Don't check secrets into VCS, folks!
One snippet of the email the article didn't mention was that Sullivan's firing happened pretty much right after Dara learned of the breach and an investigation was conducted. It definitely inspires more confidence in leadership seeing that the CEO will not tolerate unethical behavior.
Also, Uber has been hiring a lot of new people - the ratio of new people vs old timers is really high. I'm obviously just one anecdata point, but I believe new hires (and a lot of old timers) want Uber to be an ethical company, and many have joined the company specifically to tackle that challenge. One great example that comes to mind was when one board member made a sexist remark on an all-hands meeting a few months ago and by the end of that same day, Liane Hornsey (who had just joined as the new head of HR) had him give up his seat.
There's a big push towards trying to make things right, with the Holder report, the 180 days of change campaign, the implementation of new training courses, an anonymous complaint hotline for employees, etc. And the unspoken message right now is pretty clear: inappropriate conduct _will_ get you fired, even if you are the head of your org.
Obviously there's still a lot of work to be done, but I think we're at least on the right track now.
> it would be a shame for a culture shift to coincide with the realization of one of them
I think everyone at Uber has at least some idea about the P&L situation, but there's no doubt in people's minds that we need to drop the go-fast-and-dubiously culture and embrace a do-things-properly culture. If anything, I think it's more likely that a major crisis would continue to drive home that idea.
Hopefully he will also slowly eradicate the existing unethical behaviour.
... crap. My kids won't be buying a GM car.
I probably should have spoonfed the readers more. They grew up in a world that doesn't need critical thinking anymore so it's probably too much to ask for their brains to activate while reading on a website and have them put distinct ideas together to form a grander one.
Must. Downvote. Comments full of facts but from people I dislike. Must.... errooorrrrroooorrrrrr. 505.
It's okay. Every time I see downvotes here, I know I said something great but I just pissed someone in power off. I'm used to being a minority oppressed by a majority in power. It's no big deal. The system just builds people like that these days.
Either make a valid point or let your comments stand. Leave the /r/iamverysmart tandems at the door
It's always a person, it's never an institution or organisation, never a boring measurement like bureaucratic oversight or well-made laws.
Good luck and I hope you're doing it for the money, cause nobody should buy the "Uber is an ethical company" bs.
I don't have any context on why someone would have put production secrets in a GH repo. If it had happened in my team, I would definitely have sounded the alarm at code review.
Yeah, I'm totally with you there. Not cool :(
In an organization of about 200 engineers across various products, 1000+ GitHub repos, and 10 or so different CI systems, we enforce 2FA at GitHub. I can still see how someone could easily gain access to source code with secrets in it.
Wait, what? That's 5+ repos per engineer. What on earth would warrant that level of granularity? I've only worked once in my career in a place that used more than 2-3 repositories total, and that was a "MegaTechGiant" with thousands of engineers.
- 1 repo for the frontend
- 1 for each api
- 1 for the infrastructure terraform scripts
It's good for CI / CD and general code base organization. Also easier to track changes and handle security. You give devs access only to the repos they need to do their job.
Our team has a product with multiple integrations and internal apis, so we easily have 40+ repos.
I'm surprised you're being so heavily downvoted for your question. Engineering teams (and software companies) come in all shapes and sizes. It is absolutely reasonable for even an experienced engineer to have only worked at companies with a handful of repos.
Rather than downvoting, it would have been helpful to explain why your company has opted for such granularity (perhaps engineers or teams have a high level of autonomy, or your software is highly componentised and built from a great many, separately managed, parts).
I personally don't have a strong opinion about either way - they both have tradeoffs.
I can see that with a company that has grown day 1 around Github, especially during early startup stages with a variety of contributors but no formalised "organization".
> Kalanick, Uber’s co-founder and former CEO, learned of the hack in November 2016, a month after it took place, the company said.
I don't know if they were using GHE. If they were, at the time it did not come with a good way for them to enforce 2FA for users.
Well, sort of - at the application level, that's true, but GHE is typically run behind a VPN. Certainly that should be the case for a company the size of Uber.
Even before GHE added 2FA, it shouldn't have been possible for a leaked set of login credentials to be used to access GHE, without some other sort of compromise (VPN cert, physical compromise of hardware, etc.).
Lateral movement by an attacker is a real thing. And while credential reuse is something most security focused web companies are trying to mitigate, a push for "sso"-like account management is seemingly undoing most of that effort inside the network if not done properly (specifically, auditing and monitoring of behavior).
This is why 2FA is important! I worked for a company that had a very similar setup: I essentially had a single "LDAP" password. But: everything web-browser went through a single sign-on site, and it required 2FA (and so, you were never entering your password into even random internal applications: there was exactly one page where you should log in). Terminal stuff had a similar flow that also required 2FA (e.g., for SSH). As a user, the experience was not painful at all.
It does seem like, however, from an operations standpoint, getting such a setup in the first place is not trivial.
They don't use GHE, they use Phabricator.
I don't know how to feel knowing that there is even one software-focused company out there that doesn't enforce 2FA on its GitHub accounts. Like... how?! Why?!
Just one of the many ways to bypass it in this case: hack a developer machine and look at the local checkout.
Who cares about access to individual dev's machines if the credentials to access code on github are obtained - 2FA at least offers some degree of protection in this scenario. The scope for attack is extremely different.
They run browsers, communication tools, all sort of product experiments and testbeds, and they even connect to random airport/hotel wifi.
Attack a laptop and all software and hardware 2FA tokens are useless. A backdoor can sit around and wait for the user to press the button.
There exist 2FA protocols that permit tying the 2FA challenge to a particular context: you can't just take the response from the 2FA hardware and use it anywhere. In this regard, the malware doesn't get anything more than what they already have, and the 2FA still adds protection: if the malware is able to compromise your password (e.g., through keylogging) it doesn't immediately get access to everything you have access to. Now, of course, if you 2FA for some resource, then yes, at that point, you're probably doomed, but I don't believe that gets the malware anything new (e.g., once the auth is complete, if that results in a "user is logged in" cookie, the malware could just read that, and go to town.)
Compromise of a local machine is definitely bad, and not what you want, but 2FA tokens are not useless, even in that situation.
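The context binding described in the comment above, as an added example that is not code from the thread: a simplified model of U2F-style 2FA in which the token signs over the challenge together with the origin the browser reports, and the site accepts each challenge only once. Real tokens use per-site ECDSA key pairs; a per-origin HMAC key stands in for that here, and the origins and user name are constructed.

```python
import hashlib
import hmac
import json
import os


class Authenticator:
    """Hardware-token stand-in: one key per registered origin (the U2F appId).
    Assumption for illustration: an HMAC key plays the role of the ECDSA key pair."""

    def __init__(self):
        self._keys = {}

    def register(self, origin):
        # Returns the key the relying party stores for this user at this origin.
        key = os.urandom(32)
        self._keys[origin] = key
        return key

    def sign(self, origin, challenge):
        # The browser, not the web page, reports which origin is asking.
        # A token registered for the real site has no key for a look-alike
        # origin, so it cannot produce a response that is usable there.
        key = self._keys.get(origin)
        if key is None:
            return None
        client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
        sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
        return {"client_data": client_data, "signature": sig}


class RelyingParty:
    """Web site that issues one-time challenges and verifies signed responses."""

    def __init__(self, origin):
        self.origin = origin
        self.keys = {}
        self.pending = set()

    def register(self, user, key):
        self.keys[user] = key

    def new_challenge(self):
        challenge = os.urandom(16).hex()
        self.pending.add(challenge)
        return challenge

    def verify(self, user, response):
        if response is None:
            return False
        data = json.loads(response["client_data"])
        if data["origin"] != self.origin:
            return False  # response was bound to a different site
        if data["challenge"] not in self.pending:
            return False  # unknown or already-consumed challenge (replay)
        expected = hmac.new(self.keys[user], response["client_data"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response["signature"]):
            return False
        self.pending.discard(data["challenge"])  # each challenge is single-use
        return True


def run_scenarios():
    """Three cases from the discussion; returns which ones the site accepts."""
    real = RelyingParty("https://vcs.example.com")  # constructed origin
    token = Authenticator()
    real.register("alice", token.register(real.origin))

    # 1. Legitimate login: fresh challenge, signed for the real origin.
    c1 = real.new_challenge()
    r1 = token.sign(real.origin, c1)
    legit = real.verify("alice", r1)

    # 2. Malware on the laptop captured r1 and replays it later.
    replay = real.verify("alice", r1)

    # 3. Phishing relay: a look-alike site forwards a real challenge, but the
    #    browser tells the token the look-alike origin, so nothing usable comes out.
    c2 = real.new_challenge()
    phish_relay = real.verify("alice", token.sign("https://vcs-example.com", c2))

    return {"legit": legit, "replay": replay, "phish_relay": phish_relay}


if __name__ == "__main__":
    print(run_scenarios())  # {'legit': True, 'replay': False, 'phish_relay': False}
```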
If you have an ultra-secure door, the thieves will just enter through your regular window.
Sure, there are only 13 projects on https://uber.github.io/, but there are 169 on https://github.com/uber, and it only takes a short while to scan for access keys. There are plenty of open tools that will scan github for keys.
This may not have been targeted at Uber but a net for all of github with Uber being just one company that was hit up for cash. Unless you're saying that you know the motivations of the attackers.
Do you give every employee a mobile phone, or do you ask your employees to use their own personal phones?
Asking them to use their personal phones seems like a very bad solution. Many software companies do not routinely give developers mobile phones...
This is incorrect.
You only need the ability to generate TOTP or U2F tokens. This is often done using a smartphone app, but can also be done by a desktop app like 1Password or a hardware device like a Yubikey:
It's things like that that make me wonder why TOTP tokens are supposed to be conceptually different from passwords. A TOTP scheme involves knowing a master password, and nothing else.
Why? You're not any less secure by using a personal phone. What are the odds that an employee is going to be phished and have their phone compromised by the same entity.
I'm already answering emails out of office hours, which is for my employer's benefit, and they want to functionally own my phone because of it?
For companies that don't do that Github also offers the option of FIDO U2F compatible keys.
I've never once worked in a company that permitted source code to leave the company network.
I think you've misinterpreted people's reactions. It's not at all controversial to use other companies' services for your most sensitive assets; it's your opinion that appears controversial to them. If you're in control of your own servers, what remains is to trust GitHub Enterprise not to literally phone home your source code or to enable remote code execution on your own server. There are myriad information security policies and compliance methodologies for compartmentalizing, quantifying and sharing that risk.
For what it’s worth, having personally performed security assessments for over 50 different companies across the gamut of size/maturity, nearly all of them use a centralized VCS hosted or produced by GitHub or Bitbucket (and nowadays, occasionally GitLab too).
HN users tend toward a very pro-SaaS stance.
If that were the case, there would be no authentication whatsoever to access the closed-source site; the hacker would have just needed to guess the right url.
Edit: I mean it would surprise me if it wasn't recommended practice, but it would also surprise me if it was somehow strictly enforced.
The attacker can submit your info to GitHub the moment you submit to the malicious site. You receive the token via SMS as expected, enter it on the second page of the malicious site, granting them access.
I'm intrigued. Why would that be a higher-value target?
I am thinking now would be a good time to port it to working with webhooks as well.
The tool would have blocked the aws credentials from being checked in: https://github.com/opnfv/releng-anteater/blob/master/master_...
One: you can use something like KeePass to store a database in a shared location if you don't trust the SaaS offerings.
If you are looking at storing credentials for automation purposes, and don't have a secret store built in, you could look at something like Hashicorp Vault to help provide this for you
The user in question has some specific interest in editing LogMeIn, parent of LastPass, pages: https://en.wikipedia.org/w/index.php?limit=50&title=Special%...
Sometimes I just go on google hangouts and share my screen if I'm feeling lazy.
1 - https://www.envkey.com
Removing the secrets from the repository is nice to have, but not that necessary - what is mandatory is to ensure that the compromised secrets are no longer useful, since they aren't secret any more and won't be ever again.
> Warning: Once you have pushed a commit to GitHub, you should consider any data it contains to be compromised. If you committed a password, change it! If you committed a key, generate a new one.
is a good argument as to why you shouldn't let users erase this data from history: it's already out there, so no matter how painful or convoluted your process for regenerating auth credentials is, you need to do it if you've published them into your SCM. If the process is painful you might want to simplify it, because you'll probably need to do it sometime in the future again... yes, even you large corporate workers who have no control over credential regeneration; an arduous process leads to credential sharing between projects, which is another horrible thing.
There are cases- such as complying with court orders- where removing the data is appropriate (even if a bit futile in the long run).
I suppose? But at this point they have your code base. You are so owned at that point.
I don't think either of those companies would cease to exist if their code bases leaked online today. Sure, someone might get something to build, but there is surely A LOT of things around the code bases to support all of this, which means the code bases would mostly serve as a study for software in general (and finding holes obviously).
GitHub is a bit of an unfair comparison, as their business is literally to make your code private, so if it leaks then of course it would be a hard hit. For the general company, I think leaking access credentials is a much bigger (but easier to fix) problem than leaking the source code itself.
A serious Photoshop clone that can match PS feature for feature would wipe Adobe, people cannot wait to get rid of them. 25% of MS revenues comes directly from Office and another 25% from Windows or other commercial offerings that are basically driven by Office, so yeah, MS would survive a working Office clone, but they would be deeply wounded; they pulled all the dirty tricks in the book to keep competitors from integrating seamlessly... having the real code responsible for their formats available in the open, would hurt them massively.
These companies are as big as they are because they did the right moves at the right time, and now they have spent so many man-decades on their codebases that nobody can realistically hope to catch up starting from scratch; but having a good look at their codebases would likely kickstart oozes of competitors with very good chances to replace them in a very short time.
> For the general company, I think leaking access credentials is a much bigger (but easier to fix) problem than leaking the source code itself.
Credentials are a means to an end: protecting something. If you are Ashley Madison, your valuable IP is your database of users and their preferences; but if you are Microsoft or Adobe, what credentials are protecting is your source code. Adobe survived their user credentials being leaked, like so many other companies. They would have hurt much more had they leaked the entire PS codebase.
Just open a shop in China and obfuscate a bit. Job done.
I hate these types of arguments. Yeah no one said that ever.
Losing your code base is terrible. I view it as losing a journal. What your company tries, tests you run, funny comments, or funny mistakes. I mean they post it on the net, blackmail team members, imposter team members, forge for leaks, sell it, pushes to prod from compromised accounts, CI systems, -- seems bad to me. Sure don't have aws keys in there.
Also "pushes to prod from compromised accounts, CI systems" seems more related to access keys and account security rather than the actual code base.
But hey, in the end I'm no security expert so what do I know.
Maybe pushing something that was labeled as a "security patch" but was actually a disguised vulnerability? I could see not even checking into that, and just downloading it. But I'm on a small team. Do big companies have procedures to protect against this?
Quick google yielded this https://github.com/awslabs/git-secrets
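A pre-commit check in the same spirit as git-secrets and the anteater tool linked earlier, as an added example (not the thread's code and not either tool's own source): it walks the staged diff, reports added lines matching AWS access key and secret key patterns, and allowlists documented placeholder values. The file path, the sample diff and the key values in it are constructed; the `--demo` flag is this script's own.

```python
import re
import subprocess
import sys

# Each rule exposes the suspected credential in a named group "value" so the
# allowlist can be applied to the value alone.
RULES = {
    # Access key IDs: "AKIA" (long-term) or "ASIA" (temporary) plus 16 characters.
    "aws-access-key-id": re.compile(
        r"(?<![A-Z0-9])(?P<value>(?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])"),
    # A 40-character value assigned to something named like a secret key.
    "aws-secret-access-key": re.compile(
        r"(?i)(?:aws)?_?secret_?(?:access)?_?key\s*[:=]\s*['\"]?"
        r"(?P<value>[A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
}

# Documented placeholders that look like keys (AWS's own example access key ID).
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_diff(diff_text):
    """Return [(path, new_line_number, rule_name)] for every added line that matches."""
    findings = []
    path, line_no = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith(("--- ", "diff ", "index ")):
            continue
        header = HUNK_HEADER.match(raw)
        if header:
            line_no = int(header.group(1))  # first line number of the new side
            continue
        if raw.startswith(("-", "\\")):
            continue  # removed lines and "No newline" markers are not new content
        if raw.startswith("+"):
            content = raw[1:]
            for name, pattern in RULES.items():
                hit = pattern.search(content)
                if hit and hit.group("value") not in ALLOWLIST:
                    findings.append((path, line_no, name))
        line_no += 1  # added and context lines both advance the new-side counter
    return findings


def main():
    """Hook entry point: non-zero exit blocks the commit."""
    diff = subprocess.run(["git", "diff", "--cached", "--no-color"],
                          capture_output=True, text=True, check=True).stdout
    findings = scan_diff(diff)
    for path, line_no, name in findings:
        print(f"{path}:{line_no}: possible {name}; remove it and rotate the credential",
              file=sys.stderr)
    return 1 if findings else 0


# Constructed staged diff: two real-looking credentials plus one allowlisted
# placeholder; the removed line must not be reported.
SAMPLE_DIFF = """diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLE000000001"
+AWS_SECRET_ACCESS_KEY = "0123456789abcdefghijklmnopqrstuvwxyzABCD"
+DOCS_EXAMPLE_ID = "AKIAIOSFODNN7EXAMPLE"
 ALLOWED_HOSTS = ["example.com"]
-OLD_KEY = "AKIAREMOVED000000000"
"""

if __name__ == "__main__":
    if "--demo" in sys.argv:
        print(scan_diff(SAMPLE_DIFF))
    else:
        sys.exit(main())
```

Install it as `.git/hooks/pre-commit` (or wire it into the CI systems mentioned above) so the check runs where the secret would otherwise leave the developer's machine.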
If someone gains access to a system that uses the credentials, then there is, in principle, no difference between puppeteering that system versus stealing its credentials.
Ok, how do you handle a bootstrap problem?
The "I didn't know, I just took a vast salary to play golf" argument should not be any kind of defence. If there is the real prospect of going to jail, golfers will resign, those who take the job would actually take an interest and have the ability to do so.
An idea whose time has come.
No sensible person would sign up for the CSO position if they risked jail time when their company gets hacked. You can't really control it. A random engineer could make a mistake that gets hackers a step closer. Or it could be a zero-day vulnerability that nobody knows how to protect against.
There are millions of motivated adversaries out there and a finite number of employees at your company to outsmart them. It's a game you can't win. The larger your company becomes, the broader your attack surface becomes, and the higher value a target you become.
You just have to hope that when you get hacked, it is a "forgiveable" hack like a zero-day or highly targeted attack.
If CSO's are to be personally accountable for the malicious actions of others, it needs to be due to clear negligence on their part and the responsibilities need to be clearly defined.
We're talking about cover up, if you cover up the fact someone stole private data belonging to other people you took responsibility for. If you try and pretend it didn't happen because you might get away with it then claim you didn't know when it comes out? Then yes, absolutely, you deserve to risk jail time for that. As does your board of directors.
CSOs, senior management, boards of directors should be personally responsible for their own actions. They need to have something at stake that they really dread losing when making the decision "perhaps we can get away with this?"
And how do you make that scale? If I miss a semicolon and leak 5 people's data, then I'd hardly get any jail time. If I miss a semicolon and leak 150,000,000 people's data, I will die in prison. In both scenarios, I made the same error, but the outcomes were insanely different!
So how does one draw the lines between bad luck, reasonable security problems, everyday poor performance, civil liability, and criminal negligence?
> A random engineer could make a mistake that gets hackers a step closer
That could be prevented, to a large extent, with much tighter controls. Of course, those controls would greatly increase the cost of operations and other things.
Is it possible we're all accustomed to the wrong model, that our standard of IT security is like the standard of car safety in the early auto industry (and maybe until the 1970s) - far too lenient? Maybe we should be facing the potential fact that the normal cost of IT should include those controls and other security expenses.
By analyzing how they prepared for the inevitable attack (mitigation), as well as how they respond to it after the fact.
Essentially we need a price tag on personal data. Let's say $1 for each email and password leaked to an unknown number of entities. That would be a $114M incentive for Uber to keep their data secure.
It's a shame this happened pre-GDPR because that has steep fines - 4% of worldwide revenue - which would be north of $260M going off their 2015 numbers. And that's assuming they get off with a single fine.
As CEO, former engineer and customer I really hope this gets some serious traction. IMHO if you are making money from customers, it should be mandatory to follow compliance regulations and protect all data.
Sure they can. It is called "insurance". Sort of like malpractice. CSO wants to get paid millions of dollars? Excellent, either be personally on the hook or have an insurance company that would be willing to underwrite your method of dealing with it, be that having your own crack team of people who get to oversee everything, or relying on Jr system admins from your company or whatever else.
I think that's a very sad commentary on how little your company values security.
OP's a realist. His perspective has nothing to do with how a company values security.
No one in security assumes they won't get hacked; we assume we will. When we do get compromised, our metrics aren't measured on "if"; our success metrics are:
* How quickly we find out
* How much damage we can mitigate
* How quickly we mitigate the risks and controls for X vulnerability and
* How we incorporate our reporting to find trends to find the event quicker next time
Now we report on many compromises. I'm not talking just about data breaches here, there's a whole spectrum of compromises that we manage and mitigate.
I don't know anyone who operates in Security who has a different mindset to OP.
Of course it does. The stick is not big enough, so CSOs just do not care enough. Increase the size of the stick and it would split the group of CSOs into two:
1. Like OP, will run away saying "I'm not going to put myself in the line of fire if crap gets hacked". We need broomsticks for those.
2. The ones that will say "OK, two years", do their best and probably succeed.
This has nothing to do with not valuing security, it's just about being realistic. Can you guarantee that your company is hacker-proof? No? Then we're on the same page.
It's great that you take all those steps and investment. The fact that you still don't believe you can control whether or not you get hacked is a sad reflection of modern software practices, which are akin to throwing together a house out of plywood, newspaper, and gasoline, then asking the security team to place fire extinguishers.
I believe it's more like getting into a car accident. You can be the best driver in the world, you can always drive under the speed limit and take all precautions but you are bound to be in an accident at one point or another.
You may go decades without incident, but it's almost a certainty that you will find yourself in a situation where another driver collides with you in a way that couldn't have been foreseen. This driver could have hit you accidentally or on purpose; it doesn't matter. You could be teaching another how to drive during the incident, you could have had a momentary lapse in judgment... it doesn't matter. What matters is how you handle the situation after the fact and the steps you took to mitigate the damage.
If you spend enough time on the road the likelihood of an incident approaches 100%.
If you don't assume that you will be hacked, then you won't design in auditing, alerting and containment that will tell you when you've been hacked, let you determine what data was compromised, and prevent the attacker from having free rein over all of your systems.
Otherwise, you'll be like a former coworker that refused to secure internal systems because "We paid a lot of money for our firewall, it's going to block any hackers". It took me less than 30 minutes on my first day to hack the login passwords of senior executives because they logged into a non-SSL reporting server (and I did it through a simple MAC overflow attack on a network switch from a network port in the break room).
I see a big difference between preparing for the event of a hack, and believing that a hack is inevitable no matter what practices are in place.
CSO: We have airtight security, we cannot get hacked.
CSO: Please approve and fund this plan to handle a breach in case we are hacked.
CEO: But you just told me we can't get hacked.
CSO: Right, it's impossible.
CEO: So why do we need to spend money preparing for it?
CSO: Just in case.
CEO: Just in case what? You just told me it can't happen.
That seems a little like asking for money to prepare for an alien invasion or a zombie attack.
Also, the personal liability for board members and managers is something that is exceedingly pursued by shareholders and creditors (for the financial liability) and prosecutors (for the criminal liability) compared to how it used to be.
I don't think it matters much, though.
You can't just give jail time for data breaches. It would encourage cover-ups and scapegoats. Also never underestimate just how disorganised large organisations are; incompetence at addressing issues is systemic and goes far beyond data protection. What seems like malice is sometimes just plain stupidity.
It has to be backed by some sort of regulatory framework. Just like a fire code or employment rights. But crafted in a way that it doesn't end up like PCI, ratings agencies or financial auditors, i.e. creating an industry that sells compliance and not actual security.
Perhaps something light, like mandatory minimum bug-bounty schemes for all companies, where fines (or more) are imposed for not addressing issues and an independent regulator works with larger companies to resolve issues (or penalise the company severely if they deliberately won't).
The reasonable company director should have known X and when found out was bound to report it. Person Y did not report it, should have known as it was their job to know and there aren't extenuating circumstances. Guilty. 6 months. Next case.
"I don't know anything about this company I accept 7 figure sums to oversee as a director." Should never be any kind of legal defence. If senior management and directors have something personally at risk you'll see vastly improved behavior. Right now we're selecting for the opposite and seeing the inevitable results.
There is a story like this about directors and management cover ups every single day
Who will fill the void ? People who are overconfident and people who are not scared of going to jail.
It's much better to impose financial penalties. Should the directors or the shareholders pay ? Let them figure it out between themselves!
We do this for CFOs, Chief Compliance Officers and many other roles for many other things.
For example, the Target credit card breach occurred because malware intercepted the credit card information at the Point of Sale appliances before the information was encrypted and transmitted.
Prison time seems extreme, but Congress should absolutely establish statutory fines (for companies) for breaches of PII. Then any company officer can save the company money by simply spending more on prevention because it will lower breach insurance premiums.
Well, that's already happening without jail time, so maybe give it a whirl. Let's get real here: the idea of suits going to jail is just scary to some people, but it'll be fine.
This happened more than a year ago, and only now that they're planning on offering identity theft protection? That's ridiculous.
"Sorry we left uranium in your house a year ago and didn't bother telling you. Here's a coupon for free cancer screenings."
I don't think the average Joe is up to date with this news, or even cares about it.
Just like we don't know anything about the CEO of the product making your detergents, the CEO of the brand of clothes you purchase, the CEO of your oven at home... Not knowing about CEOs is rather the norm, not the exception, and ultimately if the product/service is good, the CEO does not matter for most people, or they are only going to care about it in passing and then return to their old habits. GoDaddy is still in business.
If everyone in the country was told "write a check to GM for $50 or go to jail," and conservative media wasn't berating Tesla/Musk, public opinion would be a lot different... Take it all with some healthy skepticism.
Personally, I like him quite a bit, but to be fair I know that outside of my own echo chamber of my news and social media feeds, that there are a lot of people who don't like him, and where that negativity is coming from.
HN is a community. If users don't have some consistent identity for others to relate to, we may as well have no usernames and no community at all. That would be a different kind of forum.
Anonymity is fine, and throwaways for a specific purpose are ok. Just not routinely.
There are a couple different things at play.
First, one plank in their infowar strategy is to combat anything that even indirectly propagates any understanding of climate change among the proles. They take positions even against more-efficient-than-incandescent light bulbs, so this line of attack certainly includes targeting electric cars and solar. Musk is obviously a celebrity of sorts in these areas. Any government help to build solar plants or subsidize non-fossil-fuel alternatives (e.g. electric vehicles) is portrayed as deeply corrupt, a betrayal of American values and working families, etc. Ergo, Musk is bad.
Two, Elon Musk and John McCain have a strong association. Musk has supported McCain and in turn McCain has supported Musk and his business ventures. This is the kind of invest-in-politicians-who-can-help-you relationship that is pretty much a fundamental building block of how the American government works, but it always looks bad to somebody inclined to see it that way. (It's probably also objectively bad that this is how the system works, but anyway it is.) So I think a lot of conservative media that doesn't like McCain (because he is too "establishment" or whatever the reason) have repeatedly brought Musk into it, implying corruption on the part of McCain to help Musk use Russian rocket engines at SpaceX, for example. McCain is bad, ergo his sleazy buddy Musk is also bad.
Secondly, SpaceX have been spending millions in political lobbying and McCain's political campaign is among many who benefited from such largess (and his own McCain institute) from Musk. Most Americans don't see this kind of lobbying activities with millions dollars spent on politicians as a "fundamental building block" of a well-functioning gov't, but a corrosive force that serves interests of a few at the expense of the majority, however well-meaning in the eyes of Musk supporters. I personally don't see any problem with organizing an interest group to better represent their views -- or lobbyists -- but when it involves so much money and the final outcome ends in lopsided legislation favoring one particular individual or company over others, it's probably a good time to question their "invest-in-politicians-who-can-help-you" relationship.
Ideologically, McCain's views are aligned with those of the "neoconservative" wing of the republican party -- he's mostly known for aggressive foreign policies, American democracy everywhere, and subsequently pro-Military Industry Complex (MIC) which inevitably all leads to a bigger gov't. While most conservatives are also for strong national defense, not everyone is necessarily on board with permanent warfare and welfare (and police) state and that's why "other" conservatives are so annoyed with McCain.
So, once you put these together, it's not too difficult to see why the holy alliance between Musk and McCain is criticized by those on the right. They are not necessarily grounded on "anti-facts" or alt-right views as you mischaracterized here. It's just too bad that your pathetic, uninformed comment had to start with the poisoning-the-well logical fallacy.
Although I do think there tends to be a broader overlap on the "conservative" side, for reasons that are complicated and don't necessarily have a lot to do with being conservative, the "liberal" side does indeed have its vaccine deniers, MSG paranoiacs, and so on. (However, they don't have TV networks dedicated to these things, available in every hotel and airport in the country...)
I try to judge media organizations (and people) based on their commitment to truth and openness to empirical evidence and new information. Their political leanings may be interesting, but are a (much) less significant data point.
So very recently, and unless you've been to college in those years, you won't be aware of it.
I forget where he said it, or I would link to it. It might have been in a recent conversation he had with Jordan Peterson.
Also, Rush Limbaugh hates Musk (he has the #1 talk show since 1987... Since record-keeping began, so a lot of people are exposed to that negativity)
Funny, they opened a satellite office right near my apartment and I'd considered applying. Then I heard pretty disconcerting stuff about the environment, and now this. Dodged a bullet, I guess.
I would never work as an engineer for a company like that. How can I trust that it will honor any deal I make and not screw me? I have to think about that with every company but this one in particular can’t even spell ”integrity”.
If the company views engineers as better than other people and someone they wouldn't want to screw with, I'm not working there either on principle.
I expect blowback. I expect negative news. They essentially pulled it off by looking at every day as combat where fighting dirty was rewarded.
The biggest part of the comment was seeing the taxi driver protest in Seattle when I was there on business. My hotel room window had a view of city hall and I watched a bunch of cabs with a news crew pull up for about 45 seconds and start honking their horns. Then they all left and went back to taking fares.
When I watched the local news that night, the broadcast made it look as if they'd blockaded city hall for the day in protest.
It's the things like that that give me pause when I see bad press around a company that has upset entrenched interests.
Who are getting screwed.
Having to register for that is quite surreal.
To be fair, they weren't spying on their customers. They were fingerprinting phones which is against the Apple ToS.
"As an online discussion grows longer, the probability of a comparison involving Trump approaches 1"
User starik36's comment was in a downvoted state, which is what prompted me to write that comment. I didn't think what he said deserved a downvote because from general observation what he stated seems true.
Looks like they fired two people over this, pretty immediately at that. Uncertain if the new CEO was aware of the cover-up until (presumably) contacted for comment by a news org.
The fact that the cover-up persisted this long is bad, but on the other hand the Kalanick-era Uber probably would've gone to war with the journalists breaking the stories rather than admit fault, so there's that.
Edit: allow me to replace the word "found" with "created." I was just using a figure of speech.
I can think of a few: https://en.wikipedia.org/wiki/United_States_presidential_ele...
If you think the current sitting POTUS is an innocent victim of politics, then I have a bridge to sell you. Uber has used similar PR tactics in the past to deflect/detract from their actions.
I think the point that the great great? grandparent top post was making is that whoever is in charge of dealing with the media at Uber is doing a horrible job.
Also, I am sad that we don't talk about the policies and rather focus on the personal flaws. I think there would be a chance of a compromise if we debated on policy. I mean if we talk about just personality, what makes our Honorable Governor of New Jersey eligible for office? Not a fan of 45 but really I think politics has become too polarized.
I’d normally say eventually it’d bite you if you fall into the habit and do it on a public repo by accident but it looks like it can bite you on a private one too.
Manage your secrets. Use something like Vault or Pass; they're free and awesome projects.
I keep all of my secrets, even non-prod ones, in one of these two because if you think about it, even your "non-prod" GitHub credentials are kinda prod since you have access to code.
Also when it comes to AWS secrets, give your developers read-only access, make them turn on MFA and assume a role that scopes permissions to the work they need to do.
Leaking AWS secrets is really asking for it. The number of bots that consistently scan public git repos and then use the credentials to spin up massive instances to mine cryptocurrency is impressive. I've seen it do upwards of $10000 in AWS usage within five minutes of the commit containing the credentials.
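As an added illustration of the secret-hygiene point in the comment above (example code, not from any commenter or from Uber), here is a small pre-commit style scanner that flags AWS access key IDs and secret access keys in the added lines of a git diff, reporting file, line number and a redacted value. The sample diff is constructed for the demo and uses the placeholder credentials AWS publishes in its own documentation.

```python
"""Scan the added lines of a git diff for AWS credentials (pre-commit style)."""
import re
import sys
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Long-lived (AKIA) and temporary (ASIA) access key IDs are 20 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A secret access key is 40 base64-like chars; require an "aws ... secret" label on
# the same line so ordinary 40-char strings (hashes, ids) do not trigger it.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[\w.-]{0,20}secret[\w.-]{0,20}['\"]?\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
# Unified-diff hunk header; we only need the starting line number of the new file.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    redacted: str  # never echo the full secret into logs or CI output


def redact(value: str) -> str:
    """Keep just enough of the value to locate it in the file."""
    return value[:4] + "…" + value[-4:]


def scan_line(text: str) -> Iterator[Tuple[str, str]]:
    for m in ACCESS_KEY_RE.finditer(text):
        yield "aws_access_key_id", m.group(0)
    for m in SECRET_KEY_RE.finditer(text):
        yield "aws_secret_access_key", m.group(1)


def scan_diff(diff: str) -> List[Finding]:
    """Return findings for credentials on '+' lines only; removed lines are ignored."""
    findings: List[Finding] = []
    path, new_line = "?", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):           # new-file header: '+++ b/path'
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        hunk = HUNK_RE.match(raw)
        if hunk:
            new_line = int(hunk.group(1))
            continue
        if raw.startswith("-") or raw.startswith("\\"):
            continue                          # removed line or '\ No newline at end of file'
        if raw.startswith("+"):
            for kind, value in scan_line(raw[1:]):
                findings.append(Finding(path, new_line, kind, redact(value)))
        new_line += 1                         # '+' and ' ' lines both exist in the new file
    return findings


# Constructed sample: a developer replaces env-var lookups with hard-coded keys.
# The key values are the placeholders AWS uses in its documentation, not real credentials.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,4 +10,6 @@ DEBUG = False
 REGION = "us-east-1"
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+BUCKET = "asia-pacific-logs"
 TIMEOUT = 30
"""

if __name__ == "__main__":
    # Usage as a hook: git diff --cached | python scan_diff.py  (exit 1 blocks the commit)
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    hits = scan_diff(source)
    for f in hits:
        print(f"{f.path}:{f.line}: possible {f.kind} ({f.redacted})")
    sys.exit(1 if hits else 0)
```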
"In January 2016, the New York attorney general fined Uber $20,000 for failing to promptly disclose an earlier data breach in 2014. After last year’s cyberattack, the company was negotiating with the FTC on a privacy settlement even as it haggled with the hackers on containing the breach, Uber said. The company finally agreed to the FTC settlement three months ago, without admitting wrongdoing and before telling the agency about last year’s attack."
If I was running the FTC, I would not settle this time, because it's blatantly obvious Uber was acting in bad faith last time around.
Seems to suggest they committed AWS credentials into source control?
Folks should be using short lived aws tokens to avoid the possibility of having tokens in source control: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentia...
Along with never committing secrets to source control, implementing 3rd party data breach and data leak monitoring is necessary, as recommended in NIST 800-63B.
Because you know...20k really really hurts for a company like Uber.
The result was that more parents were late. The reason being that the parents effectively considered the fine a "late pickup fee", and one they were more than willing to pay. If the parents were fined a day's daycare fee for being ten minutes late you can bet their attitude would change.
I see company fines in the same light - they formalise the process of absolving responsibility and moving on. Just pay the toll and continue to handle your customer data cavalierly.
The day care changed what was a social incentive for an economic one, and then couldn't reverse the consequences: Not fining the parents anymore didn't reduce the number of late ones to previous levels.
... as I sit in my home office, just over an hour away from day care closing time, I assure you I'm watching the clock like a hungry hawk watching a mouse. See, my kid's day care charges a mere $600 per hour late (billed in 1 minute increments).
I don't see kids' parents late that often :-) and we've come close to missing it, but haven't in two years.
Another perspective on this is why should we expect someone else to bear the consequences of our failing to meet our responsibilities? If we're late picking up our kid, the staff at the day care leave late to see their own families, they incur higher operational costs, etc.
Their request that we show up prior to their closing time is completely reasonable and that there are stern consequences for failing to meet our responsibilities doesn't seem unreasonable either... especially in light of the comment I was responding to.... I assure you the day care really doesn't want to collect that fee.
As far as passing out in your home for a few hours. If that were really an issue for you, then potentially paying $600 might motivate you to actually go see a doctor. Otherwise there could come a day when you pass out and never wake up (and your children never get picked up by you or see you alive again)...
My guess is that day cares do this to basically mean "show up on time, we're not f'ing around."
WOW, I'm in the wrong business I think. What else charges that much per hour? I don't even think a neurosurgeon could command that sort of rate!
This is also common when quoting freelance projects you don't really want to do.
(and with that... I better pick up the kid... ;-) )
I think upping the pain works better. What's a daycare going to do with so many gallons of milk?
If for some reason you have too many gallons of milk,
you can also use toilet paper, 10 rolls per 5 minutes. You can never have too much toilet paper, some late parents even buy the soft stuff too! lol
A huge fine isn't always the best deterrent and it makes people generally mad at your child care center.
Everyone gets a chuckle out of seeing a dad walk in with three jugs in each hand... It's a light hearted walk of shame and it really works to deter late pickups which is the real goal.
> A huge fine isn't always the best deterrent and it makes people generally mad at your child care center.
EDIT: You can make this revenue neutral. Give parents a discount at the end of every month out of the money they collect in late fines. People on time at a better-than-average rate will come out ahead.
Another alternative is calling the police, because at what point is the child considered abandoned?
I think I would prefer the light hearted milk or toilet paper errand.
Charging them double fees is more like it.
I think it was AT&T or Verizon that got fined the "record" $3 million by the FTC for tracking users' browsing behaviors for like 2 or 3 years.
The FTC should have asked (subpoenaed, I should say) the company for reports on how much money it made per user from that tracking for the whole period, and then charged it a multiple of that.
Did it make $1 billion? Charge it $2 or $3 billion.
And do this sort of stuff across industries with a regular occurrence, so that companies can "expect" such audits, and so they don't just think it's a one in a decade fine that maybe one company in the industry will get.
I think you'll see abusive behavior drastically reduce.
The real question in this story is this: If you find that you have customers who are willing to pay you more for providing more service ... why not provide that service? You get more money, your staff gets paid overtime, parents get peace of mind, everyone's happy.
It's a bit of a hard question because the daycare may not have a legal way to stop holding the child; unlike FedEx they can't simply return it to sender, so these sorts of contingencies might not be expected on opening your center, but you'll need to scale into them.
especially when the cost of doing the right thing is higher.
i mean look at HSBC - laundered trillions of dollars of mega-organized-crime money. for a decade. 400m dollar fine probably isn't even .01% of what they made off that endeavor
> 400m dollar fine
> isnt even .01% of what they made
...why even use numbers, a concept literally defined to quantify things, if you're just going to use utterly incorrect ones?
HSBC did not launder trillions of dollars over a decade, that figure is three orders of magnitude too high. HSBC is being fined $1.9B, not $400M. HSBC also did not earn 19 trillion dollars over the course of a decade, which is what would make $1.9B your 0.01% figure. Even a $400M fine would still constitute earnings of $4 trillion.
Not only are your numbers incorrect factually speaking, their relationships with each other are entirely out of whack for measuring HSBC's profit, even in an absurd hypothetical scenario in which HSBC did launder trillions of dollars.
If you give me a million dollars in counterfeit bills, and I launder them for you, I might get paid only $10,000. My laundering efforts might have cost me $9,000. In this case my profits are $1,000 even though my earnings were $10,000 and I laundered $1,000,000.
I'm not saying that HSBC laundered 19 trillion, but the earnings and/or profits of HSBC have absolutely no relation to the potential amount they laundered.
While I agree with your sentiment, there is no need to use such inflated and hilarious numbers.
While "trillions" is definitely inflated and hyperbole, I don't think it's THAT far off.
According to this Guardian article, "At least $881m in drug trafficking money was laundered throughout the bank's accounts."
So 0.88 Tn. Definitely not "trillions" but definitely much more than I would've expected if they said "billions laundered".
Also, it says "at least", which I take it to say that the investigation was not complete so a final number couldn't be calculated and only a "lower" cap is given. Potentially it could still be "trillions" as in e.g. "1.3 trillions" (if that final figure is ever calculated or even published of course). So inflated, yes. Hilarious... not so sure.
You mean 0.00088 Tn.
"i mean look at HSBC - laundered trillions of dollars of mega-organized-crime money. for a decade. 400m dollar fine probably isnt even .01% of what they made off that endeavor"
$1.9b may sound like a lot, but there's a lot of blood attached to it.
It's not because any specific fine can ever be adequate compensation for all the suffering caused by the cartels. It's because you want the fine to be large enough to actually deter bad behavior in the future.
In this particular case I believe the fine (perhaps in combination with the threat of other regulatory action) has changed HSBC's behavior as there are many stories about erroneously frozen HSBC business accounts.
I just wonder if any number of deaths will ever change the behavior of the politicians who designed the disastrous war on drugs policies that have so utterly failed. I fear that won't happen as long as voters don't care about facts.
Let's remove the stop signs so all drivers can be as cavalier.
It'd save a lot of drivers the headaches that go along with traffic laws.
But the uber situation would be closer to this - the parking meter costs $20/hr and a parking ticket costs $5. We're creating a situation where people who break the law get ahead of those who obey it. Either we can ramp up enforcement (good luck with that happening) or we can level the playing field.
The US federal government decided 30 years ago that it was going to attempt to prevent some kinds of transactions from being part of the global economic growth. Kinds of transactions that were always here, and always willing to be part of the global economic growth.
It decided to use other people's money to attempt to enforce this blockade, at great expense, for perpetuity.
It does this by creating onerous reporting requirements for companies and individuals worldwide, and onerous and expensive procedures for the individuals that fail to merely file the correct paperwork.
All the while, massive multinational banks have been letting the well funded organizations continue moving their money through them and contributing to the global economic growth, while citizens are being fined and imprisoned for paperwork problems.
And your go-to thought was a satire on anyone suggesting less regulation, implying the same or more regulation would be a BETTER use of public resources?
World economic growth has always been fueled by money whose source you don't agree with. Using everyone's money in a government to merely PRETEND like it can prevent illicit sourced money from being used seems irresponsible and unconscionable, looking at the track record.
Is it really so uncomfortable to admit that multinational "cartels" (organizations of people under a common charter) are pretty good at fueling economic growth globally? Because that's how it's always been.
They also fail at it while ensnaring otherwise law abiding citizens in the dragnet.
So there is no logic to extrapolate to murders, where there is a victim from the activity of murdering.
AML via the Bank Secrecy Act, Patriot Act and other regulations was a swing and a miss, just looking at the evidence alone. Cash transactions over $10,000 were supposed to be reported, to stop terrorists, and the 1 BILLION of organized drug money that HSBC cleared is the equivalent of a dozen terrorists being financed per day, since 9/11.
Except it's just people with a little extra cash that get jailed from these reporting laws.
"There will be two levels of fines based on the GDPR. The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher. The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher.
The Parliament had requested for fines to reach €100 million or 5% of the company’s global annual turnover. The agreed fines are the compromise that was reached."
Why do big firms get off easier than the smaller firms?
OTOH, consider that the bigger firm is made up of a collection of 10 services, each earning $100 million. The breach is only in one business unit - is the global revenue a fair metric if the breach is not global?
It will be interesting to see how this is enforced against giant corporations when (inevitably) some small piece of data is missed on some small service in a business unit nobody at the c level has ever heard of.
Huge fines do exactly what they’re intended to do. JPM for instance responded by making legitimate operational changes to detect all manner of financial malfeasance within their organization.
Other than the sexist nonsense of the CEO, there really is an irrational hatred of Uber. Are many of us secretly moonlighting as cab drivers?
Uber’s nonsense is minuscule compared to generations of taxi corruption.
This isn’t me excusing Uber but it does seem like many people, especially Europeans have an inordinate amount of glee over anytime AirBnB or Uber get in trouble. Has the hacker ethic really devolved into statism?
We should be cheering over disruption of the status quo. Does anyone actually long for the days of getting ripped off by over-regulated and over taxed hotels and taxis?
Do you people actually like having government pick winners and losers? Do you actually trust government to do the right thing? Governments have a strong track record of stifling innovation, abridging freedom and giving regulatory handouts to the privileged classes. People here get all kinds of sanctimonious when it comes to patents and copyrights yet seem to fall firmly on the side of the entrenched incumbents when it comes to things like disrupting hotels and taxis. It’s a weird double standard; a hatred of government when they want to prevent people from stealing movies, but a love of government when they want to prop-up taxis and hotels.
Having those concerns isn't the same as unfailingly supporting incumbents, out of date regulation or a love of government.
It's a really crappy and obvious distraction tactic, made worse by the addition of cliched libertarian sighs.
> regulatory handouts to the privileged classes
And unregulated AirBnB is basically a way for rich people (privileged classes) to buy apartments in cities and turn them into money-making machines, to the detriment of the lower-incomed renter (lower-incomed because they can only afford to rent, not to buy their own place).
Yes, many many people do.
About that time my Uber account was 'hacked' and someone kept requesting rides in Florida and I had to cancel them as fast as they made them.
I emailed Uber support and they got back to me 3 days later.
Then someone proceeded to try to gain access to every account I had with that email and password (yeah, yeah, I know). The next worst was someone getting into my DigitalOcean account and launching an instance.
It has finally settled down, I occasionally get alerts from people trying to break into something but lots of 2FA and no shared passwords anymore.
I am not sure if this was Uber's fault or another site's but the timeframe of Oct 2016 lines up.
(But in all likelihood the poster's account was just compromised through the usual means, otherwise there would be more reports of hacked accounts.)
Do you have any evidence that the action here by the new leadership to disclose all breaches was disingenuous?
You should check over all of your accounts and machines - I doubt it has anything to do with this leak
I do not get why there is no legal action taken against Uber or even steps to shut it down.
So much of the stuff violates basic laws on how to run a business, apart from the humongous flaws in Uber's ethics and damaging effects on society.
Small companies will instantly get sued and pay fees ruining them for these things, and that already the 1st time it happens. For Uber this is beyond ten finger counting in terms of issues in the past two years.
It is just not having any consequences and by now from the legal side you can conclude that Uber is a repeated offender which has not learned anything from previous cases.
So, my point stands. When will this actually lead to consequences and justice being served?
I know Joe (the ousted CISO). I’ve known him for almost 15 years, and worked with him professionally in the past.
This is not like him. He was the most ethical lawyer I ever met. Everything was by the book. He cares about privacy. He cares about users. He’s prosecuted the worst of the worst.
Something here isn’t right.
It is a telling example that the pain point of a bad taxi service in a city is usually enough for them to conformance rationalise that Uber is still a better alternative, despite any of these issues.
People have asked me before if I'm about "to uber" or "take an uber" someplace and they say it in an obvious way that implies "any ridesharing company" (or lyft in my case since most people know I only lyft nowadays).
Uber just as a word for ride-sharing has become ingrained and won't be easy to get rid of, IMO.
That's more due to the ubiquity and dominance of Google itself.
It's rare to hear someone say "I Googled it on Bing" or even "Let me Google my email" when they're using Outlook. Maybe not unheard-of, but definitely nowhere near the threshold needed for genericization.
True AFAIK but if you ever give computer support you'll find people "just google it" and use the greeting page on their browser [aka "the internet"] which is just as often Bing or Yahoo as it is Google. Google, the verb, is definitely generic but the RTM holders of Google have several hundred million of $currency to spend on lawyers to say it isn't.
While money gives power, the concern is that it's concentrated in a small number of people. Voting is not, and can result in controls of essentially any level.
I plan to never use Uber again.
We fought all the battles, took a hit on our reputation and set it up nicely for Lyft who very smartly played along with the nice guy approach to capitalize. Net-net, no Uber would have most likely meant existing taxis everywhere and as most riders/drivers will tell you, there is nothing inherently better about either app, they offer the same, pay the same but vastly differ in perception.
That said, we took our aggressive attitude way too far. In an ideal world, Travis would have evolved or replaced himself a couple of years back once the company essentially reached escape velocity where our consumers themselves became our most fervent supporters. Unfortunately that did not play out and making a near perfect switch like that is probably unlikely.
Given this important context, I hope you will give Uber another chance as in the end, Dara and the employees are genuinely trying to evolve by doing the right things and putting all of this behind us. You can get some sense of this from going to sites like reddit.com/r/uberdrivers (or r/lyft) and seeing the changing perception at least from the driver side of things.
That said, almost all of the notable legislative and regulatory battles were conducted and won by Uber.
The wrongful actions by companies do get forgiven eventually, as toxic executives leave (as in the case of the CEO, Legal Officer, and now the CSO), but no public is foolish enough to immediately absolve any company of wrongdoing. Uber will have a reputation for sexual harassment long after it meets or exceeds the standards of other large companies.
In fact, there was a company called SideCar who popularized the idea of ridesharing before Uber and Lyft. There was a time, maybe 2013 or 2014 when I exclusively used Sidecar until Uber became more prominent. Uber was only offering their high end cars at that time.
It's not like Uber did one bad thing. Uber has been a fountain of terrible things for years and years. You even admit that Uber's market-dominant position has been achieved through those terrible things. And those are only the terrible things that we've discovered despite Uber's energetic attempts to cover things up. Lord knows what horrors you're still hiding.
Until Uber loses their ill-gotten lead, I won't even consider using them.
They are worse than Comcast and sorry, need to burn through all their VC money till they are ashes! Loathe Uber so much!
In a lot of cases companies still leave behind an email stub to prevent users signing up over and over again for signup deals
The only way to ensure your data is safe is to never hand it over in the first place - sign up with a fake name, prepaid card, etc.
That means every day I'm a new customer and get $20 off my first ride of $22. One day, they'll wise up and stop making such silly deals.
The behavior described here is extremely selfish and amoral. It amounts to gaming the system. Additionally, the cost of exploiting a loophole such as this will be passed on to other customers before the company stops offering a losing deal. Those customers will not be reimbursed when the offer is rescinded.
The antisocial behavior of the company would not excuse the antisocial behavior of a user acting in this way.
It is frustrating that the page doesn't enumerate what information is deleted and what's retained.
It's also good hygiene to delete accounts. I don't typically do it, but when a company offers an easy delete button, I won't refuse.
I'm not defending uber, but this kind of attitude is exactly what got Trump elected. You can't generalize and demonize entities based on one person's view.
Not really seeing the connection here
EDIT: I realize I sound far more judge-y than intended in these posts. My overall point is that people should just do whatever makes 'em happy while doing the best you can (w.r.t. everything else). Trying to emphasize the morality in your actions is just wrong, imo.
tbh I don't think you do, but I like the analogy so I'm keeping it.
I've actually had to climb one tree to cut down another.
EDIT: Er, I agree that hypocrisy shouldn't stop you from doing the right thing.
A false premise. If that were true, just like you stated, we wouldn't support it. Actions speak louder than words, and all that.
Taking the child labor thing into account, never buying brand new electronics again would pretty much take care of that. One could make an argument that buying used goods is still supporting child labor, but I'd argue it's a sunk cost.
Why choose this example? Child labour is rife in many sectors, particularly textiles.
It's also rampant in electronics recycling. So even if you never buy any new electronics, you're complicit when you dispose of your old electronics.
The point is you shouldn't allow an impossible quest for perfect ideological consistency and moral purity to prevent you from doing good on an imperfect, inconsistent scale.
Two wrongs don't make a right when you try to sum them, i.e. combine them. My point is: don't compare them at all. Don't change the subject. Uber is one, other things are another. Being a hypocrite doesn't make you wrong, it just makes you a hypocrite. Don't even pull in the other wrong to begin with.
Otherwise, how do you ever justify standing up for anything you believe in? I was born a hypocrite, surely a life of mute acquiescence can’t be my destiny?
Consistency isn't impossible at all. People are already very consistent in doing what simply is convenient for them. In the case of Uber vs. Lyft, if you live in an area where they're priced similarly and are of similar service it's easy to switch to one or the other under the guise of trying to do the right thing, or whatever.
Not using Uber hardly requires any effort. What, ten seconds to uninstall an app and install the alternative one?
That's just, like, your opinion, man.
I care up to certain thresholds. Last year my Uber use was probably 90%, Lyft 10%. Now that's flipped. I only use Uber if I'm outside the US and there's no comparable local alternative.
Uber is demonstrably making less money than it used to because I do this, and Lyft is making more. I'm personally happy with that arrangement, and honestly my feelings here are the only ones that matter. I don't particularly care if you think I'm just "virtue signaling" or if I'm "not doing enough" or whatever.
Dunno what I was thinking, I was totally in the wrong. Apologies if any offense was taken.
"Virtue signaling" is an annoying, low-effort way of dismissing something. Try harder. You haven't even provided any evidence. Here's an alternative proposal: People like doing things that they believe will make the world a better place, within their money/time/inconvenience budget, in ways that are limited by their attention. They're human - they have limited attention, limited capacity for simultaneously optimizing hundreds of metrics, and many competing demands that they're trying to satisfy, so they're not going to be perfectly consistent.
No, one person uninstalling Uber is not a massive blow against evil. But many people uninstalling it has been enough to send a pretty powerful signal that -- in conjunction with a lot of concurrent social and legal factors -- is causing Uber to do a pretty solid about-face.
(And it's not seconds, because depending on where you are, Uber may have many more drivers than Lyft -- people travel, after all, so even if Lyft is equal in your home market, it's not equal everywhere. You're also losing the prospect of alternating apps when one or the other is in surge pricing. If you're a heavy user of ride-sharing services, uninstalling Uber imposes both a time and monetary cost.)
Kudos to the GP and others for uninstalling Uber. And for every other step they've taken to try to improve the world by their own actions.
Dans ses écrits, un sage Italien
Dit que le mieux est l'ennemi du bien.
(In his writings, a wise Italian
says that the better is the enemy of good.)
So yes, it is virtue signalling, pretty much by definition -- "the action or practice of publicly expressing opinions or sentiments intended to demonstrate one's good character or the moral correctness of one's position on a particular issue." That being said, I don't think virtue signalling is bad. In fact, it's virtue signalling that has led to the pressure on Uber that brought about this very discussion.
As an aside, I didn't realize "virtue signalling" was such a bad word, as well as "hypocrisy." I guess I'll have to stop using those words.
> people don't actually care. It's just virtue signaling.
You're making claims about their underlying motivation, and dismissing their actions as just virtue signaling.
"They're not doing A, they're only doing B"
Showing the presence of B is not sufficient to demonstrate the absence of A.
Second, you haven't actually shown that they're virtue signaling. Note that your definition specifically includes intent: "publicly expressing opinions or sentiments intended to demonstrate one's good character" -- the OP could be expressing their sentiments publicly in order to induce others to follow suit, for example. The same post admits many possible explanations, and you are in no position to read the mind of the posters in order to divine their intent. You're making assumptions, but you again haven't presented any evidence to suggest that your hypothesis is better than any others.
> You're making claims about their underlying motivation, and dismissing their actions as just virtue signaling.
This is true.
> Showing the presence of B is not sufficient to demonstrate the absence of A.
This is also true.
> Second, you haven't actually shown that they're virtue signaling. Note that your definition specifically includes intent: "publicly expressing opinions or sentiments intended to demonstrate one's good character" -- the OP could be expressing their sentiments publicly in order to induce others to follow suit, for example. The same post admits many possible explanations, and you are in no position to read the mind of the posters in order to divine their intent. You're making assumptions, but you again haven't presented any evidence to suggest that your hypothesis is better than any others.
Indeed, though, with respect to this there's no evidence -- save the person themselves stating that's what they intended -- that I could present that would be sufficient.
Overall I regret my original post and the ensuing posts, since ironically, my original intent was far less aggressive than is implied by the responses.
Oh well, live and learn.
Your profile says "Contact me" but there's no contact info.
(It also says: “if you're going to claim something, please cite!” :) )
That saying... doesn't even apply here.
Being consistent in all you do is hard. Doing 5 "bad" things instead of 10 "bad" things is certainly better.
I agree with your overall point, though.
In any case, you're right. There is no conflict. Just hypocrisy.
It's a ridiculous comparison. Leaving the country is a lot more difficult than changing ride share apps. It's not hypocritical to take the low-hanging ethical fruit, even if you don't do the harder stuff. In any case, living in a country doesn't imply that you support everything its government does. If anything, the ethical course of action is to stay and try to change things.
This number doesn't account for countless millions, if not the majority of Americans who drain more from the government in the form of services, subsidies, and assistance than they pay in taxes (and I'm not suggesting this is necessarily a bad thing).
Presumably they want friends to switch over as to not support an organization they disagree with, but my point was that doing so is pretty much impossible to begin with. If the goal is to not support organizations that do things you disagree with it's futile.
Therefore, one should just decide arbitrarily. It really doesn't matter.
The Joe Sullivan details are the lurid stuff that propels news story copy, but the important takeaway is that almost nobody, including companies with serious investments in security, can safely get a large-scale dev team deploying onto AWS.
This story keeps getting re-told, and has been for something like 5 years now. It's a problem, and it needs to get fixed, decisively.
You're definitely on to something here. While I wouldn't call AWS security "broken," it is next to impossible to implement it correctly in any medium to large size business. There are 30+ services that AWS provides, each with an infinite number of security controls, JSON-based policies, etc. Cross-service access is even worse. Almost every service has some form of sub control that extends or complements the main security tool (IAM). KMS has key policies, ECR has registry policies, SNS has delivery policies, etc. S3 has perhaps the most confusing permission policy in existence, which has led to scores of high profile hacks this year alone.
There are 12+ public regions now, with more coming every few months, each fully enabled, yet segregated within the UI and API (which makes detecting attackers who have embedded themselves in unused regions more difficult).
All it takes is literally one typo in a single user's policy and leaked credentials and your environment is completely compromised. Recovery is next to impossible without basically starting from scratch because you'll never find every tiny hole the attacker left as a backdoor for later without combing through GB of CloudTrail logs.
Now take all that, put it in an organization with 500+ engineers and you can see how easy it is for this to happen. Think you're safe by putting each team in their own account? Well AWS supports cross account role provisioning and engineers can easily set that up within their accounts. The spider web of issues is endless.
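The comment above mentions two things a defender actually has to do after a key leaks: spot activity in regions nobody uses, and comb through CloudTrail. The following added example (not from this thread or from any Uber tooling) shows the minimal version of that pass over CloudTrail records; the allowlisted regions and the sample records are constructed.

```python
"""Flag CloudTrail events outside the regions an organization uses.

Added example, not from the thread. Surfaces API calls made outside an
allowlist of expected regions and always reports IAM calls that can create
persistence. Sample records below are constructed, not real log data.
"""
import json

# Regions the (hypothetical) organization actually deploys to.
EXPECTED_REGIONS = {"us-east-1", "us-west-2"}

# IAM actions worth a closer look wherever they appear.
SENSITIVE_EVENTS = {"CreateUser", "CreateAccessKey", "AttachUserPolicy",
                    "CreateRole", "UpdateAssumeRolePolicy", "PutUserPolicy"}

# Constructed CloudTrail-style records (real records carry many more fields).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2017-11-21T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "sourceIPAddress": "203.0.113.10"},
    # IAM is a global service: CloudTrail logs its calls with awsRegion
    # us-east-1, so a region allowlist alone would never flag this one.
    {"eventTime": "2017-11-21T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2017-11-21T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "ap-southeast-2",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "sourceIPAddress": "198.51.100.7"},
]})


def find_unexpected_region_activity(trail_json, expected=EXPECTED_REGIONS):
    """Return (severity, summary) pairs for events a reviewer should look at."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        region = rec.get("awsRegion", "")
        name = rec.get("eventName", "")
        who = rec.get("userIdentity", {}).get("userName", "?")
        summary = (f"{rec.get('eventTime')} {who} {name} in {region} "
                   f"from {rec.get('sourceIPAddress')}")
        if name in SENSITIVE_EVENTS:
            findings.append(("high", summary))      # persistence attempt
        elif region not in expected:
            findings.append(("medium", summary))    # activity in unused region
    return findings
```

In practice the records come from the CloudTrail S3 bucket or Athena rather than an inline string, and the allowlist should be the set of regions you have deliberately enabled for deployment.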
That doesn't match with the rest of your comment. At all. What would you call broken, then?
The issue is in the user's use of the security features. Do you call bcrypt broken if someone uses a weak password and only 1 round of salting? Do you call TLS broken if someone misconfigures their NGINX installation?
This has got to be a running joke now. Companies lose the data and offer credit/theft protection rather than facing the consequences. If Equifax could get away with the giant breach, I am sure Uber will not even feel the heat. smh.
One co-worker is covered by no less than four groups who failed to look out for him earlier, all for trusting companies to not screw up PII or remember that data is a liability.
> Two hackers had stolen data about the company’s riders and drivers — including phone numbers, email addresses and names — from a third-party server, putting the personal data of more than 57 million people at risk. The hackers approached Uber and demanded $100,000 to delete their copy of the data [...].
> Uber acquiesced to the demands. Under the orders of Travis Kalanick, who was then its chief executive, and Joe Sullivan, the chief security officer, the company paid the ransom.
> Then Uber went further. The company tracked down the hackers and pushed them to sign nondisclosure agreements [...]. To further conceal the damage, Uber executives also made it appear as if the payout had been part of a “bug bounty” [...].
And if you're interested, a gif of the data:
If it was paid to hackers it's unlikely that finance cut a check. I'm imagining this was paid in bitcoin or similar. How was this able to be approved?
I'm guessing someone created a fake invoice? Wouldn't that constitute fraud?
If they got it approved as such don't you think the CEO would have been informed that there was line item from Security for ransom?
The article states the CEO didn't find out about the hack until a month after.
- This is not Equifax, which leaked hundreds of millions of SSNs; or LinkedIn, which leaked hashed passwords of millions; or Yahoo, which leaked personal information of billions, including security questions and hashed passwords; or Target, which affected 40MM credit cards.
"Compromised data [..] included names, email addresses and phone numbers of 50 million Uber riders around the world, [..] including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken"
- There is no gross incompetence. The breach was due to an AWS access key in a private github repo. I bet you can find enough developers in this forum who store sensitive information in private GitHub repos without git encryption, and who may or may not feel guilty, because of the (false) sense of safety given by 1) the guarantee of github private repo and 2) the fact that access keys can be revoked and are generally handled with less care.
- The response by the new CEO is decisive and timely. The CSO was fired on the same day the CEO learned about the incident. There is also an internal review, a new advisor, and reasonable protection offered to the drivers affected, even though there is no indication the data is leaked beyond the thief, and driver license numbers are not the best for identity theft.
I can not imagine he would be on board with negotiating with the hacker, and cannot imagine him sitting idly for a year after the cover up.
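The point above about access keys ending up in private repos is exactly what a pre-commit secret scan is for. As an added example (not from this thread, and not Uber's or GitHub's tooling), this checks file contents for AWS access-key material before they are committed; the file paths and the placeholder key pair are constructed.

```python
"""Scan staged file contents for AWS access-key material before commit.

Added example, not from the thread. The key formats checked are the AWS
access key ID (AKIA/ASIA + 16 chars) and a 40-char secret next to a
secret-looking variable name. Sample inputs are constructed placeholders.
"""
import re

# Long-term key IDs start with AKIA, temporary (STS) ones with ASIA.
ACCESS_KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# Secrets are 40 base64-ish chars; only flag them beside an aws...secret name
# to keep random hashes and tokens from drowning the report in false positives.
SECRET_KEY_RE = re.compile(
    r"(?i)aws(.{0,20})?secret(.{0,20})?['\"=:\s]+([A-Za-z0-9/+=]{40})\b")


def redact(value):
    """Keep only the first and last four characters so the report is safe to log."""
    return value[:4] + "…" + value[-4:]


def scan_text(path, text):
    """Return findings as (path, line_no, kind, redacted_value) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append((path, line_no, "aws_access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((path, line_no, "aws_secret_access_key", redact(m.group(3))))
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping, e.g. the output of `git diff --cached`."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample: a config file with a placeholder key pair (not real credentials)
# and a source file that correctly takes credentials from the environment.
SAMPLE_FILES = {
    "config/prod.env": (
        "DB_HOST=db.internal\n"
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE12\n"
        "AWS_SECRET_ACCESS_KEY=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKL01\n"
    ),
    "src/app.py": "import boto3\nclient = boto3.client('s3')  # creds from environment\n",
}
```

Wired into a pre-commit hook, a non-empty result from `scan_files` should fail the commit; a key that has already been pushed must be treated as leaked and rotated, since removing it from history does not unpublish it.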
A lot more will likely leak out now. Iceberg tip located.
I've stopped using any credit card numbers for anything digital. I can change PayPal passwords weekly if I'm that paranoid.
Why on earth would a software-based company like Uber that stores a boatload of confidential employee and customer information on its servers put a non-technical person of any sort, lawyer or not, in charge of its security team?
Instead of giving a cash bribe, bribe with cushy jobs with high salary and no real responsibility, since no one would expect a lawyer to understand what even to delegate to members of the IT security team.
A white hat hacker you have an agreement with on how the data should be handled is the same as an employee who has access to the same data, where you also have an agreement on the employee's use of the data.
You might say "Ooh, but can you trust the hacker not to keep a copy of the data!?!", but it's exactly the same as saying "Can you trust the employee not to copy the data?". I don't think a company would announce a data breach just because the database administrator had access to a backup tape...
Having said that, you raise an interesting point, because if this money was paid as a bug bounty, then perhaps the lines would be blurred again. I guess the difference is that a bug bounty would have more clearly defined parameters about how far the hack should go. Logging into AWS using credentials that were found lying around, then continuing on to download data, seems like it is beyond the realm of reasonable bug-bounty hunting and responsible disclosure.
Anonymously extorting a company after stealing its data is a black-hat activity any way you look at it.
If Uber didn't have a bounty program or responsible disclosure policy, and the hackers didn't download the user data, but reported it in a manner consistent with other responsible disclosures after discovering a means to access, then it would be grey-hat at best.
> You might say "Ooh, but can you trust the hacker not to keep a copy of the data!?!", but it's exactly the same as saying "Can you trust the employee not to copy the data?".
I trust someone I vetted and hired a hell of a lot more than the person who just extorted $100K from me.
If it is as you describe, do you think the public would understand and react differently?
Hacks of this magnitude, especially in other cases where they involve credit card information, cause millions in damages ultimately, however the black hats involved (the initial part of that chain of events) sell that data for much less. Could we cut the losses there, by paying the hackers? Would it be legal? It could be a more serious version of a bug bounty.
"That gist is believed to have contained a login key used by a hacker to access an internal Uber database of 50,000 drivers."
I wonder if it is a good time to start a role at Uber or Lyft? I’m not sure which one I would pick.
Gotta be careful dealing with a company like Uber. At some price point they might just hire hitmen to kill you instead.
Income tax, unemployment insurance, healthcare, and maybe even pension. All going to the benefit of the country as there is no identifiable human on the receiving end.
This is so baffling coming from one of the largest tech companies in the world.
Among other things, this shows that they do not have proper access policies to user data (e.g. anybody working at Uber can get access to any user's data), which in my opinion is a larger issue than this individual hacking case.
Other tech companies (e.g. Google) safely silo PII data, and any access has to be audited.
I cannot wait until GDPR is implemented in Europe... at least companies will be seriously fined if they want to cut corners on privacy and data protection.
Private github sites are private as in hidden. Not as in digitally encrypted bank vault.
What sort of tech company doesn't go for a self hosted git option anyway!?
Like Gitlab which comes with CI to keep the whole thing private.
Also self hosting allows an arbitrary level of security.
I am wondering what private GitHub coding site stands for? If it is GitHub Enterprise, then how would those hackers even access it from outside of the Uber network? Does it mean that they had access to Uber's VPN as well?
Except when you actually steal data, you're not eligible for a bounty. This means the hackers had decent leverage and negotiation skills (maybe Uber could've scared them with lawyers, etc).
maybe a yearly most evil corp awards.
because it looks like uber is relentlessly bad.
So this was willful. Expect many more exits.
Really? Evidence of deletion?
For starters, Chiquita Bananas intimidated farmers and union leaders with AK-47s and hired militias in Colombia.
Really? Really? Come on!!!
can't even lolz
We try to maintain some semblance of effort and thoughtfulness into posting here.
We really need to change.
The kool-aid wore off and everyone realized it never had any meaning to begin with.
Redhat also stopped including JSMin for the same reason.