Kuro5hin.org: technology and culture, from the trenches
The Current State of E-commerce Security

By Jizzbug in Internet
Mon Dec 02, 2002 at 08:18:06 PM EST
Tags: Security (all tags)

This afternoon I decided to undertake a quick case study on the current state of security in relation to online shopping cart solutions. I powered up Google and searched the known digital universe for shopping cart software, studying the systems I found and their design principles as I went along.


My search revealed a prime target for my test: a flexible—although seriously insecure—shopping cart design method, in which each shopper's web browser would control many elements of the product details when placing orders. In order that the software could accommodate things such as temporary changes in product details, many of the variables relating to the products {c,w}ould be sent to, and controlled by, the user's browser—via data in the HTML sent from the merchant's web server down to the customer's computer, and HTTP GET or POST encoded data then sent from the customer back up to the merchant.

Among these browser-controlled details are: product's name, price, catalog number, and quantity; order's shipping and tax charges; and customer's name, address, contact information, and payment method (credit card information). When shoppers browse products, these details are stored and manipulated on the shopper's computer. When the customer "checks out" using this shopping cart, the customer's computer feeds this information to the server for order processing.

Essentially, the merchant is providing an API (via HTTP GET/POST [URLs and HTML forms]) by which customers can dynamically, on the client-side, generate and submit order requests to the merchant's electronic storefront. Perhaps unintentionally, this offers shoppers the electronic equivalent of going to a store, picking something up, and saying, "I'd like to purchase this for this much."
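As an added example, not code from the article or from any cart product it describes, here is the trusting order handler the preceding paragraphs describe beside a hardened one that takes only the catalog number and quantity from the browser and recomputes everything else server-side, flagging any client-stated price that disagrees with the catalog for the human reviewer. The catalog, tax rate, shipping charge and sample requests are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed server-side catalog keyed by catalog number. In the hardened
# handler this is the only place a price can come from.
CATALOG = {
    "WAC-I2-9X12": {"name": "Wacom Intuos2 9x12 USB", "price": Decimal("725.00")},
    "CBL-USB-2M": {"name": "USB cable, 2 m", "price": Decimal("9.99")},
}
TAX_RATE = Decimal("0.07")   # constructed flat tax rate
SHIPPING = Decimal("15.00")  # constructed flat shipping charge
CENT = Decimal("0.01")


class OrderRejected(ValueError):
    """Raised by the hardened handler when a request cannot be trusted."""


def parse_order(query):
    """Flatten a GET query string or urlencoded POST body into one value per field.
    parse_qs returns lists; the last repeated value wins, as most servers do."""
    return {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}


def vulnerable_total(fields):
    """The pattern the article describes: every pricing field comes from the
    browser, so whoever builds the URL decides what the order is worth."""
    line = Decimal(fields["price"]) * int(fields["qty"])
    return line + Decimal(fields["shipping"]) + Decimal(fields["tax"])


def hardened_order(fields):
    """Accept only catalog number and quantity from the client. Price, shipping
    and tax are recomputed server-side; a client-supplied price is compared with
    the catalog and any mismatch is flagged so a reviewer sees it explicitly."""
    item = CATALOG.get(fields.get("sku", ""))
    if item is None:
        raise OrderRejected("unknown catalog number")
    try:
        qty = int(fields.get("qty", ""))
    except ValueError:
        raise OrderRejected("quantity is not an integer")
    if not 1 <= qty <= 100:
        raise OrderRejected("quantity out of range")

    subtotal = item["price"] * qty
    tax = (subtotal * TAX_RATE).quantize(CENT)
    total = subtotal + SHIPPING + tax

    # Detection: a client-stated price that disagrees with the catalog is the
    # tell-tale of tampering (or a stale page); surface it rather than trust it.
    mismatch = False
    claimed = fields.get("price")
    if claimed is not None:
        try:
            mismatch = Decimal(claimed) != item["price"]
        except InvalidOperation:
            mismatch = True
    return {
        "sku": fields["sku"],
        "name": item["name"],
        "qty": qty,
        "total": total,
        "price_mismatch": mismatch,
    }


# Constructed requests in the article's style: the honest one echoes the
# catalog price; the tampered one rewrites price, shipping and tax client-side.
HONEST = ("sku=WAC-I2-9X12&name=Wacom+Intuos2+9x12+USB&price=725.00&qty=1"
          "&shipping=15.00&tax=50.75")
TAMPERED = ("sku=WAC-I2-9X12&name=Wacom+Intuos2+9x12+USB&price=125.00&qty=1"
            "&shipping=0.00&tax=0.00")


def compare(query):
    """Return (what the trusting cart would charge, what the hardened cart computes)."""
    fields = parse_order(query)
    return vulnerable_total(fields), hardened_order(fields)


if __name__ == "__main__":
    for label, q in (("honest", HONEST), ("tampered", TAMPERED)):
        naive, checked = compare(q)
        print(f"{label:9s} trusting cart: {naive:>8}  hardened cart: "
              f"{checked['total']:>8}  price_mismatch={checked['price_mismatch']}")
```

The trusting handler charges whatever the URL says; the hardened one charges the catalog total either way and marks the tampered request so the order-verification step described later in the article has something concrete to act on.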

I wondered how exploitable these types of carts were with respect to the human factor involved in order verification and processing. As is allowed by this method of interaction with the customer, one can certainly send any arbitrary data one wishes when submitting order requests—however, at some point along the line, all orders must be verified and processed by human beings. This is the point at which the data sent by the customer to the merchant in the order request must make sense, and be approved and accepted.

I wondered what types of order requests the humans working for these virtual merchants might approve. If the process of order verification, approval, and processing was atomized enough (i.e., if the merchant was big enough, fragmented enough, and departmentalized enough), would a web-based "offer" to buy their products at my price get through the bureaucracy? How successful could you be in saying, "I'd like to purchase this widget for 20 percent of its suggested retail price"?

I resolved I'd find someone to put to the test. Being a technologist at heart, I sought out an online computer merchant utilizing such a vulnerable style of e-commerce solution as has been discussed. One was discovered in no time at all—a merchant operating out of Canada.

I browsed through their catalog of products, wondering what I might like to order. I ended up deciding I'd see if I could order a Wacom tablet. Computer graphics have been a hobby of mine ever since I got involved in computers, and I've always desired to one day possess one of Wacom's fine pressure-sensitive computer drawing pen tablets. But Wacom's products that are actually worth owning have always been just slightly out of my price range. Perhaps not anymore with my new bargaining tool: poorly implemented e-commerce solutions.

I opted to purchase a higher-grade Wacom Intuos2 tablet, a fine product indeed. This product ran for about CAD$725.00, which is a fair market price. In terms of the importance of my hobby in relationship to my current financial situation, such a coveted piece of equipment must still be deemed out of my price range. While CAD$725.00 might be too heavy for my wallet, CAD$125.00 certainly isn't.

I got a hold of the documentation for the software this particular merchant was running, and I whipped up a few URLs and HTML forms that would submit my order request for the purchase of a Wacom Intuos2 9x12 USB tablet at the price of about CAD$125.00. Submission of the order request went off without a hitch.

I received contact from a living representative of this merchant. My order had been approved and accepted, and it was scheduled to go out in the mail the next morning. In their words, "Your special order ... has been sent to you via Canada Post and your payment processed. Thank you for your business." *smile*

In the end, I had successfully managed to purchase a USD$475.00 order of computer equipment for about USD$100.00. Not too shabby. And people have said that the negotiation and bargaining power of individuals is nil.

With the transaction completed and legal (I don't see how this can constitute computer fraud, as a human ultimately reviewed and approved my order request, and as I did nothing more than place an order request via the merchant's open and published order request placement API), I shall enjoy my new toy.

Addendum

I received the graphics tablet in mid-April via U.S. Postal Service. My order was handled personally by several humans at the Canadian supplier. They actually had to type my credit card number into a machine by hand, and someone wrote "web order" on the signature line of the credit card machine's receipt. There were also some handwritten corrections on the invoice I'd received. All in all, I've enjoyed playing around with my tablet—it's quite useful (although try as I may, I can't seem to get it to be happy under Linux and X)—and I've even managed to put it to some legitimate use. On top of that, I've yet to hear anything at all from the merchant. However, the invoice states, "All sales are final." That's fine by me.

And my legal counsel had this to say: "From first year contracts law, all law students know (or should know) that a catalog does not constitute an offer, but is rather a solicitation for bids, in other words, offers from prospective buyers. A buyer, in response to the bid price suggested by the catalog, may in fact offer the merchant that price for the goods advertised in the catalog; on the other hand, a buyer may make an offer at a lower or higher price (usually lower). It is up to the merchant to accept the offer, usually by shipping the goods and depositing the tendered funds, or to refuse the offer, either by asking for more money or by refusing the tender of funds or returning the payment instrument to the offeror. In your case, the correspondence you had the next morning with the representative seems to mark the point at which the merchant accepted your offer... Contracts for the sale of goods appear to be made when the representative contacts prospective customers..."

Addendum for K5

I wrote this article quite a few months ago this year, as is implied by my mention of "mid-April". I was writing my own shopping cart software at the time in PHP4 and PostgreSQL, solely as an exercise in self-education. As I was auditing the security of my application, I began to wonder what the security of other shopping cart systems might be like. I decided I'd audit a few systems to see what I might find. I hadn't gotten very far when I realized that a good number of commercial solutions were still susceptible to the old and fairly well-known exploit that I described in this article. I resolved that I ought not waste my time meticulously searching for obscure weaknesses when such a huge hole was already staring me in the face. At that point, I became less intrigued by the technical particulars of the experiment and more concerned about the social aspects.

Upon testing out the article on several laypeople, and receiving favorable responses, I decided to submit it to 2600: The Hacker Quarterly. Several months later, my article was published in the Fall 2002 issue (19:3, the most recent issue). Ironically, I didn't even know it had been published until I went to Barnes and Noble to read 2600's newest issue. I was sitting in B&N's infamous comfy chairs flipping through the pages when all of the sudden: *gasp*, there's my article! It was a fairly pleasant surprise, to say the least.

Anyways, I just thought I'd submit the article to K5, and see how well it fares here.

By the way, next time you place an order through a mail order catalog, try writing your own price in the "price" column of the order form. It's perfectly legal, and who knows, your order might actually get approved.

Related Links
o Google
o Wacom Intuos2
o Wacom Intuos2 9x12 USB
o 2600: The Hacker Quarterly
The Current State of E-commerce Security | 275 comments (270 topical, 5 editorial, 1 hidden)
cool (2.85 / 7) (#1)
by tps12 on Mon Dec 02, 2002 at 04:31:49 PM EST

Just in time for Christmas shopping. Something tells me Santa's elves will be hammering out a whole bunch of Canadian tablets for the s12 family this year...

Hm. (3.75 / 16) (#2)
by graal on Mon Dec 02, 2002 at 04:34:24 PM EST

This is no different than switching price tags at a traditional retail establishment. It's theft, plain and simple.

--
For Thou hast commanded, and so it is, that every
inordinate affection should be its own punishment.
-- St. Augustine (Confessions, i)

Analogy is nigh equivalent to fallacy (4.57 / 7) (#8)
by aminorex on Mon Dec 02, 2002 at 04:54:06 PM EST

Clearly there are substantial differences and substantial similarities. The analogy to a mail-order catalogue is much more accurate, and it is on this theory that the author believes his actions to be entirely legal, to the best of my understanding.

And I think he's right. Can you propose any substantive counterargument?

[ Parent ]

Legal or not, it's still sneaky. (3.66 / 3) (#10)
by Hired Goons on Mon Dec 02, 2002 at 04:57:37 PM EST

Almost as sneaky as all those EULAS floating about.
You calling that feature a bug? THWAK
[ Parent ]
All I can tell you... (4.75 / 8) (#12)
by graal on Mon Dec 02, 2002 at 04:59:29 PM EST

...is that where I live, the offenses listed under the heading of "shoplifting" include "wrongfully causing the amount paid to be less than the merchant's stated price".

In other jurisdictions, YMMV.

--
For Thou hast commanded, and so it is, that every
inordinate affection should be its own punishment.
-- St. Augustine (Confessions, i)
[ Parent ]

Legal or not... (3.33 / 6) (#13)
by jmzero on Mon Dec 02, 2002 at 05:03:42 PM EST

This is morally wrong.  You are deceiving a retailer's employees in order to get goods at a lower price.  That's the only important fact from a moral standpoint.

Unless said retailer eats kittens or something...
.
"Let's not stir that bag of worms." - my lovely wife
[ Parent ]

Deceiving the retailer... (4.00 / 4) (#14)
by Jizzbug on Mon Dec 02, 2002 at 05:32:56 PM EST

In the case of the order I discuss in this article, I'm not so sure I deceived the merchant.  They did refer to my order as "special".  Maybe they realized that I was only offering USD$100.  I've been wondering about the significance of the word "special" ever since I received the email.  Is "special" a word that Canadians use more generally than the rest of us?  I have a sneaking suspicion that the merchant knew what was up, maybe had an overstock of the item, or maybe just wanted the money because of current economic hardships among computer retailers, or maybe a combination of the two.

I say unto you: one must still have chaos in oneself to be able to give birth to a dancing star. I say unto you: you still have chaos in yourselves.
 -- Friedrich Nietzsche, Thus Spoke Zarathustra: A Book for All and None

[ Parent ]
My guess.. (4.25 / 4) (#16)
by jmzero on Mon Dec 02, 2002 at 05:55:49 PM EST

I'm guessing that some employee saw that the price was wrong and thought "Well, it came through the machine so it must be right.  Odd.".  Then maybe the guy from the next cubicle looked at it.  Then they decided it wasn't worth the hassle of figuring out (at minimum wage), wrote "special" on it, and put it through.

Maybe they realized that I was only offering USD$100.

I'm sure they don't think of those things as "offers".  They see them as orders that come from the website, and that they fill.  I'm pretty sure they don't pay someone to review the orders or think about them in any way - they trust the computer to let them know how much ordered goods are worth.  And if it looks really goofy one day, they write "special" on it.

I have a sneaking suspicion that the merchant knew what was up, maybe had an overstock of the item, or maybe just wanted the money because of current economic hardships among computer retailers, or maybe a combination of the two.

What if you had got it for $1.50? Would it have been wrong then?

In any case, what they did with it doesn't change whether the attempt was wrong.

.
"Let's not stir that bag of worms." - my lovely wife
[ Parent ]

It's their responsibility (3.20 / 5) (#20)
by llimllib on Mon Dec 02, 2002 at 06:23:06 PM EST

I'm sure they don't think of those things as "offers". They see them as orders that come from the website, and that they fill. I'm pretty sure they don't pay someone to review the orders or think about them in any way - they trust the computer to let them know how much ordered goods are worth. And if it looks really goofy one day, they write "special" on it.

So? If the law requires that they treat orders as offers, and they ignore their responsibility under the law, how does that make him responsible?



Peace.
[ Parent ]
Uhhhh (4.00 / 4) (#23)
by jmzero on Mon Dec 02, 2002 at 06:46:31 PM EST

So? If the law requires that they treat orders as offers, and they ignore their responsibility under the law, how does that make him responsible?

The law may say that what was done was legal.  But that doesn't make it right.  

Morally, this is open-and-shut.  He deceived a company in order to get goods for a lower price.  
Didn't your mother teach you anything?

...

Soon I will be able to defeat my own conscience completely - and I owe it all to moral lawyering:

"Sorry son, but you should have known that what you saw as a verbal promise to attend your baseball game was really meant as an offer conditional on your acceptance.  Without that acceptance, there's no real basis for calling it a verbal contract.  It's your job to be up on this kind of law if you're going to be expecting your parental service providers to fulfill their contracts.  I'm doing you a service, really."
.
"Let's not stir that bag of worms." - my lovely wife
[ Parent ]

you sure? (4.00 / 1) (#136)
by llimllib on Tue Dec 03, 2002 at 03:31:02 PM EST

I know it sounds stupid, but what if he called them up, offered them $100 for it, and humans accepted his offer? How is that *at all* different from what he did?

He deceived a company in order to get goods for a lower price

This is my point of contention: I don't think it's deceitful to use an open API to make an offer on some goods, especially when it's reviewed by several humans.


Peace.
[ Parent ]
It would be different (5.00 / 1) (#213)
by Dephex Twin on Wed Dec 04, 2002 at 11:57:53 AM EST

I know it sounds stupid, but what if he called them up, offered them $100 for it, and humans accepted his offer? How is that *at all* different from what he did?

I think it is pretty obvious how this is different.

If he called up the merchant and said "I'd like to order this Wacom tablet", they would have said "Okay, item 12345, that is $400". And then he would say "Okay, I'll give you $100 for that". They would say "Pardon me?" or "I'm sorry, this isn't an auction" or something like that. It would have been obvious what the situation was.

I think it is completely reasonable to take as given that 99% of people who would be in charge of processing those orders wouldn't understand how the info can be altered to change the price as described, given how new and complicated it is. If the article author were honestly making an "offer", as he spun it, he would have called or emailed to make his offer.

I understand he was testing the flaws of online transactions. Well, if there wasn't any deception, and if what he did was morally and legally acceptable, why couldn't he just have confirmed with the company about the nature of the transaction afterward? Because they almost certainly would have taken it back if they knew it was an "offer", and possibly attempted prosecution.


Alcohol: the cause of, and solution to, all of life's problems. -- Homer Simpson
[ Parent ]
They probably thought it was a bug in the software (4.00 / 2) (#37)
by porkchop_d_clown on Mon Dec 02, 2002 at 09:33:58 PM EST

They may have experienced this sort of thing several times and thought it was a rare bug that the price on some items occasionally displayed incorrectly.

They may have decided to honor the price rather than deal with complaints.


--
Once one sock is sucked, the other sock will remain forever unsucked.


[ Parent ]

Call (5.00 / 1) (#60)
by nevertheless on Mon Dec 02, 2002 at 11:12:39 PM EST

I'm not so sure I deceived the merchant. They did refer to my order as "special". Maybe they realized that I was only offering USD$100. I've been wondering about the significance of the word "special" ever since I received the email.

Then call them up and ask them. Certainly there's nothing to be afraid of since this is all on the up and up. Right?

Did you pay the $100 with a bad check, too?



--
This whole "being at work" thing just isn't doing it for me. -- Phil the Canuck


[ Parent ]
Ethical treatment of unethical persons (none / 0) (#87)
by 47 ginger headed sailors on Tue Dec 03, 2002 at 09:01:59 AM EST

"Unless said retailer eats kittens or something..."

That's irrelevant. The ethical value of A's action towards B cannot be based on B's unethical behavior if A's actions have nothing to do with the unethical behavior of B.

Suppose B is a kitten-eater. A may be justified in stopping B from eating kittens, even by physical assault.

But if A had picked B's pocket, that act would have been unrelated to B's anti-kitten actions, and must be judged alone, without reference to kittens, or the eating thereof.

[ Parent ]

Don't you love kittens?!? (none / 0) (#94)
by jmzero on Tue Dec 03, 2002 at 09:57:00 AM EST

I'm joking... you are, of course, very correct.  Swindling a kitten eater would only be ethical under the most extreme of circumstances.

.
"Let's not stir that bag of worms." - my lovely wife
[ Parent ]
It's called (4.00 / 5) (#26)
by nevertheless on Mon Dec 02, 2002 at 08:30:40 PM EST

"Intent to defraud". It's illegal and quite possibly a felony, depending on the amount he defrauded the merchant of.

This was not a negotiation in good faith. It was "gee, let's see if I can trick them on the price by doing something out of sight."

Is it OK to pay with fake money if there's another person involved? Is it OK to switch tags on merchandise if a human checker cashes you out the door? I think you're in for a rude awakening if you think it is. This is *exactly* like switching tags on merchandise. Is it OK to switch tags if the tag is easy to peel off? No. Likewise it is not OK to switch prices if it's easy to do as, apparently, it was in this case.

Slice and dice and finesse it all you like, but the fact remains the intent is to defraud the merchant, which is easily demonstrable by the extraordinary effort the person went through to change the price (as opposed to exploiting an accidental flaw in the code like the $1 air fares that happened a while ago). And that makes it illegal.



--
This whole "being at work" thing just isn't doing it for me. -- Phil the Canuck


[ Parent ]
And theft by deception (4.00 / 3) (#35)
by porkchop_d_clown on Mon Dec 02, 2002 at 09:27:59 PM EST

I think that blaming the merchant is no different than blaming the victim of any other crime.

The blame here is shared between a negligent software company - no different from a company who sold simple luggage locks by passing them off as deadbolts - and the criminals who exploit that negligence.


--
Once one sock is sucked, the other sock will remain forever unsucked.


[ Parent ]

My intent. (5.00 / 2) (#39)
by Jizzbug on Mon Dec 02, 2002 at 09:39:17 PM EST

Actually, my intent was to write an article about the current state of e-commerce security, and make it good. I undertook the whole effort so I could write an article on the issue for 2600.

Also, there was no "extraordinary effort" involved. I didn't even edit any data that was sent to me by their server. I created, with the help of the software's documentation, two URLs that submitted the entire order. I believe the section of the documentation I referenced was "Creating orders with URLs" or something to that effect. I suppose if I didn't know all I know about web development, it would have taken "extraordinary effort". It would have taken much more effort to find and exploit an accidental flaw in the code.

I say unto you: one must still have chaos in oneself to be able to give birth to a dancing star. I say unto you: you still have chaos in yourselves.
 -- Friedrich Nietzsche, Thus Spoke Zarathustra: A Book for All and None

[ Parent ]

Once the point is proven... (4.40 / 5) (#44)
by cavalier on Mon Dec 02, 2002 at 10:11:22 PM EST

...the merchandise need not be stored.

Actually, my intent was to write an article about the current state of e-commerce security, and make it good. I undertook the whole effort so I could write an article on the issue for 2600.

Good. I'm glad you got published, really, good for you!

However, exposé writing, even for a kiddie rag like 2600, runs that fine ethical line where you point out the flaw -- even damage the merchant if necessary to point out the flaw -- then correct the damage.
To continue on with the damage inflicted is immoral. Simple. Fraud is fraud.

Now, I realize I am speaking to the wrong audience here. I realize I've already offended you by calling 2600 a "kiddie rag." However, the older, and perhaps more cynical readership, will recognize that your attempt to "damn the man and his bad shopping cart software" did nothing but halfheartedly justify your $300+ USD thievery from a store.

Oh, yes, it was an "analysis of their security."

Let's try another picture. You've discovered a certain deadbolt lock seems to open if you jiggle it this way and that with any old key. Now, you're going to demonstrate this by walking into a TV store late at night and taking a TV. Sure, there was a kid sweeping the floor when you walked in. Sure, you showed him the key, he shrugged, and kept sweeping. Yes, you got away with the TV.

Are you now going to tell me your purpose was to show off the failure of the deadbolt to the deadbolt company? No, you're a kiddie bragging about the TV you just walked off with. Can you believe it -- the kid just kept on sweeping!

Why not give us the name of the vendor? Why not send them a copy of the article? You were just doing an analysis, right?

It's not like you were stealing or anything, right? I mean, they approved it!

[ Parent ]
reply (4.75 / 4) (#59)
by Jizzbug on Mon Dec 02, 2002 at 11:12:18 PM EST

I realize I've already offended you by calling 2600 a "kiddie rag."

No, you haven't offended me. I can see why some would consider it as such. But 2600 is a lot more like K5 than some K5ers will probably want to admit. It really is a decent publication, even if some o' the articles are of the "kiddie" variety. Personally, my favorite part of 2600 is the letters. They're usually very good, very interesting, and will make you think quite a lot. 2600 also has a very broad readership. I'm sure some kiddies read it, but there isn't much of use to kiddies. A lot of lawyers, educators, etc., subscribe to 2600. That's why I was interested in submitting an article to them, because of their broad reach (and because of what seems to be a recent drop in the quality of their articles).

Why not give us the name of the vendor?

I highly doubt they would appreciate that. My intent from the beginning was to keep all such details confidential.

Why not send them a copy of the article?

Actually, that's the plan. I haven't yet for a few reasons: 1) I was waiting for the article to be published, 2) I just recently found out it was published, 3) I'm finishing up work on the materials and information to send to them.

I have a feeling they'll be sayin', "Uh, we knew all along." Due to the nature of the correspondence I had with them initially, I tend to think that they were aware of the discrepancy. But I was originally, from the start, planning on contacting and informing the merchant, as there may be the possibility of landing some sort of contracting gig with them to fix up their website.

On the other hand, if they were aware of the lowered price (which I tend to think they were), then that kind of invalidates a few assumptions I make in my article. But it brings to light something maybe more revealing: computer merchants are willing to sell some of their wares for 20% of their suggested retail price. The economic insight about the computer industry it offers would itself make for another good article (some more research would be required, though, to fill up the body of that article).

I say unto you: one must still have chaos in oneself to be able to give birth to a dancing star. I say unto you: you still have chaos in yourselves.
 -- Friedrich Nietzsche, Thus Spoke Zarathustra: A Book for All and None

[ Parent ]

Need a wheelbarrow for those? (4.00 / 1) (#82)
by cavalier on Tue Dec 03, 2002 at 07:00:19 AM EST

Actually, that's the plan. I haven't yet for a few reasons: 1) I was waiting for the article to be published, 2) I just recently found out it was published, 3) I'm finishing up work on the materials and information to send to them.

Well then! Certainly you've managed to keep your head through these long winded holier than thou replies. You might even really be doing this. If so, bravo! Sally forth! All that jazz.

Why not post a followup story? Half of me wonders if you're posting this here (it's 2600 and here so far, yes?) because like any guilty conscience you're looking for people to tell you "you done wrong."

We're a lot of smart people. Us geeks. Can rationalize a whole lot of shit. I appreciate that you've taken it this far and haven't broken. I do hope you're serious about following through with contacting the merchant. Likely, they recognize they're not in a position to demand anything. All the same, it would be awfully meaningful in the whole social-karma-we-are-all-one jive if you offered some form of reparation for them.

That is, unless, all these replies have been another confidence scheme. Two articles from you thus far on K5, both essentially confidence games. I think you're really smart and you've found that humans are hackable. I hope you learn the rest of the lessons without much pain.

Cheers.


[ Parent ]
Please find enclosed my CV (none / 0) (#102)
by QuickFox on Tue Dec 03, 2002 at 11:26:41 AM EST

My intent from the beginning was to keep all such details confidential.
[...]
I was originally, from the start, planning on contacting and informing the merchant, as there may be the possibility of landing some sort of contracting gig with them to fix up their website.

Dear Sirs,

I would like to apply for a job at your company fixing up your website's security. I have the best of qualifications: I have discovered and exploited a serious security hole in your webshop.

This huge security hole allows your customers to negotiate the prices on your products. Now, I want to point out that negotiating the prices with you is perfectly normal. I mention this just so you don't get any ideas of bringing criminal charges against me. It's just an ordinary price negotiation, perfectly honest, perfectly open. Still, I'm sure you'll realize the serious security consequences and the exploits that become possible when your customers are allowed to negotiate the prices.

I think I'm well qualified, in fact I'm quite the elite if I may say so myself, because to exploit your security hole I managed to seek out and modify a price in a URL.

I can even boast that I'm a published researcher on webshop security issues. I have published an article on your security hole in the magazine 2600 and on the discussion site Kuro5hin.

Of course I'm aware that normally one would inform you before anyone else, but in this case I felt that publishing first was better, since I planned to eventually seek employment with you.

I am well aware of the sensitivity and confidentiality of working with a company's security issues. You can rest assured that I did not mention the name of your company when I disclosed your security hole. I even declined a request from someone who wanted to know, which I think proves that I'm a responsible and reliable person.

Well, I did tell my readers to try the same security hole exploit themselves. In fact, I also tried to convince them that it's just a perfectly legal price negotiation. Of course I realize that if this were true I would have no need to keep the details confidential, nor would I talk about it as a security hole in the first place. In fact, in that case seeking employment for fixing security wouldn't make much sense. But considering the fact that it's not only perfectly legal but also a serious security hole exploit I decided to prove how responsible I am by publishing first while keeping it perfectly confidential. This time.

Best regards,

Jeeez Buggy Thinking

Give a man a fish and he eats for one day. Teach him how to fish, and though he'll eat for a lifetime, he'll call you a miser for not giving him your fi
[ Parent ]

Irrelevant (4.00 / 1) (#55)
by nevertheless on Mon Dec 02, 2002 at 10:57:57 PM EST

Actually, my intent was to write an article about the current state of e-commerce security, and make it good.

You could easily have written an article and "made it good" without fraud. It's done all the time. It's called "empirical analysis."

Oh, it was most certainly an "extraordinary effort." Extra: beyond. Ordinary: usual. In order to be "ordinary" this would have had to happen without any effort on your part. But there was effort. You coded it! It's not even like you picked it up and said "gee, I wonder what this does." You sat down, read the manual, designed a solution, and wrote code. That is not "ordinary" by any definition. Spin it whatever way you like, but that fact remains. And it's not like you even stole from the people who wrote the code! You went out and found a totally innocent third party!

So, when whoever it was palmed my credit card number and called up Tiger Direct and ordered two 21-inch monitors (true story) it was Tiger Direct's fault for, uh, what, taking the order over the phone? For not insisting whoever it was drive to Miami to buy the stuff in person? What? I take it that the tablet was returned with the explanation of what you were trying to prove? Or did you somehow rationalize the theft as being, what? they used the wrong software so they deserved to be stolen from?

Man, that's some fucked up thinking there.



--
This whole "being at work" thing just isn't doing it for me. -- Phil the Canuck


[ Parent ]
In GA, the breakpoint for felony shoplifting... (3.00 / 1) (#45)
by graal on Mon Dec 02, 2002 at 10:25:43 PM EST

...is $300.

More info here. The author mentioned Kansas. Their definition of 'shoplift' can be found here. For Canada, all I could easily find was at this site.

--
For Thou hast commanded, and so it is, that every
inordinate affection should be its own punishment.
-- St. Augustine (Confessions, i)
[ Parent ]

Fraud (4.50 / 4) (#68)
by sigwinch on Mon Dec 02, 2002 at 11:59:19 PM EST

This was not a negotiation in good faith.
Fraud requires an untrue statement. In this case, the purchaser made a true statement: they wanted to pay a particular price. And the merchant's agents reviewed that price, accepted it, and executed the transaction.
Is it OK to pay with fake money if there's another person involved?
That is different. Counterfeiting requires the creation of an item with misleading resemblance to currency. In this case every cognizant person was fully aware of the exact truth.
Is it OK to switch tags on merchandise if a human checker cashes you out the door?
That is different. Picking up tagged merchandise creates a bailment, and therefore a responsibility to protect the property. Altering the tag before purchase therefore constitutes a damage to another's property.
Slice and dice and finesse it all you like, but the fact remains the intent is to defraud the merchant, which is easily demonstrable by the extraordinary effort the person went through to change the price (as opposed to exploiting an accidental flaw in the code like the $1 air fares that happened a while ago).
As far as the law is concerned, a misdesigned computer program is no different than a mistrained employee. Going to an employee at the merchant's warehouse and saying "I'll pay $15 for this Learjet" is no different than going to the merchant's data connection and making the same request. The merchant is responsible for their own procedures, whether those procedures are implemented by man or machine.

This case is indistinguishable from the stock market, where systematic flaws involving computers have resulted in accidental billion dollar transactions.

--
I don't want the world, I just want your half.
[ Parent ]

Thank you! (none / 0) (#77)
by Jizzbug on Tue Dec 03, 2002 at 02:30:39 AM EST

Thank you very much for your post. I couldn't have put it better myself. (Seriously! I couldn't! Even I was beginning to wonder if I was the evil criminal everybody was saying I am. *grin*)

I say unto you: one must still have chaos in oneself to be able to give birth to a dancing star. I say unto you: you still have chaos in yourselves.
 -- Friedrich Nietzsche, Thus Spoke Zarathustra: A Book for All and None

[ Parent ]
Oh, take some responsibility, for cryin' out loud (none / 0) (#130)
by mech9t8 on Tue Dec 03, 2002 at 03:10:00 PM EST

Even I was beginning to wonder if I was the evil criminal everybody was saying I am.

The merchant wanted to sell it for a given price.  He went and paid for a web site to give the functionality to buy the item at the specified price.  And then he hired some minimum-wage drones to process those orders.

And you bypassed the mechanism he provided in order to get a lower price.  Should the drone at the other end have got it?  Perhaps.  (Maybe he'll get fired when the deception is revealed.)  Should the software have caught it?  Certainly.  Is it possible he caught it but let it go anyway?  Unlikely, but possible.  If he did, it's probably because he thought the website screwed up and he didn't want to deal with the complaints.  It's rather unlikely he knows what a URL is and deliberately left that loophole available for people to conduct negotiations.

It may or may not have been illegal; I'm sure you can grab a dozen real lawyers and get a dozen different opinions (depending on what you pay them to say), never mind all the IANAL postings here.  It doesn't matter.  Legality is not morality.

By most standards of morality, what you did is wrong.  Deal with it.  It's not hugely wrong.  It's not like you tortured kittens or something.  There are varying degrees of wrongness, and people do things of minor wrongness every five minutes (not refilling the coffee machine at work... driving an SUV instead of carpooling... download MP3s from artists that didn't intend to distribute MP3s for free... etc etc etc)  It's not like "wrong" is an absolute that means you're going to hell or something.

But be a man (or woman<g>) and admit it, instead of clinging to the flimsy pretenses that the order was labelled "special" or that he might have let it go through or that maybe he intended to negotiate or that you were doing it for "noble" reasons.

Or just admit that part of your morality is that "stupid people get what they deserve".  In which case, the store owner, by making a stupid choice in choosing his web site developer or order processing drone, got what he deserves.  Or when the deception is revealed and the order processing drone get fired, he deserved that.  No moral problem; case closed.

--
IMHO
[ Parent ]

getting fired (none / 0) (#148)
by Jizzbug on Tue Dec 03, 2002 at 05:03:12 PM EST

(Maybe he'll get fired when the deception is revealed.)

That was one of my worries from the beginning. I would rather steal $300 from a company than cause a "minimum wage drone" to be fired. By all accounts, that "minimum wage drone" probably really needs that job. However, from the correspondence I had with the sales rep, and from my experience working with other computer parts distributors, I doubt he was a minimum wage drone, and was instead your standard, intelligent, decently paid, computer-parts-distributor sales rep.

However, the "getting fired" thing was also a reason I wanted to wait 'til the article was published before I contacted the merchant. If the fulfillment of the order was a mistake on their part, it would hopefully allow enough time to pass that they wouldn't be able to point fingers and fire somebody. (Aside from that, I'm also pretty sure that it wasn't a mistake, that they weren't deceived. I've explained my reasons for believing this elsewhere, so I won't bother to do so again here.)

I say unto you: one must still have chaos in oneself to be able to give birth to a dancing star. I say unto you: you still have chaos in yourselves.
 -- Friedrich Nietzsche, Thus Spoke Zarathustra: A Book for All and None

[ Parent ]

Quit deluding yourself. (none / 0) (#219)
by Dephex Twin on Wed Dec 04, 2002 at 12:22:53 PM EST

(Aside from that, I'm also pretty sure that it wasn't a mistake, that they weren't deceived. I've explained my reasons for believing this elsewhere, so I won't bother to do so again here.)
Because of this one word "special", you think it's possible they knew what was going on. If this is a normal way to go about business, why would they have called it "special"? It wasn't a special price they set. Why wouldn't they have said "We accepted your offer" or something along those lines?

Yes, there is a CHANCE they intended to sell it at a special lower price, just like there is a CHANCE that a cashier who gives you back a $10 bill instead of a $1 bill for change is giving you a special deal. Any person that assumes this 0.000001% chance is true and doesn't check with the merchant is not being honest. Think about it.


Alcohol: the cause of, and solution to, all of life's problems. -- Homer Simpson
[ Parent ]
Whew! (none / 0) (#216)
by Dephex Twin on Wed Dec 04, 2002 at 12:12:48 PM EST

(Seriously! I couldn't! Even I was beginning to wonder if I was the evil criminal everybody was saying I am. *grin*)
That was a close one! Even though you have dozens of people telling you and explaining to you why it is morally wrong and very possibly illegal, you did have one person's specious arguments saying it wasn't all that bad. Now you know you probably did an okay thing.


Alcohol: the cause of, and solution to, all of life's problems. -- Homer Simpson
[ Parent ]
Re: Fraud (none / 0) (#81)
by KILNA on Tue Dec 03, 2002 at 06:36:40 AM EST

Counterfeiting requires the creation of an item with misleading resemblance to currency.

However, it is morally correct to create an "offer" with a misleading resemblance to a standard order generated by their web site? Everyone defending the author keeps trying to make some sort of case that the intent behind altering the URLs wasn't to mislead, but to make an alternative offer. I was born at night, but I wasn't born LAST night.

If the intent wasn't personal gain, and the author actually saw worth in performing this study, then why not purchase the item for more than its price? Purchasing a $1 item for $100 would have the same effect of detecting the efficacy of the human factor in the fulfillment process, and would show the intent was not personal gain. But no, the author simply wanted to cheat a merchant, and unfortunately he got away with it. If honesty and curiosity were his actual motivators he'd at least return it for a refund of the price paid. Nope, the greedy SOB is bitching about the lack of drivers for his platform. Bah.

If you want to make an alternative offer in good faith, you simply use the proper channel one would use to make such an offer. Key words if you don't like jail: good faith. In the case of a grocery store, you find someone you know is likely to have the authority to sell you something at a discounted price, like the store manager, and negotiate the price through them. You are not acting in good faith if you intentionally avoid the manager and arrange pricing for that keg with the pimply baggage boy or Ms. Down Syndrome Clean-Up on Aisle Three. You do not swap the "offered" price on the tag with your own "offer" price, and attempt to weasel it by the checkout drone.

At both the supermarket and the web site, it is immoral and illegal to spoof the system with the intent of personal gain at the company's expense. If one knowingly sidesteps or tampers with a transaction in bad faith, as is obviously the case here, then fraud is being committed and it should be punished accordingly.



[ Parent ]
because (none / 0) (#115)
by ph0rk on Tue Dec 03, 2002 at 01:41:35 PM EST

offering more money than the merchant was asking would not properly control for an actively monitoring, but greedy, merchant.

i.e. he sees the transaction, and accepts it anyway, then runs off to the liquor store to blow his $99.

and also, likewise, you'd probably never get out of the deal, you'd never get your $99 back.  Ethics? Morals? fuck that, i want my fucking $99.

.
[ f o r k . s c h i z o i d . c o m ]
[ Parent ]

Curiosity (none / 0) (#119)
by KILNA on Tue Dec 03, 2002 at 02:17:18 PM EST

The merchant should have to pay for your curiosity regarding their business processes? That should be $99 you're willing to give up to satisfy your itch. To address this morally the author should either a) give the product back in exchange for the price, or, b) make the price just as ridiculous but in the merchant's favor. Particularly if you want to publish the results and be taken seriously, as opposed to being thought of as a petty thief. I suppose that's the whole point of getting into 2600, I would hope that one wouldn't seek the same from K5. There is no "control" here, because this is a single anecdotal prodding of a specific merchant's system, with the only greed involved coming from the author. By all appearances he is seeking credibility and possibly absolution from apologists like yourself. Bah. It is *fraud*.

[ Parent ]
apologists? hardly. (none / 0) (#236)
by ph0rk on Wed Dec 04, 2002 at 03:22:51 PM EST


If the author wants to make it 'right', he should return the product (depending entirely on your definition of right).

My point stands that offering more than the item is worth is not as accurate a test, as it is entirely possible a merchant that happens to see the order will let it through, and likely.

If you were as interested in doing what was 'right' as you sound, why didn't you suggest that the author contact the merchant and inquire about their practices, as that would have been enough information without 'testing' his theory.

And also, I fail to see how being a selfish bastard has anything to do with being an apologist, but thanks anyway.  You suggested a different method, and I think your suggestion is a waste of time, the end.

.
[ f o r k . s c h i z o i d . c o m ]
[ Parent ]

At least you're honest about the dishonesty. (none / 0) (#257)
by KILNA on Wed Dec 04, 2002 at 05:39:24 PM EST

In other responses I have questioned the author's intent based on the fact that he hasn't returned the booty and that he hasn't contacted the merchant. In this particular one I was attempting to make the point that one could design an experiment to test the same theory in a fashion that doesn't screw the merchant... so I apologize for the apologist thing, I let my emotions get the better of me a couple of times over this. It's just wrong. You have at least admitted that the motivations are those of a "selfish bastard", but a great deal of the folks here seem to think it's socially acceptable behavior to con a business.

[ Parent ]
Correction. (none / 0) (#122)
by Jizzbug on Tue Dec 03, 2002 at 02:31:17 PM EST

Nope, the greedy SOB is bitching about the lack of drivers for his platform. Bah.

Oh, the drivers are there. They just don't work worth a damn. Upon moving the mouse or stylus, the kernel reports per event:

wacom_intuos_irq: received unknown report #1

I say unto you: one must still have chaos in oneself to be able to give birth to a dancing star. I say unto you: you still have chaos in yourselves.
 -- Friedrich Nietzsche, Thus Spoke Zarathustra: A Book for All and None

[ Parent ]

You are incredible! (none / 0) (#125)
by KILNA on Tue Dec 03, 2002 at 02:44:51 PM EST

Congratulations, you have very eloquently corrected the minutia of my comment while completely avoiding the primary point! I'm quite sure that by now you're only responding to strike peoples' ire... keep up the good work. Perhaps you can call them and get another discount since it isn't working up to snuff?

[ Parent ]
Wacom Tablets (none / 0) (#205)
by Ranieri on Wed Dec 04, 2002 at 10:17:17 AM EST

My Graphire 2 (usb) works perfectly under linux, and is detected by mandrake upon installation without extra hassles. In fact, this is one of the few points imo where Mandrake outshines windows.

PS: This tablet was paid for in full :-D
--
Taste cold steel, feeble cannon restraint rope!
[ Parent ]

And another thing... (none / 0) (#83)
by KILNA on Tue Dec 03, 2002 at 07:48:36 AM EST

On the strictly legal front, wouldn't downloading a web page containing all of the pertinent information regarding a product constitute an online bailment for the product in question? If you agree to make a transaction with a quoted product, you're just as fraudulent in modifying that product's price data as you would its price tag, seeing as there is a clear and present parallel of a "shopping cart" and a "checkout" process in an online store. I see no significant practical distinction between a physical product and its price tag, and a product's information page and a hidden price form field. I doubt a judge would either, since both require intentional and covert replacement of pricing information in order to make the terms of the purchase more favorable to the buyer. It all rests on the fact that the change to the product trusted to the consumer was made without due notification to the seller, which indicates willful deception. This shows the purchaser had some knowledge that the merchant would not agree to the changed terms. I'd say most reasonable people would call changing pricing information without the seller's knowledge fraudulent.

[ Parent ]
You missed the whole point (none / 0) (#95)
by rhino1302 on Tue Dec 03, 2002 at 10:34:43 AM EST

A "price tag" is a physical attribute of an item, and by modifying it you are damaging the property.

However, a "price" is not a physical attribute of an item. It's just a sum of money that both the buyer and the seller agree to exchange for the item. As the price exists only in the minds of buyer and the seller, it cannot be modified or damaged.



[ Parent ]
The physicality of the price tag is irrelevant (none / 0) (#110)
by KILNA on Tue Dec 03, 2002 at 12:57:20 PM EST

So you're saying that because it's bits instead of a sticker, serving the exact same purpose, it is morally justifiable? Please tell me you're not a surgeon in real life, I'd hate to be under your blade.

The price tag is not merely a physical attribute of the product, we both know this... and few would argue that it was part of the product's worth itself or has any value beyond the data it conveys. It is there for one purpose, to be the de facto agreement between vendor and purchaser as to purchase price. Unless it has been explicitly excepted by someone with the obvious authority to do so, it is THE agreement. Modifying that agreement without the vendor's knowledge is fraud.

The exception the author created by engineering a misleading order was neither explicitly specified as an "offer" to the vendor, nor was it authorized by anyone with obvious authority to do so. Negotiating a price and completing the order are two separate steps, and he excluded involving the merchant in negotiation in order to defraud them. Just because the order was shipped doesn't mean someone with authority agreed to the price, and he made it a point to place the order in such a way to avoid that authority and choose his own price when there was already an explicit de facto price associated with the product.

The aspect where the price tag analogy is the strongest is that the author modified the price indication with the sole purpose of gaining the product at a lower price than a person with proper authority would grant. He sidestepped the negotiation process by passing the order through people with less authority, exploiting the implicit authority of the price indicator, which he covertly modified. By his own admission he did this knowingly, and with the intent of gaining a good in a way he knew wouldn't be agreed upon otherwise.

I think pretty much everyone would agree that this behaviour is immoral. It is lying, stealing, and cheating all at once. You contend that it is legal, but I doubt this specific problem has been addressed in a court of law. I think my view will be supported, especially since we are discussing a shopping experience that so directly models itself after real-world "shopping carts" and "checking out". The "price tags" in online stores have the same explicit authority to determine the de facto price for an item, and will likely be granted the same protection from modification.

Don't get me wrong, software engineered in this way is not ideal. But just because the price tags slide off easy or are written in pencil doesn't justify modifying the price information. What matters here is not the physicality of the tag but the fact that it conveys important information for the merchant's representatives to close the transaction. How would this be different than using, say, an Apache exploit to the same end? Or spending a few minutes at an unattended price-changing terminal in a grocery store? Or if the price info was stored in an RF tag or mag stripe in the product and you re-wrote it with the proper equipment?

There has to be some level of legal protection for the merchant against scammers making end-runs around negotiation by misrepresenting themselves to a business. Should the price tag analogy fail, a good prosecutor will find some other way to pin fraud on those exploiting merchants by fabricating bad-faith transactions when they have no reasonable expectation that the merchant would knowingly agree to. The merchant completing the transaction is NOT consent to a change of agreement, since they were given no indication that the agreement was modified. This is the same whether the de facto price agreement is on a sticker or in the bits.



[ Parent ]
reply (5.00 / 1) (#140)
by Jizzbug on Tue Dec 03, 2002 at 03:59:25 PM EST

Please tell me you're not a surgeon in real life, I'd hate to be under your blade.

As long as {,s}he's the best surgeon in the land, I could care less about h{is,er} moral character.

nor was it authorized by anyone with obvious authority to do so. Negotiating a price and completing the order are two separate steps, and he excluded involving the merchant in negotiation in order to defraud them.

This is pretty much the brunt of your argument. You seem to mostly reword it and repeat it several times.

It's apparent that you have no idea how their order system worked, so a large amount of your argument hinges upon speculation of how you imagine it may have worked. (I'd like to note that hopefully no merchant's business processes are as negligent as you imagine them to be. I highly doubt that most merchants operate in the manner you specified; if they do, they'll be out of business soon enough anyway.) Here's how this merchant's processes worked:

I created a URL. I didn't change or alter anything given to me by the server, I simply created a URL as the manual for their software instructed me to. My URL specified the price that I was willing to pay.

My URL started a chain reaction. It created an email, nothing more, nothing less. An email with all the details of the order request that I'd placed was sent to a sales representative; nothing is processed, verified, or approved yet--it's just a crappy lil' plaintext email. The sales rep had to transfer all the information from that email by hand into their accounting system. My credit card information and my offered price had to be entered by hand into a credit card machine. As most accounting systems work, the MSRP of the tablet should have initially shown up on the invoice once the sales rep selected the proper product. This would require the sales rep to change the value of the price on the invoice to match the price that was specified by the email. This seems to me to be quite a lot of merchant involvement in pricing issues. Obviously the sales rep had the authority to change prices, and apparently decided in my case to accept my specified price. Next, I received a human-generated email thanking me for my "special order" and business.

I'm sure you still think I'm a criminal. And that's fine by me. I think you have no clue as to how merchants operate. And hopefully that's fine by you.

I say unto you: one must still have chaos in oneself to be able to give birth to a dancing star. I say unto you: you still have chaos in yourselves.
 -- Friedrich Nietzsche, Thus Spoke Zarathustra: A Book for All and None

[ Parent ]

As a matter of fact... (none / 0) (#155)
by KILNA on Tue Dec 03, 2002 at 05:36:34 PM EST

As to the moral fiber of your physicians, I wish you the best of luck. The experimental drugs may work out fine, and I'm sure that you can rest comfortably knowing the surgeon sees you as a pile of organs ripe for the harvest. Morality is about giving a shit about your fellow man; I should hope that the one slicing me open would have a bit of ethical resolve. But to each their own, I suppose. Can I have your spleen?

As far as the store issue, I can speak to this subject with a degree of authority. I work for an e-commerce company with nearly a thousand clients with various online order fulfillment models ranging from a single person doing everything, to full-blown businesses with separate shipping, accounting, receiving, etc., to ones that don't stock anything and use external fulfillment houses via EDI. Many of those clients, mostly the smaller ones, migrated from what we refer to as "soft cart" systems such as the one you described... PayPal and the like. Soft cart systems carry every bit of information regarding the product which is relevant to completing the transaction in the source HTML. We do not use this model for our cart system, and in fact we use the weaknesses of this model as a selling point for our product.

A problem for many businesses is that a practical implication of success is that one man shops don't scale well. They hire an intern to start shipping the packages because there's too much work to be done, but the knowledge transfer isn't there. It's especially difficult for stores with a wide product line and subtle distinctions between things that should cost a bunch, and things that shouldn't (say, collectible cards for instance). So attempting to pass an intentionally re-priced web order by an intern who doesn't know better is no different than attempting to pass an intentionally re-priced physical item in a real store past a clerk... with the exception that you'd likely never have to look the person you're screwing in the eyes.

As far as human intervention into fulfillment, I have rarely seen a system where the fulfillment person (be it a clerk or a shipping intern) is aware of the MSRP or cost to the business. In fact, the shipping intern is told to trust the output of the web order system in the exact same way that a clerk is told to trust price tags. Yes, they have a degree of discretion if they feel something is wrong, and yes the business could move the pricing data into a domain where the buyer cannot modify it (by determining the pricing at the end of the process instead of the beginning, for either a web or a real store). But just because that order filler has discretion and that business chose price tags over UPCs, it does not in any way absolve you from attempting to covertly change the price. You are still the one responsible for that action.

You seem fairly certain that billing was not automatic in this case. Does it really make a difference whether you slipped your "special price" by a machine or a human? You are creating a fabrication that you know is defrauding the business, otherwise you would have used the ability to modify the product's description to say "This is an offered price bid for this item", or given the product back after all was said and done.

When you went through the browsing, adding to cart, and checkout processes, did any of the verbiage indicate that the price was in any way variable? Did the subsequent email indicate such (other than the word "Special")? Amazon tells me how special my orders are to them; it doesn't mean I think there's a human being validating the price on every order and typing every confirmation email. And say you're 100% sure it was handled completely by humans, it's still the equivalent of switching price tags in a meatspace store since 100% of the transaction is handled by humans. In both instances the price indicator was changed not with the intent to negotiate, but to defraud. Negotiating the price was the last thing on your mind or you would have spent 1 minute drafting an email instead of 5 minutes viewing the source and hacking out a URL. Or you would have moved on to ebay, a marketplace where bidding is the actual price structure. Or you would have called. You ended up calling it an experiment to feel better about it... whatever.

There were a million ways you could have made an obvious good faith counter-offer to their published, de facto price. But you chose to smugly outsmart a poorly written shopping cart and a $5/hr. box stuffer, then post about your triumph on the net. Congratu-fucking-lations, I'm so happy for your newfound ability to rationalize petty theft.

Real people run businesses. The described action is feeding intentionally tampered information into a business process with the hope that nobody of consequence would notice, so you could get a new toy. It doesn't matter if it is in hidden fields or price stickers, if it's in a meatspace store or across the net, if the victim is Safeway or your Gramma's craft business. The result is the same, you have committed fraud.



[ Parent ]
Responsibility (none / 0) (#172)
by sigwinch on Tue Dec 03, 2002 at 07:45:50 PM EST

But you chose to smugly outsmart a poorly written shopping cart and a $5/hr. box stuffer, then post about your triumph on the net.
People who create computer-based systems that can be destroyed by simply asking are the enemies of the human race. If someone doesn't stop them, one day we're going to wake up to find that $100 billion has disappeared and the global economy is in a shambles.

--
I don't want the world, I just want your half.
[ Parent ]

Moral relativism (none / 0) (#179)
by KILNA on Tue Dec 03, 2002 at 08:17:29 PM EST

So it's incorrect to steal from people... well, that is, unless they're ill prepared for a robbery. Are you running for president in 2004? I'd like to place my vote now.

[ Parent ]
wait a minute... (none / 0) (#188)
by Jizzbug on Wed Dec 04, 2002 at 12:51:46 AM EST

one day we're going to wake up to find that $100 billion has disappeared and the global economy is in a shambles.

Wait a minute... That's already happening! We just haven't woken up to the fact yet (or been told about it). (Except I've heard of figures on the order of $15 trillion.)

I say unto you: one must still have chaos in oneself to be able to give birth to a dancing star. I say unto you: you still have chaos in yourselves.
 -- Friedrich Nietzsche, Thus Spoke Zarathustra: A Book for All and None

[ Parent ]

physicality is the whole point (none / 0) (#159)
by rhino1302 on Tue Dec 03, 2002 at 06:29:00 PM EST

IANAL, but sigwinch's point was that modifying a price tag is illegal because it is damaging property. Jizzbug did not modify anything, he just submitted a URL. If that is true, he is not legally vulnerable on that account.

As for the morality aspect, I didn't address that one way or the other, and you have no basis to attack me. Morality and legality are two separate issues.



[ Parent ]
You are correct (none / 0) (#165)
by KILNA on Tue Dec 03, 2002 at 07:11:50 PM EST

Your point made no assertion with regards to morality, and I made an incorrect assumption by reading more into your assertions than I should have. My sincerest apologies, I regret that my zeal for righteousness came out as an attack on your character.

As far as legality goes, I think there are more parallels between a hidden form field and meatspace price tags than there are between it and a paper catalog. In a paper catalog human error is expected in orders (and they are therefore checked), though price haggling should still be explicit to be considered made in good faith. Whether that is a legal necessity for "good faith" in all cases I cannot speak to with authority, but I can say that morally one should indicate prices one is bidding vice the catalog prices. Paper catalogs aren't designed to handle the entire transaction from initiation to invoice, they are merely there to start it. Web stores handle the entire transaction, perform all the calculations based on the data the system feeds itself through the user's browser (an important distinction), and they often include processing the credit card in real-time and immediate forwarding to fulfillment. This is much closer to a real store experience, especially considering haggling rarely occurs in meatspace stores where prices are labeled in such a way that it is obvious they aren't meant to be tampered with. Hiding HTML form fields is a way of making it obvious that the indicated price isn't intended to be negotiated, and I think this can be made obvious to even a layman in a courtroom setting if prosecuted.



[ Parent ]
<input type="hidden"> (none / 0) (#168)
by Jizzbug on Tue Dec 03, 2002 at 07:29:47 PM EST

I made no use of hidden form fields in the submission of the product to the shopping cart. I used something like "cart.cgi?action=add&productid=123&price=321" in a URL. As URLs aren't hidden, are very readable and very malleable, they're not a very good indication that the price isn't intended to be negotiated or altered.

I say unto you: one must still have chaos in oneself to be able to give birth to a dancing star. I say unto you: you still have chaos in yourselves.
 -- Friedrich Nietzsche, Thus Spoke Zarathustra: A Book for All and None

[ Parent ]
Hidden-ness of the pricing (none / 0) (#177)
by KILNA on Tue Dec 03, 2002 at 08:10:08 PM EST

The point is you went outside of the intended interface with the express goal of tricking the merchant into giving you a deal they normally wouldn't. In fact, if I saw a URL like that I would likely poke it to see what happened. But poking for curiosity is completely different than exploiting for personal gain. When you made the lie of omission regarding the modified price and took the product, you wronged them. I do not think the same actions would have wronged them any less had it been a catalog, but according to some here it is not illegal. Legality is not morality. Though I would hope not, perhaps deceptive URL modification will be found to be completely kosher in trial some day. But if it's legal to do it, does that make it right? I don't think so.

[ Parent ]
Price Tag Analogy Sucks (none / 0) (#212)
by Fat Tony on Wed Dec 04, 2002 at 11:55:25 AM EST

I have seen the price tag analogy made several times in the replies to this article, and it's starting to piss me off. In 99.9% of transactions, there is the price tag on the item, and then the UPC code which identifies the product in the company database. Even if I write $1 on the price tag, when the UPC code is scanned, the correct price will show up on the computer. Essentially, what he has done is tell the software he wants to pay $125 for the product. When the human processes the order, he should LOOK at the MSRP of the product when he scans it in to take it out of inventory. The fact that this product ever shipped shows that either 1) the retailer doesn't CARE about price changes, or 2) his entire order processing and shipping process is broken.

[ Parent ]
So it's OK... (none / 0) (#224)
by KILNA on Wed Dec 04, 2002 at 01:18:59 PM EST

...to change tags if they don't use UPC codes? The system the author describes is one where the price is not looked up in a database, it is kept in the HTML source along with other product data. The merchant made a business decision to trust customers browsing through the store not to change prices. This is a bad business decision in meatspace or online, we can all agree on this. The problem I have is with customers modifying the authoritative price indicator and calling it "negotiation" when they don't give any indication to the merchant they've changed it. I don't think this is morally correct, and I don't think it should be legal. Nobody has presented any case law specific to the web as to its legality, but I think most reasonable judges/jurors would see the deception and avoidance of other more direct means of negotiation as acting in bad faith.

[ Parent ]
Bailments (none / 0) (#164)
by sigwinch on Tue Dec 03, 2002 at 07:09:25 PM EST

On the strictly legal front, wouldn't downloading a web page containing all of the pertinent information regarding a product constitute an online bailment for the product in question?

A bailment constitutes possession of, or dominion over, chattels owned by another. Chattels are movable, material possessions. Information is not chattels because it is not physical.

I'd say most reasonable people would call changing pricing information without the seller's knowledge fraudulent.

Read up on the concept of "due diligence". I'm not familiar with all the fine points, but it basically amounts to this: a party who does not give reasonable care and attention to a matter can be considered negligent if something goes wrong.

In my opinion, merely saying "I want to sell things on the Internet" to a web company does not constitute due diligence. If you are delivered an auction system with the opening price set to your catalog price, it's your own fault, and that is essentially what happened in this case. If you want absolute control of the sale price, you ought to have written that into the web services contract.

--
I don't want the world, I just want your half.
[ Parent ]

You sir! (none / 0) (#184)
by KILNA on Tue Dec 03, 2002 at 09:50:18 PM EST

You have made the only argument that seems likely to hold water legally, and may even provide a moral ground. Negligence on the part of the store owner surely must be punished! It should be considered negligent to use pencil-written price tags or grease-pen markings in a day and age when UPC driven point of sale systems are available. It is obviously gross negligence, seeing as the price can be modified without damaging the product... the store owner has not done due diligence, and can expect every bit of what he gets.

I contend that a lack of due diligence on the part of the seller does not absolve a buyer who has willfully modified prices. The primary fault is still with the buyer.

It is my opinion that online representations of products used for the purpose of conducting a sale should be afforded the same practical guarantees against tampering that physical products in real stores have.



[ Parent ]
Meatspace price tags (none / 0) (#200)
by Chakotay on Wed Dec 04, 2002 at 09:30:02 AM EST

It is my opinion that online representations of products used for the purpose of conducting a sale should be afforded the same practical guarantees against tampering that physical products in real stores have.

On many e-commerce websites, there are statements that the prices are only an indication and are not binding until they are mentioned on the bill. Obviously, that disclaimer is there to prevent problems caused by typos and such. But, legally, if the demanded price is only an indication, does the customer not have the right to indicate any other price he would like to offer?

This of course presumes that the site has such a disclaimer. Maybe they have a disclaimer warning specifically against typing errors. But even then the vendor has the obligation to _check_ all orders to make sure no such errors occur.

In fact, an online shop is somewhere in between a catalog and a meatspace shop, and I think it's actually closer to the catalog, with an automatic order form. This is also because in a meatspace shop you pick up the product and physically walk out the door with it. In an online shop, you order the product, and wait for the vendor to ship it to you, not unlike ordering from a catalog. Besides, most catalog order forms sent up by snail mail are processed by computers too. That's why there are these nice little squares to put the product numbers into, so they can be easily read by an automated character recognition device. So I don't really see the difference between that and an e-commerce order form...

--
Linux like wigwam. No windows, no gates, Apache inside.

[ Parent ]
my code (4.72 / 11) (#5)
by mattw on Mon Dec 02, 2002 at 04:47:55 PM EST

My shopping cart software (actually, StorePhront is more of a full PHP E-commerce system) tries to follow some simple rules:

  • Assume users can and will attempt to maliciously manipulate anything.
  • Trust nothing the users input. Assume they can and will attempt to override any and every variable in your code if they can.
  • Assume users know your code intimately, and want to exploit it


That last point may require some explanation. Many people assume very stupid things, like users not understanding what fields in a GET request are. For example, when an item is deleted from a cart, you see a URL like:

www.somestore.com/cart.php?a=deleteitem&item=1353593

People assume users, and worse people intentionally malicious, might not go and replace the item=XXX with item=YYY. What could be more fun than deleting all items in all carts? Cancelling orders? Etc.

I can't speak for any and every E-commerce package available, but I've certainly tried to be vigilant while coding. That said, I've occasionally made gross errors. A few months ago, someone created an account that had no name on it, at all. They input an email, but NO NAME. I looked in the code, and somehow (maybe while doing CVS merges?) the check on the name had been totally dropped. Not only was it not checking for the EXISTENCE of the name, it would have permitted ANY characters, so a name like "' or 1=1 or foo='" would have been valid. You can imagine how that might end up causing ugly problems.

It's quite often ignored in many disciplines; look at the game industry, and how many simple vulnerabilities were in games like Diablo II because the server either trusted valid input from the client, or sent the client too much information.


Automated testing (3.50 / 2) (#40)
by lakeland on Mon Dec 02, 2002 at 09:42:09 PM EST

Your case study was a perfect example of the problems that can be saved by automated testing. Enumerate every single stupid input that should be caught by sanity checks and have it run automatically on the code whenever you run make test. Personally I write the test cases as soon as I've written the function, and then when the function passes all the test cases I consider it debugged. That way it isn't any effort to get long term reliability.

Unfortunately it doesn't work so well with highly stateful programming, yet another advantage of stateless programming I guess.

[ Parent ]
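The two preceding comments describe the same discipline from two sides: mattw's rules (trust nothing from the browser, assume the user will swap `item=XXX` for `item=YYY`, never let a name like `' or 1=1 or foo='` reach a query) and lakeland's habit of enumerating every stupid input and running it under `make test`. The following is an added example written for this thread, not StorePhront's code and not from either poster. It handles the `action=add&productid=...&price=...` URL shape from the article by ignoring the client's price entirely and reading it from the catalog, restricts `deleteitem` to rows owned by the caller's session, validates the customer name, and finishes with a sanity suite that reports any listed bad input that was not rejected. The in-memory sqlite3 tables, session ids, handler names and the name policy are all constructed assumptions.

```python
"""Server-side cart handling that never trusts client-supplied values.

Added example for this thread; it is not StorePhront's code and not from
the original post.  The in-memory sqlite3 catalog, session ids, handler
names and the customer-name policy are all constructed for illustration.
"""
import re
import sqlite3

# Assumed name policy: a letter first, then letters, spaces, dots,
# apostrophes or hyphens, at most 80 characters in total.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z .'\-]{0,79}$")


def open_store():
    """Build a constructed store: two products and two carts in different sessions."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER);
        CREATE TABLE cart_items (id INTEGER PRIMARY KEY, session TEXT,
                                 product_id INTEGER, qty INTEGER);
        INSERT INTO products VALUES (123, 'Widget', 32100);
        INSERT INTO products VALUES (124, 'Tablet', 75000);
        INSERT INTO cart_items VALUES (1353593, 'sess-alice', 123, 1);
        INSERT INTO cart_items VALUES (1353594, 'sess-bob', 124, 2);
    """)
    return db


def add_item(db, session, params):
    """action=add&productid=...&price=...: the client's price is never read."""
    try:
        product_id = int(params.get("productid", ""))
    except ValueError:
        return {"ok": False, "error": "bad productid"}
    row = db.execute("SELECT price_cents FROM products WHERE id = ?",
                     (product_id,)).fetchone()          # parameterised, never interpolated
    if row is None:
        return {"ok": False, "error": "unknown product"}
    db.execute("INSERT INTO cart_items (session, product_id, qty) VALUES (?, ?, 1)",
               (session, product_id))
    return {"ok": True, "price_cents": row[0]}          # price comes from the catalog


def delete_item(db, session, params):
    """a=deleteitem&item=...: only a row owned by the caller's session is deleted."""
    try:
        item_id = int(params.get("item", ""))
    except ValueError:
        return {"ok": False, "error": "bad item"}
    cur = db.execute("DELETE FROM cart_items WHERE id = ? AND session = ?",
                     (item_id, session))
    return {"ok": cur.rowcount == 1}


def valid_name(name):
    """Existence and character check of the kind the thread says had been dropped."""
    return isinstance(name, str) and NAME_RE.fullmatch(name) is not None


# Constructed list of inputs every handler must reject (the "make test" list).
BAD_INPUTS = {
    "productid": ["", "abc", "123 OR 1=1", "-1", "999999", "123; DROP TABLE products"],
    "item": ["", "1353594", "1353593 OR 1=1", "' or 1=1 --"],
    "name": ["", "' or 1=1 or foo='", "<script>", "x" * 200],
}


def run_sanity_suite():
    """Run every bad input against a fresh store; return the ones that got through."""
    db = open_store()
    leaks = []
    for raw in BAD_INPUTS["productid"]:
        if add_item(db, "sess-alice", {"productid": raw, "price": "1"})["ok"]:
            leaks.append(("productid", raw))
    for raw in BAD_INPUTS["item"]:
        if delete_item(db, "sess-alice", {"item": raw})["ok"]:
            leaks.append(("item", raw))
    for raw in BAD_INPUTS["name"]:
        if valid_name(raw):
            leaks.append(("name", raw))
    return leaks


if __name__ == "__main__":
    print("inputs that slipped through:", run_sanity_suite())
```

The `item=1353594` case is the interesting one: it is a perfectly well-formed id, just not one in the caller's cart, so a type check alone would let it through; the ownership clause in the `DELETE` is what stops it. Keeping the bad-input list as data next to the handlers is what makes lakeland's "run it on every build" practical.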

I wonder... (3.71 / 7) (#6)
by dissonant on Mon Dec 02, 2002 at 04:48:04 PM EST

...what might happen if you were to put a negative price on an item? Do you suppose (assuming the order was *ahem* "approved") that you would not only receive the item, but have money added to your account? For instance, if I "buy" a widget for -$300.00, would I get the widget + a $300 credit on my credit card bill?

depends. (4.00 / 2) (#56)
by Work on Mon Dec 02, 2002 at 11:01:30 PM EST

some parsing scripts would barf at the sight of a '-' sign. Others wouldn't.

I'd be more interested in what would happen if you put in something totally bogus like "ajklsdfj!" instead of a number. If the system were REALLY poorly designed, it could take down the whole site from some type of cast exception.

This depends on a variety of factors, but I could see it happening with some old software.

[ Parent ]
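The two failure modes raised in this sub-thread, a negative amount that the script happily accepts and a non-numeric string like "ajklsdfj!" that raises a cast exception, have the same fix: parse every client-supplied number against an explicit grammar before any arithmetic happens, and keep a boundary that turns a surprise exception into a failed request rather than a dead process. The block below is an added example written for this thread, not code from any poster or product. The limits (at most 99 per line, amounts below 1,000,000.00) and the catalog are constructed assumptions; prices still come from the server-side catalog, so the only client numbers parsed are quantities and any amount a customer legitimately chooses.

```python
"""Strict parsing of client-supplied numbers for a cart.

Added example for this thread, not code from the original post or any
product it mentions.  Limits (99 per line, amounts below 1,000,000.00)
and the catalog are constructed assumptions.
"""
import re
from decimal import Decimal

MAX_QTY = 99
QTY_RE = re.compile(r"[0-9]{1,2}")                  # digits only: no sign, exponent or spaces
AMOUNT_RE = re.compile(r"[0-9]{1,6}(\.[0-9]{2})?")  # 0 to 999999.99, two decimals if any


def parse_quantity(raw):
    """Return 1..MAX_QTY as int, or None for anything else ('-3', 'ajklsdfj!', '', '1e3')."""
    if not isinstance(raw, str) or QTY_RE.fullmatch(raw) is None:
        return None
    qty = int(raw)
    return qty if 1 <= qty <= MAX_QTY else None


def parse_amount_cents(raw):
    """Return a non-negative amount in integer cents, or None.

    The regex rejects '-300.00', 'NaN', 'Infinity' and '1e3' before Decimal
    ever sees them, so no exception can escape from a malformed field.
    """
    if not isinstance(raw, str) or AMOUNT_RE.fullmatch(raw) is None:
        return None
    return int(Decimal(raw) * 100)


def order_total(catalog, lines):
    """Total an order: catalog maps product id -> cents (server side), lines are
    the raw client fields.  Any bad line rejects the whole order."""
    errors, total = [], 0
    for line in lines:
        pid = line.get("productid")
        qty = parse_quantity(line.get("qty"))
        if pid not in catalog:
            errors.append(("productid", pid))
        elif qty is None:
            errors.append(("qty", line.get("qty")))
        else:
            total += catalog[pid] * qty
    if errors:
        return {"ok": False, "errors": errors}
    return {"ok": True, "total_cents": total}


def handle_request(handler, *args):
    """Last line of defence: an unexpected exception becomes a 500 result for this
    request only, instead of taking down the process serving every other customer."""
    try:
        return handler(*args)
    except Exception as exc:  # deliberate catch-all at the request boundary
        return {"ok": False, "status": 500, "error": type(exc).__name__}
```

Rejecting "0.5" and "300.5" is intentional: an amount grammar that requires exactly two decimals removes a whole class of rounding arguments before the arithmetic starts, and integer cents avoid floating-point totals altogether.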

I've always wondered (none / 0) (#88)
by tzanger on Tue Dec 03, 2002 at 09:19:56 AM EST

"ajklsdfj!"

I've always wondered what Dvorak keyboard users type for garbage...



[ Parent ]
OT: Not Dvorak (none / 0) (#101)
by nlaporte on Tue Dec 03, 2002 at 11:23:21 AM EST

If you look at the middle row of a QWERTY board, all the keys he hit were there.


--
John Shydoubie. Shydoubie. John Shydoubie. John Shydoubie.
[ Parent ]
you misunderstand (none / 0) (#109)
by tzanger on Tue Dec 03, 2002 at 12:49:09 PM EST

I know what QWERTY garbage looks like, and I quoted it. I was saying "I wonder what Dvorak garbage looks like." It wasn't the clearest statement, I know. :-)

[ Parent ]
it looks something like this: (4.00 / 1) (#131)
by skullY on Tue Dec 03, 2002 at 03:10:52 PM EST

uaonuhntoeahunoa

I think it's a lot prettier, personally.

--
I'm not witty enough for a sig.
[ Parent ]

Thanks. (3.60 / 5) (#9)
by Hired Goons on Mon Dec 02, 2002 at 04:55:31 PM EST

As if the e-tailer business needed any more help collapsing.
You calling that feature a bug? THWAK
Heh. (4.37 / 8) (#11)
by valeko on Mon Dec 02, 2002 at 04:57:38 PM EST

That's quite funny. :-)

I personally wouldn't do that, and not necessarily because of legal concerns, but moral ones. Oh, rest assured, I have not turned over a new leaf; I am still me, with my ever-present contempt toward property rights and lucrative commerce. But I wouldn't rape a merchant because of the lack of security in his online cart backend. I just wouldn't. There's just that element of dishonesty and cunning that doesn't appeal to me; I seem to have a very strong sense of the need to obey laws, conventions, and norms on the personal level, except for some things I guess.

I suppose my logic here would be based on the idea that our commercial interactions, as fundamentally unjust as they may be on the macro level, still do contain human elements of trust, cooperation, and mutual respect. In other words, I wouldn't refuse to modify the CGI/session parameters to the cart not because of some overriding sense of moral obligation toward maintaining the honesty and integrity of business (and certainly not a respect of property), but just because it would be dishonest and mean toward the merchant on the personal level.

I would feel bad. Perhaps that's why I never do anything creative like shoplift or "negotiate" my own price.

"Hey, what's sanity got going for it anyways?" -- infinitera, on matters of the heart

The Law (3.00 / 3) (#15)
by The Solitaire on Mon Dec 02, 2002 at 05:46:00 PM EST

When you talked with your legal counsel, did you look at Canadian law, US law, or both? I'm assuming you're from the US, otherwise (obviously) US law doesn't apply.

I need a new sig.

U.S. law. (3.75 / 4) (#17)
by Jizzbug on Mon Dec 02, 2002 at 06:02:10 PM EST

Yes, I'm from the U.S.  A genius friend o' mine gave me the legal counsel.  He's a Ph.D. in physical organic chemistry, and recently he decided to get a degree in law.  He's passed the Kansas Bar and Patent Bar.  He wants to be able to practice in intellectual property law because he thinks intellectual property is an oxymoron, and he despises the patenting of software methods, mathematics, chemical compounds, and science and knowledge in general.

I say unto you: one must still have chaos in oneself to be able to give birth to a dancing star. I say unto you: you still have chaos in yourselves.
 -- Friedrich Nietzsche, Thus Spoke Zarathustra: A Book for All and None

[ Parent ]
So in other words.. (4.80 / 5) (#72)
by Kwil on Tue Dec 03, 2002 at 01:32:44 AM EST

..you're relying on a lawyer trained in general and patent law to give you advice regarding international consumer/contract & electronic commerce (DMCA anyone) law?  Well, I suppose his advice is probably better than the standard IANAL Slashdot troll, but I'm not going to hazard a guess as to how much.

However, I honestly fail to see how you can differentiate what you have done from price-tag switching. I can only assume that you can somehow tell from the e-mail that it was actually created by a human and not by an automated e-mailing system (simply shipping to the States may well make it a "special order") in order to justify your "somebody looked at it, so it must be okay" idea.  Yet even so, there is still the problem that, like the human cashier who actually takes your money and counts it - there is no way for the human cashiers at this store you defrauded, who run your credit card numbers through, to know that you've gone and changed the price on them.

Had you notified them that you were not using their specific weblinks in order to make your order and they still accepted it, that would be something different. What you've done however is just slip the price change through - exactly as if you'd written up your own price tag and replaced theirs on the physical item.

Of course, seeing as how you only did this for research, you are of course planning to return the tablet and explain to them what has happened, if you haven't already, correct?

Yeah..didn't think so.

That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze


[ Parent ]
What you did there.... (3.66 / 6) (#18)
by ultimai on Mon Dec 02, 2002 at 06:11:20 PM EST

What you did there are as bad as click-through EULAs and other such things of dishonesty.  Yes they may be legal (or unchallenged) for now, but that is because the law has not caught up with technology.   Other things of this nature would probably be legislated on in the future.

If you were going to go with the "security hacker ethic", you would have reported it as a flaw and not exploited them as a result. Maybe publish it publicly to pressure the software maker to make a patch for it.

human factor (3.50 / 4) (#19)
by llimllib on Mon Dec 02, 2002 at 06:15:40 PM EST

How is what he did a security exploit? He submitted an order request to the catalog company in a manner that was not automated, all via an open interface. His order was reviewed by several humans and accepted as valid by them. Just because the website didn't offer the chance to bargain automatically doesn't mean that it's invalid to do so.

Hypothetically speaking, how would you make that particular bargain illegal?


Peace.
[ Parent ]
Uhhh (4.20 / 5) (#24)
by jmzero on Mon Dec 02, 2002 at 06:54:56 PM EST

How is what he did a security exploit? He submitted an order request to the catalog company in a manner that was not automated, all via an open interface.

Similarly, IIS is an open interface to run code of your choice on the server.  But it wasn't intended to be.  Just because the flaw is in design or business process doesn't mean it's not a flaw.

Hypothetically speaking, how would you make that particular bargain illegal?

You're confusing "illegal" and "unethical" (which is what the parent was alleging).  I hope those two words mean different things to you.

Just because the website didn't offer the chance to bargain automatically doesn't mean that it's invalid to do so.

So why not just call them up and bargain?  Oh yeah, because this wasn't bargaining this was deception.  They wouldn't have sold this item for this price without what they saw as validation from the web site.  Pretending otherwise might be valid as a legal excuse, but makes for a pretty weak moral argument.  
.
"Let's not stir that bag of worms." - my lovely wife
[ Parent ]

Assuming too much. (2.80 / 5) (#25)
by Jizzbug on Mon Dec 02, 2002 at 07:17:00 PM EST

They wouldn't have sold this item for this price without what they saw as validation from the web site.

You're assuming too much. We can debate the {ethics,morality} of what I did all day long, and I'm cool with that. But I don't think you can say some of the things you're saying as matter-of-factly as you are.

We can speculate, that's cool. But you shouldn't act like you know exactly what was going through these people's heads.

Personally, I find my theory of the "special order" to be more likely and logical than yours. First of all, I know a lot more about the situation than you, since I did it and all, and since it was I that had the corresponce with them, etc. So I'd like to think I'm in a better position than you to speculate anyways. But in the end, we're both speculating.

Let's be honest (and ethical and moral), and not go around pretending we can assume more than we can.

After all, being all high and mighty, better-than-thou, and all-assuming is, I would say, ethically shaky ground.

I say unto you: one must still have chaos in oneself to be able to give birth to a dancing star. I say unto you: you still have chaos in yourselves.
 -- Friedrich Nietzsche, Thus Spoke Zarathustra: A Book for All and None

[ Parent ]

Courage of your convictions (5.00 / 8) (#28)
by pmc on Mon Dec 02, 2002 at 08:52:49 PM EST

You're assuming too much.

Really? This is what you said earlier:

I hadn't gotten very far when I realized that a good number of commercial solutions were still susceptible to the old and fairly well-known exploit that I described in this article. I resolved that I ought not waste my time meticulously searching for obscure weaknesses when such a huge hole was already staring me in the face.

You are talking about an exploit and holes. Now, it may just be that the shop did think you were negotiating. But you don't think that, and neither does anybody else. If you did you would not be talking about exploits and holes.

Sophistry never has been a replacement for morals and ethics. But if you are sure your story is correct - that you did negotiate - then ante up. Name, address, what store you stole from...sorry negotiated with, order number, and so on. Let the store know for certain what you did, and see if they consider it negotiation or fraud. And no weaseling out - if there was a true meeting of minds (required for a contract - ask your lawyer friend) then there will be no risk to you at all.

If, on the other hand, there is some room for doubt about the store's reaction then you did not negotiate an adjusted price.

Your call - let us know if you have the courage of your convictions.

[ Parent ]

The Author Defrauded and Robbed a Vendor (3.50 / 2) (#32)
by HidingMyName on Mon Dec 02, 2002 at 09:10:41 PM EST

These guys operate a high volume business. What this guy did was equivalent to going into a brick and mortar store, and switching the pricetag on an item and sneaking it through the checkout. If he defrauded a brick and mortar store that way, he would need to hope the authorities did not get wise to it, otherwise he would be in serious jeopardy of becoming a convict. What the author did was very dodgy.

Sure he got something cheap, but did he openly negotiate price? No, he changed an obscure bit of information and slid through on a vendor that was doing enough orders that their help didn't catch the irregularity. If a store silently changed a price on you, and took your money, I think you would be pissed and have all kinds of self righteous indignation (as would the author of the story). Situational ethics suck, it's better to step up and show some integrity.

[ Parent ]

Ordinary commonsense thinking (3.50 / 2) (#34)
by QuickFox on Mon Dec 02, 2002 at 09:25:16 PM EST

After all, being all high and mighty, better-than-thou, and all-assuming is, I would say, ethically shaky ground.

This is in no way being all high and mighty or better-than-thou. This is quite ordinary thinking. Ordinary nothing-special commonsense thinking that most people have. If you're losing that ordinary common sense, then you're losing something valuable.

Give a man a fish and he eats for one day. Teach him how to fish, and though he'll eat for a lifetime, he'll call you a miser for not giving him your fi
[ Parent ]

Well... (4.00 / 2) (#41)
by jmzero on Mon Dec 02, 2002 at 09:46:46 PM EST

Who cares what they did with it?  You were doing something wrong as soon as you made the attempt (whether it was rejected, noticed, or shipped without notice - that was out of your control and doesn't change whether what you did was wrong)... unless you intended to not accept the merchandise and inform them of their problem.  

If they would have sent it to you without "special" written on it, would you have sent it back?  Have you yet told them about the problem - even anonymously?

I'm not claiming you're evil, and it's true that I don't know all the details of the situation.  However, you are in effect advocating using this kind of exploit - and people should at least understand that doing so is "shaky".
.
"Let's not stir that bag of worms." - my lovely wife
[ Parent ]

IIS exploits aren't confirmed by victims (3.50 / 2) (#30)
by CanSpice on Mon Dec 02, 2002 at 08:58:56 PM EST

Similarly, IIS is an open interface to run code of your choice on the server. But it wasn't intended to be. Just because the flaw is in design or business process doesn't mean it's not a flaw.

Actually, your analogy fails when you realize that someone who exploits a hole in IIS runs programs without the knowledge or possibly consent of the owner of the IIS machine. If there was an exploit in IIS such that every time someone tried to use that exploit the owner of the machine had to approve the jobs it ran, then your analogy would be fitting. As it is, it's an incorrect analogy.

[ Parent ]
Uhhhh (none / 0) (#38)
by jmzero on Mon Dec 02, 2002 at 09:38:27 PM EST

In order for this to be moral, you would have to count on this order going through normal channels - ie, they would respond to it the same way they would respond to it if I called up and asked for the product for $100.  Otherwise, you are deceiving the staff into thinking somehow this $100 offer is more legitimate than other $100 offers.  

The whole point of the article is that they don't treat this the same way as they treat someone calling up and offering $100 (otherwise it wouldn't be a security problem, it would be a legitimate alternate mode to use their website - this is obviously not the case).

I don't understand why I have to keep explaining this.  It seems really obvious.
.
"Let's not stir that bag of worms." - my lovely wife
[ Parent ]

Collected Responses: (5.00 / 1) (#139)
by llimllib on Tue Dec 03, 2002 at 03:41:26 PM EST

You're confusing "illegal" and "unethical" (which is what the parent was alleging). I hope those two words mean different things to you.

Thanks for the insult, but here's what the parent said:

they may be legal (or unchallenged) for now, but that is because the law has not caught up with technology

So why not just call them up and bargain?

Exactly. I find that to be morally equivalent to using an open API to submit an order request to humans. Who cares whether the request was made via text or voice? He made an offer, they accepted it.

Similarly, IIS is an open interface to run code of your choice on the server.

Besides the snide jokes about Microsoft's (lack of) security, IIS is not an open interface to run code of your choice on the server. In fact, it tries very hard to be secure. On the other hand, the mail order company has exposed a communications API, and therefore there is nothing deceitful about communicating with them.


Peace.
[ Parent ]
Bah.. (none / 0) (#143)
by jmzero on Tue Dec 03, 2002 at 04:27:02 PM EST

Thanks for the insult...

You are suggesting that this action was moral - and your reasoning is still tied to this silly lawyering "accepted offer" crap.  I rescind no insult.

Exactly. I find that to be morally equivalent to using an open API to submit an order request to humans. Who cares whether the request was made via text or voice? He made an offer, they accepted it.

This is, to that retailer, a bug in their system.  They obviously had no intention of allowing free form offers via the web.  The fact that their software did this for them is, to them, a bug.  It's not a feature, or an Open API, or anything else.  The author clearly thought of it as a security exploit, I think of it that way, and I'm guessing you do too.  

He made an offer, they accepted it.

He used deception to make his "offer" seem more valid than a similar offer made over the telephone would be.  This is wrong, and was done for gain.

The only moral thing to do is to contact the store.  If this was a real accepted offer, he has nothing to fear.  If it wasn't, he should return the product.
.
"Let's not stir that bag of worms." - my lovely wife
[ Parent ]

Unethical (4.00 / 1) (#27)
by bugmaster on Mon Dec 02, 2002 at 08:44:14 PM EST

I agree; cheating e-tailers out of their money is wrong. However, I don't think it should ever become illegal, because the law that makes it illegal will ultimately take one of two forms:
  1. Outlaw stupidity
  2. Outlaw consumer freedoms
While stupid people exist, they will make stupid mistakes in their software. While consumer freedoms exist, consumers will be free to buy what they want however they want. Unfortunately, here in the US we are rapidly heading toward solution #2 (DMCA/Palladium) -- solution #1 being a bit too impractical. However, I think almost everyone here would agree that solution #2 is worse than the problem it tries to solve...
>|<*:=
[ Parent ]
heh (4.33 / 3) (#29)
by Work on Mon Dec 02, 2002 at 08:56:19 PM EST

most of these ecommerce softwares are pretty old, and fairly crappy, written before concepts like sessions helped minimize the exposure to this kind of fraud.

Nonetheless, sessions are no silver bullet to it either. This software serves as a shining example of how to program properly: ALWAYS, for the love of god, check any kind of input, even if it's 'supposed' to be generated by the server software.

Even then, I can think of one very large security flaw I discovered in Resin when handling sessions. The flaw was easily fixed by end users. The default config file that was distributed with resin had a developer flag still enabled that saved sessions to the harddrive. But the problem was the location it saved them was an accessible directory, so if you knew the location, you could get a listing of all current sessions and the data they contained. This meant you could access credit card #'s and anything else the session held.

The solution was to go toggle the flag off in the config, but I only found it one day by poring over the thousand or so lines that was in there. I even went to their 'who's using resin' listing, and found about 2/3rds of the sites listed had their sessions completely available to anyone who wanted them.
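The Resin anecdote above is a deployment check rather than a coding one: wherever a container persists sessions to disk, the directory must sit outside anything the web server will serve, and must not be readable by other local accounts. The following is an added example written for this thread, not Resin's code, and it assumes nothing about Resin's configuration keys; it only takes a document root and a session directory and reports the two exposures described in the comment. The bad and good layouts are constructed under a temporary directory.

```python
"""Check that an on-disk session store is not web-reachable or world-readable.

Added example prompted by the Resin anecdote in this thread; it is not
Resin's code and assumes nothing about Resin's configuration.  The two
directory layouts below are constructed under a temporary directory.
"""
import os
import stat
import tempfile


def session_store_findings(docroot, session_dir):
    """Return a list of problems with where session files are kept."""
    findings = []
    root = os.path.realpath(docroot)
    store = os.path.realpath(session_dir)
    # Any directory at or below the document root can be listed or fetched by a browser.
    if os.path.commonpath([root, store]) == root:
        findings.append("session store is inside the document root")
    mode = stat.S_IMODE(os.stat(store).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"session store mode {oct(mode)} is accessible to other local users")
    return findings


def demo():
    """Build a bad and a good layout and return their findings as a pair."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "htdocs")
        bad = os.path.join(docroot, "sessions")        # served directory: wrong place
        good = os.path.join(tmp, "var", "sessions")    # outside the web tree
        os.makedirs(bad)
        os.makedirs(good)
        os.chmod(bad, 0o755)                           # typical default: readable by all
        os.chmod(good, 0o700)                          # container account only
        return session_store_findings(docroot, bad), session_store_findings(docroot, good)


if __name__ == "__main__":
    bad_findings, good_findings = demo()
    print("bad layout:", bad_findings)
    print("good layout:", good_findings)
```

`realpath` matters here: a symlink from inside the document root to a "safe" location elsewhere is still reachable through the web tree, and resolving both paths first is what catches it.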

Not so easy... (4.00 / 1) (#47)
by spcmanspiff on Mon Dec 02, 2002 at 10:29:47 PM EST

Smalltime ecommerce sites often use a third party website to process credit card information -- it's cobranded (same logo and design) but what ultimately happens is a form post or get, with order and price details, from the catalog website to the processing website.

All the credit card processor has access to is a store and order identifier, a list of items, and the total amount -- so it's impossible to do verification, and it sounds like that's what got tinkered with in this article.

Oh, and by the way, what the hell were credit card numbers doing being stored, ever?

In a vanilla ecommerce site there is one and only one time a credit card number needs to be kept around: When it needs to be submitted for processing. It should never go into memory, or a database, or anywhere else outside of that single form post handler. If you think you need it for something else, then you're wrong.

The only use I ever saw for stored credit card numbers was for regularly repeating orders, and then we made sure to public-key encrypt them into the database with the private key held on a separate, completely firewalled and locked-down machine used only for the repeating orders.

... this is why I rarely* order anything online ...

[*] I say rarely, because from a real world security perspective, this is more-or-less analogous to handing the card to a stranger or throwing a receipt with the full number into the trash. I can either be super-paranoid both online and in the real world about credit cards, or try to keep a bit of perspective -- in both places.

 

[ Parent ]
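The hand-off described above, a form post carrying store id, order id, items and total from the catalog site to a co-branded processor, is exactly where a price can be altered in transit, and the comment is right that the processor has nothing of its own to verify against. What it can verify is that the posted fields are the ones the catalog actually computed, if the catalog signs them with a secret the two parties share. The block below is an added example written for this thread; it is not any processor's real API, and the field names, canonical string and per-store secret are assumptions.

```python
"""Signing the hand-off from a catalog site to a third-party card processor.

Added example for this thread (catalog posts order and price to a co-branded
processor); it is not any processor's real API.  The field names, the
canonical string and the per-store secret are assumptions.
"""
import hashlib
import hmac

SIGNED_FIELDS = ("store_id", "order_id", "amount_cents", "currency")


def canonical(fields):
    """Fixed field order, so both sides MAC exactly the same bytes."""
    for key in SIGNED_FIELDS:
        if "&" in str(fields[key]) or "=" in str(fields[key]):
            raise ValueError("delimiter inside a signed value")
    return "&".join(f"{key}={fields[key]}" for key in SIGNED_FIELDS).encode()


def merchant_build_post(secret, store_id, order_id, amount_cents, currency="USD"):
    """Catalog side: compute the total from its own records, then sign it."""
    fields = {"store_id": store_id, "order_id": order_id,
              "amount_cents": amount_cents, "currency": currency}
    fields["sig"] = hmac.new(secret, canonical(fields), hashlib.sha256).hexdigest()
    return fields


def processor_verify(secret, posted):
    """Processor side: recompute the MAC over what was actually posted."""
    if "sig" not in posted or any(key not in posted for key in SIGNED_FIELDS):
        return False
    try:
        expected = hmac.new(secret, canonical(posted), hashlib.sha256).hexdigest()
    except ValueError:
        return False
    return hmac.compare_digest(expected, str(posted["sig"]))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # shared out of band per store (assumed)
    post = merchant_build_post(secret, "store42", "ord-1001", 75000)
    print("genuine post verifies:", processor_verify(secret, post))
    post["amount_cents"] = "12500"             # the browser rewrote the total
    print("tampered post verifies:", processor_verify(secret, post))
```

The signature covers the amount but not the line items, which is deliberate: the processor only needs to charge the signed total, and the catalog is the party that knows what the items cost. `compare_digest` rather than `==` keeps the comparison time independent of how many leading characters match. A processor should also treat `order_id` as single-use so a captured, correctly signed post cannot be replayed.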

storing cc's (4.00 / 1) (#51)
by Work on Mon Dec 02, 2002 at 10:39:29 PM EST

CC's are stored for one highly important reason: Fraud prevention.

Fraud is a HUGE problem with online orders. A few bad cases can bring a small company down.

As part of some fraud prevention code I did CC's were stored and cross referenced - sometimes someone would create multiple accounts and use the same credit card. With widely varying mailing addresses and what not. This is a sure sign of something fishy going on, and usually leads to a phone call to the card company to find out if the card had been reported stolen or had a bad history.

Another site (investment type) used CC's as a means of authenticating identity by comparing site records to CC company records. It worked surprisingly well. Fraud became quite rare, and the type of investment market it was involved in was one where fraud has a fairly high incidence.

[ Parent ]

This would be a textbook situation for... (4.66 / 3) (#57)
by spcmanspiff on Mon Dec 02, 2002 at 11:03:47 PM EST

checksums!

We would md5 credit cards, as well as store the last four digits plaintext, for fraud detection.

No need to store the actual numbers, though -- better to keep it safe from crackers and disgruntled employees.

The only downside here, I guess, is that you don't have a number in hand to call with when you do suspect fraud. Maybe a 2-tier system, where you can flag a checksum and then the next time it's matched, the actual number is stored?

----

Additionally, although e-commerce sites never (should) store card numbers, the third party credit card processors need to and do keep the numbers around. These companies were the ones that really had to worry about fraud, and they'd be able to produce evidence if necessary.

It sounds like your situation was somewhere between a small e-commerce site and a big credit card clearinghouse...
 

[ Parent ]

hmm (4.00 / 2) (#61)
by Work on Mon Dec 02, 2002 at 11:14:40 PM EST

I'm not following on how md5 will help prevent fraud... credit card numbers are already checksummed in their very design. For example, you cannot just go randomly type in a 16 digit number and expect it to be valid. Look up 'credit card verification algorithm'. There is a simple routine that can be used to determine if the number entered is even valid.

That is step one in credit card verification, and is usually done the instant the user presses the Submit button.

Secondly, even if by luck you happen to enter a mathematically valid number, chances are it's not issued to anyone. The CC companies deliberately issue numbers spread across the possible combinations of billions and billions. Thus 'real' cards make up only a tiny fraction of the available numbers. This even further reduces the chances of randomly getting a number right. This check will be done upon talking to the CC clearinghouse.

Encrypting the card numbers one way won't do you any good when you need to call the credit card company and ask for verification of information. And it's not true at all that third party processors are the ones who have to worry about fraud.

Suppose a person gets their card stolen and used to purchase a $3000 camera. Then they get their bill and dispute the charge and say they never bought that. The credit card company will take it off their bill - and then charge the camera shop $3000 for the trouble. It's not the credit card company that loses to fraud - it's the business that sold the item.

[ Parent ]

Well, um, sort of ... (4.80 / 5) (#64)
by spcmanspiff on Mon Dec 02, 2002 at 11:31:19 PM EST

Instead of storing the actual credit card number itself, we would store a checksum.

Then, if that same card was used again, it would generate the same checksum -- which means that we now know, without ever keeping the card number around, that it was the same card being used again.

This was used for fraud detection -- wacky addresses, strange orders, etc.

The procedure to follow if there was suspected fraud was to use the transaction ID from the CC processor (also stored) to flag the card and, if necessary, get the actual number from the processor, who keeps them around.

That way, the site never potentially compromises its customers' cards (where else do you think these warez-ish databases of 10,000+ card numbers come from?) but can track repeat uses of the same card, report suspected fraud, etc etc etc.

In terms of preventing fraudulent charges from happening in the first place, storing/not storing the number is a non-issue. Using real-time billing address verification and the verification number help a lot, but it will always be a problem.

 

[ Parent ]
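An added illustration of the scheme discussed across Work's posts (#51, #61) and spcmanspiff's (#57, #64): this is example code written for this page, not code from any of the posters. It does the three things the thread talks about: the mod-10 ("credit card verification algorithm") check, a one-way fingerprint of the card stored beside the last four digits, and the cross-reference that flags one card showing up on several accounts with different addresses. One caveat the thread does not mention is built in: a plain md5 of a 16-digit, mod-10-constrained number is a very small search space, so the fingerprint here is keyed (HMAC) with a secret that is assumed to live outside the order database. The key and the card numbers are constructed; the card numbers are well-known test numbers, not real cards.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed demo key. In a real deployment the key lives outside the order
# database (HSM or locked-down secrets host), so a dump of the table alone
# cannot be turned back into card numbers.
FINGERPRINT_KEY = b"demo-only-fingerprint-key"


def luhn_valid(pan: str) -> bool:
    """Mod-10 check digit test ('credit card verification algorithm' in the thread).
    Only proves the digits are self-consistent, not that the card was ever issued."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_fingerprint(pan: str) -> str:
    """Keyed fingerprint of the card number. A plain md5 of a 16-digit,
    Luhn-constrained number is a tiny search space; the HMAC key is what keeps
    the stored value from being reversed."""
    return hmac.new(FINGERPRINT_KEY, pan.encode(), hashlib.sha256).hexdigest()


def card_record(pan: str) -> dict:
    """What the order table keeps: fingerprint plus last four, never the PAN."""
    if not luhn_valid(pan):
        raise ValueError("card number fails mod-10 check")
    return {"fp": card_fingerprint(pan), "last4": pan[-4:]}


def suspicious_card_reuse(orders, min_accounts: int = 2) -> set:
    """Fingerprints of cards used by >= min_accounts distinct accounts with
    differing shipping addresses: the pattern Work describes in #51."""
    uses = defaultdict(list)
    for o in orders:
        uses[o["fp"]].append((o["account"], o["address"]))
    flagged = set()
    for fp, rows in uses.items():
        accounts = {a for a, _ in rows}
        addresses = {addr for _, addr in rows}
        if len(accounts) >= min_accounts and len(addresses) >= 2:
            flagged.add(fp)
    return flagged


def build_demo_orders() -> list:
    """Constructed sample orders using public test card numbers. The PAN is
    used only to derive the record and is not stored."""
    rows = [
        ("alice", "1 Main St", "4111111111111111"),   # same card ...
        ("bob", "9 Elm Rd", "4111111111111111"),      # ... different account and address
        ("carol", "5 Oak Ave", "4242424242424242"),   # repeat customer, normal
        ("carol", "5 Oak Ave", "4242424242424242"),
    ]
    return [{"account": a, "address": addr, **card_record(pan)} for a, addr, pan in rows]


def demo() -> set:
    return suspicious_card_reuse(build_demo_orders())


if __name__ == "__main__":
    for fp in demo():
        print("flag for review:", fp[:16] + "...")
```

When a flagged fingerprint does need a phone call to the card company, the site still has the last four digits and the processor's transaction id (as spcmanspiff describes in #64) to identify the card; the full number never needs to sit in the shop's own tables.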

My God man! (none / 0) (#124)
by Jetifi on Tue Dec 03, 2002 at 02:40:32 PM EST

What is this? I am an amateur webhead compared to most people, and I don't even store passwords in plaintext!

A hash like MD5 will fulfill exactly the role that your un-protected cc numbers will. The only reason you might want the number is if the CC company are stupid enough to require a number before you check the number of the history etc.

Another site (investment type) used CC's [...] It worked surprisingly well. Fraud became quite rare.

Now ask yourself this: how many people have at any point worked for this company, and know that they have a database of CC numbers? What's your risk of fraud when you take into account malfeasance by current or ex-employees?

You've lowered the chance of small-scale fraud against the company, and opened the way for large-scale fraud by the company or its officers, exposing them to massive liability.

In addition to this, all banks prohibit storage of credit card numbers upon completion of a transaction. ALL of them. No matter whether you're a bricks and mortar shop or an online one. Get caught breaking that rule and you're in trouble. Only if you're big enough to have your own transaction center (think Amazon) do you get any leeway. And Amazon are sure as hell smart enough to use hashes.



[ Parent ]
this won't work, think it through. (none / 0) (#162)
by Work on Tue Dec 03, 2002 at 07:01:26 PM EST

On passwords, think of it from a practical pragmatic point of view.

Suppose Joe Blow creates an account on your system. Joe forgets or loses his password, so what to do? If it's hashed, how can he get it back? He cannot. The only answer is to have it reset to something else - by an employee of the company. And just in case you want to say 'well, why not have a script that does this automatically?' - what if someone besides Joe Blow decides to reset his password?

The hashing type thing might work if you're a small website. But what if you have thousands of clients and accounts? People forget their passwords all the time. You will need customer service to reset them. This requires low-paid, and thus, easily bribed people.

Other solution? Plaintext (or 2-way encrypted, maybe) storage, and when they lose their password, have it e-mailed automatically to them. Most people who've used the net for a while are used to, and expect, this method. Not having to pick up the phone and call.

Your so-called ultrasecure method of one-way hashing is defunct if the person loses their password and then has to call the company to have it reset for them.

[ Parent ]

Addressed (5.00 / 1) (#194)
by Jetifi on Wed Dec 04, 2002 at 04:41:55 AM EST

If it's hashed, how can he get it back? He cannot.

That's the idea. The password should exist in one place only: the user's head.

There's no need for an employee of the company to be involved in something as simple as a forgotten password. Most sites have a simple password changing mechanism that is automated. It simply requires an email address for the user (which is almost always the case) and it generally goes something like this:

  1. User forgets password.
  2. User goes to login screen, enters username/whatever, clicks ''forgot my password''
  3. The user is emailed a link such as http://site/user?id=1234&confirm=ff5192b7692cd60d0d18091f435f97b8. On receiving the GET, the site checks the UID (or whatever unique identifier you use for users), checks to see if the confirm param is valid (ideally it should expire after 24 hours or so), and presents an ''enter a new password'' screen.
  4. The user enters a new password, the confirm param is invalidated, and everybody is happy.
What if someone besides joe blow decides to reset his password?

Step 2 in the above procedure is the only action a malicious attacker can carry out without access to the user's email account. The resulting emailing of the hyperlink does not delete the old password; it simply gives the user the ability to change his password.

If the attacker has access to the user's email account, then they have problems anyway. Safeguards such as secret questions (hotmail does this) can provide some measure of protection against this.

This is the standard method for accommodating users who've forgotten their password. If a user has forgotten a password, whether it's for Linux, Windows, Kuro5hin, Amazon or whatever, the standard procedure is to give the user a new password, because neither Linux, Windows, Kuro5hin nor Amazon store their passwords in plain text or encrypted forms. This can be automated very easily.



[ Parent ]
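The four-step reset procedure Jetifi lays out in #194, as an added, self-contained example (written for this page; not code from Jetifi or from any site). It assumes a `PasswordResetService` class, an in-memory user table and pending-token table standing in for a database, and an injectable clock so the 24-hour expiry can be exercised. Passwords are stored as salted PBKDF2 digests, and only a hash of the confirm token is kept, so neither a table dump nor a request for a reset link (step 2, the one thing an attacker can do) gets anyone into the account; the old password is untouched until a valid, unexpired token is presented, and each token works exactly once.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 24 * 60 * 60   # the "expire after 24 hours or so" from the post
KDF_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2 digest; nothing reversible is ever stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)
    return salt, digest


class PasswordResetService:
    """Constructed stand-in for a site's user table and reset-token table."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}     # uid -> (salt, digest)
        self.pending = {}   # uid -> (sha256(confirm token), expiry timestamp)

    def create_user(self, uid, password):
        self.users[uid] = hash_password(password)

    def check_password(self, uid, password):
        entry = self.users.get(uid)
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(digest, hash_password(password, salt)[1])

    def request_reset(self, uid):
        """Steps 2-3: anyone can trigger this, so it must change nothing except
        creating a pending token. Returns the link to e-mail, or None."""
        if uid not in self.users:
            return None
        token = secrets.token_hex(16)              # 128-bit random confirm param
        self.pending[uid] = (hashlib.sha256(token.encode()).hexdigest(),
                             self.clock() + TOKEN_TTL_SECONDS)
        return f"http://site/user?id={uid}&confirm={token}"

    def confirm(self, uid, token, new_password):
        """Steps 3-4: handle the GET from the e-mailed link. Only a valid,
        unexpired token changes the password, and it works exactly once."""
        entry = self.pending.get(uid)
        if entry is None:
            return False
        token_hash, expiry = entry
        if self.clock() > expiry:
            del self.pending[uid]                  # stale token: discard, old password stays
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(token_hash, presented):
            return False
        self.users[uid] = hash_password(new_password)
        del self.pending[uid]                      # invalidate so the link cannot be replayed
        return True


def token_from_link(link):
    """Pull the confirm param back out of a reset link (used by the demo)."""
    return parse_qs(urlparse(link).query)["confirm"][0]


if __name__ == "__main__":
    svc = PasswordResetService()
    svc.create_user("1234", "old-secret")
    link = svc.request_reset("1234")
    print("would e-mail:", link)
    print("reset ok:", svc.confirm("1234", token_from_link(link), "new-secret"))
```

The reset link carries the token in a query string, as in the post; a site doing this should also make sure the page that receives it does not leak the URL to third parties through the Referer header or server logs before the token is consumed.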
not so easy indeed... (5.00 / 2) (#79)
by radish on Tue Dec 03, 2002 at 03:24:46 AM EST

Oh, and by the way, what the hell were credit card numbers doing being stored, ever?

assuming that wasn't a rhetorical question...

1) when you order, we authorize the amount (verify that you have that much credit available and reserve it for future collection), but we don't actually collect it until we ship (I believe that this is actually an FTC requirement which is largely ignored, but anyway that's what we do). that means we have to keep the card number around at least until the last shipment goes out, because we need to send the card number to the clearinghouse at least twice: once when we authorize and again when we collect. sometimes those transactions are only an hour or two apart but sometimes it's days or even weeks...

2) since we don't charge for what we haven't shipped, and inevitably things are sometimes out of stock, we then have to do more than two transactions: authorization, shipment 1, shipment 2, occasionally shipment 3 or 4. I think it might be possible to get around item 1 above, but this is definitely not possible without the card number handy.

3) we have a 100% satisfaction guarantee, and as a rule, people do not send their card number with their returns. if we didn't keep the card numbers on hand we would have to ask them to send the card number again in order to get their refund, and guess what: 80% of them would send it via plaintext email despite being asked not to, and another 10% would give us a big raft of shit about why do we have to ask since we already have it. better that we keep the number locked down but accessible to the admins (hell, there's only three of us anyway).

4) it's not uncommon for people to order stuff, then call or email to ask for a change to their order, in which case we need to be able to re-authorize, etc.

of course the downside of all this is that keeping the DB secure is a never-ending pain in the ass...

[ Parent ]
Aaah. (none / 0) (#120)
by spcmanspiff on Tue Dec 03, 2002 at 02:17:40 PM EST

My experience with 'vanilla' e-commerce sites is that they mostly always use a third-party credit card processor.

The processor will:

  • Take a credit card, pre-auth charges, and return a transaction id to you.
  • Commit a transaction when you've shipped some goods
  • Abort a transaction and unlock the authorized funds
  • Return funds to a card based on the transaction id
  • In matters of last resort, you can call them up / use their interface and get the card# used for a transaction and do what you want with it.
I think that covers your list of items fairly well... If you're not using a processor, then you'd need to be providing all that functionality yourself, which of course means that card numbers get stored -- but the separation of catalog operations from credit card storage seems like a good one, security-wise.

 

[ Parent ]

A tale about how such holes may appear (3.66 / 3) (#31)
by QuickFox on Mon Dec 02, 2002 at 09:04:29 PM EST

I once wrote a simple webshop. To me it seemed obvious that there are two prices, one received from the browser and one in the database. Normally they're identical but in some rare cases they can differ. The solution seemed simple: Compare them, and if they are identical show the shop people a single price, but if they differ show both prices, maybe with some extra markings so people will notice and can decide.

My boss, also owner of the little company, had a different opinion. "Our customer who is buying this shop didn't pay for that. You don't code things the customer didn't pay for."

"But they know nothing about these things. It would never occur to them to ask for it."

"If they want extra features they'll have to pay for them. That's the only way to survive in this business. You sell features, you don't give them away."

"If this wasn't included in the sale it means the sale is wrong. It's our duty to know these things and solve them. Without this it'll be broken and crappy amateur work."

"It would cost time that we don't get paid for."

"It's just a single if(...) and a single extra string! In this huge mass of code it's two lines! It takes less time than we've spent talking about it."

"I don't care how quick it is, you must not waste any time at all on extra features that the customer won't see and won't ever know anything about."

I understand his company isn't doing very well. I wonder why.

Give a man a fish and he eats for one day. Teach him how to fish, and though he'll eat for a lifetime, he'll call you a miser for not giving him your fi

whenever i wrote a chunk.. (3.00 / 1) (#33)
by Work on Mon Dec 02, 2002 at 09:18:45 PM EST

i'd ask myself 'would I want to use this?' and then try and think of all the various ways I could hack it.

[ Parent ]
403 Forbidden (4.00 / 1) (#36)
by QuickFox on Mon Dec 02, 2002 at 09:32:25 PM EST

All such thinking was more or less forbidden.

Of course I ended up doing everything I could to keep my boss unaware of all details. That's the only solution when your boss is a micromanager. Especially when crap is mandated.

Give a man a fish and he eats for one day. Teach him how to fish, and though he'll eat for a lifetime, he'll call you a miser for not giving him your fi
[ Parent ]

Hmm.. (3.00 / 1) (#71)
by Kwil on Tue Dec 03, 2002 at 01:03:14 AM EST

While the company might not be doing very well, I'd bet your boss is making out handsomely on all these holes he's actively preventing his employees from blocking.

While I do partially agree with what your boss was saying, he missed out on the very important next step: "Let me tell the customer about this and see if they want to pay for us to fix it."

That way, you fix the holes, the company gets more money, and the customer has a more secure product.

That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze


[ Parent ]
Call for new security tool (4.00 / 3) (#42)
by sludge on Mon Dec 02, 2002 at 10:05:40 PM EST

I would be interested in seeing someone code up a browser proxy that rewrote all form related tags that passed through it into TEXTAREAs. How many web programmers out there actually rely on hidden tags returning what they should? How about drop down menus having one of the selected choices being returned?

I understand the need for sanity checks, but frankly, I'm curious to see what I could dig up with such a proxy.

Anyone want to give it a swing? Is there one already?
SLUDGE
Hiring in the Vancouver, British Columbia area

a lot. in fact, probably the majority (4.00 / 1) (#48)
by Work on Mon Dec 02, 2002 at 10:31:33 PM EST

it's only been within the past couple of years that sessions have been technically feasible for most systems. And then it depends on what language you're using for it. I only have experience with java servlets/jsp's, which have sessions built in natively and are ridiculously easy to use.

There are A LOT of old backend apps out there that have never been updated to take advantage of sessions, simply because it would mean a pretty large rewrite of the app. Some programmers are also ignorant of sessions, and cop out with the 'easy' way, which is to put data in the page and pull from it. Though with java I personally feel it's easier just to use sessions.. the lines of code required are roughly the same.

Judging from my own experience with backend web apps, I'd say the vast majority are inherently insecure piles of junk that didn't even consider basic input security upon initial design.

Thankfully, all web apps I do are built around a secure input platform that I've generalized enough to make simple security fixes like this a one or two line operation.

[ Parent ]

Just out of curiosity, (4.00 / 1) (#50)
by spcmanspiff on Mon Dec 02, 2002 at 10:39:20 PM EST

Do java servlets transparently share their sessions across a cluster of webservers?

That was one of the major stumbling blocks of most session technology, back in the day when I was working with it a lot...

 

[ Parent ]

it's been a while for me too. (3.00 / 1) (#53)
by Work on Mon Dec 02, 2002 at 10:43:28 PM EST

It's been several months since I was employed as a servlet programmer, but last February or so, most servlet containers supported that. At the very least, the Big Enterprise ones did.

I never wrote anything that was used on more than a single webserver though, so no experience there..

[ Parent ]

I learned the hard way (4.00 / 1) (#58)
by spcmanspiff on Mon Dec 02, 2002 at 11:09:52 PM EST

when the client decided that their site would be super-popular, so they needed to launch with jacked-up hardware.

We gave up on making the sessions transparent and instead used a pricey stateful session-aware load balancer that would keep a browser at the same (load-balance chosen) server for every request.

Kind of a hack, but it was an okay last-minute solution.

 

[ Parent ]

re. Just out of curiosity (4.00 / 1) (#70)
by schwar on Tue Dec 03, 2002 at 12:55:00 AM EST

Not having access to session state within the webserver is still not an excuse.

All you need to do is store the session information in a database against a unique identifier. This identifier can then be passed around in hidden form fields.

You still need to put in protection against people hijacking the session, but the scenario described in the article couldn't happen.

my 2c

[ Parent ]
re: Just out of curiosity (3.00 / 1) (#73)
by spcmanspiff on Tue Dec 03, 2002 at 01:41:55 AM EST

All you say is true; it's just that roll-your-own sessions are a moderate PITA and I was wondering if servlets took care of that particular problem as well.

 

[ Parent ]

Yes but... (none / 0) (#206)
by dreamquick on Wed Dec 04, 2002 at 10:44:08 AM EST

Once you get into the whole "create a session" area you find that you have to re-invent the wheel or else you quickly find that your sessions can be abused quite easily.

For example if the session ids are not random enough then you run the risk of someone being able to hijack sessions by guessing the next ID.

Potentially this might let an attacker get a variety of information which you have living inside the session...  names?  addresses? cc numbers?

If you operate on a credit account principle then all I need to do is to get hold of a suitable session.

Admittedly it is less useful unless you can subvert the delivery details or are talking about electronic downloads but it still poses a risk.

- Tony

/* #include <comedy_sig.h> */
[ Parent ]
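An added example (written for this page, not code from schwar, dreamquick, or any of the posters) pulling together the points of this subthread and of QuickFox's story further down: session state kept server-side against a unique identifier (#70), identifiers drawn from a CSPRNG rather than a guessable sequence (#206), and a checkout that computes the total from the server's own catalog while still comparing any price the browser sent and recording the mismatch for a human to look at (the "single if(...)" from #31). The `SessionStore` class, the `CATALOG` dict, and the `price_<SKU>` field names are assumptions made for the example; prices are integer cents.

```python
import secrets

# Constructed catalog: the server's copy is the only price that counts.
# Prices are integer cents to avoid float rounding.
CATALOG = {
    "CAM-3000": ("Digital camera", 300_000),
    "BAT-01": ("Spare battery", 4_995),
}


class SessionStore:
    """Server-side session table keyed by an unguessable id. The browser only
    ever carries the id (cookie or hidden field); the cart lives here."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not a counter
        self._sessions[sid] = {"cart": {}}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)    # unknown or forged id: nothing to hijack


def add_to_cart(store, sid, sku, qty):
    """The client submits only a SKU and a quantity; a price is never accepted."""
    sess = store.get(sid)
    if sess is None or sku not in CATALOG or not isinstance(qty, int) or qty <= 0:
        return False
    sess["cart"][sku] = sess["cart"].get(sku, 0) + qty
    return True


def to_cents(value):
    return int(round(float(value) * 100))


def checkout(store, sid, submitted):
    """`submitted` is the raw POST dict from the browser. The total comes from
    CATALOG; any price_<SKU> field the client sent is compared and recorded as a
    discrepancy for review, never used for billing."""
    sess = store.get(sid)
    if sess is None:
        return None
    total = 0
    discrepancies = []
    for sku, qty in sess["cart"].items():
        _, price = CATALOG[sku]
        total += price * qty
        client_price = submitted.get(f"price_{sku}")
        if client_price is not None and to_cents(client_price) != price:
            discrepancies.append((sku, price, to_cents(client_price)))
    return {"total_cents": total, "discrepancies": discrepancies}


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create()
    add_to_cart(store, sid, "CAM-3000", 1)
    # Constructed POST body in which the browser claims a price of $1.00
    print(checkout(store, sid, {"price_CAM-3000": "1.00"}))
```

The session id is the one value the browser does control, so it has to be both unguessable and bound to a transport that keeps it private; a hidden form field satisfies the first only if it is generated as above, and neither a hidden field nor a cookie protects it on an unencrypted connection.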
They exist. (none / 0) (#52)
by Jizzbug on Mon Dec 02, 2002 at 10:42:45 PM EST

I've heard of the existence of such a plugin for IE.  Supposedly it offers a little window or something that shows you all the input tags of type hidden and allows you to edit their values.  I don't know its name, and I've never used it myself.  But it's certainly an interesting idea.

I say unto you: one must still have chaos in oneself to be able to give birth to a dancing star. I say unto you: you still have chaos in yourselves.
 -- Friedrich Nietzsche, Thus Spoke Zarathustra: A Book for All and None

[ Parent ]
Mozilla has it (4.66 / 3) (#65)
by janra on Mon Dec 02, 2002 at 11:32:01 PM EST

right-click on the page and select page info. The second tab is "forms" and tells you all the forms present on the page, the element names, and their values, if any.


--
Discuss the art and craft of writing
That's the problem with world domination... Nobody is willing to wait for it anymore, work slowly towards it, drink more and enjoy the ride more.
[ Parent ]
There are a few already... (none / 0) (#199)
by dreamquick on Wed Dec 04, 2002 at 08:21:25 AM EST

These types of proxies have been around a while because, as you figured out, they are very useful for both debugging and attacking web-apps.

The one I started out using was Achilles but at the moment I'm using Paros because Achilles had a number of flaws and wasn't being updated.  There are likely to be others, but these are the main ones I know of and have used...

Paros (Java based)
http://draco.mine.nu/

Really the only thing it lacks are decent logging options so the data can be replayed at a later date.

- Tony

/* #include <comedy_sig.h> */
[ Parent ]
The lawyer must get a bonus for favorable opinions (4.69 / 13) (#43)
by spcmanspiff on Mon Dec 02, 2002 at 10:08:19 PM EST

Unlike a catalog order via phone or mail, your computer tinkering intentionally bypassed anyone able to act as an agent and accept or reject your bid.

It would be like calling up a particularly dim-witted warehouse worker and having him start your order through the fulfillment process for a number of expensive goods, saying "I'll pay the full $1.00!" -- except in this case, you're using a computer instead. You can hardly think of your malformed URL as an "offer" since you knew they would be passed along to fulfillment with no chance for a human to accept or reject it.

Another way to interpret this is like the grocery deli -- you ask the clerk for two pounds of turkey, and they hand it to you in a bag with the price written on it. (You browse a web catalog and it sends you a final confirmation page with items and prices in hidden form elements.) You have every opportunity to switch bags and write your own price on it (Write a new html page full of items and prices of your choice), but is the cashier (fulfillment center) responsible for noticing the discrepancy and rejecting your 'offer'? No; you're just being a thieving little turkey-hound.

Even if the 'catalog' nature of a web transaction is completely correct, how do you know that your use of identifying information published with a 'suggested bid' (like a SKU) doesn't convey an implicit acceptance of that suggested bid price? In that case, it seems that you're guilty of fraudulently taking advantage of flaws in the system to pay less than the agreed amount, doesn't it?

I could go on, but I hope you get the point by now. I am no lawyer, but I'm not a friggin' idiot, either. Apparently your lawyer is both. :)

 

Just a few things. (4.00 / 5) (#49)
by Jizzbug on Mon Dec 02, 2002 at 10:39:08 PM EST

Unlike a catalog order via phone or mail, your computer tinkering intentionally bypassed anyone able to act as an agent and accept or reject your bid.

I actually touched upon this issue in my article, though maybe not clearly enough. I knew the order would be seen by humans. I did not at any point think it would be processed automagically. I was interested in finding out if the humans that would be intervening (and they did) would verify and process the order (and they did). So to clarify, I didn't bypass any agents, they were perfectly able to accept or reject my bid.

You can hardly think of your malformed URL as an "offer" since you knew they would be passed along to fulfillment with no chance for a human to accept or reject it.

Again, I knew it would be passed on to a human before it was fulfilled. All the shopping cart software did was generate an email which was sent to a sales representative. I was entirely expecting my order to be rejected. Instead, I got an email from the sales rep saying that my "special order has been accepted".

I do have to award you with the prize for the best analogy thus far, though. I rather like your deli and turkey analogy. It comes the closest to doing me in as an evil bastard. *grin* While I wouldn't say it's entirely applicable to the situation, it's the best so far.

In that case, it seems that you're guilty of fraudulently taking advantage of flaws in the system to pay less than the agreed amount, doesn't it?

Kinda like what Enron did in California? *grin* But seriously, though, I do think you're stretchin' it a bit on the "implicit acceptance" part.

Okay, I'm done now.

I say unto you: one must still have chaos in oneself to be able to give birth to a dancing star. I say unto you: you still have chaos in yourselves.
 -- Friedrich Nietzsche, Thus Spoke Zarathustra: A Book for All and None

[ Parent ]

Oh, I don't know. (4.50 / 2) (#54)
by spcmanspiff on Mon Dec 02, 2002 at 10:53:26 PM EST

All the shopping cart software did was generate an email which was sent to a sales representative.

That is completely true, but the email to the representative from the software is hardly an offer from you.

  1. You send information to an automated system, telling it what you ordered, what you should pay for it, and your payment information.
  2. The automated system assumes this information is coming directly from the catalog and has not been tampered with, and so it debits your account and sends an email to the next step:
  3. An associate receives an email stating: "Joe Schmoe's order for a bunch of expensive stuff has gone through and his credit card has been successfully debited. Please ship the stuff via FedEx to: ___." The price you paid is present there, but it's unimportant since you've already paid it and the purpose of this email is fulfillment, not approval.
  4. You get your stuff.
While your order was indeed passed on to a human being before it was fulfilled, at that point it was no longer an "order" in the sense of "bid from a prospective buyer," but instead it had already passed through that stage. Some companies will even have a different name at this point, calling the order a "fulfillment ticket" or other more warehousy-type terms.

If you can point out where this differs substantially from stealing turkey, I'd like to see it.

 

[ Parent ]

Assumption of an automated system. (4.33 / 3) (#62)
by Jizzbug on Mon Dec 02, 2002 at 11:25:43 PM EST

You're assuming an automated system that didn't exist. My account was debited by a human; a human typed my account information and the price I offered into a standard credit card machine (like the ones you see in restaurants). Their shopping cart didn't interface with their accounting system, so the sales rep had to do that part by hand as well; at which point he should have noticed the discrepancy between the price in the {accounting,invoicing,inventory,billing} system and the price in the email he received from the shopping cart software.

I say unto you: one must still have chaos in oneself to be able to give birth to a dancing star. I say unto you: you still have chaos in yourselves.
 -- Friedrich Nietzsche, Thus Spoke Zarathustra: A Book for All and None

[ Parent ]
Regardless, (4.40 / 5) (#67)
by spcmanspiff on Mon Dec 02, 2002 at 11:49:10 PM EST

You sent no email to this company making an offer; instead, you sent a few special HTTP requests to a server that, in turn, sent an email along to someone who had no idea that this was anything other than a standard website order using standard website prices.

It's not the cashier's responsibility to verify the prices they get from their own internal price tracking system, be it a webmailed form or a brown paper deli bag.

If you wanted to make a different bid for the product than what they'd published, then it's your responsibility to make it clear to them that's what you're doing, and to do it outside of the channels established for regular sales. After all, you can't break out a bar-code printer in a retail store and expect the clerk to notice and be responsible for your price manipulations.

 

[ Parent ]

"Special Order" (5.00 / 1) (#92)
by Kintanon on Tue Dec 03, 2002 at 09:44:10 AM EST

The fact that they had the phrase "Special Offer" written in numerous places in regards to his order indicates that they KNEW it was not the regular price and that they KNEW it was not a standard catalog order. So I think he has a legitimate position that he successfully negotiated a lower price than they were asking for.
Remember, the US and Canada are pretty much the only places in the WORLD where haggling for merchandise at stores isn't commonplace. Well, and I guess some of the countries in Europe.

Kintanon

[ Parent ]

Special Offer (none / 0) (#114)
by KILNA on Tue Dec 03, 2002 at 01:34:52 PM EST

I can very easily write a shopping cart in such a way that any price that comes through as less than my retail price is labeled as a special offer in my automatic emails. The wording does not explicitly indicate the order was processed by a human with the clear authority to negotiate the price. Furthermore, the order was placed in such a way as to obscure the fact that the price was modified, leaving the person processing it with the only logical assumption... that the price was NOT a negotiation, but a standard price properly authorized by someone in their organization. Exactly like a price tag in a meatspace store. Changing the price indicator covertly is a misrepresentation with the intent to defraud.

[ Parent ]
Pricetags and bids (none / 0) (#127)
by hershmire on Tue Dec 03, 2002 at 02:46:38 PM EST

You're not realizing that this is not a "meatspace" store. There is no pricetag on the product. Sure, there is a price on the webpage, but that is only the merchant's offer. If you complete the web page with the form, you are accepting the merchant's suggested price.

The author did not use the form on the webpage. Instead, he sent his own POST information that contained his personal bid for an item, which is independent of the webpage form and the merchant's offer. A human sales representative reviewed the bid, approved it, and processed it, thereby accepting his bid for the product. Otherwise, they would have rejected the offer. Simple as that.

FIXME: Insert quote about procrastination
[ Parent ]
No indication of modified price (none / 0) (#128)
by KILNA on Tue Dec 03, 2002 at 02:56:15 PM EST

What makes the HTML like a meatspace price tag is the fact that it is the de facto agreement between the merchant and the purchaser. No negotiation occurred, because no human was ever exposed to the change from the de facto price. This is the same as changing price tags and cruising through the checkout at the supermarket. If you wanted a different price you should talk to the manager. The author modified the de facto price agreement in a way that explicitly avoided authority, with the intent to defraud the merchant. This is both illegal and immoral.

[ Parent ]
Huh? (none / 0) (#145)
by Jizzbug on Tue Dec 03, 2002 at 04:41:37 PM EST

I don't understand where you're coming up with this "de facto agreement between two parties" thing. Is the price listed in a mail order catalog a "de facto agreement between two parties"? No, it is not. It is a solicitation for bids, and the price listed is the suggested bid price, the price which you are guaranteed they will accept. You are free to write whatever price you wish on the order form when you send off for the item(s).

No negotiation occurred, because no human was ever exposed to the change from the de facto price. ... The author modified the de facto price agreement in a way that explicitly avoided authority

I've already rebutted you on this point elsewhere. You can safely stop assuming that no humans of authority were involved.

I say unto you: one must still have chaos in oneself to be able to give birth to a dancing star. I say unto you: you still have chaos in yourselves.
 -- Friedrich Nietzsche, Thus Spoke Zarathustra: A Book for All and None

[ Parent ]

"Bids" (none / 0) (#157)
by KILNA on Tue Dec 03, 2002 at 05:51:32 PM EST

You've already rationalized your crime, so this will do little good, but I try to do every little bit I can. The site you were using no doubt used a shopping cart / shopping basket / etc. metaphor. How many places do you shop at with a shopping cart which allow you to "bid" on a price? The metaphor is not the law, but the metaphor would set the legal precedent of how the shopping process will be considered. Shopping online in a "soft cart" is somewhere between paper catalog sales and a real-life shopping experience, in that online you are given temporary custody of information critical to their business practices, much like a price tag on a product is in meatspace. Modifying the pricing information is not a morally sound judgement, and is likely to be illegal.

[ Parent ]
paper catalog sales (none / 0) (#163)
by Jizzbug on Tue Dec 03, 2002 at 07:02:16 PM EST

Shopping online in a "soft cart" is somewhere between paper catalog sales and a real-life shopping experience, in that online you are given temporary custody of information critical to their business practices, much like a price tag on a product is in meatspace. Modifying the pricing information is not a morally sound judgement, and is likely to be illegal.

The same goes for mail order catalog sales, then. You're given custody of information (the catalog) temporarily (catalogs certainly aren't permanent, we throw them away) that is critical to their business practices. Is the pricing information in a mail order catalog much like a price tag on a product in meatspace, then? Then why is it completely customary to write in whatever price you wish when using mail order catalogs?

The e-commerce industry needs to realize that it's a catalog industry, just with a slightly different interface. It appears that if you talk about taxes, those in the e-commerce industry will insist that they're no different from mail order catalogs. Talk about bids and offers, and they'll insist they're just like a brick and mortar store, and that, unlike catalogs, their pricing information is equivalent to price tags.

The whole "shopping cart" analogy that e-commerce sites use is purely semantics and marketing-speak. If mail order catalog companies start calling their order forms "shopping carts" and their pages "aisles", does the pricing information of catalogs instantly become equivalent to meatspace price tags? What about the e-commerce sites that refer to their catalog as a catalog and their order form as an order form? Is their pricing information now unlike other e-commerce pricing information and subject to bids? Using marketing-speak to establish legal precedence doesn't sound very legal to me.

I say unto you: one must still have chaos in oneself to be able to give birth to a dancing star. I say unto you: you still have chaos in yourselves.
 -- Friedrich Nietzsche, Thus Spoke Zarathustra: A Book for All and None

[ Parent ]

This is uncharted territory (none / 0) (#167)
by KILNA on Tue Dec 03, 2002 at 07:27:11 PM EST

I believe that there isn't any existing case law regarding your exploits. I can tell you what my morals indicate, and I think most people would agree with me. I can tell you how I'd argue the case were I a lawyer prosecuting you. I can tell you how I'd analyze the case were I a judge or a juror on it. But, in the end, it is inconsequential. You are the one who has to live with your actions, and if you feel it's A-OK to trick businesses into making deals they normally wouldn't by hacking a web form, there's nothing I can do about it. You're the one who has to sleep with it.

[ Parent ]
Obviously (none / 0) (#166)
by salsaman on Tue Dec 03, 2002 at 07:16:36 PM EST

Since the site allowed the customer to alter the price for the order, then the bid price was not fixed.

If the bid price were fixed, then the client should not have been given the opportunity to amend it, before submitting the order. You are assuming that the owner of the site was not aware of this facility, but do you have any evidence to back this up ?

[ Parent ]

E-commerce site owners (5.00 / 1) (#170)
by KILNA on Tue Dec 03, 2002 at 07:44:25 PM EST

My experience has been that fewer than 10% of e-commerce site owners have any technical expertise with the web beyond the most basic HTML. Forms are a mystery to them, and if they do muddle through somehow, it's all copy-paste. The client was not given the opportunity to amend the order via its intended interface. Yes, going outside of the intended interface is wrong, if it is done with the intent of deceiving the merchant. Altering hidden fields or changing URLs (which requires viewing/editing source) is altering the mechanics of how the web site was designed to work. You could probably get whacked for a DMCA violation, not that I condone that method... my concern is the intent to defraud, not the intent to disassemble. If you had an .exe for placing orders that was not a web browser, and you modified the .exe or one of its data files to place a "discounted" order, you would be tricking the merchant into giving you a deal they normally wouldn't. Whether the design allowed easy modification of prices or not is just as irrelevant as whether the keys were in the car when you stole it. The ease of the crime does not justify committing it. The modification of the price, with no clear indication that it has been tampered with, is at minimum deceptive, and is likely to be considered fraud in a court.

[ Parent ]
Well (none / 0) (#178)
by salsaman on Tue Dec 03, 2002 at 08:12:37 PM EST

Nowhere in the article does the author mention that the site's terms and conditions specified using an 'approved browser' to place orders.

In that case, it is up to the customer what means they use to place an order with the site, whether that be an html browser, a WAP enabled phone, or a handwritten perl script.

And since the source is, by definition downloaded to the customer's computer, the website owner can only *assume* that the code will be executed in the way he/she intended it to be.

[ Parent ]

Just like... (none / 0) (#182)
by KILNA on Tue Dec 03, 2002 at 08:33:06 PM EST

...a storefront clerk can only *assume* that a price tag is the actual monetary value the boss wants her to sell it for. Clerks are rarely given the authority to negotiate prices, and sending through a web order with a tampered price is no different than purchasing a product in a store with a tampered price tag. You are intentionally sidestepping the negotiation process by exploiting the authority of the price indicator. Typing a different number in a price field of a URL is exactly analogous to punching up a new sticker on a price gun you found in the store.

[ Parent ]
No! you are obviously american. (none / 0) (#147)
by Kintanon on Tue Dec 03, 2002 at 04:54:10 PM EST

There is no "de facto agreement" to pay a specific price for the merchandise. The price listed is what the business is asking. You are well within your rights to ask for a lower price. It has been stated already that many humans reviewed the order before it was sent to him, he did not trick the computer into sending him merchandise. He submitted a bid and it was approved and the merchandise was sent to him. Haggling is a normal procedure in most countries, if the business had wanted to reject the price or make him a counter offer they had his information and are very able to do so. For all we know they bought the items wholesale for 20$ apiece and are still making a profit from the sale and don't mind being offered less in exchange for the business. They may assume they are buying a repeat customer likely to pay full price for more merchandise or something. But either way, the price was reviewed by humans at multiple steps, so it was obviously valid. For another thing, I assure you that some lineworker who sees an item normally priced at 750$ come across his screen for 125$ will mention it to his supervisor. If nothing else, everyone involved in that procedure will want to cover their own asses about it. So the person who verified the order and saw the price first almost certainly asked their supervisor, who gave the OK, and on down the line.

Kintanon

[ Parent ]

In what way did he indicate it was a bid? (nt) (none / 0) (#156)
by KILNA on Tue Dec 03, 2002 at 05:37:40 PM EST



[ Parent ]
By submitting it. (none / 0) (#202)
by Kintanon on Wed Dec 04, 2002 at 09:47:01 AM EST

Any submission of a request for the item at a price lower than that listed is by definition a bid. Simply by submitting the request he was following all of the rules and protocols that the website had established. If their rules are bad, they should change them. It would be like me walking into a jewelry store, picking up a 7000$ diamond watch, and telling the salesperson that I'm not willing to pay more than 1500$ for it. And them saying, "ok, deal." nothing wrong with that, right?

Kintanon

[ Parent ]

That's a cop out (none / 0) (#223)
by KILNA on Wed Dec 04, 2002 at 01:10:01 PM EST

The whole reason for calling this mess a "security issue" is the fact that he had no reasonable expectation that the order would have been filled through any sort of actual negotiation. He intentionally exploited the implicit authority of their web order system to get a deal he knew he would never get otherwise, ostensibly for the goal of "experimentation". If he were actually interested in being a good Samaritan, he wouldn't have the spoils of his curiosity right now. If he went and actually got a two-way handshake on the modification of the price from them, I'd be happy... but he didn't. He himself is calling this a security issue, which means he did what he considered to be a risk for those running the business... he intentionally exploited the authority of an automated business process to sidestep the proper negotiation and authorization of the sale. That is not acting in good faith. If there was a proper "OK, Deal", then why is this a security issue at all? Negotiation by modifying URLs is business as usual! Bullshit. If that were the case, it wouldn't be in 2600 or here. It's a disingenuous social engineering hack, and it isn't right because real people pay for the results of these actions.

[ Parent ]
Stop it with the ethnic slurs already. (none / 0) (#253)
by jubilation on Wed Dec 04, 2002 at 05:13:18 PM EST

No! you are obviously american
Please stop using the term "American" as an insult. That's an ethnic slur, and not very nice. Phbhbhbt!

[ Parent ]
uh (none / 0) (#113)
by ph0rk on Tue Dec 03, 2002 at 01:26:46 PM EST

>>  It's not the cashier's responsibility to verify the prices they get from their own internal price tracking system, be it a webmailed form or a brown paper deli bag.

It damn sure is if they let the client change the value. (Or submit their own).  

What is the difference between letting the client submit their own price, or having a horridly incorrect price on a web page?  (mind you, advertising an incorrect price puts the company under -no- obligation to fill orders at that price).
[ f o r k . s c h i z o i d . c o m ]
[ Parent ]

Not a lawyer? Indeed. (none / 0) (#103)
by Afty on Tue Dec 03, 2002 at 11:30:06 AM EST

It would be like calling up a particularly dim-witted warehouse worker and having him start your order through the fulfillment process for a number of expensive goods, saying "I'll pay the full $1.00!"

If the warehouse worker, as an agent of the supplying company, agrees to your offer, takes payment and ships the transaction to you then a legal transaction has taken place.

You can hardly think of your malformed URL as an "offer" since you knew they would be passed along to fulfillment with no chance for a human to accept or reject it.

What? There is no way he could *possibly* have known this. I've produced many e-commerce and e-business sites, and I have never come across a single one where a financial transaction took place resulting in physical goods being shipped without any kind of human oversight at least one, if not two or three, levels.

Another way to interpret this is like the grocery deli -- you ask the clerk for two pounds of turkey, and they hand it to you in a bag with the price written on it. (You browse a web catalog and it sends you a final confirmation page with items and prices in hidden form elements.) You have every opportunity to switch bags and write your own price on it (Write a new html page full of items and prices of your choice), but is the cashier (fulfillment center) responsible for noticing the discrepancy and rejecting your 'offer'? No;

This is not a good way to interpret it at all. A better way would be to say after getting the two pound bag of turkey, you walk to the cashier and say "I'd like to take this two pound bag of turkey for one pound, here are my card details.". Again, if the cashier accepts your offer, a legal sale has been made.



[ Parent ]
Not quite apt (none / 0) (#104)
by Control Group on Tue Dec 03, 2002 at 11:46:25 AM EST

Sorry, but I simply can't buy into your turkey analogy. It comes close, but simply isn't accurate. If the store was using a checkout system such that you rang up your own items by scanning them, but there was also a keypad present for you to enter whatever price you wanted, that would be closer. In this case, there's even a cashier at the end of the aisle who reviews your order, and gives you the OK to leave the store with the goods. Frankly, I can't see all that much wrong with doing that. It would be nice if you were friendly enough to point out what you were doing...but then, it would be nice if grocery stores didn't collect and track all your consumer information to give you "deals" on groceries with your store card.

But I've gone a bit off track, I think. The point is there was human interaction involved; someone processed the order. If a company implements grossly flawed software, and hires people who aren't competent to complete sales to process the orders, I have no sympathy for them. Having worked in a grocery store for a few years, I can say that neither of those is the case in a grocery store. The system is fairly well tested to make sure it rings up what it's supposed to, and if it doesn't, it is the cashier's responsibility (at $6USD/hr) to catch the discrepancies. They focus more on the former than the latter, of course, since you can't expect all that much of $6/hr, but the point remains.

I assure you, as a cashier, if someone walked up with two carts full of groceries which I let the customer ring up for me, and it came to a whopping $23 total, I would damn sure call a manager. I don't think that's too much to ask.

In a similar vein, say I walk into a Best Buy, and get a clerk to help me haul a 36" TV to the cashier. I then tell the cashier, "I'm going to pay you $50 for this, here's my Visa," I'm not going to feel guilty if he rings it up for $50 and I walk out of the store.

***
"Oh, nothing. It just looks like a simple Kung-Fu Swedish Rastafarian Helldemon."
[ Parent ]

I can't believe... (4.00 / 4) (#46)
by quartz on Mon Dec 02, 2002 at 10:25:48 PM EST

there are e-tailers out there who still use this broken shopping cart technology. It's never a good idea to trust the client with critical data, even moreso when the transaction involves relatively large sums of money. I mean, come on, this has been common knowledge in the developer community for so long it's considered common sense. There's no excuse IMO for both the developers who keep selling this kind of flawed technology and the retailers who don't do their research before choosing a solution for their e-commerce website.

On the other hand, what the author did is, again IMO, rather unethical. If there's a difference between taking advantage of the security vulnerabilities in e-commerce software to get stuff for a price that the seller would never willingly agree on (I think that can be safely assumed, considering the rather hefty "discount" the author gave himself) and taking advantage of someone's ignorance in order to rip him off, I don't see it. There never was an open dialog with the seller regarding the price of the item, the ability for the buyer to alter the price is really a bug, not a feature (if the seller intended it as a feature, wouldn't it be, um, featured more prominently on the website?), so no actual negotiation took place.


--
Fuck 'em if they can't take a joke, and fuck 'em even if they can.

Legal Troll? (2.00 / 3) (#63)
by omegadan on Mon Dec 02, 2002 at 11:27:33 PM EST

Is this some kind of law-enforcement troll? :)

Religion is a gateway psychosis. - Dave Foley

Hmm... (2.00 / 1) (#66)
by Jizzbug on Mon Dec 02, 2002 at 11:43:28 PM EST

You may very well be the smartest of the bunch! *grin*

I say unto you: one must still have chaos in oneself to be able to give birth to a dancing star. I say unto you: you still have chaos in yourselves.
 -- Friedrich Nietzsche, Thus Spoke Zarathustra: A Book for All and None

[ Parent ]
[nt] this wasn't obvious already? :) j/k (1.00 / 1) (#75)
by omegadan on Tue Dec 03, 2002 at 02:14:16 AM EST


Religion is a gateway psychosis. - Dave Foley
[ Parent ]

What on earth (none / 0) (#86)
by Craevenwulfe on Tue Dec 03, 2002 at 08:41:45 AM EST

is a law enforcement troll?

He was looking to provoke people into saying "Bad boy"? Jeez, what a total fucking waster.

[ Parent ]
well... (none / 0) (#180)
by omegadan on Tue Dec 03, 2002 at 08:19:11 PM EST

we already know the Secret Service reads k5. I am wondering if this guy is trying to provoke a visit from a law-enforcement agency. He's clearly stating he committed fraud.

Religion is a gateway psychosis. - Dave Foley
[ Parent ]

this is a great time... (3.50 / 4) (#69)
by Work on Tue Dec 03, 2002 at 12:05:53 AM EST

to get into the web-app business. During the dot-com days things were so rushed to get on to the web, even basic security checks were forsaken in the interest of getting a functioning web presence.

Go around to sites, point out their flaws and offer to fix them. Eventually this kind of fraud will become so prevalent and common they'll have to.

I appreciate the hacking value of this exercise; (4.75 / 12) (#74)
by amarodeeps on Tue Dec 03, 2002 at 02:09:49 AM EST

...however, I can't help think of a little saying that goes more or less like this: if you let the law determine your moral attitude toward an act, your morality is pretty worthless.

There is probably a more eloquent way to say it, but I can't come up with it right now.



Here's one... (5.00 / 3) (#227)
by janra on Wed Dec 04, 2002 at 02:40:12 PM EST

The Superior man is governed from within.
The Inferior man is governed by law.
The choice is yours.

There are a lot of different ways of saying it, but I think that one covers it nicely.


--
Discuss the art and craft of writing
That's the problem with world domination... Nobody is willing to wait for it anymore, work slowly towards it, drink more and enjoy the ride more.
[ Parent ]
yes, thanks. (none / 0) (#234)
by amarodeeps on Wed Dec 04, 2002 at 03:11:36 PM EST

I've heard other good forms too, methinks.



[ Parent ]
Thoughts (4.57 / 14) (#78)
by izogi on Tue Dec 03, 2002 at 02:46:01 AM EST

Pointing out security holes and finding this sort of shoddy software is a good thing. Being unethical and abusing shoddy software for personal gain is a bad thing. Please, if you really have to do this just to write a "good article" in the interests of security, do it ethically.

At the very least, tell the merchant about the problem, and either pay them the difference or return the product. Pulling this sort of stunt and boasting about it as if getting away with it is so great reflects badly on everyone. People who make laws don't trust or listen to people like you, and it encourages draconian and badly thought-out legislation based on knee-jerk reactions.

I don't really care for this sort of thing and whether it's legal or not, I also wouldn't care if Jizzbug is tracked down and criminally investigated for posting an article boasting that he intentionally tricked a business into undercharging him.


- izogi


I don't get it (5.00 / 2) (#174)
by Rogerborg on Tue Dec 03, 2002 at 07:51:22 PM EST

Why do you think there's a responsibility for the purchaser to tell the seller what price they're supposed to be selling it?

How is this different from you mailing a cheque for $100 to a seller that's offering goods at $400?  If they accept that as full payment and dispatch the goods, that's their choice.  You seem to be saying that it should be different for online transactions.  Why, exactly?

"Exterminate all rational thought." - W.S. Burroughs
[ Parent ]

Merchants have rights as well. (none / 0) (#191)
by Kwil on Wed Dec 04, 2002 at 01:22:27 AM EST

Why do you think there's a responsibility for the purchaser to tell the seller what price they're supposed to be selling it?

There isn't. On the other hand, what makes you think the customer has the right to change the merchant's stated price and not tell the merchant about it?  The merchant has a reasonable expectation that if you decide to negotiate, you'll have the courtesy to let the merchant know, and not try to quietly slip it past them. After all, a negotiation requires an agreement between two parties, not one.

You ask how this is different from mailing a cheque with the wrong amount -- it isn't any different at all, to be honest. Both are wrong if you're doing it in such a way that the merchant does not notice you've provided the wrong amount.

Let's turn this around, say a merchant has an item that he lists for a certain price. You click on the item and it puts it into your basket and you go on shopping. Unbeknownst to you, when you go to the checkout, it silently boosts the price on some of the items. You finish your shopping trip with eight or twelve things in your basket and go on to the checkout. Is the merchant not in the wrong if you fail to notice that the price on some items has been jacked up?

That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze


[ Parent ]
They have the right not be lazy... (none / 0) (#228)
by Pac on Wed Dec 04, 2002 at 02:40:55 PM EST

As it is, all power to the author. Such a situation was ridiculous 3 years ago, it has only got more ridiculous. Putting up a web sales front-end that accepts prices from the external clients without any check whatsoever is probably more than enough to show the merchant has dumb IT and Accounts Receivable departments. Accepting the said prices and sending the products for the proposed price is more than enough to prove the whole operation is screwed. And yes, I believe the merchant was informed many times the price was changed: they were informed once when the price was sent by the browser to the front-end application, they were informed twice when they sent an order confirmation and they were informed thrice when Accounting had to deal with it. Three strikes, they are out...

Evolution doesn't take prisoners


[ Parent ]
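The design flaw quartz's comment (#46) and Pac's comment (#228) both describe, a storefront that takes the price from the browser's form data, is easiest to see next to the fix. The following is an added illustration, not code from the article or from any of the commenters, and the catalog, SKUs and form fields in it are constructed. It shows an order handler in the article's style (price, name and quantity all arrive in the POST and are used as-is) beside a server-side handler that only accepts a catalog key and a quantity, prices the order from its own catalog, validates the quantity, and records any client-supplied price that disagrees with the catalog as a tamper indicator for the merchant's review queue, which is the "clear indication that it has been tampered with" the thread keeps returning to.

```python
"""Constructed example: a cart handler that trusts the browser's price,
and a server-side handler that prices the order itself."""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Constructed server-side catalog: the only authoritative source of prices.
# The SKUs and prices are made up for this example.
CATALOG = {
    "SKU-1001": {"name": "Widget", "price": Decimal("750.00")},
    "SKU-2002": {"name": "Gadget", "price": Decimal("19.95")},
}

MAX_QUANTITY = 100  # assumed business limit per line item


@dataclass
class OrderResult:
    accepted: bool
    total: Decimal
    flags: list = field(default_factory=list)  # review-queue indicators


def vulnerable_order(form: dict) -> OrderResult:
    """The cart design from the article: name, price and quantity all come
    from the client's GET/POST data and are used exactly as submitted."""
    price = Decimal(form["price"])
    qty = int(form["quantity"])
    return OrderResult(True, price * qty)


def hardened_order(form: dict) -> OrderResult:
    """Server-side version: the client may only name a catalog item and a
    quantity. The price is looked up on the server, the quantity is range
    checked, and a client-supplied price that disagrees with the catalog is
    recorded as a tamper indicator but never used."""
    flags = []
    item = CATALOG.get(form.get("sku"))
    if item is None:
        return OrderResult(False, Decimal("0"), ["unknown_sku"])

    try:
        qty = int(form.get("quantity", "1"))
    except ValueError:
        return OrderResult(False, Decimal("0"), ["bad_quantity"])
    if not 1 <= qty <= MAX_QUANTITY:
        return OrderResult(False, Decimal("0"), ["quantity_out_of_range"])

    if "price" in form:
        # A hardened form has no price field at all; if a client sends one
        # anyway, compare it to the catalog and log the mismatch for review.
        try:
            client_price = Decimal(form["price"])
        except InvalidOperation:
            client_price = None
        if client_price != item["price"]:
            flags.append(
                f"price_mismatch client={form['price']} catalog={item['price']}"
            )

    return OrderResult(True, item["price"] * qty, flags)


if __name__ == "__main__":
    # Constructed POST data: the browser claims a 125.00 price for a 750.00 item.
    tampered = {"sku": "SKU-1001", "name": "Widget", "price": "125.00", "quantity": "1"}
    print("vulnerable:", vulnerable_order(tampered))
    print("hardened:  ", hardened_order(tampered))
```

The hardened handler still lets the merchant see what the client sent, but the shipped total is computed only from server-side state; the flag is the audit trail a fulfillment clerk or fraud reviewer would act on, instead of having to spot a wrong number on their own.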
That doesn't change what was done (none / 0) (#231)
by Dephex Twin on Wed Dec 04, 2002 at 03:02:49 PM EST

That makes the merchant foolish, and perhaps even deserving to go out of business.  But does that make what the author did in any way moral or legal?

If a department store has ridiculously bad security, does that make stealing from them less wrong, or legal?  If someone absent-mindedly leaves their car unlocked with the keys in the ignition, does that mean anyone who drives off with it shouldn't be considered to be doing anything wrong?

Leaving these holes open makes the owners naive/lazy/foolish.  But the dirty thief that takes advantage of these fools is *still a dirty thief*.


Alcohol: the cause of, and solution to, all of life's problems. -- Homer Simpson
[ Parent ]

Moral. legal (none / 0) (#238)
by Pac on Wed Dec 04, 2002 at 03:33:45 PM EST

I will leave alone your references to non-business situations (stealing a car, shop-lifting). But pay attention to the thread. I am just reinforcing the sensible point made by the topmost poster: if I go to a store, take a U$ 1000.00 stereo system to the cashier, give him U$ 100.00, ask him to have it delivered to my house (leaving my address) and a week later I receive the system without further problems, what does this mean? This means the store checked the transaction and considered it legal. The same goes for the online merchant. Claiming the author "deceived" the merchant is ridiculous. In brick-and-mortar situations, a wrong charge (for or against the store) will almost always be corrected along the way. Why would it be different in an online store? To make moral accusations one has to believe that if the online store contacted the client afterwards about the wrong price he (the client) would refuse to pay the right price. Since it hasn't happened (the contact), these accusations are at least uninformed.

Evolution doesn't take prisoners


[ Parent ]
Ah, but no... (none / 0) (#242)
by KILNA on Wed Dec 04, 2002 at 04:01:06 PM EST

Instead of a stereo shop, consider an antique shop using only price tags as indicators. Leave out the bad business decision to use old-fashioned price tags, it is irrelevant since it is the morality of the purchaser that I'm questioning. If I change that price indicator before going to the register, without letting anyone know, I have hijacked the implicit directive by the store owner to the employee as to the cost of the item. Changing the cost in a URL is exactly the same overriding of authority as altering the price tag, and both tamper with the ability for the merchant's representative to make informed business decisions on the company's behalf. This is acting in bad faith, and should be punished.

[ Parent ]
Upon leaving brick-and-mortar... (none / 0) (#255)
by Pac on Wed Dec 04, 2002 at 05:22:27 PM EST

There should be a warning at the entrance of the Internet: "Abandon all certainties ye who enter here".

It is obvious that the situation you describe is a [crime/misdemeanor/something] that may lead to immediate arrest upon discovery. A stream of bytes may be harder to use as evidence. Networks fail, applications have bugs.

Let us look at the morality. I do not think morality plays any part whatsoever in the current business environment. Actually, it never did. Business rules and laws exist exactly because trust is not an option. A store will always keep an attentive eye at its customers. Government agencies should (and the many recent scandals show it clearly) always keep an attentive eye at business. All things considered, I wouldn't say the buyer is a moral person, but I won't throw stones at him also, because what he did is excessively funny.

Evolution doesn't take prisoners


[ Parent ]
Morality and business (none / 0) (#258)
by KILNA on Wed Dec 04, 2002 at 10:01:36 PM EST

I completely disagree with your sentiment that morality has no place in business, especially with regards to business to consumer sales. A business that never lies to its customers never has to worry about keeping its stories consistent. A business that treats its one-time customers with respect is likely to turn them into loyal return buyers. Morality for business is not a legal requirement, but a practical one since you are ultimately serving people. Nice guys may finish last in the context of short term goals (making money at any human cost), but nice guys finish first for long term success provided by repeat business and customer referrals. Yes, a business should always keep an eye on its customers... but it should look for fulfilling customer demands just as diligently as filtering out the undesirables like this guy.

I have a problem with people who do intentionally unethical things... but cutting me off on the freeway isn't going to get the kind of rants I've been spewing here. If someone posts an ostensibly serious K5 article on cutting people off for fun and profit, I'm likely to take them to task for trying to convince everyone it's not immoral. My beef is that the author of this article wants his disingenuous social engineering stunt seen as morally justifiable and legitimate research. Furthermore his legal grounding is specious, it's far from clear how the courts would treat him if caught.



[ Parent ]
My morals, your morals, his morals, Bush's morals (none / 0) (#261)
by Pac on Wed Dec 04, 2002 at 10:58:32 PM EST

"Moral" is clearly a very local concept unless you want to admit absolutes into the reasoning. But this causes more problems than it solves, so the whole subject would be better left alone. I understand that upon being presented with a real example of relativeness most people will go back to safer, cosier places.

Alas, I would really like to live in a simpler world where I could believe that "Nice guys may finish last in the context of short term goals (making money at any human cost), but nice guys finish first for long term success provided by repeat business and customer referrals". That is not what I see.

As for business mostly telling the truth, I suggest you turn on the television and watch only commercials for a couple of weeks. Then we can talk about this other concept called truth.

Anyway, his legal ground is probably very firm. He modified a byte stream in his own computer using his own software and transmitted it legally to a server willing to receive the said byte stream. The server and the whole organisation behind it acted upon the byte stream at their own peril. Comparisons with the "real" world here do not hold much water because he never touched anyone's else property.

Evolution doesn't take prisoners


[ Parent ]
All morality is relative (none / 0) (#270)
by KILNA on Fri Dec 06, 2002 at 03:46:37 AM EST

Just because morality is relative doesn't mean it's not a worthy personal and professional goal. I'm an atheist, and ever since I came to that conclusion my theist friends have been trying to tell me I'm immoral because of it. In the process of arguing some debates on the subject, I've discovered a bit about myself and my place in the world.

Painting a bleak picture of the state of morality, and using that as a grounding for being immoral doesn't quite cut it. References pointing to themselves may fool a computer, but my 10 pounds of grey matter won't get pulled into that loop. If you're looking for a reason to be depressed there will always be plenty of fodder in the human condition, but that's no excuse to make it worse by screwing someone.

It's not an "absolute" as you put it, but we are biologically and socially programmed to do right by our peers. We have an innate sense of the golden rule, some more than others, but we all have it. It's what makes us human on an individual scale, and a society on a larger one. Those who lose touch with the biological and social imperatives end up as... sociopaths.

As far as you not having personal experience with businesses which are both honest and successful, it is unfortunate that you're as jaded as you appear. I can tell you from my first hand experience that there are quite a few businesses out there that turn a profit and do good by their clients.

On the legal issues, we're not lawyers and there's no case law regarding this. In other words, we're blowing smoke. The two words my argument stands on are "bad faith", and I would hope that's enough to tip the blind lady's scales.



[ Parent ]
Okay, in a business situation then. (none / 0) (#246)
by Dephex Twin on Wed Dec 04, 2002 at 04:14:44 PM EST

if I go to a store, take a U$ 1000.00 stereo system to the cashier, give him U$ 100.00, ask him to have it delivered to my house (leaving my address) and a week later I receive the system without further problems, what does this mean? This means the store checked the transaction and considered it legal.
This means you have taken advantage of a company that is poorly organized/is overly trusting/has a bad computer system. From a moral standpoint, have you still used deception to pay 1/10th of the actual price for the product? Yes-- you are still a dirty thief. Is the company going to have a lot of trouble if that's how they normally do business? Very possibly. Doesn't change what you (hypothetically) did.

From a legal standpoint, are you in the clear? Maybe (through a loophole, if at all), but very possibly not. Just because you say this means a legal transaction took place, end of story, doesn't mean it would really work that way. Was this a contract in good faith? No. I'm sure that has some bearing on the legality.

So, whether we are talking about a business or not, you are still doing something morally wrong and legally gray (but probably only gray because we aren't lawyers).


Alcohol: the cause of, and solution to, all of life's problems. -- Homer Simpson
[ Parent ]
Theft (none / 0) (#252)
by Pac on Wed Dec 04, 2002 at 05:06:22 PM EST

Theft has precise definitions in almost every country's body of law. And the situation described is certainly not theft. So if we are going to appeal to precision here, you can't really call the author a "dirty thief".

As for the legal situation, there are some pretty clear indications that the brick-and mortar buyer has the high hand here. At the point we left the stereo buyer he had a product, less money and certainly some proof of purchase. There is nothing much to be done here.

As for morals, there are no morals out there. And I say it as someone who has been paid many times to prevent exactly the kind of situation described in the article. Both sides of this pathetic coin will cheat one another given half a chance. So I won't point my finger at a buyer knowing full well how the average seller acts.

And while the procedure described here probably cannot be prosecuted, the person executing it probably can, given a willing Attorney - almost no one can resist a close enough investigation of every aspect of his/her life. I think I can agree with only one point made elsewhere by someone, the author should eventually email the store about the whole thing.

Evolution doesn't take prisoners


[ Parent ]
Yeah, theft (none / 0) (#259)
by Dephex Twin on Wed Dec 04, 2002 at 10:04:15 PM EST

Theft has precise definitions in almost every country's body of law. And the situation described is certainly not theft. So if we are going to appeal to precision here, you can't really call the author a "dirty thief".
Well, first of all, "dirty thief" was supposed to be semi-humorous, but whatever.

Theft may have a precise legal definition, but it has much broader usage in real language. I'm not saying "legally, this person is a thief", I'm saying I consider them to be robbing the merchant of money. I consider them to be stealing. Just like when you kill someone, it's murder, even if the "legal" definition might be manslaughter, 2nd degree murder, etc. I'd hate to only think about life and morals in terms of legality.
As for morals, there are no morals out there.
People steal and commit fraud, etc. every day, yes, but of course there ARE morals out there. It's ignorant to say there aren't. The whole system would fall apart if there wasn't a general morality. People do things for people all the time. 99% of legal transactions in businesses don't involve anyone trying to screw anyone over. Besides, even if a business were just as likely to do it as a customer... how does that justify anything you might do? It just means that when the business does it, they are also being bastards. The whole "get them or they'll get you" mentality just helps perpetuate the whole thing.

To me, it seems like your cynicism is there to justify your own selfishness.


Alcohol: the cause of, and solution to, all of life's problems. -- Homer Simpson
[ Parent ]
My cynicism is pretty much stand-alone (none / 0) (#260)
by Pac on Wed Dec 04, 2002 at 10:18:43 PM EST

"To me, it seems like your cynicism is there to justify your own selfishness."

Hmm. Nah. I'm not very selfish. Actually I am one of the good guys. I would never do such a thing, not for fear of getting caught but for knowing how much harm such an act can cause to strangers. But I am not yet so old that I can't understand and laugh along, even if in the end I must take part in bringing such youngsters down.

This whole moral issue misses the whole point: there is a technological gap out there that must be filled. This must be one of the lowest-tech attacks on a website one can conceive, and we lose our time criticising a teenager's morals when a much more productive discussion is lying around untouched.

Evolution doesn't take prisoners


[ Parent ]
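The attack this thread keeps circling, and the server-side fixes for it, as an added example that is not part of the original article, of any comment above, or of any vendor's cart software. The catalog, prices, HMAC key and request bodies are constructed for the demonstration; the query-string layout is an assumption standing in for whatever the real cart sent.

```python
"""Added example: client-controlled cart prices, and two server-side fixes.
Nothing here is taken from the merchant discussed in the article."""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed catalog: the prices the merchant's server should actually bill,
# in cents. SKUs and amounts are made up for the example.
CATALOG = {"SKU-100": 1000_00, "SKU-200": 25_00}

# Assumption: a key that lives only on the server, never in the HTML.
SECRET = b"constructed-server-side-key"


def vulnerable_checkout(body: str) -> int:
    """The design the article describes: the browser posts name, price and
    quantity, and the server bills whatever arrives. A $1000 stereo sent
    back as price=10000 (cents) is billed at $100."""
    f = dict(parse_qsl(body))
    return int(f["price"]) * int(f["qty"])


def safe_checkout(body: str) -> int:
    """Fix 1: treat the client's price as untrusted input and rebuild the
    total from the server-side catalog, keyed only by SKU and quantity."""
    f = dict(parse_qsl(body))
    sku, qty = f["sku"], int(f["qty"])
    if sku not in CATALOG or not 1 <= qty <= 100:
        raise ValueError("rejected order")
    return CATALOG[sku] * qty


def issue_offer(sku: str, price_cents: int) -> str:
    """Fix 2, for the 'temporary price change' case the article gives as the
    reason prices were pushed to the client: the server may hand the browser
    a price, but only together with an HMAC-SHA256 tag over the fields it
    issued, so it can later prove it set that price itself."""
    fields = {"sku": sku, "price": str(price_cents)}
    msg = urlencode(sorted(fields.items())).encode()
    fields["tag"] = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return urlencode(fields)


def signed_checkout(body: str) -> int:
    """Accept a client-carried price only if the tag the server issued in
    issue_offer() still matches every signed field. Quantity is outside the
    signature because the shopper legitimately chooses it."""
    f = dict(parse_qsl(body))
    tag = f.pop("tag", "")
    qty = int(f.pop("qty"))
    msg = urlencode(sorted(f.items())).encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("tampered order")
    if not 1 <= qty <= 100:
        raise ValueError("rejected order")
    return int(f["price"]) * qty


if __name__ == "__main__":
    honest = "sku=SKU-100&price=100000&qty=1"
    tampered = "sku=SKU-100&price=10000&qty=1"   # the $100 stereo
    print(vulnerable_checkout(tampered))         # bills 10000 cents
    print(safe_checkout(tampered))               # bills 100000 cents
    offer = issue_offer("SKU-100", 90000) + "&qty=2"
    print(signed_checkout(offer))                # 180000: server-issued sale price
    try:
        signed_checkout(offer.replace("price=90000", "price=100"))
    except ValueError as e:
        print("rejected:", e)
```

The first fix is the one to prefer: if the server owns the price, there is nothing for the browser to tamper with. The signed variant is only for data the server genuinely has to round-trip through the client; in production the signed message should also carry an expiry and a session identifier, or a captured offer can be replayed indefinitely.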
Think about it this way (none / 0) (#268)
by Dephex Twin on Thu Dec 05, 2002 at 12:23:03 PM EST

This whole moral issue misses the whole point: there a technological gap out there that must be filled.
No, it's just that I am trying to make a different point than you.

As I have said... yes, it was naive for the merchant to leave a huge exploit in his software. However, his technology is very new in the grand scheme of things. It is likely that the merchant had no idea that such an exploit existed. It is very possible that he didn't even fully understand how such an exploit could exist. Most people will never be computer experts and it is unreasonable for us to say that he should have just known it wouldn't work. It would be much like expecting someone to check out and discover a flaw in the engine of their car when they get it from the dealership.

So the problem with this whole situation is, the author happens to be one of the people who is knowledgeable enough to notice. He wanted to test it out to see if it really was there. Okay, understandable. I don't think he had to test it by paying a fraction of the cost-- he could have altered it by a few dollars. Or, if he felt he needed to alter it significantly, then either after the "special" order was confirmed, or after it was received, he should have informed the company of the problem, and in any case voided the transaction or paid full price for the product. And, above all, he should have absolutely informed the company.

You say the larger issue of the security problem is being ignored. How the heck do you expect people to remedy the problem unless you help them out? Point it out to them, even offer to fix it (-- then you get something out of it). If you don't, then you are ignoring the problem, because complaining about security holes does nothing, and actually telling the companies does something. And if you use the hole to hurt the company for your gain, then you are part of the problem that leads to the need for the security in the first place! And there is no way to justify that.


Alcohol: the cause of, and solution to, all of life's problems. -- Homer Simpson
[ Parent ]
Yes, exactly. (none / 0) (#269)
by amarodeeps on Thu Dec 05, 2002 at 05:56:00 PM EST

That's the whole thing that's bothering me; Jizzbug wants us somehow to consider this some sort of security disclosure on his part, but he is not aware that the methodology he is using is damaging his credibility, and the credibility of such security research! It is unethical, it should be pointed out, and an effort should certainly be made to educate or if necessary push someone out of the security community who would have us believe this is a responsible way to go about doing things.

Granted, kuro5hin is not the security community, which is probably why people are taking this at all seriously.

I think it's kind of ridiculous in a way; the people I know who could _really_ hack circles around this person wouldn't do this sort of thing in a thousand years, and I bet if he posted this same story as some sort of 'whitepaper' on bugtraq he'd get thrown out in a second. I just don't understand why anybody else doesn't see this. I guess they haven't been paying attention or something.



[ Parent ]
Reverse the analogy (none / 0) (#265)
by izogi on Thu Dec 05, 2002 at 05:37:13 AM EST

I am just reinforcing the sensible point made by the topmost poster: if I go to a store, take a U$ 1000.00 stereo system to the cashier, give him U$ 100.00, ask him to have it delivered to my house (leaving my address) and a week later I receive the system without further problems, what does this mean? This means the store checked the transaction and considered it legal.

And if you used a $100 note to purchase a $10 item but the cashier gave you $40 change instead of $90 as well as a $60 receipt, then you stuff the notes into your pocket and leave, what does this mean? This means that the cashier has successfully charged you $60 instead of $10 and it's your own stupid fault for not noticing you'd been short-changed. Meanwhile the cashier's probably happy to have found another gullible customer.

Yeah, right. In a dream world. As long as you could show that the switch was made in bad faith, you'd have every right to go back into the shop and demand to be refunded the overcharged amount. Obviously where possible the system should be designed so that the cashier can't rip you off so easily. But just because the system has flaws doesn't make it okay to abuse them.

It's a two way transaction. The vendor gets the money, you get the item. With reference to your underpayment example, please tell me how this doesn't apply when you intentionally short-change the vendor in bad faith.


- izogi


[ Parent ]
Excuse me? (none / 0) (#232)
by Kwil on Wed Dec 04, 2002 at 03:07:13 PM EST

So you're of the opinion that if someone should chance to leave their garage door open, it's perfectly fine for you to walk on in? Should they let you into their kitchen and leave you unattended for a moment, there are no problems with you pocketing their silverware? After all, they had every chance to close their garage door, not leave you unattended, or check their cupboards before you left, but they didn't.

To reduce this further, should a person not train themselves in self-defence, not wear any sort of protective clothing, and not cross the street when they see you coming, it's entirely that person's fault if you beat them up?

Get serious. One party's mistake, or even string of mistakes, does not justify another party's actions, which is what you are suggesting.

That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze


[ Parent ]
You are on a wrong track (3.00 / 1) (#240)
by Pac on Wed Dec 04, 2002 at 03:41:07 PM EST

I thought we were talking about business situations. Leave the open garage door or beating-up situations out; they are completely different issues.

The store invited the author to buy, accepted the money offered and delivered the goods ordered. This, my friend, is a perfect transaction. As it is, the store system accepts prices from the clients. This means it is a bidding system. Whether that is intentional or not is not for the customer to guess.

Evolution doesn't take prisoners


[ Parent ]
Ye ol' garage-sale switcheroo! (4.60 / 5) (#80)
by dagg on Tue Dec 03, 2002 at 05:43:35 AM EST

You got a bunch of crap. You wanna sell it. You have a garage sale. Joy. So you stick price tags on all the crap, set a date, and start selling stuff. The cheap stuff is selling pretty well, but your beloved $10 vinyl records aren't selling. You debated whether to sell them (they are beloved), but you figured $10 a piece would be a good price.

You take a break from the sale to catch a bite to eat, and let your mother-in-law take over as cashier. When you get back from lunch, all the records are gone. Your mother-in-law happily reports that your beloved records were purchased for the full price-tag price of 20 cents a piece.

You notice your once-carefully-placed $10 price tags blowing in the wind next to the bright yellow sprinkler system in your front yard. You are pissed. Son of a bitch. Somebody ripped you off!

But hey... your mother-in-law accepted the "offer". It's legal. Right?


--
Find Yer Sex Gateway
Possibly (4.50 / 2) (#100)
by Afty on Tue Dec 03, 2002 at 11:21:23 AM EST

But hey... your mother-in-law accepted the "offer". It's legal. Right?

This very much depends. An employee is authorised to act on behalf of a company - to varying degrees. In the case the author cited, one of three scenarios has happened:
1] An employee has been negligent, and has accepted a transaction they were not authorised to do. In this case, the sale was legal and the company has no reproach with the buyer, only with the employee.
2] The employee has been negligent and has accepted a transfer they were authorised to accept, but would not normally be expected to authorise. In this situation the company has no legal reproach with the employee or the buyer (but in reality, the employee can expect stern words).
3] The employee has accepted the offer to sell, and has done so knowingly, either because the item is still being sold profitably, or for loss-leader or good faith reasons. There is no recourse with the buyer.

In all three situations above, the selling company can take NO action whatsoever with the buyer.

Your mother-in-law on the other hand sold those items at that price - while doing so she warranted that she was authorised to do so. You would probably be able to bring a case of theft against her, based around her not being authorised to sell them. Of course, a court may rule that there was an implied or verbal contract.

Finally, the people who changed the price tags (assuming in your analogy that it was the buyers who did so) may have acted illegally. Note that your buyers *changed the price tags on products for all to see*, whereas our author's online buyer has left the price alone - not even changed them to change them back. He has simply offered a price, privately, through a communications method offered and endorsed by the seller.



[ Parent ]
So in your world.. (4.50 / 2) (#106)
by Kwil on Tue Dec 03, 2002 at 12:27:27 PM EST

..price tag switching is perfectly legal, so long as you don't get caught til you're past the cashier?

Keen.

That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze


[ Parent ]
Another Comment Covered This (5.00 / 1) (#196)
by Afty on Wed Dec 04, 2002 at 05:42:15 AM EST

In the physical world, until you have completed a contract to buy the goods, the goods are still property of the store - therefore removing or changing the "price tag/sticker" is an act of vandalism (or in some jurisdictions is covered under special laws very similar to vandalism) because you deliberately damaged something which was not your property.

On the other hand, in the example the original author cited, he has changed no details regarding any products in the database, or on the web server, of the vendor - all he has done is sent a product identifier, price and his payment details directly to an employee at the vendor.

Case in point: If you ring up a mail order catalogue shop, and say "I just saw your special offer for the big 32 inch TV for 500 USD instead of the normal price of 650 USD and I'd like to buy it, here are my details..." and the person on the other end of the phone acknowledges your offer to purchase, charges your credit card and ships you the TV, their employer (the vending company) has no recourse against you whatsoever, despite the fact you lied - this is at least the case in the UK. I know - I've gone into stores before now, and claimed "there was a sale on last week / there was a sale on at another store in your chain / your competitor is selling this for 50 UKP less than you" and you *do* get lower prices doing this - it is also perfectly legal. Furthermore the vendor is given every opportunity to refuse your offer to sell at any point.

We could discuss the morality - I imagine that many people are thinking "that may be legal, but it's immoral" - just think for a second. By offering money for a product, and giving the vendor every opportunity to refuse, investigate your claims etc., what immoral act have you committed?

All you did was lie - and whether or not lying is *always* immoral is a massive debate. Do you tell your best friend's wife her husband loved her dearly and died quickly and painlessly, or do you tell her the truth, that he cheated on her repeatedly, and died painfully?

[ Parent ]

truth, lies, and tact (none / 0) (#230)
by janra on Wed Dec 04, 2002 at 02:51:58 PM EST

Yes, lying is immoral. And in your (poor, IMO) example, tact also comes into play - telling the truth would be hurtful to no purpose, but that doesn't mean your only other choice is to lie. Saying "it's not my place to say" or saying nothing is the more moral choice. When saying something important that is also hurtful, tact is extremely important, to try to minimize the hurt while still passing along the information.

Jizzbug lied and deliberately deceived the merchant, and my opinion of the character of those defending him has lowered immensely. They may not care what I think of them, but I still think it.


--
Discuss the art and craft of writing
That's the problem with world domination... Nobody is willing to wait for it anymore, work slowly towards it, drink more and enjoy the ride more.
[ Parent ]
Petty (none / 0) (#235)
by Dephex Twin on Wed Dec 04, 2002 at 03:18:43 PM EST

All you did was lie - and whether or not lying is *always* immoral is a massive debate.
Okay, agreed. So let's not argue if it is absolutely immoral or not. Why would we, when we have specific information? Let's actually look at the entire situation as you explained (otherwise, this is a strawman, right?).
I've gone into stores before now, and claimed "there was a sale on last week / there was a sale on at another store in your chain / your competitor is selling this for 50 UKP less than you" and you *do* get lower prices doing this
Okay, so you lied, with the intention of causing financial harm to the merchant for your own gain. Yup, I'd say that's immoral.
it is also perfectly legal
So is cutting in front of people in line, giving a stranger fake directions somewhere, telling random people they are ugly, and many other petty acts. But you have to live with yourself. You're the one that needs laws to tell you what is right and wrong without coming to your own conclusions.


Alcohol: the cause of, and solution to, all of life's problems. -- Homer Simpson
[ Parent ]
Actually, yes it is legal. (3.66 / 3) (#108)
by dvchaos on Tue Dec 03, 2002 at 12:46:03 PM EST

The grandma selling all those records at a knock-off price unbeknownst to the real owner sucks, as far as sense and making a bad choice goes, but did the person who purchased at such a low price know about that? And is it even that person's responsibility to know about or care about that minor detail? No. Of course not. It is the responsibility of the seller/owner to make sure they won't get ripped off, just as much as it is the responsibility of the purchaser to not get ripped off and get a good deal. I agree with the guy who wrote the story, there is no crime being committed here.

--
RAR.to - anonymous proxy server!
[ Parent ]
Actually.. (4.00 / 1) (#141)
by jmzero on Tue Dec 03, 2002 at 04:07:33 PM EST

Doing this exact thing would be illegal in a store - at least in most states/provinces.  It's covered under shoplifting laws.
.
"Let's not stir that bag of worms." - my lovely wife
[ Parent ]
sounds like theft to me too (4.00 / 4) (#84)
by khallow on Tue Dec 03, 2002 at 07:56:39 AM EST

If you did that to me and I had enough evidence, I'd bring criminal charges and attempt to recover the missing amount plus damages from you. Most likely, I wouldn't have enough evidence (after all my system is pretty shoddy) so I'd pout and just block you and your IP. I noticed in your interactions with this business that you never informed them that you were offering less than the asking price of the item. It indicates a lot of bad faith on your part. I think that rules out any legal grounds you might think you're standing on.

Stating the obvious since 1969.

Theft? Why? (4.50 / 4) (#96)
by greenrd on Tue Dec 03, 2002 at 11:10:00 AM EST

That's a bizarre argument. Does that mean if an Indian street merchant sells a clueless tourist a rug for twice its normal selling price, he has "stolen" money from the tourist? How would you ever show that in a court of law? And if you couldn't, how is this case any different?

Newsflash: It is not the customer's responsibility to remind sellers of their own sale prices. They should know, it's their products!


"Capitalism is the absurd belief that the worst of men, for the worst of reasons, will somehow work for the benefit of us all." -- John Maynard Keynes
[ Parent ]

Not bizarre at all (4.50 / 2) (#126)
by spcmanspiff on Tue Dec 03, 2002 at 02:46:33 PM EST

If I walk up to a salesclerk and tell them I'd like to purchase an item for $X, that's an offer. It's clear to both of us that we're negotiating.

If I sneak into the bathroom and break out a trenchcoat bar code printer and change the price, then walk up to the checkout and say nothing while I'm being rung up, even while the clerk says "Hm. That's weird," I've made no offer. If he lets the sale go through, he's not accepted an offer I've made -- he's decided to ignore a computer glitch, or that maybe there's a new sale he didn't know about, etc etc etc.

Shame on him for missing it, but his ignorance doesn't give my criminal deception a green light.

 

[ Parent ]

So why is this on the FP? (3.50 / 2) (#138)
by ODiV on Tue Dec 03, 2002 at 03:41:11 PM EST

Should I write an article next time I get a really good deal because the cashier screwed up?

--
[ odiv.net ]
[ Parent ]
The asking price (4.00 / 2) (#98)
by Afty on Tue Dec 03, 2002 at 11:20:17 AM EST

I noticed in your interactions with this business that you never informed them that you were offering less than the asking price of the item.

At the point when he transmitted his credit card details, address and desired product ID and price, he informed them of his intent to pay that price.

Once this was done, someone at the supplier's end looked at the order, OKed it, typed the credit card details in and sent it.

How, exactly, is this different from walking into a store, and saying to a salesman "here's my credit card, I'll pay 200 USD for that sound system" which is marked at 300 USD? If the salesman accepts, there are no legal grounds for criminal charges. A potential customer is not required by law to state, when making an offer, whether that offer is below, at, or above the publicly notified asking price.

In case you weren't aware, an "asking price" is just that - what the seller is asking for - they are free to sell at whatever price they agree with the potential buyer.



[ Parent ]
I find you reprehensible. (2.00 / 6) (#85)
by Craevenwulfe on Tue Dec 03, 2002 at 08:33:00 AM EST

You knowingly decided to rip off some guys in the hope that they didn't notice, and you feel smug about it.

Why do I have this xenophobic, stereotypical thought of greedy Americans in my head?

I don't know, why? (none / 0) (#91)
by porkchop_d_clown on Tue Dec 03, 2002 at 09:34:55 AM EST

Are hackers always American? Why isn't he Canadian?


--
Once one sock is sucked, the other sock will remain forever unsucked.


[ Parent ]

Yes (none / 0) (#93)
by Big Dogs Cock on Tue Dec 03, 2002 at 09:53:31 AM EST

And what's more, many of them look like Angelina Jolie.

People say that anal sex is unhealthy. Well it cured my hiccups.
[ Parent ]
Heh. (none / 0) (#121)
by porkchop_d_clown on Tue Dec 03, 2002 at 02:27:06 PM EST

I must need new glasses.


--
Once one sock is sucked, the other sock will remain forever unsucked.


[ Parent ]

btw i just decided to repo your car (2.66 / 3) (#89)
by turmeric on Tue Dec 03, 2002 at 09:27:00 AM EST

It's legal. Don't mess with me, I'll get Johnny Cochran.

btw you have chosen sides in class warfare (2.00 / 2) (#90)
by turmeric on Tue Dec 03, 2002 at 09:34:35 AM EST

There are the scum-sucking bottom feeders, and then there are the workers. The miners and steel workers and oil drillers and refinery workers, all of whom generated the metal and plastic in your lovely tablet; they poured their hearts out. And what have you done? ROBBED THEM.

Do not come crying home to papa when these folks decide to pound their big meaty fists into your puerile, waifish face.

[ Parent ]

So which side is he on? (4.00 / 1) (#97)
by X3nocide on Tue Dec 03, 2002 at 11:18:16 AM EST

He managed to acquire a fairly expensive item while in the process of evaluating competing vendor security. While I agree he should have returned the item, he's also creating software at the time. Is he a member of the working class or a robber baron?

pwnguin.net
[ Parent ]
Yes, I have chosen sides. (4.00 / 3) (#135)
by Jizzbug on Tue Dec 03, 2002 at 03:25:10 PM EST

I participate in Food Not Bombs pretty much every Sunday. I'm involved in the local IWW chapter. I've organized several local and regional direct actions, and have participated energetically in national ones. I've worked with many IMCs, and am workin' on setting up an IMC for my area with the help of a few others. I really believe I'm doin' my part to better this world, and nothin' (aside from death) is gonna stop me. Oh, and I advocate, use, and contribute to free software.

I'll tell ya, though, I've never been one to romanticize "workers". Humans aren't "workers", they're humans; consequently, I am not a "worker", I'm a human. And I doubt that most "workers" are "workers" by choice, but are forced into the position due to social and economic conditions.

I've never really understood why people would want to romanticize the concept of "workers"; other than the concept's historical significance in relation to revolutionary politics, I don't see how it does us much good in the circumstances of today. This isn't 1930s Spain, after all. Our circumstances are unique to us, just as Spain's circumstances were unique to it. We should model our analysis and language upon the present, not upon the past. The past certainly gives us insight and perspective, but I'd say that many of the tactics of the past have largely been a failure. I mean, after decades of marches, rallies, and direct actions, things are pretty much the same as they've always been.

In any case, I'm not really meaning to argue with you here... Just meaning to offer my ideas about some o' the topics you brought up. Maybe some day you and I won't be alienating ourselves behind a computer screen. Maybe some day we'll be out in the real world actually creating change. Hopefully we'll be workin' together, finally bringing the mythical General Strike into reality. Or maybe we'll just sit around and think about it and post our rants on K5.

I say unto you: one must still have chaos in oneself to be able to give birth to a dancing star. I say unto you: you still have chaos in yourselves.
 -- Friedrich Nietzsche, Thus Spoke Zarathustra: A Book for All and None

[ Parent ]

that's exactly what i meant (4.00 / 3) (#175)
by turmeric on Tue Dec 03, 2002 at 08:01:39 PM EST

Food Not Bombs, IWW, IMC: mostly middle-class white kids.

Your 'discovery' and 'research' into this 'bug' is rather silly. We all did this song in college when doing web crap. We didn't write stories about it for 2600 or abuse it, because we knew very damn well it was merely one of ten thousand bugs in the systems of the day, and I personally feel shit like Therac-25 or Ariane is a bollocks sight more interesting than teaching a bunch of 12 year olds how to steal from websites.

If you want 'change', why don't you stop acting like a goddamn Enron executive, blaming everything on 'the system', claiming you weren't doing anything wrong, and hiring a bunch of lawyers to back your sorry ass up.

[ Parent ]

whatever (1.00 / 1) (#187)
by Jizzbug on Wed Dec 04, 2002 at 12:40:38 AM EST

mostly middle-class white kids

And I suppose you're a black guy living in the slums. I'm sorry, but I don't see how "mostly middle-class white kids" even means anything. Middle-class white kids can't help being middle-class white kids. If they could have chosen, I'm sure they would have picked to be born in China.

Do you even know any "workers"? My uncle is a union leader in Chicago (one of the few educated ones that knows about Haymarket, etc.), and I'm pretty sure if most "workers" ever met your smart ass, they'd pound your face in (after they'd pounded mine in, of course, for stealing their plastic and metal).

your 'discovery' and 'research' into this 'bug' is rather silly.

I don't think I ever claimed to have discovered anything unique, and I've known about these types of techniques since 1998 or so. I don't think I misrepresented myself in my article as though I was some brilliant researcher bringing new light to the world. I have to say that I was surprised to 'discover' that many shopping carts were still susceptible to this and similar techniques.

I was just interested in documenting and analyzing the particulars of, and some of my ideas about, the transaction. People are free to not like the results, and, in your case, people are free to be assholes. I used to think you were a pretty cool individual. I even voted for front page on a few o' your articles. I'm sorry to say that you've managed to prove me wrong.

If it means anything, I apologize for having been born under favorable circumstances. I would have much preferred to be born the retarded son of a crackwhore, but we don't always get the things we want. I also apologize that I was able to skip college; maybe if I'd been unfortunate enough to torture myself with it, I could have turned out exactly like you.

I say unto you: one must still have chaos in oneself to be able to give birth to a dancing star. I say unto you: you still have chaos in yourselves.
 -- Friedrich Nietzsche, Thus Spoke Zarathustra: A Book for All and None

[ Parent ]

yeah, that'd be a friggin' tragedy (3.00 / 1) (#192)
by turmeric on Wed Dec 04, 2002 at 01:40:08 AM EST

Imagine a world in which you did not feel you were entitled to gain your self-worth by living off the backs of the underclass, all the while pretending you were 'fighting the system'.

Welcome to the table, piggy! More equal than equal we are, the hackers! The dreamers of dreams! The sketchers of pictures! The intelligent and elite!

[ Parent ]

"Making the world a better place" (4.50 / 2) (#197)
by Craevenwulfe on Wed Dec 04, 2002 at 07:36:30 AM EST

by theft, deceit and downright immorality.

Back the fuck away from my world, right NOW!

The Samaritan's parable obviously missed the bit where jizzbug came up and kicked the crap out of the guy "just to see if he could do it, you know, to test if the law was perfect and all".

[ Parent ]
Do you really believe theres human evaluation? (2.66 / 3) (#99)
by X3nocide on Tue Dec 03, 2002 at 11:21:19 AM EST

What leads you to believe that any human interaction was involved in verifying and accepting your order rather than an automated script? I don't see any valid reason in the article to believe this, and it's a highly important aspect to the legality of the whole scheme.

pwnguin.net
Because there has to be (4.00 / 2) (#112)
by hardburn on Tue Dec 03, 2002 at 01:12:24 PM EST

Credit cards can be automatically processed, but at some point a human has to look over the order, put it in a box, and ship it. There isn't as much automation in web stores as they appear to have.

Another gaping security hole I've found in a few web stores is in their use of encryption. Any web store that isn't using SSL for credit card numbers is discarded by any halfway clueful person, but the problem often comes in the validation portion. Many stores will e-mail a person who processes the actual order, including the credit card information, but this e-mail is sent in cleartext. This is less of a problem when the web server, e-mail server, and the real person are all in the same building (it's still bad, just less so), but it gets really bad when you have colocated servers.


----
while($story = K5::Story->new()) { $story->vote(-1) if($story->section() == $POLITICS); }


[ Parent ]
Has to be where? (5.00 / 3) (#132)
by Kwil on Tue Dec 03, 2002 at 03:17:04 PM EST

All you've shown is that some flunky down in the warehouse gets an inventory list and puts things in a box. No indication of prices whatsoever.

Beyond this, there doesn't even have to be this level of human interaction with the order. A properly roboticized and organized factory/shipping complex could theoretically do all of this processing automatically. Human involvement need never come into the order fulfillment side of things.

Now, I'm willing to grant that such a complex may not exist quite yet, but that's certainly no guarantee that it won't ever.

That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze


[ Parent ]
You didn't read the article closely enough (none / 0) (#211)
by Majromax on Wed Dec 04, 2002 at 11:54:46 AM EST

I don't see any valid reason in the article to believe this
Quoteth the article:

My order was handled personally by several humans at the Canadian supplier. They actually had to type my credit card number into a machine by hand, and someone wrote "web order" on the signature line of the credit card machine's receipt. There were also some handwritten corrections on the invoice I'd received.

If the received invoice had handwritten corrections, then someone must have actually seen it -- it went through a review process. It is then the company's fault that they accepted the incorrect offer.

Ethically, this kind of thing is still wrong, but I have to file it away with the other exploits (technological or not) that I give people credit for, just for the sheer balls to try it

[ Parent ]

If you don't like their offer, ask for better... (4.00 / 6) (#105)
by Ricdude on Tue Dec 03, 2002 at 12:00:09 PM EST

Even if they don't officially offer it, ask for a price match.  I did this just yesterday.  I saw an ad for a camera and basic lens at a local photo supply store.  I knew it was available more cheaply via an internet retailer, and asked if they could match the price.  They asked details about the package and where it was available, etc., then counter-offered a price slightly higher than the internet retailer (once you take shipping and handling into account).  The difference of $20 or so on a $500 total order wasn't that big a deal to me compared to the convenience of being able to take the item home that day, and knowing exactly what the return policy and procedures were.

When purchasing more expensive items, it is usually in your best interests to do some research on features and price comparisons.  My favourite tools are http://shopper.cnet.com, and http://www.pricegrabber.com for live internet comparison shopping.

Good luck in your purchases.


This is cool. (4.00 / 3) (#107)
by Kwil on Tue Dec 03, 2002 at 12:36:05 PM EST

However, your key point of course is that you ask.

Our "researcher" friend here didn't.

That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze


[ Parent ]
The only crime (3.83 / 6) (#111)
by dvchaos on Tue Dec 03, 2002 at 12:59:52 PM EST

Committed here is the ignorance of the merchant. The author of this story did nothing wrong, aside from using a technical advantage to solicit a better offer. It is not his responsibility to make sure a shopping cart he doesn't even own and has absolutely no affiliations to is in any way secure. Security of a shopping cart is only the responsibility of the merchant. As for the 'moral' and 'ethics' issue of this non-crime, the only issue that should be at debate here is if the author made a sensible decision or not, and the only person that can answer that is the author of this article.

--
RAR.to - anonymous proxy server!
confusing the issue (3.25 / 4) (#116)
by amarodeeps on Tue Dec 03, 2002 at 02:05:43 PM EST

First of all, apparently nobody committed a crime here, as Jizzbug so tenaciously attempts to prove.

As to whether s/he did something wrong, I believe s/he did, as far as my system of ethics goes. You may disagree, of course. But I find it morally reprehensible to take advantage of a merchant's ignorance and thereby hook yourself up with a USD$375.00 discount. Even more disturbing than this I believe is the fact that Jizzbug was exploring the possibilities of the system (hacking) and then used his/her discoveries for his/her own benefit. This is blackhat behavior and I don't care for it, that's all. It's the reason "hacker" is a bad word.

Implying that Jizzbug was merely some sort of consumer robot stuffing random consumer information into the shopping cart app, and that the merchant on the other end is fully ethically culpable for the entire transaction is disingenuous and belies the purpose of the effort Jizzbug went through to suggest his/her innocence at the end of the article. I think Jizzbug knows s/he did something wrong, but wants to convince us (and him/herself) that s/he didn't.

Finally, as far as deciding if the author made a sensible decision, yes I suppose Jizzbug is the only person who can make this decision; but posting this article on Kuro5hin certainly gives me and anyone else who wishes to comment on it free rein to do so.



[ Parent ]
"hacker" (4.00 / 2) (#142)
by Jizzbug on Tue Dec 03, 2002 at 04:20:30 PM EST

It's the reason "hacker" is a bad word.

I merely want to clarify that I never once used the words "hacker" or "hack" in my article. I discussed what I did in the article as a security issue, because it potentially is (albeit an old one). Whether or not my submitted order deceived the merchant is up in the air. Everything I know about the circumstances leads me to postulate that I probably didn't deceive them, and that they were aware of everything. That doesn't make the security potentials I discuss in the article any less potential, though.

I say unto you: one must still have chaos in oneself to be able to give birth to a dancing star. I say unto you: you still have chaos in yourselves.
 -- Friedrich Nietzsche, Thus Spoke Zarathustra: A Book for All and None

[ Parent ]

That's fine. (4.00 / 1) (#160)
by amarodeeps on Tue Dec 03, 2002 at 06:36:22 PM EST

I merely want to clarify that I never once used the words "hacker" or "hack" in my article.

That's beside the point. My point was that the sort of action you took was the sort of action associated with black hat hackers, and was the sort of action that helped alter the popular meaning of hacker (from somebody who investigates systems for sheer interest in their potentiality, to someone who investigates systems to see their potentiality and then use that for personal gain). Furthermore, it seems you would have us associate your actions with someone doing something fully legitimate (from a hacking perspective--whether you use the word or not) rather than self-serving (i.e. more like cracking, which is what you were really doing).

Whether or not my submitted order deceived the merchant is up in the air. Everything I know about the circumstances leads me to postulate that I probably didn't deceive them, and that they were aware of everything.

Keep believing you didn't do anything wrong, that's your prerogative. I will continue to believe that what you did was entirely unethical, and that you are trying desperately to convince us otherwise while actually knowing yourself that it was. The fact is, if you let someone else define your code of ethics, you've got no code of ethics at all. You asked a lawyer if what you did was right, you rationalized it out by saying that "well, someone must have seen my order" as if that excuses it, and then you posted this article on Kuro5hin looking for some kind of validation. You got some sort of response, at least.

That doesn't make the security potentials I discuss in the article any less potential, though.

I wasn't questioning the security potentials you discussed in your article. You yourself proved the validity of the potentials you discovered by breaking the system for personal gain, just the sort of action that these merchants should be worried about.

Let me tell you what most security professionals do when they discover a security issue in a piece of software: most first contact the vendor and maybe allow them time to issue a fix/patch or at least the opportunity to take some action. Secondarily (depending...) many people will post on bugtraq, announcing the problem. Some people will post a working proof-of-concept exploit along with the notice, and some people have a problem with this, but there is still a strong argument toward this being an ethical thing to do. At no point does a security professional actually use his/her exploit against any person or business and expect to be taken seriously; this is what blackhat hackers do, what criminals do, and this is just what you did.

I think you are probably just confused about what you did, and not a criminal or a blackhat hacker (most of those sort know full well the ethical implications of what they are doing, but have chosen that path as acceptable) but you are also obviously not a security professional, and I would call your ethical standards highly questionable. Were I in a position to hire you, I would look at this act with great distaste. Say you worked for my company, and you found that you could increase your paycheck by, say, merely changing a field on a form you had to submit to human resources/payroll, a form which you knew they would look over but which most often times they rubber stamped? This would certainly upset me as an employer, and I could easily see you doing such a thing based on your shopping cart trick; it's essentially the exact same thing.

The fact is, what you did was unethical, many, many people would see it this way, and you know damn well that if that merchant really knew you were getting a $375.00 discount on his/her goods through your 'system,' s/he'd be fucking pissed. I think you should re-examine your conclusion that no one was deceived by this act; seems like you deceived the merchant and yourself.



[ Parent ]
Humm... (4.00 / 1) (#133)
by gjetost on Tue Dec 03, 2002 at 03:21:03 PM EST

OK, so if I put the price down as 1 cent, is it then a crime? I really doubt there was any human checking on the merchant's part. Who in their right mind would sell you something for 1/5 the price? (Unless, of course, it was just some credit card number puncher guy who wouldn't know a thing about how much these things cost... But still, I'd think it's a slim chance...)

[ Parent ]
Human Intervention (3.50 / 2) (#150)
by zaxus on Tue Dec 03, 2002 at 05:10:27 PM EST

Quoth the article:
"I received the graphics tablet in mid-April via U.S. Postal Service. My order was handled personally by several humans at the Canadian supplier. They actually had to type my credit card number into a machine by hand, and someone wrote "web order" on the signature line of the credit card machine's receipt. There were also some handwritten corrections on the invoice I'd received."

One would guess that to make handwritten notes on the invoice, one would have had to look at it.


---
"If you loved me, you'd all kill yourselves today." - Spider Jerusalem, Transmetropolitan


[ Parent ]
Shipping Boys (none / 0) (#249)
by jubilation on Wed Dec 04, 2002 at 04:59:30 PM EST

Quoth the article: "I received the graphics tablet in mid-April via U.S. Postal Service. My order was handled personally by several humans at the Canadian supplier. They actually had to type my credit card number into a machine by hand, and someone wrote "web order" on the signature line of the credit card machine's receipt. There were also some handwritten corrections on the invoice I'd received."

One would guess that to make handwritten notes on the invoice, one would have had to look at it.
You seem to assume that the shipping boys down in the mailroom have any idea of what the catalog says the prices are. This so-called "human intervention" probably takes place long after the machine "approves" the transaction.

I'd be wary of saying that this was a proper bid properly reviewed. More like you hand a clerk 90 one-dollar bills instead of 91, and he doesn't catch the mistake.

[ Parent ]
You could probably get a job... (3.75 / 4) (#117)
by failrate on Tue Dec 03, 2002 at 02:06:49 PM EST

You could probably get a job from this company by returning the hardware and giving them a detailed report of the security flaw. That's worked for people in the past. Or, under US law, you could get life in prison for "malicious hacking".

Of course, looking for security flaws like this is a really "good" idea. In game development, it's called play-testing. We gamedevs give raw apps to our test groups with the goal of intentionally eviscerating the whole system, thus exposing vulnerabilities, exploits, etc. I have the feeling that the e-commerce industry generated code and superstructure far too quickly to implement this necessary step in development.

While I would certainly never hack a site like this, it would only be out of fear of prosecution. If I went into a store and told them I was going to pay a discounted price, and the cashier accepted that amount, and the register (WHICH IS A COMPUTER LINKED TO A PRICE DATABASE!!!) accepted the price, then I would accept the product with no guilt whatsoever. It happens that I've received unintentional discounts that were later discovered. And I got to keep the discount because it was the store's error.

Any company which blindly allows a computer system to verify orders, without constantly being on the lookout for security holes, should expect to be robbed. Physical stores expect to be robbed. It's called "shrinkage" and their budgets reflect a certain quantity set aside for this. They also upgrade their security whenever they have a chance. I'm sure that store owner trade magazines even have articles and advertisements for security. So, why wouldn't the manager of an e-commerce site religiously read slashdot, kuro5hin, and 2600. It just doesn't make any sense that someone could be that irresponsible as to expose their belly for the entire world to gouge.

pant... pant... pant... Oooh. Sorry. I got a little carried away, again.


Voodoo Girl is da bomb!
Duh... I Was Testing Ford Security (3.00 / 1) (#203)
by SEWilco on Wed Dec 04, 2002 at 10:03:56 AM EST

If he was only testing he could have done it with a $10 item instead of one involving hundreds of dollars, and he would have tried to get feedback from the webmaster rather than see if he got a complaint or court date.

[ Parent ]
Is it any wonder (3.20 / 5) (#123)
by buck on Tue Dec 03, 2002 at 02:34:16 PM EST

hackers get a bad rap?

-----
“You, on the other hand, just spew forth your mental phlegmwads all over the place and don't have the goddamned courtesy to throw us a tissue afterwards.” -- kitten
Incredible. (3.09 / 11) (#129)
by Ron Harwood on Tue Dec 03, 2002 at 03:07:31 PM EST

It's often said that if you are not part of the solution, you are part of the problem.

You have proven that quite nicely.

You could have reported said flaws to the retailer, or even the authors of the software.

Instead, you decided to exploit them, rationalise your reasons for doing so, and then gloat about it in two public forums.

Even if you have not officially broken the law in the US - you probably have in Canada.  I suspect that you specifically targeted a Canadian business so that if there was any question of legality, that it would be more difficult to prosecute.

You have also cost a retailer a considerable amount of money for the product you 'purchased'.

After all of that - you are proud of yourself.  You are scum, and beneath contempt.  I only hope if the law doesn't catch up with you, fate/karma/whatever you believe in does.

BlackNova Traders - Tradewars for the web

I have no sympathy... (2.00 / 2) (#153)
by FreddytheFish on Tue Dec 03, 2002 at 05:24:57 PM EST

...for either the retailers or the author of this article should he get caught and prosecuted. Price tag switching is a practice as old as prices. It's illegal at any regular store and I can't imagine it's any different for an online store. The author should be ashamed for his childish behaviour and online retailers should take a lesson from this and spend the time and money on a proper e-commerce system.


Whatever you can do or dream you can, begin it. Boldness has genius, power and magic in it. Begin it now. --J. W. von Goethe
[ Parent ]

Holy crap man (4.66 / 6) (#134)
by sllort on Tue Dec 03, 2002 at 03:24:02 PM EST

I first observed this phenomenon in late 1999 early 2000. Hundreds of merchants do this, but the one I found was Gateway. I showed my friends how I could potentially order a $6000 server for $1. But I never actually did it because I assumed it was federal fraud. I was terrified of even mentioning this flaw, since usually the discoverer is blamed. Here's what I did do: I had my company order a $2479.63 server for $2479.73. By increasing the cost by ten cents, I figured I could test the concept without any accountability and not get caught or charged. The test was successful, but I never told anyone because I was sure I'd get busted.

I'm not sure what amazes me more about your story: the fact that the same flaw exists three years later, the fact that you openly committed fraud, the fact that you submitted it to 2600, the fact that a lawyer has said you're in the clear, or the fact that you so far remain unprosecuted. Good luck man. You can keep the credit. Scares me crapless.
--
Warning: On Lawn is a documented liar.
Amen to that! (none / 0) (#248)
by jubilation on Wed Dec 04, 2002 at 04:54:15 PM EST

I'm not sure what amazes me more about your story: the fact that the same flaw exists three years later, the fact that you openly committed fraud, the fact that you submitted it to 2600, the fact that a lawyer has said you're in the clear, or the fact that you so far remain unprosecuted. Good luck man. You can keep the credit. Scares me crapless.
Another surprising thing or two:
-- This guy seems to actually believe that this was a good-faith transaction.
-- Several people have weighed in behind him. The school of thought "It was possible, therefore it was what the store intended", which I'd thought safely quarantined to slashdot, has reared its ugly head here.
-- Nobody has uttered the dread phrase "outdated business model". ;)

[ Parent ]
You can't have it both ways... (3.75 / 4) (#137)
by ODiV on Tue Dec 03, 2002 at 03:33:28 PM EST

Is this an e-commerce security article or isn't it? How is there a hole in their e-commerce set-up if every order is checked over by a person?

If you maintain that it's solely human error which caused you to get a $500 discount, then I don't see the security issue.

In this situation you can't be clever and non-fraudulent at the same time, sorry.

--
[ odiv.net ]
You're right. (3.50 / 2) (#144)
by Jizzbug on Tue Dec 03, 2002 at 04:30:15 PM EST

I discussed what I did in the article as a security issue because it potentially is (albeit an old one). Whether or not my submitted order deceived the merchant and exploited a security vulnerability is up in the air. Everything I know about the circumstances leads me to postulate that I probably didn't deceive them, and that they were aware of everything. That doesn't make the security potentials I discuss in the article any less potential, though.

And if the merchant was aware, and did approve my order intentionally (as everything I know leads me to believe), then this brings up an interesting issue of: "Why is a computer retailer having to resort to accepting offers of 20%?" Which, in some ways, I find to be a more interesting question than the ones posed in this article.

In any case, I am in the process of contacting the merchant, so I'll probably be posting an update as to what the facts of the scenario are. And we can decide definitively, once and for all, whether or not I am indeed an evil bastard criminal shit-face.

I say unto you: one must still have chaos in oneself to be able to give birth to a dancing star. I say unto you: you still have chaos in yourselves.
 -- Friedrich Nietzsche, Thus Spoke Zarathustra: A Book for All and None

[ Parent ]

Get a REAL lawyer before you talk (5.00 / 1) (#154)
by Blarney on Tue Dec 03, 2002 at 05:29:52 PM EST

If I were you, I wouldn't even think of contacting the merchant directly. I'd have a real lawyer do it for me. If this goes wrong, you may find yourself sitting in a Canadian jail for some felony computer hacking charge.

You wouldn't be the first computer hacker to cleverly turn himself in - remember that Slashdot article about some poor guy who found that a local newspaper had a webserver with anonymous FTP downloading AND uploading enabled, told them, and got charged? He got a misdemeanor and a $1000 fine. Lucky bastard. Maybe you won't be so lucky. Think about it, and get a lawyer now. Perhaps the right thing to do is to shut the hell up and never use the email account in your K5 profile ever again? Ask your lawyer.

[ Parent ]

Too late for the e-mail. (3.00 / 1) (#190)
by Kwil on Wed Dec 04, 2002 at 01:05:47 AM EST

After all, it's already out there, and published in this discussion as well.

It only takes a minute or so to fire up Google and find out the author's full name and city of residence.

From there, it's just a hop, skip, and a jump to the local online yellow pages to find the 25 likely matches for the first initial and name.  However, (un?)fortunately, our author has kindly provided his middle initial in some of the emails you can find online which shaves another 14 people from the list, leaving 10 possible and one probable home address and phone number as the initials and last name match.

So if I can do this in three minutes without even bothering with a whois or an IP lookup, you can bet anybody who's serious about trying to find the author will have little difficulty.

That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze


[ Parent ]
My name. (4.00 / 2) (#193)
by Jizzbug on Wed Dec 04, 2002 at 01:45:50 AM EST

If my name were to be my downfall, it'd have happened by now. The article was published in 2600 under my real name (middle initial and all), and the issue it's in came out a while ago. I'm sure 2600 is probably a more monitored publication than K5. Also, searching Google for "Jizzbug" will turn up a number of details about me. And I think I'm the only person to ever use the name "Jizzbug", so pretty much any "Jizzbug" you ever see should be me.

Anybody want my social security number?

I say unto you: one must still have chaos in oneself to be able to give birth to a dancing star. I say unto you: you still have chaos in yourselves.
 -- Friedrich Nietzsche, Thus Spoke Zarathustra: A Book for All and None

[ Parent ]

Keep your head down (5.00 / 1) (#220)
by Blarney on Wed Dec 04, 2002 at 12:52:21 PM EST

I hope you've at least reconsidered your plan to contact the retailer directly, without legal counsel.

Check out the case of Brian Keith West, who I mentioned before. He walked into a website so insecure that all he had to do was click Edit on his copy of Frontpage and it allowed him to do so, without even asking for a password. In theory, his misdemeanor conviction of "unauthorized access" was based on him saving a copy of a Perl script from the website and examining it while developing a similar script himself - sounds like bull to me, you be the judge.

Solzhenitsyn relates an anecdote in his "Gulag Archipelago" about a Soviet citizen sentenced to 20 years in a Siberian prison camp. A guard asked him what offence he had committed when he entered the camp, and he said "Nothing at all." The guard said "You are lying. The sentence for nothing at all is 10 years."

Well, in the world of computer hacking the sentence for "nothing at all" is a misdemeanor conviction for unauthorized access, years of probation, and enough fines, court costs, and legal fees to buy a modest new car. You actually got some money out of the deal too, so it could go harder for you. Be careful.

[ Parent ]

Apparently, Infoworld reads K5. (4.00 / 3) (#146)
by porkchop_d_clown on Tue Dec 03, 2002 at 04:51:57 PM EST

E-commerce package flaw makes for easy discounts


--
Once one sock is sucked, the other sock will remain forever unsucked.


Hehe. (5.00 / 1) (#151)
by Jizzbug on Tue Dec 03, 2002 at 05:15:43 PM EST

And after the issue of 2600 came out, this appeared on Bugtraq:
http://online.securityfocus.com/archive/1/299691

I say unto you: one must still have chaos in oneself to be able to give birth to a dancing star. I say unto you: you still have chaos in yourselves.
 -- Friedrich Nietzsche, Thus Spoke Zarathustra: A Book for All and None

[ Parent ]

In defense of the exploit (4.55 / 9) (#149)
by rujith on Tue Dec 03, 2002 at 05:06:57 PM EST

  1. Many posters compared the exploit to switching items' price-tags in a "physical" store. But I think a better analogy is a physical store in which the items' prices are marked on the shelves, rather than on the items, and a customer is expected to correctly copy the items' prices onto a sheet of paper and submit it to the cashier.
  2. Most "physical" stores have at least minimal security to guard against switching of price-tags, etc. I think the on-line merchant deserved all he got for using such crappy software.


"Good Faith" and "Paid in full" (4.93 / 15) (#152)
by Blarney on Tue Dec 03, 2002 at 05:20:10 PM EST

I'm not a lawyer, but I don't believe that your friend is giving you good advice here. Of course you may offer a lower sum of money to a merchant than the list price on an item - and the merchant may well decide to accept your offer. However, to be a "bid" legally your offer must be given in "good faith" - you must be presenting it with the honest intention that both you and the merchant will be reviewing your offer and making an informed decision as to whether to agree or not.

Sneaky ways of making an offer with the express intention that the other party will not actually read it are not legally valid. For instance, you might want to check this "urban legend" out: http://www.snopes.com/business/bank/paidfull.htm. People have tried to get out of debts by writing the words "Paid in full" on their check and sending their creditor a partial payment - knowing that the check is probably going to be processed by automated machinery and intending to use their cancelled check to "prove" that the merchant "accepted" their offer as full payment of the bill. This doesn't hold up in court, because it's not a good faith offer, and is in fact considered fraudulent. In fact, as the Snopes.com article cites, the Uniform Commercial Code of the United States specifically disallows such conditions for electronically handled transactions - you can't claim that the payment, in and of itself, is a full payment of the debt simply because it was accepted.

I don't know how Canadian law works - perhaps there isn't such a specific condition about electronic payments - but Canadian law is based on English common law just as United States law is, and certainly recognizes the difference between an offer in "good faith" and one that isn't.

Very informative (5.00 / 4) (#173)
by Rogerborg on Tue Dec 03, 2002 at 07:46:09 PM EST

But I don't see how it applies here.  There is no previous business relationship (as in the case of paying off an existing debt), and the seller is completely free to accept or reject the offered sum.

Remember, we know the circumstances of this transaction because the buyer has told us.  In a contested transaction of this sort (where the seller has accepted payment and dispatched goods), it would really be up to them to show that there was an intent to deceive.  Given that sellers frequently offer goods at varying prices, and sometimes at sharp discounts, it might be hard for them to do that.

Initially I agreed with your position, but then I thought of it this way: why should there be an onus on the purchaser to tell the seller what price they're supposed to be selling at?  If the seller doesn't know, that's really their problem.

"Exterminate all rational thought." - W.S. Burroughs
[ Parent ]

But the onus wasn't on the purchaser... (4.20 / 5) (#183)
by dani14 on Tue Dec 03, 2002 at 09:30:11 PM EST

In this case, the purchaser created his own pages to replace the pages of the e-tailer in order to fraudulently represent a different price. The e-tailer didn't ask the purchaser to enter a price, nor did it ask the purchaser to misrepresent his pages for those of the e-tailer. It's fraud, and you can't hold the e-tailer fully accountable for it.

As they say, "fool me once shame on you, fool me twice, shame on me," but how can the e-tailer learn from this experience when instead of doing the honorable thing and reporting it, the author chooses to publicize this loop-hole to a technologically savvy internet community? This wasn't testing a theory, it was a morally corrupt act and subsequent bragging of it with enough information to propagate the act.

--


"The samaritans parable obviously missed the bit where jizzbug ... kicked the crap out of the guy "just to see if he could do it, you know, to test if the law was perfect and all"." -- Craevenwulfe
[ Parent ]
The e-tailer DID ask the purchaser to enter price (3.00 / 1) (#226)
by Sloppy on Wed Dec 04, 2002 at 01:55:46 PM EST

The e-tailer didn't ask the purchaser to enter a price
But from the point of view of the computers, that is exactly what the e-tailer did do.

I realize that reductionism can be really stupid in some situations (e.g. "all I did was give you some atoms, it's not my fault your cells interpreted them in a catastrophic manner just because they happened to be in a cyanide pattern"), but I'm not convinced this is one of those situations. HTTP get/post parameters are not at a low level of abstraction that is ridiculously far below what is "normal" for humans (especially in this day and age -- maybe 100 years from now it will be).

I'm serious about that. Just Monday, I sent an email from someone else's computer by manually telnetting to a server's port 25, not because I was "hacking", but because I didn't want to deal with their misconfigured email client. In 2002, these protocols still just aren't below the surface.

And in the end, if we believe the story, conscious human beings did voluntarily process the order.

I speculate that if he had offered to pay only ten cents instead of a hundred bucks for the item in question, then humans would have spoken up and said "hey, wait a minute, this is a bogus order." And if that's correct, then humans really are responsible for processing the order, and he's not just exploiting automation.

I will admit it's a bit of a grey area, though.
"RSA, 2048, seeks sexy young entropic lover, for several clock cycles of prime passion..."
[ Parent ]
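The thread keeps circling the same design question: the browser sends price, quantity and shipping, and the server either adds them up or checks them. As an added example that is not code from the article, the merchant or any shopping-cart product (the catalog, field names and POST bodies are constructed), here is the trusting handler beside a hardened one that recomputes every amount from the server's own catalog and flags any disagreement for human review instead of approving it by default:

```python
"""Server-side price validation for a form-based shopping cart.

Added example; CATALOG, FLAT_SHIPPING, the form field names and the sample
POST bodies are all constructed for illustration. urllib.parse.parse_qs is
the standard-library parser for application/x-www-form-urlencoded bodies.
"""
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed merchant catalog: the only place a price may come from.
CATALOG = {
    "TAB-001": {"name": "Graphics tablet", "price": Decimal("475.00")},
    "PEN-002": {"name": "Spare stylus", "price": Decimal("29.95")},
}
FLAT_SHIPPING = Decimal("12.00")  # constructed flat rate


class OrderRejected(Exception):
    """Raised when an order cannot be priced from the catalog at all."""


def parse_order(body: str) -> dict:
    """Flatten a urlencoded POST body into single string values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def trusting_total(body: str) -> Decimal:
    """The design the article describes: the server simply adds up the
    price, quantity and shipping that the browser sent."""
    f = parse_order(body)
    return Decimal(f["price"]) * int(f["qty"]) + Decimal(f["shipping"])


def _money(text: str) -> Decimal:
    try:
        return Decimal(text)
    except InvalidOperation:
        raise OrderRejected(f"unparseable amount: {text!r}")


def validated_order(body: str) -> dict:
    """Hardened handler: catalog number and quantity are the only client
    inputs that matter; every monetary field is recomputed server-side and
    the client's copies are compared against it."""
    f = parse_order(body)
    item = CATALOG.get(f.get("catalog_no", ""))
    if item is None:
        raise OrderRejected("unknown catalog number")
    try:
        qty = int(f.get("qty", "0"))
    except ValueError:
        raise OrderRejected("bad quantity")
    if qty <= 0:
        raise OrderRejected("bad quantity")

    price = item["price"]
    total = price * qty + FLAT_SHIPPING

    # Record which client-supplied amounts disagree with the server's own
    # figures; a mismatch routes the order to a person rather than failing
    # silently, which is the review step this thread argues about.
    expected = {"price": price, "shipping": FLAT_SHIPPING, "total": total}
    mismatched = [k for k, v in expected.items() if k in f and _money(f[k]) != v]

    return {
        "catalog_no": f["catalog_no"],
        "qty": qty,
        "total": total,             # always the server's figure
        "needs_review": bool(mismatched),
        "mismatched": mismatched,
    }


# Constructed sample bodies: an honest order and one with a lowered price.
HONEST = "catalog_no=TAB-001&qty=1&price=475.00&shipping=12.00&total=487.00"
LOWERED = "catalog_no=TAB-001&qty=1&price=100.00&shipping=12.00&total=112.00"

if __name__ == "__main__":
    print("trusting handler charges:", trusting_total(LOWERED))
    print("validated handler:", validated_order(LOWERED))
```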

You forget that you are the minority (4.50 / 2) (#229)
by Dephex Twin on Wed Dec 04, 2002 at 02:50:44 PM EST

I'm serious about that. Just Monday, I sent an email from someone else's computer by manually telnetting to a server's port 25, not because I was "hacking", but because I didn't want to deal with their misconfigured email client.
And you read and post on K5, and probably other tech-savvy websites. This is because you ARE tech-savvy. Some people do not even understand what telnetting or port 25 are. *Most* people don't know how to do what you did, and will never know. You have to understand that you are in the minority by a great margin.

And your example was *much* more obvious and common than what the author did. You could consider knowing telnet and common ports to be fairly common knowledge within the techie community (depends on where you draw the line for who is a "techie"). However, what the author did was not common knowledge or obvious, and this is most strongly supported by the fact that it *was* published in 2600 and shows up here on K5. If it is news to *us*, how would it even be remotely intuitive to your average Joe?

You are grasping for straws when you say that, from a certain point of view, the website *did* have an option for manual price entry. If they truly wanted someone to do that, they would have allowed for this on their website. If the author truly believed they wanted someone to do that, he wouldn't have talked about it as an "exploit".


Alcohol: the cause of, and solution to, all of life's problems. -- Homer Simpson
[ Parent ]
Why is this stored client side? (4.57 / 7) (#158)
by evilpenguin on Tue Dec 03, 2002 at 06:07:01 PM EST

I did some consulting for a small business a while back that wanted to put a shopping cart on their website.  Up to this point, they had a true "order form" with fill-in textboxes for 'item', 'quantity', 'price each' and 'total'.  The user was left to enter all this, get a sum, enter it into the 'subtotal' textbox, calculate the shipping cost and enter that in a 'shipping' box, if they were in the state, calculate the tax and enter that, then sum everything up and enter a final 'total'.

I saw occasions (very few) where a user entered the wrong prices (never egregiously so -- perhaps using the price from an outdated catalog or some forgotten corner of the site that had not been updated).  The "protocol" was to have the person who first noticed it call the customer to inform them of the error (most of the time it was only a difference of a few dollars, but still, you can't bill that without informing the customer).  The order was then booked and shipped as usual.

So it was my job to put a cart on the site.  After looking around at the various free and commercial offerings, and not being satisfied with any of them, I wrote and tested my own in about a day and 600 lines of perl.  Essentially, all the customer's browser tells it is "what item and how many".  That quantity is multiplied by the price stored in the item database, giving a total.  Simple.

The fact that anyone would rely on the client for price data is beyond the bounds of stupidity, into sheer mental retardation.  I realize, it is tempting for the cart vendor to make something so idiotically simple (using the <input type=hidden> tags, etc), but that strikes me as incredibly irresponsible.  Even if the price data is stored in an encrypted string somewhere in a cookie that only the most dedicated will find... it's still just such an atrociously bad idea, and I'd fire anyone who did such a thing.

Is it morally wrong to exploit?  That's dubious.  I'm going to say "yes", but morals obviously have no bearing on the law nor people's actions, so, do what you will.  I'd say the blame truly falls on the cart vendor, who left a gaping security hole that people just can't help but to walk through.  Unfortunately, the most likely person to be prosecuted should they report such a flaw is the reporter himself.
--
# nohup cat /dev/dsp > /dev/hda & killall -9 getty

Two ways around it (4.80 / 5) (#161)
by seeS on Tue Dec 03, 2002 at 06:55:20 PM EST

I run a small ecommerce site. The way to stop this sort of thing is simple but for us effective. The shopping cart stays on the server, not the browser. The browser just sends a session id. The second way is the prices are checked. Not down to the nearest cent but they at least have to be in the right ball park. I don't agree with hacking ecommerce sites just because they got some moron to code it, it's not the shop's fault if they've been sold a lemon.
--
Where's a policeman when you need one to blame the World Wide Web?
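The two designs contrasted in the preceding two comments (a "soft cart" that believes a hidden price field, versus a cart that stays on the server keyed by a session id and only ever multiplies quantity by the catalog price, with a ballpark check on any total the browser claims), as an added Python example. This is not code from either commenter or from any cart product; the catalog, the SKU names and the 5% tolerance are constructed for illustration.

```python
from decimal import Decimal
import secrets

# Constructed catalog: the merchant's own price list. Prices come from here,
# never from the browser.
CATALOG = {
    "tablet-01": Decimal("400.00"),
    "stylus-02": Decimal("25.00"),
}


def insecure_checkout(form):
    """The 'soft cart' pattern: the price arrives in a hidden form field and
    the server believes it. Whatever the shopper writes is what is charged."""
    return Decimal(form["price"]) * int(form["qty"])


# Server-side carts keyed by an unguessable session id. The browser holds only
# the id (for example in a cookie); the cart contents never leave the server.
CARTS = {}


def new_session():
    session_id = secrets.token_urlsafe(32)
    CARTS[session_id] = {}
    return session_id


def add_to_cart(session_id, sku, qty):
    """Only product identity and quantity cross the trust boundary, and both
    are validated. A forged or expired session id raises KeyError."""
    if sku not in CATALOG:
        raise KeyError(f"unknown sku {sku!r}")
    if qty <= 0:
        raise ValueError("quantity must be positive")
    cart = CARTS[session_id]
    cart[sku] = cart.get(sku, 0) + qty


def cart_total(session_id):
    """Total computed from the catalog: quantity times the stored price."""
    return sum(CATALOG[sku] * qty for sku, qty in CARTS[session_id].items())


def in_ballpark(claimed, actual, tolerance=Decimal("0.05")):
    """Sanity check on a client-supplied total: a few percent of drift (rounding,
    a stale page) is tolerated; a 94% discount is not. The tolerance is an
    assumption, not a figure from the discussion."""
    if actual == 0:
        return claimed == 0
    return abs(claimed - actual) <= actual * tolerance


def secure_checkout(session_id, form):
    """Charge the server-computed total. Any total the browser sends is only
    compared against it, never used."""
    actual = cart_total(session_id)
    claimed = Decimal(form.get("total", actual))
    if not in_ballpark(claimed, actual):
        return {"accepted": False, "reason": "total mismatch", "actual": actual}
    return {"accepted": True, "charged": actual}


if __name__ == "__main__":
    # A tampered hidden field buys a $400 tablet for $25 from the soft cart...
    print(insecure_checkout({"sku": "tablet-01", "price": "25.00", "qty": "1"}))
    # ...while the server-side cart charges catalog price whatever the form says.
    sid = new_session()
    add_to_cart(sid, "tablet-01", 1)
    print(secure_checkout(sid, {"total": "25.00"}))
    print(secure_checkout(sid, {"total": "400.00"}))
```

The point of the second half is where the trust boundary sits: the only things a shopper can influence are which SKU and how many, and a wrong session id simply fails. The ballpark check is a belt-and-braces measure for forms that still echo a total back; it never decides what is charged.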
that's the way it should be done (3.66 / 3) (#169)
by Work on Tue Dec 03, 2002 at 07:35:58 PM EST

however, a lot (probably most) sites are using cheap old code that was written at the start of the .com era, by people with minimal experience in secure programming. And with insane deadlines.

At that time, sessions were still an experimental and novel idea.

Then there's the fact that a lot of languages used don't natively support sessions. The nice thing about java and jsp's is the native support in the case of jsp's (every jsp page has a session object automatically created, and entitled 'session' for easy use) and in the case of servlets, it requires 1 line of code to access the current session.

It's no surprise that java has become the language of choice in backend web apps.

[ Parent ]

If you're contracting someone else.. (4.00 / 1) (#256)
by omghax on Wed Dec 04, 2002 at 05:28:37 PM EST

to do your "e-tail" software/scripts, why not check their work or include some kind of clause in the contract that would hold them liable for any such exploitation, or just make them fix it if it comes to light?


I put the "LOL" in phiLOLigcal leadership - vote for OMGHAX for CMF president!
[ Parent ]
good job jizzbug (2.00 / 4) (#171)
by due 2 dew on Tue Dec 03, 2002 at 07:44:37 PM EST

You have only posted 2 stories yet... and both are pretty interesting... good job, keep it up!

My thoughts. (4.00 / 8) (#176)
by Rogerborg on Tue Dec 03, 2002 at 08:09:10 PM EST

First, I thought "you thieving bastard".  And then I had another think, and came to a different conclusion.

You're quite right that it's the seller's responsibility to check that the payments that they are choosing to accept are actually acceptable.  In fact, that's a tautology.  If they accept it, it's acceptable.

If you had 'phoned or mailed in a cheque for $100 for a $400 product and they'd accepted it, it would be easy to see it as you making a speculative offer and it being accepted.  So why would we think it was different for an electronic order?  After I really thought about it, the answer was "no good reason".  There is nothing different about it, except that it's less likely that the seller will check an electronic offer.  But as I concluded above, that's their problem, not yours.

And that leads me to the morality of it.  At first I thought you were taking advantage of them, then I considered it this way: who forced them to install an electronic ordering system instead of having all orders handled by an actual person?  Nobody.  They chose to do it because it saves them money.  They thought it was a free lunch.  But when you think about it, "saves them money" means "let them sack people in their orders department".  That's the price of efficiency.  So it was their choice not to have this looked at by a human in the first instance.

So when I had it all straight, I realised that you're absolutely right.  It's the seller's sole responsibility to ensure that they are selling at the price they want.  There's an argument that you acted in bad faith because you guessed that an electronic order wouldn't be vetted before being accepted, but that's bunk.  You had no way of knowing that (and humans were involved, as you said), and even if it's true, it was the seller's choice to set up their system so that the machine made the decision.

This seller probably got exactly the quality of system that they were willing to pay for, and forgive me if I don't shed a tear for their loss on this transaction, because I'm saving my pity for the poor shmoe that they replaced with this shoddily programmed computer.  Well done for demonstrating that there really is no such thing as a free lunch.

"Exterminate all rational thought." - W.S. Burroughs

You've never been to the real world have you? (5.00 / 1) (#198)
by Craevenwulfe on Wed Dec 04, 2002 at 07:52:25 AM EST

And that leads me to the morality of it. At first I thought you were taking advantage of them, then I considered it this way: who forced them to install an electronic ordering system instead of having all orders handled by an actual person? Nobody. They chose to do it because it saves them money. They thought it was a free lunch. But when you think about it, "saves them money" means "let them sack people in their orders department". That's the price of efficiency. So it was their choice not to have this looked at by a human in the first instance.

There is a difference between "saving money" and being economically viable in the first place and thus able to employ people. It is not a government institution, it cannot afford to be run wildly inefficiently.

I'll back this up by saying that as a manufacturing engineer in a global electronics contract manufacturer, should we bump prices by a pound we'd not get the business in the first place.

Fewer jobs or no jobs.
Necessity not choice.

[ Parent ]
Sure, in theory (none / 0) (#267)
by Rogerborg on Thu Dec 05, 2002 at 09:55:57 AM EST

But as an R&D engineer forced to work with the crappy overpriced solutions bought from "global electronics contract manufacturers" like yourself by our corrupt and inept management, I'm here to tell you that a dollar on the price doesn't matter as much as a few thousand in soft money kickbacks on the golf course.

Sorry, didn't you know that's how it actually works in the real world?

I'm sure you'll escalate the world weary cynicism, but as I have 12 days until I'm made redundant because of exactly this situation, I'm really not that bothered about arguing it out.

"Exterminate all rational thought." - W.S. Burroughs
[ Parent ]

Asking for honor, not a free lunch (5.00 / 2) (#215)
by cestmoi on Wed Dec 04, 2002 at 12:01:35 PM EST

I am amazed at the logical contortions you're willing to go through to excuse Jizzbug's theft. Spare me the legalisms and just ask yourself - if you were the merchant would you want someone to do to you what Jizzbug has done?

"That's the merchant's problem" doesn't address the underlying theft or lack of morality but does indicate that you would behave the same way as Jizzbug did given the same opportunity.

[ Parent ]

If *I* were the merchant, I would. (none / 0) (#266)
by dark on Thu Dec 05, 2002 at 09:26:04 AM EST

I would want him to do what he did and then tell me about it. Of course, he would have had a much harder time doing it :-)

[ Parent ]
A&P (4.00 / 2) (#181)
by El Volio on Tue Dec 03, 2002 at 08:20:15 PM EST

I went to an A&P (attack & penetration) class from a company with a great deal of expertise in such matters. Several of the instructors were actually folks who work for the consulting arm of the firm, i.e. the guys who do the A&P work. They showed us this sort of vulnerability, but had an interesting story to go with it.

Seems that a company had contracted with them to examine the security of their web site, including the application. The vulnerability described in this article was present, and they were able to order some expensive merchandise from the site at a substantially reduced cost. This of course was then reported back in the final review to the customer, and an attempt was made to return the merchandise (which was pretty ugly, I must say).

The kicker was that the company didn't want it back — it simply wasn't set up for this (fairly small operation). So they were stuck with it...

Shocked, but try before you condemn (4.62 / 8) (#185)
by zvpunry on Wed Dec 04, 2002 at 12:07:11 AM EST

Like a lot of K5ers, I am utterly shocked that there are web sites still doing this. (Still doing it? I'm shocked anybody ever did it.) It violates certain principles that I learned, I don't know, somewhere around 8th grade. (Which was way before the web, so maybe they weren't the exact same principles.)

But don't condemn a site before you actually try it. For example, this bugtraq article claims that there are sites which protect product prices, but not shipping info. That may well be, but I wonder how many of those sites the author tried.

At my company, for example, we do have hidden input fields that contain shipping and sales tax information. But we don't trust it. Long story, but our design called for the convenience of a one-page order system. This, in turn, requires dynamic HTML for displaying shipping and sales tax info. But what happens when the customer doesn't have javascript enabled, or is using a browser that cannot display dynamic content? The solution is: hidden input fields, which are only updated when the customer's browser is capable of displaying the newly calculated values. This way we can be certain that the customer knows what she's going to be charged. On the back-end, we calculate total price; if the price there differs from what was passed to us, we send them back to the form with the adjusted prices. Combine this with well-chosen default values that cover most cases (no sales tax, domestic shipping charges), and we minimize the number of people who have to sit through multiple pages to complete their order.

A zealous critic, however, might see our markup, and automatically conclude that we don't know what we're doing. That critic would be well-advised to try screwing us before condemning us.

Also in our case, session information is overkill, and I'm really wondering whether back-end session state is the panacea that so many make it out to be. Not only does this lock you into technologies, and perhaps force you into upgrade cycles later on that would otherwise make no business sense, but it doesn't offer much of an advantage in most cases. In fact, it can have adverse effects: requiring more DB hits, and even (as in the case of one of our business partners) requiring funky, clumsy, error-prone "sticky" load balancers because the underlying session technology is not shared between servers. (D'oh!)

You should also calculate charges after the customer submits her order, anyway. So what's the fundamental difference between storing product, quantity, and shipping address info in the customer's cookies, and reading that every time she returns? You want to manipulate that? Fine. Tell me you want 20 products instead of 2. I'll be happy to accept your order. Tell me you're somebody else. Do you know their password?

Anyway, some have claimed that many sites just haven't been "updated" to take advantage of newer technologies. But how much updating does it really require to take out price info from the customer's cookie, and look it up in the same database that you originally got it from before sticking it in her cookie? I do wonder if some sites have been sold on session management, and are under the false impression that it would take a lot of effort (even a platform migration) to make their site secure, and just gave up? Is this a case of selling a technology, instead of selling a solution?

d'oh -- session management (5.00 / 1) (#186)
by zvpunry on Wed Dec 04, 2002 at 12:30:18 AM EST

Of course I realize cookies are "a form of" session management. I confused two separate thoughts in my head.

So my rant at the end should not refer to cookies, but to HTTP requests:


Anyway, some have claimed that many sites just haven't been "updated" to take advantage of newer technologies. But how much updating does it really require to look up the price in the same database that you originally got it from before sticking it on the form? I do wonder if some sites have been sold on session management, and are under the false impression that it would take a lot of effort (even a platform migration) to make their site secure, and just gave up? Is this a case of selling a technology, instead of selling a solution?

In the paragraph prior to that, what I really meant was that server-side session management doesn't provide any real advantage (in most cases) over client-side session management. And cookies can often be more effective and provide an easier path of migration, with no concomitant upgrade cycle, for those who presently use braindead ecommerce solutions.

Of course, why am I bothering to correct myself when I just realized this article was posted 24 hours ago, and not four hours ago as I first thought?

[ Parent ]

I just got even worse. (2.50 / 8) (#189)
by Jizzbug on Wed Dec 04, 2002 at 12:58:59 AM EST

On my way home from a friend's house just a few minutes ago, I hit and killed Bambi!! SERIOUSLY!

I say unto you: one must still have chaos in oneself to be able to give birth to a dancing star. I say unto you: you still have chaos in yourselves.
 -- Friedrich Nietzsche, Thus Spoke Zarathustra: A Book for All and None

Cool !!! (2.00 / 1) (#208)
by dvchaos on Wed Dec 04, 2002 at 11:20:54 AM EST

Do you beat little old grandma's to death with their own walking sticks too ? I mean, you may as well .. that seems to be the image most of these people are conjuring up in their little boxed minds.

--
RAR.to - anonymous proxy server!
[ Parent ]
Just thought I'd add. (2.00 / 1) (#239)
by Jizzbug on Wed Dec 04, 2002 at 03:41:02 PM EST

I didn't enjoy killing Bambi. I feel quite bad. The damn thing ran out in front of my car before I'd had much time to slow down. It was an ambush, I swear! Besides, it fucked up my car, so if for no other reason, I would have much preferred not hitting it. I guess I can't say whether or not I killed it. I don't know that for sure. I didn't hit much of it, just its head, mostly. Maybe it just got knocked out really good for a while. It was fuckin' weird, though, watchin' this huge ass animal run across the road all slow motion like. It was almost as if the deer was meaning to commit suicide or something.

I say unto you: one must still have chaos in oneself to be able to give birth to a dancing star. I say unto you: you still have chaos in yourselves.
 -- Friedrich Nietzsche, Thus Spoke Zarathustra: A Book for All and None

[ Parent ]
Contacted the merchant yet? (4.00 / 1) (#243)
by cavalier on Wed Dec 04, 2002 at 04:01:20 PM EST

Found a box to ship the tablet? Your attempt at whimsical deflection fails because in doing so you admit your guilt and again are trying to turn it around on the audience -- like it's our fault you stole the thing.

Come on, cleanse and purge yourself in the water, as Maynard would say. Get on with it.


[ Parent ]
What I can't understand is... (4.20 / 5) (#195)
by Rasman on Wed Dec 04, 2002 at 05:41:00 AM EST

I'm an e-commerce web developer, and I can't get my head around why anyone would want to put the prices of the products in the users' hands, whether in visible or hidden form elements. Even without the use of sessions, you could still just store the product IDs in the form elements and ask the database every time you view the cart for the product name and price! It never once crossed my mind to build my webapp with prices at the mercy of form submissions. Why? Tell me why!!

---
Brave. Daring. Fearless. Clippy - The Clothes Pin Stuntman
Three possible reasons... (4.00 / 1) (#210)
by cestmoi on Wed Dec 04, 2002 at 11:39:15 AM EST

The developer wasn't thinking or the developer was lazy or both. Having coded for over 30 years I've seen plenty of examples of all 3 cases.

[ Parent ]
Prices on client-side (4.00 / 1) (#244)
by jubilation on Wed Dec 04, 2002 at 04:01:42 PM EST

I'm an e-commerce web developer, and I can't get my head around why anyone would want to put the prices of the products in the users' hands, whether in visible or hidden form elements.
That's something that cuts both ways. If the client passes back a product ID, saying "buy this!", and the server looks up a (possibly updated in the meantime!) price, there could be a serious disconnect.

I'd suggest that the client pass in the price he thinks he's paying, the server look up its version of the price, and if they don't match, panic (or otherwise don't transact).

[ Parent ]
So you're saying... (none / 0) (#263)
by Rasman on Thu Dec 05, 2002 at 04:34:16 AM EST

...that the problem solved by this incredibly insecure method is when product prices change during the time between when the customer adds the item to her cart and when she checks out. Pretty big risk for such a small fix.

Personally, in my sites, when the customer adds something to the cart, it takes a snapshot of all relevant data (e.g. product name, price, product id) and stores the snapshot in a cart object kept in the session. This snapshot is then saved to the db when the checkout is finalized. Obviously you can't store only the product id and a quantity with the order, because the chances of the product price changing between when the order is placed and the order is viewed (or reviewed weeks after the order is shipped) are quite high.

---
Brave. Daring. Fearless. Clippy - The Clothes Pin Stuntman
[ Parent ]
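The reconciliation approach described by zvpunry (hidden fields carry the shipping and tax figures the customer last saw, the back end recomputes everything and sends the customer back to the form if anything differs), jubilation's "compare the price the client thinks he is paying with ours and refuse on mismatch", and Rasman's price snapshot stored with the order, as one added Python example. It is not code from any of the three commenters; the catalog, the single in-state tax rate and the flat shipping charges are constructed for the illustration, and `submit_order` is a stand-in for whatever handler the order form posts to.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed data: catalog prices, one taxable home state, flat shipping.
CATALOG = {
    "tablet-01": Decimal("400.00"),
    "stylus-02": Decimal("25.00"),
}
HOME_STATE, HOME_TAX_RATE = "CA", Decimal("0.0725")   # assumption: tax only in-state
DOMESTIC_SHIPPING = Decimal("9.95")
INTERNATIONAL_SHIPPING = Decimal("29.95")
FIGURES = ("subtotal", "shipping", "tax", "total")


def money(value):
    return value.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def compute_order(lines, country, state=None):
    """The server's own arithmetic from the catalog: this is what gets charged."""
    subtotal = sum((CATALOG[sku] * qty for sku, qty in lines), Decimal("0"))
    shipping = DOMESTIC_SHIPPING if country == "US" else INTERNATIONAL_SHIPPING
    taxable = country == "US" and state == HOME_STATE
    tax = money(subtotal * HOME_TAX_RATE) if taxable else Decimal("0.00")
    return {
        "subtotal": money(subtotal),
        "shipping": shipping,
        "tax": tax,
        "total": money(subtotal + shipping + tax),
    }


def submit_order(form):
    """One-page order form. The hidden fields carry the figures the customer
    last saw (defaults: domestic shipping, no tax, so a browser without
    JavaScript still displays something). They are compared, never charged."""
    lines = [(sku, int(qty)) for sku, qty in form["lines"]]
    actual = compute_order(lines, form["country"], form.get("state"))
    shown = {name: Decimal(form[name]) for name in FIGURES}
    if shown != actual:
        # Stale page, a price that changed after the page was served, or a
        # tampered field: in every case, send the customer back to the form
        # with the corrected figures instead of transacting.
        return {"status": "re-render", "corrected": actual}
    # Snapshot the unit prices actually charged with the order, so that a
    # later catalog change does not rewrite history when the order is reviewed.
    snapshot = [{"sku": sku, "qty": qty, "unit_price": CATALOG[sku]} for sku, qty in lines]
    return {"status": "placed", "charged": actual["total"], "lines": snapshot}


def order_total_from_snapshot(order):
    """Review an already placed order from its snapshot, not the live catalog."""
    return sum((line["unit_price"] * line["qty"] for line in order["lines"]), Decimal("0"))


if __name__ == "__main__":
    honest = {"lines": [("tablet-01", "1")], "country": "US", "state": "NY",
              "subtotal": "400.00", "shipping": "9.95", "tax": "0", "total": "409.95"}
    print(submit_order(honest))                       # placed, charged 409.95
    tampered = dict(honest, total="25.00")            # hidden field edited
    print(submit_order(tampered))                     # re-render with 409.95
```

Note that a shopper who changes the quantity field still gets a valid order: the server simply prices the new quantity from the catalog. Only the price-bearing fields are checked, and a disagreement is answered with a corrected page, not a charge.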
Two reasons... (4.00 / 1) (#245)
by KILNA on Wed Dec 04, 2002 at 04:14:27 PM EST

1. Ignorance of how the web works.
2. Simplicity. You do not need a database to operate a cart in this manner, all you need is a CGI and some cookies.

This is not a robust e-commerce solution, it is much like the price tag analogy I keep using. Yes, you could get a database with SKUs and prices hooked into your cash registers... *beep*. *beep*. *beep*. This may be overkill, or too much investment at the current time, so you go for a cheap solution. You just slap tags on everything and enter them into the register by hand. This is just like setting up an HTML-only site and pointing at PayPal for the checkout. In PayPal you just embed a bit of HTML into your page for an "Add to Cart" link and away you go, the price and everything else is embedded in that cut-and-paste code. It is cheap, and gets the job done for a lot of people. But it also has the hidden cost of fraud risk, and many merchants don't understand this. The author of the article is taking advantage of this fact.



[ Parent ]
Okay, but... (none / 0) (#264)
by Rasman on Thu Dec 05, 2002 at 04:44:56 AM EST

Yours is the best response to my "why?" question as far as attempting to defend the idiots doing this, but it certainly doesn't excuse the practice. I can't really imagine someone knowing enough about CGI and cookies to be able to implement this and not knowing enough about the development platform (windows or *nix) to be able to set up an MS Access or mysql database backend for the products. And is it really simplicity? I think it would be a challenge to set up an e-commerce site with no database backend!

And another thing... Would anyone other than just a Mom-n-Pop's web store set up a db-less site? You couldn't manage more than about a dozen products in this way, so no doubt the one or two employees of the company would have intimate knowledge of the product prices.

---
Brave. Daring. Fearless. Clippy - The Clothes Pin Stuntman
[ Parent ]
No cgi or cookies! (none / 0) (#271)
by KILNA on Fri Dec 06, 2002 at 03:51:52 AM EST

Unfortunately, my response is that it IS that bad. You don't need to know a darned thing about CGI or cookies to implement PayPal's shopping cart. Yes, there are plenty of technically illiterate companies running reasonably-sized sites off of "soft carts". Their core competency is making widgets in a lot of cases, and they just leave the web site to the nephew of the owner. *shudder*

[ Parent ]
I'm amazed at the rationalizations (4.20 / 5) (#201)
by cestmoi on Wed Dec 04, 2002 at 09:46:33 AM EST

I'm amazed that there are people on this board who think Jizzbug's blatant lack of ethics is ok. The merchant obviously has a flawed system and isn't clever enough to figure it out on their own. The merchant's technical stupidity is offered as an excuse to steal from the merchant. It's as if cheating an idiot is fine if you get away with it. The old expression "stealing candy from a baby" comes to mind. Sure, you can do it. The question is, should you?

Evidently several people on this board think that's ok.

That's because (none / 0) (#207)
by dvchaos on Wed Dec 04, 2002 at 11:17:09 AM EST

There is no lack of ethics because there is no crime. The merchant didn't seem to think that, why should you ?

--
RAR.to - anonymous proxy server!
[ Parent ]
Oh to be 15 again. (5.00 / 1) (#209)
by cavalier on Wed Dec 04, 2002 at 11:35:45 AM EST

There is no lack of ethics because there is no crime. The merchant didn't seem to think that, why should you ?
Er, because the merchant has no idea that it happened. Read, rinse, and repeat -- if the merchant was aware of the transaction, they would most likely be unhappy(tm).

Like the original comment said, rationalizing the victimization of a victim because they were "asking for it" does not make it morally sound.

[ Parent ]
How do you know ? (1.00 / 1) (#214)
by dvchaos on Wed Dec 04, 2002 at 11:57:55 AM EST

what gives you the right to assume they will feel anything at all, let alone victimised? why are you so eager to assume that because you would feel hard done by, that others would as well ? what right is it of yours to assume the pretence that you know exactly how everyone else in the world must feel ?

Please don't give me this "oh to be 15 again" crap until you've removed your head from your ass and stopped talking so much bullshit. Gawd, talk about 'growing up' geeze. Shit happens, get over it, it's not your right to assume how other people should feel in any situation, let alone this one.

--
RAR.to - anonymous proxy server!
[ Parent ]
Are you missing the point on purpose? Geez n/t (none / 0) (#218)
by cavalier on Wed Dec 04, 2002 at 12:22:09 PM EST



[ Parent ]
No, not at all. (1.00 / 1) (#221)
by dvchaos on Wed Dec 04, 2002 at 12:59:25 PM EST

There is no 'point', aside from it simply ain't your right to assume you know how everyone else must feel in any single given 'moral' situation.

--
RAR.to - anonymous proxy server!
[ Parent ]
I'm sorry, but (5.00 / 1) (#222)
by amarodeeps on Wed Dec 04, 2002 at 01:05:28 PM EST

...your petulance is just fucking stupid. 99% of the merchants out there would be pissed if you sneaked a $375.00 discount through their system, which is exactly what Jizzbug did, like it or not (and the remaining 1% are going to go out of business, lessee...right about now). AND EVERYBODY FUCKING KNOWS THIS, THOSE THAT ARE NOT ADMITTING IT ARE CHILDREN WHO WANT TO PLAY IN THEIR OWN LITTLE FREE-MORALITY WONDERLAND. Just because a crime was not committed doesn't mean there wasn't a breach of ethics, see my other post. I just wish that you and everyone else who keeps insisting that there was no ethical problem with what Jizzbug did would realize that your theoretical "ethical system" is useless in the real world. Please, you are the one that needs to grow up and get your head out of your ass.



[ Parent ]
Say cheese (none / 0) (#233)
by aonifer on Wed Dec 04, 2002 at 03:09:15 PM EST

what gives you the right to assume they will feel anything at all, let alone victimised?

What gives you the right to assume they won't?

[ Parent ]

toddlers think like that. (none / 0) (#237)
by ph0rk on Wed Dec 04, 2002 at 03:26:45 PM EST

That, in short, if you get punished, you did something wrong.  If you avoid punishment, you did nothing wrong.

I suppose you could make a weak argument that what you -really- were trying to do is apply labeling theory, but I doubt it.

Farting in an enclosed space that you and several others have to stay in (elevator, car, etc) isn't a crime, but it ain't right either.

.
[ f o r k . s c h i z o i d . c o m ]
[ Parent ]

Legal doesn't mean Moral (none / 0) (#262)
by dani14 on Thu Dec 05, 2002 at 02:24:30 AM EST

Legality and Morality do not always coincide. In the 1800's it was legal to own slaves, but it certainly wasn't moral.

Of course, that was so long ago, it doesn't apply anymore.... yeah, right. How about Enron? A lot of what Enron did was legally sound. They hid losses in legal accounting maneuvers. But was it ethical? Shareholders and employees were deceived into believing the company was worth more than it really was and lost millions of dollars when the truth hit.

Even to look at Michael Jackson's nose... There is no law stopping a plastic surgeon from repeatedly resizing Jacko's nose as many times as he wants, but is it ethical? At what point does the potential damage to a patient outweigh the patient's desires and the doctor's need for cash?

Ethics isn't easy, but it certainly isn't as black and white as "if it's legal, it's ethical."

--


"The samaritans parable obviously missed the bit where jizzbug ... kicked the crap out of the guy "just to see if he could do it, you know, to test if the law was perfect and all"." -- Craevenwulfe
[ Parent ]
Which Software Is OK or Faulty? (4.00 / 1) (#204)
by SEWilco on Wed Dec 04, 2002 at 10:10:00 AM EST

OK, so which store software has faults and which does not?

Some people have mentioned specific software, scattered within various responses. Drop your comments here with the software name and OK/Not OK in the Subject line.

Zoovy: OK / PayPal: NOT OK (none / 0) (#272)
by KILNA on Fri Dec 06, 2002 at 04:09:42 AM EST

PayPal: NOT OK
Zoovy (my employer): OK (though you can force a compatibility mode with some "soft cart" software, it is not enabled by default and we strongly discourage it)


[ Parent ]
IMHO (4.50 / 2) (#217)
by jd on Wed Dec 04, 2002 at 12:20:23 PM EST

I cannot seriously consider any system that advertises what information is important as "secure". To me, secure includes the implicit requirement of not telling half the world when a credit card transaction takes place.

This, however, would require that the entire site be accessed via IPSec, SSL or some other secure process.

It also requires that users have client-side certificates - dispensed by the shop, possibly. OpenCA is hardly a massive overhead.

Why all this security? Because identity theft is becoming increasingly common, and humans are generally incompetent at using/remembering good passwords. Because, no matter how good an algorithm or implementation is, there may be flaws. If you don't differentiate your pop-up ads from your personal data, it becomes much harder to steal information.

Then, there's the problem with insecure servers. All the encryption in the world isn't going to help, if the root password is "password", and the credit card numbers are in plain text.

E-Commerce needs tough security. It should be impossible for a cracker to access credit card data. The web server should not contain such data. If you want to make things simple for the user, fine! Keep the personal data on a different computer, and have ALL access to that server be through a write-only connection.

None of these things are hard. Given the cost of a T1, T3 or T4 line, they're not expensive, either. But they can avoid "Yet Another Hundred Thousand Cards/Identities/Egos Stolen" scandal.

Let's not even get into the legal arguments... (4.60 / 5) (#225)
by Dephex Twin on Wed Dec 04, 2002 at 01:51:06 PM EST

This was touched on by some other people in different places in the discussion, but I think the following is an important point.

You have claimed what you did is publicly available, required little effort, and an accepted situation (i.e. this takes place in catalog orders).  Yet, at the same time, you wrote an article here and had something published in 2600.  But I thought this required no extraordinary effort and is something that the merchant should have known about (since it *is* publicly available).  If you are writing to a _techie_ website such as K5, and it is supposed to be news to _us_, why would you, in good faith, believe that the (not-expected-to-be-techie) merchant should know such an exploit exists?

Secondly, you discuss your act in an article talking about e-commerce *security* and you use the words "hole" and "exploit" to talk about it.  Either it is a hole/exploit, or it is a publicly available and legitimate way of carrying out a transaction.  Pick one.  Of course, now you either don't get to feel clever or you have to feel morally wrong.

You are using cognitive dissonance so that your sense of "I am so clever, I got away with it!" doesn't have to come to terms with your morals, because you defrauded this company.  And your fear of getting caught has caused you to attempt to rationalize your behavior and deflect as much as possible any indication that this is clearly illegal.

You struggle with the question of whether your act was legal/moral in the article.  It's pretty obvious even you don't believe that what you did was okay, but you *desperately* want to.


Alcohol: the cause of, and solution to, all of life's problems. -- Homer Simpson

The most interesting thing about this... (5.00 / 2) (#241)
by KILNA on Wed Dec 04, 2002 at 03:44:29 PM EST

...are the people defending the morality of actions which are so clearly wrong. One person used intentional deception to trick another into conceding something they usually wouldn't. This is so obviously wrong. And yet there are many here trying to rationalize the morality of it because the security was weak, or there is a precedent in marginally similar catalog sales. A precedent that I had never heard of before, and I have made a lot of catalog orders in my time. Just because it may not be illegal to deceive me in certain cases, does not make it right for you to do so. My using telnet vice ssh does not give you the moral right to enter my server. Person A took advantage of person B, period.

Aside from the morals I think that legally they'd have a hard time in front of a court. It is a self-evident act of bad faith, and deliberately entering into commerce in bad faith has civil and often criminal repercussions.



[ Parent ]
Using a system the way it was intended to be used (5.00 / 2) (#251)
by zvpunry on Wed Dec 04, 2002 at 05:01:57 PM EST

Right. He used the system in a way inconsistent with its expected, stated means of using it. Never mind that it was insecure: you don't secure your servers because the law says it's perfectly legitimate for anybody to exploit your system and get away with it. No, the law says the contrary. You secure your servers because sometimes it's damned difficult--often impossible--to prosecute and receive full compensation for the damage done, no matter what the legal consequences are for the criminal.

Similarly, in this case, the merchant had a responsibility to implement a reasonable e-commerce solution NOT because it's perfectly OK for any K5er/Slashdotter to offer themselves an 80% discount on their products, but because they can get taken for a lot of money and probably won't get but pennies on the dollar even if every criminal were prosecuted and convicted. Never mind that their reputation could be ruined.

It's the same reason you take your keys out of the car and lock the doors when you enter a restaurant. Not because the law says, "Anybody taking possession of another's car, with the keys inside and the motor running, shall be deemed the legal owner of said vehicle, and should be immediately granted full access to spare keys and maintenance records. Failure to file records of title transfer at the DMV within fifteen days shall constitute a violation of the law, and the prior owner fined $300, or imprisoned for thirty days, or both." No, the law doesn't say that, now does it?

If this story is real (I have doubts at this point), the poster broke the law.

Now where's the story on "HOW-TO Turn in a K5 Criminal."? ;-)

[ Parent ]

If it's theft.... (2.00 / 1) (#247)
by railruler on Wed Dec 04, 2002 at 04:39:48 PM EST

how then are consumers supposed to exercise their right to haggle?

I think this is more like a country-road unmanned "honor system" vegetable stand. Prices are listed but nobody's there enforcing them. There's nobody to haggle with.

What would happen if someone modified the HTTP stream to submit a "bid" and then notified customer service that he had done so, telling them to feel free to cancel the order if they felt it was unfair?

Haggling (5.00 / 2) (#250)
by Dephex Twin on Wed Dec 04, 2002 at 05:01:10 PM EST

how then are consumers supposed to exercise their right to haggle?

By having both parties know they are haggling. If you haggle with someone for some collectible plate, and it turns out later that plate was worth 10x what the merchant sold it to you for, you've done some shrewd haggling. If you tell him "one of your associates promised me this item at a really low price a couple days ago", that's not haggling. That's one person trying to take advantage of the other.

What would happen if someone modified the HTTP stream to submit a "bid" and then notified customer service that he had done so, telling them to feel free to cancel the order if they felt it was unfair?

Why not ask first? Then nobody will get confused.


Alcohol: the cause of, and solution to, all of life's problems. -- Homer Simpson
[ Parent ]
I have to think... (2.50 / 2) (#254)
by ColeH on Wed Dec 04, 2002 at 05:13:58 PM EST

That the only people supporting this kind of theft are not supporting themselves. That is usually what leads to the mentality of 'It isn't illegal so it is ok'.

OWASP (5.00 / 1) (#273)
by Alhazred on Sun Dec 08, 2002 at 11:22:09 AM EST

You might want to check out www.owasp.org, the "Open Web Application Security Project", which is an organization whose mission in life is to provide information about web application security practices, develop testing regimens, and to promulgate good standard practices in the industry.

The application you describe is unfortunately all too common. Very few web-based applications are even remotely close to secure! The list of possible ways to compromise your average shopping cart is dishearteningly long.

Just as a sample of the possibilities...

  • Modification of state information - this is the attack you chose to illustrate, where information relevant to the state of the application is modified by the client. Best practice would of course be never to store any state information at the client, or at least to verify its integrity on resubmission. (I.e., you would not believe the prices the client software submits to you, you would look them up again.)
  • Order/Session hijacking - You will be amazed at how many systems simply pass back an incrementing number as the "order id" or "session id", making it extremely easy to alter this value and assume control of someone else's session. In the case of carts it is often quite easy to then submit alterations to an order, like changing the address someone's stuff gets shipped to...
  • SQL injection attacks - These are VERY common. They consist of submitting values for form parameters which when interpolated into SQL (the language used by database servers) result in unintended operations. These can be extremely effective attacks and though they are quite technical in nature turn out to be very easy to implement and almost 100% of web applications that use a database are vulnerable.
  • Cross Site Scripting attacks - These have been historically the most popular. For instance you could analyze the backend admin section of a shopping cart and you might determine that submitting a particular form on one page will get your order approved, you could then insert something like <script>some evil javascript to submit the form goes here</script> into some field (address, a comment, etc.). Most systems will happily allow this and when the admin views your order your javascript commands his browser to submit the form he's viewing.
  • etc. There are probably a dozen other types of attacks, including "HTML Injection", various encoding hacks, log file injection attacks...

All of this comes to the point of, if you are a merchant or tech person working on e-commerce systems, INSIST that any shopping cart system you use has been tested to OWASP standards and was designed from the ground up with security in mind. Unfortunately right now I can't recommend ANY existing Open Source cart as meeting these standards. Forgive me if you have one that does, I certainly haven't reviewed them all, but the vast majority are completely lame!


That is not dead which may eternal lie And with strange aeons death itself may die.
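The first four items in the list above, as an added example that is neither the commenter's code nor anything from OWASP or from the cart software the article tested: a checkout handler written the way the comment warns against (it believes the price the browser sent) beside a hardened version that looks the price up again server-side, issues unpredictable session ids instead of an incrementing counter, writes the order with a parameterised query so quotes in a comment field cannot alter the SQL, and escapes customer text before it reaches the admin page. The request dicts stand in for parsed HTTP POST parameters; the catalogue, the SQLite schema, the field names and the quantity limit are all constructed for this example.

```python
"""Added example: client-trusting checkout beside a hardened one.

Form dicts model the decoded GET/POST parameters a cart receives.  Everything
below (catalogue, schema, limits) is constructed for illustration.
"""
import html
import secrets
import sqlite3

# Server-side catalogue: the only source of truth for prices (constructed).
CATALOG = {"SKU-100": ("Widget", 2500), "SKU-200": ("Gadget", 9900)}  # cents


def insecure_total(form):
    """Trusts every field the browser sent, including the price."""
    return int(form["price"]) * int(form["qty"])


def secure_total(form):
    """Re-derives the price from the catalogue; rejects unknown items and
    out-of-range quantities rather than believing the client's numbers."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown catalog number")
    qty = int(form.get("qty", "0"))
    if not 1 <= qty <= 99:                 # limit is an assumed business rule
        raise ValueError("quantity out of range")
    return CATALOG[sku][1] * qty


def is_rejected(form):
    """True if the hardened handler refuses this order."""
    try:
        secure_total(form)
    except ValueError:
        return True
    return False


def new_session_id():
    """Unpredictable session/order id.  An incrementing counter, as the
    comment describes, lets one customer guess another's id."""
    return secrets.token_urlsafe(32)


def open_db():
    """In-memory orders table standing in for the cart's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (session TEXT, sku TEXT, qty INTEGER,"
               " total INTEGER, comment TEXT)")
    return db


def secure_insert(db, session, form, total):
    """Parameterised query: values are bound, never spliced into the SQL text,
    so quotes or comment markers in a field stay literal data."""
    db.execute("INSERT INTO orders VALUES (?, ?, ?, ?, ?)",
               (session, form["sku"], int(form["qty"]), total,
                form.get("comment", "")))


def render_comment_for_admin(comment):
    """Escape customer text before placing it in the admin page, so a script
    tag typed into an address or comment field is displayed, not executed."""
    return "<td>%s</td>" % html.escape(comment, quote=True)


def demo():
    """Process one tampered request both ways and collect the outcomes."""
    # A browser that rewrote the price field and typed an apostrophe and a SQL
    # comment marker into the free-text field (constructed input).
    tampered = {"sku": "SKU-200", "qty": "1", "price": "1",
                "comment": "O'Brien; leave at door -- thanks"}
    results = {
        "insecure_total": insecure_total(tampered),   # 1 cent: client wins
        "secure_total": secure_total(tampered),       # 9900: catalogue wins
    }
    db = open_db()
    secure_insert(db, new_session_id(), tampered, results["secure_total"])
    results["rows"] = db.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
    results["stored_comment"] = db.execute(
        "SELECT comment FROM orders").fetchone()[0]
    results["admin_cell"] = render_comment_for_admin(
        "<script>alert(1)</script>")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

The contrast in `demo()` is the whole article in miniature: the same form that gets a one-cent order through `insecure_total` produces the catalogue price through `secure_total`, because the hardened handler treats the client's copy of the price as nothing more than a hint about which product was meant.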
Paper (5.00 / 1) (#274)
by GreenHell on Sun Dec 08, 2002 at 08:44:56 PM EST

I was originally writing up a great big comment regarding this, but my machine froze, and I can't be bothered anymore.

Anyways, the gist of it:
A really good paper on the subject (or rather, a possible solution) from The Eleventh International World Wide Web Conference (WWW2002)

-GreenHell
This .sig was my last best hope to seem eloquent. It failed.
Another common exploit... (3.00 / 1) (#275)
by Scratch o matic on Sun Dec 08, 2002 at 09:19:51 PM EST

is to switch the price tags on merchandise in a store. A small store, commonly referred to as a "mom and pop operation," would be best because they are less likely to have barcode scanning. If they notice the switch and don't accept your "offer," you can revisit the same store a few weeks later and just try slipping the merchandise into your jacket. Again, the mom and pop operation is best because they are less likely to have a security scanner at the door. Good luck!

Oh, and fuck Mom and Pop if they don't notice.

The Current State of E-commerce Security | 275 comments (270 topical, 5 editorial, 1 hidden)