<article>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#article09_11_09_2319233</id>
	<title>Microsoft Tries To Censor Bing Vulnerability</title>
	<author>kdawson</author>
	<datestamp>1257795000000</datestamp>
	<htmltext>An anonymous reader writes <i>"Microsoft's Bing search engine has a vulnerability with its cash-back promotion, which impacts both merchants and customers. In traditional Microsoft fashion, the company has responded to the author of the <a href="http://bountii.com/blog/2009/11/07/surrendering-to-microsoft-and-bing-cashback/">breaking Bing cash-back</a> exploit with a cease &amp; desist letter, rather than by fixing the underlying security problem. It is possible for a malicious user to create fake Bing cash-back requests, resulting in not only fake cash-back costs for the merchant, but also blocking legitimate customers from receiving their cash-back from Bing. The original post is currently <a href="http://cc.bingj.com/cache.aspx?d=4879267570255838&amp;mkt=en-CA&amp;setlang=en-US&amp;w=90157511,9ea4ebc5">available in Bing's cache</a>, although perhaps not for long. But no worries, the author makes it clear that the exploit should be painfully obvious to anyone who reads the <a href="http://www.bing.com/community/blogs/developer/archive/2009/07/15/bing-sdk-available-for-download.aspx">Bing cash-back SDK</a>."</i></htmltext>
<tokenext>An anonymous reader writes " Microsoft 's Bing search engine has a vulnerability with its cash-back promotion , which impacts both merchants and customers .
In traditional Microsoft fashion , the company has responded to the author of the breaking Bing cash-back exploit with a cease &amp; desist letter , rather than by fixing the underlying security problem .
It is possible for a malicious user to create fake Bing cash-back requests , resulting in not only fake cash-back costs for the merchant , but also blocking legitimate customers from receiving their cash-back from Bing .
The original post is currently available in Bing 's cache , although perhaps not for long .
But no worries , the author makes it clear that the exploit should be painfully obvious to anyone who reads the Bing cash-back SDK .
"</tokentext>
<sentencetext>An anonymous reader writes "Microsoft's Bing search engine has a vulnerability with its cash-back promotion, which impacts both merchants and customers.
In traditional Microsoft fashion, the company has responded to the author of the breaking Bing cash-back exploit with a cease &amp; desist letter, rather than by fixing the underlying security problem.
It is possible for a malicious user to create fake Bing cash-back requests, resulting in not only fake cash-back costs for the merchant, but also blocking legitimate customers from receiving their cash-back from Bing.
The original post is currently available in Bing's cache, although perhaps not for long.
But no worries, the author makes it clear that the exploit should be painfully obvious to anyone who reads the Bing cash-back SDK.
"</sentencetext>
</article>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044842</id>
	<title>Re:Solution</title>
	<author>guruevi</author>
	<datestamp>1257864660000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>The simplicity of this hack and the gaping hole in the system suggest that this 'feature' was entirely thought up and created by middle-to-upper management and a grunt working for HR or Accounting to implement it in Excel.</p></htmltext>
<tokenext>The simplicity of this hack and the gaping hole in the system suggest that this 'feature ' was entirely thought up and created by middle-to-upper management and a grunt working for HR or Accounting to implement it in Excel .</tokentext>
<sentencetext>The simplicity of this hack and the gaping hole in the system suggest that this 'feature' was entirely thought up and created by middle-to-upper management and a grunt working for HR or Accounting to implement it in Excel.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043284</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044468</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>Homburg</author>
	<datestamp>1257861600000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><p>I'm not sure how this is a sensible response to a poster complaining about security through obscurity: security through obscurity is exactly the problem here. We use information like SSN and address which are not in any way secret, merely obscure, as a way to supposedly verify identity, and that's why we have so much identity theft. The reason no-one wants to post their SSN and address on Slashdot is precisely because security through obscurity sucks.</p></htmltext>
<tokenext>I 'm not sure how this is a sensible response to a poster complaining about security through obscurity : security through obscurity is exactly the problem here .
We use information like SSN and address which are not in any way secret , merely obscure , as a way to supposedly verify identity , and that 's why we have so much identity theft .
The reason no-one wants to post their SSN and address on Slashdot is precisely because security through obscurity sucks .</tokentext>
<sentencetext>I'm not sure how this is a sensible response to a poster complaining about security through obscurity: security through obscurity is exactly the problem here.
We use information like SSN and address which are not in any way secret, merely obscure, as a way to supposedly verify identity, and that's why we have so much identity theft.
The reason no-one wants to post their SSN and address on Slashdot is precisely because security through obscurity sucks.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044118</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043400</id>
	<title>mirrored post</title>
	<author>lkcl</author>
	<datestamp>1257847140000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>2</modscore>
	<htmltext><p><a href="http://lkcl.net/reports/bing.censorship.attempt" title="lkcl.net">http://lkcl.net/reports/bing.censorship.attempt</a> [lkcl.net] - additional mirrors will be added as i find them.</p></htmltext>
<tokenext>http : //lkcl.net/reports/bing.censorship.attempt [ lkcl.net ] - additional mirrors will be added as i find them .</tokentext>
<sentencetext>http://lkcl.net/reports/bing.censorship.attempt [lkcl.net] - additional mirrors will be added as i find them.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044150</id>
	<title>Re:It's called fraud</title>
	<author>sskinnider</author>
	<datestamp>1257858000000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>And meanwhile, only the other consumers are hurt over this incompetent programming.  The cost of fraud is passed directly to the customer, it does not hurt Microsoft.</htmltext>
<tokenext>And meanwhile , only the other consumers are hurt over this incompetent programming .
The cost of fraud is passed directly to the customer , it does not hurt Microsoft .</tokentext>
<sentencetext>And meanwhile, only the other consumers are hurt over this incompetent programming.
The cost of fraud is passed directly to the customer, it does not hurt Microsoft.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043866</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30045176</id>
	<title>Re:Use microsoft == get screwed</title>
	<author>elrous0</author>
	<datestamp>1257866580000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Actually, I worry a LOT more about Apple than I do about MS in this regard. Apple is MUCH worse at suppressing information about security flaws (and pretty much everything else) and not fixing flaws for a long time than Microsoft EVER was. And don't get me started on how aggressive and sneaky Apple software is compared to just about everyone else (anyone who has ever tried to completely remove iTunes or Quicktime from their system can attest to this). The main advantage Apple has traditionally enjoyed over MS is that Windows is such a popular target. But the idea that MS is uniquely weak or slow on security fixes is just not fair. And considering the number of cease-and-desist letters that come out of Apple each *day*, it's silly to cite MS as being particularly egregious in their secrecy either.</htmltext>
<tokenext>Actually , I worry a LOT more about Apple than I do about MS in this regard .
Apple is MUCH worse at suppressing information about security flaws ( and pretty much everything else ) and not fixing flaws for a long time than Microsoft EVER was .
And do n't get me started on how aggressive and sneaky Apple software is compared to just about everyone else ( anyone who has ever tried to completely remove iTunes or Quicktime from their system can attest to this ) .
The main advantage Apple has traditionally enjoyed over MS is that Windows is such a popular target .
But the idea that MS is uniquely weak or slow on security fixes is just not fair .
And considering the number of cease-and-desist letters that come out of Apple each * day * , it 's silly to cite MS as being particularly egregious in their secrecy either .</tokentext>
<sentencetext>Actually, I worry a LOT more about Apple than I do about MS in this regard.
Apple is MUCH worse at suppressing information about security flaws (and pretty much everything else) and not fixing flaws for a long time than Microsoft EVER was.
And don't get me started on how aggressive and sneaky Apple software is compared to just about everyone else (anyone who has ever tried to completely remove iTunes or Quicktime from their system can attest to this).
The main advantage Apple has traditionally enjoyed over MS is that Windows is such a popular target.
But the idea that MS is uniquely weak or slow on security fixes is just not fair.
And considering the number of cease-and-desist letters that come out of Apple each *day*, it's silly to cite MS as being particularly egregious in their secrecy either.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043180</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30045162</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>madcow_bg</author>
	<datestamp>1257866520000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext>Obligatory quote from The Black Adder:<br><br>Perkins: Oh, your lawyer now, yes sir.  Don't you think that might be a bit<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; of a waste of money, sir.<br><br>Edmund: Not when he's the finest mind in English legal history.  Ever heard<br>
&nbsp; &nbsp; &nbsp; &nbsp; of Bob Mattingburg?<br><br>Perkins: Oh, yes indeed, sir!  A most gifted gentleman!<br><br>Edmund: I remember Mattingburg's most famous case, the case of the bloody knife.<br>
&nbsp; &nbsp; &nbsp; &nbsp; A man was found next to a murdered body, he had the knife in his hand,<br>
&nbsp; &nbsp; &nbsp; &nbsp; thirteen witnesses that seen him stab the victim, when the police<br>
&nbsp; &nbsp; &nbsp; &nbsp; arrived he said, "I'm glad I killed the bastard."  Mattingburg not<br>
&nbsp; &nbsp; &nbsp; &nbsp; only got him off, but he got him knighted in the New Year's Honors<br>
&nbsp; &nbsp; &nbsp; &nbsp; list, and the relatives of the victim had to pay to have the blood<br>
&nbsp; &nbsp; &nbsp; &nbsp; washed out of his jacket.
	</htmltext>
<tokenext>Obligatory quote from The Black Adder : Perkins : Oh , your lawyer now , yes sir .
Do n't you think that might be a bit           of a waste of money , sir . Edmund : Not when he 's the finest mind in English legal history .
Ever heard         of Bob Mattingburg ? Perkins : Oh , yes indeed , sir !
A most gifted gentleman ! Edmund : I remember Mattingburg 's most famous case , the case of the bloody knife .
        A man was found next to a murdered body , he had the knife in his hand ,         thirteen witnesses that seen him stab the victim , when the police         arrived he said , " I 'm glad I killed the bastard .
" Mattingburg not         only got him off , but he got him knighted in the New Year 's Honors         list , and the relatives of the victim had to pay to have the blood         washed out of his jacket .</tokentext>
<sentencetext>Obligatory quote from The Black Adder: Perkins: Oh, your lawyer now, yes sir.
Don't you think that might be a bit
          of a waste of money, sir. Edmund: Not when he's the finest mind in English legal history.
Ever heard
        of Bob Mattingburg? Perkins: Oh, yes indeed, sir!
A most gifted gentleman! Edmund: I remember Mattingburg's most famous case, the case of the bloody knife.
        A man was found next to a murdered body, he had the knife in his hand,
        thirteen witnesses that seen him stab the victim, when the police
        arrived he said, "I'm glad I killed the bastard.
"  Mattingburg not
        only got him off, but he got him knighted in the New Year's Honors
        list, and the relatives of the victim had to pay to have the blood
        washed out of his jacket.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044776</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30045774</id>
	<title>The masses will probably still flock to Bing</title>
	<author>gearloos</author>
	<datestamp>1257869580000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>It really doesn't matter. Seems like the dumber the m$oft coder, the more people migrate to it. You can't fix stupid.</htmltext>
<tokenext>It really does n't matter .
Seems like the dumber the m $ oft coder , the more people migrate to it .
You ca n't fix stupid .</tokentext>
<sentencetext>It really doesn't matter.
Seems like the dumber the m$oft coder, the more people migrate to it.
You can't fix stupid.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044688</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>IsThisWorking</author>
	<datestamp>1257863580000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>5</modscore>
	<htmltext><p><a href="http://en.wikipedia.org/wiki/Security_through_obscurity" title="wikipedia.org" rel="nofollow">Security through obscurity</a> [wikipedia.org] is not about relying on secrecy of data, but about relying on secrecy of the algorithm or implementation. Those two things are different.</p><p>If you do not make the distinction between data/information secrecy and design/algorithm/protocol/implementation secrecy, then you do not understand what security is.</p></htmltext>
<tokenext>Security through obscurity [ wikipedia.org ] is not about relying on secrecy of data , but about relying on secrecy of the algorithm or implementation .
Those two things are different . If you do not make the distinction between data/information secrecy and design/algorithm/protocol/implementation secrecy , then you do not understand what security is .</tokentext>
<sentencetext>Security through obscurity [wikipedia.org] is not about relying on secrecy of data, but about relying on secrecy of the algorithm or implementation.
Those two things are different. If you do not make the distinction between data/information secrecy and design/algorithm/protocol/implementation secrecy, then you do not understand what security is.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044118</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044248</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>commodore64_love</author>
	<datestamp>1257859320000</datestamp>
	<modclass>Troll</modclass>
	<modscore>0</modscore>
	<htmltext><p>&gt;&gt;&gt;I fail to see how releasing this type of information is a bad thing.</p><p>I do.  Just as we trust the government to take care of us, we need to trust Microsoft to do the right thing.  Microsoft's leaders and the government's leaders are honorable men whose only desire is to see us succeed as human beings.</p><p>/end sarcasm</p></htmltext>
<tokenext>&gt; &gt; &gt; I fail to see how releasing this type of information is a bad thing . I do .
Just as we trust the government to take care of us , we need to trust Microsoft to do the right thing .
Microsoft 's leaders and the government 's leaders are honorable men whose only desire is to see us succeed as human beings .
/end sarcasm</tokentext>
<sentencetext>&gt;&gt;&gt;I fail to see how releasing this type of information is a bad thing. I do.
Just as we trust the government to take care of us, we need to trust Microsoft to do the right thing.
Microsoft's leaders and the government's leaders are honorable men whose only desire is to see us succeed as human beings.
/end sarcasm</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043120</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043456</id>
	<title>I'm not interested in fixing the bug...</title>
	<author>da5idnetlimit.com</author>
	<datestamp>1257847980000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Just interested in keeping the extra income 8)</p></htmltext>
<tokenext>Just interested in keeping the extra income 8 )</tokentext>
<sentencetext>Just interested in keeping the extra income 8)</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043120</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043244</id>
	<title>Re:Use microsoft == get screwed</title>
	<author>Anonymous</author>
	<datestamp>1257844560000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>In this case, it's Microsoft getting screwed by Microsoft. They are on the verge of paying, or have already paid, $2000 out-of-pocket to a guy who did a simple GET.</p><p>Entirely Microsoft's problem - except it'll become the guy's problem when he gets prosecuted for fraud. Faking a $100k transaction is not a smart move. The $1 transaction is a perfectly fine proof-of-concept.</p></htmltext>
<tokenext>In this case , it 's Microsoft getting screwed by Microsoft .
They are on the verge of paying , or have already paid , $ 2000 out-of-pocket to a guy who did a simple GET . Entirely Microsoft 's problem - except it 'll become the guy 's problem when he gets prosecuted for fraud .
Faking a $ 100k transaction is not a smart move .
The $ 1 transaction is a perfectly fine proof-of-concept .</tokentext>
<sentencetext>In this case, it's Microsoft getting screwed by Microsoft.
They are on the verge of paying, or have already paid, $2000 out-of-pocket to a guy who did a simple GET. Entirely Microsoft's problem - except it'll become the guy's problem when he gets prosecuted for fraud.
Faking a $100k transaction is not a smart move.
The $1 transaction is a perfectly fine proof-of-concept.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043180</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30045058</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>drinkypoo</author>
	<datestamp>1257865860000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>you are presumed guilty, and it's your job to prove innocence.</p> </div><p> Destroying any checks paid/returning any electronic payments should prove intent nicely.</p>
	</htmltext>
<tokenext>you are presumed guilty , and it 's your job to prove innocence .
Destroying any checks paid/returning any electronic payments should prove intent nicely .</tokentext>
<sentencetext>you are presumed guilty, and it's your job to prove innocence.
Destroying any checks paid/returning any electronic payments should prove intent nicely.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044268</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043076</id>
	<title>And now thanks to /. and microsoft</title>
	<author>Anonymous</author>
	<datestamp>1257885180000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><p>it will probably be all over the rest of the internet and general common knowledge within the week.</p></htmltext>
<tokenext>it will probably be all over the rest of the internet and general common knowledge within the week .</tokentext>
<sentencetext>it will probably be all over the rest of the internet and general common knowledge within the week.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043866</id>
	<title>It's called fraud</title>
	<author>Anonymous</author>
	<datestamp>1257854340000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><p>This is called "fraud". Look it up. It's been around for a long time, a lot longer than HTTP. There are standard business practices for dealing with it. Not all of them are technical. This system's technical defenses are probably sufficient to raise an alarm (delayed by a few weeks as the results are collated), and it will produce a pretty good paper trail leading to the owner of the Bing account. Some of the systems take into account minor details such as the existence of accountants, a police force, a paper trail, and a legal system. Obviously some stronger technical measures might have made it a bit more difficult to pull off this particular fraud, or maybe it might have even stopped it, but the non-technical measures will also work just fine if they are called into play.</p><p>Whether or not the door is obviously guarded, it's still illegal to steal stuff from a store. The fact that the door was not protected with the latest and greatest in RFID theft detection systems doesn't change the fact that what you are doing is illegal. And perhaps the tracking process is slower than what you see in movies, people still get tracked down and arrested, days or weeks after the event. Moving from the streets onto the Internet doesn't really change the rules much (except that your case will probably wind up with Federal jurisdiction).</p><p>In this case, the poor "hacker" (I wish him/her luck!) appears to have done the following:<br>1. Used a specially formatted HTTP request to get a small fabricated purchase to show up as credited to his/her Bing account.<br>2. Noticed that the cash back did show up with no problem as "available for withdrawal".<br>3. Tried again with a much larger purchase. Again the purchase shows up in his account.<br>4. 
Hacker is hoping that the amount will soon become available for withdrawal.</p><p>On the other side of the world, the accounting systems for Microsoft and the associated merchant have likely compared invoices and noticed the discrepancies. The small ones got noted, but they were thrown out as "somebody is playing with the system, but it's not worth dealing with it". But this month, when going over the books, they're going to find a nice big 100,000 item that doesn't match up with any purchase recorded on the store's official records. However, they do have the account number of the buyer that should be getting the cash back. I'm not sure what typically happens at this point, but it probably involves cancelling dinner for the wolf pack so that by the time they're ready to send out the posse, the wolves are hungry.</p><p>In this case, Microsoft has apparently (I haven't looked into this) provided an API by which a store can report a sale and attribute the sale to a particular Bing account. The API has varying levels of security, depending on how much effort the store wants to put into preventing fake transactions from entering the system. Low effort might be fine and takes less time to set up, but it's easier to attack and that means more work to do when reconciling the accounts. Just like many other mechanisms for quickly distributing non-critical information between merchants, this isn't meant to be the authoritative information transmission system, just a way for people to keep status on accounts in between the regularly-scheduled account reconciliations. This way Bing can update your account balance within seconds of the purchase. Of course, the payback won't happen until they've gone back and checked Microsoft's records against the merchant's records and pulled out any differences. The differences go to the auditor and possibly to the police or FBI.</p><p>Could we maybe just think for a second before acting like jerks? Being a jerk means everybody suffers. 
I mean, just because I see a way to deface somebody's website doesn't mean I am obligated to do so. I walk by 100 cars a day, and I could easily spray shaving cream all over them and not get caught. But if everybody did that, quality of life would go down for everybody. Same thing on the internet.</p><p>I hate this attitude out there th</p></htmltext>
<tokenext>This is called " fraud " .
Look it up .
It 's been around for a long time , a lot longer than HTTP .
There are standard business practices for dealing with it .
Not all of them are technical .
This system 's technical defenses are probably sufficient to raise an alarm ( delayed by a few weeks as the results are collated ) , and it will produce a pretty good paper trail leading to the owner of the Bing account .
Some of the systems take into account minor details such as the existence of accountants , a police force , a paper trail , and a legal system .
Obviously some stronger technical measures might have made it a bit more difficult to pull off this particular fraud , or maybe it might have even stopped it , but the non-technical measures will also work just fine if they are called into play . Whether or not the door is obviously guarded , it 's still illegal to steal stuff from a store .
The fact that the door was not protected with the latest and greatest in RFID theft detection systems does n't change the fact that what you are doing is illegal .
And perhaps the tracking process is slower than what you see in movies , people still get tracked down and arrested , days or weeks after the event .
Moving from the streets onto the Internet does n't really change the rules much ( except that your case will probably wind up with Federal jurisdiction ) . In this case , the poor " hacker " ( I wish him/her luck !
) appears to have done the following : 1 .
Used a specially formatted HTTP request to get a small fabricated purchase to show up as credited to his/her Bing account . 2 .
Noticed that the cash back did show up with no problem as " available for withdrawal " . 3 .
Tried again with a much larger purchase .
Again the purchase shows up in his account . 4 .
Hacker is hoping that the amount will soon become available for withdrawal . On the other side of the world , the accounting systems for Microsoft and the associated merchant have likely compared invoices and noticed the discrepancies .
The small ones got noted , but they were thrown out as " somebody is playing with the system , but it 's not worth dealing with it " .
But this month , when going over the books , they 're going to find a nice big 100,000 item that does n't match up with any purchase recorded on the store 's official records .
However , they do have the account number of the buyer that should be getting the cash back .
I 'm not sure what typically happens at this point , but it probably involves cancelling dinner for the wolf pack so that by the time they 're ready to send out the posse , the wolves are hungry . In this case , Microsoft has apparently ( I have n't looked into this ) provided an API by which a store can report a sale and attribute the sale to a particular Bing account .
The API has varying levels of security , depending on how much effort the store wants to put into preventing fake transactions from entering the system .
Low effort might be fine and takes less time to set up , but it 's easier to attack and that means more work to do when reconciling the accounts .
Just like many other mechanisms for quickly distributing non-critical information between merchants , this is n't meant to be the authoritative information transmission system , just a way for people to keep status on accounts in between the regularly-scheduled account reconciliations .
This way Bing can update your account balance within seconds of the purchase .
Of course , the payback wo n't happen until they 've gone back and checked Microsoft 's records against the merchant 's records and pulled out any differences .
The differences go to the auditor and possibly to the police or FBI . Could we maybe just think for a second before acting like jerks ?
Being a jerk means everybody suffers .
I mean , just because I see a way to deface somebody 's website does n't mean I am obligated to do so .
I walk by 100 cars a day , and I could easily spray shaving cream all over them and not get caught .
But if everybody did that , quality of life would go down for everybody .
Same thing on the internet . I hate this attitude out there th</tokentext>
<sentencetext>This is called "fraud".
Look it up.
It's been around for a long time, a lot longer than HTTP.
There are standard business practices for dealing with it.
Not all of them are technical.
This system's technical defenses are probably sufficient to raise an alarm (delayed by a few weeks as the results are collated), and it will produce a pretty good paper trail leading to the owner of the Bing account.
Some of the systems take into account minor details such as the existence of accountants, a police force, a paper trail, and a legal system.
Obviously some stronger technical measures might have made it a bit more difficult to pull off this particular fraud, or maybe it might have even stopped it, but the non-technical measures will also work just fine if they are called into play. Whether or not the door is obviously guarded, it's still illegal to steal stuff from a store.
The fact that the door was not protected with the latest and greatest in RFID theft detection systems doesn't change the fact that what you are doing is illegal.
And perhaps the tracking process is slower than what you see in movies, people still get tracked down and arrested, days or weeks after the event.
Moving from the streets onto the Internet doesn't really change the rules much (except that your case will probably wind up with Federal jurisdiction). In this case, the poor "hacker" (I wish him/her luck!
) appears to have done the following: 1.
Used a specially formatted HTTP request to get a small fabricated purchase to show up as credited to his/her Bing account. 2.
Noticed that the cash back did show up with no problem as "available for withdrawal". 3.
Tried again with a much larger purchase.
Again the purchase shows up in his account. 4.
Hacker is hoping that the amount will soon become available for withdrawal. On the other side of the world, the accounting systems for Microsoft and the associated merchant have likely compared invoices and noticed the discrepancies.
The small ones got noted, but they were thrown out as "somebody is playing with the system, but it's not worth dealing with it".
But this month, when going over the books, they're going to find a nice big 100,000 item that doesn't match up with any purchase recorded on the store's official records.
However, they do have the account number of the buyer that should be getting the cash back.
I'm not sure what typically happens at this point, but it probably involves cancelling dinner for the wolf pack so that by the time they're ready to send out the posse, the wolves are hungry.
In this case, Microsoft has apparently (I haven't looked into this) provided an API by which a store can report a sale and attribute the sale to a particular Bing account.
The API has varying levels of security, depending on how much effort the store wants to put into preventing fake transactions from entering the system.
Low effort might be fine and takes less time to set up, but it's easier to attack and that means more work to do when reconciling the accounts.
Just like many other mechanisms for quickly distributing non-critical information between merchants, this isn't meant to be the authoritative information transmission system, just a way for people to keep status on accounts in between the regularly-scheduled account reconciliations.
This way Bing can update your account balance within seconds of the purchase.
Of course, the payback won't happen until they've gone back and checked Microsoft's records against the merchant's records and pulled out any differences.
The differences go to the auditor and possibly to the police or FBI.
Could we maybe just think for a second before acting like jerks?
Being a jerk means everybody suffers.
I mean, just because I see a way to deface somebody's website doesn't mean I am obligated to do so.
I walk by 100 cars a day, and I could easily spray shaving cream all over them and not get caught.
But if everybody did that, quality of life would go down for everybody.
Same thing on the internet.
I hate this attitude out there th</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30045034</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>Anonymous</author>
	<datestamp>1257865800000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>1</modscore>
	<htmltext><p>Pardon me, but it seems from his blog that he DID do it.   Any similarity to the child porn case from yesterday is limited at best, illusory at worst.  This is a different situation.</p><p>Fortunately according to US Jurisprudence, there's a concept called Mens Rea.   It's certainly an affirmative defense, but it may serve to eliminate culpability.</p><p>Not that the guy didn't behave stupidly in some ways, but that's another matter.</p></htmltext>
<tokenext>Pardon me , but it seems from his blog that he DID do it .
Any similarity to the child porn case from yesterday is limited at best , illusory at worst .
This is a different situation.Fortunately according to US Jurisprudence , there 's a concept called Mens Rea .
It 's certainly an affirmative defense , but it may serve to eliminate culpability.Not that the guy did n't behave stupidly in some ways , but that 's another matter .</tokentext>
<sentencetext>Pardon me, but it seems from his blog that he DID do it.
Any similarity to the child porn case from yesterday is limited at best, illusory at worst.
This is a different situation.
Fortunately according to US Jurisprudence, there's a concept called Mens Rea.
It's certainly an affirmative defense, but it may serve to eliminate culpability.
Not that the guy didn't behave stupidly in some ways, but that's another matter.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044268</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30045326</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>realityimpaired</author>
	<datestamp>1257867360000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>2</modscore>
	<htmltext><p><div class="quote"><p>Wow, I didn't realize that there are people that still believe in that 'security through obscurity' nonsense.</p></div><p>It's not nonsense, it's just silly to expect it to be your only line of defense. By all means use an obscure platform, as long as you have people who can maintain and support it, but don't use it as a substitute for some common sense, and for securing your system, keeping it properly maintained and updated, limiting points of entry, blocking remote root access, using non-standard, non-root usernames with very secure passwords for system maintenance/root tasks, etc.</p><p>But security through obscurity does still offer an amount of extra security, and shouldn't be dismissed out of hand.</p></div>
	</htmltext>
<tokenext>Wow , I did n't realize that there are people that still believe in that 'security through obscurity ' nonsense.It 's not nonsense , it 's just silly to expect it to be your only line of defense .
By all means use an obscure platform , as long as you have people who can maintain and support it , but do n't use it as a substitute for some common sense , and for securing your system , keeping it properly maintained and updated , limiting points of entry , blocking remote root access , using non-standard , non-root usernames with very secure passwords for system maintenance/root tasks , etc..But security through obscurity does still offer an amount of extra security , and should n't be dismissed out of hand .</tokentext>
<sentencetext>Wow, I didn't realize that there are people that still believe in that 'security through obscurity' nonsense.
It's not nonsense, it's just silly to expect it to be your only line of defense.
By all means use an obscure platform, as long as you have people who can maintain and support it, but don't use it as a substitute for some common sense, and for securing your system, keeping it properly maintained and updated, limiting points of entry, blocking remote root access, using non-standard, non-root usernames with very secure passwords for system maintenance/root tasks, etc.
But security through obscurity does still offer an amount of extra security, and shouldn't be dismissed out of hand.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043440</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30055172</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>tietokone-olmi</author>
	<datestamp>1257866940000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Fool.</p></htmltext>
<tokenext>Fool .</tokentext>
<sentencetext>Fool.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044118</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043428</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>Anonymous</author>
	<datestamp>1257847620000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>5</modscore>
	<htmltext><p>like this you mean?</p><p>Breaking Bing Cashback<br>Posted November 4th, 2009 by Samir</p><p>I've never bought anything using Bing Cashback, but the balance of my account is $2080.06. Apparently, I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th. Let's see how these transactions might have "accidentally" got credited to my account.</p><p>First, we need to try to figure out how transactions get into Bing Cashback. Microsoft posted some documentation here. The explanation of how a merchant reports transactions to Bing starts on page 20.  Merchants have a few options for reporting, but Bing suggests using a tracking pixel. Basically, the merchant adds a tracking pixel to their order confirmation page, which will report the transaction details back to Bing. The request for the tracking pixel looks something like this:</p><p><a href="https://ssl.search.live.com/cashback/pixel/index" title="live.com" rel="nofollow">https://ssl.search.live.com/cashback/pixel/index</a> [live.com]?<br>jftid=0&amp;jfoid=&amp;jfmid=<br>&amp;m[0]=&amp;p[0]=&amp;q[0]=</p><p>This implementation, while easy for the merchant, has an obvious flaw. Anyone can simulate the tracking pixel requests, and post fake transactions to Bing. I'm not going to explain exactly how to generate the fake requests so that they actually post, but it's not complicated. Bing doesn't seem to be able to detect these fake transactions, at least not right away. The six cents I earned in January have "cleared," and I'm guessing the remaining $2080 will clear on schedule, unless there is some manual intervention.</p><p>Even if Bing detects these fake transactions at some point in the future, the current implementation might have another interesting side effect. 
I haven't done enough work to say it with confidence, but a malicious user might be able to block another user's legitimate purchases from being reported correctly by Bing (I only tried this once, but it seemed to work). Posting a transaction to Bing requires sending them an order ID in the request. Bing performs a reasonable sanity check on the order ID, and will not post a transaction that repeats a previously reported order ID.  When a store uses predictable order ID's (e.g. sequential), a malicious user can "use up" all the future order ID's, and cause legitimate transactions to be ignored. Reporting would be effectively down for days, causing a customer service nightmare for both Bing and the merchant.</p><p>Based on what I've found, I wouldn't implement Bing Cashback if I were a merchant.  And, as an end user and bargain hunter, it does not seem smart to rely on Bing Cashback for savings.  In our next blog post, I'll demonstrate some other subtle but important reasons to avoid using Bing Cashback.</p></htmltext>
<tokenext>like this you mean ? Breaking Bing CashbackPosted November 4th , 2009 by SamirI 've never bought anything using Bing Cashback , but the balance of my account is $ 2080.06 .
Apparently , I placed two $ 1 orders on January 24th of this year , and spent another $ 104,000 on October 24th .
Let 's see how these transactions might have " accidentally " got credited to my account.First , we need to try to figure out how transactions get into Bing Cashback .
Microsoft posted some documentation here .
The explanation of how a merchant reports transactions to Bing starts on page 20 .
Merchants have a few options for reporting , but Bing suggests using a tracking pixel .
Basically , the merchant adds a tracking pixel to their order confirmation page , which will report the the transaction details back to Bing .
The request for the tracking pixel looks something like this : https : //ssl.search.live.com/cashback/pixel/index [ live.com ] ? jftid = 0&amp;jfoid = &amp;jfmid = &amp;m [ 0 ] = &amp;p [ 0 ] = &amp;q [ 0 ] = This implementation , while easy for the merchant , has an obvious flaw .
Anyone can simulate the tracking pixel requests , and post fake transactions to Bing .
I 'm not going to explain exactly how to generate the fake requests so that they actually post , but it 's not complicated .
Bing does n't seem to be able to detect these fake transactions , at least not right away .
The six cents I earned in January have " cleared , " and I 'm guessing the remaining $ 2080 will clear on schedule , unless there is some manual intervention.Even if Bing detects these fake transactions at some point in the future , the current implementation might have another interesting side effect .
I have n't done enough work to say it with confidence , but a malicious user might be able to block another user 's legitimate purchases from being reported correctly by Bing ( I only tried this once , but it seemed to work ) .
Posting a transaction to Bing requires sending them an order ID in the request .
Bing performs a reasonable sanity check on the order ID , and will not post a transaction that repeats a previously reported order ID .
When a store uses predictable order ID 's ( e.g .
sequential ) , a malicious user can " use up " all the future order ID 's , and cause legitimate transactions to be ignored .
Reporting would be effectively down for days , causing a customer service nightmare for both Bing and the merchant.Based on what I 've found , I would n't implement Bing Cashback if I were a merchant .
And , as an end user and bargain hunter , it does not seem smart to rely on Bing Cashback for savings .
In our next blog post , I 'll demonstrate some other subtle but important reasons to avoid using Bing Cashback .</tokentext>
<sentencetext>like this you mean?
Breaking Bing Cashback
Posted November 4th, 2009 by Samir
I've never bought anything using Bing Cashback, but the balance of my account is $2080.06.
Apparently, I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th.
Let's see how these transactions might have "accidentally" got credited to my account.
First, we need to try to figure out how transactions get into Bing Cashback.
Microsoft posted some documentation here.
The explanation of how a merchant reports transactions to Bing starts on page 20.
Merchants have a few options for reporting, but Bing suggests using a tracking pixel.
Basically, the merchant adds a tracking pixel to their order confirmation page, which will report the transaction details back to Bing.
The request for the tracking pixel looks something like this: https://ssl.search.live.com/cashback/pixel/index [live.com]?jftid=0&amp;jfoid=&amp;jfmid=&amp;m[0]=&amp;p[0]=&amp;q[0]=
This implementation, while easy for the merchant, has an obvious flaw.
Anyone can simulate the tracking pixel requests, and post fake transactions to Bing.
I'm not going to explain exactly how to generate the fake requests so that they actually post, but it's not complicated.
Bing doesn't seem to be able to detect these fake transactions, at least not right away.
The six cents I earned in January have "cleared," and I'm guessing the remaining $2080 will clear on schedule, unless there is some manual intervention.
Even if Bing detects these fake transactions at some point in the future, the current implementation might have another interesting side effect.
I haven't done enough work to say it with confidence, but a malicious user might be able to block another user's legitimate purchases from being reported correctly by Bing (I only tried this once, but it seemed to work).
Posting a transaction to Bing requires sending them an order ID in the request.
Bing performs a reasonable sanity check on the order ID, and will not post a transaction that repeats a previously reported order ID.
When a store uses predictable order ID's (e.g. sequential), a malicious user can "use up" all the future order ID's, and cause legitimate transactions to be ignored.
Reporting would be effectively down for days, causing a customer service nightmare for both Bing and the merchant.
Based on what I've found, I wouldn't implement Bing Cashback if I were a merchant.
And, as an end user and bargain hunter, it does not seem smart to rely on Bing Cashback for savings.
In our next blog post, I'll demonstrate some other subtle but important reasons to avoid using Bing Cashback.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043076</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044882</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>ShadowRangerRIT</author>
	<datestamp>1257864900000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext>You know, just because they make it easy doesn't mean it's not hacking.  Is it not breaking and entering if a homeowner uses a flimsy lock? (don't get cute and try and say this is no lock at all; it's just a very bad one) If he intentionally exploited this flaw to register fake transactions, then yes, it would be a crime, and for good reason.  This isn't some abuse of the hacking law, like trying to nail people for violating the ToS of a site and calling it hacking, this is basically the definition of the term (in the real world; I know some pedants want to call it cracking instead of hacking, but to the non-geek world, it's hacking).</htmltext>
<tokenext>You know , just because they make it easy does n't mean it 's not hacking .
Is it not breaking and entering if a homeowner uses a flimsy lock ?
( do n't get cute and try and say this is no lock at all ; it 's just a very bad one ) If he intentionally exploited this flaw to register fake transactions , then yes , it would be a crime , and for good reason .
This is n't some abuse of the hacking law , like trying to nail people for violating the ToS of a site and calling it hacking , this is basically the definition of the term ( in the real world ; I know some pedants want to call it cracking instead of hacking , but to the non-geek world , it 's hacking ) .</tokentext>
<sentencetext>You know, just because they make it easy doesn't mean it's not hacking.
Is it not breaking and entering if a homeowner uses a flimsy lock?
(don't get cute and try and say this is no lock at all; it's just a very bad one) If he intentionally exploited this flaw to register fake transactions, then yes, it would be a crime, and for good reason.
This isn't some abuse of the hacking law, like trying to nail people for violating the ToS of a site and calling it hacking, this is basically the definition of the term (in the real world; I know some pedants want to call it cracking instead of hacking, but to the non-geek world, it's hacking).</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044268</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30046494</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>plague3106</author>
	<datestamp>1257872640000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>An exception does not prove a rule.  You can't assert that a virus did it and not expect to be able to show you had a virus.  Simply throwing out that it COULD happen doesn't mean it did.</p><p>Yes, in this case that's exactly what happened.  A reasonable person would conclude he did it based on the fact that only he had access to the computer.  It's fine to say "I'm innocent" in that case, but you need to show your story is in fact reasonable.</p><p>Otherwise you might as well say the FSM downloaded it.</p></htmltext>
<tokenext>An exception does not prove a rule .
You ca n't assert that a virus did it and not expect to be able to show you had a virus .
Simply throwing out that it COULD happen does n't mean it did.Yes , in this case that 's exactly what happened .
A reasonable person would conclude he did it based on the fact that only he had access to the computer .
Its fine to say " I 'm innocent " in that case , but you need to show your story is in fact reasonable.Otherwise you might as well say the FSM downloaded it .</tokentext>
<sentencetext>An exception does not prove a rule.
You can't assert that a virus did it and not expect to be able to show you had a virus.
Simply throwing out that it COULD happen doesn't mean it did.
Yes, in this case that's exactly what happened.
A reasonable person would conclude he did it based on the fact that only he had access to the computer.
It's fine to say "I'm innocent" in that case, but you need to show your story is in fact reasonable.
Otherwise you might as well say the FSM downloaded it.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30045602</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043440</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>theurge14</author>
	<datestamp>1257847860000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><p>Wow, I didn't realize that there are people that still believe in that 'security through obscurity' nonsense.</p></htmltext>
<tokenext>Wow , I did n't realize that there are people that still believe in that 'security through obscurity ' nonsense .</tokentext>
<sentencetext>Wow, I didn't realize that there are people that still believe in that 'security through obscurity' nonsense.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043076</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043220</id>
	<title>Source of URL</title>
	<author>pgn674</author>
	<datestamp>1257844320000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>3</modscore>
	<htmltext>If anyone is quickly wondering exactly where he got the info to construct the request URL in his original post (like, how did he know about jftid, jfoid, and jfmid?), it looks like page 33 of the linked <a href="http://advertising.microsoft.com/WWDocs/User/en-us/Advertise/Integration_Guide.pdf" title="microsoft.com">Integration Guide PDF</a> [microsoft.com] gives the URL <a href="https://ssl.bing.com/cashback/javascripts/1x1tracking.js" title="bing.com">https://ssl.bing.com/cashback/javascripts/1x1tracking.js</a> [bing.com]. That JavaScript file has info on constructing that URL.</htmltext>
<tokenext>If anyone is quickly wondering exactly where he got the info to construct the request URL in his original post ( like , how did he know about jftid , jfoid , and jfmid ?
) , it looks like page 33 of the linked Integration Guide PDF [ microsoft.com ] gives the URL https : //ssl.bing.com/cashback/javascripts/1x1tracking.js [ bing.com ] .
That JavaScript file has info on constructing that URL .</tokentext>
<sentencetext>If anyone is quickly wondering exactly where he got the info to construct the request URL in his original post (like, how did he know about jftid, jfoid, and jfmid?), it looks like page 33 of the linked Integration Guide PDF [microsoft.com] gives the URL https://ssl.bing.com/cashback/javascripts/1x1tracking.js [bing.com].
That JavaScript file has info on constructing that URL.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30059274</id>
	<title>!Censor</title>
	<author>AP31R0N</author>
	<datestamp>1257086520000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Only gov'ts can censor.  This is concealing.</p></htmltext>
<tokenext>Only gov'ts can censor .
This is concealing .</tokentext>
<sentencetext>Only gov'ts can censor.
This is concealing.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30049272</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>Khyber</author>
	<datestamp>1257882120000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Nope, I don't mind at all. See, through various years of harassing people over the internet, it's much more fun when you hand out real information, and lure people into your trap.</p><p>Last moron I gave my information to actually showed up at my house. I beat the living shit out of him and sent his ass to 201 Poplar. All of his forum posts went against him in court, he's in jail for 5 years.</p><p>IT'S A TRAP should be the first thing people learn on the internet.</p></htmltext>
<tokenext>Nope , I do n't mind at al .
See , through various years of harassing people over the internet , it 's much more fun when you hand out real information , and lure people into your trap.Last moron I gave my information to actually showed up at my house .
I beat the living shit out of him and sent his ass to 201 Poplar .
All of his forum posts went against him in court , he 's in jail for 5 years.IT 'S A TRAP should be the first thing people learn on the internet .</tokentext>
<sentencetext>Nope, I don't mind at all.
See, through various years of harassing people over the internet, it's much more fun when you hand out real information, and lure people into your trap.
Last moron I gave my information to actually showed up at my house.
I beat the living shit out of him and sent his ass to 201 Poplar.
All of his forum posts went against him in court, he's in jail for 5 years.
IT'S A TRAP should be the first thing people learn on the internet.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044118</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043120</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>Anonymous</author>
	<datestamp>1257885960000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p><div class="quote"><p>it will probably be all over the rest of the internet and general common knowledge within the week.</p></div><p>The way you phrased this, it would seem to indicate that you are against slashdot for releasing this information.  I fail to see how releasing this type of information is a bad thing.  You would be better off believing in fairies than thinking only 1 person will find a way to exploit a bug.  The more people who know about this issue the better as it will be more likely that microsoft will actually fix the bug instead of suppressing the author.</p></div>
	</htmltext>
<tokenext>it will probably be all over the rest of the internet and general common knowledge within the week.The way you phrased this , it would seem to indicate that you are against slashdot for releasing this information .
I fail to see how releasing this type of information is a bad thing .
You would be better off believing in fairies than thinking only 1 person will find a way to exploit a bug .
The more people who know about this issue the better as it will be more likely that microsoft will actually fix the bug instead of suppressing the author .</tokentext>
<sentencetext>it will probably be all over the rest of the internet and general common knowledge within the week.
The way you phrased this, it would seem to indicate that you are against slashdot for releasing this information.
I fail to see how releasing this type of information is a bad thing.
You would be better off believing in fairies than thinking only 1 person will find a way to exploit a bug.
The more people who know about this issue the better as it will be more likely that microsoft will actually fix the bug instead of suppressing the author.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043076</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30046124</id>
	<title>Due Process should start before BEFORE the crisis</title>
	<author>psbrogna</author>
	<datestamp>1257871080000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Developers make tactical &amp; strategic errors, entire companies do the same and sometimes the response is poorly handled when either is caught ... yadda, yadda, yadda. Let's not dwell on a common-place phenomenon inherent to humans. What causes me the most concern is the QA/QC that should catch this sort of thing is failing. That's the larger problem to me. What buffoon, and presumably somebody senior was responsible for oversight of the review process, was responsible for looking at a tracking-pixel based mechanism and letting it pass muster? What other responsibilities does this joker have in Redmond?</htmltext>
<tokenext>Developers make tactical &amp; strategic errors , entire companies do the same and sometimes the response is poorly handled when either is caught ... yadda , yadda , yadda .
Let 's not dwell on a common-place phenomenon inherent to humans .
What causes me the most concern is the QA/QC that should catch this sort of thing is failing .
That 's the larger problem to me .
What buffoon , and presumably somebody senior was responsible for oversight of the review process , was responsible for looking at a tracking-pixel based mechanism and letting it pass muster ?
What other responsibilities does this joker have in Redmond ?</tokentext>
<sentencetext>Developers make tactical &amp; strategic errors, entire companies do the same and sometimes the response is poorly handled when either is caught ... yadda, yadda, yadda.
Let's not dwell on a common-place phenomenon inherent to humans.
What causes me the most concern is the QA/QC that should catch this sort of thing is failing.
That's the larger problem to me.
What buffoon, and presumably somebody senior was responsible for oversight of the review process, was responsible for looking at a tracking-pixel based mechanism and letting it pass muster?
What other responsibilities does this joker have in Redmond?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043338</id>
	<title>Re:Use microsoft == get screwed</title>
	<author>ProfessionalCookie</author>
	<datestamp>1257846180000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Be fair, they botch the user interface as well.</htmltext>
<tokenext>Be fair , they botch the user interface as well .</tokentext>
<sentencetext>Be fair, they botch the user interface as well.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043180</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044722</id>
	<title>I'm not going to say I could have done better...</title>
	<author>Anonymous</author>
	<datestamp>1257863880000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>I'm not saying I could have done better than the engineers at Bing. In fact I'm certain I would have done worse. But I know I or my peers would have spotted the flaw in my design and have started working on a fix. That's because I work with Open Source software and thousands of eyes would have reviewed the code... sometimes with very hostile intent... and the product would not have been a big ego but a solid product. It's not that Open Source is better... it's that it gets peer reviewed without ego.</p><p>Microsoft, this is why you will eventually lose. All is not lost, you can change... you can learn. But honestly... when *will* you?</p></htmltext>
<tokenext>I 'm not saying I could have done better than the engineers at Bing .
In fact I 'm certain I would have done worse .
But I know I or my peers would have spotted the flaw in my design and have started working on a fix .
That 's because I work with Open Source software and thousands of eyes would have reviewed the code... sometimes with very hostile intent... and the product would not have been a big ego but a solid product .
It 's not that Open Source is better... it 's that it gets peer reviewed without ego . Microsoft , this is why you will eventually lose .
All is not lost , you can change... you can learn .
But honestly... when * will * you ?</tokentext>
<sentencetext>I'm not saying I could have done better than the engineers at Bing.
In fact I'm certain I would have done worse.
But I know I or my peers would have spotted the flaw in my design and have started working on a fix.
That's because I work with Open Source software and thousands of eyes would have reviewed the code... sometimes with very hostile intent... and the product would not have been a big ego but a solid product.
It's not that Open Source is better... it's that it gets peer reviewed without ego. Microsoft, this is why you will eventually lose.
All is not lost, you can change... you can learn.
But honestly... when *will* you?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043672</id>
	<title>Mirror</title>
	<author>Anonymous</author>
	<datestamp>1257851160000</datestamp>
	<modclass>Redundant</modclass>
	<modscore>-1</modscore>
	<htmltext><p>For posterity<br>"</p><p>I&rsquo;ve never bought anything using Bing Cashback, but the balance of my account is $2080.06. Apparently, I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th. Let&rsquo;s see how these transactions might have &ldquo;accidentally&rdquo; got credited to my account.</p><p>First, we need to try to figure out how transactions get into Bing Cashback. Microsoft posted some documentation here. The explanation of how a merchant reports transactions to Bing starts on page 20.  Merchants have a few options for reporting, but Bing suggests using a tracking pixel. Basically, the merchant adds a tracking pixel to their order confirmation page, which will report the transaction details back to Bing. The request for the tracking pixel looks something like this:</p><p>https://ssl.search.live.com/cashback/pixel/index?<br>jftid=0&amp;jfoid=&amp;jfmid=<br>&amp;m[0]=&amp;p[0]=&amp;q[0]=</p><p>This implementation, while easy for the merchant, has an obvious flaw. Anyone can simulate the tracking pixel requests, and post fake transactions to Bing. I&rsquo;m not going to explain exactly how to generate the fake requests so that they actually post, but it&rsquo;s not complicated. Bing doesn&rsquo;t seem to be able to detect these fake transactions, at least not right away. The six cents I earned in January have &ldquo;cleared,&rdquo; and I&rsquo;m guessing the remaining $2080 will clear on schedule, unless there is some manual intervention.</p><p>Even if Bing detects these fake transactions at some point in the future, the current implementation might have another interesting side effect. I haven&rsquo;t done enough work to say it with confidence, but a malicious user might be able to block another user&rsquo;s legitimate purchases from being reported correctly by Bing (I only tried this once, but it seemed to work). Posting a transaction to Bing requires sending them an order ID in the request. 
Bing performs a reasonable sanity check on the order ID, and will not post a transaction that repeats a previously reported order ID.  When a store uses predictable order ID&rsquo;s (e.g. sequential), a malicious user can &ldquo;use up&rdquo; all the future order ID&rsquo;s, and cause legitimate transactions to be ignored. Reporting would be effectively down for days, causing a customer service nightmare for both Bing and the merchant.</p><p>Based on what I&rsquo;ve found, I wouldn&rsquo;t implement Bing Cashback if I were a merchant.  And, as an end user and bargain hunter, it does not seem smart to rely on Bing Cashback for savings.  In our next blog post, I&rsquo;ll demonstrate some other subtle but important reasons to avoid using Bing Cashback.</p><p>"</p></htmltext>
<tokenext>For posterity " I ’ ve never bought anything using Bing Cashback , but the balance of my account is $ 2080.06 .
Apparently , I placed two $ 1 orders on January 24th of this year , and spent another $ 104,000 on October 24th .
Let ’ s see how these transactions might have “ accidentally ” got credited to my account . First , we need to try to figure out how transactions get into Bing Cashback .
Microsoft posted some documentation here .
The explanation of how a merchant reports transactions to Bing starts on page 20 .
Merchants have a few options for reporting , but Bing suggests using a tracking pixel .
Basically , the merchant adds a tracking pixel to their order confirmation page , which will report the transaction details back to Bing .
The request for the tracking pixel looks something like this : https : //ssl.search.live.com/cashback/pixel/index ? jftid = 0&amp;jfoid = &amp;jfmid = &amp;m [ 0 ] = &amp;p [ 0 ] = &amp;q [ 0 ] = This implementation , while easy for the merchant , has an obvious flaw .
Anyone can simulate the tracking pixel requests , and post fake transactions to Bing .
I ’ m not going to explain exactly how to generate the fake requests so that they actually post , but it ’ s not complicated .
Bing doesn ’ t seem to be able to detect these fake transactions , at least not right away .
The six cents I earned in January have “ cleared , ” and I ’ m guessing the remaining $ 2080 will clear on schedule , unless there is some manual intervention . Even if Bing detects these fake transactions at some point in the future , the current implementation might have another interesting side effect .
I haven ’ t done enough work to say it with confidence , but a malicious user might be able to block another user ’ s legitimate purchases from being reported correctly by Bing ( I only tried this once , but it seemed to work ) .
Posting a transaction to Bing requires sending them an order ID in the request .
Bing performs a reasonable sanity check on the order ID , and will not post a transaction that repeats a previously reported order ID .
When a store uses predictable order ID ’ s ( e.g .
sequential ) , a malicious user can “ use up ” all the future order ID ’ s , and cause legitimate transactions to be ignored .
Reporting would be effectively down for days , causing a customer service nightmare for both Bing and the merchant . Based on what I ’ ve found , I wouldn ’ t implement Bing Cashback if I were a merchant .
And , as an end user and bargain hunter , it does not seem smart to rely on Bing Cashback for savings .
In our next blog post , I ’ ll demonstrate some other subtle but important reasons to avoid using Bing Cashback .
"</tokentext>
<sentencetext>For posterity "I’ve never bought anything using Bing Cashback, but the balance of my account is $2080.06.
Apparently, I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th.
Let’s see how these transactions might have “accidentally” got credited to my account. First, we need to try to figure out how transactions get into Bing Cashback.
Microsoft posted some documentation here.
The explanation of how a merchant reports transactions to Bing starts on page 20.
Merchants have a few options for reporting, but Bing suggests using a tracking pixel.
Basically, the merchant adds a tracking pixel to their order confirmation page, which will report the transaction details back to Bing.
The request for the tracking pixel looks something like this: https://ssl.search.live.com/cashback/pixel/index?jftid=0&amp;jfoid=&amp;jfmid=&amp;m[0]=&amp;p[0]=&amp;q[0]= This implementation, while easy for the merchant, has an obvious flaw.
Anyone can simulate the tracking pixel requests, and post fake transactions to Bing.
I’m not going to explain exactly how to generate the fake requests so that they actually post, but it’s not complicated.
Bing doesn’t seem to be able to detect these fake transactions, at least not right away.
The six cents I earned in January have “cleared,” and I’m guessing the remaining $2080 will clear on schedule, unless there is some manual intervention. Even if Bing detects these fake transactions at some point in the future, the current implementation might have another interesting side effect.
I haven’t done enough work to say it with confidence, but a malicious user might be able to block another user’s legitimate purchases from being reported correctly by Bing (I only tried this once, but it seemed to work).
Posting a transaction to Bing requires sending them an order ID in the request.
Bing performs a reasonable sanity check on the order ID, and will not post a transaction that repeats a previously reported order ID.
When a store uses predictable order ID’s (e.g.
sequential), a malicious user can “use up” all the future order ID’s, and cause legitimate transactions to be ignored.
Reporting would be effectively down for days, causing a customer service nightmare for both Bing and the merchant. Based on what I’ve found, I wouldn’t implement Bing Cashback if I were a merchant.
And, as an end user and bargain hunter, it does not seem smart to rely on Bing Cashback for savings.
In our next blog post, I’ll demonstrate some other subtle but important reasons to avoid using Bing Cashback.
"</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043180</id>
	<title>Use microsoft == get screwed</title>
	<author>Anonymous</author>
	<datestamp>1257843720000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><p>After about 30 years is this still news?</p><p>Use Microsoft software and you get screwed. They don't design software they design the user interface and botch the software. They are now as always a marketing not an IT company. It's always been that way, it will always be that way.</p></htmltext>
<tokenext>After about 30 years is this still news ? Use Microsoft software and you get screwed .
They do n't design software they design the user interface and botch the software .
They are now as always a marketing not an IT company .
It 's always been that way , it will always be that way .</tokentext>
<sentencetext>After about 30 years is this still news? Use Microsoft software and you get screwed.
They don't design software they design the user interface and botch the software.
They are now as always a marketing not an IT company.
It's always been that way, it will always be that way.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043288</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>Anonymous</author>
	<datestamp>1257845520000</datestamp>
	<modclass>Funny</modclass>
	<modscore>1</modscore>
	<htmltext><p>Except, by the time it turns up on slashdot, it already is all over the rest of the internet.</p><p>Even if bing removes it from their <em>cahce</em>.</p></htmltext>
<tokenext>Except , by the time it turns up on slashdot , it already is all over the rest of the internet . Even if bing removes it from their cahce .</tokentext>
<sentencetext>Except, by the time it turns up on slashdot, it already is all over the rest of the internet. Even if bing removes it from their cahce.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043076</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044338</id>
	<title>Re:Use microsoft == get screwed</title>
	<author>Anonymous</author>
	<datestamp>1257860340000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Speak for yourself.  I have used Microsoft Operating Systems and other software since I switched over to the PC in 1997.  I'm very happy and have never once felt screwed, as you so eloquently put it.</p></htmltext>
<tokenext>Speak for yourself .
I have used Microsoft Operating Systems and other software since I switched over to the PC in 1997 .
I 'm very happy and have never once felt screwed , as you so eloquently put it .</tokentext>
<sentencetext>Speak for yourself.
I have used Microsoft Operating Systems and other software since I switched over to the PC in 1997.
I'm very happy and have never once felt screwed, as you so eloquently put it.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043180</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044002</id>
	<title>Hey Mercedes!</title>
	<author>tjstork</author>
	<datestamp>1257856020000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>Your car has an exploit, so I stole it and drove it into a wall to prove a point.</p></htmltext>
<tokenext>Your car has an exploit , so I stole it and drove it into a wall to prove a point .</tokentext>
<sentencetext>Your car has an exploit, so I stole it and drove it into a wall to prove a point.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043592</id>
	<title>Re:Solution</title>
	<author>Anonymous</author>
	<datestamp>1257849900000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>I'd consider HMAC-SHA256 or SHMAC-SHA512 these days.  SHA1 is a lot more sturdy than MD5, but it is nearing the end of its useful lifespan.  This is why NIST is running a competition looking for the next SHA-3 algorithm, similar to how AES was chosen, results likely expected in 2012 (from the wiki).</p></htmltext>
<tokenext>I 'd consider HMAC-SHA256 or SHMAC-SHA512 these days .
SHA1 is a lot more sturdy than MD5 , but it is nearing the end of its useful lifespan .
This is why NIST is running a competition looking for the next SHA-3 algorithm , similar to how AES was chosen , results likely expected in 2012 ( from the wiki ) .</tokentext>
<sentencetext>I'd consider HMAC-SHA256 or SHMAC-SHA512 these days.
SHA1 is a lot more sturdy than MD5, but it is nearing the end of its useful lifespan.
This is why NIST is running a competition looking for the next SHA-3 algorithm, similar to how AES was chosen, results likely expected in 2012 (from the wiki).</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043284</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30046722</id>
	<title>Re:Solution</title>
	<author>Otto</author>
	<datestamp>1257873480000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>The value of the MAC would change depending on the transaction, and part of the algorithm would involve a "shared secret". Basically a number shared between Microsoft and the merchant only.</p><p>A simplistic implementation would be to take the shared secret and the final price of the transaction, append them together, then run SHA over them to get a hash value. You can give the result to the client. If they change the price, then the hash doesn't match any more. They can't create a new hash, because they don't know the shared secret.</p><p>Obviously that approach is too simple, a real algorithm would be more complex, but you get the idea. Combine a secret code with values from the transaction, then use a one-way hashing function on them in some manner. The resulting hash is good only for those particular details, and can't be recreated by the untrusted client.</p></htmltext>
<tokenext>The value of the MAC would change depending on the transaction , and part of the algorithm would involve a " shared secret " .
Basically a number shared between Microsoft and the merchant only . A simplistic implementation would be to take the shared secret and the final price of the transaction , append them together , then run SHA over them to get a hash value .
You can give the result to the client .
If they change the price , then the hash does n't match any more .
They ca n't create a new hash , because they do n't know the shared secret . Obviously that approach is too simple , a real algorithm would be more complex , but you get the idea .
Combine a secret code with values from the transaction , then use a one-way hashing function on them in some manner .
The resulting hash is good only for those particular details , and ca n't be recreated by the untrusted client .</tokentext>
<sentencetext>The value of the MAC would change depending on the transaction, and part of the algorithm would involve a "shared secret".
Basically a number shared between Microsoft and the merchant only. A simplistic implementation would be to take the shared secret and the final price of the transaction, append them together, then run SHA over them to get a hash value.
You can give the result to the client.
If they change the price, then the hash doesn't match any more.
They can't create a new hash, because they don't know the shared secret. Obviously that approach is too simple, a real algorithm would be more complex, but you get the idea.
Combine a secret code with values from the transaction, then use a one-way hashing function on them in some manner.
The resulting hash is good only for those particular details, and can't be recreated by the untrusted client.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043692</parent>
</comment>
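The MAC scheme sketched in the two "Re:Solution" comments above (a merchant-side shared secret combined with the transaction values, using HMAC-SHA256), as an added example that is not part of the thread or of any Bing SDK. The field names, the secret and the sample orders are constructed for illustration; the tag is computed on the merchant's server, and the verifier checks it before recording the order ID, so a forged report can neither post a credit nor reserve a future order ID.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed demo key. In practice: one random key per merchant, stored
# only on the merchant's server and at the cashback service, never in page JS.
SHARED_SECRET = b"constructed-demo-secret-not-a-real-key"

# Hypothetical field names; every value that affects the payout is signed.
SIGNED_FIELDS = ("merchant_id", "order_id", "account_id", "amount_cents")


def naive_tag(secret: bytes, order_id: str, amount: str) -> str:
    """The 'too simple' variant: hash of secret and values appended together.

    Plain concatenation loses field boundaries, and SHA-256(secret + data)
    is not a sound MAC construction (length extension), hence HMAC below.
    """
    return hashlib.sha256(secret + order_id.encode() + amount.encode()).hexdigest()


def canonical_message(fields: dict) -> bytes:
    """Serialize the signed fields unambiguously (name=length:value)."""
    parts = []
    for name in SIGNED_FIELDS:
        value = str(fields[name]).encode("utf-8")
        parts.append(name.encode() + b"=" + str(len(value)).encode() + b":" + value)
    return b"|".join(parts)


def sign_report(fields: dict, secret: bytes = SHARED_SECRET) -> str:
    """HMAC-SHA256 tag over the canonical form, hex encoded."""
    return hmac.new(secret, canonical_message(fields), hashlib.sha256).hexdigest()


def build_report_query(fields: dict, secret: bytes) -> str:
    """Merchant server side: query string for the confirmation-page pixel."""
    signed = {name: str(fields[name]) for name in SIGNED_FIELDS}
    signed["mac"] = sign_report(signed, secret)
    return urlencode(signed)


class ReportVerifier:
    """Cashback service side: authenticate first, then de-duplicate."""

    def __init__(self, secrets_by_merchant: dict):
        self._secrets = secrets_by_merchant
        self._seen_orders = set()

    def accept(self, query: str) -> str:
        params = dict(parse_qsl(query, keep_blank_values=True))
        if "mac" not in params or any(n not in params for n in SIGNED_FIELDS):
            return "rejected: missing field"
        secret = self._secrets.get(params["merchant_id"])
        if secret is None:
            return "rejected: unknown merchant"
        expected = sign_report(params, secret).encode("ascii")
        # Constant-time comparison; bytes on both sides so odd input cannot raise.
        if not hmac.compare_digest(expected, params["mac"].encode("utf-8")):
            return "rejected: bad mac"
        # Only authenticated reports may consume an order ID.
        key = (params["merchant_id"], params["order_id"])
        if key in self._seen_orders:
            return "rejected: duplicate order"
        self._seen_orders.add(key)
        return "accepted"


def demo() -> list:
    """Run constructed reports through the verifier and return the verdicts."""
    verifier = ReportVerifier({"shop-1": SHARED_SECRET})
    order = {"merchant_id": "shop-1", "order_id": "1001",
             "account_id": "alice", "amount_cents": 2599}
    genuine = build_report_query(order, SHARED_SECRET)
    # Same report with the amount altered after signing.
    altered = genuine.replace("amount_cents=2599", "amount_cents=10400000")
    # Unsigned claim on the next sequential order ID.
    unsigned_claim = urlencode({"merchant_id": "shop-1", "order_id": "1002",
                                "account_id": "mallory", "amount_cents": "100",
                                "mac": "0" * 64})
    next_order = build_report_query(
        {"merchant_id": "shop-1", "order_id": "1002",
         "account_id": "bob", "amount_cents": 500}, SHARED_SECRET)
    reports = (altered, unsigned_claim, genuine, genuine, next_order)
    return [verifier.accept(q) for q in reports]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last verdict is the one that matters for the order-ID problem: order 1002 is still accepted for the real customer because the earlier unsigned claim on it was dropped before the duplicate check.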
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30045054</id>
	<title>Re:It's called fraud</title>
	<author>Anonymous</author>
	<datestamp>1257865860000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>3</modscore>
	<htmltext><p><div class="quote"><p>In this case, the poor "hacker" (I wish him/her luck!) appears to have done the following:
1. Used a specially formatted HTTP request to get a small fabricated purchase to show up as credited to his/her Bing account.
2. Noticed that the cash back did show up with no problem as "available for withdrawal".
3. Tried again with a much larger purchase. Again the purchase shows up in his account.
4. Hacker is hoping that the amount will soon become available for withdrawal.</p></div><p>5. Notified Microsoft about the issue?<br> <br>
Meanwhile, MS allowed a system where someone could redirect money to *someone else's* account, even an innocent third party.  Imagine walking out of a local jewelry store, and the gate drops around you, sirens blare... all because a pickpocket put jewels in your pants.  Imagine that instead of all of the sirens and gates, the store owner could have implemented a less expensive alternative that would have completely prevented the thief from doing this.  So, the jewelry store is paying more to harass its customers... the store owners must enjoy it.</p></div>
	</htmltext>
<tokenext>In this case , the poor " hacker " ( I wish him/her luck !
) appears to have done the following : 1 .
Used a specially formatted HTTP request to get a small fabricated purchase to show up as credited to his/her Bing account .
2. Noticed that the cash back did show up with no problem as " available for withdrawal " .
3. Tried again with a much larger purchase .
Again the purchase shows up in his account .
4. Hacker is hoping that the amount will soon become available for withdrawal . 5 .
Notified Microsoft about the issue ?
Meanwhile , MS allowed a system where someone could redirect money to * someone else 's * account , even an innocent third party .
Imagine walking out of a local jewelry store , and the gate drops around you , sirens blare... all because a pickpocket put jewels in your pants .
Imagine that instead of all of the sirens and gates , the store owner could have implemented a less expensive alternative that would have completely prevented the thief from doing this .
So , the jewelry store is paying more to harass its customers... the store owners must enjoy it .</tokentext>
<sentencetext>In this case, the poor "hacker" (I wish him/her luck!
) appears to have done the following:
1.
Used a specially formatted HTTP request to get a small fabricated purchase to show up as credited to his/her Bing account.
2. Noticed that the cash back did show up with no problem as "available for withdrawal".
3. Tried again with a much larger purchase.
Again the purchase shows up in his account.
4. Hacker is hoping that the amount will soon become available for withdrawal. 5.
Notified Microsoft about the issue?
Meanwhile, MS allowed a system where someone could redirect money to *someone else's* account, even an innocent third party.
Imagine walking out of a local jewelry store, and the gate drops around you, sirens blare... all because a pickpocket put jewels in your pants.
Imagine that instead of all of the sirens and gates, the store owner could have implemented a less expensive alternative that would have completely prevented the thief from doing this.
So, the jewelry store is paying more to harass its customers... the store owners must enjoy it.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043866</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044268</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>commodore64_love</author>
	<datestamp>1257859560000</datestamp>
	<modclass>Troll</modclass>
	<modscore>1</modscore>
	<htmltext><p>&gt;&gt;&gt;I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th.</p><p>According to our idiotic U.S. law, you are guilty of hacking a computer service.  It doesn't matter that you didn't actually do it - you are presumed guilty, and it's your job to prove innocence.  (Kinda similar to that guy who was falsely accused of downloading child porn - he too was presumed guilty until he could prove that it was malware that did it.)</p></htmltext>
<tokenext>&gt; &gt; &gt; I placed two $ 1 orders on January 24th of this year , and spent another $ 104,000 on October 24th . According to our idiotic U.S. law , you are guilty of hacking a computer service .
It does n't matter that you did n't actually do it - you are presumed guilty , and it 's your job to prove innocence .
( Kinda similar to that guy who was falsely accused of downloading child porn - he too was presumed guilty until he could prove that it was malware that did it .
)</tokentext>
<sentencetext>&gt;&gt;&gt;I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th. According to our idiotic U.S. law, you are guilty of hacking a computer service.
It doesn't matter that you didn't actually do it - you are presumed guilty, and it's your job to prove innocence.
(Kinda similar to that guy who was falsely accused of downloading child porn - he too was presumed guilty until he could prove that it was malware that did it.
)</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043428</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044118</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>indiechild</author>
	<datestamp>1257857580000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>So you wouldn't mind posting your real full name, social security number (assuming you're American) and residential address?</p></htmltext>
<tokenext>So you would n't mind posting your real full name , social security number ( assuming you 're American ) and residential address ?</tokentext>
<sentencetext>So you wouldn't mind posting your real full name, social security number (assuming you're American) and residential address?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043440</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043736</id>
	<title>Re:mirrored post</title>
	<author>SharpFang</author>
	<datestamp>1257852240000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><i>fuck you.  do not attempt to censor people's efforts to bring to your<br>attention your own stupidity.  go fix the problem, and pay the guy who<br>found the problem a lot of money, as a thank you.</i></p><p>Microsoft's standard policy of thank-you for people who help them prevent multi-million losses is a free T-shirt.<br>You can't really hope for any better.</p></htmltext>
<tokenext>fuck you .
do not attempt to censor people 's efforts to bring to your attention your own stupidity .
go fix the problem , and pay the guy who found the problem a lot of money , as a thank you . Microsoft 's standard policy of thank-you for people who help them prevent multi-million losses is a free T-shirt . You ca n't really hope for any better .</tokentext>
<sentencetext>fuck you.
do not attempt to censor people's efforts to bring to your attention your own stupidity.
go fix the problem, and pay the guy who found the problem a lot of money, as a thank you. Microsoft's standard policy of thank-you for people who help them prevent multi-million losses is a free T-shirt. You can't really hope for any better.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043400</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044280</id>
	<title>MS Response</title>
	<author>TheVelvetFlamebait</author>
	<datestamp>1257859680000</datestamp>
	<modclass>Funny</modclass>
	<modscore>2</modscore>
	<htmltext><p>Microsoft has posted this page in response:</p><p><a href="http://www.bing.com/search?q=bing+cashback+vulnerability&amp;go=&amp;form=QBLH&amp;filt=all&amp;qs=n" title="bing.com">http://www.bing.com/search?q=bing+cashback+vulnerability&amp;go=&amp;form=QBLH&amp;filt=all&amp;qs=n</a> [bing.com]</p></htmltext>
<tokenext>Microsoft has posted this page in response : http : //www.bing.com/search ? q = bing + cashback + vulnerability&amp;go = &amp;form = QBLH&amp;filt = all&amp;qs = n [ bing.com ]</tokentext>
<sentencetext>Microsoft has posted this page in response: http://www.bing.com/search?q=bing+cashback+vulnerability&amp;go=&amp;form=QBLH&amp;filt=all&amp;qs=n [bing.com]</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043726</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>Anonymous</author>
	<datestamp>1257852000000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>MS no longer suppresses authors. Instead, balmer invites them to his office and then into his chair. Issue solved in MS's eye.</htmltext>
<tokenext>MS no longer suppresses authors .
Instead , balmer invites them to his office and then into his chair .
Issue solved in MS 's eye .</tokentext>
<sentencetext>MS no longer suppresses authors.
Instead, balmer invites them to his office and then into his chair.
Issue solved in MS's eye.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043120</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043924</id>
	<title>But then they put the key in plaintext in JS</title>
	<author>originalhack</author>
	<datestamp>1257855000000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Seriously....  they couldn't possibly assume that their affiliates can program, so the key would have to be in the users' web browser instead of on the affiliates' server.</htmltext>
<tokenext>Seriously.... they could n't possibly assume that their affiliates can program , so the key would have to be in the users ' web browser instead of on the affiliates ' server .</tokentext>
<sentencetext>Seriously....  they couldn't possibly assume that their affiliates can program, so the key would have to be in the users' web browser instead of on the affiliates' server.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043284</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30046782</id>
	<title>Re:Solution</title>
	<author>peterw</author>
	<datestamp>1257873660000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><blockquote><div><p>A reasonable way: both of the existing ones. The tracking pixel is used to provide instant user update in 99% of the cases, but the transaction is marked pending. At the end of the day the text list is uploaded to the FTP. Compare the 2 lists, approving all that match and flagging for review any that don't (extra, missing, or different).</p></div></blockquote><p>Exactly. And I wonder if they've done that already, and simply not updated their integration docs. There's no way to pass a transaction date with the pixel, so Bountii must've first played with this back in January. It would've been nice to know how long the Jan 24 forgeries took to clear. The fact that the Oct 24th purchase hadn't become Available by Nov 4th suggests that Bing might now require batch confirmation for all transactions. Or perhaps the merchant used the Merchant Center interface to flag the transaction -- I know in the ecommerce systems I've been involved with, staff review the transaction log for anything unusual.</p><p>There is still that Denial of Service problem -- a user claiming all "future" order IDs and preventing legitimate customers from getting their credits. I thought Bing might've simply prevented any given customer from submitting two claims with the same merchant ID &amp; order ID (classic "transaction token"/page reload stuff), but the screenshots of the Merchant Center suggest that Bing isn't doing that (yet).</p><p>My favorite part is that on page 20 of the Bing Cashback integration guide they say that the pixel hack is "recommended" for reporting purchases. <b>Recommended</b>!</p><p>Second favorite: that Samir at Bountii posted this on his blog without contacting Bing first. He should've followed something like the RFPolicy protocol (http://www.wiretrip.net/rfp/policy.html).</p></div>
	</htmltext>
<tokenext>A reasonable way : both of the existing ones .
The tracking pixel is used to provide instant user update in 99 % of the cases , but the transaction is marked pending .
At the end of the day the text list is uploaded to the FTP .
Compare the 2 lists , approving all that match and flagging for review any that do n't ( extra , missing , or different ) . Exactly .
And I wonder if they 've done that already , and simply not updated their integration docs .
There 's no way to pass a transaction date with the pixel , so Bountii must 've first played with this back in January .
It would 've been nice to know how long the Jan 24 forgeries took to clear .
The fact that the Oct 24th purchase had n't become Available by Nov 4th suggests that Bing might now require batch confirmation for all transactions .
Or perhaps the merchant used the Merchant Center interface to flag the transaction -- I know in the ecommerce systems I 've been involved with , staff review the transaction log for anything unusual . There is still that Denial of Service problem -- a user claiming all " future " order IDs and preventing legitimate customers from getting their credits .
I thought Bing might 've simply prevented any given customer from submitting two claims with the same merchant ID &amp; order ID ( classic " transaction token " /page reload stuff ) , but the screenshots of the Merchant Center suggest that Bing is n't doing that ( yet ) . My favorite part is that on page 20 of the Bing Cashback integration guide they say that the pixel hack is " recommended " for reporting purchases .
Recommended ! Second favorite : that Samir at Bountii posted this on his blog without contacting Bing first .
He should 've followed something like the RFPolicy protocol ( http : //www.wiretrip.net/rfp/policy.html ) .</tokentext>
<sentencetext>A reasonable way: both of the existing ones.
The tracking pixel is used to provide instant user update in 99% of the cases, but the transaction is marked pending.
At the end of the day the text list is uploaded to the FTP.
Compare the 2 lists, approving all that match and flagging for review any that don't (extra, missing, or different).Exactly.
And I wonder if they've done that already, and simply not updated their integration docs.
There's no way to pass a transaction date with the pixel, so Bountii must've first played with this back in January.
It would've been nice to know how long the Jan 24 forgeries took to clear.
The fact that the Oct 24th purchase hadn't become Available by Nov 4th suggests that Bing might now require batch confirmation for all transactions.
Or perhaps the merchant used the Merchant Center interface to flag the transaction -- I know in the ecommerce systems I've been involved with, staff review the transaction log for anything unusual.There is still that Denial of Service problem -- a user claiming all "future" order IDs and preventing legitimate customers from getting their credits.
I thought Bing might've simply prevented any given customer from submitting two claims with the same merchant ID &amp; order ID (classic "transaction token"/page reload stuff), but the screenshots of the Merchant Center suggest that Bing isn't doing that (yet). My favorite part is that on page 20 of the Bing Cashback integration guide they say that the pixel hack is "recommended" for reporting purchases.
Recommended!Second favorite: that Samir at Bountii posted this on his blog without contacting Bing first.
He should've followed something like the RFPolicy protocol (http://www.wiretrip.net/rfp/policy.html).
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043922</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30045296</id>
	<title>Hope he remembers</title>
	<author>harris s newman</author>
	<datestamp>1257867180000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Don't drop the soap, if you do, don't bend over to pick it up.  Don't look people in the eyes, and plead no-contest.</htmltext>
<tokenext>Do n't drop the soap , if you do , do n't bend over to pick it up .
Do n't look people in the eyes , and plead no-contest .</tokentext>
<sentencetext>Don't drop the soap, if you do, don't bend over to pick it up.
Don't look people in the eyes, and plead no-contest.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044336</id>
	<title>Bing vulnerability?</title>
	<author>selven</author>
	<datestamp>1257860340000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>What bing vulnerability?</p></htmltext>
<tokenext>What bing vulnerability ?</tokentext>
<sentencetext>What bing vulnerability?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043450</id>
	<title>Re:Use microsoft == get screwed</title>
	<author>Anonymous</author>
	<datestamp>1257847920000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Getting screwed is a feature not a bug!</p><p>Captcha: unbroken</p></htmltext>
<tokenext>Getting screwed is a feature not a bug ! Captcha : unbroken</tokentext>
<sentencetext>Getting screwed is a feature not a bug!Captcha: unbroken</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043180</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044434</id>
	<title>Re:It's called fraud</title>
	<author>Anonymous</author>
	<datestamp>1257861240000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>This way Bing can update your account balance within seconds of the purchase. Of course, the payback won't happen until they've gone back and checked Microsoft's records against the merchant's records and pulled out any differences. The differences go to the auditor and possibly to the police or FBI.</p></div><p>Only his $0.06 was already available for withdrawal, i.e. it had passed all the checks.</p><p><div class="quote"><p>I hate this attitude out there that "if it isn't nailed down, I have every right to grab it and take it home, and if it is nailed down, I have every right to destroy it". I don't want a world (or even an Internet) where everything is nailed down and/or destroyed.</p></div><p>Actually I think the attitude is, if you are going to deploy software that deals with real money make it secure, the posting wasn't a "howto steal money from microsoft", it was just a blog post detailing a security flaw. There is a big difference between some blag with pictures of kittens and an online shopping system, implemented by a major IT company, If you can deface the homepage of a major IT company it shows incompetence, if you can steal money from them then dear god what are they doing?</p></div>
	</htmltext>
<tokenext>This way Bing can update your account balance within seconds of the purchase .
Of course , the payback wo n't happen until they 've gone back and checked Microsoft 's records against the merchant 's records and pulled out any differences .
The differences go to the auditor and possibly to the police or FBI . Only his $ 0.06 was already available for withdrawal , i.e. it had passed all the checks . I hate this attitude out there that " if it is n't nailed down , I have every right to grab it and take it home , and if it is nailed down , I have every right to destroy it " .
I do n't want a world ( or even an Internet ) where everything is nailed down and/or destroyed . Actually I think the attitude is , if you are going to deploy software that deals with real money make it secure , the posting was n't a " howto steal money from microsoft " , it was just a blog post detailing a security flaw .
There is a big difference between some blag with pictures of kittens and an online shopping system , implemented by a major IT company , If you can deface the homepage of a major IT company it shows incompetence , if you can steal money from them then dear god what are they doing ?</tokentext>
<sentencetext>This way Bing can update your account balance within seconds of the purchase.
Of course, the payback won't happen until they've gone back and checked Microsoft's records against the merchant's records and pulled out any differences.
The differences go to the auditor and possibly to the police or FBI. Only his $0.06 was already available for withdrawal, i.e. it had passed all the checks. I hate this attitude out there that "if it isn't nailed down, I have every right to grab it and take it home, and if it is nailed down, I have every right to destroy it".
I don't want a world (or even an Internet) where everything is nailed down and/or destroyed. Actually I think the attitude is, if you are going to deploy software that deals with real money make it secure, the posting wasn't a "howto steal money from microsoft", it was just a blog post detailing a security flaw.
There is a big difference between some blag with pictures of kittens and an online shopping system, implemented by a major IT company, If you can deface the homepage of a major IT company it shows incompetence, if you can steal money from them then dear god what are they doing?
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043866</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044962</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>abigsmurf</author>
	<datestamp>1257865500000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Wow. So you're saying that someone who is in possession of a computer with child porn shouldn't be brought to trial on possession of child porn charges? That someone who not only admits to doing something, but posts credible, detailed information on how he achieved it doesn't deserve to be brought to trial?
<br> <br>
In case you didn't notice, both of these examples are incredibly damning evidence, just as seeing someone over a corpse with a knife and blood on his hands is pretty damning too.
<br> <br>
You don't seem to understand the point of trials. Trials happen when there is convincing evidence that on its own, if you didn't defend yourself, would be enough to find you guilty of a crime. The presumption of innocence at that point is irrelevant because the evidence trumps the presumption. For a case to get to court, there is a minimum burden of proof. Hence cases getting dismissed by judges when there isn't enough proof.
The purpose of a trial is to provide defendants a chance to show the evidence against him doesn't prove guilt.</htmltext>
<tokenext>Wow .
So you 're saying that someone who is in possession of a computer with child porn should n't be brought to trial on possession of child porn charges ?
That someone who not only admits to doing something , but posts credible , detailed information on how he achieved it does n't deserve to be brought to trial ?
In case you did n't notice , both of these examples are incredibly damning evidence , just as seeing someone over a corpse with a knife and blood on his hands is pretty damning too .
You do n't seem to understand the point of trials .
Trials happen when there is convincing evidence that on its own , if you did n't defend yourself , would be enough to find you guilty of a crime .
The presumption of innocence at that point is irrelevant because the evidence trumps the presumption .
For a case to get to court , there is a minimum burden of proof .
Hence cases getting dismissed by judges when there is n't enough proof .
The purpose of a trial is to provide defendants a chance to show the evidence against him does n't prove guilt .</tokentext>
<sentencetext>Wow.
So you're saying that someone who is in possession of a computer with child porn shouldn't be brought to trial on possession of child porn charges?
That someone who not only admits to doing something, but posts credible, detailed information on how he achieved it doesn't deserve to be brought to trial?
In case you didn't notice, both of these examples are incredibly damning evidence, just as seeing someone over a corpse with a knife and blood on his hands is pretty damning too.
You don't seem to understand the point of trials.
Trials happen when there is convincing evidence that on its own, if you didn't defend yourself, would be enough to find you guilty of a crime.
The presumption of innocence at that point is irrelevant because the evidence trumps the presumption.
For a case to get to court, there is a minimum burden of proof.
Hence cases getting dismissed by judges when there isn't enough proof.
The purpose of a trial is to provide defendants a chance to show the evidence against him doesn't prove guilt.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044268</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043276</id>
	<title>Re:Use microsoft == get screwed</title>
	<author>kestasjk</author>
	<datestamp>1257845280000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>A marketing company which subcontracts out its marketing and makes billions from software sales. That's a pretty weird marketing company.</htmltext>
<tokenext>A marketing company which subcontracts out its marketing and makes billions from software sales .
That 's a pretty weird marketing company .</tokentext>
<sentencetext>A marketing company which subcontracts out its marketing and makes billions from software sales.
That's a pretty weird marketing company.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043180</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30053874</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>Anonymous</author>
	<datestamp>1257859260000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>So then how would you classify a hidden url as a security mechanism?  Say http://www.example.com/private/jadkjfHs44hjakd/</p><p>Would you classify that as secrecy of data, or security through obscurity?  By your definition it is secrecy of data, but many / most people on slashdot classify it as security through obscurity.</p></htmltext>
<tokenext>So then how would you classify a hidden url as a security mechanism ?
Say http : //www.example.com/private/jadkjfHs44hjakd/ Would you classify that as secrecy of data , or security through obscurity ?
By your definition it is secrecy of data , but many / most people on slashdot classify it as security through obscurity .</tokentext>
<sentencetext>So then how would you classify a hidden url as a security mechanism?
Say http://www.example.com/private/jadkjfHs44hjakd/ Would you classify that as secrecy of data, or security through obscurity?
By your definition it is secrecy of data, but many / most people on slashdot classify it as security through obscurity.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044688</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044506</id>
	<title>Re:It's called fraud</title>
	<author>leeosenton</author>
	<datestamp>1257862020000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Well written and thought provoking.</htmltext>
<tokenext>Well written and thought provoking .</tokentext>
<sentencetext>Well written and thought provoking.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043866</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30045602</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>Svartalf</author>
	<datestamp>1257868680000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><blockquote><div><p>I hate to tell you, but having kiddie porn ON YOUR COMPUTER is fairly good evidence you've done something wrong.</p></div></blockquote><p><a href="http://tech.yahoo.com/news/ap/20091108/ap_on_hi_te/us_tec_a_virus_framed_me" title="yahoo.com">I hate to tell you, but that's not at all accurate</a> [yahoo.com].</p><p>Normally, you can say that the  "virus framed me" line is akin to "the dog ate my homework".  Unfortunately in this case, it really, really did do what they claimed on this one- and your line of reasoning is bogus.  ANYTHING can happen, including having someone <em> <b>plant</b> </em> it on your machine without your knowledge- especially if you're using Windows as an OS.</p></div>
	</htmltext>
<tokenext>I hate to tell you , but having kiddie porn ON YOUR COMPUTER is fairly good evidence you 've done something wrong.I hate to tell you , but that 's not at all accurate [ yahoo.com ] .Normally , you can say that the " virus framed me " line is akin to " the dog ate my homework " .
Unfortunately in this case , it really , really did do what they claimed on this one- and your line of reasoning is bogus .
ANYTHING can happen , including having someone plant it on your machine without your knowledge- especially if you 're using Windows as an OS .</tokentext>
<sentencetext>I hate to tell you, but having kiddie porn ON YOUR COMPUTER is fairly good evidence you've done something wrong.I hate to tell you, but that's not at all accurate [yahoo.com].Normally, you can say that the  "virus framed me" line is akin to "the dog ate my homework".
Unfortunately in this case, it really, really did do what they claimed on this one- and your line of reasoning is bogus.
ANYTHING can happen, including having someone  plant  it on your machine without your knowledge- especially if you're using Windows as an OS.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044776</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044776</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>plague3106</author>
	<datestamp>1257864180000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>If he were presumed guilty, he'd have already been serving time, pending the outcome of a trial to prove his innocence.</p><p>I hate to tell you, but having kiddie porn ON YOUR COMPUTER is fairly good evidence you've done something wrong.  You have the bloody knife in your hand standing over the body.. yes you'd better be able to show me that you AREN'T the murderer, and saying "well someone else did it" without showing me it's reasonable isn't going to cut it.</p></htmltext>
<tokenext>If he were presumed guilty , he 'd have already been serving time , pending the outcome of a trial to prove his innocence.I hate to tell you , but having kiddie porn ON YOUR COMPUTER is fairly good evidence you 've done something wrong .
You have the bloody knife in your hand standing over the body.. yes you 'd better be able to show me that you ARE N'T the murderer , and saying " well someone else did it " without showing me it 's reasonable is n't going to cut it .</tokentext>
<sentencetext>If he were presumed guilty, he'd have already been serving time, pending the outcome of a trial to prove his innocence.I hate to tell you, but having kiddie porn ON YOUR COMPUTER is fairly good evidence you've done something wrong.
You have the bloody knife in your hand standing over the body.. yes you'd better be able to show me that you AREN'T the murderer, and saying "well someone else did it" without showing me it's reasonable isn't going to cut it.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044268</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30049504</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>MostAwesomeDude</author>
	<datestamp>1257883020000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Corbin D. Simpson</p><p>975 NW Garfield, Corvallis, OR 97330</p><p>I'll leave it up to you to deduce my SSN; it's not terribly difficult. I'm not posting it because I'd like to hold on to what little cash I've got, although if you're going to defraud a college student with empty pockets...</p></htmltext>
<tokenext>Corbin D. Simpson975 NW Garfield , Corvallis , OR 97330I 'll leave it up to you to deduce my SSN ; it 's not terribly difficult .
I 'm not posting it because I 'd like to hold on to what little cash I 've got , although if you 're going to defraud a college student with empty pockets.. .</tokentext>
<sentencetext>Corbin D. Simpson975 NW Garfield, Corvallis, OR 97330I'll leave it up to you to deduce my SSN; it's not terribly difficult.
I'm not posting it because I'd like to hold on to what little cash I've got, although if you're going to defraud a college student with empty pockets...</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044118</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043692</id>
	<title>Re:Solution</title>
	<author>bjourne</author>
	<datestamp>1257851340000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Can you elaborate on that? The tracking pixels are used to report transactions to Bing's API by having the customer's web browser do a GET request to Bing's cashback server. Since it is all done on the client side, a malicious user could just include the MAC for the merchant in the forged transaction. So I don't see how using a MAC would help at all.</htmltext>
<tokenext>Can you elaborate on that ?
The tracking pixels are used to report transactions to Bing 's API by having the customer 's web browser do a GET request to Bing 's cashback server .
Since it is all done on the client side , a malicious user could just include the MAC for the merchant in the forged transaction .
So I do n't see how using a MAC would help at all .</tokentext>
<sentencetext>Can you elaborate on that?
The tracking pixels are used to report transactions to Bing's API by having the customer's web browser do a GET request to Bing's cashback server.
Since it is all done on the client side, a malicious user could just include the MAC for the merchant in the forged transaction.
So I don't see how using a MAC would help at all.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043284</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043946</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>buchner.johannes</author>
	<datestamp>1257855360000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><p><div class="quote"><p>In traditional Microsoft fashion, the company has responded to the author of the breaking bing cashback exploit with a cease &amp; desist letter, rather than by fixing the underlying security problem.</p></div><p>Maybe they are doing both?</p><p>The cease and desist letter seems partially reasonable: </p><p><div class="quote"><p>Specifically, at this site you are providing information directing users how to misuse the microsoft Bing Cashback program through unauthorized technical means. Further, on this website you admit that you have personally misused the Cashback program in this regard.</p> </div><p>It's pretty stupid to admit you violate a law on a blog that has your name on it. He should have used an anonymous blog for that or informed Microsoft of the issue in the first place.</p></div>
	</htmltext>
<tokenext>In traditional Microsoft fashion , the company has responded to the author of the breaking bing cashback exploit with a cease &amp; desist letter , rather than by fixing the underlying security problem . Maybe they are doing both ? The cease and desist letter seems partially reasonable : Specifically , at this site you are providing information directing users how to misuse the microsoft Bing Cashback program through unauthorized technical means .
Further , on this website you admit that you have personally misused the Cashback program in this regard .
It 's pretty stupid to admit you violate a law on a blog that has your name on it .
He should have used an anonymous blog for that or informed Microsoft of the issue in the first place .</tokentext>
<sentencetext>In traditional Microsoft fashion, the company has responded to the author of the breaking bing cashback exploit with a cease &amp; desist letter, rather than by fixing the underlying security problem. Maybe they are doing both? The cease and desist letter seems partially reasonable: Specifically, at this site you are providing information directing users how to misuse the microsoft Bing Cashback program through unauthorized technical means.
Further, on this website you admit that you have personally misused the Cashback program in this regard.
It's pretty stupid to admit you violate a law on a blog that has your name on it.
He should have used an anonymous blog for that or informed Microsoft of the issue in the first place.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043428</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30054150</id>
	<title>Re:Solution</title>
	<author>Anonymous</author>
	<datestamp>1257860640000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Being a former developer of an affiliate network I can tell you the main problem is with lazy and technically inept merchants that are incapable of doing anything except embedding a static piece of html. MS just wanted their business and decided security isn't worth losing a chunk of the client base.</p></htmltext>
<tokenext>Being a former developer of an affiliate network I can tell you the main problem is with lazy and technically inept merchants that are incapable of doing anything except embedding a static piece of html .
MS just wanted their business and decided security is n't worth losing a chunk of the client base .</tokentext>
<sentencetext>Being a former developer of an affiliate network I can tell you the main problem is with lazy and technically inept merchants that are incapable of doing anything except embedding a static piece of html.
MS just wanted their business and decided security isn't worth losing a chunk of the client base.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043284</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30045080</id>
	<title>Re:It's called fraud</title>
	<author>Anonymous</author>
	<datestamp>1257865980000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>What a long story to completely miss the point. Yes, you are right, the world sucks and there are a lot of bastards out there who think it is ok to use every opportunity to scam other people out of money.</p><p>However, considering that the bastards are a given, providing a service as badly protected as this cash back program is simply criminal negligence. Yes, maybe the system is protected in other ways, and the criminals abusing it will be caught. But what good does that do to people who now have to spend time and money to deal with the consequences?</p></htmltext>
<tokenext>What a long story to completely miss the point .
Yes , you are right , the world sucks and there are a lot of bastards out there who think it is ok to use every opportunity to scam other people out of money.However , considering that the bastards are a given , providing a service as badly protected as this cash back program is simply criminal negligence .
Yes , maybe the system is protected in other ways , and the criminals abusing it will be caught .
But what good does that do to people who now have to spend time and money to deal with the consequences ?</tokentext>
<sentencetext>What a long story to completely miss the point.
Yes, you are right, the world sucks and there are a lot of bastards out there who think it is ok to use every opportunity to scam other people out of money.However, considering that the bastards are a given, providing a service as badly protected as this cash back program is simply criminal negligence.
Yes, maybe the system is protected in other ways, and the criminals abusing it will be caught.
But what good does that do to people who now have to spend time and money to deal with the consequences?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043866</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043922</id>
	<title>Re:Solution</title>
	<author>Rufus211</author>
	<datestamp>1257855000000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>2</modscore>
	<htmltext><p>It's pretty clear that whoever designed this API didn't even take a passing glance at the security or reliability implications.  There are 2 ways (from the linked slides) for a merchant to report cashback activity to MS:</p><p>1) Tracking pixel: this gives instant update to the user, but is completely insecure and also fairly unreliable (image fails to load, cross site https issues, random network hiccup, etc).</p><p>2) FTP upload of a plain text list: yes really, plain old FTP.  This is at least reliable but is only authenticated by a plain-text user/pass.  The list does not have any signature for authentication.</p><p>I'm not a web guy at all (I'm an ASIC hardware guy) and off the top of my head I can think of 2 real solutions:</p><p>The right way: SOAP.  Gives instant update to the user, should be trivial in any backend web language, is reliable, is trivial to encrypt (https), is trivial to authenticate (a simple shared secret would be enough).</p><p>A reasonable way: both of the existing ones.  The tracking pixel is used to provide instant user update in 99% of the cases, but the transaction is marked pending.  At the end of the day the text list is uploaded to the FTP.  Compare the 2 lists, approving all that match and flagging for review any that don't (extra, missing, or different).  As an added bonus a cryptographic signature should be added to the list.</p><p>The problem with simply adding a MAC to the existing tracking pixel is that it doesn't fix the reliability issue.  Also the advantage of the current tracking pixel is that it's stupidly easy to implement.  If you're going to load in some libraries to do the MAC calculation on the server, you might as well load in a SOAP library and do the transaction properly.</p><p>It really boggles the mind that a bogus transaction could actually be paid out.  
That indicates there is absolutely no auditing or rationalization between what the e-tailer thinks should be paid out and what MS thinks should be paid out.  Even something as stupid as end-of-month totals should flag that there are bogus transactions.</p></htmltext>
<tokenext>It 's pretty clear that whoever designed this API did n't even take a passing glance at the security or reliability implications .
There are 2 ways ( from the linked slides ) for a merchant to report cashback activity to MS : 1 ) Tracking pixel : this gives instant update to the user , but is completely insecure and also fairly unreliable ( image fails to load , cross site https issues , random network hiccup , etc ) . 2 ) FTP upload of a plain text list : yes really , plain old FTP .
This is at least reliable but is only authenticated by a plain-text user/pass .
The list does not have any signature for authentication.I 'm not a web guy at all ( I 'm an ASIC hardware guy ) and off the top of my head I can think of 2 real solutions : The right way : SOAP .
Gives instant update to the user , should be trivial in any backend web language , is reliable , is trivial to encrypt ( https ) , is trivial to authenticate ( a simple shared secret would be enough ) .A reasonable way : both of the existing ones .
The tracking pixel is used to provide instant user update in 99 % of the cases , but the transaction is marked pending .
At the end of the day the text list is uploaded to the FTP .
Compare the 2 lists , approving all that match and flagging for review any that do n't ( extra , missing , or different ) .
As an added bonus a cryptographic signature should be added to the list.The problem with simply adding a MAC to the existing tracking pixel is that it does n't fix the reliability issue .
Also the advantage of the current tracking pixel is that it 's stupidly easy to implement .
If you 're going to load in some libraries to do the MAC calculation on the server , you might as well load in a SOAP library and do the transaction properly.It really boggles the mind that a bogus transaction could actually be paid out .
That indicates there is absolutely no auditing or rationalization between what the e-tailer thinks should be paid out and what MS thinks should be paid out .
Even something as stupid as end-of-month totals should flag that there are bogus transactions .</tokentext>
<sentencetext>It's pretty clear that whoever designed this API didn't even take a passing glance at the security or reliability implications.
There are 2 ways (from the linked slides) for a merchant to report cashback activity to MS: 1) Tracking pixel: this gives instant update to the user, but is completely insecure and also fairly unreliable (image fails to load, cross site https issues, random network hiccup, etc). 2) FTP upload of a plain text list: yes really, plain old FTP.
This is at least reliable but is only authenticated by a plain-text user/pass.
The list does not have any signature for authentication. I'm not a web guy at all (I'm an ASIC hardware guy) and off the top of my head I can think of 2 real solutions: The right way: SOAP.
Gives instant update to the user, should be trivial in any backend web language, is reliable, is trivial to encrypt (https), is trivial to authenticate (a simple shared secret would be enough). A reasonable way: both of the existing ones.
The tracking pixel is used to provide instant user update in 99% of the cases, but the transaction is marked pending.
At the end of the day the text list is uploaded to the FTP.
Compare the 2 lists, approving all that match and flagging for review any that don't (extra, missing, or different).
As an added bonus a cryptographic signature should be added to the list. The problem with simply adding a MAC to the existing tracking pixel is that it doesn't fix the reliability issue.
Also the advantage of the current tracking pixel is that it's stupidly easy to implement.
If you're going to load in some libraries to do the MAC calculation on the server, you might as well load in a SOAP library and do the transaction properly. It really boggles the mind that a bogus transaction could actually be paid out.
That indicates there is absolutely no auditing or rationalization between what the e-tailer thinks should be paid out and what MS thinks should be paid out.
Even something as stupid as end-of-month totals should flag that there are bogus transactions.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043284</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043284</id>
	<title>Solution</title>
	<author>QuoteMstr</author>
	<datestamp>1257845460000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p>All Microsoft needed to do was include a <a href="http://en.wikipedia.org/wiki/Message_authentication_code" title="wikipedia.org">Message Authentication Code</a> [wikipedia.org] (such as, say, HMAC-SHA1) in the tracking image URL. Microsoft and the merchant obviously already have a shared secret they can use for the purpose. Using a MAC would have been practically free.</p><p>Given what Microsoft pays its programmers, I'm just appalled that nobody thought to include basic precautions in a brand-new interface written in this day and age. Whoever wrote the Bing API specification really should have known better.</p></htmltext>
<tokenext>All Microsoft needed to do was include a Message Authentication Code [ wikipedia.org ] ( such as , say , HMAC-SHA1 ) in the tracking image URL .
Microsoft and the merchant obviously already have a shared secret they can use for the purpose .
Using a MAC would have been practically free . Given what Microsoft pays its programmers , I 'm just appalled that nobody thought to include basic precautions in a brand-new interface written in this day and age .
Whoever wrote the Bing API specification really should have known better .</tokentext>
<sentencetext>All Microsoft needed to do was include a Message Authentication Code [wikipedia.org] (such as, say, HMAC-SHA1) in the tracking image URL.
Microsoft and the merchant obviously already have a shared secret they can use for the purpose.
Using a MAC would have been practically free. Given what Microsoft pays its programmers, I'm just appalled that nobody thought to include basic precautions in a brand-new interface written in this day and age.
Whoever wrote the Bing API specification really should have known better.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044784</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>Anonymous</author>
	<datestamp>1257864300000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>And the reason he wouldn't do this is precisely because the whole identity system in the United States<br>is based on a 'security through obscurity' method: assuming someone else won't know your social security number or other personal information.</p><p>What was your point exactly?</p></htmltext>
<tokenext>And the reason he would n't do this is precisely because the whole identity system in the United States is based on a 'security through obscurity ' method : assuming someone else wo n't know your social security number or other personal information . What was your point exactly ?</tokentext>
<sentencetext>And the reason he wouldn't do this is precisely because the whole identity system in the United States is based on a 'security through obscurity' method: assuming someone else won't know your social security number or other personal information. What was your point exactly?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044118</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043494</id>
	<title>Re:Use microsoft == get screwed</title>
	<author>gzipped_tar</author>
	<datestamp>1257848580000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><blockquote><div><p>In this case, it's Microsoft getting screwed by Microsoft.</p></div> </blockquote><p>Reminds me of a piece of quotation often attributed to Freud: <b>"The only thing about masturbation to be ashamed of is doing it badly."</b> </p><p>Shame, Microsoft, SHAME!!!</p></div>
	</htmltext>
<tokenext>In this case , it 's Microsoft getting screwed by Microsoft .
Reminds me of a piece of quotation often attributed to Freud : " The only thing about masturbation to be ashamed of is doing it badly .
" Shame , Microsoft , SHAME ! !
!</tokentext>
<sentencetext>In this case, it's Microsoft getting screwed by Microsoft.
Reminds me of a piece of quotation often attributed to Freud: "The only thing about masturbation to be ashamed of is doing it badly.
" Shame, Microsoft, SHAME!!
!
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043244</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30050588</id>
	<title>Re:Hey Mercedes!</title>
	<author>Anonymous</author>
	<datestamp>1257844020000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p><div class="quote"><p>Your car has an exploit, so I stole it and drove it into a wall to prove a point.</p></div><p>or: millions of cars have an exploit, so you stole one and drove it into a wall to prove a point</p></div>
	</htmltext>
<tokenext>Your car has an exploit , so I stole it and drove it into a wall to prove a point . or : millions of cars have an exploit , so you stole one and drove it into a wall to prove a point</tokentext>
<sentencetext>Your car has an exploit, so I stole it and drove it into a wall to prove a point. or: millions of cars have an exploit, so you stole one and drove it into a wall to prove a point
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044002</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30048186</id>
	<title>So, let me get this straight:</title>
	<author>Anonymous</author>
	<datestamp>1257878280000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>The Empire has to _pay_ people to use Bing?</p><p>Or do they have to pay the merchants to use it?</p><p>Or, is it _both_?</p><p>(FWIW: I don't have Windoze(tm)(r)(c), and can't use Bing)</p></htmltext>
<tokenext>The Empire has to _pay_ people to use Bing ? Or do they have to pay the merchants to use it ? Or , is it _both_ ?
( FWIW : I do n't have Windoze ( tm ) ( r ) ( c ) , and ca n't use Bing )</tokentext>
<sentencetext>The Empire has to _pay_ people to use Bing? Or do they have to pay the merchants to use it? Or, is it _both_?
(FWIW: I don't have Windoze(tm)(r)(c), and can't use Bing)</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30046742</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>amicusNYCL</author>
	<datestamp>1257873540000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>According to our idiotic U.S. law, you are guilty of hacking a computer service. It doesn't matter that you didn't actually do it - you are presumed guilty, and it's your job to prove innocence.</p></div><p>Nice troll, but that's not how it works.  A confession tends to remove that whole notion of "presumed innocent".  This guy confessed to exactly what he did.  Frankly, he <i>should</i> be convicted and fined, at the very least this is fraud that he willfully perpetrated and then confessed to.</p><p>Probably not the most intelligent blog post he's ever made..</p></div>
	</htmltext>
<tokenext>According to our idiotic U.S. law , you are guilty of hacking a computer service .
It does n't matter that you did n't actually do it - you are presumed guilty , and it 's your job to prove innocence . Nice troll , but that 's not how it works .
A confession tends to remove that whole notion of " presumed innocent " .
This guy confessed to exactly what he did .
Frankly , he should be convicted and fined , at the very least this is fraud that he willfully perpetrated and then confessed to . Probably not the most intelligent blog post he 's ever made. .</tokentext>
<sentencetext>According to our idiotic U.S. law, you are guilty of hacking a computer service.
It doesn't matter that you didn't actually do it - you are presumed guilty, and it's your job to prove innocence. Nice troll, but that's not how it works.
A confession tends to remove that whole notion of "presumed innocent".
This guy confessed to exactly what he did.
Frankly, he should be convicted and fined, at the very least this is fraud that he willfully perpetrated and then confessed to. Probably not the most intelligent blog post he's ever made..
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044268</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30050110</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>GasparGMSwordsman</author>
	<datestamp>1257885240000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><blockquote><div><p>&gt;&gt;&gt;I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th.<br> <br>

According to our idiotic U.S. law, you are guilty of hacking a computer service. It doesn't matter that you didn't actually do it - you are presumed guilty, and it's your job to prove innocence. (Kinda similar to that guy who was falsely accused of downloading child porn - he too was presumed guilty until he could prove that it was malware that did it.)</p></div></blockquote><p>

The law is not idiotic.  It is also not a guilty until proven innocent issue.<br> <br>

Every<nobr> <wbr></nobr>/. reader is sure of what he did.  Why?  Because of what HE WROTE.  He makes it very clear what he did, just because he did not jump up and down and say "I committed wire fraud," does not mean it is not obvious.<br> <br>

What is stupid here is that Microsoft sent a cease and desist letter to the guy that even mentioned his writing.  What they should have done is sent a cease and desist letter to him requesting that he STOP STEALING FROM THEM.  Instead they mentioned a secondary issue and now the story is about Microsoft censoring someone.  This was a simple and stupid PR move by Microsoft.<br> <br>

For those of you who question if he was stealing or not?  Well please point out where he says he is going to return the $2080.06 or contact Microsoft about this issue.  I didn't see a mention of the author doing either of those things.  What was written was that $2080.06 that he had no right to was being transferred into his account...</p></div>
	</htmltext>
<tokenext>&gt; &gt; &gt; I placed two $ 1 orders on January 24th of this year , and spent another $ 104,000 on October 24th .
According to our idiotic U.S. law , you are guilty of hacking a computer service .
It does n't matter that you did n't actually do it - you are presumed guilty , and it 's your job to prove innocence .
( Kinda similar to that guy who was falsely accused of downloading child porn - he too was presumed guilty until he could prove that it was malware that did it .
) The law is not idiotic .
It is also not a guilty until proven innocent issue .
Every / .
reader is sure of what he did .
Why ? Because of what HE WROTE .
He makes it very clear what he did , just because he did not jump up and down and say " I committed wire fraud , " does not mean it is not obvious .
What is stupid here is that Microsoft sent a cease and desist letter to the guy that even mentioned his writing .
What they should have done is sent a cease and desist letter to him requesting that he STOP STEALING FROM THEM .
Instead they mentioned a secondary issue and now the story is about Microsoft censoring someone .
This was a simple and stupid PR move by Microsoft .
For those of you who question if he was stealing or not ?
Well please point out where he says he is going to return the $ 2080.06 or contact Microsoft about this issue .
I did n't see a mention of the author doing either of those things .
What was written was that $ 2080.06 that he had no right to was being transferred into his account.. .</tokentext>
<sentencetext>&gt;&gt;&gt;I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th.
According to our idiotic U.S. law, you are guilty of hacking a computer service.
It doesn't matter that you didn't actually do it - you are presumed guilty, and it's your job to prove innocence.
(Kinda similar to that guy who was falsely accused of downloading child porn - he too was presumed guilty until he could prove that it was malware that did it.
)

The law is not idiotic.
It is also not a guilty until proven innocent issue.
Every /.
reader is sure of what he did.
Why?  Because of what HE WROTE.
He makes it very clear what he did, just because he did not jump up and down and say "I committed wire fraud," does not mean it is not obvious.
What is stupid here is that Microsoft sent a cease and desist letter to the guy that even mentioned his writing.
What they should have done is sent a cease and desist letter to him requesting that he STOP STEALING FROM THEM.
Instead they mentioned a secondary issue and now the story is about Microsoft censoring someone.
This was a simple and stupid PR move by Microsoft.
For those of you who question if he was stealing or not?
Well please point out where he says he is going to return the $2080.06 or contact Microsoft about this issue.
I didn't see a mention of the author doing either of those things.
What was written was that $2080.06 that he had no right to was being transferred into his account...
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044268</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30050256</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>GasparGMSwordsman</author>
	<datestamp>1257885840000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><blockquote><div><p>We use information like SSN and address which are not in any way secret, merely obscure, as a way to supposedly verify identity, and that's why we have so much identity theft. The reason no-one wants to post their SSN and address on Slashdot is precisely because security through obscurity sucks.</p></div></blockquote><p>

Well that and if you post your SSN it really isn't obscure anymore now is it...?</p></div>
	</htmltext>
<tokenext>We use information like SSN and address which are not in any way secret , merely obscure , as a way to supposedly verify identity , and that 's why we have so much identity theft .
The reason no-one wants to post their SSN and address on Slashdot is precisely because security through obscurity sucks .
Well that and if you post your SSN it really is n't obscure anymore now is it... ?</tokentext>
<sentencetext>We use information like SSN and address which are not in any way secret, merely obscure, as a way to supposedly verify identity, and that's why we have so much identity theft.
The reason no-one wants to post their SSN and address on Slashdot is precisely because security through obscurity sucks.
Well that and if you post your SSN it really isn't obscure anymore now is it...?
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044468</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30063632</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>bobzaguy</author>
	<datestamp>1257104880000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>What fun is fixing bugs when you can fuck over someone in court?
              &mdash;W. Gates</htmltext>
<tokenext>What fun is fixing bugs when you can fuck over someone in court ?
   W. Gates</tokentext>
<sentencetext>What fun is fixing bugs when you can fuck over someone in court?
—W. Gates</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043120</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044504</id>
	<title>Hey Microsoft?</title>
	<author>Anonymous</author>
	<datestamp>1257861960000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Ever heard of the "Streisand Effect"?</p><p>You can't cause people to "unlearn" something. An <a href="http://pastebin.com/f25aa8630" title="pastebin.com" rel="nofollow"> example</a> [pastebin.com] for ya...</p><p>Enjoy your broken system. Or maybe you'd better change it, word is REALLY out now.</p></htmltext>
<tokenext>Ever heard of the " Streisand Effect " ? You ca n't cause people to " unlearn " something .
An example [ pastebin.com ] for ya... Enjoy your broken system .
Or maybe you 'd better change it , word is REALLY out now .</tokentext>
<sentencetext>Ever heard of the "Streisand Effect"? You can't cause people to "unlearn" something.
An example [pastebin.com] for ya... Enjoy your broken system.
Or maybe you'd better change it, word is REALLY out now.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044652</id>
	<title>Re:And now thanks to /. and microsoft</title>
	<author>AftanGustur</author>
	<datestamp>1257863400000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Yep !
<p>
Future Microsoft Vulnerability Announcements will be made on 4Chan  !
</p></htmltext>
<tokenext>Yep !
Future Microsoft Vulnerability Announcements will be made on 4Chan !</tokentext>
<sentencetext>Yep !
Future Microsoft Vulnerability Announcements will be made on 4Chan  !
</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30044268</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043668</id>
	<title>Fix the spelling, FFS</title>
	<author>Anonymous</author>
	<datestamp>1257851100000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>What exactly is the point of submissions being labelled "typo" on the firehose they're not going to be fixed in the article?</p></htmltext>
<tokenext>What exactly is the point of submissions being labelled " typo " on the firehose they 're not going to be fixed in the article ?</tokentext>
<sentencetext>What exactly is the point of submissions being labelled "typo" on the firehose they're not going to be fixed in the article?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30045594</id>
	<title>Not Wire Fraud</title>
	<author>rwv</author>
	<datestamp>1257868620000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Lots of people are screaming "Wire Fraud" about this but I don't buy it.  Microsoft needs to be accountable for their lack of security.  They cost the world Billions of dollars (lost productivity plus value of the anti-virus/removal industry) because they're the leaders of a mentality where rushing products out the door is preferable to more reliable measures.

</p><p>I mean... blame the person who exploited the crappy security all you want... but if Microsoft doesn't stop the $2k deposit from going into his account I don't think laws should give them a leg to stand-on.  One poster noted that Microsoft probably has a team to review these large charges and I would agree that they do have resources to manually stop this large payment.

</p><p>But if they don't stop it... well it MUST be more profitable to make that choice because Microsoft is a very, very smart business and they have historically made very, very ballsy and successful business decisions.  So, as long as valuable taxpayer dollars don't get wasted on the case of whether it's morally right to exploit Microsoft for personal gain, I don't think there's much to talk about here.  BUT if this becomes a court battle (Unreliable, Cheap Software v. John Doe) I hope the Unreliable, Cheap Software loses.</p></htmltext>
<tokenext>Lots of people are screaming " Wire Fraud " about this but I do n't buy it .
Microsoft needs to be accountable for their lack of security .
They cost the world Billions of dollars ( lost productivity plus value of the anti-virus/removal industry ) because they 're the leaders of a mentality where rushing products out the door is preferable to more reliable measures .
I mean... blame the person who exploited the crappy security all you want... but if Microsoft does n't stop the $ 2k deposit from going into his account I do n't think laws should give them a leg to stand-on .
One poster noted that Microsoft probably has a team to review these large charges and I would agree that they do have resources to manually stop this large payment .
But if they do n't stop it... well it MUST be more profitable to make that choice because Microsoft is a very , very smart business and they have historically made very , very ballsy and successful business decisions .
So , as long as valuable taxpayer dollars do n't get wasted on the case of whether it 's morally right to exploit Microsoft for personal gain , I do n't think there 's much to talk about here .
BUT if this becomes a court battle ( Unreliable , Cheap Software v. John Doe ) I hope the Unreliable , Cheap Software loses .</tokentext>
<sentencetext>Lots of people are screaming "Wire Fraud" about this but I don't buy it.
Microsoft needs to be accountable for their lack of security.
They cost the world Billions of dollars (lost productivity plus value of the anti-virus/removal industry) because they're the leaders of a mentality where rushing products out the door is preferable to more reliable measures.
I mean... blame the person who exploited the crappy security all you want... but if Microsoft doesn't stop the $2k deposit from going into his account I don't think laws should give them a leg to stand-on.
One poster noted that Microsoft probably has a team to review these large charges and I would agree that they do have resources to manually stop this large payment.
But if they don't stop it... well it MUST be more profitable to make that choice because Microsoft is a very, very smart business and they have historically made very, very ballsy and successful business decisions.
So, as long as valuable taxpayer dollars don't get wasted on the case of whether it's morally right to exploit Microsoft for personal gain, I don't think there's much to talk about here.
BUT if this becomes a court battle (Unreliable, Cheap Software v. John Doe) I hope the Unreliable, Cheap Software loses.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_09_2319233.30043722</id>
	<title>Just in case it disappears from the cache, too</title>
	<author>dotancohen</author>
	<datestamp>1257851880000</datestamp>
	<modclass>Redundant</modclass>
	<modscore>0</modscore>
	<htmltext><p>Just in case it disappears from the cache, too:</p><p><div class="quote"><p>I&rsquo;ve never bought anything using Bing Cashback, but the balance of my account is $2080.06. Apparently, I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th. Let&rsquo;s see how these transactions might have &ldquo;accidentally&rdquo; got credited to my account.</p><p>First, we need to try to figure out how transactions get into Bing Cashback. Microsoft posted some documentation here. The explanation of how a merchant reports transactions to Bing starts on page 20.  Merchants have a few options for reporting, but Bing suggests using a tracking pixel. Basically, the merchant adds a tracking pixel to their order confirmation page, which will report the transaction details back to Bing. The request for the tracking pixel looks something like this:</p><p><a href="https://ssl.search.live.com/cashback/pixel/index" title="live.com">https://ssl.search.live.com/cashback/pixel/index</a> [live.com]?<br>jftid=0&amp;jfoid=&amp;jfmid=<br>&amp;m[0]=&amp;p[0]=&amp;q[0]=</p><p>This implementation, while easy for the merchant, has an obvious flaw. Anyone can simulate the tracking pixel requests, and post fake transactions to Bing. I&rsquo;m not going to explain exactly how to generate the fake requests so that they actually post, but it&rsquo;s not complicated. Bing doesn&rsquo;t seem to be able to detect these fake transactions, at least not right away. The six cents I earned in January have &ldquo;cleared,&rdquo; and I&rsquo;m guessing the remaining $2080 will clear on schedule, unless there is some manual intervention.</p><p>Even if Bing detects these fake transactions at some point in the future, the current implementation might have another interesting side effect.
I haven&rsquo;t done enough work to say it with confidence, but a malicious user might be able to block another user&rsquo;s legitimate purchases from being reported correctly by Bing (I only tried this once, but it seemed to work). Posting a transaction to Bing requires sending them an order ID in the request. Bing performs a reasonable sanity check on the order ID, and will not post a transaction that repeats a previously reported order ID.  When a store uses predictable order ID&rsquo;s (e.g. sequential), a malicious user can &ldquo;use up&rdquo; all the future order ID&rsquo;s, and cause legitimate transactions to be ignored. Reporting would be effectively down for days, causing a customer service nightmare for both Bing and the merchant.</p><p>Based on what I&rsquo;ve found, I wouldn&rsquo;t implement Bing Cashback if I were a merchant.  And, as an end user and bargain hunter, it does not seem smart to rely on Bing Cashback for savings.  In our next blog post, I&rsquo;ll demonstrate some other subtle but important reasons to avoid using Bing Cashback.</p></div></div>
	</htmltext>
<tokenext>Just in case it disappears from the cache , too : I 've never bought anything using Bing Cashback , but the balance of my account is $ 2080.06 .
Apparently , I placed two $ 1 orders on January 24th of this year , and spent another $ 104,000 on October 24th .
Let 's see how these transactions might have " accidentally " got credited to my account . First , we need to try to figure out how transactions get into Bing Cashback .
Microsoft posted some documentation here .
The explanation of how a merchant reports transactions to Bing starts on page 20 .
Merchants have a few options for reporting , but Bing suggests using a tracking pixel .
Basically , the merchant adds a tracking pixel to their order confirmation page , which will report the transaction details back to Bing .
The request for the tracking pixel looks something like this : https : //ssl.search.live.com/cashback/pixel/index [ live.com ] ? jftid = 0&amp;jfoid = &amp;jfmid = &amp;m [ 0 ] = &amp;p [ 0 ] = &amp;q [ 0 ] = This implementation , while easy for the merchant , has an obvious flaw .
Anyone can simulate the tracking pixel requests , and post fake transactions to Bing .
I 'm not going to explain exactly how to generate the fake requests so that they actually post , but it 's not complicated .
Bing does n't seem to be able to detect these fake transactions , at least not right away .
The six cents I earned in January have " cleared , " and I 'm guessing the remaining $ 2080 will clear on schedule , unless there is some manual intervention . Even if Bing detects these fake transactions at some point in the future , the current implementation might have another interesting side effect .
I have n't done enough work to say it with confidence , but a malicious user might be able to block another user 's legitimate purchases from being reported correctly by Bing ( I only tried this once , but it seemed to work ) .
Posting a transaction to Bing requires sending them an order ID in the request .
Bing performs a reasonable sanity check on the order ID , and will not post a transaction that repeats a previously reported order ID .
When a store uses predictable order ID 's ( e.g .
sequential ) , a malicious user can " use up " all the future order ID 's , and cause legitimate transactions to be ignored .
Reporting would be effectively down for days , causing a customer service nightmare for both Bing and the merchant . Based on what I 've found , I would n't implement Bing Cashback if I were a merchant .
And , as an end user and bargain hunter , it does not seem smart to rely on Bing Cashback for savings .
In our next blog post , I 'll demonstrate some other subtle but important reasons to avoid using Bing Cashback .</tokentext>
<sentencetext>Just in case it disappears from the cache, too: I’ve never bought anything using Bing Cashback, but the balance of my account is $2080.06.
Apparently, I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th.
Let’s see how these transactions might have “accidentally” got credited to my account. First, we need to try to figure out how transactions get into Bing Cashback.
Microsoft posted some documentation here.
The explanation of how a merchant reports transactions to Bing starts on page 20.
Merchants have a few options for reporting, but Bing suggests using a tracking pixel.
Basically, the merchant adds a tracking pixel to their order confirmation page, which will report the transaction details back to Bing.
The request for the tracking pixel looks something like this: https://ssl.search.live.com/cashback/pixel/index?jftid=0&amp;jfoid=&amp;jfmid=&amp;m[0]=&amp;p[0]=&amp;q[0]=
This implementation, while easy for the merchant, has an obvious flaw.
Anyone can simulate the tracking pixel requests, and post fake transactions to Bing.
I’m not going to explain exactly how to generate the fake requests so that they actually post, but it’s not complicated.
Bing doesn’t seem to be able to detect these fake transactions, at least not right away.
The six cents I earned in January have “cleared,” and I’m guessing the remaining $2080 will clear on schedule, unless there is some manual intervention.
Even if Bing detects these fake transactions at some point in the future, the current implementation might have another interesting side effect.
I haven’t done enough work to say it with confidence, but a malicious user might be able to block another user’s legitimate purchases from being reported correctly by Bing (I only tried this once, but it seemed to work).
Posting a transaction to Bing requires sending them an order ID in the request.
Bing performs a reasonable sanity check on the order ID, and will not post a transaction that repeats a previously reported order ID.
When a store uses predictable order ID’s (e.g. sequential), a malicious user can “use up” all the future order ID’s, and cause legitimate transactions to be ignored.
Reporting would be effectively down for days, causing a customer service nightmare for both Bing and the merchant.
Based on what I’ve found, I wouldn’t implement Bing Cashback if I were a merchant.
And, as an end user and bargain hunter, it does not seem smart to rely on Bing Cashback for savings.
In our next blog post, I’ll demonstrate some other subtle but important reasons to avoid using Bing Cashback.
	</sentencetext>
</comment>
