Hacker News new | comments | show | ask | jobs | submit login

I don't know about Uber, but I've worked at a lot of places that had sensitive data. A common patterns is to fail to treat employees like attackers, and protect data in ways that are very beatable by a motivated employee. Some examples that hopefully have been fixed:

-A company had a specific dataset that would be worth millions: The kind of things that a wikileaks might want to publish, and would make the papers. I was supposedly unable to access the app that displayed it, but I had access to the tables. For legitimate business reasons, I took the data out, put it in my company laptop, and stuck a search engine on top. There were no logs of my activity, and nobody came to ask why in the world I was doing something like this.

-At another place, they were saving credit cards, encrypted, but their idea of saving encryption keys was to put them in a file that only root could access. Well, everyone had access to create batch jobs (yes, even phone reps), and batch jobs ran as root, so anyone could walk out with the lot. I had to do a lot of work to convince them that yes, this was not PCI compliant.

-Another system had relatively well protected data, only available to people with access. Except they had single sign on, and some of they systems that took credentials did so in the clear. Peek at network traffic, steal credentials, and then do whatever you want as anyone you want! They had a process where you were never supposed to leave your computer unattended, and if you did, team members would go into your computer and send an email to the team promising cake, and you'd have to bring it as punishment for your security problems. Imagine their surprise when people were sending emails promising cake while they were using their computers.

-A phone company having cell call metadata in the clear, in a DB any developer could query. There was another system with billing information, equally accessible. So search for your favorite person in one, and go to the other and see who they call, when they call, and from where. Isn't that convenient?

So I don't believe anyone's claims about their data security unless they come from someone that has some security knowledge and has tried to evaluate the security pretending to be a real attacker. And even in that case, I'll probably want a team of them. Otherwise, I'll assume there are major flaws that nobody has found, just because nobody has cared enough. I have yet to find an employer where this was not the case.




> Otherwise, I'll assume there are major flaws that nobody has found, just because nobody has cared enough

Unfortunately, this is the state of 99% of all software, everywhere, it would appear. And I'm dubious about that extra 1%.

[Edit] and lets not forget, you can care a lot and still have this be the case




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: