Slashdot Mirror


$1.2 Million Worth of MS Points Taken After Hackers Figure Out Code Algorithm

The Save and Quit blog reports that a group of hackers figured out the algorithm behind a set of promotional codes that were each redeemable for 160 MS points, the currency used on Xbox Live. Quoting: "A person would just have to sit back and refresh over and over and rack up the 160MSP codes. Not every code would work, but a majority would. The site started to 404 due to the heavy traffic. If you have closer ties to the pirating community, you could find a program to get the codes for you. ... This method took a little more work out of the user, but it was still simple enough for a 12 year old to figure out. ... Microsoft found out about this exploit and put a stop to it immediately, but internet pirates still had enough time to steal $1.2 million worth of Microsoft Points."

130 of 203 comments

  1. $1.2 million worth of Microsoft Points by elrous0 · · Score: 5, Funny

    Wow, that's almost a full tank of gas.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:$1.2 million worth of Microsoft Points by adamofgreyskull · · Score: 3, Funny

      Firstly, welcome to The Internet. Secondly, I believe elrous0 was using a rhetorical device, common in English, called "Hyperbole".

    2. Re:$1.2 million worth of Microsoft Points by semiotec · · Score: 4, Insightful

      In case you've never come across this before, it can also be used to point out when something is ridiculously low or worthless, as I believe is the intention of the original post, that at least in his/her opinions MS points are worthless, specifically that even though they are technically worth $1.2 million, there's very little you can buy with them.

    3. Re:$1.2 million worth of Microsoft Points by theillien · · Score: 1

      Why do you keep putting gas in quotes?

    4. Re:$1.2 million worth of Microsoft Points by theillien · · Score: 1, Flamebait

      Ah, well then, take your "petrol" and go smoke a "fag" or somesuch.

    5. Re:$1.2 million worth of Microsoft Points by mikkelm · · Score: 1

      Yes, of course you would. Until you had to fill the huge gaps left in budgets that rely on that extra money you pay for your fuel. It isn't magically more expensive because it's consumed in the United Kingdom, you know.

      But, please, continue to complain and make a fool of yourself.

    6. Re:$1.2 million worth of Microsoft Points by badboy_tw2002 · · Score: 2

      Ughhhh, I can just imagine your high pitched snotty voice as if you were actually saying that. I hope you get "shagged" by a "lorry" while chasing a "football", and thus your "jeans" don't "continue".

    7. Re:$1.2 million worth of Microsoft Points by easyTree · · Score: 1

      Uhh not to mention the fact that it's not a gas, it's a liquid?

    8. Re:$1.2 million worth of Microsoft Points by FatdogHaiku · · Score: 1

      Why do you keep putting gas in quotes?

      Did you really want him to let it loose? I would prefer his gas be restrained, we can only hope double quotes are up to the job...

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    9. Re:$1.2 million worth of Microsoft Points by pckl300 · · Score: 1

      Really? A full tank of "gas" only costs £70 (~$112 US) here.

      If he drives a large American SUV, he is probably filling up a lot more often than your (likely) efficient European vehicle.

      --
      In the beginning, there was null.
    10. Re:$1.2 million worth of Microsoft Points by Opportunist · · Score: 1

      Well, you could always go to a real restaurant instead of a Starbucks and get coffee at a reasonable price.

      Ok, might be different for you, I don't know how far along they came already in your area.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    11. Re:$1.2 million worth of Microsoft Points by TheThiefMaster · · Score: 1

      Ask for a gas can in the UK and you'll most likely get a propane gas bottle.

      Which is a gas.

    12. Re:$1.2 million worth of Microsoft Points by TheThiefMaster · · Score: 1

      s'ok, I don't smoke.

    13. Re:$1.2 million worth of Microsoft Points by ian_from_brisbane · · Score: 1

      Ask for a gas can in the UK and you'll most likely get a propane gas bottle.

      Which is a gas.

      They make the bottles out of gas now? And here I am using the old-fashioned metal ones like a sucker.

    14. Re:$1.2 million worth of Microsoft Points by tehcyder · · Score: 1

      Because I'm British and think it's a stupid name.

      I agree, "gas" is a specific word for a state of matter, "gasoline" is liquid, it is a silly abbreviation.

      But then again I'm British too

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    15. Re:$1.2 million worth of Microsoft Points by tehcyder · · Score: 1

      Ask for a gas can in the UK and you'll most likely get a propane gas bottle.

      Which is a gas.

      They make the bottles out of gas now? And here I am using the old-fashioned metal ones like a sucker.

      Don't be a wanker, the phrase "a propane gas bottle" will normally be understood to mean "a bottle full of propane gas" unless you specifically say "an empty bottle for putting propane gas in."

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    16. Re:$1.2 million worth of Microsoft Points by tehcyder · · Score: 1
      Well done, your sentence makes no sense whatsoever. Shagged isn't a simple synonym of fucked, it's specific to the Act of Unpleasantness. You'd only get shagged by a lorry if it drove up one of your orifices, which is frankly implausible.

      Still, keep watching the Dick van Dyke movies for an accurate insight into colloquial English.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    17. Re:$1.2 million worth of Microsoft Points by TheThiefMaster · · Score: 1

      It's not as bad a name as LPG.

      Liquid Petroleum Gas. Liquid Gas.

    18. Re:$1.2 million worth of Microsoft Points by badboy_tw2002 · · Score: 1

      What's British for woooooosh? Is it douuuuuuuuuche?

  2. Dumb kids by intellitech · · Score: 1

    I doubt it'll be hard for Microsoft to figure out who redeemed an excessively large number of these codes.

    --
    vos nescitis quicquam, nec cogitatis quia expedit nobis ut unus moriatur homo pro populo et non tota gens pereat.
    1. Re:Dumb kids by thebra · · Score: 2

      I doubt it'll be hard for Microsoft to figure out who redeemed an excessively large number of these codes.

      If they are valid codes I don't see how Microsoft could tell the difference.

    2. Re:Dumb kids by intellitech · · Score: 1

      True, but I doubt everybody who visited the 404'd site redeemed only one code.

      They might not ban people, but you can bet they'll be voiding some of those points.

      --
      vos nescitis quicquam, nec cogitatis quia expedit nobis ut unus moriatur homo pro populo et non tota gens pereat.
    3. Re:Dumb kids by smelch · · Score: 2

      The difference between redeeming 1 valid code and redeeming 10? That's pretty easy. Most people learn how to count pretty early on. Or looking at how fast they redeemed them. "Oh, it only took them 1.28 seconds to type in this 25 character string of random numbers.... how odd!"

      --
      If I can just reach out with my words and touch a butthole, just one, it will all be worth it.
    4. Re:Dumb kids by uberjack · · Score: 1

      The idiots are fucked. Unless the codes were sold for cash, the trail will be easy to follow. Expect a large number of console/account bans, followed by arrests fairly shortly.

    5. Re:Dumb kids by natehoy · · Score: 2

      Don't the codes get associated with some sort of account somewhere? Could Microsoft not simply look for accounts with some arbitrarily reasonable amount of points on them, then query the purchasing/issuing database to see which of those accounts got most of their credit in short order in 160-point increments then drain those accounts?

      Or just simply look for any issuance of points using these promo codes to any accounts, and make sure that credit is only given for ONE promo code per account, and remove all other credits but the first one issued to each account?

      It's probably non-trivial, but would cost them far less than, say, a million bucks.

      Either that or they just allow the hackers their little victory and consider it a lesson in predictability in promotional codes. After all, Microsoft really hasn't "lost" $1.2 million in cash. Take the department that is running that promo and tell them they lost $1.2M in next year's budget.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    6. Re:Dumb kids by natehoy · · Score: 4, Funny

      why do you cower behind a chosen underwear based pseudonym? what are you afraid of?

      Perhaps he meant a striped, horse-like animal, and he has a lisp, you insensitive clod.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    7. Re:Dumb kids by Anonymous Coward · · Score: 4, Funny

      you're an idiot.

      And you have the social graces and sense of humor of a striped, horse like animal with a lisp.

    8. Re:Dumb kids by trollertron3000 · · Score: 1

      They aren't "valid" in the sense that although they meet the algorithm for validation they were not created by MS, who can in fact tie those codes back to SKUs and track the purchase. I know that's how I do it. But I also validate against that list on the fly because I'm not fucking retarded :P

      Seriously this is like checking a credit card using Luhn but never actually validating it by doing a capture via a payment gateway. It's laughable and I bet someone got fired for it.

      --
      Tiger Blooded Bi-Winning Machine
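As an added example (written for this page, not code from any commenter or from Microsoft), the distinction trollertron3000 draws above: a checksum such as Luhn proves only that a code is well-formed, while a lookup against the list of codes actually issued proves it was issued and not yet spent. The digit-only codes, the Luhn check, the registry contents and the one-code-per-account cap are stand-ins constructed for the illustration; the real Xbox scheme is 25-character codes and is not described on the page.

```python
"""Format-only validation versus validation against an issuance registry.

Added example, not from the thread. Every code and registry entry below is
constructed sample data; the Luhn check stands in for whatever structural
check a promo scheme might use.
"""
from dataclasses import dataclass, field


def luhn_valid(code: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check.

    Passing this proves only that the string is well-formed: anyone who
    knows the rule can produce strings that pass it.
    """
    digits = [int(c) for c in code if c.isdigit()]
    if not digits or len(digits) != len(code):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class PromoRegistry:
    """Server-side record of issued codes and who redeemed them."""
    issued: dict                      # code -> point value (constructed)
    per_account_limit: int = 1        # assumed cap: one promo code per account
    redeemed: dict = field(default_factory=dict)   # code -> account

    def redeem_format_only(self, code: str, account: str):
        """The weak design: accept anything that passes the checksum."""
        if not luhn_valid(code):
            return (False, "malformed")
        return (True, 160)            # credits points without asking the registry

    def redeem(self, code: str, account: str):
        """The hardened design: checksum, issuance lookup, single use, account cap."""
        if not luhn_valid(code):
            return (False, "malformed")
        if code not in self.issued:
            return (False, "not issued")      # well-formed but never generated by us
        if code in self.redeemed:
            return (False, "already redeemed")   # the legitimate holder keeps priority
        used_by_account = sum(1 for a in self.redeemed.values() if a == account)
        if used_by_account >= self.per_account_limit:
            return (False, "account limit reached")
        self.redeemed[code] = account
        return (True, self.issued[code])


# Constructed sample data: two codes the "promo" actually issued.
SAMPLE_ISSUED = {"1234567890128": 160, "1111222233334": 160}
# Constructed: passes Luhn but was never issued.
UNISSUED_BUT_WELL_FORMED = "9999888877770"


def new_registry() -> PromoRegistry:
    """Fresh registry loaded with the constructed sample codes."""
    return PromoRegistry(issued=dict(SAMPLE_ISSUED))


def demo():
    """Show the same unissued code accepted by the weak check and rejected by the full one."""
    reg = new_registry()
    weak = reg.redeem_format_only(UNISSUED_BUT_WELL_FORMED, "acct-a")
    strong = reg.redeem(UNISSUED_BUT_WELL_FORMED, "acct-a")
    return weak, strong


if __name__ == "__main__":
    print(demo())
```

The registry lookup is the "capture via a payment gateway" step in the comment's analogy: it is the only check that consults state the client cannot compute, so it is the one a code generator cannot satisfy. The single-use check is what protects the legitimate holder of a code from finding it already spent.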
    9. Re:Dumb kids by Low+Ranked+Craig · · Score: 1

      Aww... Someone shit in your Cheerios this morning?

      --
      I still cannot find the droids I am looking for...
    10. Re:Dumb kids by SuricouRaven · · Score: 1

      Probably right, aside from the arrests. It sounds like most of the points were taken by script kiddies, who aren't worth the effort of arrest. Maybe if MS can find who wrote the code-generating program.

    11. Re:Dumb kids by yakatz · · Score: 1

      English is a cruel language:

      Perhapth he meant a thtriped, horthe-like animal, and he hath a lithp, you inthenthitive clod.

      Fixed that for you

    12. Re:Dumb kids by scot4875 · · Score: 2

      What is the arrestable offense here? They put some numbers in a website text box, and it gave them "Microsoft Points" which have only the 'value' that Microsoft ascribes to them -- they aren't even redeemable for cash. If, instead, they had used a code to generate 1.2 million gold pieces in WoW, would that be worthy of arrest? If it were 1.2 million in gold in a single-player-only game, would that warrant arrest?

      My point is that nothing was "stolen" -- there wasn't even any arguable "unauthorized computer access" that would warrant hacking charges. They just guessed some numbers that in turn incremented a counter somewhere. Microsoft didn't lose anything. None of Microsoft's customers lost anything. As far as I'm concerned, Microsoft can roll back the redeemed codes and be happy that no real damage was done.

      --Jeremy

      --
      Jesus was a liberal
    13. Re:Dumb kids by Ben4jammin · · Score: 1

      People have already used codes to buy games, according to some of the posts on the forum the story links to.

      I don't know the law, but I think there may be something in this that would put you afoul of the law. There is probably a limit to the number of codes you can redeem within the context of the giveaway or whatever. Some forum posts claim as high as several thousand points redeemed.

      And MS is losing money if someone uses an improper means to get the codes and then spends the points on games. Those are sales lost as the person would normally use real money to buy the points to get the game. The codes were for only 160 points. But if you redeem a thousand of them...

    14. Re:Dumb kids by lowrydr310 · · Score: 1

      If Microsoft is anything like the big record labels, they'll go after the individuals for huge sums of money claiming loss of profit.

      Surely all these people who 'stole' several thousand dollars worth of MS Points would have purchased them, had they not been able to obtain them by generating codes, therefore Microsoft suffered financial damages.

    15. Re:Dumb kids by g3k0 · · Score: 1

      Those are sales lost as the person would normally use real money to buy the points to get the game. The codes were for only 160 points. But if you redeem a thousand of them...

      NONSENSE! Stolen bits != lost sale. Obviously if a person's wallet is not tied to their spending they will spend a lot more. Do you work for the RIAA? Though I am against piracy now, back when napster/limewire were cool, I may have downloaded some music/games. If the limewire option wasn't available to me, I promise I would not have had any interest in buying them. Honestly, it created interest in me for some music and I ended up buying some CDs because I like owning an original CD with a cover not made with a Sharpie.

    16. Re:Dumb kids by JTsyo · · Score: 1

      The difference between redeeming 1 valid code and redeeming 10? That's pretty easy. Most people learn how to count pretty early on. Or looking at how fast they redeemed them. "Oh, it only took them 1.28 seconds to type in this 25 character string of not-so-random numbers.... how odd!"

      FTFY

    17. Re:Dumb kids by Demonantis · · Score: 1

      I don't think so they probably didn't use the codes themselves and were smart setting up the web page. They just wanted to thumb their noses at microsoft and they managed to do it. The people able to refresh a web page will probably get the third degree. But only because of the agreement they have with microsoft for using the xbox "ecosystem". It is unlikely criminal charges could be laid.

    18. Re:Dumb kids by ConceptJunkie · · Score: 2

      What is the arrestable offense here?

      Making fools of a company rich and powerful enough to buy your arrest and punishment.

      --
      You are in a maze of twisty little passages, all alike.
    19. Re:Dumb kids by adamofgreyskull · · Score: 1

      "Those are sales lost as the person would normally use real money to buy the points to get the game."

      Small point perhaps, but: maybe. This argument is used a lot when calculating the harm of music/film/video game piracy but it doesn't hold much water. If Pw|\|3rB01_13 is some 14 year old peon who gets $10 a month pocket money and $100 at Christmas, Microsoft might sell him one or two games a year. Or $100 worth of MS points, whatever. If he gets his hands on $1600 worth of free MS points and goes on a spending spree, Microsoft hasn't lost $1600 in sales because there was never any chance of him buying $1500 of those points and only some chance that he'd buy $100. This isn't a physical good that will run out either, so the "theft" of these MS points won't stop MS selling millions of other MS point codes.

    20. Re:Dumb kids by Sir_Sri · · Score: 2

      After all, Microsoft really hasn't "lost" $1.2 million in cash

      Careful now. Microsoft points can be used to purchase things from the MS store. Not all of which are owned by MS. If I developed an XBLA game, or DLC for something I expect my 70% (I think it's 70%, steam is 70%, I haven't worked with anyone using MS points in a while), whether the points were legitimate or not is MS's problem. The deal I have is to be compensated, in cash, for downloads of my product through their store.

      If they give away 10 million MS points for the hell of it, I still expect to be paid, and it's their pocket it comes out of. If someone hacks the MS algorithm and uses that to buy my stuff either my stuff should be pulled from their account (a non trivial, but perhaps necessary thing to do), or I get paid.

      There's a much deeper discussion here about points versus a cash wallet. Points they can give away, take back etc. all for free. But if it's real money there are all sorts of tax implications and so on to giving away, or winning 1000 free 'points'. Which is why they use points in the first place. But on the other side, if someone spends 800 points on my DLC, I expect to be paid the $7 or whatever that works out to now.

    21. Re:Dumb kids by Ohrion · · Score: 3, Insightful

      In this case, stolen bits doesn't == lost sale. In this case, stolen bits == sale for the publisher. Microsoft has to pay the publisher of the game with real money that was bought with stolen bits. Also, congratulations on your ethics, that allows you to rationalize your behavior to this degree.

    22. Re:Dumb kids by RMingin · · Score: 2

      Is that you, Charlie Sheen?

      --
      The preceding comment is my own, and in no way construes an opinion of the Emperor of Mankind.
    23. Re:Dumb kids by RMingin · · Score: 1

      Bi-winning! Fists of fire! You get down with your insane self!

      --
      The preceding comment is my own, and in no way construes an opinion of the Emperor of Mankind.
    24. Re:Dumb kids by RMingin · · Score: 1

      Hypocrite? You're so funny! You use words that sound menacing, while not realizing that they actually have meanings, which you ignore! You're so funny! I loved your work in Hot Shots! Part Deux!

      --
      The preceding comment is my own, and in no way construes an opinion of the Emperor of Mankind.
    25. Re:Dumb kids by shentino · · Score: 2

      Have the hackers arrested and thrown in prison for fraud.

    26. Re:Dumb kids by ToasterMonkey · · Score: 1

      In this case, stolen bits doesn't == lost sale. In this case, stolen bits == sale for the publisher. Microsoft has to pay the publisher of the game with real money that was bought with stolen bits. Also, congratulations on your ethics, that allows you to rationalize your behavior to this degree.

      I don't get the "stolen bits" argument at all, but an even better comparison is generating gift card activation codes. Plain and simple fraud, bit or no bits.

    27. Re:Dumb kids by im_thatoneguy · · Score: 1

      The codes were generated I believe on a MS service that was tricked into generating codes based on existing codes.

      From Kotaku:

      With Microsoft able to track the generated codes, that means they can also track accounts that cashed in the generated codes for points.

      And since they can track the damage, they are qualified to tell us that the $1.2 million figure being thrown about is far from the actual number. "We can't share specific numbers, but the figure is nowhere near the amount that has been reported."

      [...]

      "We take safety and security very seriously and require that Xbox LIVE members use the service in compliance with applicable laws and specifically prohibit people from engaging in illegal activity as a part of our Terms of Use and Code of Conduct," the statement continued. Our Policy and Enforcement team is evaluating whether or not certain individuals have violated the Terms of Use for Xbox LIVE and will take the appropriate enforcement on an individual basis."

      http://kotaku.com/#!5780686

    28. Re:Dumb kids by Imrik · · Score: 1

      Except that some of the things he buys may not be MS products, meaning MS would have to pay for the goods he purchased.

    29. Re:Dumb kids by innerweb · · Score: 1

      Cheaters never win

      Obviously, you don't play on XBox Live.

      --
      Freud might say that Intelligent Design is religion's ID.
    30. Re:Dumb kids by Alsee · · Score: 1

      I don't have a lithp! My keyboard doeth, you inthenthitive clod!

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    31. Re:Dumb kids by Opportunist · · Score: 2

      And how many kids will come crying after they got nothing but MS-Points for their birthday (because they wanted them, remember, kids aren't really the most reasonable people on the planet) and now are accused of cheating?

      Could you see how this could maybe ruin a few kids' birthdays?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    32. Re:Dumb kids by Opportunist · · Score: 1

      Do you arrest the CEO of Smith&Wesson for a bank robbery?

      Outlawing a tool and incriminating its maker for its abuse is a dangerous slippery slope.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    33. Re:Dumb kids by Opportunist · · Score: 1

      This is, sadly, not illegal.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    34. Re:Dumb kids by tehcyder · · Score: 1

      I doubt it'll be hard for Microsoft to figure out who redeemed an excessively large number of these codes.

      If they are valid codes I don't see how Microsoft could tell the difference.

      I think the guy with $1.2m worth might be a bit of a stand-out.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    35. Re:Dumb kids by g3k0 · · Score: 1

      Considering the circumstances, I highly doubt Microsoft will have to pay the publishers a dime. Especially considering that it is promotional credit. I know Facebook doesn't pay for promotional credit, and would not be the least bit surprised if Microsoft had a similar clause. Really depends on the fine print the publisher agreed to which I am way too lazy to find so I will just concede. As far as rationalization is concerned, I was not trying to rationalize anything. Piracy is wrong. The argument I replied to was just very similar to what you see coming from companies upset over piracy and I don't agree with it.

    36. Re:Dumb kids by uninformedLuddite · · Score: 1

      After all, Microsoft really hasn't "lost" $1.2 million in cash.

      They have employed the RIAA lawyer team over this outrage. The numbers will rise.

      --
      The new right fascists are bilingual. They speak English and Bullshit.
    37. Re:Dumb kids by petermgreen · · Score: 1

      Do you arrest the CEO of Smith&Wesson for a bank robbery?

      There is a line between making a device that can potentially be used in a crime and making a device whose only substantial use is to commit a crime. The only substantial use for a points code generator is to fraudulently obtain points.

      Guns do have legal uses. Nevertheless most civilised countries regulate them heavily (afaict even the US regulates them though not as strictly as other places) because the danger from their illegal use is perceived (rightly or wrongly) to outweigh the legitimate uses.

      IANAL but as I understand it making something with both legal and illegal uses is generally OK unless explicitly banned/regulated. Making something with only illegal uses or actively promoting illegal use of your device/service is not (this is what has got many torrent sites into trouble).

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
  3. only 160 points worth of microsoft funny money? by RyuuzakiTetsuya · · Score: 1

    I wonder if they're just going to ban everyone who redeemed a code worth such a small amount. Why the hell do amounts that small exist? must be for fast food promos or something.

    --
    Non impediti ratione cogitationus.
    1. Re:only 160 points worth of microsoft funny money? by AndrewNeo · · Score: 1

      It pretty much is. They never sold anything outright less than 500 points.

    2. Re:only 160 points worth of microsoft funny money? by nedlohs · · Score: 1

      No, but if you redeemed 50,000 of them it might be an issue.

  4. Exchange rate by DrugCheese · · Score: 2

    What's the exchange rate from MS points to Schrute Bucks?

    --
    *DrugCheese rants*
    1. Re:Exchange rate by Dayofswords · · Score: 2

      Same as the ratio of unicorns to leprechauns

      --
      Someday we'll hit the human carrying capacity. And the band will just play on.
    2. Re:Exchange rate by pvera · · Score: 2

      Same as Unicorns to Leprechauns.

      --
      Pedro
      ----
      The Insomniac Coder
  5. Not hard to track down by Drakkenmensch · · Score: 1

    Just look who made more than one purchase of MS points to their account in the last week or two, that will cut down the list of possible suspects significantly. Cross-reference the transactions for which there was payment. You'll find that you have a handy list of those people who will soon find a huge "CHEATER" banner on their Xbox account.

    1. Re:Not hard to track down by thebra · · Score: 1

      Just look who made more than one purchase of MS points to their account in the last week or two, that will cut down the list of possible suspects significantly. Cross-reference the transactions for which there was payment. You'll find that you have a handy list of those people who will soon find a huge "CHEATER" banner on their Xbox account.

      I purchase MS points a few times a week, and I have a feeling I'm not alone. I don't see how that would help narrow down the evil doers.

    2. Re:Not hard to track down by Drakkenmensch · · Score: 1

      I purchase MS points a few times a week, and I have a feeling I'm not alone. I don't see how that would help narrow down the evil doers.

      Read my whole post. Once you've narrowed down people who made multiple purchases in a row (a hacker who finds this trick working repeatedly is likely to do it as long as it will work) all they need to do is make sure every one of those names has PAID for his purchases. The idea here was merely to narrow it down to make the payment double-checking part go faster.

    3. Re:Not hard to track down by thebra · · Score: 1

      I purchase MS points a few times a week, and I have a feeling I'm not alone. I don't see how that would help narrow down the evil doers.

      Read my whole post. Once you've narrowed down people who made multiple purchases in a row (a hacker who finds this trick working repeatedly is likely to do it as long as it will work) all they need to do is make sure every one of those names has PAID for his purchases. The idea here was merely to narrow it down to make the payment double-checking part go faster.

      I read your post in its entirety but it is still in the end a mostly educated guess. I just don't see how Microsoft could punish based off a good guess. I realize they can ban whomever they want for whatever reason but it would just end up causing more headaches and added cost. I don't see the real payoff.

    4. Re:Not hard to track down by goose-incarnated · · Score: 1

      At which point does the "guessing" come in? This is how double-entry book-keeping works ... you reconcile the stock (in this case points) with the bank statements of deposits. There is no guessing. What OP said was that you could narrow it down so you don't have to reconcile for the entire population, just reconcile for a subset of them.

      --
      I'm a minority race. Save your vitriol for white people.
    5. Re:Not hard to track down by Drantin · · Score: 1

      I purchase MS points a few times a week, and I have a feeling I'm not alone. I don't see how that would help narrow down the evil doers.

      In 160MSP increments?

      --
      Actio personalis moritur cum persona. (Dead men don't sue)
    6. Re:Not hard to track down by EdZ · · Score: 1

      Because MS point are not only sold directly: you can buy printed codes worth x points from brick&mortar stores, or online via non-MS resellers. MS have no way to tell if code XXXXXXXXX was purchased legitimately or generated algorithmically.

    7. Re:Not hard to track down by goose-incarnated · · Score: 2

      Yes they do. A reseller brick-and-mortar store would have *printed* tickets. Unless MS is deliberately neglecting to keep track of which codes have been printed, they have a record of which codes have been already printed - those codes would be exempt from the double-checking.

      It's quite possible that the set of generated codes on the website overlap with the set of codes on printed tickets, in which case I happily concede the argument to your favour, but my understanding is that the codes are different (due to being only 160 points on the website, but no 160 points on any printed tickets)

      (I'm actually quite drunk at this point, so perhaps I'm missing your argument, if so - forgive me - I'm not being deliberately obtuse! Also, consider that an excuse if I'm not making much sense right now - sorry :-))

      Kind Regards

      --
      I'm a minority race. Save your vitriol for white people.
  6. Pirates by UninformedCoward · · Score: 1

    internet pirates

    Thank you for the clarification. I thought the story was talking about pirates hijacking transport ships on the high seas for Microsoft game card booty.

    1. Re:Pirates by nschubach · · Score: 1

      I imagine seeing a ship off in the distance with a Microsoft Windows logo flag flapping in the wind. A cool breeze from the East and the sails go up. The pirates raise their colors and proceed to bombard the ship with cannon balls. They pull aside the ailing ship to seize their booty while off in the distance they see an armada of Microsoft ships coming their way. They act quickly, taking everything they can manage before re-boarding their ship and setting sail.

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
    2. Re:Pirates by hairyfeet · · Score: 1

      Then they find out all the booty requires Games For Windows Live and they dump it overboard and break out the oars because the wind just ain't fast enough to get them away from the stench of failure, wafting like a bad chili fart in the ocean breeze.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  7. Comment removed by account_deleted · · Score: 1, Insightful

    Comment removed based on user account deletion

  8. They didn't steal anything. by jeremymiles · · Score: 2

    It's not like MS ran out of codes.

    --
    GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
    1. Re:They didn't steal anything. by BradleyUffner · · Score: 3, Insightful

      It's not like MS ran out of codes.

      Tell that to someone who legitimately had one of these codes that couldn't redeem it because someone else used it.

    2. Re:They didn't steal anything. by MyFirstNameIsPaul · · Score: 2

      If I understand those point things correctly, if points are used to purchase something, say, a game, then Microsoft has to pay the developer. So, in a certain sense, it is stealing, and could be a good source of revenue for a developer.

      --
      I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.

    3. Re:They didn't steal anything. by RightSaidFred99 · · Score: 1

      Yeah, man! Like, information totally wants to be free! Down with our corporate, like, overlords man!! Waaaavvvyyy Graaaavy!

      Idiocy. Those codes were currency tokens, exchanged for goods or services. What they stole was the services they purchased with fraudulent currency.

  9. Didn't hack the algorithm by russotto · · Score: 3, Informative

    It appears the algorithm wasn't actually determined. Rather, Microsoft essentially left a code generator which took unencrypted parameters available on a web page. Amateur mistake.

    1. Re:Didn't hack the algorithm by anyGould · · Score: 2

      $1.2 Million is pretty cheap to learn that lesson, all considered.

      And I'll be very surprised if they take any action against the lucky winners - the bad publicity (and risk of accidentally tagging someone who just happened to redeem their three codes at the wrong time) won't be worth the hassle.

    2. Re:Didn't hack the algorithm by wbav · · Score: 3, Informative

      Microsoft has taken action already:
      http://kotaku.com/#!5780686

--
=================
Unix is very user friendly, it's just picky about who its friends are.
    3. Re:Didn't hack the algorithm by HeavyAl · · Score: 1

      Exactly what I was trying to figure out. The story is /.ed, but last I checked figuring out an algorithm was a far cry from refreshing a page over and over.

  10. Re:A 12 year old? by hedwards · · Score: 1

    Yeah, really, when I was 11, the most likely place to go for computer help was from us 11 year old kids, as it seemed that a huge portion of the computer literate population was that age at that time. I'm not sure why today's kids would be so feeble intellectually as to make that true.

  11. Re:A 12 year old? by jdgeorge · · Score: 1

    "This method took a little more work out of the user, but it was still simple enough for a 12 year old to figure out."

    Huh? When I was 12, I was programming in assembler.

    So... this would have been simple enough for you to figure out when you were 12. Right?

  12. Read that wrong the first time. by XxtraLarGe · · Score: 1

    At first glance I thought it said "$1.2 Million worth of MS PowerPoints", which made me wonder "Who would pay $1.2 million for PowerPoints?"

    --
    Taking guns away from the 99% gives the 1% 100% of the power.
    1. Re:Read that wrong the first time. by tippen · · Score: 1

      Apparently you've never worked with venture capitalists before...

    2. Re:Read that wrong the first time. by proverbialcow · · Score: 1

      Does it include support? Might be an easier sell than installing OpenOffice.

      --
      The only surefire protection against Microsoft infections is abstinence. - The Onion
  13. Re:A 12 year old? by 2names · · Score: 1, Insightful

    I'm not sure why today's kids would be so feeble intellectually as to make that true.

    Go spend some time with a group of "today's kids." Then watch Idiocracy. Then weep as the truth becomes clear to you.

    --
    "I'm just here to regulate funkiness."
  14. Re:Oh deary me by Sparks23 · · Score: 1

    In fairness to Gates, he's willingly given away something like $39 /billion/ dollars of his own money through philanthropic and charity efforts. Even as a stockholder in MS, I doubt he cares much about $1.2 million. But there were probably some chairs thrown in Ballmer's office...

    --
    --Rachel
  15. Re:A 12 year old? by CannonballHead · · Score: 1

    Well, to be fair, I don't think it's an intellect issue. I'd say most kids have an intellect that's just fine.

    They just don't use it.

    If anything, it's laziness (partially due to lack of necessity), lack of ... ambition, one might say... lack of interests in anything but [insert wastes of time here], etc.

    In short, it's kind of a parenting issue, I suppose.

  16. Re:Was the code by smbarbour · · Score: 1

    Actually, for that format, you could use all of any repeating number. For the more "advanced" CD Key which had 4 digits in the first group, you just had to change the 4th digit until it worked (i.e. 9990-999999999, 9991-999999999, etc.)

  17. Just like Pepsi iTunes codes. All you hadda do.. by RevWaldo · · Score: 1

    ...to find the caps with the codes was to tilt the bottle.

    .

  18. Re:Banned from Live by Anonymous Coward · · Score: 1

    I didn't realize MS points gave people unfair advantage on XBL.

  19. Re:Just like Pepsi iTunes codes. All you hadda do. by wbav · · Score: 1

    Gotta say, it was much easier to do this with crystal clear Pepsi.

--
=================
Unix is very user friendly, it's just picky about who its friends are.
20. Curious and Furious by 140Mandak262Jamuna · · Score: 1

Curiously, the top executives are furious that their secret sauce algorithm to rack up US points has been leaked to this hacker. The CEO of Morgan Stanley was seen throwing a tantrum, curses and a few chairs: "This is our trick. This is what we have been doing to create money in the Federal Reserve accounts. And now some stupid hacker is using it to rack up real money? I wanna know who is responsible, and heads are goin' to roll."

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  21. Re:A 12 year old? by Kaenneth · · Score: 1

I met my elementary school bully as an adult once; the last thing I said to him was "No", when he asked if I wanted fries with that. (true story)

  22. Boggles the mind by TheSpoom · · Score: 4, Insightful

    Why weren't these codes completely random? Why don't they have a database of valid and used codes, where codes only get inserted when they're printed on cards that are then shipped to stores? Perhaps most importantly, why would you EVER have a public web-accessible interface to generate codes on the fly?

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
    1. Re:Boggles the mind by thebra · · Score: 1

      Because that would cost a lot more money to operate than a piece of software.

    2. Re:Boggles the mind by geekoid · · Score: 1

      Cost and reuse.

      --
The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    3. Re:Boggles the mind by tlhIngan · · Score: 1

      Why weren't these codes completely random? Why don't they have a database of valid and used codes, where codes only get inserted when they're printed on cards that are then shipped to stores? Perhaps most importantly, why would you EVER have a public web-accessible interface to generate codes on the fly?

You're confusing this article and the prepaid points cards. First, they were 160 points at a time. No prepaid card comes with so few points - I think the smallest I've ever seen was 400 as part of some pack.

160 is $2 US. This sounds more like the website was for some points promo thing - do X, get 160 points free. What happened then was people figured out how to get 160 points without doing X, and with enough hackery, figured out the algorithm behind it.

      I'm fairly certain Microsoft doesn't blanket enable all codes - when you redeem them, the backend checks to see what the code is for and if it's been issued. Problem is, if you have the algorithm, you just have to wait for someone to activate your code and use it before they do.

      And we do know Microsoft does have a database of codes - you can't redeem a code twice, for example, and since the keys are the same as the CD-keys you get with other Microsoft software, they probably do check to make sure the code is issued first (of course, there's often lag between when the code is issued and when the code is used).

      It has happened before - various websites do offer points from time to time and they're usually hammered quite hard and out of codes within a minute or two. This one was probably a longer promo...

    4. Re:Boggles the mind by shipbrick · · Score: 1

      I'm relatively ignorant, but AFAIK, it is common for "random number generators" with computers to not really be random at least via software because there will be underlying code based on an algorithm, since they are logical devices. So if you figure out the algorithm you can predict the "randomness". However, I think you can add some kind of specialized hardware device that does something truly random like measure radioactive decay from a radioactive element or roll some physical dice or something, and then it would be truly random... Someone please correct me if I'm mistaken.

    5. Re:Boggles the mind by plover · · Score: 1

      What happened then was people figured out how to get 160 points without doing X, and with enough hackery, figure out the algorithm behind it.

      According to TFA it doesn't appear that they ever figured out the algorithm. They just figured out how to get 160 points by refreshing web page X, and then repeated until they had a lot of points.

      As usual the /. headline is sufficiently lacking in factual basis. The "hackers" figured out a URL, not an algorithm.

      --
      John
    6. Re:Boggles the mind by Seth+Kriticos · · Score: 2

Only if you believe in a deterministic universe. Otherwise you get pretty good results with TRNGs and quantum mechanics.

      http://www.random.org/randomness/
      http://en.wikipedia.org/wiki/Quantum_cryptography

    7. Re:Boggles the mind by Dhalka226 · · Score: 1

      That really doesn't change his point, though.

The API still should have been secured with some sort of credentials. They don't have to be rocket science and they don't have to be so complex they get in the way of the third parties, but I don't think a username/password passed with HTTP Auth or something would be overly burdensome if you're already asking partners to connect with an API. And a couple of Microsoft developers could probably pump out libraries for most major languages to do that in only a few days' time if they wanted.

      More to the point, the API could--and should--still generate the code on the fly but randomly, be dropped into the database, and removed or marked inactive when used. It would still be a nearly instantaneous process of Request to API -> Generate/Store Code -> Return Code to Requesting Client, and the codes could still be passed along instantly to the end user -- there's just no algorithm to figure out. Combine with some sort of short-term lockout or slowdown for repeated attempts to use invalid codes to take care of brute force attempts and you have a fairly secure system with a minimum of effort expended.

    8. Re:Boggles the mind by NemosomeN · · Score: 1

      I'm going to double fist this one. It returns a 404 when it's overloaded because Microsoft doesn't gaf about standards. Also, "Refreshing" doesn't refer to refreshing a MS site, it refers to refreshing a page that has an auto-incrementing iframe of some sort that tries codes over and over again. Both of you should have known better.

      --
      I hate grammar Nazi's.
    9. Re:Boggles the mind by yuhong · · Score: 1

      Perhaps most importantly, why would you EVER have a public web-accessible interface to generate codes on the fly?

      Because they sent emails with a link to it passing an ID. The problem is that the ID is easily guessable.

    10. Re:Boggles the mind by TheSpoom · · Score: 1

      Random and pseudorandom are functionally equivalent under these circumstances. I think if you have access to the hardware states that seed the specific pseudorandom generator that generates the codes, Microsoft has already lost (and you're already root).

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    11. Re:Boggles the mind by TheSpoom · · Score: 1

      So then the problem is that the ID should have also been a random long alphanumeric string, like a longer YouTube video ID. Primary keys don't usually have to be integers and don't usually have to be sequential, they just have to be unique.

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    12. Re:Boggles the mind by TheSpoom · · Score: 1

      Yeah, apparently I missed that these codes were generated from some sort of internet marketing exercise (probably getting the user to fill out a survey), so the idea was that after the user finished the survey, this URL would be accessed to generate a code. Unfortunately the server-side generation code behind that URL had little in the way of security. My points about randomness and a public web-accessible interface stand.

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    13. Re:Boggles the mind by petermgreen · · Score: 1

      I'm relatively ignorant, but AFAIK, it is common for "random number generators" with computers to not really be random at least via software because there will be underlying code based on an algorithm, since they are logical devices. So if you figure out the algorithm you can predict the "randomness".

Generally, to predict the "random numbers" you need to know:

      1: what algorithm is in use
      2: either the internal state of the random number generator or the combination of seed value(s) and how many random numbers have been generated.

      The difficulty of figuring these out varies hugely. If you can get hold of a copy of the software you can obviously see what algorithm it's using (a little harder with binaries than with source but far from impossible). If you can't then depending on the algorithm you may be able to identify it from what the output looks like or by trial and error in trying attacks for various algorithms. You can try and guess the seed data but provided it is sufficient in quantity and competently sourced this is also highly unlikely. Really the OS needs to be involved in this collection as it is difficult for many user level applications to collect sufficient seed data on their own.

      Once you know the algorithm then things depend hugely on what sort of algorithm you are dealing with. Some algorithms either have so little internal state that the internal state can simply be brute forced or have mathematical weaknesses that allow calculation of the state from a sample of this output.

Unfortunately most programming languages come with a default random number generator that is insecure. Sometimes there is a secure one as well, but often users who require secure random number generators are forced to turn to third party libraries and/or platform specific interfaces. The result is that often coders end up using insecure random number generators in situations where a secure one should be used.

      IMO the default random number generator in a language should be one designed for security. IMO it's better that people use a secure random number generator when an insecure one would do than they use an ordinary random number generator where a secure one is needed.

      --
note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
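Dhalka226's design above (codes generated randomly on the fly, stored server-side, marked used on redemption, with a lockout for repeated invalid attempts) and petermgreen's point about reaching for a secure generator rather than the language default, as an added example that is not part of this thread or of any Microsoft system. The PromoService class, the 160-point value, the code length and the lockout threshold are all assumptions; storage is an in-memory dict standing in for the database.

```python
import secrets
import string
import time
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical in-memory promo-code service (assumed design, not Microsoft's).
# Codes come from the OS CSPRNG via `secrets`, never from `random`, so there is
# no seed or generator state that could be recovered from codes already seen.

ALPHABET = string.ascii_uppercase + string.digits   # 36 symbols
CODE_LEN = 25                                       # ~129 bits of entropy per code
MAX_FAILURES = 5          # invalid redemptions before a client is locked out
LOCKOUT_SECONDS = 600     # assumed lockout window


@dataclass
class PromoService:
    value_points: int = 160
    # code -> already redeemed? (a code that is absent was never issued)
    _codes: dict = field(default_factory=dict)
    # client id -> (consecutive failure count, locked-out-until timestamp)
    _failures: dict = field(default_factory=dict)

    def issue(self) -> str:
        """Generate a fresh random code and record it as issued-but-unused."""
        while True:
            code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
            if code not in self._codes:      # collision is astronomically unlikely
                self._codes[code] = False
                return code

    def redeem(self, client: str, code: str, now: Optional[float] = None) -> dict:
        """Single-use redemption with per-client lockout on repeated failures."""
        now = time.time() if now is None else now
        count, lock_until = self._failures.get(client, (0, 0.0))
        if now < lock_until:
            return {"ok": False, "reason": "locked_out"}

        # The only check that matters is against the stored record:
        # was this code issued, and has it been used yet?
        if self._codes.get(code) is False:
            self._codes[code] = True                 # mark used atomically in a real DB
            self._failures.pop(client, None)         # success clears the failure count
            return {"ok": True, "points": self.value_points}

        # Unknown or already-used code: count it, lock out after MAX_FAILURES.
        count += 1
        if count >= MAX_FAILURES:
            self._failures[client] = (0, now + LOCKOUT_SECONDS)
            return {"ok": False, "reason": "locked_out"}
        self._failures[client] = (count, lock_until)
        reason = "already_used" if code in self._codes else "unknown_code"
        return {"ok": False, "reason": reason}
```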
  23. Enjoy your fake money! by DarthVain · · Score: 1

    Wait! We were talking about the US Dollar right?

    1. Re:Enjoy your fake money! by ConceptJunkie · · Score: 1

      Hey, the U.S. Dollar isn't fake as long as we all agree it isn't fake. Even if it is.

      --
      You are in a maze of twisty little passages, all alike.
    2. Re:Enjoy your fake money! by witherstaff · · Score: 1

      It's not fake! The creature from Jekyll Island says it's just fine.

  24. Re:A 12 year old? by Amouth · · Score: 1

I point it at society's need for instant gratification.. most kids and people nowadays don't want to do something that might not work or takes time/energy/brains/effort to complete, when there is something easier to do.

    It's not so much being lazy because they are doing something most of the time.. even if it is just playing a game/watching tv/talking/texting/surfing the net.

    it's kinda sad really

    --
    '...if only "Jumping to a Conclusion" was an event in the Olympics.'
  25. Re:A 12 year old? by Cryolithic · · Score: 1

    Heh same, mine was pumping my gas :D

  26. Re:Banned from Live by geekoid · · Score: 2

    Don't hate the farmers, hate the MMO. It's their fault.

    --
The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  27. Re:A 12 year old? by ConceptJunkie · · Score: 1

    Not my kids. They're plenty smart and technically literate (mostly self-taught too).

But we are not a typical family... in good ways and bad.

    Rick

    --
    You are in a maze of twisty little passages, all alike.
  28. Re:Technical skills by ConceptJunkie · · Score: 1

    You're implying MS has management skills?

    I think reality is the opposite: MS has plenty of technical skills but management is so utterly incompetent the company is unable to put most of the technical skill to good use.

    --
    You are in a maze of twisty little passages, all alike.
  29. Re:Just like Pepsi iTunes codes. All you hadda do. by demonbug · · Score: 2

    ...to find the caps with the codes was to tilt the bottle. .

    Totally, completely, 100% off topic, but... this reminded me that when I looked at a map of Tripoli the other day I noticed this:

    Pepsi-Cola Road.

    I've been hoping to hear something about anti-government protesters on Pepsi-Cola Road ever since.

    Just like, you know... stolen Microsoft Points. Or something.

  30. Re:A 12 year old? by plover · · Score: 1

    Huh? When I was 12, I was programming in assembler.

    Huh? When I was 11 I was bitbanging RS-232 at 300bps using a telegraph straight key. Got to the point where I could emulate a TTY well enough that I could launch vi and edit a file. We won't go into my privilege escalation exploits... ah, misspent youth.

    Luxury. When I was 11 we used to dream of 300bps. We had to whistle FSK sounds directly into the 110bps modem, and if we failed two sign-ons in a row our teachers would thrash us with their belts.

    --
    John
  31. Whoa, for once... by Patman64 · · Score: 1

    ... a program that CLAIMED to give MS Points ACTUALLY gave MS Points. Phishing hell just froze over.

  32. Re:A 12 year old? by gangien · · Score: 1

The ratio of kids that can do such things is probably the same, it's just that computers are everywhere now.

So I submit that you are wrong. And so is Idiocracy... at least in the regard that we're getting dumber.

    Personally I would suspect that as far as strictly intelligence is concerned, we're the exact same as we were whether you compare to gen y/x/baby boomers/ 500 years ago. Just that knowledge and how quickly knowledge is available upon demand, has changed.

  33. 404? really? by ruiner13 · · Score: 1

    When sites are under load, they 500 or 503. I've never seen a server 404 under load. Plus, this wasn't a case of just hitting F5 to refresh and get a new code. URLs had to be uniquely tampered with. At least read the source article, editors, before posting sensationalist summaries. Sheesh. And according to other links posted in this thread, MS was able to track the "hackers" and ban them. So, it seems their system worked. If anything, perhaps it was a honey pot they put up to try to see what players would be happy to scam their way into getting points just to thin the herd. I'd be more than happy with fewer cheating scum on XBox Live.

--
today is spelling optional day.

  34. Re:A 12 year old? by Viperpete · · Score: 1

    Huh? When I was 12, I was programming in assembler.

    Huh? When I was 11 I was bitbanging RS-232 at 300bps using a telegraph straight key. Got to the point where I could emulate a TTY well enough that I could launch vi and edit a file. We won't go into my privilege escalation exploits... ah, misspent youth.

    Luxury. When I was 11 we used to dream of 300bps. We had to whistle FSK sounds directly into the 110bps modem, and if we failed two sign-ons in a row our teachers would thrash us with their belts.

    Well, when I was 11 we had to mind link with our living quarters nano-bot hivemind just to get the wall display to turn on the ultra-porn and we only did that for the ironic nostalgia of it when we're bored of watching the 3D vids on our retinal implants. Pardon me, while I matter make up some popcorn and consider uploading myself to the compumatter dyson sphere or just getting that extra thumb on each hand upgrade, I hear it only takes a minute. TTFN, apeman.

    --
    loose: not fitting closely or tightly != lose: to suffer the deprivation of
  35. Re:Go read a dictionary by squiggly12 · · Score: 1

    Damn, you got fucked over by the Apple Fanbois. :(

  36. Re:A 12 year old? by innerweb · · Score: 1

When I was 12, I wrote a decompiler for the Z80, I reverse engineered the Model III ROM and I networked the computers using tape cassettes. What this kid did was probably easier, and I don't think I am really that smart. I had time and focus on my side. No way I could have done the same today. I have no time and no time to focus.

    --
    Freud might say that Intelligent Design is religion's ID.
  37. This is why you have corporate america by jonaskoelker · · Score: 1

    They have to set a president

    You're against campaign finance reform, I take it? ;-)

  38. A correction by jonaskoelker · · Score: 1

    Someone please correct me if I'm mistaken.

    While you are correct that computers are deterministic, there are ways to generate pseudo-random numbers based on cryptography, where the "figure out the algorithm" step essentially is the same as breaking the cryptography.

    (Actually what you figure out is not the algorithm---which can be publicly known---but a secret input, i.e. a secret key and/or seed.)

    So while you are correct in principle, it is possible to make numbers which look so random that their pattern is in practice undetectable.

  39. Awesome... by hesaigo999ca · · Score: 1

Finally getting what they're due; MS points, like any other points, are useless.....just give out gift certificates when you make the purchase, to be used later, in person, so no one does any automation, which could lead to human error.