Microsoft Tries To Silence Revelation Of Bing Cashback Flaws; Leads To Revelation Of Other Problems

from the touchy-microsoft dept

I'd been meaning to write this up for about a week, but finally got around to it, just in time to add some additional info. First up, though, comes the news that Microsoft's legal department demanded a blogger remove a blog post about flaws in Bing's Cashback offer (Microsoft's attempt to bribe users to search via Bing instead of Google). One of the methods for the cashback offer involved pixel tracking, and blogger Samir Meghani noted that this was easily gamed to post fake transactions to your account. He also noted problems with the way Microsoft used sequential IDs, allowing potential scammers to "deny cashback rebates to legitimate users by using up available order ID numbers." Instead of dealing with these flaws, Microsoft lawyers sent a cease-and-desist and forced the blog post offline. I'm actually quite surprised this hasn't received a lot more attention.
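To make the two flaws above concrete from the defender's side, here is an added toy model of a cashback-tracking endpoint. It is not code from this post, from Meghani's write-up, or from Microsoft; the merchant name, the shared secret, the request dictionaries and the amounts are all constructed. The naive handler credits whatever the tracking pixel's query string claims, so any client can post a transaction and a sequential order number can be pre-consumed so the real order is later refused as a duplicate. The hardened handler only credits a confirmation that carries a merchant-side HMAC over an unguessable order ID, and it rejects replays and tampered amounts.

```python
"""Constructed example: a cashback ledger fed by (a) a trusted tracking pixel and
(b) a merchant-signed confirmation. Names, secrets and requests are made up."""

import hashlib
import hmac
import secrets

# Constructed per-merchant shared secret; in a real deployment this is
# provisioned out of band and never reaches the shopper's browser.
MERCHANT_SECRETS = {"butterflyphoto": b"constructed-merchant-secret"}


def new_order_id():
    """Unguessable order ID: cannot be enumerated or used up ahead of time."""
    return secrets.token_urlsafe(16)


def sign_confirmation(secret, merchant, user, order_id, amount):
    """HMAC-SHA256 over the fields the ledger will act on, amount canonicalised."""
    msg = "|".join([merchant, user, order_id, f"{float(amount):.2f}"]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def merchant_confirmation(merchant, user, order_id, amount):
    """What the merchant's own server (not the shopper) posts to the cashback service."""
    sig = sign_confirmation(MERCHANT_SECRETS[merchant], merchant, user, order_id, amount)
    return {"merchant": merchant, "user": user, "order_id": order_id,
            "amount": f"{float(amount):.2f}", "sig": sig}


class CashbackLedger:
    """Server-side record of transactions credited to users."""

    def __init__(self):
        self.credited = {}       # user -> list of (merchant, order_id, amount)
        self.seen_orders = set()  # (merchant, order_id) already credited

    def _credit(self, params):
        key = (params["merchant"], params["order_id"])
        if key in self.seen_orders:   # duplicate order: refuse
            return False
        self.seen_orders.add(key)
        self.credited.setdefault(params["user"], []).append(
            (params["merchant"], params["order_id"], float(params["amount"])))
        return True

    def record_naive(self, params):
        """Vulnerable: trusts the pixel hit. Anyone who can issue the GET can
        invent an order, and with sequential IDs a stranger can submit order
        1001 first so the legitimate order 1001 is later rejected."""
        return self._credit(params)

    def record_signed(self, params):
        """Hardened: accept only a confirmation the merchant could have signed."""
        secret = MERCHANT_SECRETS.get(params.get("merchant"))
        if secret is None:
            return False
        try:
            expected = sign_confirmation(secret, params["merchant"], params["user"],
                                         params["order_id"], params["amount"])
        except (KeyError, ValueError):
            return False
        sig = str(params.get("sig", ""))
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return False
        return self._credit(params)


if __name__ == "__main__":
    ledger = CashbackLedger()
    pixel_hit = {"merchant": "butterflyphoto", "user": "mallory",
                 "order_id": "1001", "amount": "500.00"}  # constructed
    print("naive accepts unsigned pixel hit:", ledger.record_naive(pixel_hit))
    print("signed rejects it:", ledger.record_signed(pixel_hit))
    conf = merchant_confirmation("butterflyphoto", "alice", new_order_id(), 758.0)
    print("signed accepts merchant confirmation:", ledger.record_signed(conf))
    print("signed rejects replay:", ledger.record_signed(conf))
```

The design point is that cashback should be credited from a channel the shopper's browser cannot forge (the merchant's server) and keyed by an ID nobody can predict; a tracking pixel is fine for analytics but not as the source of truth for money.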

In the legal nastygram, Microsoft's lawyers claimed that because Meghani had tested the flaws out himself, he was likely guilty of violating "various laws relating to computer intrusion, unauthorized access and unauthorized use of information," while suggesting that his actions could result in criminal charges. That's ridiculous, of course. He didn't actually scam the company -- he was just exposing a flaw. This is legal bullying to silence someone for pointing out a rather basic security flaw in Microsoft's program.

But, of course, even though Meghani was silenced on that issue, it doesn't mean he has to be silent on all of the flaws in Bing's Cashback program, so his latest (found via Slashdot) is that various retailers that offer "cashback" via Bing purchases are showing higher prices if you search via Bing. In fact, the price people can pay if they do certain searches on Bing is higher than if they'd gone direct:
So, if I go directly to butterflyphoto.com, I pay $699 with 0% cashback. If I use Bing Cashback, I pay $758 with 2% cashback, or $742.84. Using Bing cashback has actually cost me $43.84, giving an effective cashback rate of -6.27%. Yes, negative cashback! Is this legal? False advertising? I don't know, but it's pretty sketchy.

The problem doesn't end there. Using Bing has tainted my web browser. Butterfly Photo set a three month cookie on my computer to indicate that I came from Bing. Any product I look at for the next three months may show a different price than I'd get by going there directly. Just clicking a Bing link means three months of potentially negative cashback, without me ever realizing it. I'm actually afraid to use their service even just to write this, because it may cost me money in the future. If you've been thinking about trying out Bing Cashback, you may want to rethink that.
Microsoft responded and called this "an isolated instance" that it had missed with its tools that try to prevent merchants from gaming the system this way. Still, perhaps rather than sending out legal nastygrams and PR pablum to people discussing these things, Microsoft should focus on actually making sure that Bing's Cashback bribery program actually works correctly and safely.


Filed Under: bing, bribes, cashback, cease and desist, flaws, security
Companies: microsoft


Reader Comments



  1. Anonymous Coward, 24 Nov 2009 @ 9:44am

    "Microsoft Lawyers..."

    Microsoft's legal department demanded a blogger remove a blog post about flaws in Bing's Cashback offer. But no one is thinking of those poor Microsoft Lawyers.

    Please, guys, don't you know that they only do these things to win coolness points with their kids?

    http://www.law.com/jsp/cc/PubArticleCC.jsp?id=1202435771956&Vroom_Vroom_Microsofts_Hard_Driving_Lawyer_Makes_Some_Noise


  2. senshikaze (profile), 24 Nov 2009 @ 9:52am

    And then we find out why people like me refuse to buy their products.

    Why fix it when you can extinguish the news about it?


  3. Anonymous Coward, 24 Nov 2009 @ 10:02am

    Really, Microsoft?

    I thought Bing was supposed to save me money by buying my loyalty.

    Now I kinda feel like a chump.


  4. Kazi, 24 Nov 2009 @ 10:05am

    Re:

    He should be sued for violating Tesla's copyrighted vehicle sounds. We must report him.


  5. John Doe, 24 Nov 2009 @ 10:07am

    Similar to Best Buy

    Seems like they are getting caught with the "double website" trick Best Buy pulled several years back. Go in the store and see a higher price, tell them it was cheaper on the web, they pull up the website and it isn't cheaper. Only problem was, they saw different prices from the in-store website than the external facing site.

    When will people realize this does more harm than good?


  6. Andrew T, 24 Nov 2009 @ 10:08am

    Re: Really, Microsoft?

    That's rich- I also paid for my own discount!

    Microsoft,
    Can I have all my personal information back for discounts not rendered?


  7. Anonymous Coward, 24 Nov 2009 @ 10:18am

    Everything I needed to know, I learned from the Songsmith video

    "Microsoft, huh? So it must be pretty easy to use?"

    ...God, that's really never going to stop being funny.


  8. James, 24 Nov 2009 @ 10:19am

    To microwsoft

    Epic fail


  9. Hephaestus (profile), 24 Nov 2009 @ 10:33am

    What else is new ...

    "This is legal bullying to silence someone for pointing out a rather basic security flaw in Microsoft's program."

    Man, if they did this every time someone found a flaw in something Microsoft has coded, they would top the RIAA in legal filings.


  10. drkkgt, 24 Nov 2009 @ 10:40am

    Sad thing is..

    this probably was started by some tech at microsoft that read it and actually wanted to help.

    Tech: This guy found a bug and I would like to talk to him so we can get it fixed.

    Supervisor: This guy was checking out our website and may have found a loophole

    Manager: A computer blogger is messing with our website and is trying to cheat us.

    Exec: A hacker is trying to break our system and ruin our profits

    Lawyer: I "$chaching$" will "$chaching$" get "$chaching$" right "$chaching$" on "$chaching$" that. "$chaching$" "$chaching$" "$chaching$"


  11. Anonymous Coward, 24 Nov 2009 @ 10:46am

    "Microsoft should focus on actually making sure that Bing's Cashback bribery program actually works correctly and safely."

    This is Microsoft and what you do not realize is that the program is working correctly. Microsoft collects monopoly rent money; the customer gets screwed.


  12. interval, 24 Nov 2009 @ 10:49am

    Typical. Blame the poor monopoly. When will you people realize that what's good for Microsoft is good for the World.


  13. Skout (profile), 24 Nov 2009 @ 11:10am

    lol@interval

    Too funny.

    I don't think anyone in my family uses Bing, but if they do, I bet they'll stop after they read my email about this. ;)


  14. Anonymous Coward, 24 Nov 2009 @ 11:24am

    Perhaps next time the individual should try first contacting Microsoft and letting it know about any problems he may have discovered.

    I have not seen his original blog, but based upon the contents of the letter from Microsoft's counsel it does appear as if it was the dissemination of information over the net that raised concerns.


  15. tg7160 (profile), 24 Nov 2009 @ 11:40am

    Microsoft Tries To Silence Revelation Of Bing Cashback Flaws; Leads To Revelation Of Other Problems

    Bada Bing Bada Bang !!!

    Microsoft is back to their old ways, but now while Bill's boys slice you up in the alley they have Murdoch sucker punching you first.

    I'm removing all cookies and not using IE or Bing anymore.


  16. Anonymous Coward, 24 Nov 2009 @ 11:53am

    Ridiculous, of course.

    "In the legal nastygram, Microsoft's lawyers claimed that because Meghani had tested the flaws out himself, he was likely guilty of violating "various laws relating to computer intrusion, unauthorized access and unauthorized use of information," while suggesting that his actions could result in criminal charges. That's ridiculous, of course. He didn't actually scam the company -- he was just exposing a flaw. This is legal bullying to silence someone for pointing out a rather basic security flaw in Microsoft's program."

    Apparently you're not very familiar with basic law in information security. The laws are very real, and very enforceable.

    There's a very real reason that legitimate Penetration Testers, or other Ethical Hackers know that the first step before they even consider *looking* for flaws is to have a written contract, often referred to as their "get out of jail free card", giving them express permission to look for vulnerabilities, bugs, etc. Even looking for such things, when you are not expressly given permission to, can be found in violation of several different computer related crimes.

    I realize you love to spout how you're not a reporter, and you just give your opinions. I realize I probably can't influence your opinions, but wouldn't you feel better if your opinions were of the 'informed' nature?

    Did you take the 30 seconds to read the "nastygram"? I personally felt it was very kindly worded and written, given that it does in fact contain legal information. You may think it's "ridiculous", seeing as how your knowledge of information security laws seems to be lacking, but weren't you just Curious to find out what he was being accused of? Your post seems to imply something to the effect of "there's no way he broke any laws, they're just trying to bully him", but you're just oh-so-wrong.

    The "nastygram" very directly and kindly explained the legal position against his actions, and essentially said "if you take it down, we won't press it". Pretty nice, given how severe the charges can actually be. Unauthorized access to data can be a pretty significant crime. Especially when tied in to his "gaming" of a system for monetary return. (Hint: It's called Fraud.)


    The letter also clearly spells out the laws which he may be tried on. Since you're not a reporter, and you don't know laws of this nature, you probably didn't bother to read the actual legislation clearly cited in the "nastygram":

    (c)(1) Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.
    ...
    (d) (1) Any person who violates any of the provisions of paragraph (1), (2), (4), or (5) of subdivision (c) is punishable by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment in the state prison for 16 months, or two or three years, or by both that fine and imprisonment, or by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment.


    And there's much more than that, as computer crimes like this are a very good area for "double dipping" several charges for the same crime. I just don't feel like doing any more research for you.

    http://en.wikipedia.org/wiki/Ignorantia_juris_non_excusat



    Write opinions as much as you want. That's fine. But you sure do write a lot of opinions about things you know nothing about.


  17. Patty, 24 Nov 2009 @ 12:04pm

    Microsoft's Latest Screw up

    I was talking about the difference between Microsoft and Google with a friend this morning re the Murdoch deal.

    Microsoft, like Murdoch and the entertainment industry and so much Old School America, is always looking for a way to leech every last penny from the populace.

    Google looks for ways to be helpful and makes money as a by product. This is so revolutionary that I doubt The Borg and Mr. Burns will ever be able to understand why they are becoming slowly irrelevant.


  18. Ilia, 24 Nov 2009 @ 12:07pm

    Re: Ridiculous, of course.

    I may not be a law student....
    "..in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.".

    This person did none of these things.
    Just a thought.


  19. Bob Bunderfeld (profile), 24 Nov 2009 @ 12:17pm

    Re: Ridiculous, of course.

    Why is it that everyone that wants to prove someone wrong here, they refuse to identify themselves?

    Do you know how much people listen to "Anonymous Coward" posts here? Do you really think you are making any grand points, even if you are right, when you refuse to identify yourself?

    Until you, and others like you, are willing to be known, I will, quite frankly, think of you as nothing more than a dimwitted twit, who has Issues with Identification Envy; much like the Microsoft Lawyer that wants to be "COOL" to his son, instead of his "Parent".


  20. anymouse (profile), 24 Nov 2009 @ 12:18pm

    Re: Ridiculous, of course.

    So shouldn't Microsoft and Bing be sued under the same laws?

    Sounds like Bing's being used to "(A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data." The website in question is using Bing data to deceive and defraud customers, therefore both Bing and Microsoft are a party to the fraud that is being perpetuated on Bing users (yet another reason to avoid MicroSoft products).


  21. Anonymous Coward, 24 Nov 2009 @ 12:18pm

    Re: Ridiculous, of course.

    And all of your rambling still doesn't change the fact that responding to someone pointing out critical flaws in your product with lawyers isn't a smart idea.


  22. Mike Masnick (profile), 24 Nov 2009 @ 12:33pm

    Re: Ridiculous, of course.

    Apparently you're not very familiar with basic law in information security. The laws are very real, and very enforceable.

    Actually pretty familiar, but thanks for your concern.

    There's a very real reason that legitimate Penetration Testers, or other Ethical Hackers know that the first step before they even consider *looking* for flaws is to have a written contract, often referred to as their "get out of jail free card", giving them express permission to look for vulnerabilities, bugs, etc. Even looking for such things, when you are not expressly given permission to, can be found in violation of several different computer related crimes.

    Heh. Tons of security research is done without such contracts, because most good security researchers know quite well that companies won't agree to such deals (or agree to them with all sorts of annoying caveats). Doesn't mean you can't still explore security holes.

    Security through obscurity may seem like a good idea to you, but it just means that hackers have the info and the company does not.

    Did you take the 30 seconds to read the "nastygram"?

    More than that, actually.

    I personally felt it was very kindly worded and written, given that it does in fact contain legal information.

    I don't consider a letter on legal stationery listing out all sorts of criminal things you may be charged with as "kindly worded." I'm surprised you do, but perhaps we have different upbringings.

    The "nastygram" very directly and kindly explained the legal position against his actions, and essentially said "if you take it down, we won't press it". Pretty nice, given how severe the charges can actually be.

    You have a funny definition of kindly.

    (c)(1) Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.

    The blogger in question did none of the above. Details. Details.


  23. btr1701 (profile), 24 Nov 2009 @ 12:35pm

    Re: Legality

    > it does appear as if it was the dissemination
    > of information over the net that raised concerns.

    They can have raised concerns all they want. The fact that they have concerns does not translate to a legal obligation on my part to abide by those concerns.


  24. ilia (profile), 24 Nov 2009 @ 12:44pm

    Re: Re: Ridiculous, of course.

    Hi all, just created this account :)

    I very much like this site, and it does a good job of presenting and discussing info.

    (Sorry if this is the wrong place to put this :P)

    Regards,
    Ilia


  25. MadJo (profile), 24 Nov 2009 @ 1:29pm

    Re:

    I take it you are not a fan of full disclosure... I am, and I think it should be everyone's duty to report on flaws such as these.
    If MS hadn't been such bullies and had actually solved the problem, they wouldn't have had the black eye that they have now.

    I, for one, will shun the Bing search service like the plague.


  26. vastrightwing, 24 Nov 2009 @ 1:41pm

    Dear retailers

    Dear retailers,

    If you want my business, please stop making buying so difficult. It takes me too much time to figure out if buying from you is worth it. I’ve been abused by you many times. I don’t like it. Therefore, I’ve stopped all my impulse purchases and I buy only from people I trust. If you want me to spend money with you, please consider my requests below:

    Please
    1) Sell things for the price advertised. Don’t add hidden fees or make it necessary to buy something else.
    2) Stop baiting me with a deal you won’t deliver and switching me to something I will regret later.
    3) Stop lying about your prices. Advertise one price. You’re now making it necessary for me to cross check prices using different coupon codes, price search engines, clearing my cache and cookies, etc. I just don’t trust you.
    4) Remove that tiny hidden check box so you don’t hand my credit card information to one of your “partners”, which then enrolls me in some automatic monthly subscription I don’t want. If I want an added service from your “partner” let me go to them myself and let me decide if I want to give them my credit card info.
    5) If you sell me a warranty, please respect the contract and make good on your promise, or stop up selling me stuff I can’t effectively use anyway.
    6) Don’t ask me to auto debit my credit card or bank account for a subscription.
    7) Stop up selling me at checkout. If I’m interested in extras, I’ll buy them on my own. I don’t like wasting time figuring out what button is the one that takes me to the end without adding that extra item I don’t want or need.
    8) Tell me the truth about your service, if it’s unlimited, then don’t limit me after the fact and say I am being unreasonable. Simply explain there is a maximum amount of service I can use and tell me what it is.
    9) Don’t give me a store credit that expires or has a fee. Either give me my money back or let me exchange my product. If I give you money it’s not yours until I get what I paid for.
    10) Tell me the truth about your product or service in English I can understand. I know you want to make it sound better than it is so I will buy it, but why make me regret my purchase after I find out I was made a fool?
    11) Stop making me feel like I’m at fault if something goes wrong. Simply fix the problem and make me glad I did business with you.
    12) Stop invading my privacy and then making money by selling my browsing/buying habits. That’s my data. If you want it, perhaps I will agree to sell it to you.


  27. senshikaze (profile), 24 Nov 2009 @ 1:54pm

    Re:

    this, children, is a classic case of sarcasm fail.


  28. Anonymous Coward, 24 Nov 2009 @ 2:02pm

    Re: Re: Ridiculous, of course.

    Hello Bob Bunderfeld,

    I am sorry if you feel that the credibility of one's thoughts or the facts they describe is directly related to their name. I don't know you Bob, but I can assure you that knowing your name does not make me any more likely to believe a word that you say, than to read some other "anonymous coward"'s thoughts. In fact, I find that when it comes to comments on one of the millions of blogs on the internet, the message is much more important than the name.

    Do you really think you are making any grand points, even if you are right, when you refuse to identify yourself?

    Yes, I believe there are people out there who are able to read a post for its content, and not be blinded by the fact that they don't know who wrote it. If you feel that having "Bob Bunderfeld" next to your post is any more identifying than "Anonymous Coward" is next to mine or lends your thoughts any more credibility, you are mistaken. Are you really "Bob Bunderfeld"? And who is "Bob Bunderfeld"? I know neither of these answers, nor is either one relevant to the discussion at hand. I can read your post for your message and take it for what it's worth. On the other hand, you're too arrogant to consider someone else's view even if they are right, as you say.

    Until you, and others like you, are willing to be known, I will, quite frankly, think of you as nothing more then a dimwitted twit, who has Issues with Identification Envy;

    The internet must be a difficult place for you. There is an awful lot of wonderful information anonymously scattered throughout the internet, blog comments included. If you open yourself to the thoughts and ideas of other posters, instead of blindly focusing solely on their screen name, you may find yourself in a much bigger and more exciting world.

    Unless, of course, you get off on the superiority you feel by attempting to bash someone who put time and thought into a comment, just because they didn't include their name. A name which, in all likelihood, is just as irrelevant and unimportant as your own.


  29. Anonymous Coward, 24 Nov 2009 @ 2:45pm

    Re: Re: Ridiculous, of course.

    I haven't done a ton of research personally into the issue at hand, but my very quick impression is that you have it backwards.


    Bing isn't selling a product at a higher cost, butterflyphoto.com is. Although the computer crime statutes wouldn't seem to apply here, the guilty party would be Butterflyphoto.com and not Bing/Microsoft. One could look into false advertising on behalf of Butterflyphoto.com, or perhaps some other laws for deceptive practices.

    It's important to note that Bing isn't adjusting prices here, but rather Butterflyphoto.com is logging the fact that you were referred from Bing, and they charge a higher price as a result. I don't know enough about it to factually ensure that Bing/MS has zero part in this, but on the surface it seems that the finger is pointed at the wrong party.


  30. Anonymous Coward, 24 Nov 2009 @ 2:53pm

    Re: Re: Ridiculous, of course.

    You fail to describe how it is "not smart" to ask someone to take down the information that describes how to game the system illegally for monetary gain. You also fail to realize that my post was not in defense of Microsoft in any way, and therefore was not intended to "change the fact" that you feel it was a poor move.


    You might claim "Streisand Effect!!" as is popular on this site, and has *some* merit, but the reality is that it does make security sense for Microsoft to have the details taken offline as they attempt to 'fix' the potential exploits.


  31. Anonymous Coward, 24 Nov 2009 @ 3:26pm

    Bing where News Corp goes to die.

    As far as I am concerned, if and when News Corp goes exclusive with Bing it is gone. If it ain't on Google it doesn't exist.


  32. Anonymous Coward, 24 Nov 2009 @ 3:53pm

    Re: Re: Re: Ridiculous, of course.

    Hi, I see you're new to the internet. The details can't be "taken offline."


  33. Anonymous Coward, 24 Nov 2009 @ 3:54pm

    Re: Bing where News Corp goes to die.

    Yep. As print circulation continues to fall, it makes better sense for newspapers to adopt an online distribution strategy themselves.

    WSJ is the only paper that increased circulation last quarter, and remains profitable. I'm quite concerned that Rupert is willing to entrust a third party over its own people.

    I suggest Rupert re-read the Findings of Fact in USA vs Microsoft Antitrust case to be up-to-date on some tactics used by IBM, Netscape, Apple, Sun and others.

    I think the strategy was called "Embrace, Extend, Extinguish".


  34. ralphg, 24 Nov 2009 @ 4:08pm

    Points programs charge more

    The discounts aren't free, and so rebate and points programs charge more.

    Here in Canada, AirMiles.com offers points towards flights for buying things off their site. But they cost more; an Apple iPod is $24 more on AirMiles than at Apple.ca.

    The extra $24 goes towards paying for the "free" points.


  35. Anonymous Coward, 24 Nov 2009 @ 4:11pm

    Re: Re: Ridiculous, of course.

    Actually pretty familiar, but thanks for your concern.

    Sure thing.


    Heh. Tons of security research is done without such contracts, because most good security researchers know quite well that companies won't agree to such deals (or agree to them with all sorts of annoying caveats). Doesn't mean you can't still explore security holes.

    Security through obscurity may seem like a good idea to you, but it just means that hackers have the info and the company does not.


    Interesting attempt at a weak logical straw man, Mike. I was under the impression that the original point was about the legality, and not about my personal opinions on security. I put effort into the original post because, coincidentally, I'm in Information Security for a living. If you really want to talk security, I'd be glad to have an intelligent discussion on the topic. I'm guessing, from your weak attempt to spout a security101 keyword as if it made you sound informed, or that it somehow affected the law of the matter, that you don't wish to have such a discussion.

    Ignoring the fact that you wish to use plenty of very subjective, and unsubstantiated terms ("tons" of research, "good" researchers), and seem only focused on attempting to make it sound like you know what you're talking about, and that Anonymous Coward here knows nothing, there is a very real problem with saying that it "[d]oesn't mean you can't still explore security holes."

    You see, the initial topic was law. And the law can essentially be boiled down to something to the effect of "if it's not yours, don't touch it". "Good" security researchers do this, and in practice you'll find that "tons" of security research is done in controlled environments by professionals who know they need to cover their asses or jeopardize their career. So, you can in fact explore security holes, but to imply that it's legal to do so without permission, or that the "good" security researchers work undercover for nothing but fun, is an incredible claim. People with no knowledge in the field may be led to believe you, which is what scares me most.

    As they say, "don't try this at home." As the initial point was, it is in fact illegal.


    More than that, actually.

    Alright then.


    I don't consider a letter on legal stationery listing out all sorts of criminal things you may be charged with as "kindly worded." I'm surprised you do, but perhaps we have different upbringings.

    Yes, it is a legal letter. But the wording and personality of the letter are very professional, and worded as kindly as a legal letter can be worded. You might notice that the letter does not issue demands, it offers requests. The letter does not threaten, it states its legal position, why it feels this way, and where the recipient can look if they're interested in self-assessing the claims given. The letter expresses the views of the company presenting it, but does not attempt to be the ultimate authority on the matter, and invites the recipient to challenge them if they feel so inclined.

    The letter is indeed intended to get the user to remove the content. If that is what you find "nasty" about it, then I respectfully disagree with you. It is my opinion that the letter carries a very professional, mature, and polite nature to it, while still maintaining its ability to represent a legal matter. I know I certainly have seen much more rude and disrespectful letters, and I naturally assumed that you had too. If you find this "nasty", then you're entitled to that opinion. I feel this letter is not.


    You have a funny definition of kindly.

    As stated above, I feel this is certainly one of the more polite and professional letters one could hope to receive on a legal matter. Your mileage may vary.


    The blogger in question did none of the above. Details. Details.

    It is difficult for me to continue in a manner that is reasonably professional, without resorting to the same sort of sarcastic, insulting nature with which you attempt to deal with my response. I fully understand you get your fair share of internet trolls, and may have grown cold to the genuine responses you may receive that disagree with you. However, at this point in your response, I have to reiterate my original point that you just do not seem to know what you're talking about. I'm not sure if it's because you really don't understand law, even though it concerns 80% of your posts, or if it's just a general quickness to publish articles such that you don't have the opportunity to understand the subject matter before typing. I just don't know which it is. However, I hate how many people will read your BS and not know the truth, potentially coming to believe the same things you say because they read it on an internet blog. This is why I felt the need to post in the first place, and am wasting the beginning of my Thanksgiving vacation responding to someone who likely doesn't care what I have to say. My hope is, however, someone else will be able to read it and think about the matter before blindly trusting the things you say.



    You claim the blogger did not break the law. This is absolutely not true. Security people know it, the blogger knows it, Microsoft knows it, and if it were to go to court the Judge/Jury would know it. Mike, however, doesn't. Hopefully your readers will know it too.

    The article that you supposedly read very clearly describes how Mr. Meghani not only found the security flaws, but exploited them to result in $2080.06 in his Bing account, from at least 3 separate fake orders. Not only did he fraudulently exploit this system for personal gain, he published this method for others to examine and exploit. It would be very difficult to convince someone that this was done "to help Microsoft and make them aware of the problem". Those types of vulnerabilities are taken directly to the company, and often not known about until they've been fixed. You may call this "security through obscurity" all you want; it's truly the only respectable and professional way to deal with such vulnerabilities.

    I will again post the first section of the quoted law, so you can put this into context:
    (c)(1) Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.

    If you still do not see how Mr. Meghani knowingly, without permission, used any data, computer, computer system, or network in order to devise or execute a scheme for fraud, or wrongfully controlled or obtained money or data, then I'm afraid it's time to take your RSS off my page and never look back. I come here for something to do to take mini-breaks at work, but when you're this far off base with a topic I know much better than you, then I'm afraid to read your opinions on things I know less about, for fear that you're just as wrong and I won't know it.


    I don't feel there's a court in the world that wouldn't find Mr. Meghani guilty of violating the cited law. A law which, as I said earlier, is just one of *many* that they could pursue and win on. He very clearly exploited a system without permission to steal money. The fact is, his motives do not matter. Maybe he was trying to help. But he broke a very real, very serious set of laws, published it so others could more easily commit fraud, and then acted surprised that a lawyer got in touch with him.



    And when you know how serious the law is, and how easily he could be prosecuted for the accused crimes, the letter seems much more polite than you seem to realize ;)


    Either way, I'm done. Have a Happy Thanksgiving.


  36. identicon
    Anonymous Coward, 24 Nov 2009 @ 4:20pm

    Re: Re: Re: Re: Ridiculous, of course.

    Hi, I see you're new to the internet. The details can't be "taken offline."

    While it's true to say that you cannot guarantee that content is gone from all hands forever, you cannot deny that said content is much more difficult, if not impossible, to find.

    Please test this by linking us to the location of all of these details. It probably isn't impossible to find a source, but it is certainly more difficult than if the original page stayed up.


    While those who are truly determined to find more information on this exploit may be able to do so, the overall exposure of the details is lessened, and thus less likely to be exploited. Much like locks to the front door to your house or your car, it's not about global protection, it's about "keeping honest people honest". Fewer people are likely to attempt the exploit when it's harder to find, than if you throw it in people's faces and tempt people who otherwise wouldn't have even considered it.



    Either way, your sarcasm was totally cool and you'll probably get laid now.


  37. identicon
    Anonymous Coward, 24 Nov 2009 @ 4:59pm

    Re: Re: Re: Re: Re: Ridiculous, of course.

    The specific details of the flaw were never posted, but the details that were are available on hundreds of blogs/etc. rehashing the story.

    Again, go learn about the internet please.


  38. identicon
    Luci, 24 Nov 2009 @ 6:34pm

    Re: Re: Re: Ridiculous, of course.

    'I don't feel there's a court in the world that wouldn't find Mr. Meghani guilty of violating the cited law. A law which, as I said earlier, is just one of *many* that they could pursue and win on. He very clearly exploited a system without permission to steal money. The fact is, his motives do not matter. Maybe he was trying to help. But he broke a very real, very serious set of laws, published it so others could more easily commit fraud, and then acted surprised that a lawyer got in touch with him.'

    I'm sorry, what? First you have to PROVE that he did what you suggest he did. Pointing out a security flaw to a company is a pretty stupid way of covering up an actual illegality. I'm sorry you're such a troll, and obviously can't see both sides of an argument, but perhaps it's better that you aren't going to come back. The fact is that this /is/ a 'nastygram' since it uses legal bullying to pull down information that they should use /themselves/ to fix their problems. Instead, they just come off looking the fool, and have further alienated a lot of people. Good job! That's so very /NICE/! And professional to boot!


  39. icon
    Sneeje (profile), 24 Nov 2009 @ 7:33pm

    Re: Re: Re: Ridiculous, of course.

    Thank goodness. I was beginning to think I was going to have to read five more pages of your arrogant, close-minded diatribe. Oh, and by the way, while you clearly believe your posts are of the highest professional and fair-minded nature (while denigrating Mike for being sarcastic, etc.), you actually come across as equally obnoxious.

    Oh, and I'm an information security professional too and found Mike's assessment to be pretty spot on.

    So there.


  40. identicon
    Bob, 24 Nov 2009 @ 11:08pm

    It's not Bing's problem, it's the retailers' problem. For instance, go to bing.com and search for Sony DCR-SR47. Going through bing.com, you can get it from butterflyphoto.com for $322.95 (before cashback). If you go directly to butterflyphoto.com and type in Sony DCR-SR47, it will cost you $399.99. Make sure you click on the Sony DCR-SR47 silver model. In this case, this is a good thing as you are getting a lower price by going through bing.com.


  41. identicon
    Anonymous Coward, 25 Nov 2009 @ 6:34am

    "I'm actually quite surprised this hasn't received a lot more attention."

    Perhaps if Bing was truly relevant, there would be more coverage, since more people would care.


  42. identicon
    sTuck, 29 Nov 2009 @ 9:57pm

    wow

    you all sound like college students arguing with the emotions of a 5th grader ...

    reminds me of elections ...


  43. identicon
    thedude, 29 Nov 2009 @ 10:05pm

    derelict

    this whole subject just makes me want to hang my head in shame at what we have all become....


  44. identicon
    techdirtReader, 4 Dec 2009 @ 11:30am

    Buyer beware

    I discovered this thread from a google search. I instigated the search because I encountered the same pricing inconsistencies that Meghani encountered: products found through Bing were more expensive than they were outside of Bing for the same merchant, even after the cash back. Obviously, Meghani's findings weren't a one-time isolated instance.


  45. identicon
    Anonymous Coward, 3 Jan 2010 @ 7:29pm

    Bing is hands down the worst search engine ever!!!!! I hate it. I don't know why they make up this craphole propaganda about making easier finds. They are liars and one day they will feel the wrath of God for being full of shit!!!!!!!!!!!!!


  46. identicon
    Anonymous Coward, 29 Nov 2014 @ 8:36pm

    Re: Re: Re: Re: Re: Ridiculous, of course.

    "linking us" - uh, you sort of gave yourselves away there, dudes. Bummer.
