you describe. This way, the downloading and use of the card would simply be an accounting change on the Apple servers.
Sure, they would not get the money they would get if you actually paid for the stuff in the first place, but there won't be the real currency transfer error that you describe.
The only reason I could see for Apple not doing this is that they get free interest on the money people pay for the card before they actually use them. I guess it's left as an exercise to the reader, or the people running Apple, to actually figure out which one is the better move.
Karma: 2.71828182846 (Mostly due to small, fun pills)
Even better cause: bankrupt Apple!
No it takes capital and the *want* and *desire* to
Of course.
I think it's more the dollar an hour wages and virtual slave labour that entice companies to China rather than tax incentives.
You're leaving out the relative productivity difference between the USA and China. Lower wages aren't as much of a draw as you think they are; the USA still has some of the highest productivity anywhere. That's one of the reasons why it makes sense for Toyota to have plants here instead of building all their cars in China and shipping them over.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
What an idiotic way to look at it? So you don't believe in fraud then?
Great free advertising for the thieves guys...
Much more likely these cards are purchased with stolen CCs. See forums on eBay as well as TouchArcade, this has been going on for months.
The shelves are full of these cards, all useless until they get authorized, so unless the hackers have hacked the auth system it's very likely these are stolen. When Apple figures it out, they'll disable your iTunes account. (see TA post for example)
Also, you've given personal info and/or CC info to a site that is likely using stolen CCs, seems like a perpetual money machine for the thieves. You guys know how to sing the "free credit reports.com song?" Hope so.
Best of luck
Rich
Go to any place (grocery store, convenience store, etc.) that sells gift cards or phone cards. Read the packaging on the cards and notice that it says the cards have no value until they're activated at the register. Now buy one of the cards and watch the register activate it; you'll probably see a serial number or such on your receipt. If you're feeling lucky, try stealing one of the cards and then using it; you'll find that it has no value.
This system is meant to protect against shoplifting: there's no point in stealing cards that can't be used. It also has the side effect of preventing people from generating their own gift card numbers.
(You can still attack the system by writing down a bunch of card numbers from the rack and waiting a few days/weeks for someone else to buy them. But you have to use the cards in the window between the time they're activated and the time they're used up.)
Visual IRC: Fast. Powerful. Free.
BitTorrent is very popular in China. Many young people use it to get music, movies and TV shows, both American and Chinese.
They call it BT.
"how can they call it a MINE if everything here is THEIRS?!?!" -Straight Jacket
The serial number is the checksum used for validation. It's not "live" until it's paid for. Then it gets added to the database rather than being in the database and marked paid for. That's why the Apple cards could be forged. They basically don't know the card number exists until activation. As long as it meets the cryptographic standard set out by the vendor it's fine. If it was strictly a basis of make one, sell one, then a key generator would be of limited use as it'd be too easy to get numbers that weren't usable. The cards weren't made yet. The approach you give will work, but is distinctly different than what the article outlines.
"Common sense will be the death of us all"
Case in point - you can't tell the difference between Apple Gift Cards and iTunes Gift Cards
I was just listing the interesting & informative facts in the article you linked to.
If you've got problems with the articles you linked to, then why did you link to them?
That's why the Apple cards could be forged. They basically don't know the card number exists until activation.
Yes, exactly, assuming that by "activation" you mean redemption.
That's the flaw in their plan. When you give them a gift card number, they don't bother to ask "does this number actually belong to a real gift card that we manufactured and sold", they only ask "does the algorithm say this number is valid". Once the algorithm stops being a secret, the system falls apart.
It's not much of a hassle to "manage one massive database for every card". Even if we generously posit that they need to track 1 billion cards, storing 100 bytes of data for each one, that's still only ~100 GB: the storage cost is trivial, and a billion-row database hardly makes Oracle flinch. There's no reason that every gift card vendor shouldn't be tracking the numbers of the cards they manufacture, and any who don't are begging to get burned the same way Apple is.
Visual IRC: Fast. Powerful. Free.
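The two designs argued over in the comments above (a code that only has to satisfy an algorithm, versus a code that must exist in the issuer's records and be activated at the register before it has value), as an added sketch that is not any commenter's code and not Apple's scheme. The alphabet, the checksum and the `CardLedger` class are all constructed for illustration.

```python
"""Added illustration: algorithm-only code validation vs. an issuer-side ledger."""
import hashlib
import secrets
from enum import Enum
from typing import Dict, List, Tuple

# Constructed 32-symbol alphabet (no 0/O/1/I); not taken from any real card format.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_LEN = 16  # 15 random symbols + 1 check symbol (constructed format)


def check_symbol(body: str) -> str:
    """Constructed checksum: position-weighted sum of symbol indexes, mod 32."""
    total = sum((i + 1) * ALPHABET.index(c) for i, c in enumerate(body))
    return ALPHABET[total % len(ALPHABET)]


def algorithm_only_valid(code: str) -> bool:
    """Weak design: a code is accepted if it merely satisfies the format rule.

    Nothing here asks whether the issuer ever produced or sold this code, so the
    check protects only against typos, not against anyone who learns the rule.
    """
    if len(code) != CODE_LEN or any(c not in ALPHABET for c in code):
        return False
    return check_symbol(code[:-1]) == code[-1]


class State(Enum):
    MANUFACTURED = "manufactured"  # printed, sitting on a shelf, worth nothing
    ACTIVATED = "activated"        # paid for at the register
    REDEEMED = "redeemed"          # value already credited to an account


class CardLedger:
    """Issuer-side record of every card: one row per code, one mutable state."""

    def __init__(self) -> None:
        # sha256(code) -> [state, value_in_cents]; the plain code is not stored.
        self._cards: Dict[str, List] = {}

    @staticmethod
    def _key(code: str) -> str:
        return hashlib.sha256(code.encode("ascii", "replace")).hexdigest()

    def manufacture(self, value_cents: int) -> str:
        """Create a card from a CSPRNG and record it before it is printed."""
        while True:
            body = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN - 1))
            code = body + check_symbol(body)
            if self._key(code) not in self._cards:
                self._cards[self._key(code)] = [State.MANUFACTURED, value_cents]
                return code

    def activate(self, code: str) -> bool:
        """Point-of-sale step: only a known, not-yet-sold card can be activated."""
        record = self._cards.get(self._key(code))
        if record is None or record[0] is not State.MANUFACTURED:
            return False
        record[0] = State.ACTIVATED
        return True

    def redeem(self, code: str) -> Tuple[str, int]:
        """Return (result, credited_cents); the checksum is only a typo filter."""
        if not algorithm_only_valid(code):
            return ("malformed", 0)
        record = self._cards.get(self._key(code))
        if record is None:
            return ("unknown", 0)            # well-formed but never issued
        if record[0] is State.MANUFACTURED:
            return ("not_activated", 0)      # stolen from the rack or copied down
        if record[0] is State.REDEEMED:
            return ("already_redeemed", 0)
        record[0] = State.REDEEMED
        return ("ok", record[1])


if __name__ == "__main__":
    ledger = CardLedger()
    card = ledger.manufacture(2500)
    never_issued = "A" * CODE_LEN  # constructed: satisfies the checksum rule
    print("format check accepts never-issued code:", algorithm_only_valid(never_issued))
    print("ledger on never-issued code:", ledger.redeem(never_issued))
    print("ledger before activation:", ledger.redeem(card))
    ledger.activate(card)
    print("ledger after activation:", ledger.redeem(card))
    print("ledger on second attempt:", ledger.redeem(card))
```

The ledger still cannot tell the buyer from someone who copied the number off the rack once the card is activated, which is the window the register-activation comment above describes.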
I brought up this topic with some friends and one of them has used software to this effect. It seems to support the pre-inventoried idea in that the keys you get give random quantities of items or amounts. Assuming the key generator in the article is the same, then yes, you've been right (thanks for the conversation. Fun). This fact doesn't really change the fact that theft can occur, but does dramatically increase the possibility that you can buy a pre-used card.
As a consumer I'd rather have Apple take the loss than me. I can't imagine how you could try getting your money back without getting rolling eyes and a canned "no refunds" speech.
"Common sense will be the death of us all"
Well I'll give you the US model: rip-off IP like mad while you are developing and then when you have something you want to protect force the world to adopt draconian laws to your benefit.
Don't see how anyone in the US can whine about this when they pioneered that development model.
Bad analogies are like waxing a monkey with a rainbow.
Or on the opposite hand you can see what happens when copyrights don't exist. Just look at how Chinese inventions changed the world. It'd be a sad state had copyright existed back then. You wouldn't even be able to talk about this problem.
What's needed is a better balancing system.