Slashdot Mirror


Ethical Hackers Donate 1,000,000 Air Miles To Charity (offensi.com)

An anonymous reader writes: Certified ethical hackers at Offensi.com identified a bug allowing remote code execution on one of United Airlines' sites, and submitted their findings to the airline's "bug bounty" program. After a fix was placed into production, their team was awarded 1,000,000 Mileage Plus air miles, which they say was accompanied by an email informing them that the IRS would consider their award as $20,000 of taxable income. "If after evaluating the taxable amount you choose not to accept your award, you are also able to donate your award to charity," the e-mail explained. The hackers ultimately chose to distribute their air miles among three charities -- the Ronald McDonald house, the Muscular Dystrophy Association, and the Casa de Esperanza de los Ninos Organization.
Another security researcher complained in November that United failed to close a serious vulnerability he'd identified for almost six months.


  1. Gov't discouraging white-hat behavior by Anonymous Coward · · Score: 4, Insightful

    the IRS would consider their award as $20,000 of taxable income

    Yet another reason to sell exploits on the black market instead of disclosing them responsibly.

    1. Re:Gov't discouraging white-hat behavior by PvtVoid · · Score: 1

      the IRS would consider their award as $20,000 of taxable income

      Yet another reason to sell exploits on the black market instead of disclosing them responsibly.

      Or the scumbags at United could pay them in actual money.

    2. Re:Gov't discouraging white-hat behavior by wonkey_monkey · · Score: 1

      Why not complete the chain of logic and decide that people asking you to pay for stuff is yet another reason for you to just steal what you want instead?

      --
      systemd is Roko's Basilisk.
    3. Re:Gov't discouraging white-hat behavior by Ogive17 · · Score: 1

      They do work, get paid, pay taxes.. that's life.

      The real bitch is the airline not actually paying in cash, but something they consider a cash equivalent.

      --
      "Action without philosophy is a lethal weapon; philosophy without action is worthless."
    4. Re:Gov't discouraging white-hat behavior by ShanghaiBill · · Score: 1

      Or the scumbags at United could pay them in actual money.

      Money is taxable. Also, FF miles can be exchanged for money (which is why they are taxable).

    5. Re:Gov't discouraging white-hat behavior by Anonymous Coward · · Score: 3, Insightful

      You can pay the tax on money with part of the money.
      You can't pay the tax on miles with miles.

    6. Re:Gov't discouraging white-hat behavior by PPH · · Score: 1

      Is Offensi.com a US entity? Because if they are foreign, the IRS doesn't get diddly. If they are Irish, tax (10%) only applies to income earned in Ireland.

      Time to move your corporate 'home' overseas.

      --
      Have gnu, will travel.
    7. Re:Gov't discouraging white-hat behavior by PetiePooo · · Score: 1

      This.

      I suspect that, by the time they would have converted the miles to dollars, their net profit was negligible. Can anyone point us to the exchange rate for United miles to USD (specifically, how much you can sell a million miles for)?

    8. Re:Gov't discouraging white-hat behavior by Obfuscant · · Score: 1

      I suspect that, by the time they would have converted the miles to dollars, their net profit was negligible.

      And had they actually used the miles, their profit would be negative. United has some very high co-pays for award travel. So much so that it is almost cheaper to just buy an economy ticket in the first place.

    9. Re:Gov't discouraging white-hat behavior by eric_harris_76 · · Score: 1

      Not just white hat behavior, of course. Any mutually-beneficial exchange.

      Well, any _documented_ mutually-beneficial exchange. Not a problem, if you operate in the underground, er, "undocumented", economy.

      Unless you get caught not forking over a piece of the action. Then it can be a big problem.

      --
      There's no time like the present. Well, the past used to be.
  2. taxable income for limited miles? by Joe_Dragon · · Score: 1

    taxable income for limited miles?

    1. Re:taxable income for limited miles? by fustakrakich · · Score: 1

      Yes, if you get "10% off at Pennys", the IRS agent at the door will collect a tax on the money you saved.

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:taxable income for limited miles? by sumdumass · · Score: 1

      How exactly does that compute? I mean they weren't getting a 10% discount on all future tickets, they were getting the equivalent to a cash card or a car. This is not to mention that there is usually a dollar threshold before the IRS actively cares about winnings being reported by people other than yourself.

      If you must compare it to something other than work and compensation for the work, compare it to game show or casino winnings.

    3. Re:taxable income for limited miles? by fustakrakich · · Score: 1

      Facetious

      Sorry, sometimes the magic works, sometimes it doesn't. Whatever, we are letting the IRS run out of control. And really, they can tax what they want, but they should have to do the paperwork, put the 'Service' back into the name.

      --
      “He’s not deformed, he’s just drunk!”
  3. Re:What's wrong with that? by K. S. Kyosuke · · Score: 3, Insightful

    I thought we invented money to fix the problems with barter?

    --
    Ezekiel 23:20
  4. Re:but who gets the tax deduction by Sarten-X · · Score: 1

    I'm not familiar with United's specific program, but others I've seen would have United take the expense, then the hackers receive the $20,000 taxable income and immediately donate it to charity, allowing them to record a $20,000 deduction from their taxable income.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  5. Re:What's wrong with that? by Sarten-X · · Score: 1

    That doesn't mean we've eliminated barter. We just standardized its measurement with fungible certificates.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  6. Re:What's wrong with that? by tomhath · · Score: 1

    And then we wrote laws to close the loopholes which allowed people to get tax free compensation from their employer.

  7. Re:What's wrong with that? by fustakrakich · · Score: 1

    Well hell! Then so is the discount you got on those new tennies. If you pay less than MSRP, then you must declare it and pay the tax, right? Sorry, we can't have people skimming from everything we do.

    --
    “He’s not deformed, he’s just drunk!”
  8. what happens if the IRS says bug bounty are w2? by Joe_Dragon · · Score: 1

    what happens if the IRS says bug bounty people are w2 employees?

  9. United did disclose it... by Lumpy · · Score: 1

    The problem was the Flight that had the information was delayed to the point that it missed its connecting flight so it's stuck somewhere wandering around the Denver Airport.

    United has the WORST scheduling ever. They always try and schedule flights way too close together to ensure that any delays will result in missed flights.

    --
    Do not look at laser with remaining good eye.
    1. Re:United did disclose it... by Nkwe · · Score: 2

      United has the WORST scheduling ever. They always try and schedule flights way too close together to ensure that any delays will result in missed flights.

      United doesn't schedule your connections, you schedule your connections (or your travel agent / website does on your behalf). Yes, United has many issues, and they have many delayed flights (along with the other airlines), but if you purchase trips with tight connections and don't expect to occasionally miss one, it is your own fault.

    2. Re:United did disclose it... by Obfuscant · · Score: 1

      United doesn't schedule your connections, you schedule your connections (or your travel agent / website does on your behalf).

      However, their website does offer flights with connections that are ridiculously short, usually as the cheapest or cheaper options. That may be a natural result of trying to help optimize YOUR travel time (shortest layovers are usually shortest trips overall), but I don't believe it is a conspiracy to try to get you to miss flights. Why would they do that? It costs them money. If they run out of standbys for the flight you missed, they have an empty seat. If they have to reimburse you, they lose money.

      But ultimately, it is the traveller's responsibility to scroll further down the page and pick an itinerary that has adequate layover time. Personally, an hour is my minimum, and I always go for three when it's an international connection.

  10. Re:You can say you're ETHICAL and a hacker too... by U2xhc2hkb3QgU3Vja3M · · Score: 1

    Why are ethical/white hat hackers not part of the solution? In what way are they prolonging problems?

    They're not the ones inventing problems or creating them, they're just finding them and telling companies about them.

    If someone points out that a bridge is going to collapse soon because he can clearly see fractured concrete and half-torn steel beams, will you call him a terrorist when the bridge falls down?

  11. Re:Ronald McDonald? by sumdumass · · Score: 2

    No, it is his house not him himself.

    Actually, air miles are traded for lots of things other than travel. But that aside, the Ronald McDonald house likely could actually use the air miles for travel as it exists to help families be closer to children sent to hospitals far away for life saving medical treatments. This is so mom doesn't have to drive 4 hours a day to see little Sallie going through chemo treatment then drive another 4 hours back home only to get a few hours sleep and do it again or end up spending a month's rent on 5 days hotel stays to avoid the multiple drives.

    I really hate McDonald's from their anti smoking campaigns to the anti gun bullshit but this house charity is probably the only thing that allows me to patronize their restaurants.

  12. Re:but who gets the tax deduction by CanadianMacFan · · Score: 1

    I don't know about the American system but under the Canadian system the extra income would be taxed at whatever marginal rate your income bracket is, which gets higher as your income goes up. Charitable donations get a credit (or deduction - I'm not a tax accountant) equal to a fixed percentage of the donations no matter what your income is. I think it's about 15%. So unless you have almost no income to begin with, taking the income and claiming the charitable deduction would still have you end up paying some additional taxes.

  13. Re:What's wrong with that? by ShanghaiBill · · Score: 1

    And then we wrote laws to close the loopholes which allowed people to get tax free compensation from their employer.

    Except for health care, pensions, and vacation time. If there were no tax benefits, how many people would want their employer to choose their doctor?

  14. Interesting valuation by Solandri · · Score: 1

    Most people who trade miles (risky, wouldn't recommend it, but it exists) value United miles at around 1.4 cents/mile. It used to be 2+ cents because United is a member of Star Alliance, arguably the best airline partner program out there. But the last few years they've added a lot of restrictions on how you can use miles from one partner airline on a different partner.

    Income and prizes (sweepstakes) have always been taxed, even if the prize is merchandise. So I don't see why this would be any different. It has the unfortunate side-effect where someone may win a half million dollar home, and because they're unable to afford the taxes on it they're forced to immediately sell it. At which point they're taxed again because the money from the sale is "new" income - gotta love the government. AFAIK, American Express is the only company which will also pay your taxes on prizes they award you. So if you win a $100,000 BMW from them in one of their prize contests, they will also give you enough cash to pay the tax on that. Plus more cash to pay the taxes on the cash they gave you to pay the taxes for the prize. Plus more cash to pay the taxes on the cash they gave you to pay taxes on the cash they gave you to pay the taxes for the prize. etc.

    Usually, just donating the prize to charity is the simplest way to avoid it becoming a tax windfall for the government. The charity gets the full value of the donation, and you get a tax deduction for that value (even though you never actually received the value of the prize - another flaw in our tax code).

    1. Re:Interesting valuation by jratcliffe · · Score: 1

      Usually, just donating the prize to charity is the simplest way to avoid it becoming a tax windfall for the government. The charity gets the full value of the donation, and you get a tax deduction for that value (even though you never actually received the value of the prize - another flaw in our tax code).

      You only get a deduction to offset the income you had from the receipt of the prize. You don't end up any better off than if you'd never won the prize in the first place.

  15. Re:but who gets the tax deduction by rmdingler · · Score: 1

    The maximum federal corporate tax rate on income in the U.S. is just 35%, and though the state corporate income tax can vary (N. Carolina 4% to Iowa 12%), taxable income is after deductions.

    Limitations on Deductions

    In general, contributions to charitable organizations may be deducted up to 50 percent of adjusted gross income computed without regard to net operating loss carrybacks. Contributions to certain private foundations, veterans organizations, fraternal societies, and cemetery organizations are limited to 30 percent adjusted gross income (computed without regard to net operating loss carrybacks), however. Exempt Organizations Select Check uses deductibility status codes to indicate these limitations.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

  16. Re:but who gets the tax deduction by ShanghaiBill · · Score: 1

    Does United get the tax deduction for donating the miles, or do the hackers?

    United can deduct the miles as a business expense once they are used, but only their actual costs of delivering the service, not the cash value of the miles. The hackers can deduct the charitable donation, but only if they also declare the receipt of the miles as income, so they would just cancel out. If the final recipients of the miles are 503c's, then they can use the miles tax-free as long as they use them for charitable purposes.

    So the only net cost to the taxpayers would be United deducting the cost of the extra fuel from their taxable income, and even then, the fuel would still be subject to excise tax.

  17. Re:Ronald McDonald? by Anonymous Coward · · Score: 2, Insightful

    I really hate McDonald's from their anti smoking campaigns to the anti gun bullshit but this house charity is probably the only thing that allows me to patronize their restaurants.

    - Hates anti-smoking campaigns
    - Hates "anti-gun bullshit"
    - Patronizes McDonalds' "restaurants"

    This is the most subtly redneck trash comment I've ever seen on Slashdot. Well done!

  18. One million airline miles by Applehu Akbar · · Score: 1

    That's enough for a business class upgrade!

    1. Re:One million airline miles by Fire_Wraith · · Score: 1

      Great! We'll put you on the upgrade request list. You're currently #523 on the wait list for upgrade for your flight.

    2. Re:One million airline miles by demonlapin · · Score: 1

      To be fair, hitting 1M miles is usually enough to automatically put you in the highest category of elite status - for life. Not a bad thing for whatever your taxes would be on $20k.

  19. Re:What's wrong with that? by AthanasiusKircher · · Score: 5, Interesting

    I thought we invented money to fix the problems with barter?

    Actually, not really. This is a myth made up by economists (well, specifically Adam Smith, though it ultimately goes back to Aristotle). Anthropologists have disputed this with exhaustive surveys for at least a century. It's really only economics textbooks that keep telling this fairy tale.

    Money emerged in most societies as tokens to deal with pre-existing systems of credit. There's no historical evidence that barter in the classic sense (e.g., "I'll give you ten chickens for those two goats!" "Nah, but if you throw in twelve chickens and that nice basket, I'll take it!") has been a predominant form of exchange within a human society. It relies on a myth that people in primitive cultures would stockpile goods they didn't really need, ready to trade when a buyer arrived... but that sort of thing doesn't tend to happen in primitive societies. It also tends to depend on this weird idea that two people would always have exactly what others wanted -- e.g., "I'll give you bread for meat," but what if you don't need bread? So then you need a third or fourth or fifth party in this transaction until everybody gets something they want.

    By the time you get people able to stockpile goods, you usually have a pretty elaborate system of credit going. Money then emerges as a way of denominating that credit. (Societies not advanced enough to have stockpiled goods generally just depend on gift transactions with elaborate notions of levels of indebtedness or rely on leaders to divvy up goods and resolve disputes, rather than requiring bartering for goods.)

    Anthropologists have usually observed barter mainly in unusual transactions taking place BETWEEN societies, e.g., with a neighboring tribe you may not have much contact with and therefore can't trust within your usual systems of indebtedness. Barter sometimes also emerges on a limited scale in more advanced societies (who are used to money) when currency becomes scarce, though generally an alternative currency emerges and/or credit and debt-recording systems actually take over pretty quickly for most transactions.

    Whether money emerged as a way of standardizing private debt transactions or as a leader/government-imposed way of regulating debt instruments is probably dependent on the society... but there's really no evidence that a full-fledged "barter economy" ever existed. (If you think I'm making all this up, there are plenty of articles and books out there -- mostly not written by economists, but by historians or anthropologists -- about this. A recent article in the Atlantic is perhaps one place to start. One reason this probably hasn't caught on among economists is that it challenges fundamental notions of capitalism, which rely on the idea that "free markets" will work correctly because we're all just "bartering" in the end, with currency as a medium of exchange... and like these mythical bartering transactions, monetary imbalances should ultimately level out to fair "markets" without intervention. If currency instead emerges as a debt standardization instrument, sometimes related to government intervention or regulation, that's a vastly different story to the beginning of economics.)

  20. Fake Currency as taxable income? by wardrich86 · · Score: 2

    Sooo, I can pay my taxes in coupons, Air Miles, and other loyalty points? Awesome!

    1. Re:Fake Currency as taxable income? by MattskEE · · Score: 1

      If the IRS didn't tax high dollar gifts then savvy people would legally avoid taxes by structuring income as gifts. In lieu of $40k income or bonus, an employer gives employee a $40k car and reduces their taxable income by $40k. Instead of $200/mo going to groceries, here's a $200 grocery store gift card. Etc, etc.

      And this airline miles gift is effectively income in the same way a cash prize from a bug bounty program is income.

      Now it may well be inconvenient to receive high-dollar gifts that are also taxable so you have to pay money to accept the gift... but going the other way and not taxing gifts has worse problems.

  21. Re:What's wrong with that? by Mikkeles · · Score: 1

    So they could have donated x air-miles to the IRS as payment in kind?

    Otherwise, it's just a scam.

    --
    Great minds think alike; fools seldom differ.
  22. Welcome to consulting by Beeftopia · · Score: 1

    Every dollar you receive is taxed. And you have to pay estimated taxes every quarter. And then you gotta pay the self-employment tax.

    It makes me much more keenly aware of the difference between pre-tax dollars and post-tax dollars. When I have to pay say, 100 dollars for something, I know how much I have to make in order to net 100 dollars, after tax.

    There is at least one exception (of which I'm aware, I'm sure there are more): house flipping. The first 250K (500K if married) of profit is tax free (exclusions apply). And then it's taxed as a capital gain (at a 15% rate). Tax rules are a big source of politicians' power, and are thus heavily influenced by donations and lobbying.

    1. Re:Welcome to consulting by Fire_Wraith · · Score: 1

      This is correct. It's still capital gains (i.e. investment) income though, meaning that as long as you held the asset for more than a year, you pay the 15% rate, rather than the 39% rate.

  23. Re:What's wrong with that? by K. S. Kyosuke · · Score: 1

    That is actually very interesting. I do not think you're making this all up. Pretty good points for a long-dead guy!

    --
    Ezekiel 23:20
  24. Re:but who gets the tax deduction by pla · · Score: 1

    Isn't that the same as just not making the money in the first place?

    Normally, yes - The tax rules around charitable donations provide exactly zero incentive to donate earned money to charity - By doing so, you've effectively given yourself a pay-cut, and nothing more.

    In the case of something you won, by donating it directly to charity, you still get to keep the tax deduction. So basically, the current arrangement involves Offensi getting to "keep" roughly a quarter of that award in the form of deductions against their "real" income (assuming they have enough to matter).

    Totally fuck United for giving out their scammy in-house currency rather than real money, but at least the good guys get something for their trouble here.

  25. Re:Ethical hacking is wrong. by xvan · · Score: 1

    ...the assumption that because some quality or combination of qualities invariably and necessarily accompanies the quality of goodness, or is invariably and necessarily accompanied by it, or both, this quality or combination of qualities is identical with goodness. If, for example, it is believed that whatever is pleasant is and must be good, or that whatever is good is and must be pleasant, or both, it is committing the naturalistic fallacy to infer from this that goodness and pleasantness are one and the same quality. The naturalistic fallacy is the assumption that because the words 'good' and, say, 'pleasant' necessarily describe the same objects, they must attribute the same quality to them.
    —Arthur N. Prior, Logic And The Basis Of Ethics

  26. Re:Ethical hacking is wrong. by guardian-ct · · Score: 1

    This brings new meaning to the phrase, "And by Prior Logic, ..."

  27. Re:What's wrong with that? by Obfuscant · · Score: 1

    Except for health care, pensions, and vacation time.

    IIRC, the value of my health insurance (not health care -- my employer is not a hospital or doctor so I don't get my health care from them) was a line item somewhere on my taxes. I didn't bother checking what it did.

    But for pension -- I haven't gotten that money yet, and I will be taxed on it when I do. It's not "tax free compensation". And the wages I am paid while on vacation are taxed at the same rate as wages while I am not. There is no "tax free compensation" there.

    The closest that vacation is tax-free is when I choose to take a vacation while on business travel, so the employer pays for the travel to and from and I am not taxed on that money, but he's paying that money anyway. The rest of the vacation is on my own dime, taxed at the standard rates when it was income.

    If there were no tax benefits, how many people would want their employer to choose their doctor?

    I can get a tax break if I let my employer choose my doctor? Wow. News to me.