
Former Uber executive charged with paying 'hush money' to conceal breach - PatrolX
https://www.npr.org/2020/08/20/904113981/former-uber-executive-charged-with-paying-hush-money-to-conceal-massive-breach
======
cwkoss
Just read the federal complaint, my highlights and summary:

- Hackers downloaded a bunch of PII from Uber

- Uber CISO paid them a 100k bounty with bitcoin to sign an NDA with their
hacking handles, but they wouldn't give real names

- Uber staff traced them down, found their real names, then met them in
person and got them to sign NDAs with real names

- FTC is mad because CISO tried to make it seem like it wasn't a data breach
vs bug report through the bounty program.

- Their 2014 breach was from "an AWS access ID and secret key in software
code posted to GitHub"

- In 2016 to FTC "SULLIVAN elaborated that it was common at the time to write
access IDs and other secrets directly into code when that code needed to call
for information from another service." - oof

- SULLIVAN received an email from “johndoughs@protonmail.com” claiming to
have found a “major vulnerability in uber,” and that “I was able to dump uber
database and many other things.”

- _in the 2016 breach, the hackers used the stolen credentials to... get the AWS
keys that were still in their GitHub code, but it was now private_

- "Similarly, Uber argued that the industry at large had become more adept since 2014 at protecting private data in the cloud, and that Uber should not be judged for “what a company did then (back when the company was much smaller and the technology at issue was evolving) according to the standards that the agency thinks are appropriate now (given the current sophistication of the company and current industry best practices).” Uber made these arguments via letter in April 2017, approximately five months after the 2016 Breach."

[https://assets.documentcloud.org/documents/7041237/Joseph-Sullivan-Complaint.pdf](https://assets.documentcloud.org/documents/7041237/Joseph-Sullivan-Complaint.pdf)
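Both entry points in the summary above come back to AWS credentials sitting in source code. As an added example (mine, not code from the thread or the complaint), here is a small pre-commit style scanner in Python that flags that pattern before it lands in a repository. The regexes are assumptions shaped after the documented AWS key formats, and the embedded sample sources are constructed, using the placeholder credentials AWS publishes in its own documentation rather than anything from the case.

```python
import re
import sys
from typing import List, NamedTuple

# Added example, not code from the thread or the complaint: a pre-commit style
# scanner that flags AWS-style credentials embedded in source text, the class
# of mistake behind the 2014 entry point ("access ID and secret key ... posted
# to GitHub"). Key shapes are assumptions based on the documented AWS formats:
# access key IDs are 20 uppercase alphanumerics beginning AKIA or ASIA, and
# secret keys are 40 base64-like characters that usually sit next to a name
# containing "secret".
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY = re.compile(r"(?i)secret[^'\"\n]*['\"]([A-Za-z0-9/+=]{40})['\"]")


class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    preview: str  # redacted so the hook's own output never leaks the value


def redact(value: str) -> str:
    """Keep a recognisable prefix, mask the rest."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str, path: str = "<memory>") -> List[Finding]:
    """Return every credential-shaped token found in `text`, with line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append(Finding(path, lineno, "aws_access_key_id", redact(m.group(0))))
        for m in SECRET_KEY.finditer(line):
            findings.append(Finding(path, lineno, "aws_secret_access_key", redact(m.group(1))))
    return findings


def scan_files(paths: List[str]) -> List[Finding]:
    """Scan files on disk, e.g. the staged files handed to a pre-commit hook."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(fh.read(), path))
    return findings


# Constructed sample sources. The credential values are the placeholders AWS
# publishes in its own documentation, not keys from any real account.
SAMPLE_SOURCE = '''\
import boto3

# the anti-pattern: credentials written straight into the code
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
s3 = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                  aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
'''

CLEAN_SOURCE = '''\
import boto3

# credentials come from the environment or an instance role, never the repo
s3 = boto3.client("s3")
'''


def main(argv: List[str]) -> int:
    """Hook entry point: a non-zero exit blocks the commit when secrets are found."""
    findings = scan_files(argv) if argv else scan_text(SAMPLE_SOURCE, "sample.py")
    for f in findings:
        print(f"{f.path}:{f.line}: {f.kind} {f.preview}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to see the two findings in the constructed sample (lines 4 and 5, values masked), or pass file paths to use it as a hook. The secret-key pattern is deliberately anchored on a nearby "secret" name and a quoted 40-character value, which keeps false positives down on ordinary base64 blobs at the cost of missing a secret stored under an unusual name; a real deployment would pair this with entropy checks and the provider-specific patterns of whatever other credentials the code base uses.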

~~~
ashearer
> "Similarly, Uber argued that the industry at large had become more adept
> since 2014 at protecting private data in the cloud, and that Uber should not
> be judged for “what a company did then (back when the company was much
> smaller and the technology at issue was evolving) according to the standards
> that the agency thinks are appropriate now (given the current sophistication
> of the company and current industry best practices).” Uber made these
> arguments via letter in April 2017, approximately five months after the 2016
> Breach."

I've been hearing this argument for decades, and every time it's been earnest
but transparent blame-shifting. "The industry didn't understand security risks
back then." "No one could have predicted this." The risks were well known back
then by anyone who cared about risks.

~~~
rorykoehler
Companies don't give a shit about security until it's too late. Security is a
complex beast and I have yet to meet a developer who understands it top to
bottom (nor should they but I would expect even juniors to know they should
not store creds in the git repo). It's an increasing specialist role that
startups rarely hire for because they're focusing on survival and growth so
it's to be expected this story will repeat ad nauseam.

------
droidno9
Just to be clear, the complaint charges Sullivan under these two federal
criminal statutes:

18 U.S. Code § 1505. Obstruction of proceedings before departments, agencies,
and committees -- [...] Whoever corruptly, or by threats or force, or by any
threatening letter or communication influences, obstructs, or impedes or
endeavors to influence, obstruct, or impede the due and proper administration
of the law under which any pending proceeding is being had before any
department or agency of the United States, or the due and proper exercise of
the power of inquiry under which any inquiry or investigation is being had by
either House, or any committee of either House or any joint committee of the
Congress—

Shall be fined under this title, imprisoned not more than 5 years or, if the
offense involves international or domestic terrorism (as defined in section
2331), imprisoned not more than 8 years, or both.

18 U.S. Code § 4. Misprision of felony -- Whoever, having knowledge of the
actual commission of a felony cognizable by a court of the United States,
conceals and does not as soon as possible make known the same to some judge or
other person in civil or military authority under the United States, shall be
fined under this title or imprisoned not more than three years, or both.

18 USC § 4 is independent of any federal investigation, unlike § 1505. The
complaint itself lists quite damning facts. Have a read, it's quite readable.
[0]

[0] [https://assets.documentcloud.org/documents/7041237/Joseph-Sullivan-Complaint.pdf](https://assets.documentcloud.org/documents/7041237/Joseph-Sullivan-Complaint.pdf)

~~~
droidno9
There's a recent case on Misprision of felony from the 9th Circuit, which has
jurisdiction over California. [0]

"The panel affirmed the long-established federal rule that “[t]o establish
misprision of a felony,” under 18 U.S.C. § 4, “the government must prove
beyond a reasonable doubt: ‘(1) that the principal . . . committed and
completed the felony alleged; (2) that the defendant had full knowledge of
that fact; (3) that he failed to notify the authorities; and (4) that he took
affirmative steps to conceal the crime of the principal.”"

[0] [https://www.whitecollarbriefly.com/2017/06/07/9th-circuit-clarifies-elements-of-misprision-of-felony/](https://www.whitecollarbriefly.com/2017/06/07/9th-circuit-clarifies-elements-of-misprision-of-felony/)

------
throwaway2474
It seems to me that Kalanick was often “aware” of things but conveniently
avoids scrutiny. How is this? Uber did so many questionable things under his
leadership. And he managed to totally dodge the Levandowski saga.

~~~
A4ET8a8uTh0
He is a savvy politician. You are definitely onto something here. The guy has
a very carefully curated public image. It is genuinely impressive how opinion
of him is higher than the company he runs.

Edit: I was convinced by the arguments. I was holding onto old idea of him.
Clearly things have changed.

~~~
dylan604
Is he though? I thought he was pretty much considered a fratbro. The stories
of the bro culture that permeated Uber HQ were pretty damning. There's also
video of him drunkenly arguing with an Uber driver. The stories are plentiful.
If that's the image he's curating, then it sounds like lots of politicians
past and present, so maybe you're right.

~~~
asciident
Did we watch the same video, the one where he is in the Uber with two women?
Because in the video I saw, he was politely disagreeing with the facts the
driver was saying.

Neither person raised their voice or cursed, and I guess you can call it
arguing but I did not see anything that was inappropriate behavior.

We are disagreeing right now, and maybe one of us has even been drinking --
does that mean that we are now ineligible to be CEOs?

------
mariomariomario
This is especially interesting because Joe Sullivan is the current Chief
Security Officer at Cloudflare. I'm curious to see what happens to his role at
Cloudflare, will CF stand behind him or give him the boot considering the
optics here...

~~~
mola
Why talk about optics? This is not about what seems bad, it's about what US
democracy deemed is a felony. If I were CF I wouldn't want a criminal mind
working for me; how can you trust him when you know he lies and covers up?

I just don't understand this sort of detachment.

Optics are not of essence.

~~~
luckylion
> how can you trust him when you know he lies and cover up

If he lies and covers up _in the interest of his employer_ , that's a pretty
good recommendation.

~~~
mola
I dunno, to me it sounds horrific that Machiavellism is accepted without a
pause, knowing how inefficient and detrimental it is for human cooperative
endeavours. History showed us that unchecked Machiavellism causes dynamics to
devolve to paranoid zero-sum social dynamics. Although it is an aspect of our
psychology, we shouldn't just rationalize it as a force of nature. When we
cynically opt to talk about optics so casually, that's exactly what we're
doing.

------
adrr
I really don't understand how this is a crime. Bug bounty is basically hiring
consultants to find bugs. They found a bug that allowed the consultant to
download all the data. Uber paid the consultant the designated bounty. It is a
done deal.

Implications that this is an actual breach are large. Does that mean if I hire
a red team of independent consultants and they manage to gain access to one
of my backups, I have to report it as a breach? That's the worst case scenario.

The best case scenario is all companies have to pull bug bounty programs
because any bug found is now considered a breach. This is actually very bad
for the industry. Bug bounties are a very effective part of a comprehensive
strategy to safeguard customer data.

~~~
EE84M3i
In a bug bounty program, you agree to the terms before participating and in
particular those terms include not exfiltrating data.

These hackers were not participants in the bug bounty program, and extorted
money from Uber. They were not in any way "consultants", even retroactively.

But that's not the issue at hand here, the issue at hand is the cover-up while
Uber was being investigated about a similar breach.

It is also curious that HackerOne was the middleman here. I do wonder how much
they knew of what was going on.

~~~
closeparen
>those terms include not exfiltrating data

Is there a way to determine that your credentials are sufficient to download
an S3 object without actually downloading it?

How would you know whether you'd found an information disclosure vulnerability
without peeking at the information?

~~~
BlueGh0st
Bounty programs explicitly tell you to only target accounts that belong to
you.

Outside of that, if you're "peeking" at information that doesn't belong to
you, you immediately stop, document, and submit the report. You do not
download 14,000 files as the Uber hackers did.

This is a non-trivial amount of nuance that clearly shows the hackers were not
acting in good faith.
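On the defender's side, the line BlueGh0st draws between peeking at one record and pulling 14,000 files is exactly what storage access logging lets you measure, whether the reader is a bounty participant or an intruder. As an added example (mine, not from the thread), the following Python runs a per-principal sliding-window count of distinct objects read over constructed, CloudTrail-shaped S3 GetObject events. The event layout is a simplification of CloudTrail's S3 data events, and the threshold, window, bucket and principal names are assumptions.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Added example, not from the thread: a per-principal sliding-window detector
# over S3 object reads. Event dicts are constructed and shaped after CloudTrail
# S3 data events (eventTime, eventName, eventSource, userIdentity.arn,
# sourceIPAddress, requestParameters.bucketName/key); that field coverage is an
# assumption, as are the threshold, window, bucket and principal names.
THRESHOLD_OBJECTS = 100          # distinct objects per principal per window
WINDOW = timedelta(minutes=10)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def make_event(time: str, arn: str, bucket: str, key: str, ip: str) -> Dict:
    """Build one constructed GetObject event in the simplified CloudTrail shape."""
    return {
        "eventTime": time, "eventName": "GetObject", "eventSource": "s3.amazonaws.com",
        "userIdentity": {"arn": arn}, "sourceIPAddress": ip,
        "requestParameters": {"bucketName": bucket, "key": key},
    }


def detect_bulk_reads(events: List[Dict], threshold: int = THRESHOLD_OBJECTS,
                      window: timedelta = WINDOW) -> List[Dict]:
    """Alert once per principal whose distinct-object reads in any `window` reach `threshold`."""
    by_principal = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") != "GetObject":
            continue  # other services and non-read S3 calls are out of scope here
        arn = ev.get("userIdentity", {}).get("arn", "<unknown>")
        when = datetime.strptime(ev["eventTime"], TIME_FMT)
        rp = ev["requestParameters"]
        by_principal[arn].append((when, f"{rp['bucketName']}/{rp['key']}", ev.get("sourceIPAddress", "")))

    alerts = []
    for arn, reads in by_principal.items():
        reads.sort()                      # by time, then object name
        in_window = Counter()             # object -> reads currently inside the window
        ips = set()
        start, peak, peak_span = 0, 0, None
        for t_end, obj, ip in reads:
            in_window[obj] += 1
            ips.add(ip)
            # slide the left edge forward until the window is at most `window` wide
            while t_end - reads[start][0] > window:
                old = reads[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > peak:
                peak, peak_span = len(in_window), (reads[start][0], t_end)
        if peak >= threshold:
            alerts.append({
                "principal": arn,
                "distinct_objects": peak,
                "window_start": peak_span[0].strftime(TIME_FMT),
                "window_end": peak_span[1].strftime(TIME_FMT),
                "source_ips": sorted(ips),
            })
    return alerts


# Constructed sample: one principal reads a single object (what a genuine
# bug report touches), another pulls 250 backup parts inside five minutes.
SAMPLE_EVENTS = [make_event("2020-01-01T09:00:00Z", "arn:aws:iam::111122223333:user/reporter",
                            "backups", "dump/part-0001.sql.gz", "203.0.113.7")]
SAMPLE_EVENTS += [
    make_event(f"2020-01-01T09:{i // 60:02d}:{i % 60:02d}Z", "arn:aws:iam::111122223333:user/ci-deploy",
               "backups", f"dump/part-{i:04d}.sql.gz", "198.51.100.9")
    for i in range(250)
]

if __name__ == "__main__":
    print(json.dumps(detect_bulk_reads(SAMPLE_EVENTS), indent=2))
```

Counting distinct objects rather than requests is the point: a broken client retrying the same key a thousand times looks very different from a principal walking a backup prefix, and only the second should page anyone. Tuning the threshold per bucket (a public assets bucket is not a backups bucket) is the first thing a real deployment would add.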

------
jedberg
I know Joe, I've worked both with and for him. Frankly, this sounds completely
out of character for him. He's someone who has a strong moral compass and has
been catching black hats for over 20 years.

There has to be more to this story. I feel like he was probably railroaded by
Uber's legal team/CEO and they did things he may not have been fully aware of.
That's the only explanation I can come up with.

I look forward to him having his day in court to vindicate himself.

~~~
mascafe
Your views conflict with facts

1)
[https://web.archive.org/web/20200414123312/http://www.uberscandals.org/category/managers/joe-sullivan/](https://web.archive.org/web/20200414123312/http://www.uberscandals.org/category/managers/joe-sullivan/)

2) [https://arstechnica.com/tech-policy/2017/12/new-letter-top-uber-officials-engaged-in-illegal-wiretapping-shady-spycraft/](https://arstechnica.com/tech-policy/2017/12/new-letter-top-uber-officials-engaged-in-illegal-wiretapping-shady-spycraft/)

~~~
rhacker
Who wrote the facts?

------
refurb
From what I've read Sullivan claimed the decision to not inform the feds was
one made by Uber's legal team. I have no idea if that's accurate, but it's a
good reminder that a company's lawyers _look out for the best interests of the
company_, not individual employees.

I've read that if you start to get involved in a legal issue at work like
this, you need to get your own lawyer and keep your mouth shut.

~~~
tomnipotent
Except Sullivan was also Deputy General Counsel, making the legal team his
team.

~~~
refurb
I didn't know that, and that certainly changes things!

That also makes this statement kind of absurd...

_"The spokesperson said Uber's legal team, rather than Sullivan, was
responsible for deciding whether and to whom the matter should be disclosed."_

------
ta738383
As someone who has been falsely accused of a crime in the past, I'd just like
to remind people that being charged with something does not make you guilty,
it's an allegation. I know you know this, but society today seems to be
treating allegations like convictions.

------
coworkerthrow
I worked with people who worked with him before Uber. When the news came out
they were surprised. They thought he was the scapegoat.

I never worked with him. That personal anecdote does not exonerate him at all
but it does give me second thoughts. Truth is nuanced sometimes.

~~~
jedberg
> When the news came out they were surprised. They thought he was the
> scapegoat.

Same. My initial thought was that Uber threw him under the bus. I still think
that.

~~~
tptacek
I'm interested in your opinion here. After reading the indictment, which is
fairly detailed, you still think that Sullivan is nearly blameless? Or do you
just think other execs at Uber are also culpable?

~~~
jedberg
It's hard to say. An indictment is necessarily one sided -- it's a document by
a prosecutor with the goal of establishing guilt. There is nothing that
prevents them from omitting information that is favorable to their target.
That comes later during the defense's discovery process.

So the indictment sounds bad, but at this point I'm willing to give the
benefit of the doubt and wait to find out the other side of the story.

~~~
tptacek
That makes sense. Thanks!

------
Arete314159
My first thought on hearing this news was the famous essay "The Al Capone
Theory of Sexual Harassment."

[https://blog.valerieaurora.org/2017/07/18/the-al-capone-theory-of-sexual-harassment/](https://blog.valerieaurora.org/2017/07/18/the-al-capone-theory-of-sexual-harassment/)

Basically it states that for a long time, sexual harassers were given a blind
eye with excuses like "he's good for our bottom line." But it turns out this
isn't true. It turns out people who act unethically in _one_ way often act
unethically in _other_ ways, that (among other things) hurt the bottom line.

------
mike_d
He is currently the CISO of CloudFlare. [https://blog.cloudflare.com/why-im-joining-cloudflare/](https://blog.cloudflare.com/why-im-joining-cloudflare/)

Hopefully eastdakota is preparing a statement about his departure.

~~~
lawnchair_larry
Hopefully not, considering he hasn’t had due process yet.

~~~
ponker
Cloudflare should apply due process in this case as in all other HR matters,
but let's just be clear that the amount of process "due" for terminating an
employee is vastly less than the process due for imprisoning an individual
with state power.

~~~
lawnchair_larry
But do you want to live in a world where someone can completely fabricate an
allegation that you can easily disprove, yet you’re still terminated on the
spot for doing nothing wrong?

~~~
ponker
By "due process" I don't mean "no process." It's unlikely that someone can
"easily disprove" a 19-page federal criminal complaint, but an employer should
certainly give an employee the opportunity to do so before their dismissal.

------
cma
Another Uber security guy was hired by Tesla and somehow came up related to
the Gigafactory drug running stuff:

> Tesla then hired a new senior manager of Global Security named Nick Gicinto.
> He was told that Gicinto and team were “spying on Tesla employees using
> devices to monitor emails, cell phones, and data communications from Tesla
> employees. Hansen expressed concern to his supervisors regarding what he
> believed was illegal conduct.”

> In fact, Gicinto and his team allegedly used these same tactics at Uber
> under Jeff Jones, former head of security who was also hired at Tesla with
> another security employee Jacob Nocon.

> In a lawsuit filed in the United States District Court, District of Northern
> California, Waymo LLC v. Uber Technologies, Inc., (Case
> No.:17-cv-00939-WHA). Jones, Gicinto, and Nocon all “allegedly engaged in
> numerous illegal methods of investigations such as wiretapping and hacking.”
> These behaviors are all outlined in the “Jacob’s Letter” filed in this case.

[https://patriotssoapbox.com/business/tesla-whistle-blower-alleges-ties-between-sr-management-organized-crime/](https://patriotssoapbox.com/business/tesla-whistle-blower-alleges-ties-between-sr-management-organized-crime/)

~~~
benmmurphy
I guess the problem is if you are using company property and the company is
wiretapping that property and you have signed some disclaimer then it might be
difficult to prove the company did something wrong.

~~~
soup10
I think some judges would consider the power imbalance between employer and
employee before legalizing invasions of privacy because the employee signed a
disclaimer. Contracts that a weaker party is pressured or coerced into don't
automatically clear the company/institution of wrongdoing.

------
cantrevealname
> _“Companies like Uber are the caretakers, not the owners, of customers’
> personal information,” said U.S. Attorney Anderson (for the Northern
> District of California)_ [1]

I would like that to be true, but everything I've read indicates otherwise.
Uber, Google, Facebook, banks, and credit bureaus have my personal
information, but I am _not_ the owner of that information. I've been told that
they own it, at least under U.S. laws. If I do own it, why can't I demand that
credit bureaus delete all my personal information?

The quote comes from the prosecutor of the Uber executive. If anyone should
know the law regarding who owns your personal information, he should. Is he
right or wrong?

[1] [https://www.justice.gov/usao-ndca/pr/florida-man-and-canadian-national-plead-guilty-hackingextortion-conspiracy](https://www.justice.gov/usao-ndca/pr/florida-man-and-canadian-national-plead-guilty-hackingextortion-conspiracy) [this was a link in the featured article]

~~~
deepstack
Exactly the reason why we ought to NOT offer anything in digital form of our
personal information WHENEVER possible. Data is money. Why should I offer anyone
anything in digital form unless I get paid!!!

~~~
deepstack
I know someone is going to say because it offers you convenience. Then we each
would have to weigh: is the convenience worth trading our privacy?

------
drtillberg
The CSO informed the CEO so ... this is individual concealment?

The better question is: If the CSO was not previously an AUSA, would the
prosecutors have charged this conduct?

~~~
kerng
Is there also a CISO or is CSO same as CISO? Man all those security titles.
Hopefully everyone has a CISSP.

~~~
tptacek
The titles are generally used interchangeably, though a CISO has an IT
connotation and implies an engineering leader, while a CSO can be a
risk/policy leader instead of an engineering leader.

Hopefully none of them have CISSPs; the CISSP is a joke.

------
neom
Interesting he's a former federal prosecutor himself (currently the CSO at
CloudFlare).

------
PatrolX
U.S. Attorney Anderson announces charges against Joseph Sullivan for alleged
cover-up of Uber hack (Video)

[https://www.youtube.com/watch?v=QEPRm2E_PUw](https://www.youtube.com/watch?v=QEPRm2E_PUw)

------
curiousllama
> “Need to get certainty of what he has, sensitivity/exposure of it and
> confidence that he can truly treat this as a [bug] bounty situation...
> resources can be flexible in order to put this to bed but we need to
> document this very tightly” - Kalanick

Looks to me like this is why Kalanick was not indicted. If he deferred, said
“handle it, keep it legal, and document it for any investigation,” that’s
really all you can ask from a CEO.

Whether or not this is REALLY what he meant (or just a way to cover his butt)
is up for debate. But it would be a good defense imo.

------
x87678r
I'm a bit surprised this is a criminal offense.

What control does the FTC have over storage of personal data anyway?

~~~
kodablah
The criminal offense is not the hack, it's the concealment.

~~~
tptacek
In fact, the two people responsible for the hack, Brandon Glover and Vasiley
Mereacre, are awaiting sentencing after pleading guilty in federal court;
they'll be sentenced next February.

~~~
pvg
'Vasile', which I think is the Romanian variant.

------
tptacek
For what it's worth, and I'm no lawyer, it doesn't look like he's facing
anything near 5 years.

For the misprision offense (18 USC 4), the guidelines are based on the
underlying felony, less 9 levels, capped at 19. Assuming CFAA/wire fraud, a
2B.1 offense, that's:

    6
    +8 for the >$95,000 loss
    +2 if involved harvesting email addresses (not charged?)
    +2 for evasion across jurisdictions
    +2 for exfiltrating trade secrets overseas
    +2 for intent to exfiltrate customer PII

That reads to me a worst-case underlying level of 24, or a 15 for the
misprision, which is 18-24 months; remove any of those constraints and it's a
"Zone C" offense that doesn't require imprisonment at all.

The more painful charge appears to be the Obstruction (18 USC 1505), for which
the guidelines appear to go:

    14
    +3 for substantial interference to an investigation
    +2 for extensive planning

That worst-cases to 19, 30-37 months. Still not close to 5 years, though, and
I'd assume (please correct me!) that these sentences group, since the
underlying conduct is the same.

(I assume this case settles?)

~~~
mike_d
If you look at most federal cases they start off with 1-2 charges like
Obstruction of Justice that are easy to prove to a judge. They always add
charges later.

~~~
tptacek
Seems unlikely here. (I was going to say the whole case is pretty silly, but
then I read the indictment, re: the FTC investigation.)

------
mascafe
While working at Uber, Joe Sullivan's head of Global Threat Intelligence hired
Ergo to carry out surveillance against Uber's legal foes.
[https://www.theverge.com/2016/7/10/12127638/uber-ergo-investigation-lawsuit-fraud-travis-kalanick](https://www.theverge.com/2016/7/10/12127638/uber-ergo-investigation-lawsuit-fraud-travis-kalanick)

~~~
casefields
I'm sensing a pattern here. See Jedberg, you're like that neighbor when the
news shows up saying how the "bad person" next door seemed totally normal.

Happens to the best of us bud.

------
ciarannolan
From the criminal complaint:

> The hackers’ ransom was paid in December 2016 via bitcoin, even though the
> hackers by that time had refused to sign the NDAs in their true names and
> had not yet been identified by Uber. Uber’s staff continued to work on
> identifying the hackers and were able to eventually identify them in January
> 2017, at which point SULLIVAN dispatched security staff to interview both
> hackers and obtain signed NDAs from them in their true names.

How did they identify them, and is the DOJ going after the hackers too?

edit: finished reading the PDF:

> H. The Hackers Pleaded Guilty to Federal Crimes.
>
> 50. On August 2, 2018, a Grand Jury in the Northern District of California
> returned an indictment charging Brandon Charles GLOVER and Vasile MEREACRE
> with crimes related to extortion involving computers under 18 U.S.C. §
> 1030(a)(7)(B) and 1030(c)(3)(A). The indictment alleged that GLOVER and
> MEREACRE, between December 2016 and January 2017, conspired to extort an
> online employment-oriented service (“COMPANY ONE”) by obtaining over 90,000
> confidential user accounts and using those accounts as a means to obtain
> money.

------
tempsy
this reminds me that Joe has ties to Tesla’s security team (ex Uber) which is
embroiled in a whistleblower lawsuit that alleges they spied and hacked
employee devices _and_ the insane eBay security team lawsuit in which the
security team allegedly sent a severed pig head to a small town blogger they
thought was working for Amazon

[https://www.bloomberg.com/news/features/2019-03-13/when-elon-musk-tried-to-destroy-tesla-whistleblower-martin-tripp](https://www.bloomberg.com/news/features/2019-03-13/when-elon-musk-tried-to-destroy-tesla-whistleblower-martin-tripp)

[https://www.wsj.com/articles/ebay-harassment-campaign-pig-cockroach-blog-11593009038](https://www.wsj.com/articles/ebay-harassment-campaign-pig-cockroach-blog-11593009038)

great legacy

~~~
jlgaddis
> _... the insane eBay security team lawsuit in which the security team ..._

They (allegedly) did a whole lot more than that! Everything about that story
is absolutely crazy!

I'm not sure what's leading these security folks to believe they can do
anything they want and get by with it but I, personally, am glad to see this
criminal prosecution taking place -- hopefully it will help to "remind" others
that they must "play by the rules" and that "'winning' by any means necessary"
is not acceptable.

The complete lack of ethics at Uber, in particular, was appalling.
Fortunately, it sounds like Dara was working hard to fix that once they got
rid of Kalanick.

------
meigetsu
One question for any attorneys here - if the FTC were not investigating the
2014 hack, would there not be any charges for these alleged actions? The
indictment doesn't seem to mention any statutes violated except for in
connection to impeding the existing investigation.

~~~
droidno9
18 U.S. Code § 4. Misprision of felony -- Whoever, having knowledge of the
actual commission of a felony cognizable by a court of the United States,
conceals and does not as soon as possible make known the same to some judge or
other person in civil or military authority under the United States, shall be
fined under this title or imprisoned not more than three years, or both.

This statute doesn't require an active investigation.

~~~
tdrp
Not a lawyer but what does "conceal" mean when it comes to websites like
forums? You often see probably illegal stuff show up on popular forums and
they eventually get banned/removed by moderators. Does that mean the
moderators "concealed" it and are therefore liable?

~~~
JakeTheAndroid
I am also not a lawyer, but I think this sentence is what does it:

> actual commission of a felony cognizable by a court of the United States

Illegal isn't always a cognizable (i.e. perceptible; clearly identifiable)
felony by a court. In this case, not only did the two hackers clearly commit a
felony, the lack of reporting it led to the exact same type of breach
conducted by the same two individuals against another site, Lynda.com.

That suggests they had clear evidence of a felony and knew of intent to commit
future felonies. And the two hackers were caught and are going through the
court stuff now; they even pleaded guilty. So that's basically a slam dunk on a
cognizable felony.

------
bigmattystyles
How is this any different than paying ransomware? Is that also illegal? If
anything, it seems like he/Uber are the victims of blackmail. And I have no
love for Uber.

~~~
pdw
He's not accused of paying off the hackers. Rather he's accused of hiding the
incident from an ongoing FTC investigation. They list various ways in which he
supposedly concealed the hack from the FTC, e.g. they claim he set up a
false paper trail to make it look as if the hack was a harmless bug bounty
submission.

~~~
bigmattystyles
Would you have to disclose a ransomware attack?

~~~
mike_d
Yes, if there is a federal investigation you cannot conceal or refuse to
disclose details.

There isn't a clear answer on proactive reporting. Depending on the type of
business you have, what data you hold, the scale of the attack, etc. Some
specific professions have mandatory reporting laws that may cover individuals
that work for you. (see [https://www.lw.com/thoughtLeadership/LW-ransomware-attacks-when-is-notification-required](https://www.lw.com/thoughtLeadership/LW-ransomware-attacks-when-is-notification-required) for a detailed answer)

The generally accepted best practice is that every ransom attack be reported
to the Cybersecurity and Infrastructure Security Agency.

In the specific case of Uber, the incident involved scanned passports. The law
is pretty clear that you have to report any compromise of passport data to the
State Department.

------
dcanelhas
Sounds like the TV series devs

~~~
DevKoala
I thought the same, but Amaya was more like a combination of Apple and Google.

------
DaniloDias
What law obligates a company to report a breach? Is this only applicable for
publicly traded companies?

~~~
kube-system
This is the law cited in the article:

[https://www.law.cornell.edu/uscode/text/18/4](https://www.law.cornell.edu/uscode/text/18/4)

~~~
DaniloDias
So this expectation is that Americans know all the possible felonies the
people around them are committing? What a law.

“It has been reported that the Congressional Research Service cannot even
count the current number of federal crimes. These laws are scattered in over
50 titles of the United States Code, encompassing roughly 27,000 pages. Worse
yet, the statutory code sections often incorporate, by reference, the
provisions and sanctions of administrative regulations promulgated by various
regulatory agencies under congressional authorization. Estimates of how many
such regulations exist are even less well settled, but the ABA thinks there
are ‘nearly 10,000.’”

[https://www.wired.com/2013/06/why-i-have-nothing-to-hide-is-the-wrong-way-to-think-about-surveillance/](https://www.wired.com/2013/06/why-i-have-nothing-to-hide-is-the-wrong-way-to-think-about-surveillance/)

~~~
kube-system
> So this expectation is that Americans know all the possible felonies the
> people around them are committing?

When relevant case-law is taken into account, it appears that is not the case.
Courts require active concealment of a known felony for conviction under that
statute.

[https://en.wikipedia.org/wiki/Misprision_of_felony#cite_note...](https://en.wikipedia.org/wiki/Misprision_of_felony#cite_note-6)

In this case, a CISO certainly is aware of the CFAA.

~~~
DaniloDias
>> In this case, a CISO certainly is aware of the CFAA.

That is a fair counterpoint

------
holidayacct
If you see an individual paying hush money to conceal a breach, check the
commit history asap.

------
mrandish
IANAL but this seems far from a slam dunk to successfully prosecute. The
charge is that he tried to cover up something that they aren't charging as a
crime while they were investigating an unrelated thing they also aren't
charging as a crime. And the legal department recommended and approved the bug
bounty and the CEO was fully informed.

------
sinuhe69
I’m surprised by the misprision charge. Is that not a bit dated?

------
foolfoolz
this sounds like every parent of every killer ever “he was a good kid. he
would never do this”

~~~
nickff
> "this sounds like every parent of every killer ever “he was a good kid. he
> would never do this”"

I understand that the HN mentality has become very cynical, but if your only
contribution to this conversation is a sardonic simile, comparing someone you
don't know to a murderer, you should consider biting your tongue.

~~~
colinmhayes
If your only contribution is defending shitty character testimony you should
consider biting your tongue. If there's no actual evidence I don't want to
hear about what a nice guy he is.

~~~
dang
Sorry, this isn't cool. Internet forums are far too quick to form flash mobs
of judge, jury, and executioner. In nearly every case this turns out to be
missing critical information. Moreover the instinct to do it is reflexive; it
has nothing to do with the particulars of any situation—it's just an
opportunity to have an experience that somehow we seem driven to recreate over
and over again.

Because the tendency is overwhelmingly in this vicious and vengeful direction,
having HN be the kind of community we want requires that we all make a
conscious effort not to go there by default.

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

------
vmception
It's extremely out of character that he can't pay more hush money to get out of
the charge of paying hush money

Why isn't Uber Inc helping him get a “Deferred Prosecution Agreement” so that
he can _kickback_ and relax

~~~
EE84M3i
He's the CSO of cloudflare now, so I doubt he does much relaxing.

Other thread:
[https://news.ycombinator.com/item?id=24227059](https://news.ycombinator.com/item?id=24227059)

------
H8crilA
The documents dumped by Martin Tripp in the Tesla case were pretty juicy.
Looks like they had full access to his personal phone, round the clock
surveillance on him and constant hacking of his accounts. So much so that one
of the security guys working for Tesla turned a whistleblower (Sean Gouthro).

Documents are taken down since a court ordered Martin to take them off the
public display.

------
55555
This is about lying to the FTC, not about paying off hackers to keep data
private. Ransomware has shown that the latter is accepted even if not exactly
legal.

> The database included the drivers’ license numbers for approximately 600,000
> people who drove for Uber.

Driver's licenses are deterministic and can be generated by knowing full name
and DOB and state. They aren't PII.

~~~
vesche
From reading the article it doesn't sound like this was ransomware:

> "During this time, two hackers contacted Sullivan by email and demanded a
> six-figure payment in exchange for silence. The hackers ultimately revealed
> that they had accessed and downloaded an Uber database containing personally
> identifying information, or PII, associated with approximately 57 million
> Uber users and drivers."

The hackers were demanding a ransom from Uber to keep silent about a data
breach. Which is a whole lot different than paying a ransom to decrypt
valuable, internal data. If a company has been breached, while it will almost
certainly cause damage fiscally & to their reputation, they have a
responsibility to notify users/customers. I'm unfamiliar with the law on this,
but it should be illegal for a company to pay a ransom for malicious actors to
keep silent about data they stole.

