
Uber paid 20-year-old Florida man to keep data breach secret - QUFB
https://www.reuters.com/article/us-uber-cyber-payment-exclusive/exclusive-uber-paid-20-year-old-florida-man-to-keep-data-breach-secret-sources-idUSKBN1E101C
======
sillysaurus3
Pentester here.

If any pentester would download more data than necessary to prove a bug
exists, they would be fired.

I don't know whether this person downloaded 57M user records. Maybe it was a
500kb zip file, which would be totally reasonable to grab in a pentest. And
then once you realize what it is, you run `srm` on it to ensure it's wiped,
then immediately call the client so they can deploy an emergency hotfix and
perform forensic analysis to see if the data had already been nabbed.

We know he contacted Uber. We don't know whether he said "Give me $100k and
I'll delete the data" or "Give me $100k and I'll keep my mouth shut" or if
Uber offered him the $100k or any details at all. In this scenario, it's
better to assume the best until proven otherwise. And by "proof" I mean
"emails showing what was said," not a second-hand news report that attempts to
spin it into an easily clickable form.

But I suppose it could have gone the other way too, and maybe he did. The
point is, it's totally reasonable for Uber to raise the price until he was
willing to keep quiet about it. If I ran into this bug in the wild, I would be
ethically obliged to report it to you, dear readers, after a reasonable time
period. But I suppose certain ethics would take a back seat to $100k in my
pocket, and I'm not ashamed of that.

But it depends on the data. If we're talking SSNs, that could really screw up
people's lives, so I don't think I'd be able to be bought. CC numbers I'd
probably overlook, since you can't really mess with someone's life by stealing
their CC number. They just get refunded. (edit: On the other hand, businesses
eat the cost of fraud, so this would probably need to be reported.)

The point is, it's a big complex topic and there are a bunch of things we
don't know. But above all, if you are ever holding data hostage and demanding
money to destroy it, you're not a pentester, you're a chump.

edit2: it occurs to me that maybe the 20yo wanted to hold the data in order to
prove to the world that the breach really did happen, i.e. his intent was
altruistic. I could picture myself doing something misguided like that back
when I was 20. But the trick is to keep only a few records at most, and redact
everything sensitive. Then tell the truth. The company can't lie and say it
didn't happen, since they don't know whether you can prove that it did. And no
one is at risk because the data is gone.

~~~
roel_v
"if you are ever holding data hostage and demanding money to destroy it,
you're not a pentester, you're a chump."

If you're not getting paid _up front_ , regardless of the outcome, you're not
a 'pentester' in the first place - you're just doing free work for a company
who will then (in some cases) not hesitate to sue you just for telling them
they have a problem. Fuck that. You're taking some sort of moral high ground
here; which is to be expected, as you're in the industry, or as we say in
Dutch - "whose bread one eats, whose word one speaks". But just because a
bunch of people with security services to sell says it's so, doesn't make it
true.

"Responsible disclosure" is bullshit. These "bug bounty" programs are just a
cover up - a way to retroactively say "but we had procedures!". The real
chumps are the people spending days or weeks looking for issues and then being
sent off with a $250 Starbucks coupon and a pat on the head. The days of
'playing nice' or 'doing the 'ethical' _rollseyes_ thing' are over. Today's
internet is an all-out, free for all warzone (security-wise). "Responsible
disclosure" is a PR scapegoat, a smoke curtain devised by companies unwilling
to spend what it takes to make our eye-wateringly bad state of infrastructure
seem... if not good, then at least less crap.

I don't have a horse in this race; I stopped caring about infosec 15+ years
ago when the full contact spirit of the scene began to wane. I just assume
that anything with a keyboard I type on is compromised and adapt my behavior
to match. But it does still make me angry that so many people bought into this
whole spiel of blaming whoever finds the issue, instead of holding those that
caused it in the first place responsible. It's morally equivalent to the GFC
bailouts, except that there's not even a 'too big to fail' argument to be
made.

~~~
rando444
I agree with you, however when you get paid is irrelevant.

It's just a matter of having a clear objective and guidelines scoped out in a
contract.

~~~
roel_v
Yes, I meant 'agree upfront that you'll get paid at all', not so much that the
invoice needs to be paid before you start the work - that was unclear phrasing
on my part.

------
foobaw
Uber paid this Florida man 100K as a bug bounty - and the secrecy was just
part of the deal. My understanding is that bug bounties usually come with a
reasonable disclosure process but in this case, Uber did not want this because
of the severity of the issue, which in my opinion is wrong because of the
potential impact of the bug. In any case, I wouldn't be surprised if there are
similar cases that happened to other big companies like Google, Facebook.

Edit: According to the disclosure process on
[https://www.hackerone.com/disclosure-guidelines](https://www.hackerone.com/disclosure-guidelines), there's nothing
about disclosures lasting this long.

~~~
ProAm
> Uber did not want this because of the severity of the issue

And they were currently negotiating with the FTC over a different prior
undisclosed data breach.

------
tptacek
People find game-over vulnerabilities and report them to bug bounties all the
time. To a first approximation, 100% of serverside RCE vulnerabilities
reported through HackerOne create comparable conditions. But the reporters
don't have their machines forensically imaged or violate breach disclosure
laws when they report on H1.

This doesn't add up.

------
Operyl
So, knowing it was HackerOne was this as nefarious as the news is truly making
it? It sounds like he found private keys in the github repos like was
mentioned, that doesn’t necessarily mean that he downloaded or even
blackmailed uber. Uber is still in the wrong for keeping a potential breach
secret, but I’m beginning to have my doubts here.

~~~
deedubaya
But if he found them, then someone else could have _already_ found them and
downloaded the data.

The problem isn't that Uber paid him for finding the vulnerability, but that
Uber kept it secret for so long.

~~~
tptacek
That doesn't make sense. Serverside RCEs get disclosed all the time. If you
take the median large SFBA tech company and stipulate serverside RCE, you're
almost 100% of the time going to be an hour or two away from a
breach-disclosure-law event. But that never happens. What was different in this case?

------
Johnny555
_Uber also conducted a forensic analysis of the hacker’s machine to make sure
the data had been purged, the sources said._

It's a good thing no hacker would ever think to make a backup copy of the file
on a USB stick or upload it to some cloud provider.

~~~
jstarfish
Looking for evidence of data exfiltration is common procedure in any forensics
review.

~~~
Johnny555
No doubt, but after the fact it's very hard to detect any evidence especially
if the hacker was purposely trying to cover his tracks. Maybe they can see
that a USB drive was plugged in, but they won't know what may have been copied
to that drive or to a network drive.

~~~
PeterisP
You'd be surprised at what can occasionally be found.

I _think_ that I might be able to cover my tracks, but I'm definitely not
sufficiently certain to stake my freedom on it, there's always a chance that
I'd make some mistake and they happen to be more thorough than I am, and the
same applies for everyone (e.g. including authors of APT's employed by the
major intelligence services around the world); a 90% chance of getting some
extra money on top of what he got isn't worth a 10% chance of criminal
prosecution. Knowing that the machine is going to be analyzed by someone with
a lot of resources is a sufficient deterrent IMHO.

------
ourmandave
_The Florida hacker paid a second person for services that involved accessing
GitHub, ... to obtain credentials for access to Uber data stored elsewhere,
one of the sources said._

In what world is the FL man (and his 2nd person) not a felon?

------
WillyOnWheels
A well known heavily trafficked site was put under onerous FTC sanction and
had to agree to prepare monthly reports about how they were keeping user's
data safe for the next ten years.

Perhaps Uber will face the same penalty.

~~~
jnbiche
What site was that? Surely if they were FTC-sanctioned, it's public
information, right?

~~~
jeremycole
[https://www.ftc.gov/news-events/press-releases/2010/06/twitter-settles-charges-it-failed-protect-consumers-personal](https://www.ftc.gov/news-events/press-releases/2010/06/twitter-settles-charges-it-failed-protect-consumers-personal)

------
hitgeek
this seemed like a bug bounty from the beginning, and the media was
disingenuous to spin it like blackmail.

if there was no evidence that any data was actually compromised, I'm not sure
I see a reason why they would need to disclose this to the public.

~~~
cag_ii
> Uber received an email last year from an anonymous person demanding money in
> exchange for user data ...

Doesn't sound like a typical bug bounty to me.

~~~
dsacco
That sounds more like you’ve never been on the receiving end of a bug bounty
program :)

------
cyphunk
Not news

Long time security researcher here... most smart companies do not bribe, they
simply hire, post-exploit. An employee or even consultant under NDA can't
disclose very easily. In fact many fortune 500s will seek out up and coming
analysts for some fluff project with little other reason than to get that NDA.

------
mkagenius
So, they are willing to pay $100k but normally their max payout for the
severest bug is $15k?

~~~
erichurkman
Top end bugs typically get paid far above the 'max payout' for more typical
bugs, and that is not unique to Uber. Maybe not 6x higher, but 'max payout' is
a soft ceiling.

------
paul7986
I bet Uber was hacked long before 2016 as 1k was stolen from my Uber account
in May 2014. It was supposedly for a ride in London while I'm in DC. When this
happened I searched Twitter and saw ten to 20 ppl a day complaining of the
same thing.

Uber's PR response at the time was it's the users fault for not choosing a
complicated password vs. owning up there's a problem and or being concerned
for their customers. What a great company!

~~~
nikcub
You can go onto underground markets and forums today and buy hundreds to
thousands of Uber accounts. They're obtained via endpoint malware and shared
passwords.

Buying and selling Netflix, porn and Uber accounts in this way is a very
common and popular

If your account was affected it's a very good chance it was via this method
rather than a broader Uber breach

~~~
paul7986
Oh Uber was hacked in 2014 per this article
[https://www.google.com/amp/s/www.cnbc.com/amp/2017/11/21/uber-hack-exposes-data-of-57-million-users-and-drivers-report-says.html](https://www.google.com/amp/s/www.cnbc.com/amp/2017/11/21/uber-hack-exposes-data-of-57-million-users-and-drivers-report-says.html)

Scroll to the middle of the article.

------
polock
Uber employee said "Uber hack - What a fucked up way to handle such a
problem."

[https://us.teamblind.com/article/uber-hack-OYUM6OPh](https://us.teamblind.com/article/uber-hack-OYUM6OPh)

------
JoeAltmaier
Finally, Florida Man gets a break! Normally he has such a hard life:

[https://www.reddit.com/r/FloridaMan/](https://www.reddit.com/r/FloridaMan/)

------
pimmen
And that’s why you shouldn’t check in passwords or tokens with Git, kids.

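The point pimmen makes above is the one concrete technical lesson in the thread: the article describes credentials found in a GitHub repository being used to reach data stored elsewhere. The check that stops that class of mistake is a scan of each commit for credential shapes before it leaves the developer's machine. Below is an added example, written for this page and not taken from the thread, from Uber, or from GitHub's own tooling: a Python script meant to run as a `pre-commit` hook over `git diff --cached -U0`. The AWS access-key-id shape (`AKIA` plus 16 characters) and the PEM private-key header are documented formats; the GitHub token shape and the keyword-plus-entropy heuristic are assumptions that will produce some false positives. `SAMPLE_DIFF` is constructed for the demo and uses the placeholder keys from the AWS documentation, not real credentials.

```python
#!/usr/bin/env python3
"""Scan a unified diff for credentials before they are committed.

Added example for this page, not code from the thread or from any vendor.
Assumes input is `git diff --cached -U0` (any unified diff with a/ b/ prefixes
works). Run as .git/hooks/pre-commit:  git diff --cached -U0 | python3 scan.py
"""
import math
import re
import sys
from collections import Counter

# Credential shapes. The AWS key-id and PEM header are documented formats;
# the GitHub token shape and the generic assignment rule are heuristics
# (assumption) and are the ones that need tuning for a real code base.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    # identifier containing a sensitive word, then = or :, then a value of 12+
    # base64/hex-ish characters; the value is group 1 and is entropy-checked.
    "generic_assignment": re.compile(
        r"(?i)[\w\-]*(?:password|passwd|secret|token|api[_-]?key)[\w\-]*"
        r"\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{12,})"
    ),
}
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def shannon_entropy(value: str) -> float:
    """Bits per character; random-looking secrets score well above prose."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


def scan_diff(diff_text: str, entropy_threshold: float = 3.0) -> list:
    """Return findings for added lines only; removed lines never reach the tree."""
    findings = []
    current_file = None
    new_line = 0  # line number in the post-commit version of current_file
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:]
            current_file = current_file[2:] if current_file.startswith("b/") else current_file
            continue
        if raw.startswith(("diff ", "--- ", "\\")):
            continue  # file headers and "\ No newline at end of file"
        hunk = HUNK_RE.match(raw)
        if hunk:
            new_line = int(hunk.group(1))
            continue
        if raw.startswith("+"):
            content = raw[1:]
            for kind, pattern in PATTERNS.items():
                for hit in pattern.finditer(content):
                    value = hit.group(hit.lastindex or 0)
                    if kind == "generic_assignment" and shannon_entropy(value) < entropy_threshold:
                        continue  # low-entropy value: probably a placeholder
                    findings.append({
                        "file": current_file,
                        "line": new_line,
                        "kind": kind,
                        # Never echo the full secret into hook output or CI logs.
                        "preview": value[:4] + "...",
                    })
        if raw.startswith(("+", " ")):
            new_line += 1  # added and context lines both exist in the new file
    return findings


# Constructed demo input. The two AWS values are the placeholders from AWS's
# own documentation, not live keys. "changeme" is too short and too low-entropy
# to be reported, which is the intended behaviour for obvious placeholders.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,0 +11,3 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DEBUG = False
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,2 +1,2 @@
-Run `make deploy`.
+Run `make deploy` and set password = "changeme" for local testing.
 Nothing to see here.
"""

if __name__ == "__main__":
    text = SAMPLE_DIFF if "--demo" in sys.argv else sys.stdin.read()
    hits = scan_diff(text)
    for h in hits:
        print(f"{h['file']}:{h['line']}: {h['kind']} ({h['preview']})")
    sys.exit(1 if hits else 0)  # non-zero aborts the commit when used as a hook
```

The hook refuses the commit but does not rotate anything: a key that was ever committed and pushed, even briefly, has to be treated as compromised and revoked, since clones and forks keep history. A pattern scan is also only as good as its patterns, so the generic rule is deliberately paired with an entropy floor to keep noise down rather than trying to match every possible token format.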
------
sidcool
Isn't this like bug bounty? I know Uber is not a shining example of ethical
practices, but could this be a case of genuine bug bounty?

------
sirmike_
Lol sounds like a settlement but without the lawyers.

------
api
[http://reddit.com/r/floridaman](http://reddit.com/r/floridaman)

So he's doing corporate espionage stuff now?

------
ryanpcmcquen
#deleteUber

------
brian-armstrong
I see Florida Man has made the news again

~~~
etrhse5rhs5rh
The most important principle on HN, though, is to make thoughtful comments.
Thoughtful in both senses: civil and substantial.

The test for substance is a lot like it is for links. Does your comment teach
us anything? There are two ways to do that: by pointing out some consideration
that hadn't previously been mentioned, and by giving more information about
the topic, perhaps from personal experience. Whereas comments like "LOL!" or
worse still, "That's retarded!" teach us nothing.

~~~
sillysaurus3
Eh. It's better to just let stuff like this slide. I get the impulse too, but
it was a mistake for me to act on it. HN doesn't need a hall monitor.

Plus it makes boring reading.

