
United Airlines awards hackers millions of miles for revealing risks - doppp
http://www.reuters.com/article/2015/07/16/us-cybersecurity-airmiles-idUSKCN0PQ0A320150716
======
Tiksi
Taking a quick look at [http://www.united.com/web/en-US/apps/mileageplus/awards/trav...](http://www.united.com/web/en-US/apps/mileageplus/awards/travel/awardTravel.aspx)
it seems 1 million miles ~= $3000-$12000 depending on destination, date, etc.
It doesn't seem all that bad of a deal, except plenty of people don't fly often
enough to even make use of this, and you have to fly United, which for me would
kill all the value.

~~~
notauser
You can use United miles to buy tickets on Thai, Lufthansa and ANA, all of
which are superb.

(I used my last lot on two first class tickets to Tokyo which would have cost
a lot more than $12k each if bought for cash.)

~~~
Tiksi
Well then I suppose it might be worth it. I've had great experiences on
Lufthansa the few times I've flown on it; one time the plane was entirely
empty except for our group of 5, so we had a 747 to ourselves.

~~~
jon-wood
I don't know if that's awesome or terrible.

I can totally see the appeal of flying in an almost empty 747, but at least
according to this source[1] that makes a truly shocking 1MPG between the five
of you. I can't help thinking the world would be a bit better off if they'd
just apologised, and put you on the next flight.

[1]
[http://science.howstuffworks.com/transport/flight/modern/que...](http://science.howstuffworks.com/transport/flight/modern/question192.htm)

~~~
mseebach
I think the hundreds of passengers waiting to board the aircraft wherever
that flight was going might have a problem with that.

Sometimes the sizes of the passenger streams between two destinations aren't
perfectly in balance. This is most clearly visible on shuttle services between
a small and a large city - busy going to the large city in the morning and to
the small city in the evening, and semi empty in the opposite directions.

Also seasonal flights - the first flight of the season to depart the
destination (and the last to arrive) will often be pretty lightly loaded.

When that situation arises, you will need to reposition a less-than-full
aircraft, otherwise your operations obviously fall apart. The GP clearly
experienced an extreme case of this, but most likely that aircraft was being
filled up at its next departure, and so needed to be there.

This is obviously expensive for airlines, so they try all they can to fill up
these flights - which explains that the cheapest tickets are often on times
that will be slightly odd or inconvenient, at least to business travellers.

~~~
jlittel
My roommate is a flight attendant - he informed me of the term for transporting
passenger-less commercial planes: "ferrying".

------
drallison
The rules of the bug bounty program disallowed many of the usual red team
approaches to finding possible exploits.

 _Attempting any of the following will result in permanent disqualification
from the bug bounty program and possible criminal and/or legal investigation.
We do not allow any actions that could negatively impact the experience on our
websites, apps or online portals for other United customers._

    .. Brute-force attacks
    .. Code injection on live systems
    .. Disruption or denial-of-service attacks
    .. The compromise or testing of MileagePlus accounts that are not your own
    .. Any testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi
    .. Any threats, attempts at coercion or extortion of United employees, Star Alliance member airline employees, other partner airline employees, or customers
    .. Physical attacks against United employees, Star Alliance member airline employees, other partner airline employees, or customers
    .. Vulnerability scans or automated scans on United servers (including scans using tools such as Acunetix, Core Impact or Nessus)

One can hope that the bad guys are similarly polite. And, as you would expect,
the United security folks did not see the irony of their restrictions when it
was pointed out to them.

~~~
tptacek
These seem like pretty standard bug bounty terms. "Find bugs, but don't
disrupt production systems trying to exploit them to find more".

The last bullet addresses a problem everyone has with bounties and scanners,
which is that (a) they don't work and (b) they generate loads of bogus
findings that the people who pirate the scanners then demand bounties for.

~~~
nowey
Reminds me of the guy who found the Starbucks gift card exploit and decided to
test it _live_. That got him the lawsuit.

~~~
psykovsky
Only way to be sure it exists is to test it live.

~~~
lojack
Not only did he test it live, but he used the gift card to purchase items.
Could have easily walked in and checked the balance without purchasing
anything.

~~~
an_ko
To be fair, his purchase was relatively inexpensive, did not significantly
disrupt other customers or otherwise compromise the system, and served to test
that the balance was _actually available_, not just displayed.

Just deduct the price of the sandwiches from the bounty reward?

------
CPLX
I've been very confused about the really negative sniping responses to this
program saying the miles aren't worth much.

A million frequent flier miles via a major alliance airline is a very, very
sweet prize. That's enough for a person to fly themselves and their spouse to
basically anywhere on the planet in business class five times, round trip.

~~~
icelancer
Business class international on Delta is far more than that. I know, I fly
Delta first-class often enough and that's ~100k/roundtrip domestic. So that
would be five first-class domestic flights for me and a partner at 1MM miles.
Business class international? Might get one roundtrip flight between the two
of us with some leftover miles for domestics.

~~~
driverdan
That's because Delta SkyPesos suck.

~~~
icelancer
They all suck. It's a race to the bottom. Delta is at least upfront about it
and their FF program IMO is overall the best (behind American) depending on
your geographic location and actual desire to fly (and not run miles like your
life depended on it).

------
adventured
"The cost can be less than hiring outside consultancies."

It's probably ten times cheaper when you consider the per mile cost to the
airline. United could hardly be getting a better deal.

~~~
draugadrotten
Maybe UA get a kick-back from the agencies as well, since flying
(international) would give the agencies identities, photos, fingerprints and a
right to search the luggage of interesting hackers.

~~~
jon-wood
Sorry that you're the one to get the brunt of this, but I'm really bored of
the NSA snark on unrelated articles. Yes, we get that they've done some
terrible things. No, they didn't set up UA's security disclosure program in
some sort of obscure conspiracy to get hold of hackers' passport numbers.

~~~
JupiterMoon
On balance I probably agree that this particular scheme is unlikely to be an
NSA scheme.

However, if we learned anything from Snowden it is to err on the side of
assuming that if it is possible then the NSA will eventually try to do it - and
this definitely includes forcing US companies to act on their behalf. So
post-Snowden the derogatory slur of "obscure conspiracy" doesn't carry so much
weight.

------
jvehent
I guess creating a bug bounty program is an easier way of pretending that you
care than actually fixing your broken TLS...

    $ ./cipherscan united.com
    prio  ciphersuite             protocols              pfs                 curves
    1     RC4-SHA                 TLSv1,TLSv1.1,TLSv1.2  None                None
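
The scan output above shows RC4-SHA as the server's top-priority suite, with no forward secrecy and offered over TLS 1.0 and 1.1. As an added example that is not part of this thread and not cipherscan's own code, here is a small Python checker that parses that table format and flags what a defender would report: RC4 and other broken constructions, suites without PFS, and legacy protocol versions. It goes a little beyond the single row quoted: the first table adds a constructed second row, the second table is a hypothetical hardened server, and the classification rules are this example's own assumptions about OpenSSL-style suite names.

```python
"""Audit a cipherscan-style suite table for weak TLS configuration.

Added example, not cipherscan's own code. Both tables below are constructed:
the first mirrors the united.com row quoted in the comment plus a second row,
the second is a hypothetical hardened server. The weakness rules are this
example's own classification of OpenSSL-style suite names.
"""
import re
from dataclasses import dataclass

# Constructed sample: row 1 mirrors the united.com result quoted above.
LEGACY_SERVER = """\
prio  ciphersuite             protocols              pfs                 curves
1     RC4-SHA                 TLSv1,TLSv1.1,TLSv1.2  None                None
2     AES128-SHA              TLSv1,TLSv1.1,TLSv1.2  None                None
"""

# Constructed sample: what a hardened server's table might look like.
HARDENED_SERVER = """\
prio  ciphersuite                  protocols  pfs                 curves
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2    ECDH,P-256,256bits  prime256v1
2     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2    ECDH,P-256,256bits  prime256v1
"""

# Suite-name patterns that mark a suite as weak, with the reason to report.
WEAK_SUITE_RULES = [
    (re.compile(r"RC4"), "RC4 keystream biases; TLS use prohibited by RFC 7465"),
    (re.compile(r"DES-CBC3|3DES"), "3DES has a 64-bit block (Sweet32)"),
    (re.compile(r"(?<!3)DES-CBC-|EXP-|EXPORT"), "single DES or export-grade key size"),
    (re.compile(r"NULL|ADH|AECDH"), "no encryption or no server authentication"),
    (re.compile(r"-MD5$"), "MD5-based MAC"),
]

# Protocol versions deprecated for TLS (SSLv2/SSLv3; TLS 1.0 and 1.1 by RFC 8996).
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


@dataclass
class Suite:
    prio: int
    name: str
    protocols: list
    pfs: str
    curves: str


def parse_cipherscan(text):
    """Parse the whitespace-separated table into Suite rows, skipping the header."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].isdigit():
            continue  # header or blank line
        suites.append(Suite(int(parts[0]), parts[1], parts[2].split(","), parts[3], parts[4]))
    return suites


def audit(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for s in parse_cipherscan(text):
        tag = f"prio {s.prio} {s.name}"
        for pattern, reason in WEAK_SUITE_RULES:
            if pattern.search(s.name):
                findings.append(f"{tag}: {reason}")
        if s.pfs == "None":
            findings.append(f"{tag}: no forward secrecy (no ephemeral key exchange)")
        legacy = sorted(LEGACY_PROTOCOLS.intersection(s.protocols))
        if legacy:
            findings.append(f"{tag}: offered over legacy protocol(s) {','.join(legacy)}")
    return findings


def preferred_suite_is_weak(text):
    """True if the top-priority suite (what most clients will negotiate) is flagged."""
    suites = parse_cipherscan(text)
    if not suites:
        return True  # nothing parsed: treat as a failed audit, not a pass
    top = min(suites, key=lambda s: s.prio)
    return any(f.startswith(f"prio {top.prio} {top.name}") for f in audit(text))


if __name__ == "__main__":
    for label, table in (("legacy", LEGACY_SERVER), ("hardened", HARDENED_SERVER)):
        print(f"== {label}: preferred suite weak = {preferred_suite_is_weak(table)}")
        for finding in audit(table) or ["no findings"]:
            print("  ", finding)
```

The priority-1 row matters most because it is the suite a modern client will actually end up with when the server enforces its own preference order, so the checker reports that separately from the full list of findings.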

~~~
psykovsky
How will the NSA/CIA get "unofficial" access to the travellers' data if they
step up their encryption?

~~~
saryant
Why would they need to get it from United when the government already has it
through TSA SecureFlight?

~~~
geofft
I love how everyone is focused on the NSA and CIA as threats, to the exclusion
of all other possible threats. If the US government wants to steal my credit
card number, _they can just tax me_, that's a legitimate power they have. If
they want to stop me from going somewhere, _they can just arrest me at the TSA
checkpoint_. Setting up a MITM and breaking TLS, while possible, is way too
much effort to gain something they can already gain in a perfectly
straightforward way. It's like killing ants on the White House lawn by
poisoning them via fracking.

The threat model for bugs in United is primarily non-governmental thieves.

------
kendallpark
This is a fantastic idea. A great deal for both parties. Even if you have to
fly United. If you're really that averse to being in the air for a few hours
on a United plane you can probably use the miles for gifts. Get grandma a
ticket to visit her grandchildren for her birthday or something.

------
ajays
FTA: United unveiled the approach in May just weeks before technological
glitches grounded its entire fleet twice, underscoring the risks that airlines
face.

Hmm, makes me wonder: could the glitches have been caused by some "hackers"
doing testing?

~~~
X-Istence
Supposedly the downtime was due to a routing issue:

[https://www.reddit.com/r/networking/comments/3cme3b/a_route_...](https://www.reddit.com/r/networking/comments/3cme3b/a_route_leaking_misconfig_took_united_airlines/)

------
CyberDildonics
If they really wanted to thank them they would have given them miles to a
different airline.

------
kriro
Do you have to pay taxes on using the miles?

~~~
ghaff
Interesting question. The answer seems to be unclear. According to this
article
[http://www.forbes.com/sites/kellyphillipserb/2014/08/28/tax-...](http://www.forbes.com/sites/kellyphillipserb/2014/08/28/tax-court-sides-with-irs-in-tax-treatment-of-frequent-flyer-miles-issued-by-citibank/)
miles given as "thank you points" can be taxable although there
doesn't seem to be a definitive rule.

Previously the IRS more or less said that they weren't going to pursue any
enforcement of frequent flyer miles obtained in the usual manner.
[http://www.journalofaccountancy.com/issues/2012/aug/20125796...](http://www.journalofaccountancy.com/issues/2012/aug/20125796.html)

------
nraynaud
that's a lot of broken guitars!

------
jaybna
What a honeypot. Anyone dumb enough to participate would have to fly United.

~~~
vonklaus
> What a honeypot.

How? They didn't dump a list of who is participating but Jordan Wiens was
named and has a public profile and has published security research. I don't
think black hat hackers are decloaking from Tor to take a stab at some airline
miles.

I wouldn't say the people are outright dumb; maybe they enjoy it and have a
vacation lined up. Obviously, it isn't as financially rewarding as other BB
programs, but outside of the compensation it doesn't seem overtly malicious.
What rubs you the wrong way here?

~~~
misterbwong
He's being sarcastic. It's a running joke among frequent fliers that flying
United is almost punishment because they are so bad. So even though you get
the miles, you _actually have to actually fly on United_.

~~~
saryant
Not really. Frequent fliers know you can redeem United miles for flights on
any *A carrier.

------
fapjacks
Phew. Talk about tying two cats together and stuffing them in a pillowcase.
That's how I feel about flying United, free miles or no.

~~~
amelius
But now you can fly with hackers.

~~~
fapjacks
Heh, you're exactly right. I totally forgot about that. I'll be so cool!

------
droopybuns
Offering miles limits the community of bounty hunters to locations served by
United.

Paying out with miles is a fun idea, but the strategy seems fatally flawed to
me.

~~~
JupiterMoon
But this is far cheaper for United than offering cash rewards.

~~~
droopybuns
The lion's share of bug bounty reporters are from overseas.

I can't even remember a single submission from an American in the bounty I'm
involved with.

So in conclusion: if you limit yourself to just that audience, and tempt them
with only miles, most Americans who are competent enough to obtain bug bounty
rewards are making enough money that miles are kind of a dubious incentive. So
sure, you save money, but you get fewer submissions, and you get less return
on investment than a bounty that pays out.

~~~
JupiterMoon
BUT you get the great publicity of being one of the forward-thinking companies
that does bug bounties. Anecdotally many non-programmer people are starting to
understand that bug bounty = good.

