All I see from Uber is bad publicity and poor management decisions. I wonder what it's like to work there from an insider's perspective, because from the outside it doesn't look good.
I could see it taking a while to find one bad request in the entire history of the API's lifespan -- presuming that they had to find the logs, weed out false positives, different sites and versions that behaved differently, etc.
That still doesn't explain a 5 month gap. The only (charitable) explanation that makes sense to me is that they discovered the API was exposed, thought they had proven it was never improperly accessed, and then only much later realized that it had been after all.
The lesson here is that sometimes, you do much better by breaking all the rules.
I guess we'll find out after Uber has exhausted its VC money, if Google doesn't replace them with self-driving cars first.
The difficulty of making an urban self-driving car aside, Google would have to achieve a quantum leap forward in the quality of their navigation platform. Otherwise every auto-taxi in San Francisco will proceed single file down Van Ness, with turns onto Market or Mission only. All other streets will be empty and filled with pigeons.
They need to actually use the accident data. Use a diverse set of routes to get to the same place, so that there isn't one path for every car on the road. Understand stoplight patterns and where it's hard or easy to make a turn. Not focus obsessively on shortest path rather than most tolerable path.
Fundamentally what a good cab driver (which are not that common) offers you is knowledge of the best route to a destination from experience. Google Maps doesn't have that. And if it did, and it controlled a significant portion of the cars, it would no longer be the best route.
> And if it did, and it controlled a significant portion of the cars, it would no longer be the best route.
Of course it would, because it would be able to run a global route optimization on all the cars simultaneously, thus outperforming even the most experienced human drivers by orders of magnitude. Getting above human level seems like a college-level exercise.
When I lived in Sydney, I used to take taxis often. And the rule was pretty much: if your address doesn't exist on Google Maps, they don't know how to get there. Even "At the corner of Hyde Park and Oxford St", which is in the CBD, returned a 404 from the driver's vocal API. They were all officially registered drivers; I just think cabs' over-reliance on Google Maps makes them unaware of the street names.
I don't know about you, but my experience is that Google Maps is far more reliable than a cabbie who purports to know their way around.
Perhaps the US has a different culture for its cab drivers? I can't imagine why, though. We have all the taxi licensing schemes and whatnot that the US does, so it can't be a case of "there's more competition so they're better". Perhaps it literally does just come down to culture?
This is majorly helpful beyond the usual satnav use case. E.g., to get dropped off in a high-traffic area, the cabbies will know the surrounding streets well and at your request can drop you off in a reasonable place 1-2 blocks away, for much less time and expense.
There's licensing, but it's a far cry from the Knowledge of London.
When have they ever tried playing nice?
A charitable interpretation might be that they discovered a vulnerability in September, but didn't find the May breach until recently.
Heck, if we're being that careful maybe I should just throw my computers out the window. A Google search result or a forum post could link me to the wrong page and I could get sued.
Interesting nevertheless, but ultimately not more than a slight reveal of how things look on the inside.
Civil Code § 1798.82(a):
I find it hard to square that requirement with Uber waiting 5 months from when it found out.
I mean, the average Congresscritter probably has no idea what the typical answer is to "how do you do a password reset?" other than "call daughter/son". They're not good at establishing competency. They are sorta half way decent at bringing out the hammer "disclose what you know within X days, or we're going to fine you... when we do find out when you knew it."
So that brings up the question of how the legislation determines whether and exactly when the company knew they were breached. And I'd say they should learn from history, which is not to be such dicks as they were with hackers in the 80's and 90's and instantly criminalize disproportionately. We were learning things as a result of all of that, and by repressing it, we learned a lot less. So with companies I'd say up front the disclosure needs to be civil in nature (fines), and if there's willful hiding of what they know, tampering with evidence, or destruction of evidence in an attempt to claim they didn't know they were breached or how badly, then it becomes criminal and lay down the hammer. Ultimately though, the worst punishment is up to the states, since the corporate charter is granted by states, not the feds. Off hand I can't think of a case where a corporation was executed in this manner though (revoking its charter or articles of incorporation).
...will be the response by many Congresspersons. Nothing will happen on this until a number of public figures are doxxed to hell and back.
This is a spreadsheet containing all the taxi drivers in NYC with their names, license numbers, and license expiration dates. Given that the only information leaked (according to Uber) were names and license numbers, that really isn't much beyond what might otherwise be available publicly.
the number of f*cks i can give for the company is so low. just feel sorry for all the drivers with the leaked information...
Starting with the user story: "As a Pawn Shop Clerk, I scan a copy of the customer’s drivers’ license because the company is required by law to keep this record at least two years from the date we purchase a used valuable from a customer."
There was a good Q&A about data retention, that included a lawyer in the audience.
Obama's proposing data privacy regulations. I think it's worth considering what you'd like to see involved in same.
My ID has been breached twice in other, unrelated incidents. Each time these ID protection companies want to know my SS# and all sorts of other stuff. My heart skips a beat imagining them scraping the web for my SS# and CC# in an otherwise well intentioned effort. I've refused their services and insist they only provide the insurance policy associated with this.
They are happy enough if their systems actually work and run. That's enough for them.
This incident won't cost Uber anything. It won't matter to them. A few apologies here and there and that will be the end of it.
Maybe, maybe there is some trivial fine to pay, but that will be a rounding error on their balance sheet.
Management usually doesn't care, revenue and convenience trump security; until of course something bad happens, which is why older institutions have draconian access standards, meetings to discuss who has the right to know about the meeting to determine the access list management program (true story) and so on.
Nothing in the press release hints at an actual attack. "An unauthorized third party accessed our database, and we immediately changed the password" sounds like they realized one of their competitors hired an intern to get them a login.
I'd be keen to see if every driver's info aligns with the license number (for those states that use encoding systems that embed PII into the number).
Listen, guys. I don't care how small you are. If you are handling PII or credit card data or anything that, if leaked, would harm your business or your customers, you need a security guy. Not a programmer who knows some security stuff. Not a manager who checks off the online PCI self-assessment. Not "we outsource to an MSSP". At least one security guy, full time. Make sure that everything you do is run past that person. If you're so busy that you can't run everything past that person, hire another.
It's not a joke. Stop fucking ruining people's lives. It's 2015, four years past "the year of the breach". Get with the program. It's not okay to have a breach. It's not. It doesn't matter how much money you saved from not having a security guy or the tools they need. Get someone who knows what they're talking about and listen to them.
Again, this is not arguing against security guys. It's just that this post reads a bit like "Well, if they were only hiring people like me maybe this wouldn't have happened".
Woah... A professional security auditor actually knows what to look for and would be flexible enough to understand (and manipulate) what your software is doing. If you are paying someone to run a script, you're not getting your money's worth.
Even a dedicated security guy at a large company can't be everywhere and doesn't know everything (or even understand, say, hypervisor security).
True, that's why ideally you'd want a team of people on this, not just one security guy to carry the globe.
I agree though, security needs to be thought out from the beginning and throughout the development process. The later you catch something, the harder it is to fix. But you need a fair amount of experience as a developer to see security issues thoroughly (because you often need to understand the platforms you are building on, not just your domain). So if you don't have that knowledge you can either teach yourself or if you don't have the time, let someone else do it.
Having a thorough understanding of what you are actually doing does take care of most of that. I doubt that's where a startup's priorities are, sadly. For most, speed > solid code
That said, any company collecting PII (or any type of data a customer believes is protected really) as part of their business has a duty of protecting that information.
Unfortunately, you can't trust joe sixpack to make safe and sound decisions as to whether they should sign up and give their contact/personal info to your new random app, let alone evaluate the level of your opsec practices.
Saying "we take the privacy of our customers very seriously" months after a breach and going back to business as usual is not enough, and I think this is true for both startups and big corporations.
One of the earlier comments said "Stop fucking ruining people's lives.", I think it pretty much sums it up even if it's probably a bit extreme.
The first step is to stop considering security as an afterthought when you write any piece of code.
Obviously, this doesn't mean one should disregard security concerns. It's important to engage in good practices, to cultivate a combination of paranoia and attention to detail, to scrutinize suspicious behavior. But even if you do all of these things, modern computer systems have tons of surface area outside of your control. These days, it's unrealistic to demand perfect security from anyone, let alone small businesses.
Instead of being so uncompromising, I think it's better to ask businesses to explain their security policies and practices. Are administrators required to use multi-factor auth? Are backups encrypted, and if so, how? How are passwords hashed? Is data encrypted in transmission, and if so, how? Are server logs shipped to prevent tampering? Answering these questions (and others like them) can give security-conscious customers an idea of the business's expertise, and allow people to use products (or not) accordingly.
Well actually, if you think it's OK to expose your users' data because you don't know what you're doing but think you deserve a piece of the startup gold rush pie anyway, it's you who should go live in Somalia and see what becomes of a 'society' of people who just do something with no oversight, skill or knowledge. If the choice is between 'doing it poorly' and 'nothing at all', then you should do 'nothing at all' because your actions affect other people. Basically you say 'screw my users, I can't be bothered to learn things properly but I want money anyway!'. Well, fuck you, you are the cause of all these problems, and you deserve everything that comes to you.
Will you give your little speech about laws and how it's illegal to hack your website and people shouldn't have done it?
Nothing, otherwise you put yourself at a disadvantage against other market players (at least in the US).
The US has no reasonable industry regulation; it's more a set of laughable industry-written guidelines, if anything. There are no consequences, no serious penalties for harming the public. What's more, the public itself is too clueless to care and incentivize proper behaviour. Only HUGE events (Exxon Valdez) are capable of changing perception and forcing real regulation.
If only this were true, they would be hiring security people.
Nothing is going to change until companies are held accountable for the damages caused by negligence. If someone in the infosec field wants to make a difference, I'd reckon their best bet is lobbying to make this happen.
In the 18 months since I assume they have assembled a decent security team and while most likely Uber dropped the ball here at least they recognized the need for security before they got burnt.
It's the only thing that matters. It's capitalism. Those who waste money on unnecessary expenses get outcompeted by those who don't. Unless you find a way to make companies financially responsible for crappy security, they won't care. Right now breaches like these seem to be more like free advertising (a typical user will just read "something something Uber something hacked" and next week will just have a vague sense Uber was mentioned in the news).
From a market perspective, it would be enough if customers cared more about these breaches and took their business elsewhere. Apparently they don't care.
If only they were spherical humans of uniform density...
> Apparently they don't care.
Well, they do, but they can't do anything about it. See, it's a well-known problem with real humans - from boycotting Coca Cola for slaughtering people in poor countries, to tantalum capacitor production being based on even worse slaughter of men, women and children in poor countries, to the whole environmental fuckup we enjoy today - "voting with your wallet" doesn't work. People can't coordinate on a large enough scale, so they have to stick with the bad choices. Why should I move my business elsewhere, if the risk is unlikely and my competitor here will save money over me if he stays? And my competitor thinks the same, and neither of us moves.
It's the very case regulations exist for - it's much easier (and in reality, actually feasible) to coordinate people to ban all businesses from doing particular classes of shitty things.
But honestly, I thought that's kind of economics 101, that this is market failure mode when it is applied to real, flesh and blood humans.
It isn't surprising that they deprioritize security -- the market doesn't demand it.
Serious, legit question here. How many lives will be ruined by this breach of 50k? How many lives were ruined when 40 million CCs and 70 million accounts (address, phone number, etc.) were stolen in the Target breach?
Ruin seems like an awfully strong word here. I hesitate to say that because I don't want to downplay the importance of security. But to take security seriously I think we also have to be non-hyperbolic about the consequences of not doing so.
But think about the Anthem breach just this year. SSNs, full name, date of birth, employer and yearly income, home address. Everything you need to ruin someone's life for real, and permanently. Having to have a credit card replaced is an inconvenience. Having to constantly watch your credit because an attacker has everything they need to open a new credit card in your name is ruin.
Beyond that though, little inconveniences add up. How many times do you want to have to replace your credit card in a year? And if you have an auto-payment set up but miss changing your card number for that, how much will missing that payment impact your credit score? And how many hours are you spending fighting fraudulent charges? How many years of your life are taken off by the stress of constant breaches?
Life ruining? Probably not. Life-changing? Yeah, it's getting there.
This leads to a ruined life? Talk about a first world problem
Hey now, cancelled auto-payments are no joke. Just imagine you lose your Netflix subscription or (god beware) Amazon Prime over this.
Sounds more like "inconvenience" territory to me, but I hope you and your car are recovering well from this life altering experience.
And the point is, yes, consequences can be rather more damaging than having your Amazon Prime membership lapse.
Seems hard to believe.
It's the same in my country.
But if you're late on payments then a normal dunning process begins. Before your insurance becomes invalid you have to ignore at least 3 letters over the course of 3 months.
In the UK they just flip the switch when a single payment fails, without prior warning?
"NICK MARSDEN, DEPT. OF TRANSPORT AND MAIN ROADS (Aug. 28, 2014, male voiceover): "No covert activity was done today, Uber locked third phone due to penalty infringement notices being issued yesterday. Time was spent purchasing new credit cards, activating Gmail accounts and setting up two more phones. These phones are the last ones, will be ordering additional units.""
My sister had info stolen from a fake pad at a gas station. It was a debit card. She got all of her money back but it took close to 6 weeks to fully resolve. If you live paycheck to paycheck, and at the time she wasn't too far off, that can be a very difficult situation. It worked out in the end but it was definitely painful for her.
By and large these are not "ruined life" events. Identity theft and fraud are, unfortunately, common and mainstream enough that hitting "ruined life" level is exceptionally difficult. Back in the 90s when the average person didn't know those terms it might have been more common. But now it's just something that everyone, individuals and corporations, has to deal with.
The costs of engineering time and hiring a security professional may be much more expensive than the lost business due to breaches.
In this particular case they likely have enough resources to have made it happen, but it remains to be seen whether this will actually cost them much if anything.
However, this is just offloading the negative externalities onto the banks and the customers. That's just shitty. I'm not one to call for government regulation that easily, but this is exactly why we have a federal government. To make sure the citizens are being protected. That's why the FCC declared ISPs to be utilities. To stop them from abusing the customers. That's why the EPA has regulations on chemical and oil spills. If Home Depot got fined $100m for their breach, what would the cost look like then?
The cost of security is more than the impact of the lost business. That needs to be fixed, because until it is, we will continue to have breaches that make our lives terrible.
This problem might just be a little more complex than we are giving it credit for.
I would always complain about being 2-5 years behind in terms of technology stacks when I lived in D.C., but we were always a lot more careful about deployment decisions and extremely serious about data security. That mentality is ingrained in me to this day, so I always think about security. Unfortunately, it's not in the minds of a lot of people.
I don't think these breaches are going to stop until something really serious happens or until there are some serious negative legal consequences for data breaches. Sadly, it's up to consumers to try and sort out which companies have the best practices and that's not always apparent.
I'm gung-ho about security as much as you but the truth is that users hardly stop using a service after data breaches. The ones that do matter though are like the ones that delete all your AWS instances and custom AMIs when holding your company's assets for ransom. That is what startups should be worried about indeed (as well as enterprises that are transitioning more of their IT into cloud environments that can be scripted and automated much easier - makes it easier for attackers in theory too).
And if we're going by Wikipedia's definition of PII, probably at least 50% of the websites in the world. Including this one.
Maybe you don't mean all that, but if I am to take what you posted at face value, it seems insanely irrational.
Insanely irrational? If you are comfortable handing your information to companies who do nothing more than the bare minimum to make sure it's safe, that's insanely irrational. I get tired of companies giving my information away. I really do. There's no excuse for it.
Security is by no means a solved problem, nor is it possible to solve at this point. But how often do you hear that the company wasn't hashing, wasn't encrypting, wasn't paying attention to their security tools? Damn near every time. Things like this very, very rarely happen to companies who take security seriously.
I remember as a kid, there was a family owned comic book shop I would visit. I would let them know what comics I'm interested in, and they would call me if they got something in that they thought I would be interested in. So they had good reason to have our phone number. It was probably even stored really insecurely (on a piece of paper). But it was the early 90's. And if someone stole it it might have included 200 phone numbers.
I buy magic the gathering cards from small card shops across the country. They need my address to ship it. Since most of these single store businesses are fairly low tech, I doubt they do too much to protect it.
Also, your initial statement also said handle, not collect. Most brick and mortar stores handle credit card data, although they don't collect it. There's even been instances of thieves affixing devices to ATMs and credit card machines that will scan your card data as you slide or insert it.
You can collect PII by hosting a static webpage (IP addresses). Leaking that PII can cause harm to users (DDoS). This may seem made up, but people who make a living off live streaming are fairly regularly DDoSed by malicious viewers who figure out their IP.
More generally, any leak of data, whether it includes PII or not, will harm a company's reputation.
This is why I called your post insanely irrational. It's all black and white: hire a dedicated security engineer, or you're doing it wrong. Regardless of size. The majority of businesses in the country would go out of business if they had to abide by your rules.
Target paid $1.2 BILLION in dividends on $21.8 BILLION sales for 2014, its data breach only cost it $162 Million. Cost of doing business.
It's become such a common issue there is no incentive to invest in security and that's a bad thing.
Why does sec get breached? Marketing wants easy access to all data, deep learning wants easy access, lots of data is in transit.
Security is not convenient for operations, therefore companies have sec on paper and audits and stuff but no real sec.
The lesson: security is really hard in the real world, even for the best professionals.
Because lists of data exist.
Why do they exist?
Because everyone is using Excel.
I just think that this is a company with no product, no business model, horrendous business practices, and somehow their valuation is still higher than the entire market they operate in. At least they're not selling the data to the IRS, right?
I got 50k drivers ready to drive for us. :P
If they get classified as a cab company in a particular market, they'll sue. If they don't get their way, they'll exit the market. They could also move into other businesses which are clearly not cabs, as shown by their dabblings in courier and delivery services. Consider how many startups are paying people to drive things from point A to point B -- that entire industry could be outsourced to Uber.
If they do exit a market, they won't lose anything besides face -- it's the drivers who will carry all of the capital investment and most of the operating costs, they're the ones who will be hurt.