
How I got blacklisted by Uber - will3942
http://blog.will3942.com/blacklisted-uber-cab
======
tedivm
Let's be clear here - 600 requests every 1.2 seconds is 30,000 additional
requests a minute. Uber is not Facebook or Twitter - the amount of requests per
minute they get in a given city is probably in the hundreds, not the
thousands. These were also not public APIs - they were reverse engineered.
That means that this puts real load on them, costs them real money in
infrastructure costs, and was not done with anything even resembling
permission.

A lot of people seem to say that Uber failed to communicate or were too harsh.
If someone throws an order of magnitude (or more) traffic at me without
telling me, without communicating with me, and using APIs that aren't supposed
to be public, you're damn right I'm going to ban them. Even OP knows why they
banned him, which he flat out said.

In this case it does seem like pure lack of thinking, and now that the story
is out there I'm hoping someone from Uber notices and removes the ban. I'm
also really hoping that Will learns a lesson here, and next time he does
something like this communicates with the company _before_ releasing anything
that's going to use their resources.

~~~
will3942
I completely agree with this, I acknowledged this and realised I would
probably get banned. It was more a case of letting people see how the Uber API
could be used, that's why I've now replaced it with a video so people can
continue to see it.

I completely agree with why they banned me, it's a huge load to throw on the
server. Although I'd love to be unbanned and use it again, I would be
surprised if I was.

Thanks for the advice to communicate before, definitely seems like the correct
approach.

~~~
throwaway1664
You're still publishing the tool you used to 'attack' the Uber API, might want
to take that down if you're serious about not causing Uber harm.

~~~
mcantelon
Maybe Uber should implement the necessary rate limiting.

~~~
tedivm
They did. Since it was a non public API he was abusing they just rate limited
him to zero.

------
squamos
Amos here from Uber. First of all, this was a very cool app Will. I love your
passion for technology and your interest in Uber. For some pretty obvious
reasons (many of which are mentioned in the comments), we didn't have a choice
but to suspend your account. That said, there's no hard feelings. We've
re-activated your account and would love to chat with you about an internship
this summer. I hope you continue creating and exploring!

~~~
will3942
In touch with you now! Look forward to what comes of this, thanks for taking
the time to respond here too!

~~~
jyothepro
Nice move from Uber and congrats

------
kyro
Sorry, have to side with Uber. Hackers do not live in a bubble of innovation
that renders them immune to being penalized for the potentially negative
consequences of their hacks. Uber's priority is to serve their _paying_
customers (like me) as best as possible, and if that requires banning someone
who's being a nuisance, then so be it.

~~~
csmattryder
100%. Some people never empathise with the company they're using, if they were
the CTO at Uber and saw this spike in traffic from some guy's hack, you
wouldn't do the exact same?

I will drop 10 customers doing this so that 100 customers can use the service.
I bet you'd be hard pressed to find someone who wouldn't. It's basic business.

Although, just banning a user is a little extreme, did they not ask for the
project to be dropped, and themselves reset the tokens etc?

~~~
will3942
I can agree with you, I understand why I was banned and I can see it is a
valid response to the situation. I just want to make sure (if Uber have read
this) that they understand why I did it and what caused the spike.

------
Aardwolf
In the section "How did they find me?": Didn't they find you because of the
token you used?

~~~
will3942
Ah, yes that would be another way!

------
sdoering
Well that is quite interesting. A service that - as far as I can tell - just
got itself started by hacking the local travel business, blacklists a dev, who
just hacks his way to "expose" their API?

Isn't Uber fighting hard to deregulate a market, after it entered it and
turned it upside down - for better or worse?

Wasn't the Uber-CEO the absolute Ayn Rand disciple? [1]

[1] [http://pando.com/2012/10/24/travis-shrugged/](http://pando.com/2012/10/24/travis-shrugged/)

Not that these two things have anything in common, but I find it slightly
amusing, that on the one hand...

... well, I believe you know, what I wanted to say.

~~~
maxk42
He essentially DDOS'd Über. It's a practical matter rather than a
philosophical one.

~~~
sdoering
I was not saying, that he did the right thing. By all standards, he did not.

I just smiled, when I read this and thought back about Uber and what their
take on rules and regulations were/are, when it comes to their business. I was
really not advocating for DDOSing the service.

------
sciguy77
I think some sort of communication from Uber about this would have gone a long
way.

~~~
will3942
Just contacted Uber London on Twitter, would love if anyone could put me in
touch with someone. Would really like to use the service again.

------
Navarr
I feel like it's a bit harsh to blacklist you without a takedown warning.

~~~
wolfgke
That's why I don't understand why Will Evans writes: "I'd love to apologize
to Uber [...], but on the other hand I understand why they banned me."

I see no reason why he should apologize, nor why he appreciates that Uber
banned him. He only wrote code to interpret the data Uber is sending and even
made it open source (the latter makes it publicly accessible research, which I
support even more). If Uber does not want others to interpret their data they
should not provide any service that sends it (and if Uber's business model
requires such a service/app: bad luck for Uber).

~~~
icebraining
_He only wrote code to interpret the data Uber is sending_

Hitting their servers with 500 reqs/sec for two hours is a little more than
just interpreting data.

~~~
wolfgke
Then Uber should rate-limit their service.

~~~
icebraining
They do, OP's rate is now limited to zero.

------
enscr
They should be talking to, or hiring people like you. Why be so uptight? Makes
them kinda similar to the traditional cab companies who don't like people
stepping on their turf.

~~~
will3942
Currently looking for an internship for the summer, Uber would be one place
I'd love to work. Unfortunately I'm not sure I'd be allowed in anymore!

------
alan_cx
I can't know, but I imagine you cause a lot of internal grief. Bosses would
have been kicking off, blaming techies for it, one way or another. I imagine a
couple of decision making noses were well put out of joint, if not broken.
Egos well bruised. Perhaps lots of Malcolm Tucker, if you know what I mean.

If you want your account back, or whatever, try writing a proper letter to
the MD or something. Grovel like hell, and offer something helpful in return
if you can.

~~~
frandroid
You didn't find his apology grovelling enough?

~~~
alan_cx
Results wise, clearly not.

------
revelation
I guess that's as good a lesson as any on "how to scale".

If your product works through remote requests to another site (which is
already terribly slow with building up the connection), you absolutely want to
do all of that in the backend and repackage the data for users of your site.
Especially here, where everyone sees the same data.

------
speedracr
Regarding prior notice et al.: "Private API" is a slight understatement IMO.
Uber is running a $3.4bn business and their car data is a lot of what makes
them valuable. I wouldn't blame them for automatically blacklisting accounts
with unusual usage patterns just to be safe.

~~~
will3942
Still a private API. I can imagine finding an unusual account like mine is
quite simple and wouldn't need automating.

------
jey
Why not just cache the results for a minute or two instead of hitting the
server every damn time...

~~~
will3942
That realtime feel!
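
The backend-side fetch revelation describes and the short cache jey suggests, as an added example that is not part of the thread or of the original app: one shared cache entry answers every visitor, so upstream sees one request per TTL window regardless of audience size. `fetch_upstream`, the class and function names, the returned `{"cars": []}` payload and the 60-second TTL are assumptions; the 600-polls-per-1.2-seconds workload is the figure quoted in the thread.

```python
import threading
import time


class SharedSnapshotCache:
    """Backend cache: all visitors share one upstream response per TTL window."""

    def __init__(self, fetch_upstream, ttl_seconds=60.0, clock=time.monotonic):
        self._fetch = fetch_upstream      # hypothetical callable doing the one upstream request
        self._ttl = ttl_seconds
        self._clock = clock               # injectable so the simulation needs no sleeping
        self._lock = threading.Lock()
        self._value = None
        self._expires_at = None           # None means nothing cached yet
        self.upstream_calls = 0

    def get(self):
        # The lock is held across the fetch, so concurrent callers that arrive
        # on an expired entry wait for one refresh instead of each firing one.
        with self._lock:
            now = self._clock()
            if self._expires_at is not None and now < self._expires_at:
                return self._value
            self.upstream_calls += 1
            try:
                self._value = self._fetch()
            except Exception:
                if self._expires_at is None:
                    raise                 # nothing to fall back on
                # Upstream failed or throttled us: keep serving the stale copy
                # and wait a full TTL before trying again.
            self._expires_at = now + self._ttl
            return self._value


def simulate(visitors=600, poll_interval=1.2, rounds=100, ttl=60.0):
    """Constructed workload: every visitor polls once per round."""
    now = [0.0]
    cache = SharedSnapshotCache(lambda: {"cars": []}, ttl, clock=lambda: now[0])
    client_requests = 0
    for tick in range(rounds):
        now[0] = tick * poll_interval
        for _ in range(visitors):
            cache.get()
            client_requests += 1
    return client_requests, cache.upstream_calls


if __name__ == "__main__":
    served, upstream = simulate()
    print(f"{served} client polls served with {upstream} upstream requests")
```

Lowering the TTL trades freshness for upstream load; even a TTL equal to the poll interval keeps the upstream rate independent of the number of visitors.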

------
jdn
A shame. I was at this hackathon and witnessed this pair working on the hack;
very driven and talented hackers. This sort of activity should be encouraged
from such young talent, not punished.

~~~
gilrain
It was encouraged by the hackathon, since they won. It was punished by the
business it inadvertently harmed. This seems like a reasonable outcome.

------
kapilkale
What's to stop you from opening a new account using a different email and
credit card?

~~~
will3942
I seem to get banned, unsure why.

~~~
kapilkale
This seems solvable because there are a limited set of identifiers they could
use to ban you.

- they may have banned your device, so I'd try using a different hardware to
register

- Use an entirely different credit card. The "name" that gets entered in a
credit card form is useless, so I wouldn't put in a real name either. I'd
consider using another billing address too (same zip same house number, but
different street)

- they may have banned your IP, so don't connect your phone to a wifi network
when signing up or using your first few cabs.

------
ibudiallo
Now Uber can create a similar service and send you a thank you note.

~~~
will3942
I'd imagine they already have the code for a similar service.

