Microsoft Tries To Censor Bing Vulnerability

An anonymous reader writes "Microsoft's Bing search engine has a vulnerability with its cash-back promotion, which impacts both merchants and customers. In traditional Microsoft fashion, the company has responded to the author of the breaking Bing cash-back exploit with a cease & desist letter, rather than by fixing the underlying security problem. It is possible for a malicious user to create fake Bing cash-back requests, resulting in not only fake cash-back costs for the merchant, but also blocking legitimate customers from receiving their cash-back from Bing. The original post is currently available in Bing's cache, although perhaps not for long. But no worries, the author makes it clear that the exploit should be painfully obvious to anyone who reads the Bing cash-back SDK."

And now thanks to /. and microsoft

[Shadow+of+Eternity]

it will probably be all over the rest of the internet and general common knowledge within the week.

Re:And now thanks to /. and microsoft

[u38cg]

That seems pretty unlikely to me.

~Barbara

Re:And now thanks to /. and microsoft

[Choozy]

it will probably be all over the rest of the internet and general common knowledge within the week.

The way you phrased this, it would seem to indicate that you are against slashdot for releasing this information. I fail to see how releasing this type of information is a bad thing. You would be better off believing in fairies than thinking only 1 person will find a way to exploit a bug. The more people who know about this issue the better as it will be more likely that microsoft will actually fix the bug instead of suppressing the author.

Re:And now thanks to /. and microsoft

Just wait for it.
-Barbra

Re:And now thanks to /. and microsoft

The phrasing seemed pretty neutral to me. How would you have phrased it so that it doesn't seem to indicate that it is a bad thing?

Re:And now thanks to /. and microsoft

[Shadow+of+Eternity]

GP just wants someone to hate on, you don't get much more neutral in phrasing than that without making a two word post saying only "Streisand effect."

Re:And now thanks to /. and microsoft

Except, by the time it turns up on slashdot, it already is all over the rest of the internet.

Even if bing removes it from their cahce.

Re:And now thanks to /. and microsoft

[BrokenHalo]

The thing that strikes me as odd is why anybody would bother taking the time to meddle with Bing. Does anybody actually use it? Really?

I know Google has its detractors, but surely no more than Microsoft. We can't all be Steve Ballmer...

Re:And now thanks to /. and microsoft

like this you mean?

Breaking Bing Cashback
Posted November 4th, 2009 by Samir

I've never bought anything using Bing Cashback, but the balance of my account is $2080.06. Apparently, I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th. Let's see how these transactions might have "accidentally" got credited to my account.

First, we need to try to figure out how transactions get into Bing Cashback. Microsoft posted some documentation here. The explanation of how a merchant reports transactions to Bing starts on page 20. Merchants have a few options for reporting, but Bing suggests using a tracking pixel. Basically, the merchant adds a tracking pixel to their order confirmation page, which will report the the transaction details back to Bing. The request for the tracking pixel looks something like this:

https://ssl.search.live.com/cashback/pixel/index?
jftid=0&jfoid=&jfmid=
&m[0]=&p[0]=&q[0]=

This implementation, while easy for the merchant, has an obvious flaw. Anyone can simulate the tracking pixel requests, and post fake transactions to Bing. I'm not going to explain exactly how to generate the fake requests so that they actually post, but it's not complicated. Bing doesn't seem to be able to detect these fake transactions, at least not right away. The six cents I earned in January have "cleared," and I'm guessing the remaining $2080 will clear on schedule, unless there is some manual intervention.

Even if Bing detects these fake transactions at some point in the future, the current implementation might have another interesting side effect. I haven't done enough work to say it with confidence, but a malicious user might be able to block another user's legitimate purchases from being reported correctly by Bing (I only tried this once, but it seemed to work). Posting a transaction to Bing requires sending them an order ID in the request. Bing performs a reasonable sanity check on the order ID, and will not post a transaction that repeats a previously reported order ID. When a store uses predictable order ID's (e.g. sequential), a malicious user can "use up" all the future order ID's, and cause legitimate transactions to be ignored. Reporting would be effectively down for days, causing a customer service nightmare for both Bing and the merchant.

Based on what I've found, I wouldn't implement Bing Cashback if I were a merchant. And, as an end user and bargain hunter, it does not seem smart to rely on Bing Cashback for savings. In our next blog post, I'll demonstrate some other subtle but important reasons to avoid using Bing Cashback.

Re:And now thanks to /. and microsoft

[theurge14]

Wow, I didn't realize that there are people that still believe in that 'security through obscurity' nonsense.

Re:And now thanks to /. and microsoft

[mcvos]

Financial transactions based on a tracking pixel? Really? I just don't know where to start to point out how wrong that is.

PayPal has dozens of different ways to pay, and most of them suck, but at least they don't encourage people to rely on tracking pixels. Either you explicitly send the customer to the payment gateway (including login or entering credit card info there) to authorize the transaction, or you have your own server talk directly to the payment gateway. Relying on a hidden browser-side hack for a financial transaction is just amazingly stupid and unnecessary, even if you don't spot any obvious flaws right away (because someone else will).

Re:And now thanks to /. and microsoft

[TubeSteak]

Wow, I didn't realize that there are people that still believe in that 'security through obscurity' nonsense.

For all we know, the OP is a proponent of that 'responsible disclosure' nonsense.

Re:And now thanks to /. and microsoft

[buchner.johannes]

In traditional Microsoft fashion, the company has responded to the author of the breaking bing cashback expoit with a cease & desist letter, rather than by fixing the underlying security problem.

Maybe they are doing both?

The cease and desist letter seems partially reasonable:

Specifically, at this site you are providing information directing users how to misuse the microsoft Bing Cashback program through unauthorized technical means. Further, on this website you admit that you have personally misused the Cashback program in this regard.

It's pretty stupid to admit you violate a law on a blog that has your name on it. He should have used a anonymous blog for that or inform Microsoft of the issue in the first place.

Re:And now thanks to /. and microsoft

[commodore64_love]

>>>I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th.

According to our idiotic U.S. law, you are guilty of hacking a computer service. It doesn't matter that you didn't actually do it - you are presumed guilty, and it's your job to prove innocence. (Kinda similar to that guy who was falsely accused of downloading child porn - he too was presumed guilty until he could prove that it was malware that did it.)

Re:And now thanks to /. and microsoft

[jack2000]

last i checked GP wasn't a security software ...

Re:And now thanks to /. and microsoft

[lorenlal]

Microsoft is working their Bing campaign hard. I'm seeing ads for it everywhere. I've got a feeling there are at least some folks who will try it out, and maybe even like it. Oh, and if you ever go to Microsoft.com and try searching for anything you're using Bing. There's a reasonable chance that you'll eventually accidentally use Bing.

Re:And now thanks to /. and microsoft

[Nesa2]

All press is good press.
I did not know about Bing merchant system, but now I do. They will fix the flaw in a little while and everyone will know about it. Knowing about this alternative merchant system, I might decide to try it out... and I guess that is the whole point why MS didn't decide to go about a quiet way...

Re:And now thanks to /. and microsoft

[QuoteMstr]

Relying on a hidden browser-side hack for a financial transaction is just amazingly stupid and unnecessary, even if you don't spot any obvious flaws right away (because someone else will).

And people often do precisely that for affiliate programs. Is it any wonder these programs make up one of the shadier areas of the internet?

Re:And now thanks to /. and microsoft

[Homburg]

I'm not sure how this is a sensible response to a poster complaining about security through obscurity: security through obscurity is exactly the problem here. We use information like SSN and address which are not in any way secret, merely obscure, as a way to supposedly verify identity, and that's why we have so much identity theft. The reason no-one wants to post their SSN and address on Slashdot is precisely because security through obscurity sucks.

Re:And now thanks to /. and microsoft

[AvitarX]

I keep an IE window open at work for the sake of an additional gmail account.

Sometimes I accidentally use its search box over Fire Fox's, and yuck, nobody will like it.

The results are so haphazard, it feels like their parody of google is what actually drives Bing.

I don't know how this late in the game a search engine can be so bad.

Re:And now thanks to /. and microsoft

[commodore64_love]

I just read the Cease-and-desist letter. The proper response to such a thing is to tell the lawyer to "fuck off".

But of course that would merely result in you being drug into court by that lawyer.

Freedom of speech is dead.
Corporations own us. Don't believe me?
Go watch the documentary Food Inc (especially the last half hour).

Re:And now thanks to /. and microsoft

[AftanGustur]

Yep !

Future Microsoft Vulnerability Announcements will be made on 4Chan !

Re:And now thanks to /. and microsoft

[IsThisWorking]

Security through obscurity is not about relying on secrecy of data, but about relying on secrecy of the algorithm or implementation. Those two things are different.

If you do not make the distinction between data/information secrecy and design/algorithm/protocol/implementation secrecy, then you do not understand what security is.

Re:And now thanks to /. and microsoft

[0100010001010011]

CashBack? Last Christmas Live cashback was up to 30%. I milked the hell out of that for Christmas presents.

Now it fluctuates between 5 and 10%, nothing big but it's not bad.

As far as actually using it for its intended purpose, nah.

Re:And now thanks to /. and microsoft

[Godji]

Someone please explain the joke to me :)

Re:And now thanks to /. and microsoft

[plague3106]

You sure? I've seen a paypal enabled site where each "add to cart" button is in its own form, with various input type="hidden" Guess what one of the fields was? That's right, it was the UnitPrice!

Re:And now thanks to /. and microsoft

[plague3106]

I've found myself using it a bit more lately. Not nearly as much as google, but for those times googling isn't working, bing has proven helpful. I'd say its better than yahoo at this point.

Oh, and bing maps work on a server restricted IE setup, whereas google maps no longer does.

Re:And now thanks to /. and microsoft

[tomhudson]

Search for "Streisand Effect" Barbra Streisand sued to prevent publication of some pictures; as a result, it became newsworthy.

Re:And now thanks to /. and microsoft

[ShadowRangerRIT]

You know, just because they make it easy doesn't mean it's not hacking. Is it not breaking and entering if a homeowner uses a flimsy lock? (don't get cute and try and say this is no lock at all; it's just a very bad one) If he intentionally exploited this flaw to register fake transactions, then yes, it would be a crime, and for good reason. This isn't some abuse of the hacking law, like trying to nail people for violating the ToS of a site and calling it hacking, this is basically the definition of the term (in the real world; I know some pedants want to call it cracking instead of hacking, but to the non-geek world, it's hacking).

Re:And now thanks to /. and microsoft

Right, but that is how the site is structuring the order that /the site/ will send to Paypal; Not relying on the customer to forward the payment information to it through an obscured mechanism. Full Disclosure: I know one of Paypal's security chiefs (And he provides me with free paypal tokens :P); I've read the API, though, and somebody thought it through.

Re:And now thanks to /. and microsoft

[commodore64_love]

Your comment about the "bloody knife in your hand" reminds me of a recent case in Baltimore. A man was presumed guilty and spent over 20 years in jail, because he was at the scene of the crime, and he *looked* guilty. But then a test was performed, and it was discovered that the DNA left-behind by the murderer (on the knife) was not the man in prison. Baltimore had caused an innocent man to lose 20+ years of his life.

This type of thing happens a LOT. We shouldn't be presuming guilt. We should be presuming innocence. Just because you have a knife in your hand, or child images on your PC, or $2000 suddenly appeared in your Bing Cash account, doe snot mean you committed the crime. You could have been framed (malware) or mistakenly identified (your neighbor downloaded the stolen songs, not you) or whatever.

The onus should be on the prosecutor, not to just provide evidence, but also proof that YOU committed the actual act. If he can't do the latter then you should presumed innocent and freed.

Re:And now thanks to /. and microsoft

[abigsmurf]

Wow. So you're saying that someone who is in possession of a computer with child porn shouldn't be brought to trial on possession of child porn charges? That someone who not only admits to doing something, but posts credible, detailed information on how he achieved it doesn't deserve to be brought to trial?

In case you didn't notice, both of these examples are incredibly damning evidence, just as seeing someone over a corpse with a knife and blood on his hands is pretty damning too.

You don't seem to understand the point of trials. Trials happen when there is convincing evidence that on it's own, if you didn't defend yourself, would be enough to find you guilty of a crime. The presumption of innocence at that point is irrelevant because the evidence trumps the presumption. For a case to get to court, there is a minimum burden of proof. Hence cases getting dismissed by judges when there isn't enough proof. The purpose of a trial is to provide defendants a chance to show the evidence against him doesn't prove guilt.

Re:And now thanks to /. and microsoft

Pardon me, but it seems from his blog that he DID do it. Any similarity to the child porn case from yesterday is limited at best, illusory at worst. This is a different situation.

Fortunately according to US Jurisprudence, there's a concept called Mens Rea. It's certainly an affirmative defense, but it may serve to eliminate culpability.

Not that the guy didn't behave stupidly in some ways, but that's another matter.

Re:And now thanks to /. and microsoft

[drinkypoo]

you are presumed guilty, and it's your job to prove innocence.

Destroying any checks paid/returning any electronic payments should prove intent nicely.

Re:And now thanks to /. and microsoft

[Daetrin]

Well clearly the poster meant to indicate that if the GP isn't happy with the security through obscurity used by our current banking and social security system then why hasn't he gone out and created his own banking and social security system? With blackjack! And hookers! In fact, forget the banking and social security system!

Re:And now thanks to /. and microsoft

[madcow_bg]

Obligatory quote from The Black Adder:

Perkins: Oh, your lawyer now, yes sir. Don't you think that might be a bit
          of a waste of money, sir.

Edmund: Not when he's the finest mind in English legal history. Ever heard
        of Bob Mattingburg?

Perkins: Oh, yes indeed, sir! A most gifted gentleman!

Edmund: I remember Mattingburg's most famous case, the case of the bloody knife.
        A man was found next to a murdured body, he had the knife in his hand,
        thirteen witnesses that seen him stab the victim, when the police
        arrived he said, "I'm glad I killed the bastard." Mattingburg not
        only got him off, but he got him knighted in the New Year's Honors
        list, and the relatives of the victim had to pay to have the blood
        washed out of his jacket.

Re:And now thanks to /. and microsoft

[FlyingBishop]

No, you get more neutral in tone by not blaming /. as you did in the title. If you had simply said "And now it will be all over the net." That would be neutral. However, you specifically chose to call out Slashdot and Microsoft as responsible for the Streisand Effect.

Re:And now thanks to /. and microsoft

[Sporkinum]

Yahoo will be bing soon.
http://www.eweek.com/c/a/Search-Engines/Microsoft-Yahoo-Delay-Search-Deal-to-Dot-Is-Cross-Ts-599609/

Re:And now thanks to /. and microsoft

[realityimpaired]

Wow, I didn't realize that there are people that still believe in that 'security through obscurity' nonsense.

It's not nonsense, it's just silly to expect it to be your only line of defense. By all means use an obscure platform, as long as you have people who can maintain and support it, but don't use it as a substitute for some common sense, and for securing your system, keeping it properly maintained and updated, limiting points of entry, blocking remote root access, using non-standard, non-root usernames with very secure passwords for system maintenance/root tasks, etc..

But security through obscurity does still offer an amount of extra security, and shouldn't be dismissed out of hand.

Re:And now thanks to /. and microsoft

[Svartalf]

I hate to tell you, but having kiddie porn ON YOUR COMPUTER is fairly good evidence you've done something wrong.

I hate to tell you, but that's not at all accurate.

Normally, you can say that the "virus framed me" line is akin to "the dog ate my homework". Unfortunately in this case, it really, really did do what they claimed on this one- and your line of reasoning is bogus. ANYTHING can happen, including having someone plant it on your machine without your knowledge- especially if you're using Windows as an OS.

Re:And now thanks to /. and microsoft

[FooAtWFU]

Heck, publicizing the thing is a pretty good show of his intent. If he'd wanted to defraud Microsoft, he'd be keeping quiet about it. This is pretty clearly about disclosing a vulnerability, not "bragging" about defrauding a large corporation.

Re:And now thanks to /. and microsoft

[rev_g33k_101]

The results are so haphazard, it feels like their parody of google is what actually drives Bing.

I don't know how this late in the game a search engine can be so bad.

answer:

Because
It's
Not
Google

It's all in the name :D

Re:And now thanks to /. and microsoft

[mweather]

They ARE responsible. Their responsibility wasn't presented as either a positive or a negative thing. The phrasing was entirely neutral.

Re:And now thanks to /. and microsoft

[FlyMysticalDJ]

If I painted your fence, and someone came along and said "now thanks to him, your fence is painted" would you assume it was bad thing? Citing a cause of something is not the same as placing blame.

Re:And now thanks to /. and microsoft

[FlyingBishop]

No, but let's take a car analogy, as this is Slashdot:

Say you leave your keys in your car, in plain view, and someone notices this, and goes into the conference center that you're at and informs several people that someone has left their keys in plain view out in the parking lot, and should deal with the situation. Soon everyone knows, and the conference management (Slashdot, we'll say) makes an official announcement.

Now, to make it a little more interesting, it isn't your car, but you were driving, and you tell the owner of the car (also at the conference) not to worry about it, it will be fine. The owner does not agree, but cannot leave, and you refuse to remedy the situation.

Now, there are three responsible parties here, should the car get stolen.
1) The moron who left the keys in the car (Microsoft)
2) The guy who went around describing the make, model, and location of the car (exploit publisher)
3) Everyone at the conference. (The Internet)

Now, Slashdot falls under #3, but why call out Slashdot to the exclusion of #2, or the internet at large? Slashdot is likely the first place many will hear of it, but if they hadn't published it that wouldn't have stopped anyone from reading and talking about the exploit writer's publicly available explanation.

In short, citing two causes of something as primary causes when there are clearly other actors with notable roles is the very definition of placing blame.

Re:And now thanks to /. and microsoft

[drinkypoo]

Normally, you can say that the "virus framed me" line is akin to "the dog ate my homework".

Yes, they say that in the article you link: "It's an example of the old `dog ate my homework' excuse," says Phil Malone, director of the Cyberlaw Clinic at Harvard's Berkman Center for Internet & Society. "The problem is, sometimes the dog does eat your homework." No, the real problem is that you're responsible for your homework, and that includes being responsible for keeping the dog from eating your homework. Possession of child pornography is a crime. While I think this is just wrong for reasons that we are discussing here (e.g. virus activity, malicious planting of data) I also think that just as you would try to secure your house, you should try to secure your computer. Making possession a crime leads to these slippery slopes, when in any case the real crimes are commited by those who create child pornography, and those who traffic in it (since the only currency some need to continue producing their work, however twisted, is the appreciation of an audience.) Yes, this makes the acquisition a crime; Yes, I understand that this is difficult, and it's why possession is illegal. It's still no solution.

Re:And now thanks to /. and microsoft

[plague3106]

You haven't pointed out a case where anyone was presumed innocent. In both instances a reasonable person looking at all the facts AT THE TIME concluded the person did it. The problem is not people being presumed guilty, the problem is we didn't have all the facts.

This type of thing happens a LOT. We shouldn't be presuming guilt. We should be presuming innocence. Just because you have a knife in your hand, or child images on your PC, or $2000 suddenly appeared in your Bing Cash account, doe snot mean you committed the crime. You could have been framed (malware) or mistakenly identified (your neighbor downloaded the stolen songs, not you) or whatever.

Yes you could have been framed. But being framed isn't a reasonable thing to believe unless you have something to lead me to believe you were. What you propose would not allow us to convict anyone.

There's a difference between a case throwing flimsy and circumstatial evidence at you and "wow, it really looks like he did it." The difference is the expectation that a jury can have "no reasonable doubt." Its not reasonable to assume everyone was framed, or that the far out story explaining the knife in your hand is true, etc.

Your explaination may be theoritically possible... but that's not enough. It has to be a reasonable explaination which counters the prosecution.

The onus should be on the prosecutor, not to just provide evidence, but also proof that YOU committed the actual act. If he can't do the latter then you should presumed innocent and freed.

Yes, and in all the cases you're talking about, the facts seem to indicate that the accused did it. If kiddy porn is on your computer, I'm inclined to believe one of the users put it there. That's not presuming guilty, its making a reasonable judgement based on the facts I have.

Re:And now thanks to /. and microsoft

[plague3106]

An exception does not prove a rule. You can't assert that a virus did it and not expect to be able to show you had a virus. Simply throwing out that it COULD happen doesn't mean it did.

Yes, in this case that's exactly what happened. A reasonable person would conclude he did it based on the fact that only he had access to the computer. Its fine to say "I'm innocent" in that case, but you need to show your story is in fact reasonable.

Otherwise you might as well say the FSM downloaded it.

Re:And now thanks to /. and microsoft

[RawsonDR]

Is it not breaking and entering if a homeowner uses a flimsy lock? (don't get cute and try and say this is no lock at all; it's just a very bad one)

In fact, the law is that it is still breaking and entering even if there is no lock. The point is that the door was closed for a reason and you knew what you were doing by "forcing" it open and entering. It is fairly analogous to this case where the blogger did not need any sort of secret 'key' to falsely use the system, but there's no question that it was intentional (in fact he admits it later and gives enough damning details for Microsoft to prove it's true).

On the other hand, we tend to notice that he did not seemingly intend to take anything. We have sympathy because we appreciate the merits of it as a mental exercise and for pointing out a security loophole. But we aren't Microsoft (or any of the thousands of third parties!) who actually depend on this system for legal and financial reasons.

It all boils down to intentions. It doesn't say in the blog post, but it doesn't look like the author made any attempts to inform Microsoft of the fraudulent transactions before he posted the info publicly, and we know that it's been almost a year since he first did it. He'd have a lot more ground to stand on had he at least done that.

Re:And now thanks to /. and microsoft

[NekSnappa]

Common man! This is /. so it has to be self-referencing
Bing
Is
Not
Google

Re:And now thanks to /. and microsoft

[Dishevel]

Time to burn some karma. I know this is flamebait but I feel the need.

No, you get more neutral in tone by not blaming /. as you did in the title. If you had simply said "And now it will be all over the net." That would be neutral. However, you specifically chose to call out Slashdot and Microsoft as responsible for the Streisand Effect.

Slashdot is running the story that Microsoft is trying to hide. Therefore they are in fact RESPONSIBLE.

You are an idiot and need to STFU and go away for the day.

Re:And now thanks to /. and microsoft

[amicusNYCL]

PayPal has a mechanism to send the transaction back to the originating server to verify that it actually took place on that site. And likewise, when your server receives a notification from PayPal you can send it back to PayPal to verify that they actually sent it.

Re:And now thanks to /. and microsoft

[amicusNYCL]

According to our idiotic U.S. law, you are guilty of hacking a computer service. It doesn't matter that you didn't actually do it - you are presumed guilty, and it's your job to prove innocence.

Nice troll, but that's not how it works. A confession tends to remove that whole notion of "presumed innocent". This guy confessed to exactly what he did. Frankly, he should be convicted and fined, at the very least this is fraud that he willfully perpetrated and then confessed to.

Probably not the most intelligent blog post he's ever made..

Re:And now thanks to /. and microsoft

[amicusNYCL]

This is pretty clearly about disclosing a vulnerability, not "bragging" about defrauding a large corporation.

That doesn't change the fact that he did indeed defraud Microsoft and that he also intended to do it. That's something he could easily get convicted on. It doesn't really matter why he defrauded them, if he did so and intended to then he's guilty of the crime.

Re:And now thanks to /. and microsoft

[FooAtWFU]

His screenshot showed it was all 'pending'. If a tree falls in the forest and no one is there to hear it or collect the money, is it fraud?

Re:And now thanks to /. and microsoft

[witherstaff]

There is a current case before the supreme court along this line. The argument is there is no constitutional right not to be framed. Oh and the Obama admin backs this stance, along with 28 states.

Re:And now thanks to /. and microsoft

[JWSmythe]

    Aw, you haven't read enough civil lawsuits, have you.

    It's rarely about who's right or wrong. It's about who can screw who for how much.

    In your car analogy, there would be plenty of other lawsuits.

    The car manufacturer would be sued for not providing a warning label on the keys.

    The key manufacturer (if not the car manufacturer) would be sued for providing an insecure system.

    The conference center would be sued for not providing adequate security to protect against said theft.

    Wackenhut (the security company for said conference center) would be sued for allowing the car to be stolen.

    The local police department would be sued because they failed to stop the theft.

    The list could go on and on, but you see it. Usually the prime targets are those with lots of money. Why go after the people attending the conference, when the real money lies with the car manufacturer, Wackenhut, and (possibly) the local government.

Re:And now thanks to /. and microsoft

[FlyingBishop]

See my reply to flymysticaldj above yours. There are other storytellers involved, notably the exploit writer. Why not call him out? The OP was making the tacit assertion that exploit writers aren't responsible for anything that happens when they publish their findings. I don't necessarily disagree, but his emphasis on Slashdot and Microsoft was not neutral.

Re:And now thanks to /. and microsoft

[amicusNYCL]

The six cents I earned in January have "cleared," and I'm guessing the remaining $2080 will clear on schedule

This has nothing to do with trees falling, it's still fraud. He specifically intended to commit fraud, and he was successful at it. And what's more, he even confessed to it on his blog. There's not a lot of grey area here.

Re:And now thanks to /. and microsoft

[shutdown+-p+now]

The thing that strikes me as odd is why anybody would bother taking the time to meddle with Bing. Does anybody actually use it?

It's effectively the default search engine for any version of IE up to and including IE7 (since all MSN/Live Search queries are now redirecting to Bing).

It's also the search engine that will be used if you pick "Recommended Settings" on first start of IE8 (I'm not calling that "default", because neither "recommended" nor "customize" options are selected, so you can't just click "Next" on that screen - you have to actually pick one first).

Yeah, I'd imagine it adds up to quite a few numbers. Also, it looks similar enough to Google that many people might not bother to switch from their default.

Re:And now thanks to /. and microsoft

[Blakey+Rat]

They could use a tracking pixel, but put it on HTTP and behind a user/password prompt. That way, it would have to be reported by the e-commerce site's back-end (making implementation more difficult), but the security would be there.

It's not the tracking pixel that's necessarily the problem, it's the completely unsecured generated-client-side tracking pixel.

Re:And now thanks to /. and microsoft

[jayme0227]

We should be presuming innocence. Just because you have a knife in your hand, or child images on your PC, or $2000 suddenly appeared in your Bing Cash account, doe snot mean you committed the crime.

Do you realize how difficult that would have made proving someone guilty in court, even just 20 years ago? With today's technology, it is becoming a lot easier to mesh "beyond a reasonable doubt" and "certainty," but that hasn't always been the case. Many of the tools that we have now, video surveillance, DNA analysis, cell phone records, etc. were not in existence, or at least not widely used just 20 years ago.

"Yes, I had the knife in my hand, and yes your witness saw someone wear similar clothing to me commit the murder, however it wasn't me. I heard a scream and felt the need to run over to the murder victim and pull the knife out of her chest. I then decided that I had to chase down the suspect. Unfortunately, running with the knife in my hand was slowing me down, so I decided to throw it in a nearby dumpster, so as to avoid having someone else hurt themselves on the knife. Unfortunately, all of my actions happened after the eyewitness went inside to call the police. I never did find the murderer, though, and I'm sorry for that."

How would you have "proven" this case before the advent of DNA evidence or video surveillance? You really couldn't. That's why the standard is set at "beyond a REASONABLE doubt." If a reasonable person hears that story and says "hogwash," it's likely that it is completely made up. Does this have the unfortunate effect of causing innocent people who did stupid things to be put in prison? Yes. But it also had the effect of stopping criminals from escaping prison time because there was no "proof" that they did it, only evidence that suggested it which could be explained away.

As I said earlier, we are fortunately moving in a direction where "certainty" and "beyond reasonable doubt" are meshing together and becoming the same thing, but until that point, there will be cases where judgment calls have to be made. Unfortunately that means innocent people will go to prison.

Re:And now thanks to /. and microsoft

[Blakey+Rat]

I meant to say "put it on HTTPS", not "HTTP."

Re:And now thanks to /. and microsoft

[CowTipperGore]

The onus should be on the prosecutor, not to just provide evidence, but also proof that YOU committed the actual act. If he can't do the latter then you should presumed innocent and freed.

When possession itself is a crime, it is easy to prove that the crime was committed.

Re:And now thanks to /. and microsoft

[cboslin]

All press is good press. I did not know about Bing merchant system, but now I do.

The only good reason not to publish, as promoting FUDly Microsoft is just bad. At least for 7 years... I restarted my 7 year clock last week, yet again.

I would say publish and publish often. The fact that the exploit exists and Microsoft is vainly attempting to hide its existence is the news worthy item in my book.

Re:And now thanks to /. and microsoft

[Khyber]

"then you do not understand what security is."

sayeth the person that TOTALLY IGNORES MENTIONING PHYSICAL SECURITY.

Re:And now thanks to /. and microsoft

[MostAwesomeDude]

Corbin D. Simpson

975 NW Garfield, Corvallis, OR 97330

I'll leave it up to you to deduce my SSN; it's not terribly difficult. I'm not posting it because I'd like to hold on to what little cash I've got, although if you're going to defraud a college student with empty pockets...

Re:And now thanks to /. and microsoft

[netsharc]

Ugh, why IE.. you can use Firefox with multiple profiles (Google it, or should I say "Bing it"), or do what I do, use Chrome, and jump into porn (aka private) mode if I want to login to another account.

Re:And now thanks to /. and microsoft

[netsharc]

But the user gets presented with Paypal's site and they say, "Confirm you want to pay nigerianprince@yahoo.com $25,000", so Paypal won't lie to you about the price.

But then, if it's actually paypa1.com, clueless users won't realize what's going on after all.

Re:And now thanks to /. and microsoft

[AvitarX]

Sorry, but a single instance of google applications for my domain is not significantly degraded by IE 7.

Though if the occasional accidental Bing search makes it into my postings maybe I am traumatized enough that it is worth the effort.

Re:And now thanks to /. and microsoft

[IsThisWorking]

One of these days someone might come around to explain to you the idea of conversation context. This whole thread is about software security. The OP mentioned security by obscurity, which is a concept usually used in the context of software security. Why would you bring a completely unrelated context to the thread?

Heck, if we wanted to be picky about it, we could say that your post is almost offtopic...

Re:And now thanks to /. and microsoft

[GasparGMSwordsman]

>>>I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th.

According to our idiotic U.S. law, you are guilty of hacking a computer service. It doesn't matter that you didn't actually do it - you are presumed guilty, and it's your job to prove innocence. (Kinda similar to that guy who was falsely accused of downloading child porn - he too was presumed guilty until he could prove that it was malware that did it.)

The law is not idiotic. It is also not a guilty until proven innocent issue.

Every /. reader is sure of what he did. Why? Because of what HE WROTE. He makes it very clear what he did, just because he did not jump up and down and say "I committed wire fraud," does not mean it is not obvious.

What is stupid here is that Microsoft sent a cease and desist letter to the guy that even mentioned his writing. What they should have done is sent a cease and desist letter to him requesting that he STOP STEALING FROM THEM. Instead they mentioned a secondary issue and now the story is about Microsoft censoring someone. This was a simple and stupid PR move by Microsoft.

For those of you who question if he was stealing or not? Well please point out where he says he is going to return the $2080.06 or contact Microsoft about this issue. I didn't see a mention of the author doing either of those things. What was written was that $2080.06 that he had no right to was being transferred into his account...

Re:And now thanks to /. and microsoft

[ConceptJunkie]

I found a small site that did something similar and successfully put something in the shopping cart with a modified price as a proof of concept. I e-mailed the vendor and explained that this was a very easy vulnerability to exploit and they responded that it wasn't a problem since all orders were reviewed by a human as part of processing. Now possibly their volume or product selection was so small that it didn't matter, but it sounds insanely stupid to me. I also e-mailed the company that supposedly provided the software that ran the store but never heard back. This was quite a few years ago, but I don't doubt some people are still doing it.

In fact, I just pinged the idiots that they farmed out some software development to at my job that passing plaintext passwords in the URL probably wasn't a good idea. While this was part of an internal test, I wouldn't have put it past them to end up exposing this functionality to the public in some way. I don't know squat about web security, but I'd already found another serious security flaw.

Although I'd expect better from Microsoft, the fact that it happened doesn't surprise me.

Re:And now thanks to /. and microsoft

[GasparGMSwordsman]

We use information like SSN and address which are not in any way secret, merely obscure, as a way to supposedly verify identity, and that's why we have so much identity theft. The reason no-one wants to post their SSN and address on Slashdot is precisely because security through obscurity sucks.

Well that and if post your SSN it really isn't obscure anymore now is it...?

Re:And now thanks to /. and microsoft

[thetoadwarrior]

What did you expect. MS has proven time and time again that they're a bunch of incompetent tits.

Re:And now thanks to /. and microsoft

[theaveng]

What if, and please don't be shocked, the porn was actually put there by the district attorney, anxious to get re-elected next year because he's "tough on crime" or "protects the children", so he frames a bunch of people by filling their machines with child images. It's happened before.

Or what if the accused thinks 'Maybe it was a virus,' but has no way to prove it because the PC is locked-up in police custody. That could have EASILY happened in the linked case, with the result of that man being stuck in jail for 5+ years, since he couldn't prove his innocence.

And then there's the simple "my friend's a creep" factor. I've used friends' computers. It would be extremely easy for me to download some child porn during that time. And then THEY get the blame for it, even though they are innocent of wrongdoing. ----- Ye are too quick to presume "he's guilty" on extremely flimsy evidence (yes images on a Windoze computer, which can be easily hijacked, is flimsy).

Re:And now thanks to /. and microsoft

[mgblst]

What are you talking about, this sort of thing would never happen on the wire. He must have been in the game.

Re:And now thanks to /. and microsoft

[theaveng]

If kiddy porn is on your computer, I'm inclined to believe one of the users put it there

So in brief, your view is that the guy from yesterday's article, even though he had been framed by a bot program downloading child porn, should be sitting in jail for 5+ years. In your view, if somebody can not prove his innocence, then he's presumed guilty. The prosecutor has absolutely no obligation to prove the guy *actually* downloaded the images - the mere existence of the images is enough to deprive a man of his liberty for several years.

That's fucked up, and it's a violation of inalienable human rights.

In my view the mere existence of images should not be enough. The man should be presumed innocent, be presumed to Not have downloaded those images (unless the prosecutor can produce proof he did the actual act), and be left to go free. Better to let the man go, than to imprison an innocent men.

BTW:

This is why I'm also against the death penalty. The system makes mistakes, innocent people get charged, and you can't undo death.

Re:And now thanks to /. and microsoft

[Sir_Lewk]

Why did they mention slashdot in particular? Oh I don't know, maybe because this is slashdot?

As others have stated, you are a dumbass, just give it up.

Re:And now thanks to /. and microsoft

[tietokone-olmi]

Fool.

Re:And now thanks to /. and microsoft

[X0563511]

You do know that gmail allows imap now, over SSL even.

Set up thunderbird, and you could have 100s of gmail accounts being checked by a single application.

Re:And now thanks to /. and microsoft

[plague3106]

What if, and please don't be shocked, the porn was actually put there by the district attorney, anxious to get re-elected next year because he's "tough on crime" or "protects the children", so he frames a bunch of people by filling their machines with child images. It's happened before.

You really don't get it, do you? I'm not saying it CAN'T happen, I'm saying it DOESN'T HAPPEN OFTEN. There's a huge difference. If there's child porn on a computer, its not unreasonble to suspect the computers owner. The owner then can't say "well I might have been framed".. yes, its possible, but without reasonable evidence they were framed, the fact that it could happen isn't a reasonable argument that it DID happen like that.

Or what if the accused thinks 'Maybe it was a virus,' but has no way to prove it because the PC is locked-up in police custody. That could have EASILY happened in the linked case, with the result of that man being stuck in jail for 5+ years, since he couldn't prove his innocence.

The defense is entitled to ALL of the evidence the prosecution has. They should be able to get a clone of the hard drive to examine. If they fail to do so, or there's evidence of tampering, that's a good way to get the case thrown out.

And then there's the simple "my friend's a creep" factor. I've used friends' computers. It would be extremely easy for me to download some child porn during that time. And then THEY get the blame for it, even though they are innocent of wrongdoing. ----- Ye are too quick to presume "he's guilty" on extremely flimsy evidence (yes images on a Windoze computer, which can be easily hijacked, is flimsy).

Its the same thing as lending your car to your friend. If he gets a parking ticket, YOU'LL be the one responsible to pay. You'd have to prove it was your friend driving the car to get out of it (even then though, traffic laws are such that you're still responsible, its up to you to make sure you trust the person you lend your car to).

I'm not presuming he's guilty. I have a reasonable belief he is based on the evidence at hand. You say its flimsy, but its not. Just like the owner of a car would be the first one questioned about a hit and run where someone only got the plate, you'd have to actually show that your story is true, because we have REASONABLE evidence that you've done something. If it is how you say, then there should be something that at least says your story is reasonable as well.

Re:And now thanks to /. and microsoft

[Khyber]

Software security means JACK SHIT if there is no physical security protocols implemented.

It doesn't matter if you've got the best encryption on the planet, if I can gain physical access, YOU'RE FUCKED.

Re:And now thanks to /. and microsoft

[bobzaguy]

What fun is fixing bugs when you can fuck over someone in court? —W. Gates

Re:And now thanks to /. and microsoft

[bobzaguy]

What about the 800# gorilla in the room? The "anon" reader who wrote about it? Where does he-her fit in?

Re:And now thanks to /. and microsoft

[Alsee]

Bing
Is
Not
Gnu/gle

P.S.
Someone at Microsoft seriously needs to read my sig.

-

Re:And now thanks to /. and microsoft

[IsThisWorking]

It doesn't matter if you've got the best encryption on the planet, if I can gain physical access, YOU'RE FUCKED.

Shows how little you know. If I have the best encryption algorithm on the planet, and my data is encrypted, I can give you all of it (data and encryption algorithm). No amount of physical access to that encrypted data will get you closer to the plain text than knowing the key used for encryption. That is the whole point of encryption. The best you can do is crypto-analysis of the algorithms based on their mathematical formulas, and not on any particular set of data. I suggest you read more about attack models before spouting that kind of non-sense.

Heck, the whole idea of SSL/TLS is that you can have a secure, authenticated, private conversation over a completely unsecure, unauthenticated, compromised channel. Yes, you read it right: using SSL I can give you complete, 100% control of the communication channel. This will not give you any insight about the content of the conversation. The best you can do is deny service - which is, in fact, a physical security issue.

Another evidence of your ignorance about security: make a computer system completely secure from a physical point of view, so that no one can get physical access to it. If that system does not have also a strong layer of software security, your physical security is worth nothing. The botnets with millions of zombies PCs are an example of that. Or do you really think that whoever controls those botnets went from home to home to install the botnet software? I'm pretty sure that most of those PCs were safely locked in their owners' homes.

That is to say that I do acknowledge the need for physical security, but again, the whole thread was not about physical security, it was about software security. Which leads me back to my previous answer (which you quite conveniently ignored) that your rant is at best offtopic, if not just trolling. The unrestrained use of caps confirms that suspicion.

So there you go. My point was that indiechild was wrong to claim that security by obscurity was the same as hiding your personal info, since the definition of the term is about algorithms and not data. Then you came along and tried to shoehorn physical security in the conversation, for reasons unknown. I tried to tell you that in the scope of this conversation, physical security is irrelevant. And now you go even further out of topic, on some rant about how encryption cannot withstand scrutiny from physical access. In this post I showed that software security can resist some types of physical access attacks and that physical security is nothing without software security.

Ugh, just by reading your post again makes me cringe. What are "physical security protocols" anyways? I have heard about physical security policies, physical security mechanisms, but protocols? Is this when one spy says: "The polar bear collects spare change" and the other one answers "The cheese stands alone"? Seriously, for someone who is trying to criticize someone else's knowledge about a specific field, you should pay more attention to the terminology of the field.

By the way, those were rhetorical questions. I really do not need to read more half-baked, I-learned-it-from-teh-interwebs, non-sense about security.

Have a nice day.

Re:And now thanks to /. and microsoft

[Khyber]

You fail at one basic principle.

Man can make it, man can break it.

Until we get to quantum computing.

Re:And now thanks to /. and microsoft

[Khyber]

"By the way, those were rhetorical questions. I really do not need to read more half-baked, I-learned-it-from-teh-interwebs, non-sense about security."

No, I used to be a security officer, so it doesn't surprise me that you'd have no clue about the basics of any form of security. Security protocols are such that "This is not allowed to happen without x and y things agreeing or matching" and other things. You do know what a protocol is, yes? it's not just applied to a digital world, we've had protocols for most anything you can name for centuries before any computer was invented, tool.

How does he know MS isn't doing anything else?

[blankinthefill]

I'm curious how 'anonymous reader' knows that Microsoft is doing nothing to fix the problem. This has been bugging me for a long time. Its possible that a workable solution could take some time to get implemented, and in that time, doesn't it make sense to send a C&D letter in the interim? Hell, doesn't it make sense to send the letter anyways, so you don't have all these assholes trying to break your system? A C&D letter doesn't mean that other actions haven't been taken. Just a thought.

Re:How does he know MS isn't doing anything else?

Well - first at all they could simply say they will be working on it hm?

And secondly - to assume they are not working on it is just as viable as assuming they are working on it. Without any feedback anything can be assumed. This is why a C&D letter is so harmfull...

Re:How does he know MS isn't doing anything else?

Uh? Cash back is negative income for Microsoft, and as a lawyer who sends C&Ds for a living, I am offended by the fact that you call that "doing nothing".

Re:How does he know MS isn't doing anything else?

[MadnessASAP]

Ever heard of the Streisand effect? If you're trying to suppress information about something a C&D is the last thing you want to do. Furthermore many companies when put in an identical situation will respond with "Thank you we are aware of the problem and are currently working on it" rather then a C&D.

Also you sound like a schizophrenic jackass.

Re:How does he know MS isn't doing anything else?

[Chrisq]

If they had any sense they would have anticipated the Streisand affect. It would have been much more effective to tell him the situation, ask him to remove the post and offer him whatever they paid their lawyers to issue the injunction as a "good will" gesture. That way if he did release it then he'd look like an @sshole rather than a victim.

Re:How does he know MS isn't doing anything else?

[mdenham]

You're right, sending C&Ds isn't doing nothing.

It's actively producing negative work, turning productively spent time into wasted time.

So congratulations, you're doing less than nothing!

Re:How does he know MS isn't doing anything else?

[neothoron]

Problem is, sending a C&D letter is doubly ineffective:

• it barely has any effect in keeping potential exploiters from getting access to the vulnerability;
• someone who cared enough about MS so that they could better themselves is treated like a nuisance (at best).

In fact, compare that to the way the last TLS-related vulnerability was handled; in both cases, a critical flaw is revealed before a fix was ready. In the TLS case, it was handled with forthcoming and transparency. I'm not saying that MS should do the same (MS probably can't); but they would show more respect to Samir, and to all their bing cashback clients, by:

• Ask Samir to remove most of the "sensible" post information - you know, instead of threaten with litigation from the get-go.
• Take an official stance on that problem; what's the risk, who's affected, what should be done - instead of leaving bing cashback clients vulnerable to misinformation and abuse.

Re:How does he know MS isn't doing anything else?

[value_added]

As to your first point, most business are very secrative about potentially damaging things. I don't understand why it's surprising when MS acts just like every other large corporation in protecting itself.

It's a truism, if not a cliche, to point out business are secretive about potentially damaging things.

The difference here is that the scope of damage extends outside narrow corporate concerns. In such situations, it's both fair and reasonable for customers to expect a certain level of transparency. In many industries, disclosures that negatively affect third parties are mandated by law (cue the car analogies).

Microsoft has chosen, in historically typical fashion, the complete opposite of transparency. The criticisms are well deserved.

Re:How does he know MS isn't doing anything else?

C&Ds do work in two cases:

The first is if the C&D gets out fast enough that people are not unable to mirror the information, especially if it is stored in a dynamic database that can't just be grabbed completely with a wget. One example of this: Say someone makes a keygen app that runs on their webserver, and people submit forms to get bogus serial numbers. A C&D would completely smash this, preventing the information from getting released. Similar if people ran other services that could be nailed by an ACTA or DMCA takedown notice.

The second is that the information that does escape the C&Ds gets pushed from mainstream sites to the seedy corners of the Internet. These are the same areas that have the dubious filesharing programs, the warez "search engines" and "DDL" sites [1], the "bump all Abloy locks in 2 secs, lulz" [2] text files, and other dodgy sites which tend to be more of a test of browser security than a place to find anything useful. So, unless someone is willing to spend time looking for that exact information on a hardened computer, it effectively has vanished.

Don't underestimate the power of lawyers. They have the guys with guns on their side.

[1]: I have DDL, or direct download in quotes because I have yet to personally see a usable direct download other than a Trojan or a drive by browser exploit in all my years of cleaning malware off of people's PCs who do believe in such fantasies.

[2]: Yes, I know Abloy locks are unbumpable because of their design, but it is a good example. I don't know anything that defeats their latest PROTEC line of locks other than 12-14 hours of painstaking picking by dedicated speedpickers, or a good long session drilling the sucker out.

Re:How does he know MS isn't doing anything else?

[lkcl]

it's the lack of thought for consequences of censorship that has me confused. in this day and age, with the overwhelming occurrences of embarrassment that occurs repeatedly over censorship attempts and cover-up attempts, surely businesses would work out by now that a "thank you! we'll fix this IMMEDIATELY! and we'll even pay you some money, and, for anyone else who is listening, we'll pay a BOUNTY to anyone else who privately reports security problems in the future!" approach would make them appear to be a much more enlightened and responsible company. ... or am i just expecting too much?

.

Re:How does he know MS isn't doing anything else?

[DNS-and-BIND]

Incompetence is more than an adequate explanation. I, for one, am no longer shocked when huge companies admit to shamefully incompetent wrongdoing. And Microsoft has a history of such blind stupidity, so no surprises there either.

Re:How does he know MS isn't doing anything else?

[mcvos]

and as a lawyer who sends C&Ds for a living...

Wow, that's sad. That's almost like admitting to being a parking inspector...

Parking inspectors do important work. They keep parking spaces available for those who really need them. I feel sorry for the abuse they sometimes get.

Re:How does he know MS isn't doing anything else?

[mcvos]

Its possible that a workable solution could take some time to get implemented, and in that time, doesn't it make sense to send a C&D letter in the interim? Hell, doesn't it make sense to send the letter anyways, so you don't have all these assholes trying to break your system?

How the hell does a C&D prevent assholes from breaking your system? Only fixing your system can do that. They should have sent him a letter expressing their gratitude for pointing out this security hole.

But more than that, they shouldn't have enabled and encouraged merchants to rely on a horribly insecure payment method.

Re:How does he know MS isn't doing anything else?

[SimonTheSoundMan]

You obviously haven't seen parking inspectors or clampers in the UK at work.

Re:How does he know MS isn't doing anything else?

[vadim_t]

The first is if the C&D gets out fast enough that people are not unable to mirror the information, especially if it is stored in a dynamic database that can't just be grabbed completely with a wget. One example of this: Say someone makes a keygen app that runs on their webserver, and people submit forms to get bogus serial numbers. A C&D would completely smash this, preventing the information from getting released. Similar if people ran other services that could be nailed by an ACTA or DMCA takedown notice.

That's until it reappears on some site hosted in China or random servers that were broken into.

The second is that the information that does escape the C&Ds gets pushed from mainstream sites to the seedy corners of the Internet. These are the same areas that have the dubious filesharing programs, the warez "search engines" and "DDL" sites [1], the "bump all Abloy locks in 2 secs, lulz" [2] text files, and other dodgy sites which tend to be more of a test of browser security than a place to find anything useful. So, unless someone is willing to spend time looking for that exact information on a hardened computer, it effectively has vanished.

So great job, you managed to keep the information from the sysadmins and other upstanding people, but it's still available in the dark corners of the net, where people with questionable motivations can still get at it.

Now for the company it's all good, but from the global point of view, things are worse than before.

Don't underestimate the power of lawyers. They have the guys with guns on their side.

Yep, that worked really well with the AACS key.

Re:How does he know MS isn't doing anything else?

[mister_playboy]

I wrote parking tickets as a job in college... very easy. My rule was to let people go if they showed up during the ticketing, which resolves every single confrontation in a positive way. If I had to call a tow truck on the car, I had to stand my ground, but only once did I encounter someone who showed up during the process and was a real dick about it.

The parking services was second only to tuition and the football team in amount of revenue generated for the school. If anything, I could write more tickets by letting the few people I encountered during my work go and moving on to the 98% of cars whose owners don't show up rather than wasting 20 minutes arguing with each of them.

Easily the least stressful job I've ever had.

Re:How does he know MS isn't doing anything else?

[lorenlal]

I'm curious how 'anonymous reader' knows that Microsoft is doing nothing to fix the problem. This has been bugging me for a long time. Its possible that a workable solution could take some time to get implemented, and in that time, doesn't it make sense to send a C&D letter in the interim? Hell, doesn't it make sense to send the letter anyways, so you don't have all these assholes trying to break your system?

A C&D letter doesn't mean that other actions haven't been taken. Just a thought.

Obviously it's implied. But I think it's a reasonable implication.
1) If it was identified already as a problem on Microsoft's side, I don't think they would've gone through all the work to build the system as such. Their documentation indicated that this is how they suggest you setup your transaction. That tells me they thought they had a complete implementation and design.
2) Is there any indication in the C&D that corrective measures are being taken (other than squelching the whistle-blower)?

Re:How does he know MS isn't doing anything else?

[ElectricTurtle]

Your first example is an interesting thought experiment, except that it virtually never happens. People don't make the mistake of centralizing questionable material. Keygens are almost always stand-alone, and consequently spread like the wind through more methods than just the internet. (Plus, if they weren't stand-alone, where would all the sweet chiptunes go?)

I doubt the soundness of thought of your second position as well. You actually allude to the weakness yourself, but to expand it, just because you know the dangers of the internet's 'bad part of town' does not mean that Joe Jackass who really wants a free copy of MADDEN TENNNGH knows or cares about such dangers. What acts as a deterrent to a careful technician is not going to act as a deterrent to most people, even most technicians. I've worked in support for about a decade, and I take a 'I ain't afraid of no ghosts!' attitude toward such matters. I know how to recover from basically any malware assault, so I kind of take it as a challenge.

Re:How does he know MS isn't doing anything else?

[AvitarX]

Simultaneously, they keep the taxes down for those of us that pay the meter.

Re:How does he know MS isn't doing anything else?

[realityimpaired]

I've had to fight parking tickets in court, though, because they were unjustly given... If the parking space says, for example, that street parking is allowed until 4:00pm, and they write a ticket that's dated 4:01, then it's unreasonable... around here, they're supposed to give you 5 minutes' leeway to allow for differences in how your watch is set. (that's actually in the law in this part of the world).

Worse still is the time I was given a $300 parking ticket because the jackass who wrote it was more concerned with meeting his quota than he was looking for the accessible parking permit that was clearly displayed on the dashboard... at least, it was clearly displayed until your view of it was blocked by the parking ticket that the idiot put, quite literally, on top of the accessible parking permit. The ticket wasn't for going over time, it was because my car was parked in a handicapped spot, and he hadn't noticed the permit. That one was resolved by a trip to city hall with both the permit and the ticket, but I shouldn't have had to take an afternoon off work because of a blind parking warden.

I fully agree that parking inspectors do actually do some important work. And I accept that most of them are just trying to do an honest day's work, and trying to actually perform a civic service. But some of the parking wardens are clearly becoming jaded at being the furries of the law-enforcement community, and are taking it out on people by power tripping.

Re:How does he know MS isn't doing anything else?

[sagematt]

Parking inspectors do important work. They keep parking spaces available for those who really need them. I feel sorry for the abuse they sometimes get.

http://www.youtube.com/watch?v=R90XIy6QH7Q

Re:How does he know MS isn't doing anything else?

[ZorinLynx]

This reminds me of Warbird Adventures, an outfit here in FL that offered "experience" flights in WWII era trainers.

Back in 2005, one of their aircraft broke apart in flight and instructor and student were both killed.

Did they even post a tiny memorial on the site? Nope. Bad for business. But the disrespect shown for their former employee and customer was enough to keep me from ever recommending them again.

A little sympathy goes a long way towards a good reputation. The world isn't perfect, and there's no way they could have known about the structural flaw that caused the breakup. (the NTSB did not hold WA liable). Yet their complete cover-up of the incident on their own site has created a lot of resentment in my case.

Especially since the aircraft that broke up in flight was the one I had flown in months earlier, and the instructor who was killed was with me on my flight.

Companies need to be more open about these things.

Re:How does he know MS isn't doing anything else?

[BrokenHalo]

You obviously haven't seen parking inspectors or clampers in the UK at work.

Clamps are at least easy to deal with. You can just cut the lock off with bolt-cutters.

Re:How does he know MS isn't doing anything else?

[dissy]

I'm curious how 'anonymous reader' knows that Microsoft is doing nothing to fix the problem.

Probably because of the hundreds of thousands of times Microsoft has been informed of a vulnerability in their software, they Never go about fixing the problem right away, and frequently never go about fixing it at all. The number of high profile vulnerabilities that they have fixed in that manor is extremely low.

They are also known for often shooting the messenger. This alone is reason to NOT inform them and just let the public know first.

If the best case for telling them is nothing, and the worst case is jail time and lawsuits up the ass, it is clear MS does not want to be told about such things. You and I might not think that is the best way to handle security, but it is what Microsoft has chosen.

So to answer your question simply: History. A very solid track record of history.

Re:How does he know MS isn't doing anything else?

[Khyber]

Cop tried putting a boot on my pal's heavy-duty truck.

He just threw the truck into towing, and dropped the clutch. Boot broke clean off and off we went!

Powerful engine removes the need for lock cutters. :)

Re:How does he know MS isn't doing anything else?

[Khyber]

"Yes, I know Abloy locks are unbumpable because of their design, but it is a good example."

I have a Protec data safe with an abloy lock - just turn the safe upside-down, use gravity to assist - easily openable with a bump key, less than three minutes.

Man can make it, man can break it.

"I have DDL, or direct download in quotes because I have yet to personally see a usable direct download other than a Trojan or a drive by browser exploit in all my years of cleaning malware off of people's PCs who do believe in such fantasies."

Well, since you mention only in your sentence that you clean people's PCs off and it's apparent you've never been in the DDL scene, you need to spend more time on the internet or actually making connections instead of reading tech articles all day. I just finished getting MW2 online, DDL style.

Re:How does he know MS isn't doing anything else?

[Alsee]

The parking services was second only to tuition and the football team

Errrr.... wouldn't that make it THIRD to tuition and football? :D

-

Mirror

[Rufus211]

Ive never bought anything using Bing Cashback, but the balance of my account is $2080.06. Apparently, I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th. Lets see how these transactions might have accidentally got credited to my account.

First, we need to try to figure out how transactions get into Bing Cashback. Microsoft posted some documentation here. The explanation of how a merchant reports transactions to Bing starts on page 20. Merchants have a few options for reporting, but Bing suggests using a tracking pixel. Basically, the merchant adds a tracking pixel to their order confirmation page, which will report the the transaction details back to Bing. The request for the tracking pixel looks something like this:

https://ssl.search.live.com/cashback/pixel/index? jftid=0&jfoid=<orderid>&jfmid=<merchantid> &m[0]=<itemid>&p[0]=<price>&q[0]=<quantity>

This implementation, while easy for the merchant, has an obvious flaw. Anyone can simulate the tracking pixel requests, and post fake transactions to Bing. Im not going to explain exactly how to generate the fake requests so that they actually post, but its not complicated. Bing doesnt seem to be able to detect these fake transactions, at least not right away. The six cents I earned in January have cleared, and Im guessing the remaining $2080 will clear on schedule, unless there is some manual intervention.

Even if Bing detects these fake transactions at some point in the future, the current implementation might have another interesting side effect. I havent done enough work to say it with confidence, but a malicious user might be able to block another users legitimate purchases from being reported correctly by Bing (I only tried this once, but it seemed to work). Posting a transaction to Bing requires sending them an order ID in the request. Bing performs a reasonable sanity check on the order ID, and will not post a transaction that repeats a previously reported order ID. When a store uses predictable order IDs (e.g. sequential), a malicious user can use up all the future order IDs, and cause legitimate transactions to be ignored. Reporting would be effectively down for days, causing a customer service nightmare for both Bing and the merchant.

Based on what Ive found, I wouldn't implement Bing Cashback if I were a merchant. And, as an end user and bargain hunter, it does not seem smart to rely on Bing Cashback for savings. In our next blog post, Ill demonstrate some other subtle but important reasons to avoid using Bing Cashback.

It seems like people have still not learned to never trust anything from the user. This reminds me of some trivially exploitable web merchants years ago. The would store the entire shopping basket, including prices, in the user's cookies. User simply modifies their cookies so that everything costs $1 or $0.01 and they could order a dozen cpus / t-shirts / whatever for a few bucks.

Re:Mirror

[Rufus211]

Also the guy who posted this is an idiot for placing a $100,000 transaction which would result in a $2,000 payment, and then bragging about it. His two $1 transactions proved the vulnerability and the $0.06 payment generated is easily ignored. The $100k transaction with $2k payment is just flat out wire fraud asking for federal PMITA prison.

Re:Mirror

[slimjim8094]

Parent is not a troll. This guy is seriously in for it - the FBI et.al frowns upon people who cheat companies out of literally thousands of dollars. The six cents would've been overlooked, and prove the point nicely.

$2k will certainly not be overlooked. Even if he never collects it... he's still fucked.

Re:Mirror

[TheWizardTim]

Another fun trick was to take a $1 and a $20 and cut them both in half. Then tape half of the $1 and the $20 to make two $21 dollar bills. Silly I know, but if you put them in a change machine, it would look for the numbers in the corners, it would read a 20 then a 1 and then give you $21 in change. You then took the other part and got $21 in change as well. Quick way to double your money. Now the machines check to make sure that all four numbers on the corners match up.

Re:Mirror

I'd just keep the two $21 dollar bills myself. Quick way to double your money!

Re:Mirror

[BrokenHalo]

That's an interesting approach. It exposes the idiocy of having all your currency bills with the same design except for the denomination. I think just about every other currency I've used has bills of different size as well as design for each denomination, so I doubt if your idea would work.

Re:Mirror

[jrumney]

it would read a 20 then a 1 and then give you $21 in change.

Sounds like an urban myth to me. Would it add 20 and 20 from the corners of a normal $20 bill and give you $40 change?

Re:Mirror

[QuoteMstr]

Maybe one rooted in truth, however. I can imagine a bill-reader using some simple image recognition against just one corner of the bill. You could get two $20 bills that way.

Re:Mirror

[Tapewolf]

You're assuming he stuck them together like this: [_ _] If it only read the number on the incoming edge, you might be able to attach them like this: [_ [_ Even if it didn't add them together and ignored the $1, you would still get $40 at a cost of $21.

Re:Mirror

[DNS-and-BIND]

Wrong! The feds won't get involved for anything less than $50,000. My company called them once and got turned down flat. They had to wildly exaggerate the amount of losses to get them to investigate.

Re:Mirror

[Shrike82]

I do love the way vague ramblings about evil corporations and the FBI (CIA or NSA would also have been acceptable) automatically gets moderated Insightful. Way to use those mod points my friend...

Re:Mirror

[Lakitu]

They should probably rename that sanity check.

Re:Mirror

[Skapare]

No, six cents does not prove a damned thing. There might be code in there to flag "high transactions" for further checks. They KNOW their system is insecure and could put that in there to deal with the less common riskier cases. THIS is a test to see if people can steal more than a few cents. That's what counts. If a system would allow people to steal six cents every now and then, but had means to prevent theft beyond that, I would feel safe with it as a merchant. I want to know if it is possible to steal a major amount. This is a test to determine whether or not they have added that additional security for less common transaction.

Oh, I'm sure they will pounce on him like crazy. But that's part of why our legal system is broken. As long as he stops at the point where he proves it is possible to steal a significant amount of money, then it is Microsoft that has committed the crime, and the entire chain of executives that were involved in this should be hauled off to prison for several years for fraud (except those who were already known to be informing the government of this crime taking place).

Re:Mirror

[AvitarX]

Well, in his defense he did publish what he did before receiving the money.

And the 100k transaction was probably the quickest way to actually get noticed, and therefore let them know about the problem.

Re:Mirror

[Boomerang+Fish]

Ive never bought anything using Bing Cashback, but the balance of my account is $2080.06. Apparently, I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th. Lets see how these transactions might have accidentally got credited to my account.

Also the guy who posted this is an idiot for placing a $100,000 transaction which would result in a $2,000 payment, and then bragging about it. His two $1 transactions proved the vulnerability and the $0.06 payment generated is easily ignored. The $100k transaction with $2k payment is just flat out wire fraud asking for federal PMITA prison.

Has anyone here actually read the words he has posted at the begining of his post? At face value it looks like he "discovered" this when he noticed he had an account balance for SOMETHING HE CLAIMS TO HAVE NEVER USED.

But no, it's so much more fun for everyone here to ignore the words Ive never bought anything using Bing Cashback and Apparently, I placed... and call him an idiot for posted about committing a crime.

--
not wort it...

Re:Mirror

[Hatta]

And yet, the FBI pretty much looks the other way when companies routinely cheat ppl out of hundreds or thousands of dollars.

Or billions.

Re:Mirror

[misexistentialist]

He's mostly an idiot for getting only $2000, since cashback for some stores has been 50%. Really he is probably one of those bored and unenterprising hackers, who break into government networks just to look for UFO documents

Re:Mirror

I own a laundromat, and I have 2 change machines there that are quite old (but have had their firmware updated over time to read new bills). They do not look in the corners, they read the incredibly fine detail on the bill in certain areas (a strip of lines), and make sure they match known good parts.

Re:Mirror

[David+Chappell]

Also the guy who posted this is an idiot for placing a $100,000 transaction which would result in a $2,000 payment, and then bragging about it. His two $1 transactions proved the vulnerability and the $0.06 payment generated is easily ignored. The $100k transaction with $2k payment is just flat out wire fraud asking for federal PMITA prison.

It would presumably be necessary to prove intent to commit wire fraud. Cashing the check is generally considered good proof of intent. By publishing the results of his experiment before any check was even issued, he has rendered a possible prosecution frivolous.

Re:Mirror

[russotto]

Wrong! The feds won't get involved for anything less than $50,000. My company called them once and got turned down flat. They had to wildly exaggerate the amount of losses to get them to investigate.

Unfortunately, as Kevin Mitnick found out, such lying about the amount of losses results in additional penalties for the accused, not for the liar.

Re:Mirror

[noidentity]

I don't follow. Wouldn't it give you $201 in change, then $120 in change?

Re:Mirror

[Richy_T]

They had to wildly exaggerate the amount of losses to get them to investigate.

You are the RIAA and I claim my five dollars.

Re:Mirror

[Richy_T]

That does remind me of when I managed a change machine at university. It would change 20p, 50p and £1 coins into 10p pieces. Some bright spark worked out (or heard) that you could wrap a 10p coin with tin foil and put it in the machine. Most times it would recognize the coin as 10 and just spit it out but one time in however many, it would take the coin and give change for 50p.

The fix? The machine had dip switches for what coins it would accept and there was one for 10p that was set to off. I set it to on. The fraudsters would put in their wrapped 10p and receive a nice, shiny unwrapped 10p in change. I saw a few in the collection bin for a couple of weeks and then it stopped.

Most entertaining...

[netpixie]

is the line from the letter

"cease and desist the posting in any location of the material and information contained in this post"

Seeing as it is their SDK that contains the details of this "feature", are they going to send themselves a C&D and then pull the SDK?

Quote

[QuoteMstr]

Regarding the tracking pixel approach: H.L. Mencken once wrote, "there is always a well-known solution to every human problem -- neat, plausible, and wrong." I cannot think of a situation to which this sentiment better applies.

Use microsoft == get screwed

[1s44c]

After about 30 years is this still news?

Use Microsoft software and you get screwed. They don't design software they design the user interface and botch the software. They are now as always a marketing not an IT company. It's always been that way, it will always be that way.

Re:Use microsoft == get screwed

[slimjim8094]

In this case, it's Microsoft getting screwed by Microsoft. They are on the verge of paying, or have already paid, $2000 out-of-pocket to a guy who did a simple GET.

Entirely Microsoft's problem - except it'll become the guy's problem when he gets prosecuted for fraud. Faking a $100k transaction is not a smart move. The $1 transaction is a perfectly fine proof-of-concept.

Re:Use microsoft == get screwed

[jim_v2000]

Because online services that use open software allow anyone to come in and fix bugs?

Re:Use microsoft == get screwed

[kestasjk]

A marketing company which subcontracts out its marketing and makes billions from software sales. That's a pretty weird marketing company.

Re:Use microsoft == get screwed

[1s44c]

A marketing company which subcontracts out its marketing and makes billions from software sales. That's a pretty weird marketing company.

Agreed they are pretty weird. They don't sell software though, they sell the dream of software that 'just works' to people that for the most part don't believe there is an alternative to bug ridden and low quality code.

Re:Use microsoft == get screwed

[1s44c]

In this case, it's Microsoft getting screwed by Microsoft. They are on the verge of paying, or have already paid, $2000 out-of-pocket to a guy who did a simple GET.

They can't even validate user input where failing to do so directly costs them cash. They are not hiding behind some get out of everything license agreement and they still can't do the basics.

Re:Use microsoft == get screwed

[ProfessionalCookie]

Be fair, they botch the user interface as well.

Re:Use microsoft == get screwed

[gzipped_tar]

In this case, it's Microsoft getting screwed by Microsoft.

Reminds me of a piece of quotation often attributed to Freud: "The only thing about masturbation to be ashamed of is doing it badly."

Shame, Microsoft, SHAME!!!

Re:Use microsoft == get screwed

[QuoteMstr]

Say what you will about Microsoft's business practices, but incredibly smart people work there. The idea expressed by your comment and the ten million others just like it is a cop out: it's a lot easier to call Micro$oft stupid than to take a hard look at our society and thinking about why large software companies (and large companies in general) have strong economic incentives to produce shit, about why they're not accountable to society at large, and why they can accumulate so much power.

Microsoft is hardly stupid: on the contrary, its managers are quite savvy, and are the reason Microsoft is where it is today. Other large software companies would do exactly the same things in the same position.

The real reasons we're angry are political. Our antitrust enforcement is lax. Our politicians are corrupt. We don't hold our government responsible for passing laws that favor the very few over the very many, like the DMCA. Our income taxes aren't progressive enough. We're not willing to enforce open standards. We let anything under the sun be patented. We need to address the root causes of these problems.

But thinking about all that is hard. It's easier to just say Microsoft sucks, isn't it?

Re:Use microsoft == get screwed

[Alex+Belits]

Microsoft Research is not "people working for Microsoft", it's "people are paid by Microsoft not to work for Microsoft's competitors". Not a single meaningful Microsoft product or feature came from there.

Re:Use microsoft == get screwed

[QuoteMstr]

Not directly, anyway. Fair enough. But there are smart people at microsoft working directly on their retail products too.

Re:Use microsoft == get screwed

[kestasjk]

Microsoft software is good but their software isn't a dream, strictly speaking..

Re:Use microsoft == get screwed

[1s44c]

Right. And who exactly gives a shit about your opinion? Your mom?

The people who's computers and networks I look after and the people that pay for those computers and networks.

Microsoft don't pay for the virus scanners, antivirus software, or the extra bandwidth I need to deal with the results of their bad coding. They have never given me a problem I can't fix or work around but that doesn't mean that cleaning up their sloppy messes is cheap in money or in time I could be using to do something productive.

I don't think it's correct to call everyone who point out Microsoft's lack of code quality as a 'F/OSS Cheerleader'. Many of us were using commercial UNIX long before Linux was accepted in companies and OS/390 or VMS long before that.

Re:Use microsoft == get screwed

[1s44c]

Microsoft software is good but their software isn't a dream, strictly speaking..

Microsoft software is good for pay-for-reinstall PC shops and 'botnet hurders. It's a nightmare for everyone else.

Re:Use microsoft == get screwed

[elrous0]

Actually, I worry a LOT more about Apple than I do about MS in this regard. Apple is MUCH worse at suppressing information about security flaws (and pretty much everything else) and not fixing flaws for a long time than microsoft EVER was. And don't get me started on how aggressive and sneaky Apple software is compared to just about everyone else (anyone who has ever tried to completely remove iTunes or Quicktime from their system can attest that this). The main advantage Apple has traditionally enjoyed over MS is that Windows is such a popular target. But the idea that MS is uniquely weak or slow on security fixes is just not fair. And considering the number of cease-and-desist letters that come out of Apple each *day*, it's silly to cite MS as being particularly egregious in their secrecy either.

Re:Use microsoft == get screwed

[cenc]

Incredibly smart people also worked for the Nazi party. That ended well for them, and everyone else.

Re:Use microsoft == get screwed

[FlyingBishop]

Proprietary != Closed source

Re:Use microsoft == get screwed

[shutdown+-p+now]

Microsoft Research is not "people working for Microsoft", it's "people are paid by Microsoft not to work for Microsoft's competitors". Not a single meaningful Microsoft product or feature came from there.

Huge chunks of .NET came out of MSR - generics, LINQ, etc. F# came out of MSR. If I remember correctly, Surface came out of MSR.

Truth is, a lot of stuff actually does come out of there, but it changes a fair bit when it's being "productized". It's certainly rare to get full products like that (F# is a notable exception), but specific features and ideas are often integrated into shipping products.

On the other hand, I'm not sure what you mean by "not working for competitors". Is Haskell a competitor to Microsoft tech? I'd say so - it not a Microsoft-backed language, it portably runs on non-MS platforms (Linux, OS X), and a large number of people who use it tend to be affiliated with FLOSS. And yet, Simon Peyton Jones is one of the lead developers of Glasgow Haskell Compiler (GHC), and he's on MSR payroll.

Re:Use microsoft == get screwed

[jim_v2000]

What's your point in relation to this discussion?

Re:Use microsoft == get screwed

[Alex+Belits]

Surface came out of MSR.

Is that a product?

Re:Use microsoft == get screwed

[Alex+Belits]

They needed RESEARCH to implement an existing and well-known feature of programming languages?

Re:Use microsoft == get screwed

[shutdown+-p+now]

I'm not sure if you're genuinely asking, or it's a take on irony. In any case, yes, Microsoft Surface is definitely a product.

Re:Use microsoft == get screwed

[Alex+Belits]

It's not a product until it is being sold or at least ready to be sold. So far it's the other way around -- it's a "cool demo" that Microsoft exhibits and pays others to exhibit as some kind of expression of intellectual prowess.

Re:Use microsoft == get screwed

[shutdown+-p+now]

It's not a product until it is being sold or at least ready to be sold.

I'm not sure what you're implying. You can buy Surface today, and there are organizations out there that did so and are using it already. Please read the link in my previous post more carefully.

Re:Use microsoft == get screwed

[Alex+Belits]

I'm not sure what you're implying. You can buy Surface today

Where and how much does it cost?

and there are organizations out there that did so and are using it already. Please read the link in my previous post more carefully.

The link shows Surface being showcased on behalf of Microsoft, not actual use by paying customers.

Re:Use microsoft == get screwed

[shutdown+-p+now]

Where and how much does it cost?

Here. It'll cost you $12,500.

The link shows Surface being showcased on behalf of Microsoft, not actual use by paying customers.

Check again (end of the section).

Why is this troll?

[XanC]

Seems pretty spot-on to me.

Source of URL

[pgn674]

If anyone is quickly wondering exactly where he got the info to construct the request URL in his original post (like, how did he know about jftid, jfoid, and jfmid?), it looks like page 33 of the linked Integration Guide PDF gives the URL https://ssl.bing.com/cashback/javascripts/1x1tracking.js. That JavaScript file has info on constructing that URL.

No

[oGMo]

If you have a glaring vulnerability that lets people defraud your customers out of arbitrary amounts of money, the only sane thing to do is immediately disable the feature. Not wait for a solution. Not cover up the issue. You make coverage of the issue irrelevant. If one person figured it out and wrote about it, 100 other people also figured it out and are using it for personal gain.

Re:No

[tomhudson]

If you have a glaring vulnerability that lets people defraud your customers out of arbitrary amounts of money, the only sane thing to do is immediately disable the feature. Not wait for a solution. Not cover up the issue. You make coverage of the issue irrelevant. If one person figured it out and wrote about it, 100 other people also figured it out and are using it for personal gain.

In Soviet Russia, there are more than 100 people with computers, comrade.

Solution

[QuoteMstr]

All Microsoft needed to do was include a Message Authentication Code (such as, say, HMAC-SHA1) in the tracking image URL. Microsoft and the merchant obviously already have a shared secret they can use for the purpose. Using a MAC would have been practically free.

Given what Microsoft pays its programmers, I'm just appalled that nobody thought to include basic precautions in a brand-new interface written in this day and age. Whoever wrote the Bing API specification really should have known better.

Re:Solution

[mdenham]

Whoever wrote the Bing API was probably planning on exploiting it in exactly this fashion.

Re:Solution

[QuoteMstr]

A cleverer backdoor would have been a weak custom MAC (say, just the H(M) + secret). Then it'd still be exploitable, yet not obviously bad.

This article goes into the reasons why HMACs are constructed the way they are, and about how naive constructions can be exploited.

Re:Solution

[QuoteMstr]

You're absolutely right. SHA-1 is sturdy enough, and would still have been a responsible choice[1]. Nevertheless, moving to one of the SHA-2 algorithms (like SHA-256 or SHA-512) moves the mental confidence gauge from "damn sure" to "would bet my career on it".

One point worth mentioning is that if you're worried about the output size of one of the SHA-2 hash functions (64 bytes is a little heavy), you can just truncate the output. SHA-512 truncated to the size of SHA-1 (160 bits) shouldn't be any less secure than SHA-1 itself.

[1] Unlike MD5, which is as secure as a treehouse in a tornado. It still absolutely boggles the mind that people use raw, unsalted MD5 to store passwords, and use raw MD5s file authentication.

Re:Solution

[bjourne]

Can you elaborate on that? The tracking pixels are used to report transactions to Bing's api by having the customers web browser doing a GET request to Bing's cashback server. Since it is all done on the client side, a malicious user could just include the MAC for the merchant in the forged transaction. So I don't see how using a MAC would help at all.

Re:Solution

[QuoteMstr]

Can you elaborate on that?

Sure. A MAC actually can mean two things, depending on context: an algorithm or a value. I'm going to use "MAC" to mean the algorithm, and "authenticator" to refer to the output of the algorithm. YMMV.

The MAC takes as input the message to be authenticated, M, and a key S. Let's say that M is information about the item to be purchased, and S is a password the merchant set up with Microsoft. Running the MAC on M and S produces A. The sender of the message sends both A and M to the recipient. In more concrete terms, the tracking pixel's URL includes both information about the purchased item (like it does now) and the output of the MAC algorithm.

The recipient runs the MAC algorithm on the M' he receives (using the agreed-upon S), and compares its output, A' to the A it received along with the message. If A = A', M is authentic. If not, M is a forgery.

A malicious user could alter the tracking pixel URL, sure, but because she doesn't know S, she can't generate an authenticator A that the server will accept. She can choose to either send A and M unaltered, or not send anything at all.

One of the more popular MACs is called an HMAC, which stands for Hash MAC. Unsurprisingly, it's a MAC build out of a hash function. The Wikipedia article provides details about how an HMAC is actually constructed. It's important to use that construction, because simpler approaches to building MACs out of hash functions (like just concatenating S and M) are vulnerable to various attacks.

Re:Solution

[Rufus211]

It's pretty clear that whoever designed this API didn't even take an passing glance at the security or reliability implications. There are 2 ways (from the linked slides) for a merchant to report cashback activity to MS:

1) Tracking pixel: this gives instant update to the user, but is completely insecure and also fairly unreliable (image fails to load, cross site https issues, random network hickup, etc).

2) FTP upload of a plain text list: yes really, plain old FTP. This is at least reliable but is only authenticated by a plain-text user/pass. The list does not have any signature for authentication.

I'm not a web guy at all (I'm an ASIC hardware guy) and off the top of my head I can think of 2 real solutions:

The right way: SOAP. Gives instant update to the user, should be trivial in any backend web language, is reliable, is trivial to encrypt (https), is trivial to authenticate (a simple shared secret would be enough).

A reasonable way: both of the existing ones. The tracking pixel is used to provide instant user update in 99% of the cases, but the transaction is marked pending. At the end of the day the text list is uploaded to the FTP. Compare the 2 lists, approving all that match and flagging for review any that don't (extra, missing, or different). As an added bonus a cryptographic signature should be added to the list.

The problem with simply adding a MAC to the existing tracking pixel is that it doesn't fix the reliability issue. Also the advantage of the current tracking pixel is that it's stupidly easy to implement. If you're going to load in some libraries to do the MAC calculation on the server, you might as well load in a SOAP library and do the transaction properly.

It really boggles the mind that a bogus transaction could actually be paid out. That indicates there is absolutely no auditing or rationalization between what the e-tailer thinks should be paid out and what MS thinks should be paid out. Even something as stupid as end-of-month totals should flag that there are bogus transactions.

Re:Solution

[QuoteMstr]

The right way: SOAP

Yep. You don't need SOAP per se, though. The important thing is having the merchant talk directly to Microsoft. Some people are oddly resistant to that notion though, and if you're going to use the tracking pixel approach, you need a MAC.

That indicates there is absolutely no auditing or rationalization between what the e-tailer thinks should be paid out and what MS thinks should be paid out. Even something as stupid as end-of-month totals should flag that there are bogus transactions.

Agreed. The sad thing is that from a certain point of view, it can make more sense to limit the damage through audits than to try to make the system secure in the first place. Just look at the state of the credit card system.

Re:Solution

[guruevi]

The simplicity of this hack and the gaping hole in the system suggest that this 'feature' was entirely thought up and created by middle-to-upper management and a grunt working for HR or Accounting to implement it in Excel.

Re:Solution

[Otto]

The value of the MAC would change depending on the transaction, and part of the algorithm would involve a "shared secret". Basically a number shared between Microsoft and the merchant only.

A simplistic implementation would be to take the shared secret and the final price of the transaction, append them together, then run SHA over them to get a hash value. You can give the result to the client. If they change the price, then the hash doesn't match any more. They can't create a new hash, because they don't know the shared secret.

Obviously that approach is too simple, a real algorithm would be more complex, but you get the idea. Combine a secret code with values from the transaction, then use a one-way hashing function on them in some manner. The resulting hash is good only for those particular details, and can't be recreated by the untrusted client.

Re:Solution

[peterw]

A reasonable way: both of the existing ones. The tracking pixel is used to provide instant user update in 99% of the cases, but the transaction is marked pending. At the end of the day the text list is uploaded to the FTP. Compare the 2 lists, approving all that match and flagging for review any that don't (extra, missing, or different).

Exactly. And I wonder if they've done that already, and simply not updated their integration docs. There's no way to pass a transaction date with the pixel, so Bountii must've first played with this back in January. It would've been nice to know how long the Jan 24 forgeries took to clear. The fact that the Oct 24th purchase hadn't become Available by Nov 4th suggests that Bing might now require batch confirmation for all transactions. Or perhaps the merchant used the Merchant Center interface to flag the transaction -- I know in the ecommerce systems I've been involved with, staff review the transaction log for anything unusual.

There is still that Denial of Service problem -- a user claiming all "future" order IDs and preventing legitimate customers from getting their credits. I thought Bing might've simply prevented any given customer from submitting two claims with the same merchant ID & order ID (classic "transaction token"/page reload stuff), but the screenshots of the Merchant Center suggest that Bing isn't dong that (yet).

My favorite part is that on page 20 of the Bing Cashback integration guide they say that the pixel hack is "recommended" for reporting purchases. Recommended!

Second favorite: that Samir at Bountii posted this on his blog without contacting Bing first. He should've followed something like the RFPolicy protocol (http://www.wiretrip.net/rfp/policy.html).

mirrored post

[lkcl]

http://lkcl.net/reports/bing.censorship.attempt - additional mirrors will be added as i find them.

Re:mirrored post

[Jugalator]

I simply screenshot it and uploaded it to an image host. *shrug* The cat is already out of the bag now, and MS will have to fix this.

Re:mirrored post

[SharpFang]

fuck you. do not attempt to censor people's efforts to bring to your
attention your own stupidity. go fix the problem, and pay the guy who
found the problem a lot of money, as a thank you.

Microsoft's standard policy of thank-you for people who help them prevent multi-million losses is a free T-shirt.
You can't really hope for any better.

I'm not interested in fixing the bug...

[da5idnetlimit.com]

Just interested in keeping the extra income 8)

How is this a cheat?

This is no more a cheat than taking someone's money for a shell game and showing them afterwards how they were scammed.

If he's said "by the way, I managed to get 20 grand off you by this" then he's not defrauded them. If he'd kept quiet THEN he'd have defrauded them.

Re:How is this a cheat?

[abigsmurf]

Admitting a crime does not absolve you of it. In the first example, it's still technically a crime, it's just not worth anybodies time to report and prosecute it.

This guy has been seriously stupid. Not only is it clearly fraud, he's also up for conspiracy to defraud charges for telling other people how to do this.

It's called fraud

[cookd]

This is called "fraud". Look it up. It's been around for a long time, a lot longer than HTTP. There are standard business practices for dealing with it. Not all of them are technical. This system's technical defenses are probably sufficient to raise an alarm (delayed by a few weeks as the results are collated), and it will produce a pretty good paper trail leading to the owner of the Bing account. Some of the systems take into account minor details such as the existence of accountants, a police force, a paper trail, and a legal system. Obviously some stronger technical measures might have made it a bit more difficult to pull off this partucular fraud, or maybe it might have even stopped it, but the non-technical measures will also work just fine if they are called into play.

Whether or not the door is obviously guarded, it's still illegal to steal stuff from a store. The fact that the door was not protected with the latest and greatest in RFID theft detection systems doesn't change the fact that what you are doing is illegal. And perhaps the tracking process is slower than what you see in movies, people still get tracked down and arrested, days or weeks after the event. Moving from the streets onto the Internet doesn't really change the rules much (except that your case will probably wind up with Federal jurisdiction).

In this case, the poor "hacker" (I wish him/her luck!) appears to have done the following:
1. Used a specially formatted HTTP request to get a small fabricated purchase to show up as credited to his/her Bing account.
2. Noticed that the cash back did show up with no problem as "available for withdrawal".
3. Tried again with a much larger purchase. Again the purchase shows up in his account.
4. Hacker is hoping that the amount will soon become available for withdrawal.

On the other side of the world, the accounting systems for Microsoft and the associated merchant have likely compared invoices and noticed the discrepancies. The small ones got noted, but they were thrown out as "somebody is playing with the system, but it's not worth dealing with it". But this month, when going over the books, they're going to find a nice big 100,000 item that doesn't match up with any purchase recorded on the store's official records. However, they do have the account number of the buyer that should be getting the cash back. I'm not sure what typically happens at this point, but it probably involves cancelling dinner for the wolf pack so that by the time they're ready to send out the posse, the wolves are hungry.

In this case, Microsoft has apparently (I haven't looked into this) provided an API by which a store can report a sale and attribute the sale to a particular Bing account. The API has varying levels of security, depending on how much effort the store wants to put into preventing fake transactions from entering the system. Low effort might be fine and takes less time to set up, but it's easier to attack and that means more work to do when reconciling the accounts. Just like many other mechanisms for quickly distributing non-critical information between merchants, this isn't meant to be the authoritative information transmission system, just a way for people to keep status on accounts in between the regularly-scheduled account reconciliations. This way Bing can update your account balance within seconds of the purchase. Of course, the payback won't happen until they've gone back and checked Microsoft's records against the merchant's records and pulled out any differences. The differences go to the auditor and possibly to the police or FBI.

Could we maybe just think for a second before acting like jerks? Being a jerk means everybody suffers. I mean, just because I see a way to deface somebody's website doesn't mean I am obligated to do so. I walk by 100 cars a day, and I could easily spray shaving cream all over them and not get caught. But if everybody did that, quality of life would go down for everybody. Same thing on the internet.

I hate this attitude out there th

Re:It's called fraud

[sskinnider]

And meanwhile, only the other consumers are hurt over this incompetent programming. The cost of fraud is passed directly to the customer, it does not hurt Microsoft.

Re:It's called fraud

[RiotingPacifist]

This way Bing can update your account balance within seconds of the purchase. Of course, the payback won't happen until they've gone back and checked Microsoft's records against the merchant's records and pulled out any differences. The differences go to the auditor and possibly to the police or FBI.

Only he's $0.06 was already avalible for withdrawl, i.e it had passed all the checks.

I hate this attitude out there that "if it isn't nailed down, I have every right to grab it and take it home, and if it is nailed down, I have every right to destroy it". I don't want a world (or even an Internet) where everything is nailed down and/or destroyed.

Actually i think the attitude is, if you are going to deploy software that deals with real money make it secure, the posting wasn't a "howto steal money from microsoft", it was just a blog post detailing a security flaw. There is a big difference between some blag with pictures of kittens and an online shopping system, implemented by a major IT company, If you can deface the homepage of a major IT company it shows incompetence, if you can steal money from them then dear god what are they doing?

Re:It's called fraud

[RiotingPacifist]

The cost of fraud is passed directly to the customer, it does not hurt Microsoft.

People keep repeating this claim, but the truth is, 90% of the time, cost is not proportional to price, it may eat into MegaCrops margins but they will not increase the price of a product in response if it looses them sales. Say you shoplift a TV from MegaCorp, they just lost $1000, that's bad, but if they pull away from the idea price point they may loose 10 sales, or if they drop the price 10% they will lose $1000 per 10 sales.
The concept scales everywhere, prices are not set at cost*1.n, they are set at the point where num.sales*price is maximised irrespective of cost.

Re:It's called fraud

[leeosenton]

Well written and thought provoking.

Re:It's called fraud

[abigsmurf]

There's a big difference between "available for withdrawal" and actually withdrawn. I doubt money goes from Bing accounts to bank accounts without verification. Especially if said money has come from promotions.

There's also a big difference between defrauding a few c as a proof of concept then going on to defraud a few thousand once you're sure it works. This guy will very likely go to jail if Microsoft prosecute.

Re:It's called fraud

[Culture20]

In this case, the poor "hacker" (I wish him/her luck!) appears to have done the following: 1. Used a specially formatted HTTP request to get a small fabricated purchase to show up as credited to his/her Bing account. 2. Noticed that the cash back did show up with no problem as "available for withdrawal". 3. Tried again with a much larger purchase. Again the purchase shows up in his account. 4. Hacker is hoping that the amount will soon become available for withdrawal.

5. Notified Microsoft about the issue?

Meanwhile, MS allowed a system where someone could redirect money to *someone else's* account, even an innocent third party. Imagine walking out of a local jewelry store, and the gate drops around you, sirens blare... all because a pickpocket put jewels in your pants. Imagine that instead of all of the sirens and gates, the store owner could have implemented a less expensive alternative that would have completely prevented the thief from doing this. So, the jewelry store is paying more to harass its customers... the store owners must enjoy it.

But then they put the key in plaintext in JS

[originalhack]

Seriously.... they couldn't possibly assume that their affiliates can program, so the key would have to be in the users' web browser instead of on the affiliates' server.

Re:But then they put the key in plaintext in JS

[QuoteMstr]

Merchants must at least have some ability to program, otherwise they wouldn't be able to create sites at all. Creating a MAC authenticator isn't hard: all you need to do is call a hash function a few times. But as another poster mentioned, the better thing to do is to just have the merchant talk directly to Microsoft and sidestep the whole problem.

Hey Mercedes!

[tjstork]

Your car has an exploit, so I stole it and drove it into a wall to prove a point.

Re:Hey Mercedes!

[misexistentialist]

If Mercedes sold cars that all had the same key, many people would find it hard to resist stealing a few (and likely end up in jail), so writing an article about how you stole one might be doing everyone a favor.

MS Response

[TheVelvetFlamebait]

Microsoft has posted this page in response:

http://www.bing.com/search?q=bing+cashback+vulnerability&go=&form=QBLH&filt=all&qs=n

Bing vulnerability?

[selven]

What bing vulnerability?

Re:It isn't a crime

[abigsmurf]

Again, owning up does not stop it being a crime. I could send a letter to the bank saying they have problems with their security set up, come back a few days later, rob them, send a letter telling them I had indeed robbed them. Do you really think I wouldn't get arrested? Even if I went back a few days and gave them their money back I'd still be arrested.

Inaction by the victim is not permission, an unlocked door is not permission. This is an unauthorised attempt to abuse a system to knowingly trick someone out of their money. It is fraud.

Re:I'm not going to say I could have done better..

[rossjudson]

You are a funny boy! To misquote David Pogue, Microsoft will lose when businesses decide that computers are no longer useful.

It's good to have more than one ecosystem out there. There's every chance that the engineers at Microsoft knew about this vulnerability and, in the interests of simplification, decided to allow it for business reasons. Those happen sometimes ;). Credit card companies could engage mechanisms that would make it MUCH more difficult to do fraudulent charges against a card, but they elect not to because they don't want to impose a "drag" on sales of any kind. They're clearly calculated that their losses from "drag" would exceed their losses from fraud.

Re:A story for you

[abigsmurf]

And yet he successfully highlighted the issue of questionable ID checks around the palace and got it published in almost all the media without causing any pain or distress to anyone other than the embarrassed security staff. All the police said was that lives were never in danger at that party.

He achieved this through (largely) ethical methods. He could have possibly gone in with a bomb strapped to his chest, detonated it and sent a very strong message to security staff. However he didn't.

Using your comparison. He would have acheived acceptable results just abusing the system to give himself 6c. Instead he chose to strap a bomb to his chest and steal thousands, causing real hurt to victims. Just like the palace guests aren't to blame for the security, the businesses hurt by this aren't to blame for Bing's lack of security.

Hope he remembers

[harris+s+newman]

Don't drop the soap, if you do, don't bend over to pick it up. Don't look people in the eyes, and plead no-contest.

Not Wire Fraud

[rwv]

Lots of people are screaming "Wire Fraud" about this but I don't buy it. Microsoft needs to be accountable for their lack of security. They cost the world Billions of dollars (lost productivity plus value of the anti-virus/removal industry) because they're the leaders of a mentality where rushing products out the door is preferable to more reliable measures.

I mean... blame the person who exploited the crappy security all you want... but if Microsoft doesn't stop the $2k deposit from going into his account I don't think laws should give them a leg to stand-on. One poster noted that Microsoft probably has a team to review these large charges and I would agree that they do have resources to manually stop this large payment.

But if they don't stop it... well if MUST be more profitable to make that choice because Microsoft is a very, very smart business and they have historically made very, very ballsy and successful business decisions. So, as long as valuable taxpayer dollars don't get wasted on the case of whether it's morally right to exploit Microsoft for personal gain, I don't think there's much to talk about here. BUT if this becomes a court battle (Unreliable, Cheap Software v. John Doe) I hope the Unreliable, Cheap Software loses.

Re:Not Wire Fraud

[grrrgrrr]

I totally agree. I would go as far as saying it is Microsoft who is likely committing fraud here by trying to keep this under the cover. The most likely scenario is that they knew all along that it was flawed because it was so obvious. By releasing it anyway on the unsuspecting public borders on criminal behavior.

The masses will probably still flock to Bing

[gearloos]

It really doesn't matter. Seems like the dumber the m$oft coder, the more people migrate to it. You can't fix stupid.

Due Process should start before BEFORE the crisis

[psbrogna]

Developers make tactical & strategic errors, entire companies do the same and sometimes the response is poorly handled when either is caught ... yadda, yadda, yadda. Let's not dwell on a common-place phenomenon inherent to humans. What causes me the most concern is the QA/QC that should catch this sort of thing is failing. That's the larger problem to me. What buffoon, and presumably somebody senior was responsible for oversight of the review process, was responsible for looking at a tracking-pixel based mechanism and letting it pass muster? What other responsibilities does this joker have in Redmond?

Re:It isn't a crime

[David+Chappell]

Again, owning up does not stop it being a crime. I could send a letter to the bank saying they have problems with their security set up, come back a few days later, rob them, send a letter telling them I had indeed robbed them. Do you really think I wouldn't get arrested? Even if I went back a few days and gave them their money back I'd still be arrested.

Yes, but stopping before a crime has been committed does stop it from being a crime. Here is a better anology: He goes into a bank and makes out a withdrawal slip for $1,000,000 when he has only $100 in his account. He takes it up to the teller who gets $1,000,000 out of the safe and puts it on the counter. He then turns to everyone in the room, loudly says, "wow these people are gullible" and leaves without touching the money.

They might be able to get him under a computer crime statute (not that they should), but suggesting intent to fraud when it was he who made sure they would never send him the money is not rational.

In other news: /. now moderated by 'tards

[BattyMan]

I swear. Moderators can't read a /sarcasm tag anymore?

Posting anonymously, for obvious reasons....

Re:FOSS == Fix yourself

[jim_v2000]

My point is that Bing is a web service, and even if you had access to see their code, you couldn't just go onto their serves and fix it for them. So whether or not they use open source code is irrelevant to the end user.

!Censor

[AP31R0N]

Only gov'ts can censor. This is concealing.