Hacker Warns Starbucks of Security Flaw, Gets Accused of Fraud
Andy Smith writes: Here's another company that just doesn't get security research. White hat hacker Egor Homakov found a security flaw in Starbucks gift cards which allowed people to steal money from the company. He reported the flaw to Starbucks, but rather than thank him, the company accused him of fraud and said he had been acting maliciously.
No good deed goes unpunished (Score:5, Funny)
Re:No good deed goes unpunished (Score:5, Insightful)
No free lunches anymore
Re: (Score:1)
In the old days, he'd have posted it in 2600 and we'd ALL've got some free coffee.
No free lunches anymore :[
Weird, I had a dream last night I was buying a 2600 from a bookstore. It's been a long time since I've bought one though. Long time since I bought any magazine actually.
Re:No good deed goes unpunished (Score:4, Informative)
In the old days, he'd have posted it in 2600 and we'd ALL've got some free coffee.
No free lunches anymore :[
Weird, I had a dream last night I was buying a 2600 from a bookstore. It's been a long time since I've bought one though. Long time since I bought any magazine actually.
I work in a bookstore and we still sell 2600 regularly.
Re: (Score:1)
Do they sell 2600 on Amazon? I have these visions of adverts recommending 2600 to me popping up all over the web as I browse.
Re: (Score:2)
It would take less time to search Amazon for 2600 magazine than it would to ask someone on the internet if you can buy it on Amazon.
*Sigh* ;)
Pot, kettle...
I never did read 2600, but here's real info to break up the potential for a recursive stove-fest. The answer to whether Amazon sells it is "yes" with a "but" [amazon.com].
TL;DR: All I see are Kindle editions (makes sense, but why don't they also carry the print edition another poster already confirmed has survived our turbulent digital-prone times?). Anything paperback there is just some "best of" compilation.
Re: (Score:1)
Wow! I was in a bookstore once... Small world
Re:No good deed goes unpunished (Score:5, Insightful)
The sad thing is that publishing the vulnerability anonymously, in 2600 or on one of the disclosure mailing lists, is now the responsible thing to do. Not great for the company involved, but it protects the researcher and it protects the user in some cases.
At this point I'd only even consider warning the company before anonymously publishing the vulnerability if they had a bug bounty programme. Not because I want money, but because it's the only way to be sure they will actually be thankful and not call the cops right away.
Re: (Score:2, Interesting)
In the new days, he posts to Security and 5000 bored coders implement his hack for the hell of it.
They start with $100 gift cards and double their money.
Starbucks is out half a million dollars on the first day. The second day it's 5x that.
Since it's a Saturday, this goes on until Monday, 11am Pacific time. Emergency meetings are held but the hole can't be plugged overnight.
Total loss to the company is about $5 million by Wednesday afternoon.
Re: No good deed goes unpunished (Score:1)
Lost it @ "the hole can't be plugged overnight"
Re: (Score:1)
Indeed. The moral of the story here is SECRECY. In our post-9/11 America with its Patriot Act and militarized police, the best strategy for the individual citizen is to keep to himself and mind his own business. If it cannot benefit or help you, don't do it, and never ever have anything to do with the police or government officials; it will only come to grief for you and your family.
Re: (Score:1)
Hell, you're practically a terrorist these days if you do.
Have you read the description that the US government gives for people it considers terrorists? In short, everyone that isn't part of the elite is a terrorist. There's nothing you can do to change it, either, as that would just make you a super-terrorist trying to undermine the elite.
Re: (Score:2)
No, he'd be far worse off drinking that low grade swill.
Re: (Score:2)
He would have been better off helping himself to free "coffee" until the wankers fixed their system.
There, fixed. Starbucks don't do real coffee.
Re: (Score:2)
You stole too little (Score:5, Insightful)
Re: (Score:3, Insightful)
Everyone knows that you get a negative reaction for stealing a small amount. Steal a couple million and you'll be respected.
Not just stealing. As Eddie Izzard [wikipedia.org] pointed out in his standup performance Dress to Kill [wikipedia.org]:
You know, we think if somebody kills someone, that's murder, you go to prison. You kill 10 people, you go to Texas, they hit you with a brick, that's what they do. 20 people, you go to a hospital, they look through a small window at you forever. And over that, we can't deal with it, you know?
Someone's killed 100,000 people. We're almost going, "Well done! You killed 100,000 people? You must get up very early in the morning. I can't even get down the gym! Your diary must look odd: 'Get up in the morning, death, death, death, death, death, death, death - lunch - death, death, death - afternoon tea - death, death, death - quick shower.'"
Starschmucks (Score:2)
Re: (Score:1)
Buckstar.
Does anybody even go there? Do they have a clown and a burglar as mascots yet?
Re: (Score:2)
I hear that and every time I try it, I get some sour shit (though I still look and taste). Now, I like sour: hot or sweet and sour, a squeeze of lemon in tap water, a tablespoon of apple cider or balsamic vinegar between the main course and dessert (or cheese) - when the salad is wrongly served at the start rather than the end; in coffee?, that's just evil. Coffee must be bitter (and black).
Cold Brew FTW (Score:2)
The stuff comes out like motor oil--thicker than espresso. You store in the fridge, mix a shot of it with water and nuke it whenever you want a cup. Incredibly convenient, and in my experience it really cuts down on
Re: (Score:2)
Interesting stuff, but I still struggle with putting in the correct amount of water when I prepare Kool-Aid, so cold brewing Arabica beans ain't happening anytime soon. In the meantime I'll keep buying my coffee at Starbucks.
Re: (Score:2)
It's kinda cheaply made (mine cracked after 3 or 4 years), but it's extremely handy. You tilt the bottle around until the top section has as much as you'd like (there are measuring lines), then unscrew the lid on the top section and pour out exactly that amount into the cup. At first it's slightly more cumbersome than using
My email to press@starbucks.com (Score:5, Insightful)
"Egor Homakov did you a favor, I think you owe him a thank you, and an apology for your response to his discovery of a security flaw in your system.
This will be your only hope if another security flaw is found, and the discoverer of the flaw now ponders between letting Starbucks know (less likely after your response to Egor Homakov), not letting anyone know (which leaves the security flaw available for anyone to use), or letting the wrong people know about this flaw!
I feel like I am explaining something to a child. You are a corporation, act like one!"
Re: (Score:2)
Re: (Score:2)
If he has any sense, yes he does.
Not all of them, but he should be reading some. Otherwise he's letting other people control his company.
Re:My email to press@starbucks.com (Score:5, Informative)
It's probably hit with a spam filter before it even reaches him.
In the email servers I administrate, we whitelist known addresses and segregate others for approval. Generally the higher-ups will assign this approval process to their secretaries. However, in the chance that 100 emails come in saying the same things, this usually trips the spam filter and goes into a folder that is generally automatically deleted unless someone flags it as not spam first. This is why form letters and such are not really noticed until someone sends a PR release stating over so many have been sent. Then they look at their spam filter logs and realize 200k people are pissed at them.
Re:My email to press@starbucks.com (Score:5, Insightful)
For most of my life I've worked freelance so I haven't had much experience of the corporate world. But I recently worked for a small newspaper company (approx 400 employees) for a year and it was an eye-opening experience. It amazes me how anything ever gets done in these blind, ignorant, slow-moving organisations.
I'll give you one example. The company's web filter had an issue with our own web sites, which prevented us from reading them. When I asked IT about it they knew what the problem was, but they couldn't authorise the fix and they suggested I raise the issue with my manager. But my manager was unapproachable -- asking for something to be done was the best way to make sure it didn't get done. It took over a YEAR for a small newspaper company to fix an IT issue that prevented staff from reading their own newspapers' web sites.
I dread to think what life must be like in big corporations. I don't want to ever experience it.
Re: (Score:2)
If you read Dilbert, then you will find Wally is a master at this skill. Of course, he uses his abilities as a way to be lazy; it needn't always be used for nefarious purposes.
Re: (Score:2)
Re: (Score:3)
The Dilbert® effect.
One time at band camp ...
No, wait.
One time at my review, the manager said, "The users love you, but your methods don't conform to corporate standards."
Re: (Score:2)
But my manager was unapproachable -- asking for something to be done was the best way to make sure it didn't get done.
One has to wonder how you got hired in the first place.
Re: (Score:2)
And the fact that he immediately paid it back is irrelevant? It's like somebody "waltzing onto your yacht" and taking a fistful of diamonds, then handing them back to you and saying that you ought to secure your valuables better.
Re: My email to press@starbucks.com (Score:2)
What do we call "taking something you didn't pay for" again? I know there's a word for it, but I forget...
There are several. Depending on context it could be called 'public property', 'marketing material', 'free samples', 'your birthday' or even 'copyright infringement'.
I find it odd that you only seem to know one name for it and apparently assume that all other variations are that name being euphemised. Doubly ironic when you realise that the name you're thinking of actually isn't what that is calle
Re: My email to press@starbucks.com (Score:2)
I make all my coffee decisions based on the company's IT department. Glad to meet someone else who feels the same.
Re: (Score:3)
So docent this make starbucks liable
And the award for Worst Spellchecker of 2015 goes to...
come on now! (Score:1)
The man's name is Egor! I've seen movies about this. You shouldn't get on his bad side.
Just sayin'.
Re:come on now! (Score:5, Funny)
It's pronounced "eye-gor."
The usual (Score:1)
He should have posted instructions via a proxy to different places.
So that everyone would get free coffee and Starbucks would get the message and act way faster.
What would they do then? Sue all their customers?
disclosure (Score:5, Interesting)
In any other situation, just post the exploit kit anonymously and make a bowl of popcorn.
How many times (Score:2)
and people still don't learn? If you find something like this, keep your mouth shut. No good will come from you bringing it to their attention.
#RaceConditionTogether (Score:5, Funny)
Security wall of shame (Score:5, Interesting)
Looks like we need a security wall of shame that lists the response to flaw disclosures of each organisation, so people can quickly determine which companies will fix a flaw upon receiving a report, and which companies are hostile and should not be contacted.
Re: (Score:2)
I think people on here are having a difficult time differentiating between two actions that have taken place here: 1) security research that discovered a hole and 2) unauthorized abuse of that hole to prove a point and demonstrate the severity of the flaw.
Starbucks is hostile to the second, not the first. If he'd stopped at discovering the flaw and bringing it to their attention, I doubt they'd be hostile.
If you parked your car and someone noticed the door was unlocked and the keys were in the ignition and
No lessons learned 15 years after the Humpich case (Score:2)
When responsible reporting is deterred to uphold an illusion of flawlessness and corporate infallibility, blackhats are the only ones who benefit.
I Detect Spin. (Score:3)
As there is no transcript of the phone call we have no idea what was actually said. It could have been something along the lines of "We try to guard against fraud and malicious behavior" or "continuing to do this could be considered fraud or malicious behavior". There is no proof the reporter was ever accused of either of those. Being accused makes a better story though.
Re: (Score:2)
I enjoyed the movie, "100 Defamations."
Nothing to worry about (Score:2)
They probably wrote something like Eager Homacake on the accusation anyway.
Gift cards suck (Score:3)
Why would anyone use those? There's no discount. A $25 gift card just entitles you to spend $25 worth of whatever that company has to sell. What's the point? To show someone that you know that they like coffee, so instead of giving them $25 you give them a $25 Starbucks gift card? It's not really more thoughtful than giving cash yet it's far less convenient for everyone involved. And why would you even refill those for yourself? Because you don't trust yourself with your own money?
And a Starbucks gift card is not like those gas credit cards, the last resort of degenerate gamblers, junkies and broke-ass idiots who offer you to fill up your car using their card in exchange for $20 cash. At least those are convenient if you happen to stop for gas at the right place and the right time.
Fuck gift cards.
Debit card service fee avoidance (Score:2)
Why would anyone use those? There's no discount.
Sometimes there is a discount. The local blood plasma collection center pays donors for their time on a debit card. The bank that issues this debit card charges a service fee for cash withdrawals at another bank's ATM, for bank account transfers smaller than $300, and for inactivity after so many days. So when I didn't feel like donating anymore for a while, to get my $190 balance out without having to pay a service fee, I used the debit card to buy $190 of gift cards at businesses I already frequent.
Re: (Score:2)
Why would anyone use those? There's no discount.
Incorrect.
Using a Starbucks card counts towards a free drink or food item after 12 uses.
There is no minimum amount on what counts, as long as it is a drink or food item, and there is no max on what you can redeem it for, again as long as it is a drink or food item.
I have used this to great success by getting a $1.50 brew coffee, put in my own mug (-$0.10), and free refills while using their WiFi for a few hours.
Every 2 weeks, I would get a free treat, a 5-6 shot "candy coffee" with whipped cream, caramel, etc.
Most stupid people are also assholes (Score:1)
And extremely short-sighted.
Just an observation from real life experience...
Pride and Arrogance SUCK! (Score:2)
Re: (Score:1)
When a BIG CO is confronted with a security flaw by someone outside the CO, they react in anger first, then fear, then they turn on the person/persons who confronted them. When you distill all the emotional cruft, it's that their pride was hurt. Never mind someone did "their" homework for them. They want to "save face". It makes them angry that YOU did something they should have done. No sharing of information for the common good, with arrogant pricks. :)
PS Starbuck$ is overpriced sludge anyway. Micky Dee's is better. :)
Starbucks (Score:1)
Re:Israeli genocide? (Score:3, Funny)
Re: (Score:3)
Starbucks is a nasty company. Its CEO Howard Schultz is a fanatical Zionist; if you patronize Starbucks, you're supporting Israeli genocide.
Being a publicly traded company, the financial information is available, so go ahead and show on their financials where they are sending money to support Israeli genocide.
Re: Ziobucks (Score:1)
Schultz sure made a point of distancing Starbucks from Israel.
He's clearly more concerned with raking in as much cash for Starbucks than supporting Israel using Starbucks, which is appropriate for his role and entirely ethical.
Besides, the Aroma (spelled phonetically in Hebrew) coffee chain in Israel is quite a bit better than Starbucks on quality, price, and customer service.
Do you even know what genocide means? (Score:1)