
Former Uber Security Chief Charged with Concealing Hack - tempsy
https://www.nytimes.com/2020/08/20/technology/joe-sullivan-uber-charged-hack.html
======
EE84M3i
Isn't Joe Sullivan the CISO at Cloudflare now?

Edit: Yes.
[https://twitter.com/eastdakota/status/1296522269313785862?s=...](https://twitter.com/eastdakota/status/1296522269313785862?s=19)

Edit2: full indictment [https://www.justice.gov/usao-ndca/press-release/file/1306781...](https://www.justice.gov/usao-ndca/press-release/file/1306781/download)

~~~
chubot
That makes sense as CloudFlare also has a history of minimizing important
security breaches, like when they sprayed their customer's and customer's
customer's private data all over the Internet:

[https://en.wikipedia.org/wiki/Cloudbleed#Cloudflare](https://en.wikipedia.org/wiki/Cloudbleed#Cloudflare)

Tavis Ormandy said:

_I had a call with cloudflare, and explained that I was baffled why they were
not sharing their notification with me._

_They gave several excuses that didn't make sense, then asked to speak to me
on the phone to explain._

[https://bugs.chromium.org/p/project-zero/issues/detail?id=11...](https://bugs.chromium.org/p/project-zero/issues/detail?id=1139#c16)

_Cloudflare did finally send me a draft. It contains an excellent postmortem,
but severely downplays the risk to customers._

[https://bugs.chromium.org/p/project-zero/issues/detail?id=11...](https://bugs.chromium.org/p/project-zero/issues/detail?id=1139#c19)

Maybe that was before this guy's tenure, not sure. The point is that most
companies do this, and users and customers should push back on it.

~~~
EE84M3i
>Maybe that was before this guy's tenure, not sure.

That predates him joining Cloudflare, as far as I can tell.

~~~
JakeTheAndroid
I believe the parent implication is that he aligns with CF's way of doing
business in regards to disclosure of security issues.

------
jamestimmins
From the affidavit:

    Records further indicate Uber's management team, with the sole exception of Uber's C.E.O. at the time, had no contemporaneous knowledge of the details of the data breach and had no role in the decision to treat the breach under the Bug Bounty program.

Does this suggest that Travis might be guilty as well?

------
waihtis
This is still baffling. To have that many records leak, and try to play a
hush-hush strategy AND pay the hackers makes no sense at all, especially from
a former federal prosecutor standpoint.

There's more to this story than is being told to the public.

~~~
stefan_
There was an ongoing FTC investigation into a S3 data breach from 2014. At
around the same time they were trying to argue how very sophisticated their
security practices now were after hiring Joe, this 2016 breach occurred, again
from unprotected S3 data. Disclosing it would have obviously doomed the
efforts to end the FTC investigation (escalated it in fact) and of course put
his ongoing tenure as CSO in jeopardy.

So, no, this is just run of the mill executive cover-up. The only reason there
is a federal charge here is because he lied to the FTC to make it happen.

~~~
waihtis
I just find it difficult to see why the CSO would take such a big personal
liability onto himself, but I guess we've seen some funky actions around the
big startups elsewhere.

------
skim_milk
Will this change anything? Every last place I have ever worked at I am 100%
certain concealed successful hacks in the past either internally for political
purposes or purposefully externally for PR purposes.

I still think it should be on the shareholders to hire brutally honest
employees and CXX's or face the consequences of fines from employees
concealing successful hacks. Don't put stress of having to manage expectations
of greedy shareholders that don't want to hear about hacks and having the
threat of some prosecutor somewhere drawing their own grey blurry line in the
sand and saying you crossed it. That stress should 100% be on the shareholders
- they will have to make sure to hire the right people and make the right
culture that won't conceal hacks for internal, political purposes and external
PR purposes.

If we're going to keep ignoring corporate law and go after employees for their
own mistakes, we're never going to fix our objectively awful collective
security culture in our tech companies where we work, and we're never going to
hold greedy shareholders accountable for the shit they could have prevented by
fixing their employees' security culture.

------
schoolornot
I'm having a really hard time understanding the legalese around these charges.

In 2014 Uber was hacked and the FTC opened an investigation. In 2016 Uber was
hacked again, but Sullivan supposedly didn't disclose this to the FTC.

* Why would he be compelled to disclose information to the FTC about an incident unrelated to the one being investigated?

* The charge of "Misprision of felony" is new to me: [https://www.law.cornell.edu/uscode/text/18/4](https://www.law.cornell.edu/uscode/text/18/4)

Since when does anyone have an obligation to report felonies to law
enforcement? If I overhear some kids planning to burglarize a house, I have a
legal obligation to report that? Isn't freedom of speech involved here?

~~~
ftf87
> If I overhear some kids planning to burglarize a house, I have a legal
> obligation to report that?

No, because you did not become aware of the commission of a felony. If you
overheard those same kids discussing a murder they had committed, yes, you are
legally liable if you sit on that.

Isn’t this common knowledge?

~~~
emiliobumachar
Excuse me, I did not get it. Is burglary not a felony? Is it about past vs.
future?

~~~
ftf87
The distinction comes down to whether something rises to the level of
conspiracy, if you were hypothetically aware of a crime before it was
committed. Beside that, however, burglary in the United States is not a
federal felony, which is the specific charge being discussed here.

I shared a general legal principle. If you become aware of the commission of a
felony and leave a significant amount of evidence showing that you intended to
conceal it, it’s absolutely open and shut, and you will be treated as an
accomplice. All Americans have a duty, whether they like it or not, to
disclose commission of a crime for investigation. Failure to do so can lead to
liability down one of several paths. This is one of them.

Freedom of speech is completely irrelevant.

------
paxys
I would like to hear about ONE thing Uber did during Travis's tenure that
wasn't completely shady.

~~~
godzillabrennus
They vastly improved the transportation industry from the standard that cab
companies had set...

------
thrownaway954
Anyone have a non-paywall version?

edit: found one:

[https://www.npr.org/2020/08/20/904113981/former-uber-executi...](https://www.npr.org/2020/08/20/904113981/former-uber-executive-charged-with-paying-hush-money-to-conceal-massive-breach)

~~~
everybodyknows
> also concealed it from many other Uber employees, including top management —
> with one exception. According to the complaint, Uber's CEO at the time,
> Travis Kalanick.

So, COO kept in the dark. Is "Need-to-Know basis only" standard corporate
cover-up practice?