

Uber hauls GitHub into court to find who hacked database of 50,000 drivers - p8952
http://www.theregister.co.uk/2015/02/28/uber_subpoenas_github_for_hacker_details/#1

======
parfe
Uber publishes secret key.

Uber ignores security breach for half a year.

Uber sues third party while trying to repair damage caused by their own
failings.

At this point the identity of the hacker is irrelevant. The data is in the
wild, Uber is exposed as incompetent (again). But hey, anyone want to invest
another billion at a 40 billion valuation? This company is going places.

~~~
danielweber
_At this point the identity of the hacker is irrelevant_

No. Even if I leave my door unlocked, someone who comes in and steals my
stereo should still be punished.

~~~
baldfat
This is different than someone stealing a stereo. This is you tape the
security code for your front door onto the door and then your mad at the
manufacturer of the door's lock. You want the manufacturer to give any
information about the person who broke into your house.

~~~
rlpb
The manufacturer digitally stores the fingerprints of anyone who uses the
lock. You want the manufacturer to give you a copy of the fingerprints to help
you identify the person who broke into your house.

> ...and then your [sic] mad at the manufacturer of the door's lock.

There is no evidence that Uber is mad at Github.

~~~
parfe
No, Uber is fishing for data they don't need. They have an IP address of the
intruder. Instead of demanding all the access logs for a months long period,
why not compel Github to answer the question "Did this IP address access the
Gist in question? If so, what are the timestamps?"

Instead Uber wants all github's access log data for the gist in question which
sounds like more incompetence and desperation on Uber's part.

~~~
tessierashpool
incompetence, desperation, and a great way to shift some blame onto GitHub, in
the eyes of people who know absolutely nothing about how this stuff works.

which could be the audience they're most concerned about.

~~~
tedunangst
Are any of the people who know absolutely nothing about how this stuff works
following the story on the register? Would anybody even know if the register
hadn't decided to make a story out of it? Doesn't seem like a particularly
effective blame shifting strategy to me.

~~~
tessierashpool
it's also on VentureBeat, Slashdot, and a bunch of other places. google
"GitHub Uber subpoena." it'll probably show up on TechCrunch and Valleywag by
the end of the day.

~~~
tessierashpool
also, and although I doubt you'll ever see this, I would bet almost anything
that my statement was 100% accurate as long as you assume the audience this
move was intended for is an _internal_ audience at Uber.

------
kyledrake
Protip: It's not illegal to throw out IP address data, as there are no
mandatory retention laws in the United States. Then if you get a John Doe
subpoena, you have no useful information to supply.

[https://www.eff.org/issues/mandatory-data-retention/us](https://www.eff.org/issues/mandatory-data-retention/us)

Neocities currently scrambles stored IP addresses with scrypt, and (soon)
after 30 days, we intend to delete those IP hashes. It's legal. Consider doing
it.

Here's the code we used to do it:
[https://github.com/neocities/neocities/commit/4983a9b24eac00...](https://github.com/neocities/neocities/commit/4983a9b24eac00b8d8bfd300a18cdcee0152a271)
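The scheme described in the comment above (scrypt over stored IP addresses, then deletion after 30 days), as an added example in Python. This is not Neocities' code from the linked commit; it assumes a secret 32-byte pepper kept outside the log store and used as the scrypt salt, and scrypt cost parameters N=2**14, r=8, p=1, all of which are choices made here rather than facts from the page. It also shows the caveat a practitioner should keep in mind: the IPv4 space is only 2**32 addresses, so anyone holding the pepper can still enumerate it, which is why the pepper must stay secret and why the purge matters.

```python
"""Pseudonymise stored IP addresses with scrypt and purge old rows.

Added example, not the code from the Neocities commit linked above.
Assumptions: a secret pepper (bytes) held outside the log store, used as the
scrypt salt; cost N=2**14, r=8, p=1; 30-day retention.
"""
import hashlib
import ipaddress
from datetime import datetime, timedelta, timezone

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed cost parameters
RETENTION = timedelta(days=30)                 # retention window from the comment


def pseudonymize_ip(ip: str, pepper: bytes) -> str:
    """Canonicalise `ip` (so 2001:db8::1 and its expanded form match) and
    return hex(scrypt(ip, salt=pepper)). Without the pepper, reversing this
    means 2**32 scrypt evaluations for IPv4 *per pepper guess*; with it, the
    whole IPv4 space is enumerable, so the pepper is the real secret."""
    canon = ipaddress.ip_address(ip.strip()).exploded.encode()
    digest = hashlib.scrypt(canon, salt=pepper, n=SCRYPT_N, r=SCRYPT_R,
                            p=SCRYPT_P, dklen=32)
    return digest.hex()


class AccessLog:
    """Minimal in-memory access log holding (timestamp, resource, ip_hash)."""

    def __init__(self, pepper: bytes):
        self._pepper = pepper
        self._rows: list[tuple[datetime, str, str]] = []

    def record(self, when: datetime, resource: str, ip: str) -> None:
        # The raw IP is hashed on the way in and never stored.
        self._rows.append((when, resource, pseudonymize_ip(ip, self._pepper)))

    def purge(self, now: datetime) -> int:
        """Drop rows older than RETENTION; return how many were removed."""
        cutoff = now - RETENTION
        before = len(self._rows)
        self._rows = [r for r in self._rows if r[0] >= cutoff]
        return before - len(self._rows)

    def accesses_by(self, ip: str, resource: str) -> list[datetime]:
        """Answer 'did this IP access this resource, and when?' for a
        specific suspect IP, which is all a narrow request needs."""
        target = pseudonymize_ip(ip, self._pepper)
        return [t for t, res, h in self._rows if res == resource and h == target]

    def __len__(self) -> int:
        return len(self._rows)


def find_plaintext(ip_hash: str, pepper: bytes, candidates: list[str]):
    """Dictionary attack over a candidate list: shows that whoever holds the
    pepper can reverse the hash over a small address space."""
    for cand in candidates:
        if pseudonymize_ip(cand, pepper) == ip_hash:
            return cand
    return None


def demo():
    """Run a constructed scenario; returns (purged, remaining, hit_timestamps)."""
    pepper = b"\x01" * 32  # constructed; in practice os.urandom(32) in a secret store
    log = AccessLog(pepper)
    t0 = datetime(2015, 2, 1, tzinfo=timezone.utc)
    # Constructed sample accesses to one gist (documentation-range IPs).
    log.record(t0, "gist/abc", "203.0.113.7")
    log.record(t0 + timedelta(days=10), "gist/abc", "198.51.100.9")
    log.record(t0 + timedelta(days=40), "gist/abc", "203.0.113.7")
    now = t0 + timedelta(days=45)
    purged = log.purge(now)                 # rows from day 0 and day 10 are gone
    hits = log.accesses_by("203.0.113.7", "gist/abc")
    return purged, len(log), hits


if __name__ == "__main__":
    print(demo())
```

The `accesses_by` query is the narrow question a subpoena could ask ("did this IP hit this gist, and when?") and it still works after pseudonymisation because the operator holds the pepper; what the operator cannot do after `purge` is produce rows that no longer exist.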

------
rayiner
Nitpick: the title implies that Uber is suing Github, but that's not the case.
Uber has a civil suit pending in N.D. Cal., and has issued Github a third-party
subpoena:
[http://regmedia.co.uk/2015/02/28/ubergithubexhibit.pdf](http://regmedia.co.uk/2015/02/28/ubergithubexhibit.pdf).
Such subpoenas are used when a third party might have information relevant to
a pending lawsuit. They do not imply any allegations of wrongdoing against the
third party.

~~~
adaml_623
As a general rule headlines from 'The Register' should probably not be copied
directly regardless of the rules on this website.

Actual headline: "FORK ME! Uber hauls GitHub into court to find who hacked
database of 50,000 drivers"

~~~
JeremyNT
There's actually an exception in the site rules[0] for the sorts of titles
which are common on the Reg:

> Otherwise please use the original title, unless it is misleading or
> linkbait.

[0]
[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

------
TeMPOraL
> _In keeping with its image as a gas tank of ethics running on empty (...)_

This is the best one-sentence summary of Uber I've ever seen.

~~~
tzs
Peter Sagal on NPR's "Wait Wait...Don't Tell Me!" had a good one liner
something along the lines of Uber heard Google's "Don't be evil" motto and
thought "They are leaving an open market niche for us!".

~~~
TeMPOraL
Haha, that's excellent as well! I think I'll just note both of them in my
quotes file.

BTW. After watching all episodes of John Oliver's "Last Week Tonight" I'm
looking for interesting shows. Is that podcast worth listening to? Anything
else you'd recommend?

~~~
paulornothing
Not the OP, but I pretty regularly listen to Wait Wait, it's always pretty
humorous and sadly it keeps me up on current events. I also listen to Marc
Maron's WTF podcast and Star Talk Radio with Neil deGrasse Tyson. Different
strokes for different folks though.

~~~
TeMPOraL
Thanks for recommendations, I'll check them out! :).

------
headcanon
So let me get this straight - They're publishing a secret key on a Gist, and
then getting whiny when it _somehow_ gets leaked.

Github _very_ clearly states that "secret" gists are NOT private:
[https://help.github.com/articles/about-gists/](https://help.github.com/articles/about-gists/)

~~~
duaneb
> getting whiny

Actually, they're subpoenaing. This is necessary to identify who may have
accessed it; i don't think this is a suit over the privacy of gists.

~~~
kordless
> This is necessary to identify who may have accessed it

Actually, it's not. If Github's TOS (and their legal argument in response to
the subpoena) is strong enough, Uber can go fly a kite.

~~~
duaneb
Fair—but they won't have the opportunity without the subpoena. Point is, the
subpoena means nothing bad about github itself.

------
jgrowl
Asking for every IP address that accessed a public gist seems like a bit of an
overreach to me. Github should also have the responsibility to protect its
lawful users' data.

It seems reasonable though to request some user data for a specific IP address
that Uber suspects as being the invader (depending on how strong the evidence
is).

------
shawnhermans
When these types of things happen, I notice a strong "blame the victim"
mentality. When Sony was hacked, I saw similar comments about how it serves
them right for having bad security. Some people even go as far as to praise
the hacker and think they shouldn’t be held accountable for their crime. After
all, if Uber didn’t want this, they wouldn’t have made themselves so
vulnerable to penetration.

While I agree companies like Uber and Sony need to invest more time and energy
into security, real people are hurt when these types of things happen. It
isn’t the executive-level “fat cats” who are hurt the most. It is normal,
everyday people. They did not ask for their personal information to be stolen.
Their only crime was working for a company with poor information security.

Furthermore, the fact Uber issued a subpoena for information from Github does
not make Uber the bad guy for requesting the information and Github the good
guy for withholding the information. A crime was committed and this is part of
the investigation. The information requested by Uber is not unreasonable. They
are basically requesting log files for that specific Gist.

Channeling my inner Matthew McConaughey from A Time to Kill, imagine this
happening to an organization that is more likeable than Uber or Sony
(shouldn’t be that hard). What if this happened to an organization responsible
for helping rape victims and this person leaked the private information of
rape victims to the Internet? Would people be so willing to support the
criminal? Would people be so eager to praise Github for not cooperating?

Just because Uber is a horrible, unethical company does not mean it isn’t
protected under the law. We shouldn’t condone crime just because we don’t like
the victims.

------
alexbilbie
Would there be any consequence for Github themselves if they no longer had
this data (for example in the hypothetical case that they only store access
logs for 30 days)?

~~~
onli
No. You can't provide what you don't have, and you are not obliged to save
more than you are obliged by law. I'm not aware that Github has to save
anything in the first place.

------
swang
Didn't some court rule that IP addresses are not people? So they get these IPs
and sue them just like the MPAA/RIAA failed to do? I guess maybe some have
usernames...?

Also super shady they don't bother to explain why it took them almost 5 months
after they discovered it to notify anyone.

------
sergiotapia
Does Github have any obligation to share this data with Uber?

~~~
protomyth
A judge will determine that. Generally you do have to cough up information for
criminal activity, but a judge determines what and if.

------
sarciszewski
You guys really need to learn to use
[https://defuse.ca/b/](https://defuse.ca/b/)

Even better, use makepaste.sh

Using "secret" gists is just reckless, really.

