Ethical Hackers Donate 1,000,000 Air Miles To Charity (offensi.com) 81
An anonymous reader writes:Certified ethical hackers at Offensi.com identified a bug allowing remote code execution on one of United Airlines' sites, and submitted their findings to the airline's "bug bounty" program. After a fix was placed into production, their team was awarded 1,000,000 Mileage Plus air miles, which they say was accompanied by an email informing them that the IRS would consider their award as $20,000 of taxable income. "If after evaluating the taxable amount you choose not to accept your award, you are also able to donate your award to charity," the e-mail explained. The hackers ultimately chose to distribute their air miles among three charities -- the Ronald McDonald house, the Muscular Dystrophy Association, and the Casa de Esperanza de los Ninos Organization.
Another security researcher complained in November that United failed to close a serious vulnerability he'd identified for almost six months.
Another security researcher complained in November that United failed to close a serious vulnerability he'd identified for almost six months.
Re:What's wrong with that? (Score:4, Insightful)
Re: (Score:2)
That doesn't mean we've eliminated barter. We just standardized its measurement with fungible certificates.
Re: (Score:2)
Re: (Score:2)
And then we wrote laws to close the loopholes which allowed people to get tax free compensation from their employer.
Except for health care, pensions, and vacation time. If there were no tax benefits, how many people would want their employer to choose their doctor?
Re: (Score:2)
Except for health care, pensions, and vacation time.
IIRC, the value of my health insurance (not health care -- my employer is not a hospital or doctor so I don't get my health care from them) was a line item somewhere on my taxes. I didn't bother checking what it did.
But for pension -- I haven't gotten that money yet, and I will be taxed on it when I do. It's not "tax free compensation". And the wages I am paid while on vacation are taxed at the same rate as wages while I am not. There is no "tax free compensation" there.
The closest that vacation is tax-fr
Re:What's wrong with that? (Score:5, Interesting)
I thought we invented money to fix the problems with barter?
Actually, not really. This is a myth made up by economists (well, specifically Adam Smith, though it ultimately goes back to Aristotle). Anthropologists have disputed this with exhaustive surveys for at least a century. It's really only economics textbooks that keep telling this fairy tale.
Money emerged in most societies as tokens to deal with pre-existing systems of credit. There's no historical evidence that barter in the classic sense (e.g., "I'll give you ten chickens for those two goats!" "Nah, but if you throw in twelve chickens and that nice basket, I'll take it!") has been a predominant form of exchange within a human society. It relies on a myth that people in primitive cultures would stockpile goods they didn't really need, ready to trade when a buyer arrived... but that sort of thing doesn't tend to happen in primitive societies. It also tends to depend on this weird idea that two people would always have exactly what others wanted -- e.g., "I'll give you bread for meat," but what if you don't need bread? So then you need a third or fourth or fifth party in this transaction until everybody gets something they want.
By the time you get people able to stockpile goods, you usually have a pretty elaborate system of credit going. Money then emerges as a way of denominating that credit. (Societies not advanced enough to have stockpiled goods generally just depend on gift transactions with elaborate notions of levels of indebtedness or rely on leaders to divvy up goods and resolve disputes, rather than requiring bartering for goods.)
Anthropologists have usually observed barter mainly in unusual transactions taking place BETWEEN societies, e.g., with a neighboring tribe you may not have much contact with and therefore can't trust within your usually systems of indebtedness. Barter sometimes also emerges on a limited scale in more advanced societies (who are used to money) when currency becomes scarce, though generally an alternative currency emerges and/or credit and debt-recording systems actually take over pretty quickly for most transactions.
Whether money emerged as a way of standardizing private debt transactions or as a leader/government-imposed way of regulating debt instruments is probably dependent on the society... but there's really no evidence that a full-fledged "barter economy" ever existed. (If you think I'm making all this up, there are plenty of articles and books out there -- mostly not written by economists, but by historians or anthropologists -- about this. A recent article in the Atlantic [theatlantic.com] is perhaps one place to start. One reason this probably hasn't caught on among economists is that it challenges fundamental notions of capitalism, which rely on the idea that "free markets" will work correctly because we're all just "bartering" in the end, with currency as a medium of exchange... and like these mythical bartering transactions, monetary imbalances should ultimately level out to fair "markets" without intervention. If currency instead emerges as a debt standardization instrument, sometimes related to government intervention or regulation, that's a vastly different story to the beginning of economics.)
Re: (Score:2)
Re: (Score:1)
Well hell! Then so is the discount you got on those new tennies. If you pay less than MSRP, then you must declare it and pay the tax, right? Sorry, we can't have people skimming from everything we do.
Re: (Score:2)
So they could have donated x air-miles to the IRS as payment in kind?
Otherwise, it's just a scam.
Gov't discouraging white-hat behavior (Score:4, Insightful)
the IRS would consider their award as $20,000 of taxable income
Yet another reason to sell exploits on the black market instead of disclosing them responsibly.
Re: (Score:2)
the IRS would consider their award as $20,000 of taxable income
Yet another reason to sell exploits on the black market instead of disclosing them responsibly.
Or the scumbags at United could pay them in actual money.
Re: (Score:2)
Or the scumbags at United could pay them in actual money.
Money is taxable. Also, FF miles can be exchanged for money (which is why they are taxable).
Re: (Score:3, Insightful)
You can pay the tax on money with part of the money.
You can't pay the tax on miles with miles.
Re: (Score:1)
I suspect that, by the time they would have converted the miles to dollars, their net profit was negligible. Can anyone point us to the exchange rate for United miles to USD (specifically, how much you can sell a million miles for)?
Re: (Score:2)
I suspect that, by the time they would have converted the miles to dollars, their net profit was negligible.
And had they actually used the miles, their profit would be negative. United has some very high co-pays for award travel. So much so that it is almost cheaper to just buy an economy ticket in the first place.
Re: (Score:2)
Why not complete the chain of logic and decide that people asking you to pay for stuff is yet another reason for you to just steal what you want instead?
Re: (Score:2)
The real bitch is the airline not actually paying in cash, but something they consider a cash equivalent.
Re: (Score:2)
Is Offensi.com a US entity? Because if they are foreign, the IRS doesn't get diddly. If they are Irish, tax (10%) only applies to income earned in Ireland.
Time to move your corporate 'home' overseas.
Re: (Score:1)
Not just white hat behavior, of course. Any mutually-beneficial exchange.
Well, any _documented_ mutually-beneficial exchange. Not a problem, if you operate in the underground, er, "undocumented", economy.
Unless you get caught not forking over a piece of the action. Then it can be a big problem.
Re: (Score:2)
I'm not familiar with United's specific program, but others I've seen would have United take the expense, then the hackers receive the $20,000 taxable income and immediately donate it to charity, allowing them to record a $20,000 deduction from their taxable income.
Re: (Score:2)
Limitations on Deductions
In general, contributions to charitable organizations may be deducted up to 50 percent of adjusted gross income computed without regard to net operating loss carrybacks. Contributions to certain private foundations, veterans organizations, fraternal societies, and cemetery organizations are limited to 30 percent adjusted gross income (computed without regard to net operating loss carrybacks), however. Exempt Organizations Select Check uses deductibility status codes to indicate these limitations.
Re: (Score:2)
Normally, yes - The tax rules around charitable donations provide exactly zero incentive to donate earned money to charity - By doing so, you've effectively given yourself a pay-cut, and nothing more.
In the case of something you won, by donating it directly to charity, you still get to keep the tax deduction. So basically, the current arrangement involves Offensi getting to "keep" roughly a quarter of that award in the form of deducti
Re: (Score:2)
I don't know about the American system but under the Canadian system the additional system the extra income would be taxed at whatever marginal rate your income bracket is, which gets higher as your income goes up. Charitable donations get a credit (or deduction - I'm not a tax accountant) equal to a fixed percentage of the donations no matter what your income is. I think it's about 15%. So unless you have almost no income to begin with taking the income and claiming the charitable deduction would still ha
Re: (Score:2)
Does United get the tax deduction for donating the miles, or do the hackers?
United can deduct the miles as a business expense once they are used, but only their actual costs of delivering the service, not the cash value of the miles. The hackers can deduct the charitable donation, but only if they also declare the receipt of the miles as income, so they would just cancel out. If the final recipients of the miles are 503c's, then they can use the miles tax-free as long as they use them for charitable purposes.
So the only net cost to the taxpayers would be United deducting the cost
taxable income for limited miles? (Score:2)
taxable income for limited miles?
Re: (Score:1)
Yes, if you get "10% off at Pennys", the IRS agent at the door will collect a tax on the money you saved.
Re: (Score:2)
How exactly does that compute? I mean they weren't getting a 10% discount on all future tickets, they were getting the equivalent to a cash card or a car. This is not to mention that there is usually a dollar threshold before the IRS actively cares about winnings being reported by people other than yourself.
If you must compare it to something other than work and compensation for the work, compare it to game show or casino winnings.
Re: (Score:1)
Facetious
Sorry, sometimes the magic works, sometimes it doesn't. Whatever, we are letting the IRS run out of control. And really, they can tax what they want, but they should have to do the paperwork, put the 'Service' back into the name.
what happens if the IRS says bug boueny are w2? (Score:2)
what happens if the IRS says bug boueny people are w2 employees?
United did disclose it... (Score:2)
The problem was the Flight that had the information was delayed to the point that it missed it's connecting flight so It's stuck somewhere wandering around the Denver Airport.
United has the WORST scheduling ever. they always try and schedule flights way too close together to ensure that any delays will result in missed flights.
Re: (Score:3)
United has the WORST scheduling ever. they always try and schedule flights way too close together to ensure that any delays will result in missed flights.
United doesn't schedule your connections, you schedule your connections (or your travel agent / website does on your behalf). Yes, United has many issues, and they have many delayed flights (along with the other airlines), but if you purchase trips with tight connections and don't expect to occasionally miss one, it is your own fault.
Re: (Score:2)
United doesn't schedule your connections, you schedule your connections (or your travel agent / website does on your behalf).
However, their website does offer flights with connections that are ridiculously short, usually as the cheapest or cheaper options. That may be a natural result of trying to help optimize YOUR travel time (shortest layovers are usually shortest trips overall), but I don't believe it is a conspiracy to try to get you to miss flights. Why would they do that? It costs them money. If they run out of standbys for the flight you missed, they have an empty seat. If they have to reimburse you, they lose money.
But
Re: (Score:2)
Why are ethical/white hat hackers not part of the solution? In what way are they prolonging problems?
They're not the ones inventing problems or creating them, they're just finding them and telling companies about them.
If someone points out that a bridge is going to collapse soon because he can clearly see fractured concrete and half-torn steel beams, will you call him a terrorist when the bridge falls down?
Re: (Score:3)
No, it is his house not him himself.
Actually, air miles are traded for lots of things other than travel. But that aside, the Ronald McDonald house likely could actually use the air miles for travel as it exists to help families be closer to children sent to hospitals far away for life saving medical treatments. This is so mom doesn't have to drive 4 hours a day to see little Sallie going through chemo treatment then drive another 4 hours back home only to get a few hours sleep and do it again or end up spen
Re: (Score:2, Insightful)
I really hate McDonald's from their anti smoking campaigns to the anti gun bullshit but this house charity is probably the only thing that allows me to patronize their restaurants.
- Hates anti-smoking campaigns
- Hates "anti-gun bullshit"
- Patronizes McDonalds' "restaurants"
This is the most subtly redneck trash comment I've ever seen on Slashdot. Well done!
Interesting valuation (Score:2)
Income and prizes (sweepstakes) have always been taxed, even if the prize is merchandise. So I don't see why this would be any differe
Re: (Score:2)
Usually, just donating the prize to charity is the simplest way to avoid it becoming a tax windfall for the government. The charity gets the full value of the donation, and you get a tax deduction for that value (even though you never actually received the value of the prize - another flaw in our tax code).
You only get a deduction to offset the income you had from the receipt of the prize. You don't end up any better off than if you'd never won the prize in the first place.
One million airline miles (Score:2)
That's enough for a business class upgrade!
Re: (Score:2)
Re: (Score:2)
Fake Currency as taxable income? (Score:3)
Re: (Score:2)
If the IRS didn't tax high dollar gifts then savvy people would legally avoid taxes by structuring income as gifts. In lieu of $40k income or bonus, an employer gives employee a $40k car and reduces their taxable income by $40k. Instead of $200/mo going to groceries, here's a $200 grocery store gift card. Etc, etc.
And this airline miles gift is effectively income in the same way a cash prize from a bug bounty program is income.
Now it may well be inconvenient to receive high-dollar gifts that are also tax
Welcome to consulting (Score:2)
Every dollar you receive is taxed. And you have to pay estimated taxes every quarter. And then you gotta pay the self-employment tax. [hrblock.com]
It makes me much more keenly aware of the difference between pre-tax dollars and post-tax dollars. When I have to pay say, 100 dollars for something, I know how much I have to make in order to net 100 dollars, after tax.
There is at least one exception (of which I'm aware, I'm sure there are more): house flipping. The first 250K (500K if married) of profit is tax free (exclu [irs.gov]
Re: (Score:2)
Re: (Score:2)
—Arthur N. Prior, Logic And The Basis Of Ethics
Re: (Score:1)
This brings new meaning to the phrase, "And by Prior Logic, ..."