
Uber’s Payment to a Hacker, and the Fallout - tristanho
https://www.nytimes.com/2018/01/12/technology/uber-hacker-payment-100000.html
======
cablej
Being involved in bug bounties, don't be fooled by what happened here. This is
exactly a case of extortion: the hacker had downloaded user data from Uber,
and was paid off in order to delete the files. This differs from an actual bug
bounty payout, where a hacker would be disqualified for extracting user
information.

~~~
SilasX
But judging from how they weasel out of paying bug bounties, this may be the
only way to get them to pay anything!

~~~
julianj
According to Hackerone they've paid out quite a few bounties. I am not sure if
this total includes the 100k in question though.

Total bounties paid $1,345,845

[https://hackerone.com/uber](https://hackerone.com/uber)

~~~
fstuff
Is the 100k paid out to this guy included in that number? Just curious

------
pfarnsworth
After reading the article, it certainly sounds like a regular bug bounty case,
maybe the reaction was an overreaction.

Keep in mind this article was written by Mike Isaac who has been a thorn in
the side of Uber all throughout 2017. I highly, highly doubt after all the
anti-Uber articles he's written that he's an Uber shill, someone who is
pro-Uber, or someone who would just blindly believe whatever Uber PR told him.

The tone is distinctively even-tempered, which leads me to believe that maybe
it should be taken at face value and it wasn't a coverup at all.

~~~
mannykannot
On the contrary, even taking this report at face value, the pattern is one of
extortioner and extorted conspiring, at the behest of the latter, to hide a
problem from the people directly affected.

~~~
pfarnsworth
You have zero basis for that statement. In fact, the main writer says that it
wasn’t a cover up or extortion as well.

[https://mobile.twitter.com/nicoleperlroth/status/95196148060...](https://mobile.twitter.com/nicoleperlroth/status/951961480601063424)

~~~
mannykannot
I should not have presented my skepticism as a certainty, but it is based on a
couple of things. Firstly, there is the length of time it took for this
version of the story to come out: this you would expect from an organisation
that is threading a story to be consistent with all the information about the
event that has leaked (including an explanation for the delay in promulgating
that story itself), without making statements that might be contradicted by
further disclosures. Conversely, an entity that is just trying to get the
facts straight would be best served by being forthright. Secondly, the
journalists seem to be too ready to accept what they have been told, such as
"Mr. Fletcher drew further details about the hacker out through emails,
including ... proof that he deleted his copy of Uber’s downloaded data by
looking at a virtual copy of his system provided by his host" - that cannot
prove anything of consequence. Therefore, I am skeptical that the reporters
have seen all the relevant communications.

I accept that this may be too conspiracy-theoretical.

~~~
pfarnsworth
The two writers, especially Mike Isaac, are pretty openly anti-Uber. To say
they are the core of some conspiracy to make Uber look better is an ignorant
statement about who the writers are. They said they interviewed dozens of
people in getting this story, reporters (especially NY Times writers) don't
rely on single sources when they report things.

But you are free to believe whatever you want.

~~~
mannykannot
Nowhere did I suggest the reporters were the core of any conspiracy. That you
should so claim raises the distinct possibility that your analysis of the
issue is just as flawed.

If you had read my previous post with more care, you would have noticed that I
am tending towards agreeing with you, though with reservations.

------
pcoweg
Many larger companies have policies surrounding the paying of ransoms for
kidnapping. How is paying this "bounty" any different from paying such a
ransom?

~~~
ballenf
They don't fail to tell law enforcement after paying kidnapping ransoms and
don't consider the perp to be a law-abiding person. Also, if a kidnapper was
ever located domestically there'd be about a 0.00001% chance of the person
getting a payout.

~~~
tylerhou
It's also against Canadian law to pay ransoms for kidnapping, even if you're a
private citizen. (Although you'll be hard pressed to find someone who has been
prosecuted for this.) The U.S. has a similar "we don't negotiate with
terrorists" policy, but I'm not sure if it's explicitly illegal to send money.

~~~
ryanlol
>"we don't negotiate with terrorists"

A myth.

~~~
user5994461
Yes, always negotiate. The outcome is worse if you don't.

Here's a book from an ex-FBI hostage negotiator. It narrates some real case
stories from the inside; it's well written and quite interesting.
[https://www.amazon.co.uk/Stalling-Time-Life-Hostage-Negotiat...](https://www.amazon.co.uk/Stalling-Time-Life-Hostage-Negotiator/dp/1400067251)

~~~
extempore
Refusing to negotiate with terrorists isn’t a strategy designed to produce the
best outcome in isolation. It’s to avoid providing incentives for more
terrorism, despite the consequences viewed in isolation.

So “outcomes are worse if you don’t” is not relevant. Several times as many
terrorism incidents with better outcomes on average is not what most people
would consider effective anti-terrorism.

~~~
user5994461
The discussion went through ransoms, hostages and terrorism. It's
inappropriate to reply to all situations with "we don't negotiate with
terrorists".

------
lgrapenthin
Sorry, but is there a better record on this issue? This article just tries to
connect vaguely described events into a story. Very poor journalism, reading
this is a waste of time. Was the vulnerability a dumb mistake or an unexpected
exploit? Was it disclosed to the company in advance? How does this case differ
from other cases so that there are four lawsuits now and why has everyone been
fired? Because they created a bug bounty system that resulted in bug
disclosure? Nothing appears to make sense and the journalist doesn't worry at
all.

------
msmith10101
no more uber stores pls. kthanks.

