United Airlines awards hackers millions of miles for revealing risks (reuters.com)
228 points by doppp on July 16, 2015 | 105 comments



Taking a quick look at http://www.united.com/web/en-US/apps/mileageplus/awards/trav... it seems 1 million miles ~= $3000-$12000 depending on destination, date, etc. It doesn't seem all that bad of a deal, except plenty of people don't fly often enough to even make use of this, and you have to fly United, which for me would kill all the value.


You can use United miles to buy tickets on Thai, Lufthansa and ANA, all of which are superb.

(I used my last lot on two first class tickets to Tokyo which would have cost a lot more than $12k each if bought for cash.)


Well then I suppose it might be worth it. I've had great experiences on Lufthansa the few times I've flown on it; one time the plane was entirely empty except for our group of 5, so we had a 747 to ourselves.


I don't know if that's awesome or terrible.

I can totally see the appeal of flying in an almost empty 747, but at least according to this source[1] that makes a truly shocking 1MPG between the five of you. I can't help thinking the world would be a bit better off if they'd just apologised, and put you on the next flight.

[1] http://science.howstuffworks.com/transport/flight/modern/que...


I think the hundreds of passengers waiting to board the aircraft at wherever that flight was going might have a problem with that.

Sometimes the sizes of the passenger streams between two destinations aren't perfectly in balance. This is most clearly visible on shuttle services between a small and a large city - busy going to the large city in the morning and to the small city in the evening, and semi empty in the opposite directions.

Also seasonal flights - the first flight of the season to depart the destination (and the last to arrive) will often be pretty lightly loaded.

When that situation arises, you will need to reposition a less-than-full aircraft, otherwise your operations obviously fall apart. The GP clearly experienced an extreme case of this, but most likely that aircraft was being filled up at its next departure, and so needed to be there.

This is obviously expensive for airlines, so they try all they can to fill up these flights - which explains that the cheapest tickets are often on times that will be slightly odd or inconvenient, at least to business travellers.


My roommate is a flight attendant - he informed me of the term for transporting passenger-less commercial planes: "ferrying".


The flight attendant told me the plane was fully booked on the next trip; it was replacing one that had to be taken in for maintenance at my destination, or something along those lines (it's been a while, I don't remember the details), so it was either flying it empty or flying with us on it.


If airlines could do so, they would. It’s very expensive to fly an empty plane. But those planes are on a tight and inflexible schedule - they’d be flying even if no one boarded the plane at all.


I've had that on a few flights. Not quite as empty as you describe, but enough room where most in coach had 2-3 seats they could lay down in. Most often these have happened when taking vacations/business trips in the off season. Various places in Europe during the winter for example.


That is crazy! I find that so hard to believe, it just seems so crazy. Maybe a chunk of the seats were sold but something happened, like airport shuttle buses broke down or got stuck and everyone missed the flight. Cringeworthy for the airline to have to fly that flight anyways, heh.


From the sound of it, it was going out to replace a plane that needed maintenance. Which is a thing that happens; just a couple weeks ago, IIRC, Delta had to pull a 747 out of a "boneyard" storage facility and fly it to Seoul to replace one that took a bunch of damage (mostly hailstones) from a thunderstorm.

Also, schedules are built around keeping the plane in the air as much of the time as possible, which sometimes means there's a mostly-empty "positioning" flight to get a plane to where it needs to be to carry a full load. I know with US Airways, for example, you can sometimes randomly snag a seat on a widebody international plane between Philadelphia and Charlotte (usually coming out of maintenance and onto transatlantic service, or switching which hub the plane operates from), and on Delta you can occasionally fly a 747 domestically between Atlanta and Detroit (to get the 747 in position to fly from Detroit to destinations in Asia).


AA does this too and they have a schedule: https://www.aacargo.com/downloads/schedule/widebody_USA_dome...

I wanted to try first class on the 777 when it first came out, so I just connected in DFW for a PHX-ORD trip, and did the DFW-ORD segment on a 777.

As it turns out, domestic flights are GREAT in big aircraft. (Though I do like the smaller A321Ts too. International-class accommodations, but a really small feeling, like a private plane.)


Yeah, I was pretty confused myself at the time. We started to taxi with an empty plane and I asked a flight attendant wtf was going on and if the plane was supposed to be moving. It was nice though, I put up all the arm rests in one of the rows of middle seats and laid down for a nap.


I heard that airlines partner with companies like DHL and FedEx, and in cases like this they load more shipment packages in the storage space. That way they compensate for the costs.


Though Lufthansa is known to severely restrict the ability to redeem Star Alliance partner miles for premium seats.

Back when US Airways (which is where I have my status) was in Star, that was a consistent complaint. Now we're in oneworld with the AA merger, the complaint is British Airways' ridiculous "fuel surcharge" which makes a premium-class mileage-award ticket still cost the same amount of cash as an actual economy-class ticket.


I don't think they have any control over that. It's likely to do with Heathrow or UK regulations.


Booking a business-class or first-class award, on a US airline, to Heathrow, does not incur the massive "fuel surcharge". And as far as I'm aware, even booking on other British airlines (like Virgin Atlantic) does not incur the charge. It's only on BA.


I'll take your word on Thai and ANA. But I would purposely avoid flying on LH. They've managed to screw me over so many times it's not even funny.

(I know they're in the same group) I would take LX (Swiss) over LH any day.

When trying to help them in a bad situation on their end, they'll snap at you. (I.e. when they had a plane downgrade in FRA, I offered to be transferred to a UA metal flight on my way back to ORD. Their reaction: "WHO TOLD YOU THIS!" [I was trying to help the person avoid involuntary bumping; worse, I and my travel companion were on an award ticket, even if it mattered anyway.])


Airlines are like hard disk vendors or car manufacturers. Everybody has their anecdotal evidence that the particular one they hate is indeed the worst.


You can get way more than $12000 out of a million miles. I don't fly *A, but a quick glance at UA's award chart shows ~200k miles for a one way "anytime" US-Australia flight in first class. That is currently about $10,000 according to Google Flights. Done 5 times, there's $50,000. (I'm sure you can redeem on one of their better partner airlines, like ANA, if you are willing to be flexible on dates and times.)

Of course, this is unhelpful if you don't want to go somewhere far away and expensive in a premium cabin. I've always found the value in frequent flyer miles to be in redeeming tickets that I could never afford with money. Using frequent flyer miles to fly from Chicago to Minneapolis is not getting you much value.


> and you have to fly united, which for me would kill all the value.

I used to love flying United (note: I've mostly flown transatlantic flights with them; only one domestic US flight, and the difference was stark), for a simple reason:

While basic economy in United isn't all that great, their frequent flyer program is (or used to be, been a few years) very good in terms of ease of getting upgrades or perks. Getting up in the tiers enough to always get free upgrades to Premium Economy didn't take much, and the top tiers are actually possible to reach if you travel a bit for business, unlike e.g. British Airlines where you practically have to live in the air to get to their higher tiers.

Business on United did not match business on e.g. BA or Virgin, but on the other hand upgrades to business on United were as reliable as clockwork - I got upgrades ca. every 3rd leg once I'd gotten to one of their upper tiers (which includes a multiplier on miles).

If you fly now and again for leisure, base it on what you'll pay for, sure. But if travelling for business, how the upgrades stack up makes a huge difference.


So free tickets in United aren't valuable because you would rather sit on the ground than get to travel for free? I fly over 75,000 miles a year with United, mostly international and they aren't any worse than any other American carrier. I travel enough that I'd even be willing to fly AA if it were completely free even though I despise AA and how they used their bankruptcy to avoid paying a judgement I won against them. Free is free though.


Well like I said, not everyone flies that much. I don't come anywhere near 75000 miles a year, maybe somewhere around there for a lifetime total. After my last flight on United (and Delta), I would flat out refuse except maybe first class, but that seems like a waste. I'm pretty tall and 2 hours in I'm just about in tears from the pain in my knees from sitting in those tiny seats. I'd rather pay full price than do that ever again. I try to stick with Jet Blue or Virgin as much as possible because I actually fit.


United is a tradeoff: You suffer until you've flown enough to get up a couple of tiers in their frequent flier program, at which point they're great, as their frequent flier programme is quite generous. If you don't fly much, then I'd avoid them too. When you do fly much (and 75k miles a year would get you to Premier Platinum, their second highest tier) it's a very different situation. Not least because you also earn miles at a higher multiple at the higher tiers.


I am happy never to have to board a United flight again, thanks to US Airways exiting Star Alliance in the AA merger.

Especially with United's latest performance report indicating less than 1/3 of flights operate on time now.

(granted, I still have to avoid AA's hubs like the plague since they shut down for days whenever there's a hint of rain within 500 miles, but at least US Airways is still plenty reliable)


Unfortunately, the mile multiplier you earn at higher statuses only applies to award miles, not EQMs, so it doesn't make it any easier to attain / retain status.


> they aren't any worse than any other American carrier

Which is kind of like saying that Ebola isn't any worse than any other hemorrhagic fever.

(FWIW, I've flown >800k miles. Every one of my "top 5 worst flights" was on an American airline, bar one that involved a planeload of drunken Irish football hooligans and a seatmate who was both lecherous and morbidly obese.)


Even if the nominal value of the reward were as low as $100, it also has another positive but unstated value: it's a strong signal that you won't be prosecuted for revealing to them a flaw you've found.


You wouldn't be stuck on United - although it's a lot easier to use them for flights on United itself they can be used to fly on any Star Alliance carrier, including some really nice ones like ANA and Singapore Airlines.


I'd be curious if it also qualifies the person who found the bug for their million mile lifetime membership programs.

http://www.united.com/web/en-US/content/account/lifetime.asp...


The million mile lifetime status is based on "Lifetime Flown Miles," which is different than EQMs (elite-qualifying miles), and "Award Miles." EQMs reset every year, and are used only to set your frequent flyer status level. Award Miles are equivalent to a currency, and you can accumulate them and spend them on award tickets and other things. The reward for the bug bounty is only in award miles.


Almost certainly not.

Although it was different in the past, all the US carriers now differentiate between miles earned by actually flying (in the industry and the frequent-flyer community referred to as "BIS", or "butt-in-seat" miles), and miles earned from all other associated programs (credit cards, affiliate shopping, etc. etc.).

Only the mileage from actual flying counts toward frequent-flyer status, lifetime benefit thresholds and so on.


> except plenty of people don't fly often enough to even make use of this

Can this be sold?


They can probably be used for giftcards etc via the MileagePlusX program / app.


It's against United's terms to sell your miles.


Not that this stops it from happening, Google eg. "sell frequent flyer miles". It's doubly risky though: from what I can tell all the companies in this space are by definition more or less dodgy, plus the airline will catch on pretty quick and confiscate your miles (yes, they can do that) if you start redeeming first-class tickets for a whole bunch of "cousins" with random names and in random places.


The rules of the bug bounty program disallowed many of the usual red team approaches to finding possible exploits.

Attempting any of the following will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation. We do not allow any actions that could negatively impact the experience on our websites, apps or online portals for other United customers.

    .. Brute-force attacks
    .. Code injection on live systems
    .. Disruption or denial-of-service attacks
    .. The compromise or testing of MileagePlus accounts that are not your own
    .. Any testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi
    .. Any threats, attempts at coercion or extortion of United employees, Star Alliance member airline employees, other partner airline employees, or customers
    .. Physical attacks against United employees, Star Alliance member airline employees, other partner airline employees, or customers
    .. Vulnerability scans or automated scans on United servers (including scans using tools such as Acunetix, Core Impact or Nessus)

One can hope that the bad guys are similarly polite. And, as you would expect, the United security folks did not see the irony of their restrictions when it was pointed out to them.


These seem like pretty standard bug bounty terms. "Find bugs, but don't disrupt production systems trying to exploit them to find more".

The last bullet addresses a problem everyone has with bounties and scanners, which is that (a) they don't work and (b) they generate loads of bogus findings that the people who pirate the scanners then demand bounties for.


Yeah, I don't understand why the bug bounty programs have you use the live site, and not say, a clone of said site on a sub-domain and isolated servers, with fake customer data and flights populated so you can just have at it.


Because that's expensive and time-consuming to set up, and the ROI is often not there compared to spending those same resources on professional help.

Also, be careful what you wish for. A bug bounty that doesn't come with rules of engagement for a staging site to test is one that gives you permission to test the company's real properties. A bug bounty with staging server rules of engagement is one that doesn't, and you can be sued or even prosecuted for hitting the real servers in that case.

As a rule, big companies with bug bounties are never relying on those bounty programs. When a giant company announces a bug bounty in 2015, they're outing themselves as early adopters (relative to the F500); they'll have been spending buttloads of money on pentesting already.


It's basically an additional QA or acceptance environment, capacity being a fraction of what is running live, that's no more costly and time consuming really than all the effort it takes to set up a bug bounty program, and you can get far more useful takeaways from it if they can fully red team it. If someone finds an exploit that takes down the system or compromises account data, no real data or systems are at risk, no more so than they would be to actual malicious users.

The rules of engagement would obviously limit you from testing the real properties and restrict you to said servers that are completely isolated from the working production environment. DDOS attacks would be things that hang the application, or database, not simply flooding it with bot requests. Then they could do code injection, etc.


I spent 10 years negotiating for complete staging environments for professional pentests, on engagements with a median price somewhere in the mid-5-figures, and we rarely got them. Whatever you may think about the simplicity of setting up staging environments on a message board, they are empirically not easy in the real world.

There was no correlation between how savvy the target was and how likely they were to have staging environments for us. The modal organization that gave us a complete staging environment tended to be back-office IT for some huge company. Smart startups virtually never did.

One reason for this is that the environment a pentester needs is different from the one a developer needs. Large portions of the production environment can be stubbed out for a developer, and they can still get testing work done by focusing on their own component. Virtually every part of the environment needs to work, the way it does in prod, for a tester to do their job.

I'm still unclear on why code injection is such a big deal. The company isn't saying you can't test for vulnerabilities that lead to code injection. They're saying you can't actually inject code. There are two reasons you might, as a tester, want to do that: first, to "pivot" through the target to find more vulnerabilities, and second, to confirm a sev:hi flaw.

Neither of those goals are important here, as long as the company is good about acknowledging prospective sev:hi flaws.


Also, it adds ongoing costs to change management, as now you have to modify two environments for each change, test two environments, ensure data is refreshed into your non-prod environment (while ensuring you don't use production data in it), monitor two environments, pay licensing and support costs (hardware and software) for two environments, etc.

Having a secondary 'test' environment isn't as easy as 'oh just clone the VMs'.


To me it reads as a list of vulnerabilities they are guaranteed not to find.


Reminds me of the guy who found the Starbucks gift card exploit and decided to test it live. That got him the lawsuit.


He never 'got a lawsuit.' Instead, he got some comments from the contact to whom he reported it that criticized his approach. It's not even clear just who this person was. It seems he had trouble locating a contact to report security issues to, so this may as well have just been a low level support rep who was in over his head and saying things he shouldn't have.

"The hardest part - responsible disclosure. Support guy honestly answered there’s absolutely no way to get in touch with technical department and he’s sorry I feel this way. Emailing InformationSecurityServices@starbucks.com on March 23 was futile (and it only was answered on Apr 29). After trying really hard to find anyone who cares, I managed to get this bug fixed in like 10 days.

The unpleasant part is a guy from Starbucks calling me with nothing like “thanks” but mentioning “fraud” and “malicious actions” instead. Sweet!" http://sakurity.com/blog/2015/05/21/starbucks.html


Only way to be sure it exists is to test it live.


That is rarely true, and also besides the point: if you report the flaw and they acknowledge it, what does verification matter?


Not only did he test it live, but he used the gift card to purchase items. Could have easily walked in and checked the balance without purchasing anything.


To be fair, his purchase was relatively inexpensive, did not significantly disrupt other customers or otherwise compromise the system, and served to test that the balance was actually available, not just displayed.

Just deduct the price of the sandwiches from the bounty reward?


To me this list reads as:

1. Don't do attacks all systems are vulnerable to. (DDOS, Brute force)

2. Don't fuck with our customers.

3. Don't fuck with our employees.

Sounds very fair for a company with hundreds of people hanging in the middle of the air at any given point in time.

It is not an audit or internal code review. This is a bug bounty program. If you get to a position from where you can directly or indirectly affect live systems, you should stop there and report.


> Any testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi

I think this one and the "live system" one are due to legal regulations - they obviously do not want you to attempt to actually take control of a plane.


Lots of discussion about why that isn't possible (and other tangents) here [1]

  [1]: https://what.thedailywtf.com/t/plane-not-actually-commandeered-by-wi-fi-that-was-not-actually-hacked/47922


I think the "hack the plane through IFE" thing is nonsense but it still seems negligent to encourage people to try to break the electronics on a plane in the air, which is exactly what a bug bounty that qualifies findings in the IFE does.

Something to remember about every company that offers a bounty: they aren't just offering to pay for findings, but also implicitly granting permission to attack them, waiving many of their rights in the process. It makes sense that an airline would do that carefully.


Inflight entertainment and wifi systems are airgapped from avionics. It would be impossible to take control of the plane.


Hack the inflight entertainment to display a scary action-movie ransom notice on every monitor in the cabin and see if you can't get the plane to go where you want.


Give me a million dollars and a Get Out of Jail Free card and I'll show you it's perfectly possible. If anything security teaches us, it's that everything is vulnerable if the attacker is determined enough.


I just plugged in my raspberry pi. It is air gapped and has no internet connection. Connect to it via SSH and I will be your personal servant for the rest of my life.


Yeah. And they have a huge surface area of non-customer-facing and/or abandoned servers which are off limits. They should be more concerned with that than someone gaming their mileage program.


I guess it's a way to dip their toes into the waters, because for good safe pen testing they would need to mirror their infrastructure and make a system for testers to create accounts on demand, which necessitates work.


I've been very confused about the really negative sniping responses to this program saying the miles aren't worth much.

A million frequent flier miles via a major alliance airline is a very, very sweet prize. That's enough for a person to fly themselves and their spouse to basically anywhere on the planet in business class five times, round trip.


Business class international on Delta is far more than that. I know, I fly Delta first-class often enough and that's ~100k/roundtrip domestic. So that would be five first-class domestic flights for me and a partner at 1MM miles. Business class international? Might get one roundtrip flight between the two of us with some leftover miles for domestics.


That's because Delta SkyPesos suck.


They all suck. It's a race to the bottom. Delta is at least upfront about it and their FF program IMO is overall the best (behind American) depending on your geographic location and actual desire to fly (and not run miles like your life depended on it).


A UA saver award on business is 115k miles roundtrip international. You could fly from San Francisco to anywhere in Europe in business class and back for 115k miles + ~$10.


Depending upon saver vs. standard and the destination, it's probably not quite that good--but, still, two to three pairs of round-trip business class tickets, which isn't bad.

A good rule of thumb for the floor value of miles is a $0.01 per mile (i.e. a penny). From a value perspective, you usually get a better exchange for business and first. Of course, you may or may not normally pay for those upgraded seats if it were your own cash so imputing the actual value is difficult in that case.


A taxi costs you $1/mile minimum. If you think 1 cent per mile in an airline is a good exchange rate I have a bridge to sell you...


You may have misunderstood me. I was talking about the value of frequent flyer reward miles. So, for example, in rough terms, a round trip coast-to-coast coach flight in the US is going to cost you on the order of 50,000 rewards miles depending upon a number of factors. Buying the same ticket for cash will probably run you about $500--again in rough terms. So your "miles" (really reward points but everyone calls them miles) are worth about a penny a mile in that scenario.

Some airlines are moving to systems that tie reward miles more explicitly to both cost of tickets paid for and value of tickets being redeemed for but the above scenario is how it's generally been done to date.


Yeah, I really did misunderstand you. Sorry. And thank you for the explanation!


I also don't understand the comments that you wouldn't like 1 Million miles from United and they are saying the miles don't matter. Everyone is saying "united is shit" because they don't like the service and not because of what is being discussed in the article.


"The cost can be less than hiring outside consultancies."

It's probably ten times cheaper when you consider the per mile cost to the airline. United could hardly be getting a better deal.


Additionally actual results are orders of magnitude cheaper. If you hire a consultant you still have to pay them even if they find nothing.


Maybe UA get a kick-back from the agencies as well, since flying (international) would give the agencies identities, photos, fingerprints and a right to search the luggage of interesting hackers.


Sorry that you're the one to get the brunt of this, but I'm really bored of the NSA snark on unrelated articles. Yes, we get that they've done some terrible things. No, they didn't set up UA's security disclosure program in some sort of obscure conspiracy to get hold of hackers' passport numbers.


On balance I probably agree that this particular scheme is unlikely to be an NSA scheme.

However, if we learned anything from Snowden it is to err on the side of assuming that if it is possible then the NSA will eventually try to do it - and this definitely includes forcing US companies to act on their behalf. So post-Snowden the derogatory slur of "obscure conspiracy" doesn't carry so much weight.


Pretty sure the US Gov has access to US Passports.


Yes. What they don't have access to (with 100% certainty) is the other part of the potential dataset -- i.e. lists of grey-hat hackers.

(Again I doubt that this is actually an NSA backed scheme.)


I guess creating a bug bounty program is an easier way of pretending that you care than actually fixing your broken TLS...

    $ ./cipherscan united.com
    prio  ciphersuite             protocols              pfs                 curves
    1     RC4-SHA                 TLSv1,TLSv1.1,TLSv1.2  None                None
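A defender's way to turn output like the table above into a finding is to parse the rows and flag suites that use a broken cipher, offer no forward secrecy, or are still served over pre-TLS 1.1 protocols. The script below is an added example, not the commenter's code or cipherscan's own code; the three-row table it parses is constructed to match cipherscan's column layout (the RC4-SHA row is the only real row on the page, the other two are made up for illustration), and the weak-algorithm and legacy-protocol lists are this example's own assumptions.

```python
"""Audit cipherscan-style output for weak TLS configuration."""
import re

# Constructed sample in cipherscan's table format. Row 1 mirrors the
# comment above; rows 2 and 3 are made up to show a no-PFS suite and a
# modern ECDHE suite for contrast.
SAMPLE = """\
prio  ciphersuite                  protocols              pfs                 curves
1     RC4-SHA                      TLSv1,TLSv1.1,TLSv1.2  None                None
2     AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
3     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits  prime256v1
"""

# Assumed lists for this example: substrings marking broken or export-grade
# primitives, and protocol versions a 2015-era hardening guide would retire.
WEAK_ALGOS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ANON")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}


def parse_cipherscan(text):
    """Return a list of row dicts; columns are separated by 2+ spaces."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    rows = []
    for line in lines[1:]:
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != len(header):
            continue  # skip malformed lines rather than misalign columns
        row = dict(zip(header, fields))
        row["protocols"] = set(row["protocols"].split(","))
        rows.append(row)
    return rows


def assess_row(row):
    """List the problems with one ciphersuite row (empty list = clean)."""
    findings = []
    suite = row["ciphersuite"]
    if any(tag in suite for tag in WEAK_ALGOS):
        findings.append("weak cipher or MAC: " + suite)
    if row["pfs"] == "None":
        findings.append("no forward secrecy")
    legacy = sorted(LEGACY_PROTOCOLS & row["protocols"])
    if legacy:
        findings.append("offered over legacy protocol(s): " + ",".join(legacy))
    return findings


def audit(text):
    """Map each ciphersuite to its findings."""
    return {row["ciphersuite"]: assess_row(row) for row in parse_cipherscan(text)}


def preferred_suite_is_weak(text):
    """True if the server's first-priority suite has any finding.

    The server's own preference order matters most: a clean suite further
    down the list does not help a client that accepts whatever is offered.
    """
    rows = parse_cipherscan(text)
    top = min(rows, key=lambda r: int(r["prio"]))
    return bool(assess_row(top))


if __name__ == "__main__":
    for suite, findings in audit(SAMPLE).items():
        status = "; ".join(findings) if findings else "ok"
        print(f"{suite:30} {status}")
    print("preferred suite weak:", preferred_suite_is_weak(SAMPLE))
```

Feeding real cipherscan output into `audit()` gives a per-suite list of reasons, and `preferred_suite_is_weak()` captures the specific point of the comment: it is the suite the server prefers, not merely one it tolerates, that decides what most clients end up negotiating.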


How will the NSA/CIA get "unofficial" access to the travellers data if they step up their encryption?


Why would they need to get it from United when the government already has it through TSA SecureFlight?


I love how everyone is focused on the NSA and CIA as threats, to the exclusion of all other possible threats. If the US government wants to steal my credit card number, they can just tax me, that's a legitimate power they have. If they want to stop me from going somewhere, they can just arrest me at the TSA checkpoint. Setting up a MITM and breaking TLS, while possible, is way too much effort to gain something they can already gain in a perfectly straightforward way. It's like killing ants on the White House lawn by poisoning them via fracking.

The threat model for bugs in United is primarily non-governmental thieves.


What you said doesn't invalidate what I said. Are the intelligence agencies allowed to have that data at all? Because if they aren't they will try and get it using unofficial channels.


This is a fantastic idea. A great deal for both parties. Even if you have to fly United. If you're really that averse to being in the air for a few hours on a United plane you can probably use the miles for gifts. Get grandma a ticket to visit her grandchildren for her birthday or something.


FTA: United unveiled the approach in May just weeks before technological glitches grounded its entire fleet twice, underscoring the risks that airlines face.

Hmm, makes me wonder: could the glitches have been caused by some "hackers" doing testing?


Supposedly the downtime was due to a routing issue:

https://www.reddit.com/r/networking/comments/3cme3b/a_route_...


If they really wanted to thank them they would have given them miles to a different airline.


Do you have to pay taxes on using the miles?


Interesting question. The answer seems to be unclear. According to this article http://www.forbes.com/sites/kellyphillipserb/2014/08/28/tax-... miles given as "thank you points" can be taxable although there doesn't seem to be a definitive rule.

Previously the IRS more or less said that they weren't going to pursue any enforcement of frequent flyer miles obtained in the usual manner. http://www.journalofaccountancy.com/issues/2012/aug/20125796...


There are small fees associated with redeeming miles on most US airlines.

British Airways is also notorious for applying "fuel surcharge" fees (payable in cash only) to mileage award tickets, running into the hundreds-of-dollars range when redeeming miles for business-class or first-class tickets.


According to another article I read, he had to supply UA with a W9, so the answer is likely yes.


that's a lot of broken guitars!


What a honeypot. Anyone dumb enough to participate would have to fly United.


> What a honeypot.

How? They didn't dump a list of who is participating but Jordan Wiens was named and has a public profile and has published security research. I don't think black hat hackers are decloaking from tor to take a stab at some airline miles.

I wouldn't say the people are outright dumb; maybe they enjoy it and have a vacation lined up. Obviously, it isn't as financially rewarding as other BB programs, but outside of the compensation it doesn't seem overtly malicious. What rubs you the wrong way here?


He's being sarcastic. It's a running joke among frequent fliers that flying United is almost punishment because they are so bad. So even though you get the miles, you actually have to fly on United.


Not really. Frequent fliers know you can redeem United miles for flights on any *A carrier.


Phew. Talk about tying two cats together and stuffing them in a pillowcase. That's how I feel about flying United, free miles or no.


But now you can fly with hackers.


Heh, you're exactly right. I totally forgot about that. I'll be so cool!


Offering miles limits the community of bounty hunters to locations served by United.

Paying out with miles is a fun idea, but the strategy seems fatally flawed to me.


I think most people don't realize that UA is a part of the Star Alliance, and you can redeem amazing seats/suites on their partner airlines, ie Lufthansa, Singapore Airlines, Turkish Airlines, Thai Airways and Air Canada.


But this is far cheaper for United than offering cash rewards.


It's far cheaper, especially since miles are so hard to redeem. United has so few seats per plane for miles users that they are nearly worthless. I have hundreds of thousands of miles on United and can rarely ever use them for a flight I want unless I am willing to make 4 or 5 hops.


The lion's share of bug bounty reporters are from overseas.

I can't even remember a single submission from an American in the bounty I'm involved with.

So in conclusion: if you limit yourself to just that audience, and tempt them with only miles, most Americans who are competent enough to obtain bug bounty rewards are making enough money that miles are kind of a dubious incentive. So sure, you save money, but you get fewer submissions, and you get less return on investment than a bounty that pays out.


BUT you get the great publicity of being one of the forward thinking companies that does bug bounties. Anecdotally many non-programmer people are starting to understand that bug bounty = good.


You can redeem with Star Alliance, which serves 193 countries (i.e., almost everywhere).



