
SoylentNews is people

posted by mrpg on Tuesday August 22 2017, @12:45AM
from the get-/good_prices.htm dept.

USA Today has a story about a New Jersey couple who allegedly used a glitch in Lowe's website to steal merchandise.

A New Jersey couple used a website glitch to try and get more than $258,000 worth of goods — everything from a gazebo to an air conditioner to a stainless steel grill — for free from a home improvement store, authorities said.

Ultimately, the couple was only able to secure nearly $13,000 worth of merchandise from Lowe's after exploiting "weaknesses" in the company's website to have the items shipped to their home in Brick for free, according to a release from the Ocean County Prosecutor's Office.

Romela Velazquez, 24, was arrested and charged with theft by deception and computer criminal activity for accessing a computer system with the purpose to defraud. She attempted to get about $258,068 worth of unpaid merchandise from Lowe's, according to the release.

She actually received about $12,971 in stolen products, according to the release.

Her husband, Kimy Velazquez, 40, was charged with third-degree receipt of stolen property and fencing for his role in the alleged scheme.

The couple tried to sell some of the products on a local Facebook "buy and sell" group for half of the original sale price, listing the products as "new in box," authorities said.

According to an article on NJ.com, an attorney for the couple has stated that Velazquez is just an expert shopper, not a criminal hacker.

Jef Henninger, an attorney for Romela Velazquez, said his client is "the farthest thing from a computer hacker."

"Like many young mothers, she needs to stretch every dollar she can," Henninger said in a statement. "As a result, she has learned to spot good deals. These are the same deals that any of us can take advantage of, but most of us are too busy to learn how to spot them.

"Buying things at a big discount and selling them is not illegal. As a result, she maintains her innocence (and) looks forward to her day in court."

As far as I have been able to find, no technical details about the hack have been released.

One of the more interesting details that I did see was:

Lowe's, makers of Ugg shoes and Victoria's Secret have been identified as victims so far – but many more retailers were also ripped off and will eventually be identified, officials said.

Who knew?

Additional coverage at the New York Post and BleepingComputer.


  • (Score: 5, Insightful) by Justin Case on Tuesday August 22 2017, @01:17AM (34 children)

    by Justin Case (4239) on Tuesday August 22 2017, @01:17AM (#557334) Journal

    OK I get it that most people would judge this as theft.

    But just to present another perspective...

    I call you up and say "Hey I want to buy a couch. Can you ship it to me?"

    You: "Sure"

    Me: "How much?"

    You: "$500"

    Me: "OK I'll take it but I'm not paying $500. Will you accept $300?"

    Now you have a decision. You've stated a price. I made a counter offer. You can accept or not. Shipping the goods after I propose a price reduction seems to be accepting my offer.

    How is it different if you delegate the decision to a web site? If you did not adequately explain your discount policy to your web server how is that my fault?

    I send you a message. You accept it and act on it. You had a choice to decline my order. Where is the crime?

    Most "web site hacking" involves sending a (possibly unusual) request to a web site and the web site chooses how to respond.

  • (Score: 1) by khallow on Tuesday August 22 2017, @01:54AM (19 children)

    by khallow (3766) Subscriber Badge on Tuesday August 22 2017, @01:54AM (#557347) Journal

    How is it different if you delegate the decision to a web site?

    Why the expectation that the web site operates flawlessly?

    Now you have a decision. You've stated a price. I made a counter offer. You can accept or not. Shipping the goods after I propose a price reduction seems to be accepting my offer.

    Further, what is the price offered for unpaid merchandise? Why should there be an expectation that a business is going to legitimately negotiate their products down to free for the taking?

    • (Score: 0) by Anonymous Coward on Tuesday August 22 2017, @03:00AM (1 child)

      by Anonymous Coward on Tuesday August 22 2017, @03:00AM (#557361)

      Why should there be an expectation that a business is going to legitimately negotiate their products down to free for the taking?

      Because the cost to give you free shipping may be less than the cost to have the merchandise disposed. Should we pay someone to get rid of this office furniture or set the price to $1.00 or $0.00 and have customers carry it away for free? I've rung up an on sale item that was an in store display, and after the $20.00 off MFG coupon I ended up paying the customer to take the item. The MFG coupon will be reimbursed.

      Your black and white view of economics is so mentally deficient you need to check yourself back into elementary school.

      • (Score: 2, Insightful) by khallow on Tuesday August 22 2017, @12:29PM

        by khallow (3766) Subscriber Badge on Tuesday August 22 2017, @12:29PM (#557471) Journal

        Because the cost to give you free shipping may be less than the cost to have the merchandise disposed.

        But that's not the case here.

        Your black and white view of economics is so mentally deficient you need to check yourself back into elementary school.

        We're not speaking of economics here. We're speaking of someone who found a trick for getting a quarter of a million dollars in merchandise for free and is claiming as their defense that they thought it was legitimate. Where is the expectation here that a business will legitimately give away that quantity of merchandise for free no matter the supposed economic reason when they weren't prior? Especially when the person then turns around and sells the merchandise for a significant fraction of its original price?

    • (Score: 5, Insightful) by Justin Case on Tuesday August 22 2017, @03:14AM (4 children)

      by Justin Case (4239) on Tuesday August 22 2017, @03:14AM (#557368) Journal

      Why the expectation that the web site operates flawlessly?

      Why the expectation that an employee operates flawlessly?

      A business is usually liable for the mistakes of its employees, even if the employee fails to follow instructions. Here, the web site is following the instructions given to it by the business.

      • (Score: 1) by khallow on Tuesday August 22 2017, @12:35PM (3 children)

        by khallow (3766) Subscriber Badge on Tuesday August 22 2017, @12:35PM (#557472) Journal

        Why the expectation that an employee operates flawlessly?

        There is no such expectation of that either. And there have been times when large mistakes by employees have been reversed rather than honored (for example, mistyped refunds).

        A business is usually liable for the mistakes of its employees, even if the employee fails to follow instructions. Here, the web site is following the instructions given to it by the business.

        Sorry, I don't think this story would turn out different if it were an employee who mistakenly gave this person $250k in merchandise rather than a website.

        • (Score: 2) by Justin Case on Tuesday August 22 2017, @01:46PM (2 children)

          by Justin Case (4239) on Tuesday August 22 2017, @01:46PM (#557499) Journal

          What if the clearly written company policy said "If a customer walks in the door wearing a tinfoil hat, their purchases are free"? What if the employee and the customer can produce that written policy in court as part of the customer's defense?

          If the employee follows the written instructions exactly, it isn't an employee mistake. It might be a mistake in the written policy. Responsibility for that would have to rest on the people who wrote the policy.

          The customer would say "Hey, I read your policy. I'm not responsible for your pricing decisions and promotions. You said if I wear a tin foil hat I get free stuff. I acted on that discount you made available. It isn't my fault other customers didn't read the fine print. It surely isn't my fault you didn't read your own fine print."

          • (Score: 1) by khallow on Wednesday August 23 2017, @06:21AM (1 child)

            by khallow (3766) Subscriber Badge on Wednesday August 23 2017, @06:21AM (#557862) Journal

            What if the clearly written company policy said "If a customer walks in the door wearing a tinfoil hat, their purchases are free"?

            Feel free to consider whatever you want. But if you want me to consider it, it should have some real world relevance. This scenario has no relevance to the story since as described, it wasn't a policy failure, but bugs in the website.

            If the employee follows the written instructions exactly, it isn't an employee mistake.

            "IF".

            • (Score: 2) by Justin Case on Wednesday August 23 2017, @01:30PM

              by Justin Case (4239) on Wednesday August 23 2017, @01:30PM (#557984) Journal

              it wasn't a policy failure, but bugs in the website

              From the perspective of the web server, the site's code is the company policy.

              If the employee follows the written instructions exactly

              I suspect the web server followed its employer's written instructions exactly. Computers are very good at that.

    • (Score: 2) by sjames on Tuesday August 22 2017, @05:12AM (8 children)

      by sjames (2882) on Tuesday August 22 2017, @05:12AM (#557391) Journal

      Why the expectation that the web site operates flawlessly?

      I see no such expectation. If the company chooses to be represented by an idiot (meat or electronic), that's their issue.

      • (Score: 1) by khallow on Tuesday August 22 2017, @12:44PM (7 children)

        by khallow (3766) Subscriber Badge on Tuesday August 22 2017, @12:44PM (#557474) Journal
        Your inability to see the expectation is irrelevant. The earlier poster made absolutely no provision for the website having bugs or flawed operation.
        • (Score: 2) by Justin Case on Tuesday August 22 2017, @01:30PM (5 children)

          by Justin Case (4239) on Tuesday August 22 2017, @01:30PM (#557492) Journal

          Software bugs no longer exist. We are about to trust our lives to self driving cars.

          • (Score: 2) by Immerman on Tuesday August 22 2017, @04:46PM (2 children)

            by Immerman (3985) on Tuesday August 22 2017, @04:46PM (#557564)

            Not a problem so long as the cars' software is less buggy than most human drivers, which is a relatively low bar to cross.

            • (Score: 2) by Justin Case on Tuesday August 22 2017, @05:21PM (1 child)

              by Justin Case (4239) on Tuesday August 22 2017, @05:21PM (#557587) Journal

              So the amount this couple "stole" from Lowe's should be not a problem, so long as it is less than most thieves usually steal.

               

              On the one hand "web site bugs are so common Lowe's should not be expected to have a bug free site".

              On the other hand "self driving car bugs are so rare we can bet our lives on this untested future vaporware".

              If we've learned anything from decades of web site developers it is that sloppy code is common, easy to abuse, and never goes away. Yet we have people arguing that incompetence is to be expected, and not a problem, and surely not anyone's responsibility.

              • (Score: 2) by Immerman on Tuesday August 22 2017, @06:15PM

                by Immerman (3985) on Tuesday August 22 2017, @06:15PM (#557607)

                I was commenting primarily on your implied smearing of self-driving car capabilities - which are not untested vaporware. Tests have been ongoing for years, and even compensating for manufacturer overstatement they're at least getting into the same league as the average (incompetent) human driver.

                In a broader context yes, incompetence is *absolutely* to be expected - only gods are infallible... and actually most religious texts make a pretty good argument against even that if you read them carefully - even the Abrahamic ones.

                As for responsibility - it's the responsibility of anyone relying on the results of such known-flawed individuals or infrastructure to ensure that adequate safeguards are in place to reduce the risk to acceptable levels. If you're operating a large-scale store I expect there are safeguards to protect against incompetent (or corrupt) human employees - no less should be expected of your expected-flawed software.

                The big problem with software is not that it's flawed - that's implied by its very existence. The problem is that it fails *predictably* - which humans (mostly*) don't. Wouldn't be a problem in an "honest" world, but it means that any flaw discovered can potentially be exploited on a large scale by dishonest individuals if sufficient oversight isn't present. Quite similar to the law really, where the wealthy and powerful will predictably exploit any loophole they find (or have intentionally installed) until such time as sufficient public outrage builds around it to get the flaw repaired. In both cases, the key to continued exploitation is to maintain a low enough profile to avoid triggering repairs.

                (*Though we do have our weaknesses - most of which are exploited mercilessly by marketing and political campaigns).

          • (Score: 1) by khallow on Wednesday August 23 2017, @06:23AM (1 child)

            by khallow (3766) Subscriber Badge on Wednesday August 23 2017, @06:23AM (#557863) Journal

            Software bugs no longer exist. We are about to trust our lives to self driving cars.

            Ok. Feel free to get back on subject any time you'd like. Last I checked, web sites were not being managed by self driving cars.

            • (Score: 2) by Justin Case on Wednesday August 23 2017, @01:37PM

              by Justin Case (4239) on Wednesday August 23 2017, @01:37PM (#557992) Journal

              Way to miss the point. I didn't say web sites are being managed by SDCs. They're both being coded by careless quick-to-market fix-it-later-or-never development teams. The difference is sloppy websites sometimes cost the seller (who should therefore have at least a little reason to care) while SDCs will kill innocent bystanders, and so far I have not heard anyone who is going to be held responsible (by the death penalty, preferably) for that.

              Here's what I did say... currently just TWO posts above your reply:

              On the one hand "web site bugs are so common Lowe's should not be expected to have a bug free site".

              On the other hand "self driving car bugs are so rare we can bet our lives on this untested future vaporware".

        • (Score: 2) by sjames on Wednesday August 23 2017, @11:54PM

          by sjames (2882) on Wednesday August 23 2017, @11:54PM (#558221) Journal

          No provision needed. Offer made and accepted. Perhaps it was accepted because the website was the modern electronic version of the village idiot, but that's who/what Lowe's chose to have represent it.

    • (Score: 2) by urza9814 on Tuesday August 22 2017, @06:54PM (2 children)

      by urza9814 (3954) on Tuesday August 22 2017, @06:54PM (#557636) Journal

      Why the expectation that the web site operates flawlessly?

      Because they agreed to the transaction and because they've empowered that software to make decisions on the company's behalf. If they're afraid of bugs in their site shipping things out for free, they can always code additional layers of validation before the item ships. They can pay a room full of humans to validate every single transaction if that's what it takes. But once they take your money and ship the merchandise, they've agreed to the sale.

      If you go into a store and the cashier charges you the wrong price, the store can't arrest you just because their employee screwed up. It's their job to ensure their employees know how to do their job. If they want to use automation to replace those cashiers -- whether it's in store or online -- then that automation ought to be held to the same standard. It's not my job to know the difference between a good deal and a faulty algorithm. It's often not even possible. I can buy a pair of sunglasses for one cent on Amazon while WalMart would charge twenty bucks for an identical pair (identical as far as I can tell from an online photo at least). Seems like a mistake. But they've been on sale at that price for years, people are buying and reviewing them, nobody has removed the listing...so it's probably not a mistake, it's probably cheap Chinese garbage and they're siphoning a profit off the shipping fees or bundled ads or something. So what you're saying is the company can ship those out for years, and then when they start going bankrupt they just threaten to arrest everyone who ever bought a pair unless they pay an additional $20? That's not retail, it's extortion.

      • (Score: 1) by khallow on Wednesday August 23 2017, @01:29AM (1 child)

        by khallow (3766) Subscriber Badge on Wednesday August 23 2017, @01:29AM (#557801) Journal

        If you go into a store and the cashier charges you the wrong price, the store can't arrest you just because their employee screwed up.

        They can, if you do it often enough that you get $250k of merchandise that way. This goes way beyond exploiting a single mistake. It's stealing the store blind.

        So what you're saying is the company can ship those out for years, and then when they start going bankrupt they just threaten to arrest everyone who ever bought a pair unless they pay an additional $20? That's not retail, it's extortion.

        And since we're putting arbitrary words in each others' mouth, what are you really saying? "khallow is quite right and I beg his mercy for having the foolish temerity to question anything he has ever posted." I think it is quite possible that that wasn't what you were saying just like your straw man wasn't what I was saying. A single exploiter who steals a lot of merchandise is not equivalent to selling items to a zillion people at a discount and then attempting to extort considerably more money from them in some ludicrous scheme.

        • (Score: 2) by urza9814 on Wednesday August 23 2017, @11:37AM

          by urza9814 (3954) on Wednesday August 23 2017, @11:37AM (#557924) Journal

          So if instead of one pair of those cheap sunglasses I buy twenty thousand and start selling them for a profit, THEN I may or may not be a criminal depending on whether or not the company later decides that their pricing algorithm was incorrect?

  • (Score: 2) by maxwell demon on Tuesday August 22 2017, @04:54AM (10 children)

    by maxwell demon (1608) on Tuesday August 22 2017, @04:54AM (#557386) Journal

    Imagine you are making a written contract. The other side signed it and hands it to you to sign as well. Before you sign it, you alter it without the other side noticing. The other side proceeds to fulfil his part of the contract, and then when it's your turn you point to your alterations, pointing out they say you are not required to fulfil them. Now please tell me, did you defraud the other party or not?

    --
    The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 2) by Immerman on Tuesday August 22 2017, @04:55PM

      by Immerman (3985) on Tuesday August 22 2017, @04:55PM (#557572)

      My parents actually had such a case go to court - slightly less simplified as there's not really any way to unilaterally modify a contract after one person has signed it.

      The contract was sent back and forth many times with revisions highlighted, until right near the end the other guy failed to highlight a two-word change buried in a "settled" part of the contract, that seriously changed the balance of power in the business relationship. The judge's final ruling, despite having the paper trail of evidence showing the intentional deception - "Tough luck. The law is responsible for upholding the contract you signed, not the one you intended to sign."

    • (Score: 2) by urza9814 on Tuesday August 22 2017, @07:09PM (1 child)

      by urza9814 (3954) on Tuesday August 22 2017, @07:09PM (#557646) Journal

      Imagine you are making a written contract. The other side signed it and hands it to you to sign as well. Before you sign it, you alter it without the other side noticing. The other side proceeds to fulfil his part of the contract, and then when it's your turn you point to your alterations, pointing out they say you are not required to fulfil them. Now please tell me, did you defraud the other party or not?

      Big companies like Lowe's do this as standard business practice. You sign up for an account and agree to their terms of service, then six months later an email drops into your spam folder saying "We've updated the terms; continuing to use the service constitutes agreement to these terms." They don't renegotiate, they don't ask if you agree, that's all just assumed.

      • (Score: 2) by maxwell demon on Wednesday August 23 2017, @05:04AM

        by maxwell demon (1608) on Wednesday August 23 2017, @05:04AM (#557843) Journal

        Big companies like Lowe's do this as standard business practice. You sign up for an account and agree to their terms of service, then six months later an email drops into your spam folder saying "We've updated the terms; continuing to use the service constitutes agreement to these terms." They don't renegotiate, they don't ask if you agree, that's all just assumed.

        They can do this because there was a clause in the previous version that stated it explicitly. That is, when you accepted the original terms, you also accepted that they may change the terms whenever they want. I'm pretty sure if they didn't include that clause in the original terms, later changes without your explicit agreement would not be allowed. Similarly, they certainly don't include a clause that you may change the terms as you see fit, therefore I'm pretty sure if you just sent them an email telling them "I changed the terms of service in that and that way; if you continue to provide the service that counts as implicit acceptance" that wouldn't work.

        --
        The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 2) by FatPhil on Wednesday August 23 2017, @08:34AM (6 children)

      by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Wednesday August 23 2017, @08:34AM (#557898) Homepage
      You make the offer, the shop accepts. Human moves, then computer. Then there's a contract.

      Your tale seems to be making the second player the corrupt one, the computer in a webshop. This tale is "You modify the contract, sign it, and hand it back. Player 2 signs it." which is very different.

      Depending on the lengths that were gone to in order to wrangle the deal (anything more than editing a human-visible field on a page would probably constitute a deliberate intent to defraud), I'd say this looks like a case of "the computer fucked up". If the shop feels hard done by, it should try to sue whoever it got its crappy webshop software from. If that company goes bust, good, its shitty software is bringing down what's left of the good name of real programmers.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 2) by maxwell demon on Wednesday August 23 2017, @06:28PM (5 children)

        by maxwell demon (1608) on Wednesday August 23 2017, @06:28PM (#558110) Journal

        No, in every online shopping system I know, the shop makes the offer and I can accept.

        --
        The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 2) by Justin Case on Wednesday August 23 2017, @07:05PM (3 children)

          by Justin Case (4239) on Wednesday August 23 2017, @07:05PM (#558126) Journal

          I don't think we have the details of this "attack" but the way it usually goes is something like this:

          Website: Please buy my WIDGET for $100.

          User: I want the WIDGET but I think the price should be $0.

          Website: OK.

          Perhaps this was a stupid response from the website, but it is up to the website to enact Lowe's business logic.

          To put it another way, it is not "unauthorized access" to a website when the website explicitly accepts, approves, and responds positively to your request.

          • (Score: 2) by maxwell demon on Wednesday August 23 2017, @08:00PM (2 children)

            by maxwell demon (1608) on Wednesday August 23 2017, @08:00PM (#558146) Journal

            We must visit different web sites. I wouldn't have an idea where I could suggest a price.

            --
            The Tao of math: The numbers you can count are not the real numbers.
            • (Score: 2) by Justin Case on Wednesday August 23 2017, @11:18PM (1 child)

              by Justin Case (4239) on Wednesday August 23 2017, @11:18PM (#558215) Journal

              Just because you don't know how doesn't mean nobody knows how.

              This is a common mistake made by web site developers. "I can't imagine a way to abuse this, so there's no need to validate the data."
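The generic pattern described in the comments above (a request that carries its own price, accepted without validation), shown beside a server-side check, as an added example. It is not from any poster and not a reconstruction of the Lowe's incident, whose details were not released; the catalogue, field names, quantity limit and function names are all assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed catalogue: the server's own price list (SKU -> unit price).
CATALOG = {"WIDGET": Decimal("100.00"), "GRILL": Decimal("499.00")}
MAX_QTY = 20  # assumed per-line quantity limit


class OrderRejected(Exception):
    """Raised when a submitted order fails server-side validation."""


def total_trusting_client(order):
    """The mistake: the total is computed from prices carried in the request."""
    return sum(Decimal(line["unit_price"]) * line["qty"] for line in order["lines"])


def total_validated(order):
    """Price each line from CATALOG; return (total, SKUs whose claimed price differed)."""
    total = Decimal("0")
    mismatched = []
    for line in order["lines"]:
        sku, qty = line.get("sku"), line.get("qty")
        if not isinstance(sku, str) or sku not in CATALOG:
            raise OrderRejected(f"unknown SKU {sku!r}")
        # type() check rather than isinstance(): bool is a subclass of int.
        if type(qty) is not int or not 1 <= qty <= MAX_QTY:
            raise OrderRejected(f"bad quantity {qty!r} for {sku}")
        claimed = line.get("unit_price")
        if claimed is not None:
            try:
                same = Decimal(str(claimed)) == CATALOG[sku]
            except InvalidOperation:
                same = False  # unparseable price: treat as a mismatch
            if not same:
                mismatched.append(sku)  # worth logging and reviewing
        # The submitted price is never used in the arithmetic.
        total += CATALOG[sku] * qty
    return total, mismatched


def release_for_shipping(order, amount_captured):
    """Second gate before fulfilment: captured payment must equal the server's total."""
    try:
        total, _ = total_validated(order)
    except OrderRejected:
        return False
    return amount_captured == total


# Constructed request body in which the price field has been edited to zero.
EDITED_ORDER = {"lines": [{"sku": "WIDGET", "qty": 1, "unit_price": "0"}]}

if __name__ == "__main__":
    print("trusting total: ", total_trusting_client(EDITED_ORDER))
    print("validated total:", total_validated(EDITED_ORDER))
    print("ship with $0 captured?", release_for_shipping(EDITED_ORDER, Decimal("0")))
```

The shipping gate is the "additional layer of validation before the item ships" that another comment in this thread mentions: even if a pricing bug survives in the cart, the order does not leave the warehouse unless the money captured matches the catalogue.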

              • (Score: 2) by maxwell demon on Thursday August 24 2017, @05:46AM

                by maxwell demon (1608) on Thursday August 24 2017, @05:46AM (#558331) Journal

                So you admit they abused an error in the programming. Thus it's the equivalent to my scenario. Note that you are not making a contract with the computer; a computer cannot ever be a legal agent. The computer is only a means, and they used a programming error to make the computer do something the shop owner did neither intend nor approve of.

                --
                The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 2) by FatPhil on Thursday August 24 2017, @03:24PM

          by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Thursday August 24 2017, @03:24PM (#558463) Homepage
          That's not how normal shopping works - i.e. normal contract law when it comes to shopping. The price on the shelf is an "invitation to treat". You then tender your offer, and the shop optionally accepts your offer if it matches what they expect. Which is one reason there's no obligation to sell you mispriced goods.

          Why should web-shopping be different? Citation requested if you're claiming contract law applied differently to them.

          A quick google search implies that they're the same. Check the terms and conditions - they might say that the offer/order is only accepted, the contract concretised, when the order is dispatched.
          --
          Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 1) by Virindi on Tuesday August 22 2017, @06:43AM (1 child)

    by Virindi (3484) on Tuesday August 22 2017, @06:43AM (#557412)

    The difference is, in this particular situation, is it reasonable for the "buyer" to believe that they were actually making such a deal? Or does the "buyer" think they are deceiving the website and getting something against the will of the company?

    The crimes she is charged with require this intent. By her actions, the prosecutor believes it is obvious that she knew that the site did not actually intend to make such a sale, but rather, she was tricking them into getting merchandise that did not rightfully belong to her.

    Criminal law is all about intent, not the technical form of the interaction.

    • (Score: 2) by FatPhil on Wednesday August 23 2017, @08:37AM

      by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Wednesday August 23 2017, @08:37AM (#557899) Homepage
      The situation is probably little different from the old pre-POS situation of "I wonder what happens if I peel this 20p price label off this tin of tomatoes, and put it on this #10.00 tin of caviar?"
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 2) by FakeBeldin on Tuesday August 22 2017, @08:48AM

    by FakeBeldin (3360) on Tuesday August 22 2017, @08:48AM (#557438) Journal

    You: "$500"
    Me: "OK I'll take it but I'm not paying $500. Will you accept $300?"

    That's what one side alleges. The other side seems to claim it went something more akin to:

    Them: "$500"
    Me: "OK " <medi Jind trick> "you do not want any money for these" </medi Jind trick> "I'll take it for free. Is that ok?"
    Them: <foggy eyes> "OK".