Slashdot Mirror


Hacker Warns Starbucks of Security Flaw, Gets Accused of Fraud

Andy Smith writes: Here's another company that just doesn't get security research. White hat hacker Egor Homakov found a security flaw in Starbucks gift cards which allowed people to steal money from the company. He reported the flaw to Starbucks, but rather than thank him, the company accused him of fraud and said he had been acting maliciously.

107 comments

  1. No good deed goes unpunished by localroger · · Score: 5, Funny

    He would have been better off helping himself to free coffee until the wankers fixed their system.

    --
    Brackets contain world's first nanosig, highly magnified:[.]
    1. Re:No good deed goes unpunished by infolation · · Score: 5, Insightful

      In the old days, he'd have posted it in 2600 and we'd ALL've got some free coffee.

      No free lunches anymore :[

    2. Re:No good deed goes unpunished by Anonymous Coward · · Score: 1

      Indeed. The moral of the story here is SECRECY. In our post 9/11 America with its Patriot act and militarized police the best strategy for the individual citizen is to keep to himself and mind his own business. If it cannot benefit or help you, don't do it and never ever have anything to do with the police or government officials, it will only come to grief for you and your family.

    3. Re:No good deed goes unpunished by Anonymous Coward · · Score: 0

> Indeed. The moral of the story here is SECRECY. In our post 9/11 America with its Patriot act and militarized police the best strategy for the individual citizen is to keep to himself and mind his own business. If it cannot benefit or help you, don't do it and never ever have anything to do with the police or government officials, it will only come to grief for you and your family.

      Secrecy?

      Why in the fuck would you do that, so they can simply accuse you of some other crime related to withholding critical information? Hell, you're practically a terrorist these days if you do.

      You seem to be wanting to paint a picture where the average citizen stands a chance in hell in maintaining privacy or secrecy. Those days are long gone. Those who still believe they're around or achievable anymore are morons being sold something.

    4. Re:No good deed goes unpunished by Anonymous Coward · · Score: 0

      No, he should have sold it to the highest bidder. Hacking is for hackers, stealing is for thieves.

    5. Re:No good deed goes unpunished by Nyder · · Score: 0

> In the old days, he'd have posted it in 2600 and we'd ALL've got some free coffee.

> No free lunches anymore :[

      weird, I had a dream last night I was buying a 2600 from a bookstore. It's been a long time since I've bought one though. Long time since I bought any magazine actually.

      --
      Be seeing you...
    6. Re:No good deed goes unpunished by AmiMoJo · · Score: 5, Insightful

      The sad thing is that publishing the vulnerability anonymously, in 2600 or on one of the disclosure mailing lists, is now the responsible thing to do. Not great for the company involved, but it protects the researcher and it protects the user in some cases.

      At this point I'd only even consider warning the company before anonymously publishing the vulnerability if they had a bug bounty programme. Not because I want money, but because it's the only way to be sure they will actually be thankful and not call the cops right away.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:No good deed goes unpunished by Anonymous Coward · · Score: 2, Interesting

      In the new days, he posts to Sacurity and 5000 bored coders implement his hack for the hell of it.

      They start with $100 gift cards and double their money.

      Starbucks is out half a million dollars on the first day. The second day it's 5x that.

      Since it's a Saturday, this goes on until Monday, 11am Pacific time. Emergency meetings are held but the hole can't be plugged overnight.

      Total loss to the company is about $5 million by Wednesday afternoon.

    8. Re:No good deed goes unpunished by Anonymous Coward · · Score: 4, Informative

> In the old days, he'd have posted it in 2600 and we'd ALL've got some free coffee.

> No free lunches anymore :[

> weird, I had a dream last night I was buying a 2600 from a bookstore. It's been a long time since I've bought one though. Long time since I bought any magazine actually.

      I work in a bookstore and we still sell 2600 regularly.

    9. Re:No good deed goes unpunished by Anonymous Coward · · Score: 1

> Hell, you're practically a terrorist these days if you do.

      Have you read the description that the US government gives for people it considers terrorists? In short, everyone that isn't part of the elite is a terrorist. There's nothing you can do to change it, either, as that would just make you a super-terrorist trying to undermine the elite.

    10. Re:No good deed goes unpunished by Anonymous Coward · · Score: 1

      Wow! I was in a bookstore once... Small world

    11. Re:No good deed goes unpunished by Anonymous Coward · · Score: 0

      Just as it should be. It's not called the Ruling Elite for nothing. It rules and all the lowlifes who are not part of it need to learn a lesson in following orders.

    12. Re:No good deed goes unpunished by Anonymous Coward · · Score: 0

      I looked at book once, just once.

    13. Re:No good deed goes unpunished by Bing+Tsher+E · · Score: 1

      Do they sell 2600 on Amazon? I have these visions of adverts recommending 2600 to me popping up all over the web as I browse.

    14. Re: No good deed goes unpunished by Anonymous Coward · · Score: 1

      Lost it @ "the hole can't be plugged overnight"

    15. Re: No good deed goes unpunished by Anonymous Coward · · Score: 0

      Haha

    16. Re: No good deed goes unpunished by Anonymous Coward · · Score: 0

      Just get a few people taking turns on top of that

    17. Re:No good deed goes unpunished by Anonymous Coward · · Score: 0

      It would take less time to search Amazon for 2600 magazine than it would to ask someone on the internet if you can buy it on Amazon.

    18. Re:No good deed goes unpunished by vlueboy · · Score: 1

> It would take less time to search Amazon for 2600 magazine than it would to ask someone on the internet if you can buy it on Amazon.

      *Sigh*
      Pot, kettle... ;)

I never did read 2600, but here's real info to break up the potential for a recursive stove-fest. The answer to whether Amazon sells it is "yes", with a "but".

TL;DR: All I see are Kindle editions (makes sense, but why don't they also carry the print edition, which another poster already confirmed has survived our turbulent digital-prone times?). Anything paperback there is just some "best of" compilation.

    19. Re:No good deed goes unpunished by Black+LED · · Score: 1

      No, he'd be far worse off drinking that low grade swill.

    20. Re:No good deed goes unpunished by Anonymous Coward · · Score: 0

      If you really would like a physical copy and don't want to go to a store, you can still order backorders from previous years from their site.

    21. Re:No good deed goes unpunished by Meski · · Score: 1

> He would have been better off helping himself to free "coffee" until the wankers fixed their system.

      There, fixed. Starbucks don't do real coffee.

    22. Re:No good deed goes unpunished by mikeiver1 · · Score: 1

      Their coffee sucks anyway, I piss better coffee after drinking my vacuum brewed Kona or blue mountain. The guys needs to post the info anonymously now and let slip the dogs of war on the stupid assholes running starbucks. See just how reactive they are after that!

  2. You stole too little by rebelwarlock · · Score: 5, Insightful

    Everyone knows that you get a negative reaction for stealing a small amount. Steal a couple million and you'll be respected.

    1. Re:You stole too little by fahrbot-bot · · Score: 2, Insightful

> Everyone knows that you get a negative reaction for stealing a small amount. Steal a couple million and you'll be respected.

      Not just stealing. As Eddie Izzard pointed out in his standup performance Dress to Kill:

      You know, we think if somebody kills someone, that's murder, you go to prison. You kill 10 people, you go to Texas, they hit you with a brick, that's what they do. 20 people, you go to a hospital, they look through a small window at you forever. And over that, we can't deal with it, you know?

      Someone's killed 100,000 people. We're almost going, "Well done! You killed 100,000 people? You must get up very early in the morning. I can't even get down the gym! Your diary must look odd: “Get up in the morning, death, death, death, death, death, death, death – lunch- death, death, death -afternoon tea - death, death, death - quick shower"

      --
      It must have been something you assimilated. . . .
    2. Re:You stole too little by Anonymous Coward · · Score: 0

      Megadeth - Captive Honour

      And when you kill a man, you're a murderer
      Kill many and you're a conqueror
      Kill them all...Ooh...Oh you're a God!

  3. Best way to report security holes by Anonymous Coward · · Score: 0

    Just do the black hat thing next time: steal a few hundred thousand dollars - anonymously. You'll still be accused of acting maliciously, but then they'll also address the flaw, which is better than just telling you to stop trying to help.

  4. Starschmucks by Morrighu · · Score: 2

    Foamy the Squirrel nailed it.

    1. Re:Starschmucks by Bing+Tsher+E · · Score: 1

      Buckstar.

      Does anybody even go there? Do they have a clown and a burglar as mascots yet?

    2. Re:Starschmucks by Anonymous Coward · · Score: 0
    3. Re:Starschmucks by Mikkeles · · Score: 1

      I hear that and every time I try it, I get some sour shit (though I still look and taste). Now, I like sour: hot or sweet and sour, a squeeze of lemon in tap water, a tablespoon of apple cider or balsamic vinegar between the main course and dessert (or cheese) - when the salad is wrongly served at the start rather than the end; in coffee?, that's just evil. Coffee must be bitter (and black).

      --
      Great minds think alike; fools seldom differ.
    4. Re:Starschmucks by Anonymous Coward · · Score: 0

      It's not sour, it's just that you are used to the crap coffee and BURNT beans that Starbucks has.

      Even McDonald's has better coffee than Starbucks.

  5. My email to press@starbucks.com by Anonymous Coward · · Score: 5, Insightful

    "Egor Homakov did you a favor, I think you owe him a thank you, and an apology for your response to his discovery of a security flaw in your system.

    This will be your only hope if another security flaw is found, and the discoverer of the flaw now ponders between letting Starbucks know (less likely after your response to Egor Homakov), not letting anyone know (which leaves the security flaw available for anyone to use), or letting the wrong people know about this flaw!

    I feel like I am explaining something to a child. You are a corporation, act like one!"

    1. Re:My email to press@starbucks.com by Anonymous Coward · · Score: 0

      Also forwarded to Starbucks CEO Howard Schultz (Howard.Schultz@starbucks.com).

    2. Re:My email to press@starbucks.com by Anonymous Coward · · Score: 0

      Sorry, hschultz@starbucks.com

    3. Re:My email to press@starbucks.com by freeze128 · · Score: 1

      It doesn't really matter if you got his email address right or not. Do you think he actually reads emails himself from random internet identities?

    4. Re:My email to press@starbucks.com by Cederic · · Score: 1

      If he has any sense, yes he does.

      Not all of them, but he should be reading some. Otherwise he's letting other people control his company.

    5. Re:My email to press@starbucks.com by Andy+Smith · · Score: 4, Insightful

      For most of my life I've worked freelance so I haven't had much experience of the corporate world. But I recently worked for a small newspaper company (approx 400 employees) for a year and it was an eye-opening experience. It amazes me how anything ever gets done in these blind, ignorant, slow-moving organisations.

      I'll give you one example. The company's web filter had an issue with our own web sites, which prevented us from reading them. When I asked IT about it they knew what the problem was, but they couldn't authorise the fix and they suggested I raise the issue with my manager. But my manager was unapproachable -- asking for something to be done was the best way to make sure it didn't get done. It took over a YEAR for a small newspaper company to fix an IT issue that prevented staff from reading their own newspapers' web sites.

      I dread to think what life must be like in big corporations. I don't want to ever experience it.

    6. Re:My email to press@starbucks.com by Anonymous Coward · · Score: 0

      Hey, here's an idea:

      If you are not hired by Starbucks to do a security assessment of their system, maybe you shouldn't *ACTUALLY EXPLOIT* the hole you think you've found to steal from the company, and instead, report it as an unverified threat that you'd be happy to help them test, verify, and resolve?

This is like someone deciding to walk around my neighborhood "testing the locks on the doors." And then, if they find a door unlocked, they use that unlocked door to walk into my house, help themselves to some leftovers from the fridge, watch Maury Povich, and then leave. Oh, but when they leave, they leave me a note saying "Oh by the way, you left your door unlocked, that's a major security vulnerability, so I came in and had some food. You should fix that." I'm supposed to THANK them for trespassing and helping themselves to my lunch?

      If you exploit a security hole - no matter how "white hat" you say you are - it's not okay. It's not okay in the real world, and it's not okay just because it happens on a computer. It's "malicious activity" to exploit the hole.

    7. Re: My email to press@starbucks.com by Anonymous Coward · · Score: 0

      There's a difference between assaulting someone by busting into their residence and sending funky bits to an online gift card system.

      The difference is both practical and psychological.

      Certainly, we could argue that the door locks are merely meant as a deterrent and an obstacle to a break in. Thus, breaking in to someone's house is not nearly impossible and breaking in only proves you had too much time on your hands and the disturbed will to do it.

Starbucks' card system is not a residence, so nobody will feel physically threatened when you break in. As the doorway to millions of gift card dollars, it had better be nigh-impossible to break into. This security hole is like securing a yacht with a sign that says "authorized users only."

    8. Re: My email to press@starbucks.com by Anonymous Coward · · Score: 0

> There's a difference between assaulting someone by busting into their residence and sending funky bits to an online gift card system.

      Entering my house while I'm not home is not assault - it's trespass, and burglary. And nobody's busted in, they've just turned a doorknob and demonstrated that it's trivially easy to walk into my house, whether or not I've authorized you to do so. And the researcher in this case didn't "just send funky bits to an online gift card system" - he did that, and used it to walk into a Starbucks store with his "free money," and used it to purchase something. What do we call "taking something you didn't pay for" again? I know there's a word for it, but I forget...

> Starbucks' card system is not a residence, so nobody will feel physically threatened when you break in.

      No, instead, Starbucks will feel financially threatened when you break in. And to a corporation - whose reason for being is largely "to make money," a financial threat *is* an existential threat. And the point is not that "nobody was threatened" - the point is, regardless of how well or poorly secured it is, if it's not YOUR PROPERTY, you have NO RIGHT TO BE THERE.

> As the doorway to millions of gift card dollars, it had better be nigh-impossible to break into. This security hole is like securing a yacht with a sign that says "authorized users only."

      Yes, and if you waltz onto my yacht and steal a fistful of diamonds that I keep there, you have committed a malicious act - not "demonstrated for me that my security was inadequate."

      By ALL MEANS - if you're a security researcher, and you think you've found some flaws, contact the company. But as soon as you cross the line from "I believe this attack vector would allow an attacker to steal a bunch of stuff," to "I've validated that this attack vector would allow an attacker to steal a bunch of stuff," then you are engaging in malicious behavior. As an "ethical" researcher, you should terminate your investigation at the point where it becomes clear that 'validating' any further would require exploiting the hole. Take your suspected hole to Starbucks, and ask them to hire you on as a consultant, to review all of their infrastructure and help close any additional holes you might find.

      If they're unwilling - then you walk away. Ethics, remember? If they are willing, then you get paid and thanked for finding the security hole.

      Better yet - before you start probing random companies' security infrastructure - get yourself hired to do JUST THAT.

      Ethics, remember?

    9. Re: My email to press@starbucks.com by Anonymous Coward · · Score: 0

      I only meant to convey that the comparison of physical break-ins to gift card fraud is inadequate and stupid. I never said it was morally or ethically okay to steal gift card dollars.

      Go scare children off your lawn.

    10. Re:My email to press@starbucks.com by sumdumass · · Score: 4, Informative

      It's probably hit with a spam filter before it even reaches him.

In the email servers I administrate, we whitelist known addresses and segregate others for approval. Generally the higher-ups will assign this approval process to their secretaries. However, in the chance that 100 emails come in saying the same things, this usually trips the spam filter and goes into a folder that is generally automatically deleted unless someone detects it as not spam first. This is why form letters and such are not really noticed until someone sends a PR release stating over so many have been sent. Then they look at their spam filter logs and realize 200k people are pissed at them.

    11. Re:My email to press@starbucks.com by Anonymous Coward · · Score: 0

      You're far too kind.

      My email would be: I don't want to consume products from a corporation which has such an incompetent IT security as to punish those who want to help.

My logic is "what if the purchase dept. is that incompetent, too?" -- which is a possibility, given that IT sec was given so much leeway.

      Thus, no Starbucks for me... until I'm convinced there's better management inside.

    12. Re:My email to press@starbucks.com by phantomfive · · Score: 1

The skill of working in large corporations is learning how to navigate the bureaucracy and get things done. That is the puzzle; it is a skill like any other, with its own techniques.

If you read Dilbert, then you will find Wally is a master at this skill. Of course, he uses his abilities as a way to be lazy; it needn't always be used for nefarious purposes.

      --
      "First they came for the slanderers and i said nothing."
    13. Re:My email to press@starbucks.com by CaptainDork · · Score: 2

      The Dilbert® effect.

      One time at band camp ...

      No, wait.

      One time at my review, the manager said, "The users love you, but your methods don't conform to corporate standards."

      --
      It little behooves the best of us to comment on the rest of us.
    14. Re: My email to press@starbucks.com by Anonymous Coward · · Score: 0

      If you don't exploit it as a test, how do you know it's actually an exploit to report? You aren't too smart, are you?

    15. Re:My email to press@starbucks.com by Anonymous Coward · · Score: 0

      No, Wally uses his skill in an attempt to get fired and receive a severance package. Read the character back-story.

    16. Re:My email to press@starbucks.com by phantomfive · · Score: 1

      I do believe that counts as being lazy, but I admire his attempt.

      --
      "First they came for the slanderers and i said nothing."
    17. Re:My email to press@starbucks.com by Anonymous Coward · · Score: 0

      Whether he reads it or not, it took an additional three seconds to CC his address as well... "Random internet identities"? My email domain is a Fortune 100, signed with my actual name, you damn well better believe he, or someone in his office read it!

      Do you honestly think that everyone who frequents /. is a nobody who lives in parents basement?

    18. Re:My email to press@starbucks.com by khchung · · Score: 1

> But my manager was unapproachable -- asking for something to be done was the best way to make sure it didn't get done.

      One has to wonder how you got hired in the first place.

      --
      Oliver.
    19. Re: My email to press@starbucks.com by Anonymous Coward · · Score: 0

      I know I am.

    20. Re: My email to press@starbucks.com by Anonymous Coward · · Score: 0

      If you exploit it as a test without the company's knowledge or approval, why are you at all surprised that the company would react as if you hacked their systems without their knowledge or approval?

      Are you really that thick that you can't see an avenue for contacting Starbucks and saying, "Hey, I noticed this thing that I think might be a security flaw. In fact, security and penetration testing is sort of my thing. Maybe you and I could work something out where I'd actually test your entire infrastructure and report my findings, while you give me a few bucks for each actual flaw I help you find and close?"

      If Starbucks hasn't solicited your help or hired you, then you're the IT equivalent of one of those stop-light windshield washers who spray shit on random cars' windows and then expect a couple bucks in return for "washing" the windows. If your entire business model relies on that sort of behavior, you might want to consider getting a real job, instead of being a scumbag con artist. White hat, my ass.

    21. Re: My email to press@starbucks.com by matria · · Score: 1

      And the fact that he immediately paid it back is irrelevant? It's like somebody "waltzing onto your yacht" and taking a fistful of diamonds, then handing them back to you and saying that you ought to secure your valuables better.

    22. Re:My email to press@starbucks.com by Anonymous Coward · · Score: 0

      Well he certainly didn't ask for it!

    23. Re:My email to press@starbucks.com by Anonymous Coward · · Score: 0

> But my manager was unapproachable -- asking for something to be done was the best way to make sure it didn't get done.

> One has to wonder how you got hired in the first place.

      The interviewer said to the manager: "Don't hire this guy, whatever you do. He's a complete asshole!"

    24. Re: My email to press@starbucks.com by silentcoder · · Score: 1

> What do we call "taking something you didn't pay for" again? I know there's a word for it, but I forget...

      There are several. Depending on context it could be called 'public property', 'marketing material ', 'free samples', 'your birthday' or even 'copyright infringement '.

I find it odd that you only seem to know one name for it and apparently assume that all other variations are that name being euphemised. Doubly ironic when you realise that the name you're thinking of actually isn't what that is called. The definition of stealing has nothing about payment anywhere in it. It's defined by lack of consent - which may or may not be gained with payment, and it doesn't apply to all things. No amount of lack of consent will make copyright infringement "stealing", for example.

      His actions may or may not be illegal but they sure as fuck weren't theft.

      --
      Unicode killed the ASCII-art *
    25. Re: My email to press@starbucks.com by MemeRot · · Score: 1

      I make all my coffee decisions based on the company's IT department. Glad to meet someone else who feels the same

    26. Re:My email to press@starbucks.com by Anonymous Coward · · Score: 0

> The skill of working in large corporations is learning how to navigate the bureaucracy and get things done.

      No the skill is learning how to be paid while not doing anything because clearly a bureaucracy designed to prevent you from getting work done was put in place on purpose by higher ups. Or put in place by incompetence, but then the corporation deserves to die a quick or slow death.

> If you read Dilbert, then you will find Wally is a master at this skill. Of course, he uses his abilities as a way to be lazy; it needn't always be used for nefarious purposes.

It's hardly nefarious to comply with your own company's demands on how you should or shouldn't work. Now, if Wally had the real and reasonable opportunity to reform the system and chose not to in order to avoid doing work, that could be taken to be nefarious. But the general point is that the company obviously was designed more as a means of extracting a paycheck for employees than it ever was for achieving some end goal or delivering good or innovative products.

This is a large part of why people see large corporations as evil, albeit a necessary one. It's not some unified front by the workers to be lazy that prevents good things. It's that even with a large collection of overachievers at the bottom, the bureaucracy set up by management is intentionally designed to crush the sort of innovation, growth, etc. that would result in management having to do a decent amount of work. It's little wonder the overachievers end up leaving and the "lazy" take up their spot, just as management intended. And it's why we all feel sorry for Dilbert, because he's too naive to realize that he can't fix the system -- of course Dilbert has his own undesirable quirks (overly sarcastic about problems, which is heavily equivalent to accepting those problems as a fact of life instead of a defect in the company) that he might realize, which prevents him from joining all the other overachievers, but that's a different story.

    27. Re:My email to press@starbucks.com by Anonymous Coward · · Score: 0

      "Egor Homakov is a foreign criminal hacker who is trying to exploit not only Starbucks, but most likely other corporate and governmental systems. He is a potential terrorist and should be prosecuted to the fullest extent of the law to deter any further attempts at theft and to send a message to any other hackers still roaming free out there.

      Vigilance and cooperation is important if we, together, are to imprison every one of these hackers so they cannot continue to damage our society. Hacking is illegal and for good reason, so good job Starbucks, I applaud and support your efforts to bring this scumbag to justice."

    28. Re:My email to press@starbucks.com by Anonymous Coward · · Score: 0

      That is so naively adorable.

      Did your mommy help you to dress today too?

    29. Re: My email to press@starbucks.com by Lenny1791 · · Score: 0

Wrong, wrong, wrong. I'll speak to the legal angle and see if you can extrapolate from that. Look up the definition of theft - as in, the statutory definition in your state. In most states, theft is defined something like "taking something which doesn't belong to you with the INTENTION of PERMANENTLY depriving the owner of said property." Let's see how good my memory is on this using my state... MN statute 609.52s2: "intentionally and without claim of right takes, uses, transfers, conceals or retains possession of movable property of another without the other's consent and with intent to deprive the owner permanently of possession of the property." Yea, I did pretty good. Taking something temporarily is not theft because intent is key. I actually learned this when I was younger and my step dad took my shotgun claiming he was scared of my state of mind or something after a verbal dispute. I called the cops out and of course they didn't want to side with the 20 year old guy and said they wouldn't press charges because "he said he'll give it back to you when he's comfortable." Seriously. Of course I flipped and said that's ridiculous and made the cops get it from him and give it back to me within a day. But then I looked up the statute and learned that is what the statute said, and it makes sense... However, I'm sure court precedents establish it must be a reasonable amount of time. The more you know.

  6. Funny by Anonymous Coward · · Score: 0

    So docent this make starbucks liable for all damages this flaw causes to customers then since they knew and didint fix it?

    1. Re:Funny by Deadstick · · Score: 2

> So docent this make starbucks liable

      And the award for Worst Spellchecker of 2015 goes to...

    2. Re:Funny by Anonymous Coward · · Score: 0

      Judging by the "didint" at the end, I'd say his spellchecker was set to phonetic mode.

    3. Re:Funny by Anonymous Coward · · Score: 0

      > Judging by the "didint" at the end, I'd say his spellchecker was set to phonetic mode.

      The English language is permanently set on phonetic mode... :-(

  7. come on now! by Anonymous Coward · · Score: 1

    The man's name is Egor! I've seen movies about this. You shouldn't get on his bad side.

    Just sayin'.

    1. Re:come on now! by PPH · · Score: 4, Funny

      It's pronounced "eye-gor."

      --
      Have gnu, will travel.
  8. The usual by Anonymous Coward · · Score: 1

    He should have posted instructions via a proxy to different places.
    So that everyone would get free coffee and Starbucks would get the message and act way faster.
    What would they do then? Sue all their customers?

    1. Re: The usual by Anonymous Coward · · Score: 0

If you care enough to take the trouble:
1. Buy a cheap sub-$50 tablet for cash. Never power it on within a few miles of your home, work or cellphone unless the battery is removed.
2. Use public WiFi to post the vulnerability.
3. Smash the tablet and throw it in the dumpster.
4. If you don't feel like spending your own money to help out, then screw it - the company will figure it out a few days after the Russians do.

  9. Re:Israeli genocide? by nicoleb_x · · Score: 3, Funny

    I think Hitler tried something like that already.

  10. disclosure by Lehk228 · · Score: 5, Interesting

more proof that responsible disclosure is foolish unless you are dealing with an organization you already have a solid IT/security relationship with.

    in any other situation, just post the exploit kit anonymously and make a bowl of popcorn

    --
    Snowden and Manning are heroes.
  11. How many times by ArchieBunker · · Score: 1

and people still don't learn? If you find something like this keep your mouth shut. No good will come from you bringing it to their attention.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:How many times by Anonymous Coward · · Score: 0

      Agreed. We get an article like this about once per year in Slashdot.

  12. #RaceConditionTogether by Phronesis · · Score: 4, Funny

    Starbucks can have a new slogan.

  13. I accuse /. of jumping the shark years ago by Anonymous Coward · · Score: 0

    all bow and fear me

  14. Re:Ziobucks by tompaulco · · Score: 2

    Starbucks is a nasty company. Its CEO Howard Schultz is a fanatical Zionist; if you patronize Starbucks, you're supporting Israeli genocide.

    Being a publicly traded company, the financial information is available, so go ahead and show on their financials where they are sending money to support Israeli genocide.

    --
    If you are not allowed to question your government then the government has answered your question.
  15. Security wall of shame by Kardos · · Score: 4, Interesting

    Looks like we need a security wall of shame that lists the response to flaw disclosures of each organisation, so people can quickly determine which companies will fix a flaw upon receiving a report, and which companies are hostile and should not be contacted.

    1. Re:Security wall of shame by Anonymous Coward · · Score: 0

      * are hostile and should be ripped off instead of contacted

      FTFY

    2. Re:Security wall of shame by Em+Adespoton · · Score: 2

      I think people on here are having a difficult time differentiating between two actions that have taken place here: 1) security research that discovered a hole and 2) unauthorized abuse of that hole to prove a point and demonstrate the severity of the flaw.

      Starbucks is hostile to the second, not the first. If he'd stopped at discovering the flaw and bringing it to their attention, I doubt they'd be hostile.

      If you parked your car and someone noticed the door was unlocked and the keys were in the ignition and came and told you, that'd be under 1) -- if instead, they got in, drove your car up to the door of your building and honked the horn to get your attention, that's under 2). And that's exactly what he did.

      Looks like we also need a security researcher wall of shame that lists "researchers" who go beyond the research and commit federal crimes to demonstrate what the flaw allows them to do.

      Any time you're inside a network you're not supposed to have access to, you've crossed the "hacker" line from "white" to "grey". If you don't immediately back out and report, you've slid all the way to "black".

    3. Re:Security wall of shame by Anonymous Coward · · Score: 0

      Looks like we need a security wall of shame that lists the response to flaw disclosures of each organisation, so people can quickly determine which companies will fix a flaw upon receiving a report, and which companies are hostile and should not be contacted.

      This would be much easier if we actually had more social networking features. But journal pages on slashdot stopped interesting me or being used soon after introduction. Forums would be a start, giving us long-lasting threads rather than a dozen hours or however long the posts are visible to most of the world in the front-page river.

      Otherwise, someone small stands to lose the fight as cease-and-desist requests come-a-knocking at their private-hosted server.

  16. No lessons learned 15 years after the Humpich case by D4C5CE · · Score: 1

    So being able to demonstrate a vulnerability is criminalized just like in the old days: http://www.parodie.com/english...

    When responsible reporting is deterred to uphold an illusion of flawlessness and corporate infallibility, blackhats are the only ones who benefit.

  17. Re: Ziobucks by Anonymous Coward · · Score: 1

    Schultz sure made a point of distancing Starbucks from Israel.

    He's clearly more concerned with raking in as much cash for Starbucks than supporting Israel using Starbucks, which is appropriate for his role and entirely ethical.

    Besides, the Aroma (spelled phonetically in Hebrew) coffee chain in Israel is quite a bit better than Starbucks on quality, price, and customer service.

  18. I Detect Spin. by jklovanc · · Score: 2

    As there is no transcript of the phone call we have no idea what was actually said. It could have been something along the lines of "We try to guard against fraud and malicious behavior" or "continuing to do this could be considered fraud or malicious behavior". There is no proof the reporter was ever accused of either of those. Being accused makes a better story though.

  19. Idiot by Anonymous Coward · · Score: 0

    That's why you let them eat shit and get sued. Why would you even volunteer this information? You deserve to be what you got.

  20. Fuck Starbucks. by Anonymous Coward · · Score: 0

    I vote with my dollars for the megacorps I want running the planet. I have not given Starbucks money in years and now have even more incentive to do so-- they're so fucking stupid they don't know when they're being helped.

  21. Two Words: by Anonymous Coward · · Score: 0

    Defamation lawsuit.

    1. Re:Two Words: by CaptainDork · · Score: 1

      I enjoyed the movie, "100 Defamations."

      --
      It little behooves the best of us to comment on the rest of us.
  22. Fraud? by Anonymous Coward · · Score: 0

    A $20.00 double caffoo-express-mocca-with-strawberry-double-low-fat-high-density-provolone-cheese-Liquorice-hold-the-expresso-two-unbrella coffee
    might be closer to fraud than you think...

  23. dem haxx0rz by Anonymous Coward · · Score: 0

    r in ur coffee na0, $tarbuck$

  24. Nothing to worry about by JoeCommodore · · Score: 1

    They probably wrote something like Eager Homacake on the accusation anyway.

    --
    "Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
  25. Cold Brew FTW by foreverdisillusioned · · Score: 1

    If you dislike acidic coffee, use a max dark roast (note that for darker roasts the quality of the beans doesn't matter quite as much, though Arabica will still be smoother) and cold brew that stuff overnight (you can buy a kit from a company like Filtron for pretty cheap, or just a DIY setup.)

    The stuff comes out like motor oil--thicker than espresso. You store in the fridge, mix a shot of it with water and nuke it whenever you want a cup. Incredibly convenient, and in my experience it really cuts down on the acidity. The end result, when drunk black, has a "crisp" bitterness... not unlike a good beer.

    1. Re:Cold Brew FTW by lucm · · Score: 1

      Interesting stuff, but I still struggle with putting in the correct amount of water when I prepare Kool-Aid, so cold brewing Arabica beans ain't happening anytime soon. In the meantime I'll keep buying my coffee at Starbucks.

      --
      lucm, indeed.
    2. Re:Cold Brew FTW by Anonymous Coward · · Score: 0

      I still struggle with putting in the correct amount of water when I prepare Kool-Aid

      If you're having trouble, Amazon has the solution to your Kool-Aid woes.

    3. Re:Cold Brew FTW by foreverdisillusioned · · Score: 1

      Well, I don't want to sound like a shill here but the Filtron kit comes with a plastic bottle that has a secondary built-in measuring section up top: http://www.filtron.com/Filtron...

      It's kinda cheaply made (mine cracked after 3 or 4 years), but it's extremely handy. You tilt the bottle around until the top section has as much as you'd like (there are measuring lines), then unscrew the lid on the top section and pour out exactly that amount into the cup. At first it's slightly more cumbersome than using a measuring cup, but much more convenient (no need to keep track of and wash the measuring cup) and you get the hang of it pretty quickly. Just don't constantly change coffee cup sizes and it's extremely easy to do even while half asleep.

      It's also pretty nice to be able to make ice coffee on a whim, in under 20 seconds.

  26. Gift cards suck by lucm · · Score: 2

    Why would anyone use those? There's no discount. A $25 gift card just entitles you to spend $25 worth of whatever that company has to sell. What's the point? To show someone that you know that they like coffee, so instead of giving them $25 you give them a $25 Starbucks gift card? It's not really more thoughtful than giving cash yet it's far less convenient for everyone involved. And why would you even refill those for yourself? Because you don't trust yourself with your own money?

    And a Starbucks gift card is not like those gas credit cards, the last resort of degenerate gamblers, junkies and broke-ass idiots who offer you to fill up your car using their card in exchange for $20 cash. At least those are convenient if you happen to stop for gas at the right place and the right time.

    Fuck gift cards.

    --
    lucm, indeed.
    1. Re:Gift cards suck by Aqualung812 · · Score: 1

      Why would anyone use those? There's no discount.

      Incorrect.
      Using a Starbucks card counts towards a free drink or food item after 12 uses.
      There is no minimum amount on what counts, as long as it is a drink or food item, and there is no max on what you can redeem it for, again as long as it is a drink or food item.

      I have used this to great success by getting a $1.50 brew coffee, put in my own mug (-$0.10), and free refills while using their WiFi for a few hours.

      Every 2 weeks, I would get a free treat, a 5-6 shot "candy coffee" with whip cream, caramel, etc... That would normally be $7-$8, but was free with that card.

      For me, that was enough that I saved the money and calories of skipping those candy drinks most of the time, knowing I'd have it again soon enough.

      --
      Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
    2. Re:Gift cards suck by Anonymous Coward · · Score: 0

      You are the reason why we can't have good things.

  27. Most of stupid people are also assholes by AqD · · Score: 1

    And extremely short-sighted.

    Just an observation from real life experience...

  28. Do you even know what genocide means? by clay_buster · · Score: 1

    The Palestinian population in the occupied territories has gone from 1.03 million to 4.55 million since 1967. Either you don't know what the term means or the Israelis are the worst at implementing genocide.

  29. Pride and Arrogance SUCK! by hamsterz1 · · Score: 2

    When a BIG CO is confronted with a security flaw, by someone outside the CO, they react in anger first, then fear, then they turn on the person/persons who confronted them. When you distill all the emotional cruft, it's that their pride was hurt. Never mind someone did "their" homework for them. They want to "save face". It makes them angry that YOU did something they should have done. No sharing of information for the common good, with arrogant pricks. :)

    1. Re:Pride and Arrogance SUCK! by hamsterz1 · · Score: 1

      When a BIG CO is confronted with a security flaw, by someone outside the CO, they react in anger first, then fear, then they turn on the person/persons who confronted them. When you distill all the emotional cruft, it's that their pride was hurt. Never mind someone did "their" homework for them. They want to "save face". It makes them angry that YOU did something they should have done. No sharing of information for the common good, with arrogant pricks. :)

      PS Starbuck$ is overpriced sludge anyway. Micky Dee's is better. :)

  30. Starbucks by brunnegd · · Score: 1

    Starbucks makes Wal-Mart look like the good guys

  31. If your neighbor said to you... by Anonymous Coward · · Score: 0

    I noticed you accidentally left your front door unlocked last Monday. You should really remember to lock it every day. By the way, you should not leave money in your underwear drawer. I counted three hundred dollars. I doubt you so-called ethical hackers would be thrilled about it. In fact I bet you'd feel violated.

  32. Debit card service fee avoidance by tepples · · Score: 1

    Why would anyone use those? There's no discount.

    Sometimes there is a discount. The local blood plasma collection center pays donors for their time on a debit card. The bank that issues this debit card charges a service fee for cash withdrawals at another bank's ATM, for bank account transfers smaller than $300, and for inactivity after so many days. So when I didn't feel like donating anymore for a while, to get my $190 balance out without having to pay a service fee, I used the debit card to buy $190 of gift cards at businesses I already frequent.