
Is Uber’s rider database a sitting duck for hackers? - uptown
http://www.washingtonpost.com/blogs/the-switch/wp/2014/12/01/is-ubers-rider-database-a-sitting-duck-for-hackers/
======
danso
The operational security and access control at Uber doesn't inspire
confidence...if the data is so easily accessible from the inside to be used
for whatever purpose, then it's only a matter of time before an employee with
a "12345" password gets phished. The OP didn't mention the problem of
user-ratings being exposed through the mobile site
([https://medium.com/@aaln/how-to-find-your-uber-passenger-rat...](https://medium.com/@aaln/how-to-find-your-uber-passenger-rating-4aa1d9cc927f))...even
if that data isn't such a big
deal, the fact that it was just left floating out there, secured via
obscurity, doesn't speak well for Uber's precautionary mindset.

------
exelius
I would be less concerned about hackers than old-school espionage. That's
actually my biggest concern with large-scale data collection in general: if
the US government requires data to be collected, that means mechanisms exist
within private enterprise to collect and share the data. Hostile state actors
can then use classic espionage tactics (false flag ops, social engineering,
romance scams, etc.) to infiltrate those organizations and gather the data
themselves because it's already being collected and shared in an aggregated
manner.

I guarantee there are state intelligence agencies (both US and non-US) with
"assets" at Uber with access to this information. This is bread and butter
espionage - plant or recruit employees at private companies with access to the
information you need.

------
imgabe
Is it me or are these alarmist articles always short on detail as to what
the actual threat is?

> Wouldn’t detailed data on such rides be handy for a foreign power eager to
> map the relationships among various Washington players? It could potentially
> show both a history of contact and real-time movements as meetings are
> convening.

And then what? Let's say China knows that Senator A and Senator B both took an
Uber to the same restaurant at the same time. What do they do with that
information? It doesn't tell them what, if anything, was discussed. Maybe they
didn't talk politics at all. Maybe they had a big fight and swore never to
speak to each other again. Who knows? How does the ride information help? I'm
hardly an expert on espionage, but I don't see what advantage this gives
anyone.

~~~
munin
well, this is how textbook blackmail starts. you can probably compute an
inverse "rides of glory" measure and detect people with something to hide,
make a stab at what it is, approach them, and pressure them, without ever
leaving the safety of your home. you could apply this to everyone. that
doesn't sound bad? or do you think that people should just not have anything
to hide...

~~~
imgabe
It _might_ be a starting point for blackmail, but if someone is doing
something blackmailable then that's a separate problem. They're a liability
and I'm sure far more effective means of finding such vulnerabilities are
already being employed. They're going to need something more concrete than
ride data to effectively blackmail someone, anyway. "Give us the launch codes
or we'll release that you took an Uber to this address!" isn't going to cut
it, I think.

------
blfr
Theoretically, maybe. But completely practically, that info is available for
cabs today, for example in NYC[1]. A determined person can even figure out if
you tipped[2].

All that without doing anything illegal. It's just a matter of matching
pick-up locations and timestamps to people of interest. Which should be easy in
case of public officials and companies with known headquarters.

[1] [http://www.andresmh.com/nyctaxitrips/](http://www.andresmh.com/nyctaxitrips/)

[2] [https://news.ycombinator.com/item?id=7896537](https://news.ycombinator.com/item?id=7896537)

~~~
danso
No. This is not even remotely comparable. The Uber data would presumably
contain identities and histories. The taxi cab data does not. And it is not
simply "a matter of matching pick-up locations and timestamps to people of
interest"...the only way to do that would be to actively surveil those people
for a non-significant amount of time, and that's assuming they are taking the
taxi on a regular basis...predicting the times they've taken one-off meetings
would be futile.

Another big difference: taxi destination is only in lat/lng. For Uber data,
it's possible that much of the data is exact address (or at least corner) of
the destination...because it's just easier to enter it in the address you want
as a user rather than obfuscate it (obviously, people trying to cover their
tracks would try to obfuscate, but why would they use Uber in the first place
if they were that self-conscious?)

------
berberous
Does Uber disclose their data retention policies? I don't see any need for
them to retain my trip history on a non-anonymized basis, other than a short
lookback period for driver and date/time for purposes of finding lost items.
And I would feel better knowing that they publicly state as much.

------
bengali3
As highlighted by the last line of the article “Most people,” Lewis said,
“have really bad operational security.”

I don't think the media is going to stop targeting Uber for a while...

I am always happy when the topic of security and data-privacy is discussed in
the broader media. I wish there was an easy 'goto' option for
agile/startup/lean/hacker teams that, with little time for security policies,
are focused on speed so early on.

"Regulation--SOX, HIPAA, GLBA, the credit-card industry's PCI, the various
disclosure laws, the European Data Protection Act, whatever--has been the best
stick the industry has found to beat companies over the head with. And it
works. Regulation forces companies to take security more seriously, and sells
more products and services." - Bruce Schneier[1]

[1] [https://www.schneier.com/news/archives/2008/01/bruce_schneie...](https://www.schneier.com/news/archives/2008/01/bruce_schneier_refle.html)

------
GrinningFool
Wow. I've been taking a break from most computer stuff over the last week or
so. What'd Uber do that they're now getting targeted with speculative smear
pieces?

~~~
danso
One of Uber's execs was mouthing off against tech reporters at what he thought
was an off-the-record dinner:
[http://www.buzzfeed.com/bensmith/uber-executive-suggests-dig...](http://www.buzzfeed.com/bensmith/uber-executive-suggests-digging-up-dirt-on-journalists)

Obviously, that kind of alleged discussion is not going to win the hearts of
the journalistic class, but Uber's problem is that it had a reported history
of using user data for unexpected purposes, like to use the God View as
decoration at a _company party_.

One of the key points in the OP that I hadn't seen before is an anonymous Uber
interviewee who claimed that he/she had total access to the Uber customer
database as part of the interview...and for _hours after the interview_.

I agree with some people here, that this seems like an overblown story because
Uber isn't any more an attractive data center than
Google/Facebook/Github/etc...the problem is that what we know of how Uber has
disseminated the data within the company indicates an almost certain lack of
prioritization of access control. And many of the employees at Uber being
human, it's only a matter of time before someone gets phished and something
like an attachable Excel file of intranet-passwords is found (or other
manifestation of sloppy IT-security practices/work-arounds).

And I'd say Uber deserves a little additional scrutiny...its data may not be
as valuable as Google or Facebook's, but it could very well have the lowest
focus on operational-security compared to companies in its tier of valuations.

~~~
GrinningFool
Very interesting, thanks for replying and the link.

While I agree that given the nature of the data they capture, it makes sense
that they receive a little additional scrutiny -- this more feels like someone
had the idea of how the data could be misused, then discussed the idea with
various security folks who (unsurprisingly) said, "Well.. yeah, now that you
mention it, this COULD be a problem." In other words, feels like the writer
was making the news here and not reporting it.

And to an extent that's legitimate. I question the need to approach it in this
way though - making a one-sided story of it instead of working with Uber to
see if they're aware of this as a potential issue, determining what steps
they're taking to prevent it, etc...

As far as how Uber is using the data they've acquired - it seems they've hit
that painful point that every long-term startup does. They've evolved past the
point of a small group of folks with an idea, and need to adjust to a new
reality. That includes reining in some of their "ooh, pretty data! let's play
with it!" impulses, because of the privacy implications and because of the
implicit trust their users place in them. I would expect a couple of high
profile hires and some policy statements to be forthcoming as they mature.

~~~
GrinningFool
Edit: heh, as I catch up I see that last is already happening -
[http://www.buzzfeed.com/johanabhuiyan/amid-user-concerns-ube...](http://www.buzzfeed.com/johanabhuiyan/amid-user-concerns-uber-rolls-out-its-privacy-policy)

------
tlrobinson
"Is [technology company's] database a sitting duck for hackers?"

------
marknutter
This is somewhat off topic, but these kinds of headlines should be
auto-flagged from every news aggregator site on the web. Asking a question which
seems to incriminate its subject is click-baity at best and unethical at
worst. Either make the claim or not and back it up in the article. Don't just
throw bullshit questions into your headline. For example:

"Is the Washington Post the Most Unethical Publication in the Nation?"

~~~
flycaliguy
Maybe click baity, but it is a serious question which is being asked. Not out
of the blue but after a pretty shocking revelation of the unnecessary
information they are gathering.

Opening up innocent people to hacking is one of the most important reasons
that this new school of data gathering is being discussed.

Is it unethical when it appears as if the answer is almost certainly "YES!"?

edit: I'm specifically thinking of Uber gathering which customers have phones
with vulnerabilities.

~~~
marknutter
If the answer is "Yes" then they should put it in the fucking headline.

------
brandonmenc
At this point, these anti-Uber articles constitute nothing more than a smear
campaign - and a bad one, at that.

Every company sits on troves of data re: your personal habits and comings and
goings - and they all get hacked, all the time. Even ones run by the "grown
ups" that - according to the narrative - Uber so desperately needs if they
ever want to be seen as a member of decent society.

~~~
untog
As the article states, Uber is unique in a few ones. One: all signs point to
employees being given unfettered access to all user data. That's A Bad Thing.

------
qrush
[http://en.wikipedia.org/wiki/Betteridge%27s_law_of_headlines](http://en.wikipedia.org/wiki/Betteridge%27s_law_of_headlines)

~~~
friggeri
Corollary: Any headline which ends in a question mark will lead to someone
commenting with a reference to Betteridge's law of headlines.

