Microsoft Tries To Silence Revelation Of Bing Cashback Flaws; Leads To Revelation Of Other Problems

from the touchy-microsoft dept

I'd been meaning to write this up for about a week, but finally got it around to it, just in time to add some additional info. First up, though, comes the news that Microsoft's legal department demanded a blogger remove a blog post about flaws in Bing's Cashback offer (Microsoft's attempt to bribe users to search via Bing instead of Google). One of the methods for the cashback offer involved pixel tracking, and blogger Samir Meghani noted that this was easily gamed to post fake transactions to your account. He also noted problems with the way Microsoft used sequential IDs, allowing potential scammers to "deny cashback rebates to legitimate users by using up available order ID numbers." Instead of dealing with these flaws, Microsoft lawyers sent a cease-and-desist and forced the blog post offline. I'm actually quite surprised this hasn't received a lot more attention.

In the legal nastygram, Microsoft's lawyers claimed that because Meghani had tested the flaws out himself, he was likely guilty of violating "various laws relating to computer intrusion, unauthorized access and unauthorized use of information," while suggesting that his actions could result in criminal charges. That's ridiculous, of course. He didn't actually scam the company -- he was just exposing a flaw. This is legal bullying to silence someone for pointing out a rather basic security flaw in Microsoft's program.

But, of course, even though Meghani was silenced on that issue, it doesn't mean he has to be silent on all of the flaws in Bing's Cashback program, so his latest (found via Slashdot) is that various retailers that offer "cashback" via Bing purchases are showing higher prices if you search via Bing. In fact, the price people can pay if they do certain searches on Bing is higher than if they'd gone direct:

So, if I go directly to butterflyphoto.com, I pay $699 with 0% cashback. If I use Bing Cashback, I pay $758 with 2% cashback, or $742.84. Using Bing cashback has actually cost me $43.84, giving an effective cashback rate of -6.27%. Yes, negative cashback! Is this legal? False advertising? I don't know, but it's pretty sketchy.

The problem doesn't end there. Using Bing has tainted my web browser. Butterfly Photo set a three month cookie on my computer to indicate that I came from Bing. Any product I look at for the next three months may show a different price than I'd get by going there directly. Just clicking a Bing link means three months of potentially negative cashback, without me ever realizing it. I'm actually afraid to use their service even just to write this, because it may cost me money in the future. If you've been thinking about trying out Bing Cashback, you may want to rethink that.

Microsoft responded and called this "an isolated instance" that it had missed with its tools that try to prevent merchants from gaming the system this way. Still, perhaps rather than sending out legal nastygrams and PR pablum to people discussing these things, Microsoft should focus on actually making sure that Bing's Cashback bribery program actually works correctly and safely.

41 Comments | Leave a Comment..

Brazil E-Voting Machines Not Hacked... But Van Eck Phreaking Allowed Hacker To Record Votes

from the there's-an-issue-there dept

Last week, we noted that an attempt to let hackers crack e-voting machines in Brazil failed, but Slashdot points out that someone did use some Van Eck phreaking to figure out who people voted for. While that's not quite the same as hacking the results of an election, it could lead to questions about privacy and how anonymous voting really is. Of course, to some extent, this has always been a risk with e-voting systems, but it hasn't received that much attention.

15 Comments | Leave a Comment..

Brazilian Hacking Attempts Fail To Break Brazilian E-Voting, But Do Improve The Process

from the how-hard-was-that dept

We pointed out recently that Brazil was allowing groups of hackers and security experts to hack their e-voting machines, something that the e-voting industry has always resisted angrily. The e-voting companies have never been able to adequately explain why experts shouldn't be able to try to hack the machines, and all it did was lead to more distrust over the machines. However, the Brazil test has been concluded, and there's some good news: no one was able to crack the machines. However, with all the hack attacks, officials did learn a few things that are helping them to improve the overall process with the machines. It's really amazing that we still don't have something similar happening in the US.

16 Comments | Leave a Comment..

Dear Hulu: Stop Treating Me Like A Criminal

from the if-you-don't-want-me-to-watch... dept

I mentioned recently that, for some idiotic reason, Hulu has stopped letting me view any of its content. That's because I use WiTopia's VPN service for security reasons. It seems that plenty of other WiTopia users are discovering this, as well, and are getting annoyed. The issue is that Hulu wants to block people from outside the US from viewing its content (for licensing reasons, even if they're pretty pointless in today's world). But, for some bizarre reason, it's been decided that anyone who uses any sort of VPN or proxy can't use Hulu at all because they might be coming from a foreign country. I'm sitting here in California and Hulu tells me I might be illegally accessing its content, so it doesn't allow it. So, instead, I don't give Hulu any additional ad views and I don't watch the content I wanted to watch. How does that help anyone? It appears to make everyone worse off. And it's not like WiTopia is some free anonymous proxy -- it's a pay-service that has been around for ages and is used regularly for WiFi security purposes. Many of its users are US-based (the company is based in the US, and most of its servers are in the US as well). So, because (gasp!) a small group of people outside the US might dare to catch a video (with ads!!), all of Witopia's US customers can't watch any content at all? This is the same ridiculous content industry mindset that drives so many people to unauthorized file sharing: they treat you as a criminal first and force you to prove you're not (or sometimes, don't even let you prove otherwise). The problem the industry is facing isn't due to some guy in Europe catching The Colbert Report from across the sea. It comes from turning off legitimate customers and users who are sick of being treated like crap.

108 Comments | Leave a Comment..

Brazil To Let Hackers Try To Crack E-Voting Terminals

from the good-for-them dept

One thing that never made much sense was how vehemently the big e-voting manufacturers fought pretty much every single attempt to let outside computer security experts try hacking their machines. They often made excuses about how this wouldn't be fair under "non-real-world conditions," but never explained how it would be bad to at least let these hacks proceed to learn from them and use them to strengthen the overall security of the machines. Thankfully, it looks like voting officials in other countries are a bit more open to this concept. Slashdot points out that Brazil opened up a "challenge" allowing security experts and other hackers to request to take part in a big hack attempt on e-voting equipment. Not only that, but the government is going to give $5,000 to whoever successfully hacks into one of the e-voting systems. This seems like a much smarter way to check the security on these machines than the previous method of very basic gov't oversight and the e-voting firms issuing a big "trust us," answer to every question.

6 Comments | Leave a Comment..

Anti-File Sharing Propaganda Back To Focusing On That Horrible Malware You'll Get

from the unprotected-file-sharing-is-bad dept

The thing that you sort of need to admire about the copyright maximalist lobby is that they attack the problem from so many different directions on such a constant basis. It's almost impossible to keep up -- though, you do begin to notice some patterns. A particularly popular move is to alternate between the moral argument against copyright infringement (stealing! bad!) and the idea that file sharing is going to destroy your computer (we're just looking out for your safety!). It looks like the industry is back on that latter kick, as two recent stories indicate.

First, the BSA has its widely debunked "piracy" numbers -- but it's now getting news for focusing instead on how you're going to get malware if you file share. Since it can't actually back up its bogus numbers, instead it's hoping that most people don't know that correlation doesn't mean a causal relationship -- but at least we know that most of our readers know better. The report notes that there's a correlation between higher piracy rates and higher malware infections, but seems to totally ignore exceptions to that rule (the US) or delve into other variables that may explain either the piracy rate (already questionable) or the malware rate (education levels? poverty? shared computers? etc.). Even more amusing, they claim (with no actual evidence) that those who get malware have to spend more to repair their computers than it would have cost to get the legitimate software in the first place. I have no doubt that there are risks for those who file share, but this report does nothing to show the actual risks and is yet another in a long line of weak propaganda from the BSA, that despite being called on it for years, never seems to do anything to back up its reports with facts.

Then, we have the story of the MPAA apparently sending a bunch of anti-piracy comic books to New Zealand, home of one of many different fights on how to change copyright law. The comic book, like the BSA report, involves plenty of ridiculous and unsubstantiated claims about how file sharing will unleash nasty malware and viruses all over your computers -- but drawn in nice comic book form. Can we send those kids who got the MPAA comic book a copy of the Tales from The Public Domain comic books as well? There are free digital downloads for anyone who wants to hand them out in exchange for the bogus MPAA ones....

35 Comments | Leave a Comment..

Bank Sends Confidential Email To Wrong Address, Hauls Google To Court To Figure Out Who Got The Email

from the grab-some-popcorn dept

Everyone does it at some point: you send an email to the wrong person. Hopefully the content isn't that bad or important -- but it happens. However, when a Wyoming bank, Rocky Mountain Bank, accidentally sent confidential and sensitive information to the wrong Gmail account, the bank ended up taking Google to court to find out the identity of the individual. The bank had tried emailing the wrong address again, but got no response. Google, naturally, refused to just give up the name of the person without a court order -- so the bank went to court. It also tried to have the case sealed, but the judge has rejected that idea. You can certainly understand the bank's concern here, but it does seem a bit silly to have to bring someone else to court after you screwed up and sent the wrong email.

47 Comments | Leave a Comment..

Is It Identity Theft Or A Bank Robbery, Part II: Couple Sues Bank Over Money Taken

from the i've-still-got-my-identity dept

Last month, we posted an amusing discussion (and comedy act) concerning whether or not "identify theft" was really a crime, or if it was really a bank robbery where the bank was passing off the liability for its poor authentication system onto the bank customer. Apparently, just such an argument is already playing out in the courts. Steven Hoy alerts us to a story of a couple who are suing their bank, after someone masquerading as them accessed their account and transferred $26,000 to Austria. The details of the case are a bit complex, but basically, the couple claims that the bank did not live up to basic standards in authentication, and cite the Federal Financial Institutions Examination Council's claim that notes that "single-factor authentication is inadequate and calls on banks to implement two-factor systems." Thus, the argument goes, the fault was the bank's security, and thus, the bank should be liable. The judge found that to be convincing:

"In light of Citizens' apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs' account against fraudulent access.... If this duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers' online accounts."

Chalk one up for those who believe "identity theft" is actually a "bank robbery."

37 Comments | Leave a Comment..

US Gov't Briefing For All Employees: All Music Downloads Are Stolen, Risky

from the accuracy-not-so-important dept

A bunch of folks have sent over a post on Slashdot detailing how a mandatory US gov't briefing on "information security" uses incredibly hyperbolic and inaccurate information, including the idea that all music downloads are theft and insecure. You can see the (flash-heavy) video briefing. The actual part with the music downloads is pretty far into the presentation (you can jump forward through the chapters), when it hits an interactive bit where you get to go through "real-life scenarios" of "threats." In the bottom left corner, there's a scenario involving a colleague who says he's found a "cool site" from which you can "download music" and asks you how do you respond:

The choices?

1. I'd rather download the music from home -- email me the link
2. Is it safe to download?
3. Since we're on our lunch hour, I see no harm. Here's my thumb drive!
4. That's stealing.

Choices one and three seem obviously wrong, but choice two actually does seem like the most relevant. After all, the "cool site" in question could be any number of "cool sites" that offer up legal free music, like Jamendo or CCMixter. But what happens if you select the second choice and ask if it's safe to download? You're told no, that's wrong: And then are scolded, saying that it's illegal and prohibited, followed up by another lecture about how not only is it illegal and prohibited, but unethical and "may result in criminal" liability. Someone should tell the folks at that cool Jamendo site.

Now, to be fair, it's rather obvious that the briefing is designed to keep gov't employees from using file sharing programs and potentially exposing confidential gov't documents via file sharing. And that's reasonable. But why not be accurate and honest about it? Lying about it makes no sense.

83 Comments | Leave a Comment..

Time For IT Guys To Unshackle Corporate Computers

from the can't-do-that dept

This one ought to infuriate some of the IT folks, but Farhad Manjoo, over at Slate, is making the case for why corporate IT folks should give up trying to control everyone's computers. He says it's silly for them to dictate which apps you can and cannot use, what websites you can and cannot visit and what mobile devices you can and cannot use. He argues that doing so only restricts employees from actually doing useful and innovative stuff and also can make employees significantly less productive.

The response from IT folks will always be about the cost of maintaining all of this -- noting (perhaps correctly) that any time there are any problems, people will call up IT folks who will have to try to service all sorts of things, rather than having a standard list. And, of course, they'll say that users are often dumb, and prone to doing things that put computers and networks at risk. Thus, locking stuff down isn't only cost effective, but it's prudent to protect the company.

In the end, though, if that prevents important work from getting done (or done quickly), that seems like a problem. In the past, we've pointed out study after study after study suggesting that those who are actually allowed to do personal surfing at work are happier and more productive. Manjoo makes that point as well, mentioning recent studies that have shown the same thing and suggesting that companies that trust their workers on these sorts of things tend to get much more out of those employees.

125 Comments | Leave a Comment..

Did People Think No One Would Recognize REAL ID If Introduced Under Another Name?

from the pass-id,-indeed dept

Last year, it became clear that REAL ID was dead on arrival as pretty much everyone was against it, and states were refusing to implement it. With the changing of the administration, it seemed like REAL ID was finally going to die completely... but apparently not just yet. EFF alerts folks to the fact that the same concept has basically been reintroduced under the name PASS ID, as if that would trick people:

The plan sounds equally as bad and unnecessary:

Proponents seem to be blind to the systemic impotence of such an identification card scheme. Individuals originally motivated to obtain and use fake IDs will instead use fake identity documents to procure "real" drivers' licenses. PASS ID creates new risks -- it calls for the scanning and storage of copies of applicants' identity documents (birth certificates, visas, etc.). These documents will be stored in databases that will become leaky honeypots of sensitive personal data, prime targets for malicious identity thieves or otherwise accessible by individuals authorized to obtain documents from the database. Despite some alterations to the scheme, PASS ID is still bad for privacy in many of the same ways the REAL ID was.

But why let that stop the gov't from coming up with more ways to keep tabs on you?

10 Comments | Leave a Comment..

Is It ID Theft Or Was The Bank Robbed?

from the which-one-seems-more-accurate dept

Via Clay Shirky, comes a very good point from Kevin Marks concerning claims of "identity theft," where he notes that identity theft is not actually an identity being stolen but is usually a bank/credit card company being robbed and passing off the blame for their own poor security on the victim. He point to a brilliant comedy routine by Mitchell and Webb that makes this all pretty clear:

"They took all the money? That sounds more like a bank robbery."
"No, no. If only. 'Cause we could take the hit. No, no. It was actually your identity that was stolen, primarily. It's a massive pisser for you."
"But, it's actually money that's been taken..."
"Yes"
"From you?"
"Kind of."
"I don't know what you want from me other than my commiserations."
"You see it was your identity. They said they were you!"
"And you believed them?"
"Yes, they stole your identity."
"Well, I don't know. I seem to still have my identity, whereas you seem to have lost several thousands of pounds. In light of that, I'm not sure why you think it was my identity that was stolen instead of your money."

The problem isn't "identity theft." It's bad security and verification processes by a financial institution.

31 Comments | Leave a Comment..

Reveal Poor Web Security... Have RSA Threaten You With Trademark Infringement

from the not-cool dept

Scott Jarkoff recently discovered a problem with the Navy Federal Credit Union website, in that it allows users to login from an unsecured webpage. That's the type of stuff that we thought pretty much all banks had figured out ages ago. However, what's fascinating is what happened after that. Scott received an angry email from RSA, the well-known security company, who apparently built the NFCU website, claiming trademark infringement and demanding that he take down the post. RSA was upset with the implication that the site was insecure, but rather than either fixing the problem or explaining why the site is actually safe (which they insist), they threaten Scott with a trademark claim because he has a small screenshot of the NFCU website. Doesn't that make you feel secure? Since when is RSA in the business of sweeping security concerns under the rug by threatening those who point out problems with a trademark infringement claim?

28 Comments | Leave a Comment..

Register A Complaint With The Indian Gov't; Have Your Private Info Revealed

from the um...-I-think-I've-got-a-complaint... dept

I think some folks in India may have multiple complaints with the government. That's because it's been revealed that the service that handles online complaints for the gov't just happens to be revealing all the private data of people who complain, including their passwords in plaintext. Apparently, when you looked at your own profile, you could see all of your own data (plus password) and then as you hit refresh you'd see others -- which you could edit if you wanted to. Not exactly a particularly secure system...

17 Comments | Leave a Comment..

A Look At The DMCA's Chilling Effects On Security Research

from the sad dept

Michael Scott points us to a column over at BetaNews recounting many of the examples of how the DMCA has created a chilling effect on security research. The column talks about the importance of hacking and tinkering, and then reminds us of all those stories we've heard: Ed Felten (threatened for both his research into DRM and e-voting), Alex Haldeman's DRM research. Seth Finklestein on censorware. Dmitry Sklyarov spending months in jail for discovering a security flaw. Eric Corley for daring to publish the basic DeCSS code in a magazine. Most of these stories you should already be familiar with, but it seems that the massive chilling effects of the DMCA on security research haven't been discussed in a while -- and it's certainly worth putting some of these famed cases together in one spot to remind people that the problems with the DMCA remain and are doing great damage to our security -- at exactly the time when the government claims we need to improve our cybersecurity.

27 Comments | Leave a Comment..

China Says Its Okay For Users To Delete Its New Censorware

from the wasn't-expecting-that dept

Well, this is certainly something of a surprise. Earlier this month, China required new censorware be installed on all computers sold there. Of course, this upset a bunch of people and also raised serious security concerns. Still, we didn't expect the Chinese gov't to back down. However, a variety of lawsuits and public protests in China has resulted in at least some backing down by the government. The gov't is now saying that while the software will come installed on all new PCs, there's no requirement that it be used. Of course, it's not at all clear how easy it is to disable the software. The software is apparently uninstallable (or so the makers claim), but this new statement from the government makes it clear that there shouldn't be sanctions against those who do go through with the uninstall.

9 Comments | Leave a Comment..

China's New Censorware Software Has Serious Security Flaws

from the is-that-a-surprise? dept

This probably doesn't come as much of a surprise to anyone, but China's new mandated censorware that is required to be installed on all new PCs sold in the country has serious security flaws that put users' computers (and their data) at risk. Of course, censorware/spyware type software almost always does that -- and, it seems likely that the Chinese government isn't all that concerned about the privacy of citizens and their computer usage. Still, the bigger fear is that the security flaws can (and will) be used to basically hijack all those computers and turn them into a botnet. That should certainly be a bigger concern, especially given the Chinese governments' insistence that it wants to crackdown on the widespread use of Chinese servers for spamming operations anyway.

11 Comments | Leave a Comment..

Security Pros Cheating During Audits?

from the oops dept

We were just discussing if a security auditor should be liable for giving a company a passing grade if there's later a security breach. Considering that it's pretty much impossible to be perfectly secure, and there were always some things that could go wrong, it seemed like a bad idea to hold auditors liable, except in situations where there was obvious fraud or gross negligence. And now, there's evidence that security professionals may try to trick auditors, raising even more questions about why auditors should be liable. Michael Scott points us to the news that a recent survey of security pros found that 20% admit to having cheated or knowing others who cheated in order to pass a security audit. Now, the phrasing can be misleading -- by saying that "they did or they know someone who did" it could (in theory) just be one guy who cheated... who happens to know a lot of other security professionals. So, it would certainly require a bit more research to determine how widespread the cheating is. It's also not clear how many times the cheating occurred. If it's every audit, that's one thing. If it just happened once and the issue was fixed, that's quite different. Still, it's more evidence that you can't just blame the auditors -- especially when the security pros at the company may not be completely truthful in providing info to the auditors.

5 Comments | Leave a Comment..

Is A Security Auditor Liable If There's A Security Breach?

from the we-may-find-out... dept

Wired is discussing the suddenly relevant legal question of whether or not a security auditor should be held liable if it claims a company's data is secure, and then there's a data leak. The specific lawsuit in the spotlight right now involves Savvis -- who had audited the security of CardSystems' computer systems and determined that the company "had implemented sufficient security solutions and operated in a manner consistent with industry best practices." As you may remember, CardSystems was later found to have had a massive breach of credit card data (for a while, until recently surpassed, it was considered the largest ever credit card data breach). So Savvis is now being sued for claiming that CardSystems' systems were secure. This is certainly a tough one. Obviously, it's no good if security auditors are simply rubberstamping things -- but it's impossible to be fully confident that a system is secure, and there can always be a leak somewhere. So holding auditors liable for any such leak could make it prohibitive to even be an auditor -- with the end result being fewer auditors, and potentially less actual security. But... at the same time, you certainly want there to be some incentive for the auditors to take their job seriously. It seems like in the absence of clear negligence on the part of the auditor, that it's a bit extreme to put any liability on the auditor.

25 Comments | Leave a Comment..

How The Lock Industry Put Its Head In The Sand, Rather Than Deal With Vulnerabilities To Locks

from the bump,-bump-away dept

We've discussed in the past how locksmiths are apparently upset that geeks online have revealed that lockpicking is really easy, but it's not just the locksmiths. It's the lock makers themselves. Wired has a fascinating article about one of the world's most well known lock picker, who makes it a practice to publicly expose how vulnerable certain locks are. Not so long ago, he and a colleague figured out how to quickly open Medeco locks, which many had considered to be the most secure locks of all -- and are used all over the world in gov't high security buildings. So how has Medeco responded? Basically by trying to ignore the guy... then to insult him and then to discount what he clearly has done. It's just like software companies who try to deny software vulnerabilities, except that it's much easier to patch some software that to patch a vulnerable lock. While many in the lock world are apparently pissed off at this guy, Marc Weber Tobias, they should be happy that he's making sure the locks are really secure. Because, you can pretty much be assured that he's not the only one doing all of this -- but the others who are figuring it out aren't talking about it, but are using the knowledge to their own advantage.

43 Comments | Leave a Comment..