Microsoft Tries To Silence Revelation Of Bing Cashback Flaws; Leads To Revelation Of Other Problems
from the touchy-microsoft dept
I'd been meaning to write this up for about a week, but finally got it around to it, just in time to add some additional info. First up, though, comes the news that Microsoft's legal department demanded a blogger remove a blog post about flaws in Bing's Cashback offer (Microsoft's attempt to bribe users to search via Bing instead of Google). One of the methods for the cashback offer involved pixel tracking, and blogger Samir Meghani noted that this was easily gamed to post fake transactions to your account. He also noted problems with the way Microsoft used sequential IDs, allowing potential scammers to "deny cashback rebates to legitimate users by using up available order ID numbers." Instead of dealing with these flaws, Microsoft lawyers sent a cease-and-desist and forced the blog post offline. I'm actually quite surprised this hasn't received a lot more attention.In the legal nastygram, Microsoft's lawyers claimed that because Meghani had tested the flaws out himself, he was likely guilty of violating "various laws relating to computer intrusion, unauthorized access and unauthorized use of information," while suggesting that his actions could result in criminal charges. That's ridiculous, of course. He didn't actually scam the company -- he was just exposing a flaw. This is legal bullying to silence someone for pointing out a rather basic security flaw in Microsoft's program.
But, of course, even though Meghani was silenced on that issue, it doesn't mean he has to be silent on all of the flaws in Bing's Cashback program, so his latest (found via Slashdot) is that various retailers that offer "cashback" via Bing purchases are showing higher prices if you search via Bing. In fact, the price people can pay if they do certain searches on Bing is higher than if they'd gone direct:
So, if I go directly to butterflyphoto.com, I pay $699 with 0% cashback. If I use Bing Cashback, I pay $758 with 2% cashback, or $742.84. Using Bing cashback has actually cost me $43.84, giving an effective cashback rate of -6.27%. Yes, negative cashback! Is this legal? False advertising? I don't know, but it's pretty sketchy.Microsoft responded and called this "an isolated instance" that it had missed with its tools that try to prevent merchants from gaming the system this way. Still, perhaps rather than sending out legal nastygrams and PR pablum to people discussing these things, Microsoft should focus on actually making sure that Bing's Cashback bribery program actually works correctly and safely.
The problem doesn't end there. Using Bing has tainted my web browser. Butterfly Photo set a three month cookie on my computer to indicate that I came from Bing. Any product I look at for the next three months may show a different price than I'd get by going there directly. Just clicking a Bing link means three months of potentially negative cashback, without me ever realizing it. I'm actually afraid to use their service even just to write this, because it may cost me money in the future. If you've been thinking about trying out Bing Cashback, you may want to rethink that.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: bing, bribes, cashback, cease and desist, flaws, security
Companies: microsoft
Reader Comments
Subscribe: RSS
View by: Time | Thread
"Microsoft Lawyers..."
Please, guys, don't you know that they only do these things to win coolness points with their kids?
http://www.law.com/jsp/cc/PubArticleCC.jsp?id=1202435771956&Vroom_Vroom_Microsofts_Hard _Driving_Lawyer_Makes_Some_Noise
[ link to this | view in chronology ]
Why fix it when you can extinguish the news about it?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Really, Microsoft?
Now I kinda feel like a chump.
[ link to this | view in chronology ]
Re: Really, Microsoft?
Microsoft,
Can I have all my personal information back for discounts not rendered?
[ link to this | view in chronology ]
Similar to Best Buy
When will people realize this does more harm than good?
[ link to this | view in chronology ]
Everything I needed to know, I learned from the Songsmith video
...God, that's really never going to stop being funny.
[ link to this | view in chronology ]
To microwsoft
[ link to this | view in chronology ]
What else is new ...
Man if they did this everytime someone found a flaw in something Microsoft has coded they would top RIAA in legal filings.
[ link to this | view in chronology ]
Sad thing is..
Tech: This guy found a bug and I would like to talk to him so we can get it fixed.
Supervisor: This guy was checking out our website and may have found a loophole
Manager: A computer blogger is messing with our website and is trying to cheat us.
Exec: A hacker is trying to break our system and ruin our profits
Lawyer: I "$chaching$" will "$chaching$" get "$chaching$" right "$chaching$" on "$chaching$" that. "$chaching$" "$chaching$" "$chaching$"
[ link to this | view in chronology ]
This is Microsoft and what you do not realize is that the program is working correctly. Microsoft collects monopoly rent money; the customer gets screwed.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
lol@interval
I don't think anyone in my family uses Bing, but if they do, I bet they'll stop after they read my email about this. ;)
[ link to this | view in chronology ]
I have not seem his original blog, but based upon the contents of the letter from Microsoft's cousel it does appear as if it was the dissemination of information over the net that raised concerns.
[ link to this | view in chronology ]
Re: Legality
> of information over the net that raised concerns.
They can have raised concerns all they want. The fact that they have concerns does not translate to a legal obligation on my part to abide by those concerns.
[ link to this | view in chronology ]
Re:
If MS hadn't been such bullies and actually solved the problem, they wouldn't have had the black eye, that they have now.
I, for one, will shun the Bing search service like the plague.
[ link to this | view in chronology ]
Microsoft Tries To Silence Revelation Of Bing Cashback Flaws; Leads To Revelation Of Other Problems
Microsoft is back to their old ways but now while Bill's boys slice you up in the ally they have Murdock sucker punching you first.
I'm removing all cookies and not using IE or Bing anymore.
[ link to this | view in chronology ]
Ridiculous, of course.
Apparently you're not very familiar with basic law in information security. The laws are very real, and very enforceable.
There's a very real reason that legitimate Penetration Testers, or other Ethical Hackers know that the first step before they even consider *looking* for flaws is to have a written contract, often referred to as their "get out of jail free card", giving them express permission to look for vulnerabilities, bugs, etc. Even looking for such things, when you are not expressly given permission to, can be found in violation of several different computer related crimes.
I realize you love to spout how you're not a reporter, and you just give your opinions. I realize I probably can't influence your opinions, but wouldn't you feel better if your opinions were of the 'informed' nature?
Did you take the 30 seconds to read the "nastygram"? I personally felt it was very kindly worded and written, given that it does in fact contain legal information. You may think it's "ridiculous", seeing as how your knowledge of information security laws seems to be lacking, but weren't you just Curious to find out what he was being accused of? Your post seems to imply something to the effect of "there's no way he broke any laws, they're just trying to bully him", but you're just oh-so-wrong.
The "nastygram" very directly and kindly explained the legal position against his actions, and essentially said "if you take it down, we won't press it". Pretty nice, given how severe the charges can actually be. Unauthorized access to data can be a pretty significant crime. Especially when tied in to his "gaming" of a system for monetary return. (Hint: It's called Fraud.)
The letter also clearly spells out the laws which he may be tried on. Since you're not a reporter, and you don't know laws of this nature, you probably didn't bother to read the actual legislation clearly cited in the "nastygram":
(c)(1) Knowingly accesses and without permission alters, damages,deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.
...
(d) (1) Any person who violates any of the provisions of paragraph (1), (2), (4), or (5) of subdivision (c) is punishable by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment in the state prison for 16 months, or two or three years, or by both that fine and imprisonment, or by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment.
And there's much more than that, as computer crimes like this are very good area for "double dipping" several charges for the same crime. I just don't feel like doing any more research for you.
http://en.wikipedia.org/wiki/Ignorantia_juris_non_excusat
Write opinions as much as you want. That's fine. But you sure do write a lot of opinions about things you know nothing about.
[ link to this | view in chronology ]
Re: Ridiculous, of course.
"..in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.".
This person did none of these things.
Just a thought.
[ link to this | view in chronology ]
Re: Re: Ridiculous, of course.
I very much like this site, and it does a good job of presenting and discussing info.
(Sorry if this is the wrong place to put this :P)
Regards,
Ilia
[ link to this | view in chronology ]
Re: Ridiculous, of course.
Do you know how much people listen to "Anonymous Coward" posts here? Do you really think you are making any grand points, even if you are right, when you refuse to identify yourself?
Until you, and others like you, are willing to be known, I will, quite frankly, think of you as nothing more then a dimwitted twit, who has Issues with Identification Envy; much like the Microsoft Laywer that wants to be "COOL" to his son, instead of his "Parent".
[ link to this | view in chronology ]
Re: Re: Ridiculous, of course.
I am sorry if you feel that the credibility of one's thoughts or the facts they describe is directly related to their name. I don't know you Bob, but I can assure you that knowing your name does not make me any more likely to believe a word that you say, than to read some other "annonymous coward"'s thoughts. In fact, I find that when it comes to comments on one of the millions of blogs on the internet, the message is much more important than the name.
Do you really think you are making any grand points, even if you are right, when you refuse to identify yourself?
Yes, I believe there are people out there who are able to read a post for its content, and not be blinded by the fact that they don't know who wrote it. If you feel that having "Bob Bunderfeld" next to your post is any more identifying than "Annonymous Coward" is next to mine or lends your thoughts any more credibility, you are mistaken. Are you really "Bob Bunderfeld"? And who is "Bob Bunderfeld"? I know neither of these answers, nor is either one relevant to the discussion at hand. I can read your post for your message and take it for what it's worth. On the other hand, you're too arrogant to consider someone else's view even if they are right, as you say.
Until you, and others like you, are willing to be known, I will, quite frankly, think of you as nothing more then a dimwitted twit, who has Issues with Identification Envy;
The internet must be a difficult place for you. There is an awful lot of wonderful information annonymously scattered throughout the internet, blog comments included. If you open yourself to the thoughts and ideas of other posters, isntead of blindly focusing solely on their screen name, you may find yourself in a much bigger and more exciting world.
Unless, of course, you get off on the superiority you feel by attempting to bash someone who put time and thought into a comment, just because they didn't include their name. A name which, in all likelihood, is just as irrelevant and unimportant as your own.
[ link to this | view in chronology ]
Re: Ridiculous, of course.
Sounds like Bing's being used to, "A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data." the website in question is using Bing data to deceive and defraud customers, therefor both Bing and Microsoft are a party to the fraud that is being perpetuated on Bing users (yet another reason to avoid MicroSoft products).
[ link to this | view in chronology ]
Re: Re: Ridiculous, of course.
Bing isn't selling a product at a higher cost, butterflyphoto.com is. Although the computer crime statutes wouldn't seem to apply here, the guilty party would be Butterflyphoto.com and not Bing/Microsoft. One could look into false advertising on behalf of Butterflyphoto.com, or perhaps some other laws for deceptive practices.
It's important to note that Bing isn't adjusting prices here, but rather Butterflyphoto.com is logging the fact that you were referred from Bing, and they charge a higher price as a result.I don't know enough about it to factfully ensure that Bing/MS has zero part in this, but on the surface is seems that the finger is pointed at the wrong party.
[ link to this | view in chronology ]
Re: Ridiculous, of course.
[ link to this | view in chronology ]
Re: Re: Ridiculous, of course.
You might claim "Streisand Effect!!" as is popular on this site, and has *some* merit, but the reality is that it does make security sense for Microsoft to have the details taken offline as they attempt to 'fix' the potential exploits.
[ link to this | view in chronology ]
Re: Re: Re: Ridiculous, of course.
[ link to this | view in chronology ]
Re: Re: Re: Re: Ridiculous, of course.
While it's true to say that you can not guarantee that content is gone from all hands forever, you cannot deny that said content is much more difficult, if not impossible, to find.
Please test this by linking us to the location of all of these details. It probably isn't impossible to find a source, but it is certainly more difficult than if the original page stayed up.
While those who are truly determined to find more information on this exploit may be able to do so, the overall exposure of the details is lessened, and thus less likely to be exploited. Much like locks to the front door to your house or your car, it's not about global protection, it's about "keeping honest people honest". Fewer people are likely to attempt the exploit when it's harder to find, than if you throw it in people's faces and tempt people who otherwise wouldn't have even considered it.
Either way, your sarcasm was totally cool and you'll probably get laid now.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Ridiculous, of course.
Again, go learn about the internet please.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Ridiculous, of course.
[ link to this | view in chronology ]
Re: Ridiculous, of course.
Actually pretty familiar, but thanks for your concern.
There's a very real reason that legitimate Penetration Testers, or other Ethical Hackers know that the first step before they even consider *looking* for flaws is to have a written contract, often referred to as their "get out of jail free card", giving them express permission to look for vulnerabilities, bugs, etc. Even looking for such things, when you are not expressly given permission to, can be found in violation of several different computer related crimes.
Heh. Tons of security research is done without such contracts, because most good security researchers know quite well that companies won't agree to such deals (or agree to them with all sorts of annoying caveats). Doesn't mean you can't still explore security holes.
Security through obscurity may seem like a good idea to you, but it just means that hackers have the info and the company does not.
Did you take the 30 seconds to read the "nastygram"?
More than that, actually.
I personally felt it was very kindly worded and written, given that it does in fact contain legal information.
I don't consider a letter on legal stationary listing out all sorts of criminal things you may be charged with as "kindly worded." I'm surprised you do, but perhaps we have different upbringings.
The "nastygram" very directly and kindly explained the legal position against his actions, and essentially said "if you take it down, we won't press it". Pretty nice, given how severe the charges can actually be.
You have a funny definition of kindly.
(c)(1) Knowingly accesses and without permission alters, damages,deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.
The blogger in question did none of the above. Details. Details.
[ link to this | view in chronology ]
Re: Re: Ridiculous, of course.
Sure thing.
Heh. Tons of security research is done without such contracts, because most good security researchers know quite well that companies won't agree to such deals (or agree to them with all sorts of annoying caveats). Doesn't mean you can't still explore security holes.
Security through obscurity may seem like a good idea to you, but it just means that hackers have the info and the company does not.
Interesting attempt at a weak logical straw man, Mike. I was under the impression that the original point was about the legality, and not about my personal opinions on security. I put effort into the original post because, coincidentally, I'm in Information Security for a living. If you really want to talk security, I'd be glad to have an intelligent discussion on the topic. I'm guessing, from your weak attempt to spout a security101 keyword as if it made you sound informed, or that it somehow affected the law of the matter, that you don't wish to have such a discussion.
Ignoring the fact that you wish to use plenty of very subjective, and unsubstantiated terms ("tons" of research, "good" researchers), and seem only focused on attempting to make it sound like you know what you're talking about, and that Annonymous Coward here knows nothing, there is a very real problem with saying that it "[d]oesn't mean you can't still explore security holes."
You see, the initial topic was law. And the law can essentially be boiled down to something to the effect of "if it's not yours, don't touch it". "Good" security researchers do this, and in practice you'll find that "tons" of security research is done in controlled environments by professionals who know they need to cover their asses or jeopardize their career. So, you can in fact explore security holes, but to imply that it's legal to do so without permission, or that the "good" security researchers work undercover for nothing but fun, is an incredible claim. People with no knowledge in the field may be lead to believe you, which is what scares me most.
As they say, "don't try this at home." As the initial point was, it is in fact illegal.
More than that, actually.
Alright then.
I don't consider a letter on legal stationary listing out all sorts of criminal things you may be charged with as "kindly worded." I'm surprised you do, but perhaps we have different upbringings.
Yes, it is a legal letter. But the wording and personality of the letter are very professional, and worded as kindly as a legal letter can be worded. You might notice that the letter does not issue demands, it offers requests. The letter does not threaten, it states its legal position, why it feels this way, and where the recipient can look if they're interested in self-assessing the claims given. The letter expresses the views of the company presenting it, but does not attempt to be the ultimate authority on the matter, and invites the recipient to challenge them if they feel so inclined.
The letter is indeed intended to get the user to remove the content. If that is what you find "nasty" about it, then I respectfully disagree with you. It is my opinion that the letter carries a very professional, mature, and polite nature to it, while still maintaining its ability to represent a legal matter. I know I certainly have seen much more rude and disrespectful letters, and I naturally assumed that you had too. If you find this "nasty", then you're entitled to that opinion. I feel this letter is not.
You have a funny definition of kindly.
As stated above, I feel this is certainly one of the more polite and professional letters one could hope to receive on a legal matter. Your mileage may vary.
The blogger in question did none of the above. Details. Details.
It is difficult for me to continue in a manor that is reasonably professional, without resorting to the same sort of sarcastic, insulting nature that you attempt to deal with my response. I fully understand you get your fair share of internet trolls, and may have grown cold to the genuine responses you may receive that disagree with you. However, at this point in your response, I have to reiterate my original point that you just do not seem to know what you're talking about. I'm not sure if it's because you really don't understand law, even though it concerns 80% of your posts, or if it's just a general quickness to publish articles that you don't have the opportunity to understand the subject matter before typing. I just don't know which it is. However, I hate how many people will read your BS and not know the truth, potentially coming to believe the same things you say because they read it on an internet blog. This is why I felt the need to post in the first place, and am wasting the beginning of my Thanksgiving vacation responding to someone who likely doesn't care what I have to say. My hope is, however, someone else will be able to read it and think about the matter before blindly trusting the things you say.
You claim the blogger did not break the law. This is absolutely not true. Security people know it, the blogger knows it, Microsoft knows it, and if it were to go to court the Judge/Jury would know it. Mike, however, doesn't. Hopefully your readers will know it too.
The article that you supposedly read very clearly describes how Mr. Meghani not only found the security flaws, but exploited them to result in $2080.06 in his Bing account, from at least 3 separate fake orders. Not only did he fraudulantly exploit this system for personal gain, he published this method for others to examine and exploit. It would be very difficult to convince someone that this was done "to help Microsoft and make them aware of the problem". Those type of vulnerabilities are taken directly to the company, and often not known about until they've been fixed. You may call this "security through obscurity" all you want, it's truly the only respectable and professional way to deal with such vulnerabilities.
I will again post the first section of the quoted law, so you can put this into context:
(c)(1) Knowingly accesses and without permission alters, damages,deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.
If you still do not see how Mr. Meghani knowingly, without permission, used any data, computer computer system, or network in order to devise or execute a scheme for fraid, or wrongfully controlled or obtained money or data, then I'm afraid it's time to take your RSS off my page and never look back. I come here for something to do to take mini-breaks at work, but when you're this far off base with a topic I know much better than you, then I'm afraid to read your opinions on things I know less about, for fear that you're just as wrong and I won't know it.
I don't feel there's a court in the world that wouldn't find Mr. Meghani guilty of the violating the cited law. A law which, as I said earlier, is just one of *many* that they could pursue and win on. He very clearly exploited a system without permission to steal money. The fact is, his motives do not matter. Maybe he was trying to help. But he broke a very real, very serious set of laws, published it so others could more easily commit fraud, and then acted surprised that a lawyer got in touch with him.
And when you know how serious the law is, and how easily he could be prosecuted for the accused crimes, the letter seems much more polite than you seem to realize ;)
Either way, I'm done. Have a Happy Thanksgiving.
[ link to this | view in chronology ]
Re: Re: Re: Ridiculous, of course.
I'm sorry, what? First you have to PROVE that he did what you suggest he did. Pointing out a security flaw to a company is a pretty stupid way of covering up an actual illegality. I'm sorry you're such a troll, and obviously can't see both sides of an argument, but perhaps it's better that you aren't going to come back. The fact is that this /is/ a 'nastygram' since it uses legal bullying to pull down information that they should use /themselves/ to fix their problems. Instead, they just come off looking the fool, and have further alienated a lot of people. Good job! That's so very /NICE/! And professional to boot!
[ link to this | view in chronology ]
Re: Re: Re: Ridiculous, of course.
Oh, and I'm an information security professional too and found Mike's assessment to be pretty spot on.
So there.
[ link to this | view in chronology ]
Microsoft's Latest Screw up
Microsoft, like Murdoch and the entertainment industry and so much Old School America, is always looking for a way to leech every last penny from the populace.
Google looks for ways to be helpful and makes money as a by product. This is so revolutionary that I doubt The Borg and Mr. Burns will ever be able to understand why they are becoming slowly irrelevant.
[ link to this | view in chronology ]
Dear retailers
If you want my business, please stop making buying so difficult. It takes me too much time to figure out if buying from you is worth it. I’ve been abused by you many times. I don’t like it. Therefore, I’ve stopped all my impulse purchases and I buy only from people I trust. If you want me to spend money with you, please consider my requests below:
Please
1) Sell things for the price advertised. Don’t add hidden fees or make it necessary to buy something else.
2) Stop baiting me with a deal you won’t deliver and switching me to something I will regret later.
3) Stop lying about your prices. Advertise one price. You’re now making it necessary for me to cross check prices using different coupon codes, price search engines, clearing my cache and cookies, etc. I just don’t trust you.
4) Remove that tiny hidden check box so you don’t hand my credit card information to one of your “partners”, which then enrolls me in some automatic monthly subscription I don’t want. If I want an added service from your “partner” let me go to them myself and let me decide if I want to give them my credit card info.
5) If you sell me a warranty, please respect the contract and make good on your promise, or stop up selling me stuff I can’t effectively use anyway.
6) Don’t ask me to auto debit my credit card or bank account for a subscription.
7) Stop up selling me at checkout. If I’m interested in extras, I’ll buy them on my own. I don’t like wasting time figuring out what button is the one that takes me to the end without adding that extra item I don’t want or need.
8) Tell me the truth about your service, if it’s unlimited, then don’t limit me after the fact and say I am being unreasonable. Simply explain there is a maximum amount of service I can use and tell me what it is.
9) Don’t give me a store credit that expires or has a fee. Either give me my money back or let me exchange my product. If I give you money it’s not yours until I get what I paid for.
10) Tell me the truth about your product or service in English I can understand. I know you want to make it sound better than it is so I will buy it, but why make me regret my purchase after I find out I was made a fool?
11) Stop making me feel like I’m at fault if something goes wrong. Simply fix the problem and make me glad I did business with you.
12) Stop invading my privacy and then making money by selling my browsing/buying habits. That’s my data. If you want it, perhaps I will agree to sell it to you.
[ link to this | view in chronology ]
Bing where News Corp goes to die.
[ link to this | view in chronology ]
Re: Bing where News Corp goes to die.
WSJ is the only paper that increased circulation last quarter, and remains profitable. I'm quite concerned that Rupert is willing to entrust a third party over its own people.
I suggest Rupert re-read the Findings of Fact in USA vs Microsoft Antitrust case to be up-to-date on some tactics used by IBM, Netscape, Apple, Sun and others.
I think the strategy was called "Embrace, Extend, Extinguish".
[ link to this | view in chronology ]
Points programs charge more
Here in Canada, AirMiles.com offers points towards flights for buying things off their site. But they cost more; an Apple iPod is $24 more on AirMiles than at Apple.ca.
The extra $24 goes towards paying for the "free" points.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Perhaps if Bing was truly relevant, there would be more coverage, since more people would care.
[ link to this | view in chronology ]
wow
reminds me of elections ...
[ link to this | view in chronology ]
derelict
[ link to this | view in chronology ]
Buyer beware
[ link to this | view in chronology ]
[ link to this | view in chronology ]