> Here’s how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.
I'm surprised Uber doesn't have their engineers set up 2FA for GitHub. Super simple to implement and require organization-wide[1] and would have prevented this. Then again, not storing credentials in GitHub would also have prevented this . . .
Github 2FA has been part of the first-day training/laptop setup for a while now (I joined in May) and there's security-related training in place as well. I was told there are also scanners in place now that check repos, gists, etc. for secrets for exactly this type of mistake.
One snippet of the email the article didn't mention was that Sullivan's firing happened pretty much right after Dara learned of the breach and an investigation was conducted. It definitely inspires more confidence in leadership seeing that the CEO will not tolerate unethical behavior.
I think many people don't realize this, but the majority of the leadership team from like a year or two ago is now gone, including Travis.
Also, Uber has been hiring a lot of new people - the ratio of new people vs old timers is really high. I'm obviously just one anecdata point, but I believe new hires (and a lot of old timers) want Uber to be an ethical company, and many have joined the company specifically to tackle that challenge. One great example that comes to mind was when one board member made a sexist remark on an all-hands meeting a few months ago and by the end of that same day, Liane Hornsey (who had just joined as the new head of HR) had him give up his seat.
There's a big push towards trying to make things right, with the holden report, the 180 days of change campaign, the implementation of new training courses, anonymous complaint hotline for employees, etc. And the unspoken message right now is pretty clear: inappropriate conduct _will_ get you fired, even if you are the head of your org.
Obviously there's still a lot of work to be done, but I think we're at least on the right track now.
I really like how your description gets at these policies creating a tipping point in the culture. Hearing about any one individually always sounded like a bandaid, but hearing about them together and then how you and other employees react to them is very encouraging. Good luck to you and the rest of the company.
This is good for Uber and their employees in the short term, but I can't help but think it's bad for their ideals in the long run. There are a lot of scenarios that look very bad for Uber economically and it would be a shame for a culture shift to coincide with the realization of one of them.
Honestly, I find that a lot of economic discussions on the media are highly speculative (and dissonant to what I've seen circulated internally), and things get just downright sensationalist on some topics, so I've been taking news about Uber with a large grain of salt.
> it would be a shame for a culture shift to coincide with the realization of one of them
I think everyone at Uber has at least some idea about the P&L situation, but there's no doubt in people's minds that we need to drop the go-fast-and-dubiously culture and embrace a do-things-properly culture. If anything, I think it's more likely that a major crisis would continue to drive home that idea.
The downvotes are likely because you're taking an Uber thread and veering it off to GM's management and your children, neither of which have any relevance here.
Except for the CEO being changed and having a toxic corporate culture that didn't change and produced the same deadly car across CEOs after promising change but did nothing different--including not stopping production of a deadly vehicle.
I probably should have spoonfed the readers more. They grew up in a world that doesn't need critical thinking anymore so it's probably too much to ask for their brains to activate while reading on a website and have them put distinct ideas together to form a grander one.
Must. Downvote. Comments full of facts but from people I dislike. Must.... errooorrrrroooorrrrrr. 505.
It's okay. Every time I see downvotes here, I know I said something great but I just pissed someone in power off. I'm used to being a minority oppressed by a majority in power. It's no big deal. The system just builds people like that these days.
Still not making the connection from Uber to GM that you are trying to make. Because the GM CEO could not prevent teens across America from joyriding, the new CEO is going to be unable to rein in the behavior of his own supports?
Either make a valid point or let your comments stand. Leave the /r/iamverysmart tandems at the door
We primarily use private phabricator and gitolite instances for internal stuff, but we also have OSS things in regular public GH repos. We do have a few private GH repos, but AFAIK, you're not supposed to version control internal stuff on GH, and there's no real reason to use a private GH repo, except for legal review prior to open sourcing.
I don't have any context on why someone would have put production secrets in a GH repo. If it had happened in my team, I would definitely have sounded the alarm at code review.
Well, I am one, but the things I say here are my individual opinions and observations. I just think that as an insider I get some insights that you'd normally not get from the media, and I figured I'd share them.
I'll believe it when they stop having stories like this every few months. They had over a year to report the breach, and they paid hush money instead. Typical Uber
Yep, but think of all of the private keys and tokens used in automation servers (think CI) for pulling down source. Those don't have 2FA - because they don't login - but they have full access to most source.
In an organization of about 200 engineers across various products, 1000+ github repos, and 10 or so different CI systems, we enforce 2FA at github. I can still easily see how someone could gain access to source code with secrets in it.
> In an organization of about 200 engineers across various products, 1000+ github repos
Wait, what? That's 5+ repos per engineer. What on earth would warrant that level of granularity? I've only worked once in my career in a place that used more than 2-3 repositories total, and that was a "MegaTechGiant" with thousands of engineers.
Depends on the company you work at, but most tech companies I've been at have gone the "micro" services approach.
Example:
- 1 repo for the frontend
- 1 for each api
- 1 for the infrastructure terraform scripts
It's good for CI / CD and general code base organization. Also easier to track changes and handle security. You give devs access only to the repos they need to do their job.
Our team has a product with multiple integrations and internal apis, so we easily have 40+ repos.
I know that mentioning downvotes usually invites more downvotes, but...
I'm surprised you're being so heavily downvoted for your question. Engineering teams (and software companies) come in all shapes and sizes. It is absolutely reasonable for even an experienced engineer to have only worked at companies with a handful of repos.
Rather than downvoting, it would have been helpful to explain why your company has opted for such granularity (perhaps engineers or teams have a high level of autonomy, or your software is highly componentised and built from a great many, separately managed, parts).
Some CI setups benefit from a one-repo-per-service approach, as it makes it easier to figure out when an individual app has changed. In orgs where everything is in one giant repo, it can be difficult to establish what subset of your applications needs to be rebuilt when a commit is pushed.
I personally don't have a strong opinion about either way - they both have tradeoffs.
There are just three of us in my company and after 10 years I worked on close to 80 projects for 30 different clients. Each project has its own repo. So +3 per engineer is really not that much;)
It's normal and expected. I have a few dozen. git makes it great to create little repos for lots of different things. They don't have to be production apps. They can be libraries, utilities, documentation, scripts, or just random crap I may want to refer to someday.
Could also be a company using clone - pull request workflow.
10-20 project repos and then each developer has a bunch of project clones, including a few shared ones - like the common infrastructure stuff, ...
I can see that with a company that has grown day 1 around Github, especially during early startup stages with a variety of contributors but no formalised "organization".
How about, if Uber stores all data across those git repositories (1000+)? Perhaps they use git as a multi-versioned data storage? Perhaps better than Kafka (event sourcing thing?). Just a thought :)
You couldn't enforce 2FA on GHE for the longest time. GHE version 2.8.0 lists [0] "Enforce two-factor authentication" as a feature. 2.8.0 was released November 2016. According to the article,
> Kalanick, Uber’s co-founder and former CEO, learned of the hack in November 2016, a month after it took place, the company said.
I don't know if they were using GHE. If they were, at the time it did not come with a good way for them to enforce 2FA for users.
Yeah this was such a PITA several years ago... To solve the problem we ended up building a small proxy in Perl for the express purpose of adding 2FA to Github Enterprise.
> I don't know if they were using GHE. If they were, at the time it did not come with a good way for them to enforce 2FA for users.
Well, sort of - at the application level, that's true, but GHE is typically run behind a VPN. Certainly that should be the case for a company the size of Uber.
Even before GHE added 2FA, it shouldn't have been possible for a leaked set of login credentials to be used to access GHE, without some other sort of compromise (VPN cert, physical compromise of hardware, etc.).
At my company (mostly a Windows and Microsoft shop), my domain credentials are used to log into the VPN, and TFS, and Octopus. Compromising just that one set of credentials could effectively "own" our company. And I'm just a senior-ish developer.
Lateral movement by an attacker is a real thing. And while credential reuse is something most security focused web companies are trying to mitigate, a push for "sso"-like account management is seemingly undoing most of that effort inside the network if not done properly (specifically, auditing and monitoring of behavior).
> my domain credentials are used to log into the VPN, and TFS, and Octopus. Compromising just that one set of credentials could effectively "own" our company.
This is why 2FA is important! I worked for a company that had a very similar setup: I essentially had a single "LDAP" password. But: everything web-browser went through a single sign-on site, and it required 2FA (and so, you were never entering your password into even random internal applications: there was exactly one page where you should log in). Terminal stuff had a similar flow that also required 2FA (e.g., for SSH). As a user, the experience was not painful at all.
It does seem like, however, from an operations standpoint, getting such a setup in the first place is not trivial.
If they are/were using GHE, I would expect (hope?) that they require some sort of VPN to get access to it, so my guess would be this was stored on github.com.
This is so gob-smackingly uncommon I started asking "do you require 2fa for your github accounts" as part of my interview questions when I was looking for jobs (i.e. I'd ask my interviewers).
I don't know how to feel knowing that there is even one software-focused company out there that doesn't enforce 2fa on its github accounts. Like... how?! Why?!
I really don't think using 2FA and the direct hacking of an individual developer's machine are all that comparable here.
Who cares about access to individual dev's machines if the credentials to access code on github are obtained - 2FA at least offers some degree of protection in this scenario. The scope for attack is extremely different.
> A backdoor can sit around and wait for the user to press the button.
There exist 2FA protocols[1] that permit tying the 2FA challenge to a particular context: you can't just take the response from the 2FA hardware and use it anywhere. In this regard, the malware doesn't get anything more than what they already have, and the 2FA still adds protection: if the malware is able to compromise your password (e.g., through keylogging) it doesn't immediately get access to everything you have access to. Now, of course, if you 2FA for some resource, then yes, at that point, you're probably doomed, but I don't believe that gets the malware anything new (e.g., once the auth is complete, if that results in a "user is logged in" cookie, the malware could just read that, and go to town.)
Compromise of a local machine is definitely bad, and not what you want, but 2FA tokens are not useless, even in that situation.
The hackers wanted access to the code to look for Amazon keys. For them it doesn't matter if they get the code from the internal GitHub or from a developer machine.
If you have an ultra-secure door, the thieves will just enter through your regular window.
How do you know they "wanted" access to look for Amazon keys? Do you know it wasn't from a blanket scan of github?
Sure, there are only 13 projects on https://uber.github.io/, but there are 169 on https://github.com/uber, and it only takes a short while to scan for access keys. There are plenty of open tools that will scan github for keys.
This may not have been targeted at Uber but a net for all of github with Uber being just one company that was hit up for cash. Unless you're saying that you know the motivations of the attackers.
You only need the ability to generate TOTP or U2F tokens. This is often done using a smartphone app, but can also be done by a desktop app like 1Password or a hardware device like a Yubikey:
https://github.com/blog/2071-github-supports-universal-2nd-f...
You can also record the TOTP secret in your automated login script, next to your password, and generate the token on the fly right there.
It's things like that that make me wonder why TOTP tokens are supposed to be conceptually different from passwords. A TOTP scheme involves knowing a master password, and nothing else.
Recording a TOTP secret next to your password would make 2FA worthless, true. That’s why you should use hardware generators whenever possible. However, Github supports FIDO/U2F which is conceptually superior to TOTP: The authentication secret is bound to the domain and the token generator verifies this. So even a software U2F implementation protects against phishing for example, while TOTP does not.
> use their personal phones seems like a very bad solution
Why? You're not any less secure by using a personal phone. What are the odds that an employee is going to be phished and have their phone compromised by the same entity.
IANAL, but here is my thinking: The problem with personal phones is they are hard to audit. When a phone belongs to the corp, corp owns the phone, and "probably" can audit it as it wished.
In order to install my work Gmail account on my phone, I had to install a program on my personal phone that let admins wipe it remotely. This is not something that bothers me, because I expect to lose the phone almost anytime, so the contents on it are backed up continuously on a system I control.
Whereas that bothered me so much I refused to put email on my phone and told my employer they needed to provide me with a phone if they wanted me to always be on email.
I'm already answering emails out of office hours which is for my employer's benefit and they want to functionally own my phone because of it?
Unless you're talking about a 3 person start-up, wouldn't the use of github itself be a red flag? If you're a software company, you live and die by your source code. Why on earth would you rely on some other company to hold it for you? This seems as ridiculous as doing your bookkeeping on Google Docs.
I've never once worked in a company that permitted source code to leave the company network.
Because you trust their security better than your own, which at any organisation without a dedicated security team seems like a reasonable decision. I live and die by my money, too, and I give that to a private company to hold rather than protect it myself.
It's not just about who knows more about security. It's a trade-off, and you need to account for other factors like cost, availability/uptime, data integrity, total attack surface area and others. Honestly, I'm surprised this is such a controversial point of view, but judging by the downvotes it appears it is. You learn something new every day, I guess.
The point is that the trade-offs usually come down in favor of using GitHub Enterprise (or whatever other well-regarded, trusted enterprise system). The availability and uptime are your own, because it’s self-hosted, like git. The data integrity is also your own. The security is better than probably any other VCS interface over git, with the possible exception of GitLab, and almost certainly better than what an organization could come up with on their own if it’s not their core competency. Unless you’re literally using straight git, GitHub Enterprise (or again, whatever other competitor) usually enhances team productivity. The attack surface is larger than git, sure, but the rational solution to that would really be to use no interface over git, because GitHub Enterprise is as safe as they come.
I think you’ve misinterpreted people’s reactions. It’s not at all controversial to use other companies’ services for your most sensitive assets, it’s your opinion that appears controversial to them. If you’re in control of your own servers, what remains is to trust GitHub Enterprise not to literally phone home your source code or to enable remote code execution on your own server. There are myriad information security policies and compliance methodologies for compartmentalizing, quantifying and sharing that risk.
For what it’s worth, having personally performed security assessments for over 50 different companies across the gamut of size/maturity, nearly all of them use a centralized VCS hosted or produced by GitHub or Bitbucket (and nowadays, occasionally GitLab too).
GitHub Enterprise is a different beast, as it's self-hosted. My comment was in response to the parent's mention of companies storing their source code on GitHub, which might imply external hosting. I suppose it was ambiguous.
Right, but none of those things is necessarily a home run for self-hosting your central git repository. Particularly in today's world, where you likely have remote workers and don't necessarily have any other servers you're managing, anything you could call a "local" network or even a VPN.
I've been surprised how many commercial, closed-source projects have opted for Github in recent years. While I would probably prefer to self-host (Gitlab, or similar) in order to reduce dependencies, I do see the benefits. Having recently worked at an organisation hosting exclusively on Github, it made collaboration with remote contractors and third parties very straightforward and helped eliminate much of the maintenance burden on our small team.
You have a full checkout on your laptop and probably a whole bunch of other developers laptops. With git you can also have random backup computers do the same thing! You don't have to rely on github alone, for this.
uber engineer here, we have 2fa set up for everything. Starting my day takes about 5 different 2fa checks (ssh access, aws, phabricator, team chat, etc)
I know Uber has a strong engineering culture, which is why I was so surprised. I think philsnow's assessment that organization-wide required 2FA wasn't available for GitHub Enterprise at the time of the hack is probably correct.
Although more and more applications support SAML for SSO, much of the SaaS world is disparate and siloed. There's definitely something to be said for centralised user management on a homogeneous system. User leaves your organisation? Just retire them in LDAP.
2FA wouldn't have necessarily solved this, if the hackers had access to an engineer's ssh keypair (e.g stolen laptop) they could clone repos as they pleased. 2FA isn't a silver bullet.
Maybe it's just me, could "private GitHub coding site" have meant a private GitHub repo with GitHub pages turned on?
If that were the case, there would be no authentication whatsoever to access the closed-source site; the hacker would have just needed to guess the right url.
The most I've ever personally seen a company do is require a VPN for their privately-hosted repos. For others using GitHub or Bitbucket? Never anything beyond a standard login.
Two factor won't protect you from a spear-phishing attack.
The attacker can submit your info to GitHub the moment you submit to the malicious site. You receive the token via SMS as expected, enter it on the second page of the malicious site, granting them access.
I assume it was password reuse from one of their engineers or something similar. If you could compromise GitHub itself there would probably be higher value targets (source code for upcoming AAA games, Coinbase, government organizations, etc.)
AAA games have budgets in the millions. Threatening full release would likely net you much more than a few hundred thousand, and without requiring any secondary attack.
We use a tool under a Linux Foundation project called anteater https://github.com/opnfv/releng-anteater, which does the same thing (but is for a jenkins / gerrit workflow). A key difference from looking at talisman, is anteater uses standard RegEx rather than code to seek out strings, so anyone can add their own strings / file names easily into a simple yaml file. Likewise they can use regex to provide a waiver, should something be incorrectly reported.
I am thinking now would be a good time to port it to working with webhooks as well.
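The regex-plus-waiver approach described in the comment above is simple enough to show end to end. The following is an added example, not anteater's or talisman's code: a small scanner with a constructed rule set (AWS key id, AWS secret assignment, private key header, and a generic `password=`/`token=` assignment gated by a Shannon entropy floor to cut noise), a waiver list that exempts documented placeholder values, and a constructed set of files to scan. The rule names, the `SAMPLE_FILES` contents and the two fake AWS credentials in them are made up for the example; the `AKIAIOSFODNN7EXAMPLE` pair is AWS's own published placeholder.

```python
from __future__ import annotations

import math
import re
import sys
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    min_entropy: float = 0.0  # bits per character; only set on rules prone to false positives


# Constructed rule set, modelled on what a YAML-driven scanner would load. Not anteater's rules.
RULES = [
    Rule("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    Rule("aws_secret_access_key",
         re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")),
    Rule("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    Rule("generic_secret_assignment",
         re.compile(r"(?i)(?:password|passwd|secret|token)\s*[=:]\s*['\"]([^'\"\s]{8,})['\"]"),
         min_entropy=3.5),
]

# Waivers are regexes too: a line matching one is still reported, but does not block.
WAIVERS = [
    re.compile(r"AKIAIOSFODNN7EXAMPLE"),                  # AWS's documented placeholder key id
    re.compile(r"(?i)\b(?:example|dummy|changeme)\b"),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str   # never echo the whole secret into CI logs
    waived: bool


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking 16-char tokens score ~4.0, dictionary words ~2.5-3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        waived = any(w.search(line) for w in WAIVERS)
        for rule in RULES:
            for m in rule.pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if shannon_entropy(value) < rule.min_entropy:
                    continue
                findings.append(Finding(path, line_no, rule.name, value[:4] + "...", waived))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


def blocking(findings: list[Finding]) -> list[Finding]:
    return [f for f in findings if not f.waived]


# Constructed input: three files as they might sit in a repo. Keys are fake.
SAMPLE_FILES = {
    "config/prod.env": "\n".join([
        "DB_HOST=db.internal",
        "AWS_ACCESS_KEY_ID=AKIAQ3ZX7Y2BMN4P8K6J",
        "AWS_SECRET_ACCESS_KEY=3hZq9Lm2Vx8Wc1Pd5Tn7Ry4Kf6Bg0Js2Qa8Ue4Xo",
    ]),
    "docs/aws.md": "Example: AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "app/settings.py": 'PASSWORD = "changeme"\nAPI_TOKEN = "q7Hd29vLpX4kR8sW"',
}


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        status = "waived" if f.waived else "BLOCK"
        print(f"{status:6} {f.path}:{f.line_no} {f.rule} ({f.redacted})")
    sys.exit(1 if blocking(results) else 0)   # non-zero exit fails the CI job / pre-commit hook
```

Run as a pre-commit hook or CI step it fails the build on the two real-looking AWS values and the random API token, reports the documentation placeholder as waived, and drops `"changeme"` on entropy alone. Feeding it `git log -p` output instead of working-tree files catches secrets that were committed and later deleted, which matters because anything that ever reached a pushed commit has to be treated as leaked and rotated regardless of whether it is still in HEAD.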
There are a few SaaS offerings that will let you do that. LastPass or 1Password are two commonly used.
Or you can use something like KeePass to store a database in a shared location if you don't trust the SaaS offerings.
If you are looking at storing credentials for automation purposes, and don't have a secret store built in, you could look at something like Hashicorp Vault to help provide this for you
We're using Keepass / MacPass password protected vault shared with the team using Dropbox. It's really good and essentially free to use if you use a free Dropbox account.
The key part is "Warning: Once you have pushed a commit to GitHub, you should consider any data it contains to be compromised. If you committed a password, change it! If you committed a key, generate a new one."
Removing the secrets from the repository is nice to have, but not that necessary - what is mandatory is to ensure that the compromised secrets are no longer useful, since they aren't secret any more and won't be ever again.
I am rather disappointed in github for publishing this guide. The portion at the top stating
> Warning: Once you have pushed a commit to GitHub, you should consider any data it contains to be compromised. If you committed a password, change it! If you committed a key, generate a new one.
Is a good argument as to why you shouldn't let users erase this data from history, it's already out there so no matter how painful or convoluted your process for regenerating auth credentials is, you need to do it if you've published them into your SCM. If the process is painful you might want to simplify it because you'll probably need to do it sometime in the future again... yes even you large corporate workers who have no control over credential regeneration, an arduous process leads to credential sharing between projects which is another horrible thing.
Yeah, but hopefully they can't do much if they just have your code base. If the secrecy of your code is the only thing stopping hackers from exploiting you, you're missing some gaping holes in your infrastructure. With that said, nothing wrong with using secrecy as an additional barrier, but it shouldn't be the only one, and if it's not the only one, you're not "so owned at that point".
“Just” leaking full source could be enough to destroy a lot of IP-based companies. A lot of companies stay wealthy because their IP is so huge that nobody can afford to develop competitive alternatives anymore (Adobe, Microsoft Office, Salesforce etc). Some of them have actual “secret sauce” that they cannot afford to share (suggestion engines, biotech processes etc). Even a service like Github, which relies on others entrusting their work to them, would take a humongous reputation hit from a leak like that.
I don't think either of those companies would cease to exist if their code bases leaked online today. Sure, someone might get something to build, but there is surely A LOT of things around the code bases to support all of this, which means the code bases would mostly serve as a study for software in general (and finding holes obviously).
Github is a bit unfair comparison, as their business is literally to make your code private, so if it leaks then of course it would be a hard hit. For the general company, I think leaking access credentials is a much bigger (but easier to fix) problem than leaking the source code itself.
> I don't think either of those companies would cease to exist if their code bases leaked online today.
A serious Photoshop clone that can match PS feature for feature would wipe Adobe, people cannot wait to get rid of them. 25% of MS revenues comes directly from Office and another 25% from Windows or other commercial offerings that are basically driven by Office, so yeah, MS would survive a working Office clone, but they would be deeply wounded; they pulled all the dirty tricks in the book to keep competitors from integrating seamlessly... having the real code responsible for their formats available in the open, would hurt them massively.
These companies are as big as they are because they did the right moves at the right time, and now they have spent so many man-decades on their codebases that nobody can realistically hope to catch up starting from scratch; but having a good look at their codebases would likely kickstart oozes of competitors with very good chances to replace them in a very short time.
> For the general company, I think leaking access credentials is a much bigger (but easier to fix) problem than leaking the source code itself.
Credentials are a means to an end: protecting something. If you are Ashley Madison, your valuable IP is your database of users and their preferences; but if you are Microsoft or Adobe, what credentials are protecting is your source code. Adobe survived their user credentials being leaked, like so many other companies. They would have been hurt much more had they leaked the entire PS codebase.
But a competing company can't just give a copy of the leaked source code to their developers and tell them to go to town. Even by employing clean room design, you can't get around all the patents that likely protect many of the features that Photoshop users consider crucial.
"If the secrecy of your code is the only thing stopping hackers from exploiting you"
I hate these types of arguments. Yeah no one said that ever.
Losing your code base is terrible. I view it as losing a journal. What your company tries, tests you run, funny comments, or funny mistakes. I mean they post it on the net, blackmail team members, imposter team members, forge for leaks, sell it, pushes to prod from compromised accounts, CI systems, -- seems bad to me. Sure don't have aws keys in there.
Glad to be talking with you too! :) I didn't mean to imply you said something you didn't, only that I would consider access keys to various services to be of much more importance than the code base itself. I read your comment as "Doesn't matter about the access keys, if they have your source code, you're screwed no matter what", which in that case would seem a bit strong.
Also "pushes to prod from compromised accounts, CI systems" seems more related to access keys and account security rather than the actual code base.
But hey, in the end I'm no security expert so what do I know.
If they have access to the code inside Github, would they have been able to push their own changes to the code without anyone noticing?
Maybe pushing something that was labeled as a "security patch" but was actually a disguised vulnerability? I could see not even checking into that, and just downloading it. But I'm on a small team. Do big companies have procedures to protect against this?
Depends on how they get access. If they got control of one of the user accounts with push access, they could surely push code (but unsure about "without anyone noticing", depends on their own development processes I guess). However, if they got access to the code by reading some part of the memory/storage holding the code, without actually gaining access through authentication, they wouldn't be able to change it.
Really surprising to see that sensitive credentials were checked in to VCS. Apart from peer code review, how can a company avoid developers checking in sensitive data to VCS?
I really wish AWS would stop enabling master API keys by default. As soon as you create an AWS account you are given API keys which basically have SUDO permissions to your entire account. That is super dangerous and is probably the same key set that these hackers got ahold of. AWS needs to disable these full access API keys by default and instead should encourage users to generate keys for specific access to limit what they can do.
Store credential information where it is used. It is not used by the repository, so it is an improper location for it.
If someone gains access to a system that uses the credentials, then there is, in principle, no difference between puppeteering that system versus stealing its credentials.
Every day we see more evidence that boards of directors and senior management should be personally accountable financially and with respect to their liberty for the company they are managing or overseeing doing foul things that they ought to have known.
The "I didn't know, I just took a vast salary to play golf" argument should not be any kind of defence. If there is the real prospect of going to jail, golfers will resign, those who take the job would actually take an interest and have the ability to do so.
I'm in charge of security at a large e-commerce company. I do not play golf. I mostly live in fear.
No sensible person would sign up for the CSO position if they risked jail time when their company gets hacked. You can't really control it. A random engineer could make a mistake that gets hackers a step closer. Or it could be a zero-day vulnerability that nobody knows how to protect against.
There are millions of motivated adversaries out there and a finite number of employees at your company to outsmart them. It's a game you can't win. The larger your company becomes, the broader your attack surface becomes, and the higher value a target you become.
You just have to hope that when you get hacked, it is a "forgiveable" hack like a zero-day or highly targeted attack.
If CSOs are to be personally accountable for the malicious actions of others, it needs to be due to clear negligence on their part and the responsibilities need to be clearly defined.
Not because you got hacked. No. Hell no. I never suggested that and reject it totally.
We're talking about cover up, if you cover up the fact someone stole private data belonging to other people you took responsibility for. If you try and pretend it didn't happen because you might get away with it then claim you didn't know when it comes out? Then yes, absolutely, you deserve to risk jail time for that. As does your board of directors.
CSOs, senior management, boards of directors should be personally responsible for their own actions. They need to have something at stake that they really dread losing when making the decision "perhaps we can get away with this?"
The problem with jail time is that the courts need to assess how much damage was done to determine what a fair sentence is. How do you assess the damage done during a data leak? Do you get one hour of jail time for each person's data you leaked? Do you get a day per gigabyte leaked? What if nobody does anything with the stolen data?
And how do you make that scale? If I miss a semicolon and leak 5 people's data, then I'd hardly get any jail time. If I miss a semicolon and leak 150,000,000 people's data, I will die in prison. In both scenarios, I made the same error, but the outcomes were insanely different!
IANAL but isn't it already the case that if you knowingly break a law, you can be convicted and sentenced to jail? In this case, I'm assuming that it's not against the law to cover up a hacking incident, in which case there's no basis to suggest putting someone in jail.
Covering up isn't done by the CSO. It'll be driven by lawyers, or worst-case by a rogue CEO. Mind you the CSO would be expected to resign under those circumstances, if they were kept in the loop on the cover up plan.
It's not really much about that Uber got hacked, which is bad enough. It's that they paid off the hackers and didn't tell anyone they got hacked until now.
I’m not sure the previous comment is saying that in all circumstances. I agree with what you’re saying - because higher officials obviously aren’t able to catch every mistake made by every engineer - but I think the parent comment really meant that if there is gross negligence or intent to cover up breaches then that seems like a crime that the individual should be punished for.
You raise a difficult issue - how you would honestly resolve it. On one hand, CSOs cannot be personally liable for every hack. On the other, they shouldn't be given a pass on everything either.
So how does one draw the lines between bad luck, reasonable security problems, everyday poor performance, civil liability, and criminal negligence?
> A random engineer could make a mistake that gets hackers a step closer
That could be prevented, to a large extent, with much tighter controls. Of course, those controls would greatly increase the cost of operations and other things.
Is it possible we're all accustomed to the wrong model, that our standard of IT security is like the standard of car safety in the early auto industry (and maybe until the 1970s) - far too lenient? Maybe we should be facing the potential fact that the normal cost of IT should include those controls and other security expenses.
(In the EU) companies are already required to tell me where my personal data goes. There is no specific fine for violations as far as I know though.
Essentially we need a price tag on personal data. Let's say $1 for each email and password leaked to an unknown number of entities. That would be a $114M incentive for Uber to keep their data secure.
> There is no specific fine for violations as far as I know though.
It's a shame this happened pre-GDPR because that has steep fines - 4% of worldwide revenue - which would be north of $260M going off their 2015 numbers. And that's assuming they get off with a single fine.
GDPR is pretty much the thing that will - if properly executed - mean the end of these things.
As CEO, former engineer and customer I really hope this gets some serious traction. IMHO if you are making money from customers, it should be mandatory to follow compliance regulations and protect all data.
GDPR will come into effect in about half a year. Everyone is sitting duck about exactly how to implement things. When this gets into effect, companies will take it seriously - the fine is astronomical if you fail.
> You raise a difficult issue - how you would honestly resolve it. On one hand, CSOs cannot be personally liable for every hack. On the other, they shouldn't be given a pass on everything either
Sure they can. It is called "insurance". Sort of like malpractice. CSO wants to get paid millions of dollars? Excellent, either be personally on the hook or have an insurance company that would be willing to underwrite your method of dealing with it, be that having your own crack team of people who get to oversee everything, or relying on Jr system admins from your company or whatever else.
If you can demonstrate due process and reasonable effort to secure against breaches, you're doing your job. For instance, with described procedures, sane defaults, locked down environments, etc. But if you're a CSO and have not described threat models, workflows, and security practices, then you've not done your job and should be held accountable for data breaches.
I think your perspective is either immature or unrealistic.
OP's a realist. His perspective has nothing to do with how a company values security.
No one in security assumes they won't get hacked; we assume we will, and when we do get compromised, our metrics aren't measured on if. Our success metrics are:
* How quickly we find out
* How much damage we can mitigate
* How quickly we mitigate the risks and controls for X vulnerability and
* How we incorporate our reporting to find trends to find the event quicker next time
Now we report on many compromises. I'm not talking just about data breaches here, there's a whole spectrum of compromises that we manage and mitigate.
I don't know anyone who operates in Security who has a different mindset to OP.
> OP's a realist. His perspective has nothing to do with how a company values security.
Of course it does. The stick is not big enough so CSOs just do not care enough. Increase the size of the stick and it would split the group of CSOs into two:
1. Like OP will run away saying "I'm not going to put myself in a line of fire if crap gets hacked". We need broomsticks for those.
2. The ones that will say "OK, two years", do their best and probably succeed.
Having practices in place for the event of a hack is obviously good, but it doesn't imply believing that you can't control getting hacked and can't win against the hackers (previous poster's exact words).
It's because you can't control it. There are limitless attackers and vectors. Security is mostly a game of being hardened enough to where most of those attackers will give up and go off looking for easier targets. Against a zero-day that nobody knows about yet, or an extremely determined attacker with a lot of patience? You will eventually lose, and you have to do your best to detect when it happens and act accordingly, as stated previously.
Our company cares more about security than anyone in our space, if you look at how much we invest relative to the others. We have full time penetration testers on staff. We contract out to countless third party security vendors. We take their advice.
This has nothing to do with not valuing security, it's just about being realistic. Can you guarantee that your company is hacker-proof? No? Then we're on the same page.
I'm not sure why we have to accept a dichotomy between guaranteeing hacker-proofness and throwing up your hands and saying you're bound to get hacked no matter what you do.
It's great that you take all those steps and investment. The fact that you still don't believe you can control whether or not you get hacked is a sad reflection of modern software practices, which are akin to throwing together a house out of plywood, newspaper, and gasoline, then asking the security team to place fire extinguishers.
I believe it's more like getting into a car accident. You can be the best driver in the world, you can always drive under the speed limit and take all precautions but you are bound to be in an accident at one point or another.
You may go decades without incident but it's almost a certainty that you will find yourself in a situation where another driver collides with you in a way that couldn't have been foreseen. This driver could have hit you accidentally or on purpose, it doesn't matter. You could be teaching another how to drive during the incident, you could have had a momentary lapse in judgment...it doesn't matter. What matters is how you handle the situation after the fact and the steps you took to mitigate the damage.
If you spend enough time on the road the likelihood of an incident approaches 100%.
More a sad commentary of how many people think there's some magic bullet of security practices and if they just follow those, then they won't be hacked.
If you don't assume that you will be hacked, then you won't design in auditing, alerting and containment that will tell you when you've been hacked, let you determine what data was compromised, and prevent the attacker from having free rein over all of your systems.
Otherwise, you'll be like a former coworker that refused to secure internal systems because "We paid a lot of money for our firewall, it's going to block any hackers". It took me less than 30 minutes on my first day to hack the login passwords of senior executives because they logged into a non-SSL reporting server (and I did it through a simple MAC overflow attack on a network switch from a network port in the break room).
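The switch attack in that comment is CAM-table (MAC address table) flooding: forge frames from thousands of source MACs until the table is full, after which the switch can no longer learn new addresses and floods unicast frames for unknown destinations out every port, so a sniffer on the break-room port sees the plaintext logins. Below is an added detection example, not code from the thread: it replays a constructed capture of (timestamp, ingress port, source MAC) records, as a monitoring system might pull them from switch MAC-learning logs, and flags any port that learns more than a handful of distinct MACs inside a short sliding window. Port names, MAC addresses and the thresholds are all assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float      # seconds since capture start
    port: str      # ingress switch port the source MAC was learned on
    src_mac: str


def detect_mac_flooding(frames, window_s=10.0, max_macs=8):
    """Flag ports that learn more than max_macs distinct source MACs inside any
    window_s-second sliding window. A desk port carries one or two MACs; only a
    port with a switch or hub behind it legitimately carries many, and that is
    what the max_macs threshold is tuned for on a given network (assumed here).
    Returns {port: (ts_first_flagged, distinct_macs_at_that_moment)}."""
    recent = defaultdict(deque)   # port -> deque of (ts, mac) inside the window
    flagged = {}
    for f in sorted(frames, key=lambda x: x.ts):
        q = recent[f.port]
        q.append((f.ts, f.src_mac))
        while q and f.ts - q[0][0] > window_s:   # expire old entries
            q.popleft()
        distinct = len({mac for _, mac in q})
        if distinct > max_macs and f.port not in flagged:
            flagged[f.port] = (f.ts, distinct)
    return flagged


def build_sample_capture():
    """Constructed sample: two benign ports and one port being flooded."""
    frames = []
    # A desktop and a VoIP phone daisy-chained on one port, one frame per second.
    for i in range(60):
        mac = "00:11:22:33:44:55" if i % 2 == 0 else "00:11:22:33:44:66"
        frames.append(Frame(ts=1000.0 + i, port="Gi1/0/1", src_mac=mac))
    # A printer on its own port.
    for i in range(60):
        frames.append(Frame(ts=1000.0 + i, port="Gi1/0/2", src_mac="aa:bb:cc:00:00:01"))
    # The break-room port: 200 forged source MACs in two seconds.
    for i in range(200):
        mac = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        frames.append(Frame(ts=1020.0 + i * 0.01, port="Gi1/0/7", src_mac=mac))
    return frames


if __name__ == "__main__":
    for port, (ts, count) in detect_mac_flooding(build_sample_capture()).items():
        print(f"ALERT {port}: {count} distinct source MACs within window at t={ts:.2f}")
```

Detection is the fallback; the preventive control is the switch's own port-security feature, which caps the number of MACs a port may learn and shuts the port (or drops frames) when the cap is exceeded, so the flood never fills the table in the first place.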
> If you don't assume that you will be hacked, then you won't design in auditing, alerting and containment that will tell you when you've been hacked, let you determine what data was compromised, and prevent the attacker from having free rein over all of your systems.
I see a big difference between preparing for the event of a hack, and believing that a hack is inevitable no matter what practices are in place.
How do you get your CEO to pay for the monitoring and other breach preparation if you've just told him that "We have air-tight security, we cannot get hacked"?
CSO: We have airtight security, we cannot get hacked.
CEO: Great!
CSO: Please approve and fund this plan to handle a breach in case we are hacked.
CEO: But you just told me we can't get hacked.
CSO: Right, it's impossible.
CEO: So why do we need to spend money preparing for it?
CSO: Just in case.
CEO: Just in case what? You just told me it can't happen.
That seems a little like asking for money to prepare for an alien invasion or a zombie attack.
Probably the CEO would have read the document their Insurance Carrier made him sign that details the measures they need to keep cyber cover valid and therefore this conversation wouldn't happen.
There is personal liability for board members and management boards (CEO etc.) in many (most?) jurisdictions, usually including for some things that they should have known but didn't know, typically if the "not knowing" part can be characterized as grossly negligent.
Also, the personal liability for board members and managers is something that is increasingly pursued by shareholders and creditors (for the financial liability) and prosecutors (for the criminal liability) compared to how it used to be.
You can't just give jail time for data breaches. It would encourage cover-ups and scapegoats. Also never underestimate just how disorganised large organisations are; incompetence at addressing issues is systemic and goes far beyond data protection. What seems like malice is sometimes just plain stupidity.
It has to be backed by some sort of regulatory framework. Just like a fire code or employment rights. But crafted in a way that it doesn't end up like PCI, ratings agencies or financial auditors, i.e. creating an industry that sells compliance and not actual security.
Perhaps something light, like mandatory minimum bug-bounty schemes for all companies, where fines (or more) are imposed for not addressing issues and an independent regulator works with larger companies to resolve issues (or penalise the company severely if they deliberately won't).
The reasonable company director should have known X and when found out was bound to report it. Person Y did not report it, should have known as it was their job to know and there aren't extenuating circumstances. Guilty. 6 months. Next case.
"I don't know anything about this company I accept 7 figure sums to oversee as a director." Should never be any kind of legal defence. If senior management and directors have something personally at risk you'll see vastly improved behavior. Right now we're selecting for the opposite and seeing the inevitable results.
There is a story like this about directors and management cover-ups every single day.
So person Y read an email late at night and forgot about it. So you send a director to jail. Tomorrow many of the "good" directors feel scared and they simply do not accept any new appointments.
Who will fill the void ? People who are overconfident and people who are not scared of going to jail.
It's much better to impose financial penalties. Should the directors or the shareholders pay ? Let them figure it out between themselves!
Doesn't PCI work well in general? It has a large amount of overhead but we see very few credit card breaches from within the "PCI vault," while we see many Social Security number breaches and email/password combinations.
For example, the Target credit card breach occurred because malware intercepted the credit card information at the Point of Sale appliances before the information was encrypted and transmitted.
Prison time seems extreme, but Congress should absolutely establish statutory fines (for companies) for breaches of PII. Then any company officer can save the company money by simply spending more on prevention because it will lower breach insurance premiums.
> You can't just give jail time for data breaches. It would encourage cover-ups and scapegoats.
Well that's already happening without jail time so maybe give it a whirl. Let's get real here, the idea of suits going to jail is just scary to some people but it'll be fine.
Man, I don't know if Uber is evil or if most tech companies are evil and Uber just doesn't drop the kind of money on PR strategery that an evil company needs to drop in order to seem normal. But either way, holy cow does that company come off as toxic. They've completely revolutionized the drive-for-hire industry and all anyone ever hears about is what a D-bag their CEO is or how toxic and misogynist their work environment is or how hard they work to spy on their employees and customers (to the point that the CEO of Apple had to have a Come To Jesus talk with the CEO of Uber) or how their employees feel like they are getting screwed or, now, how they are concealing massive data breaches. It's like how I imagine Uber would be if it was run by Magneto instead of Tony Stark.
> and all anyone ever hears about is what a D-bag their CEO is or how toxic and misogynist their work environment is or how hard they work to spy on their employees and customers
I don't think the average Joe is up to date with this news, or even cares about it.
Nope, they don't know. My non-tech friends are all using Uber / UberEats with no clue about the company, and the CEO. They just see an easy to use app to get what they want quickly.
> My non-tech friends are all using Uber / UberEats with no clue about the company, and the CEO
Just like we don't know anything about the CEO of the product making your detergents, the CEO of the brand of clothes you purchase, the CEO of your oven at home... Not knowing about CEOs is rather the norm, not the exception, and ultimately if the product/service is good, the CEO does not matter for most people, or they are only going to care about it in passing and then return to their old habits. GoDaddy is still in business.
Speaking of politics, media influence and tech, a fair number of average joes have a terrible opinion of Musk/Tesla/SpaceX; but these same people are unaware, or maybe vaguely aware, that the US Gov spent >$10 billion, just in direct financial losses, bailing out GM.
If everyone in the country was told "write a check to GM for $50 or go to jail," and conservative media wasn't berating Tesla/Musk, public opinion would be a lot different... Take it all with some healthy skepticism.
This is news to me, I've never come across an average person having a negative opinion of Musk. On the contrary they think of him as some iron-man like figure.
Most "average people" I know (admittedly on the other side of the world) have some name recognition for Tesla the company (they make expensive cars and batteries, right?) and would probably struggle to tell you who Elon Musk is, let alone have an opinion on him. The tech bubble has thick walls sometimes...
How many people do you know that listen to Rush Limbaugh or read Breitbart? Apparently none.
Personally, I like him quite a bit, but to be fair I know that outside of my own echo chamber of my news and social media feeds, that there are a lot of people who don't like him, and where that negativity is coming from.
HN is a community. If users don't have some consistent identity for others to relate to, we may as well have no usernames and no community at all. That would be a different kind of forum.
Anonymity is fine, and throwaways for a specific purpose are ok. Just not routinely.
I think it's more the "anti-fact" wing of the media (which does mostly overlap "conservative" on the Venn diagram). Unabashed alt-right agitprop outlets like Breitbart news, for instance, or climate change deniers.
There are a couple different things at play.
First, one plank in their infowar strategy is to combat anything that even indirectly propagates any understanding of climate change among the proles. They take positions even against more-efficient-than-incandescent light bulbs, so this line of attack certainly includes targeting electric cars and solar. Musk is obviously a celebrity of sorts in these areas. Any government help to build solar plants or subsidize non-fossil-fuel alternatives (e.g. electric vehicles) is portrayed as deeply corrupt, a betrayal of American values and working families, etc. Ergo, Musk is bad.
Two, Elon Musk and John McCain have a strong association. Musk has supported McCain and in turn McCain has supported Musk and his business ventures. This is the kind of invest-in-politicians-who-can-help-you relationship that is pretty much a fundamental building block of how the American government works, but it always looks bad to somebody inclined to see it that way. (It's probably also objectively bad that this is how the system works, but anyway it is.) So I think a lot of conservative media that doesn't like McCain (because he is too "establishment" or whatever the reason) have repeatedly brought Musk into it, implying corruption on the part of McCain to help Musk use Russian rocket engines at SpaceX, for example. McCain is bad, ergo his sleazy buddy Musk is also bad.
On your first point, I don't think most (fiscal, small-gov't) conservatives would have much problem with tax incentive for electric vehicles, or anything that generally reduces taxpayer burden. But they are typically vocally against subsidies and grants that favor particular individuals or companies over others -- which is not only unfair, but also adds to more spending. It does little, but to help justify a bigger gov't.
Secondly, SpaceX have been spending millions in political lobbying and McCain's political campaign is among many who benefited from such largess (and his own McCain institute) from Musk. Most Americans don't see this kind of lobbying activities with millions dollars spent on politicians as a "fundamental building block" of a well-functioning gov't, but a corrosive force that serves interests of a few at the expense of the majority, however well-meaning in the eyes of Musk supporters. I personally don't see any problem with organizing an interest group to better represent their views -- or lobbyists -- but when it involves so much money and the final outcome ends in lopsided legislation favoring one particular individual or company over others, it's probably a good time to question their "invest-in-politicians-who-can-help-you" relationship.
Ideologically, McCain's views are aligned with those of the "neoconservative" wing of the republican party -- he's mostly known for aggressive foreign policies, American democracy everywhere, and subsequently pro-Military Industry Complex (MIC) which inevitably all leads to a bigger gov't. While most conservatives are also for strong national defense, not everyone is necessarily on board with permanent warfare and welfare (and police) state and that's why "other" conservatives are so annoyed with McCain.
So, once you put these together, it's not too difficult to see why the holy alliance between Musk and McCain is criticized by those on the right. They are not necessarily grounded in "anti-facts" or alt-right views as you mischaracterized here. It's just too bad that your pathetic, uninformed comment had to start with the poisoning-the-well logical fallacy.
I personally mostly don't agree with conservative media either, and I even mostly agree with you here, but to be fair the left also has their anti-fact narratives & outlets, and wrongthink, just the same as the right--just on different issues.
I completely agree with you, and didn't mean to imply otherwise.
Although I do think there tends to be a broader overlap on the "conservative" side, for reasons that are complicated and don't necessarily have a lot to do with being conservative, the "liberal" side does indeed have its vaccine deniers, MSG paranoiacs, and so on. (However, they don't have TV networks dedicated to these things, available in every hotel and airport in the country...)
I try to judge media organizations (and people) based on their commitment to truth and openness to empirical evidence and new information. Their political leanings may be interesting, but are a (much) less significant data point.
That used to be the tendency, yes, but according to Jonathan Haidt at https://heterodoxacademy.org, "the left" has caught up to "the right"/conservatives in the number of scientific topics they deny outright, and it has happened in the last 5 years.
So very recently, and unless you've been to college in those years, you won't be aware of it.
I forget where he said it, or I would link to it. It might have been in a recent conversation he had with Jordan Peterson.
I don't know. I've received a lot of flak for even using Uber from non-tech friends/dates recently. I think the continual tide of negative publicity is definitely having a material effect on their brand image.
Funny, they opened a satellite office right near my apartment and I'd considered applying. Then I heard pretty disconcerting stuff about the environment, and now this. Dodged a bullet, I guess.
And testing their self driving cars without getting the proper permits. And hiding shit like this from investors so they’ll lose a lot of money later.
I would never work as an engineer for a company like that. How can I trust that it will honor any deal I make and not screw me? I have to think about that with every company but this one in particular can’t even spell ”integrity”.
Nobody's getting screwed yet. Nobody had their data stolen then covered up either, until they did. No investors were lied right into their face about this either, until they were. No women were harassed and had the events covered up either, until they were.
If the company views engineers as better than other people and someone they wouldn't want to screw with, I'm not working there either on principle.
Google and Facebook are publicly traded companies and stock can be sold immediately; I'm not sure we can say Uber is not screwing employees until there is a liquidation event (not counting the internal buy back program)
I never quite know how to think about them. On the one hand, they’d changed an entire industry in a way that people wanted but was getting serious resistance from the entrenched players. They had to break a lot of rules and go around a lot of people with a whole lot of connections to get where they are and in the process made a lot of enemies.
I expect blowback. I expect negative news. They essentially pulled it off by looking at every day as combat where fighting dirty was rewarded.
Yea, probably a good idea. I only even need them when I travel but all the cars I saw at the last airport had Uber and Lyft stickers anyway.
The biggest part of the comment was seeing the taxi driver protest in Seattle when I was there on business. My hotel room window had a view of city hall and I watched a bunch of cabs with a news crew pull up for about 45 seconds and start honking their horns. Then they all left and went back to taking fares.
When I watched the local news that night, the broadcast made it look as if they'd blockaded city hall for the day in protest.
It's the things like that that give me pause when I see bad press around a company that has upset entrenched interests.
AirBnb had to fight a very similar path and the only bad press I can remember about them was that tone deaf/ offensive political marketing campaign they had.
AirBnb have their own issues, and plenty of bad press about cities popular with tourists crumbling under the load AirBnB are causing on their communities.
There have been several articles about them shafting apartment owners, offering very little from their "insurance" for trashed apartments. In most cases the renters are sane people, but if you get the drug-fueled orgy, you can probably be safe in betting that AirBnB will not compensate you for the cleanup.
Plenty of companies have disrupted plenty of industries by now, but without this kind of behavior. I don't see how the way they dealt with the data breach was required to disrupt the local ground transportation industry, nor was the way they've treated employees (including drivers) and customers.
As much as I hate blaming the victim, giving your personal info just to get a taxi ride is utterly moronic. I don't want to have any relation of any sort with a taxi; I ride, I pay and bye.
Uber is like the Donald Trump of corporations. It sets new ground in how openly vile you can be without any consequences. Just like Donald Trump the real danger is not in Uber itself but in whatever it will be that uses it as a role model.
You can't say anything approaching positive about Trump. You will be downvoted. The vehement supporters of freedom of speech don't support this. Well, the irony.
User starik36's comment was in a downvoted state. Which is what prompted me to write that comment. I didn't think what he said deemed a down vote because from general observation what he stated seems true.
There isn't any irony. Freedom of speech is about preventing government censorship of citizens and has absolutely nothing to do with shielding people from the social consequences of saying unpopular things. It's about being legally allowed to say unpopular things, not about stopping people from disliking what you say.
I agree. That's all I meant too. Stating the obvious - As in, if you say anything in support of this Trump fellow, you will be down voted. And this is true as exemplified by the "down votes".
Just yesterday, I got some serious flak for suggesting that changing one person in leadership wasn't enough to make them not evil. I'm sad to see just how bad this is/was, but I'm not one bit surprised.
I think it's progress. Culture does tend to come from the top down - and just like dogs companies do have a habit of resembling their upper management.
Looks like they fired two people over this, pretty immediately at that. Uncertain if the new CEO was aware of the cover-up until (presumably) contacted for comment by a news org.
The fact that the cover-up persisted this long is bad, but on the other hand the Kalanick-era Uber probably would've gone to war with the journalists breaking the stories rather than admit fault, so there's that.
I'm not sure if that's an accurate analogy. Few politicians would want to find themselves working in the climate Trump has found in Washington, (if anything, he has proven that a groundswell of popular support can't unseat a party establishment). Also, it simply would be inaccurate to describe Uber's actions as impotent.
Edit: allow me to replace the word "found" with "created." I was just using a figure of speech.
If you think the current sitting POTUS is an innocent victim of politics, then I have a bridge to sell you. Uber has used similar PR tactics in the past to deflect/detract from their actions.
> If you think the current sitting POTUS is an innocent victim of politics, then I have a bridge to sell you. Uber has used similar PR tactics in the past to deflect/detract from their actions.
I think the point that the great great? grandparent top post was making is that whoever is in charge of dealing with the media at Uber is doing a horrible job.
Also, I am sad that we don't talk about the policies and rather focus on the personal flaws. I think there would be a chance of a compromise if we debated on policy. I mean if we talk about just personality, what makes our Honorable Governor of New Jersey eligible for office? Not a fan of 45 but really I think politics has become too polarized.
Private repo or not, checking your credentials into git is amateur.
I’d normally say eventually it’d bite you if you fall into the habit and do it on a public repo by accident but it looks like it can bite you on a private one too.
Manage your secrets. Use something like Vault[1] or Pass[2] they’re free and awesome projects.
I keep all of my secrets even non-prod ones in one of these two because if you think about it, even your “non-prod” github credentials are kinda prod since you have access to code.
Also when it comes to AWS secrets, give your developers read only access, make them turn on MFA and assume a role that scopes permissions to the work they need to do.
Leaking AWS secrets is really asking for it. The number of bots that consistently scan public git repos and then use the credentials to spin up massive instances to mine cryptocurrency is impressive. I’ve seen it do upwards of $10,000 in AWS usage within five minutes of the commit containing the credentials.
Amateur may not have been the best word. Maybe easy or lazy or debt. I've seen it a lot where it was something that was inherited and the current team knows it's a problem, but they have 1,000 features to build and never get around to fixing that debt.
If the FTC doesn't act on this they are toothless. Uber's blatant disregard for anything accountable or respectable is astounding:
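The bots described above run exactly this kind of scan against every public push; the same check run on your own side, before the commit leaves the laptop, is the cheapest guard against the mistake this whole thread is about. What follows is an added example, not code from the thread, from Uber or from any scanner project: a minimal secret scanner with one specific rule pair for AWS access keys and a generic entropy-based fallback for other providers' tokens, run over a constructed settings file. The AWS values in the sample are the placeholder pair from AWS's own documentation, not live credentials; the token, the regexes and the entropy threshold are assumptions for illustration.

```python
import math
import re
import sys
from dataclasses import dataclass

# Rules for the credential type at issue here: AWS access keys. Access key IDs
# have a fixed prefix and length; the matching secret is 40 base64-ish chars.
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
AWS_SECRET = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_?key\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
# Fallback for other providers' tokens: a secret-looking assignment whose value
# has the entropy of random data rather than of a word or a config flag.
GENERIC_ASSIGN = re.compile(
    r"(?i)(?:secret|token|password|passwd|api_?key)\w*\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9_\-/+=]{20,})"
)


def shannon_entropy(s: str) -> float:
    """Bits per character: random base64 scores above 5, English words 3 to 4."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    value: str


def scan_text(text: str, entropy_threshold: float = 4.0) -> list:
    """Return one Finding per suspected secret, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        before = len(findings)
        for m in AWS_KEY_ID.finditer(line):
            findings.append(Finding(line_no, "aws-access-key-id", m.group(0)))
        for m in AWS_SECRET.finditer(line):
            findings.append(Finding(line_no, "aws-secret-access-key", m.group(1)))
        if len(findings) != before:
            continue  # a specific rule already fired on this line
        for m in GENERIC_ASSIGN.finditer(line):
            value = m.group(1)
            if shannon_entropy(value) >= entropy_threshold:
                findings.append(Finding(line_no, "high-entropy-secret", value))
    return findings


# Constructed sample input (AWS documentation placeholders; made-up token).
SAMPLE = """\
# settings.py checked in by accident
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "hunter2"
github_token = "ghp_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789"
log_level = "DEBUG"
"""


def main(argv):
    """Scan files named on the command line, or stdin (e.g. `git diff --cached`)."""
    sources = []
    for path in argv:
        with open(path, encoding="utf-8", errors="replace") as fh:
            sources.append((path, fh.read()))
    if not sources:
        sources.append(("<stdin>", sys.stdin.read()))
    total = 0
    for name, text in sources:
        for f in scan_text(text):
            print(f"{name}:{f.line_no}: {f.rule}: {f.value[:6]}...")
            total += 1
    return 1 if total else 0  # non-zero exit blocks the commit when used as a hook


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Wired in as a pre-commit hook (`git diff --cached -U0 | python scan_secrets.py`) it rejects the commit that contains the key; the leading `+` on diff lines does not disturb the patterns. Whatever it catches, the key is already on disk in a working tree, so the right response is still to rotate it, not just to drop the commit.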
"In January 2016, the New York attorney general fined Uber $20,000 for failing to promptly disclose an earlier data breach in 2014. After last year’s cyberattack, the company was negotiating with the FTC on a privacy settlement even as it haggled with the hackers on containing the breach, Uber said. The company finally agreed to the FTC settlement three months ago, without admitting wrongdoing and before telling the agency about last year’s attack."
I hope the earlier agreement contains language that allows it to be voided, and put all the original violations back on the table. If there is no such term, this is one relatively straightforward way to improve the handling of these matters in future (if a company was unaware of other breaches at the time and appeared to act in good faith, the FTC could always choose to let the original agreement stand.)
"Here’s how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company."
Seems to suggest they committed AWS credentials into source control?
81% of all breaches now originate from compromised credentials mainly acquired from 3rd party data breaches or data leaks. Most organizations believe that 2FA and SSO are the answer but this proves that 2FA/SSO are not enough.
If the attack was conducted using login credentials found on github how does this prove that 2FA/SSO are not enough? Wouldn't 2FA have prevented easy use of these credentials?
Do you believe this kind of thing is simply unavoidable? I wonder if this could've been avoided by simply making it impossible to access data without being connected to a VPN in addition to having some sort of physical device connected to your computer.
For Amazon you can use IAM roles tied to specific EC2 instances; then no credentials are ever stored. You simply make S3 API calls in your code and, as long as the machine you're making them from has access to the bucket, you can get to the data.
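The two suggestions in this thread, read-only access behind an MFA-gated role for humans and an instance role for machines, come down to three IAM documents: a permission policy that only allows reads on one bucket prefix, a trust policy that lets developers assume the role only when `aws:MultiFactorAuthPresent` is true, and a trust policy that lets the EC2 service assume it (the instance profile case, where the SDK picks up rotating credentials from instance metadata and there is nothing to paste into a repo). The following is an added example, not code from this thread or from Uber: it generates those documents and runs a small lint over them that flags wildcard actions, `Resource: "*"`, and human principals without an MFA condition. The bucket name and account ID are placeholders, and the lint is a toy check, not a substitute for IAM Access Analyzer or the policy simulator.

```python
"""Generate and lint least-privilege IAM policies for the AWS secrets discussion (added example)."""
import json
from typing import Dict, List

Policy = Dict[str, object]


def s3_read_only_policy(bucket: str, prefix: str = "") -> Policy:
    """Permission policy: list one prefix and read the objects under it, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListPrefix", "Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}}},
            {"Sid": "GetObjects", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:GetObjectVersion"],
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        ],
    }


def human_trust_policy(account_id: str) -> Policy:
    """Trust policy: IAM identities in the account may assume the role, but only with MFA."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def instance_trust_policy() -> Policy:
    """Trust policy for an instance profile: EC2 assumes the role; no static keys exist."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head")


def _as_list(v: object) -> List[str]:
    return v if isinstance(v, list) else [str(v)]


def lint_policy(policy: Policy) -> List[str]:
    """Flag Allow statements that grant more than scoped read access."""
    problems: List[str] = []
    for st in policy["Statement"]:  # type: ignore[index]
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no sid>")
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                problems.append(f"{sid}: wildcard action {action}")
            elif not action.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES):
                problems.append(f"{sid}: write action {action}")
        for res in _as_list(st.get("Resource", [])):
            if res == "*":
                problems.append(f"{sid}: resource '*'")
    return problems


def lint_trust_policy(trust: Policy) -> List[str]:
    """Flag human (AWS account/user) principals that can assume the role without MFA."""
    problems: List[str] = []
    for st in trust["Statement"]:  # type: ignore[index]
        if "AWS" not in st.get("Principal", {}):
            continue                      # service principals (EC2) never have MFA
        cond = st.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:MultiFactorAuthPresent", "")).lower() != "true":
            problems.append("human principal may assume role without MFA")
    return problems


# Constructed "before" policy of the kind that ends up in a leaked key's IAM user.
OVERLY_BROAD = {"Version": "2012-10-17",
                "Statement": [{"Sid": "Admin", "Effect": "Allow",
                               "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(json.dumps(s3_read_only_policy("example-bucket", "exports/"), indent=2))
    print("broad policy:", lint_policy(OVERLY_BROAD))
    print("mfa trust:", lint_trust_policy(human_trust_policy("123456789012")))
```

The generated documents are what you would pass to `aws iam create-role --assume-role-policy-document` and `aws iam put-role-policy`. Note the two trust policies are deliberately different: the MFA condition belongs only on the human path, since EC2 never presents MFA, and a developer who assumes the role from a laptop then holds short-lived STS credentials rather than a long-term key worth committing.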
I don’t think many people intentionally commit secrets to source control. Frequently, it’s a matter of committing a bunch of work and accidentally missing the credentials you stuck in some prototype code.
I agree with ajsharp, this is completely avoidable.
Along with never committing secrets to source control, implementing 3rd party data breach and data leak monitoring is necessary, as recommended in NIST 800-63B.
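The concrete control NIST SP 800-63B describes for this is checking a new or changed password against a corpus of values known from prior breaches and rejecting it if it appears. The usual way to do that without sending the password anywhere is k-anonymity range lookup: hash the password with SHA-1, send only the first five hex characters, and compare the remaining 35 locally against the suffixes the service returns. The following is an added example, not code from this thread or from Uber; the range response is constructed inline (one real-looking line for the well-known hash of "password"), and `fetch_range` is a hypothetical callback that a deployment would point at a real range endpoint such as `https://api.pwnedpasswords.com/range/<prefix>`.

```python
"""NIST 800-63B breached-password check via k-anonymity range lookup (added example)."""
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for a range response: "<35-hex-char suffix>:<count>" per
# line for prefix 5BAA6. Real responses carry hundreds of suffixes per prefix.
SAMPLE_RANGE: Dict[str, str] = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"   # SHA-1("password")
             "1E4C9B93F3F0682250B6CF8331B7EE68FD9:1\n",
}


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix sent and the 35-char suffix kept."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerate blank lines and padding entries."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        if not line.strip():
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count.strip() or 0)
    return counts


def local_fetch(prefix: str) -> str:
    """Hypothetical fetch callback; a deployment would do an HTTPS GET of the prefix instead."""
    return SAMPLE_RANGE.get(prefix, "")


def breach_count(password: str, fetch_range: Callable[[str], str] = local_fetch) -> int:
    """Return how often the password appears in the breach corpus (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def check_new_password(password: str, fetch_range: Callable[[str], str] = local_fetch,
                       min_len: int = 8, max_len: int = 64) -> List[str]:
    """800-63B style verifier: length bounds plus breach-corpus rejection. Empty list = accept."""
    reasons: List[str] = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if len(password) > max_len:
        reasons.append(f"longer than {max_len} characters")
    n = breach_count(password, fetch_range)
    if n:
        reasons.append(f"appears in breach corpus {n} times")
    return reasons


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        verdict = check_new_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Two points worth keeping when wiring this into a real signup or password-change flow: the lookup must fail closed or at least log loudly when the range service is unreachable, and the check is only half of the 800-63B recommendation; the other half is continuous monitoring of third-party dumps for your own users' addresses, which this snippet does not attempt.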
I recall a story (that I'll probably recount incorrectly) about a daycare business deciding that too many parents were arriving late to pick up their children (meaning that staff had to stay late with the kids), so they instituted a fine for late pickups.
The result was that more parents were late. The reason being that the parents effectively considered the fine a "late pickup fee", and one they were more than willing to pay. If the parents were fined a day's daycare fee for being ten minutes late you can bet their attitude would change.
I see company fines in the same light - they formalise the process of absolving responsibility and moving on. Just pay the toll and continue to handle your customer data cavalierly.
It's in the book Freakonomics, when talking about economic, social, and moral incentives.
The day care changed what was a social incentive for an economic one, and then couldn't reverse the consequences: Not fining the parents anymore didn't reduce the number of late ones to previous levels.
... as I sit in my home office, just over an hour away from day care closing time I assure you I'm watching the clock like a hungry hawk watching a mouse. See, my kid's day care charges a mere $600 per hour late (billed in 1 minute increments).
I don't see kids' parents late that often :-) and we've come close to missing it, but haven't in two years.
There's a lot of things we as adults agree to where the consequences can be steep. This is one of the easier ones: we just show up on time. We plan accordingly and we, as responsible adults, manage to pull it off. That's not hard: so why not agree to such a thing?
Another perspective on this is why should we expect someone else to bear the consequences of our failing to meet our responsibilities? If we're late picking up our kid, the staff at the day care leave late to see their own families, they incur higher operational costs, etc.
Their request that we show up prior to their closing time is completely reasonable and that there are stern consequences for failing to meet our responsibilities doesn't seem unreasonable either... especially in light of the comment I was responding to.... I assure you the day care really doesn't want to collect that fee.
So you're in a car accident on the way and wake up in the hospital with a few thousand dollars in fines. Or better yet, pass out at home (in spite of being in good health; blood pressure can do weird things) with no witnesses and come to a few hours later.
If you were in a car accident, chances are that the day care would waive the fee. The fee doesn't exist to be needlessly cruel, it's there to encourage parents to pick up their children before closing.
As far as passing out in your home for a few hours. If that were really an issue for you, then potentially paying $600 might motivate you to actually go see a doctor. Otherwise there could come a day when you pass out and never wake up (and your children never get picked up by you or see you alive again)...
Even if there are no extreme cases like this, the stress of $10*num_of_min fine is not worth it. It seems disproportionate by a huge margin, and may contribute to bad health issues (e.g. blood pressure).
The point is that you're not expecting people to ever pay it, because you've set it high enough to be a solid disincentive. If people are actually paying it regularly, you obviously haven't set it high enough.
This is also common when quoting freelance projects you don't really want to do.
This. I'm an independent consultant, too. There are things clients want me to do that I don't want to do and on terms that I don't want to do it on. However, if there's a real pinch and they have no other choice than hire me for that kind of gig: I'll do it, but you'll pay me my "I really don't want you to hire me for this" price. I'd rather they not hire me in those cases, but just telling them no is more alienating than telling them in advance here's my "don't hire me for this price".
(and with that... I better pick up the kid... ;-) )
The way you fix this is by making each 5m late cost 2 gallons of milk. If you are late for 15m that's 6 gallons of milk; an operational burden has been passed to the late parent. It's embarrassing to bring in 6 gallons of milk, an inconvenience to buy and deliver it, and an effective deterrent.
Or draw a different conclusion from the situation: parents are clearly willing to pay a premium for the daycare to stay open later. So raise the price for that service high enough that it's worthwhile for the daycare (including hiring additional staff as needed or paying overtime).
That amount of milk would last a couple days if snack is included in tuition. 20-40 glasses of milk, twice a day.
If for some reason you have too many gallons of milk, you can also use toilet paper, 10 rolls per 5 minutes. You can never have too much toilet paper, some late parents even buy the soft stuff too! lol
A huge fine isn't always the best deterrent and it makes people generally mad at your child care center.
Everyone gets a chuckle out of seeing a dad walk in with three jugs in each hand... It's a light hearted walk of shame and it really works to deter late pickups which is the real goal.
It's not so great for the staff either. Instead of waiting an extra 10 minutes for a parent that's 10 minutes late, they now have to wait 30 minutes because the parent had to make a 20 minute detour to the grocery store to buy milk.
> A huge fine isn't always the best deterrent and it makes people generally mad at your child care center.
EDIT: You can make this revenue neutral. Give parents a discount at the end of every month out of the money they collect in late fines. People on time at a better-than-average rate will come out ahead.
If they are chronically late, and the person feels like they are being slighted as a child, this is also a decent way to "fire" your customer. You don't need customers who don't respect the agreed rules of your service.
Another alternative is calling the police, because at what point is the child considered abandoned?
I think I would prefer the light hearted milk or toilet paper errand.
It's actually kind of brilliant -- you're fining them in time instead of money. They've already demonstrated that they value being able to use money to buy time flexibility, so this is a fine that hurts.
And the fine should always be bigger than whatever the company pocketed from the "crime" during that time.
I think it was AT&T or Verizon that got fined the "record" $3 million by the FTC for tracking users' browsing behaviors for like 2 or 3 years.
The FTC should have asked (subpoena I should say) the company for reports on how much money it made per user from that tracking for the whole period, and then charge it a multiples of that.
Did it make $1 billion? Charge it $2 or $3 billion.
And do this sort of stuff across industries with a regular occurrence, so that companies can "expect" such audits, and so they don't just think it's a one in a decade fine that maybe one company in the industry will get.
I think you'll see abusive behavior drastically reduce.
> The reason being that the parents effectively considered the fine a "late pickup fee", and one they were more than willing to pay.
The real question in this story is this: If you find that you have customers who are willing to pay you more for providing more service ... why not provide that service? You get more money, your staff gets paid overtime, parents get peace of mind, everyone's happy.
I... don't really think that's the point of the story. Certainly not in any way that involves keeping this conversation on the topic of Uber being fined.
Because that extra money may not be enough to pay for the additional people who would need to be hired? While existing staff may be willing to stay 30 minutes more occasionally, they might not like the idea of having even longer shifts all the time.
You can scale the price to find a point where it's economical to offer to stay open while maintaining good relations and if the demand is consistent and heavy then scale that price appropriately or, alternatively, simply refuse to service repeat offenders if it's becoming a serious headache.
It's a bit of a hard question because the daycare may not have a legal way to stop holding the child, unlike fedex they can't simply return it to sender, so these sorts of contingencies might not be expected on opening your center, but you'll need to scale into them.
They can always call child services, and have DCFS pick up the kid. I think that is what one of the local daycares by me does, after a certain cutoff time (i.e., they can't be expected to stay open all night).
I suspect the real reason in most cases is because daycare providers are often small companies, sometimes 1-2 people. At the pickup time you've been working 9-10 hours, and there's often cleaning to do afterwards. Making more money is nice, but committing to working 12 hours days five or more days a week in perpetuity is a tall order.
especially when the cost of doing the right thing is higher.
i mean look at HSBC - laundered trillions of dollars of mega-organized-crime money. for a decade. 400m dollar fine probably isn't even .01% of what they made off that endeavor
...why even use numbers, a concept literally defined to quantify things, if you're just going to use utterly incorrect ones?
HSBC did not launder trillions of dollars over a decade, that figure is three orders of magnitude too high. HSBC is being fined $1.9B, not $400M.[1] HSBC also did not earn 19 trillion dollars over the course of a decade, which is what would make $1.9B your 0.01% figure. Even a $400M fine would still constitute earnings of $4 trillion.
Not only are your numbers incorrect factually speaking, their relationships with each other are entirely out of whack for measuring HSBC's profit, even in an absurd hypothetical scenario in which HSBC did launder trillions of dollars.
You are confusing profit, earnings, and the amount of money laundered, each of which is distinct and very different.
If you give me a million dollars in counterfeit bills, and I launder them for you, I might get paid only $10,000. My laundering efforts might have cost me $9,000. In this case my profits are $1,000 even though my earnings were $10,000 and I laundered $1,000,000.
I'm not saying that HSBC laundered 19 trillion, but the earnings and/or profits of HSBC have absolutely no relation to the potential amount they laundered.
Edit: Thanks for the corrections. I definitely messed up the magnitudes here. Was doing some other calculation on another topic and somehow I mixed them both. Sorry about that. Please disregard this comment as it is way off :(
While "trillions" is definitely inflated and hyperbole, I don't think it's THAT far off.
According to this The Guardian article [0] "At least $881m in drug trafficking money was laundered throughout the bank's accounts."
So 0.88 Tn. Definitely not "trillions" but definitely much more than I would've expected if they said "billions laundered".
Also, it says "at least", which I take it to say that the investigation was not complete so a final number couldn't be calculated and only a "lower" cap is given. Potentially it could still be "trillions" as in e.g. "1.3 trillions" (if that final figure is ever calculated or even published of course). So inflated, yes. Hilarious... not so sure.
Because it was in response to a post about how low the fines were:
"i mean look at HSBC - laundered trillions of dollars of mega-organized-crime money. for a decade. 400m dollar fine probably isnt even .01% of what they made off that endeavor"
$1.9b may sound like a lot, but there's a lot of blood attached to it.
Perhaps you should start reading this thread once more, starting with untog's daycare story. Then you might see why the financial facts are important.
It's not because any specific fine can ever be adequate compensation for all the suffering caused by the cartels. It's because you want the fine to be large enough to actually deter bad behavior in the future.
In this particular case I believe the fine (perhaps in combination with the threat of other regulatory action) has changed HSBC's behavior as there are many stories about erroneously frozen HSBC business accounts.
I just wonder if any number of deaths will ever change the behavior of the politicians who designed the disastrous war on drugs policies that have so utterly failed. I fear that won't happen as long as voters don't care about facts.
If ever you need evidence that people see really large numbers and lose perspective, look to this conversation and how many people completely glossed over the use of trillions instead of billions, a mistake so small it puts HSBC revenue in the realm of well developed nation states...
It wouldn't. But I'd wager that Uber isn't going to be held accountable (or not very accountable) for this, so why not write the rules so that everyone gets to be as cavalier? It'd save a lot of companies the headaches that go along with I.T security.
Better example. Almost everyone performs rolling stops at stop signs. Even when people are ticketed they just pay it don't change their behavior. Why have the fine at all?
I don't dispute your logic though I would prefer more traffic law enforcement.
But the uber situation would be closer to this - the parking meter costs $20/hr and a parking ticket costs $5. We're creating a situation where people who break the law get ahead of those who obey it. Either we can ramp up enforcement (good luck with that happening) or we can level the playing field.
I would prefer smarter drivers over more laws. Mandatory defensive driver education programs and stricter tests. Few people ever intend to break the laws that get them into accidents, so making sure they don't accidentally break them by being smarter, more aware drivers would be ideal.
Well look at this case as an individual circumstance:
The US federal government decided 30 years ago that it was going to attempt to prevent some kinds of transactions from being part of the global economic growth. Kinds of transactions that were always here, and always willing to be part of the global economic growth.
It decided to use other people's money to attempt to enforce this blockade, at great expense, for perpetuity.
It does this by creating onerous reporting requirements for companies and individuals worldwide, and onerous and expensive procedures for the individuals that fail to merely file the correct paperwork.
All the while, massive multinational banks have been letting the well funded organizations continue moving their money through them and contributing to the global economic growth, while citizens are being fined and imprisoned for paperwork problems.
And your go-to thought was a satire on anyone suggesting less regulation, implying the same or more regulation would be a BETTER use of public resources?
World economic growth has always been fueled by money whose source you don't agree with. Using everyone's money in a government to merely PRETEND like it can prevent illicit sourced money from being used seems irresponsible and unconscionable, looking at the track record.
Is it really so uncomfortable to admit that multinational "cartels" (organizations of people under a common charter) are pretty good at fueling economic growth globally? Because that's how it's always been.
Anti-money laundering laws don't pretend there is a victim, they attempt to discourage behavior by regulating an intermediary.
They also fail at it while ensnaring otherwise law abiding citizens in the dragnet.
So there is no logic to extrapolate to murders, where there is a victim from the activity of murdering.
AML via the Bank Secrecy Act, Patriot Act and other regulations was a swing and a miss, just looking at the evidence alone. Cash transactions over $10,000 were supposed to be reported, to stop terrorists, and the 1 BILLION of organized drug money that HSBC cleared is the equivalent of a dozen terrorists being financed per day, since 9/11.
Except it's just people with a little extra cash who get jailed from these reporting laws.
"There will be two levels of fines based on the GDPR. The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher. The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher.
The Parliament had requested for fines to reach €100 million or 5% of the company’s global annual turnover. The agreed fines are the compromise that was reached."
That's not necessarily the case. Consider two firms one that has $1 billion in revenue and one that has $100 million in revenue. You'd argue that the bigger firm is getting off easier with a $20 million fine vs the smaller firm's $10 million because the fine is 2% instead of 10%.
OTOH, consider that the bigger firm is made up of a collection of 10 services, each earning $100 million. The breach is only in one business unit - is the global revenue a fair metric if the breach is not global?
It will be interesting to see how this is enforced against giant corporations when (inevitably) some small piece of data is missed on some small service in a business unit nobody at the c level has ever heard of.
Even larger fines seem to draw weak behavior change. The U.S. corporate structure is remarkable in that sense. It shields employees (especially executives who often don't carry out orders) from criminal and financial responsibility for their actions.
This is not true. Back when JPM was being fined billions of dollars when the Southern District of NY was after them, they were quaking in their boots internally while at the same time redlining PR efforts to project external calmness.
Huge fines do exactly what they’re intended to do. JPM for instance responded by making legitimate operational changes to detect all manner of financial malfeasance within their organization.
What? Uber acted in an unethical manner? Seriously, is anyone surprised? I kinda hope (but not really) that they get hacked again in June 2018 and play the same trick.. us in the EU will have a party on Uber's corpse over GDPR.
And then we can go back to getting ripped off by taxis. I’ve lost more money in taxi rip offs than I ever spent on Uber.
Other than the sexist nonsense of the CEO, there really is an irrational hatred of Uber. Are many of us secretly moonlighting as cab drivers?
Uber’s nonsense is minuscule compared to generations of taxi corruption.
This isn’t me excusing Uber but it does seem like many people, especially Europeans have an inordinate amount of glee over anytime AirBnB or Uber get in trouble. Has the hacker ethic really devolved into statism?
We should be cheering over disruption of the status quo. Does anyone actually long for the days of getting ripped off by over-regulated and over taxed hotels and taxis?
Do you people actually like having government pick winners and losers? Do you actually trust government to do the right thing? Governments have a strong track record of stifling innovation, abridging freedom and giving regulatory handouts to the privileged classes. People here get all kinds of sanctimonious when it comes to patents and copyrights yet seem to fall firmly on the side of the entrenched incumbents when it comes to things like disrupting hotels and taxis. It’s a weird double standard; a hatred of government when they want to prevent people from stealing movies, but a love of government when they want to prop-up taxis and hotels.
Or maybe it's because people have valid concerns about little things like privacy, ethics, sexism, and the longer term effects of disruption that places more money and power into the hands of companies that are more than willing to overlook whatever regulations they deem are irrelevant.
Having those concerns isn't the same as unfailingly supporting incumbents, out of date regulation or a love of government.
I feel like I've read almost this exact same post from you the last time Uber was in hot water. 'But what about the taxis' isn't a good defence, it's called a tu quoque fallacy and it ignores the existence of other competitors like Lyft and others who would surely fill the market gap if Uber were to disappear.
It's a really crappy and obvious distraction tactic, made worse by the addition of cliched libertarian sighs.
AirBnB might solve the hotel problem, but left unregulated, they would (and did) stress the rental market. Not just in Europe, but also in San Francisco.
> regulatory handouts to the privileged classes
And unregulated AirBnB is basically a way for rich people (privileged classes) to buy apartments in cities and turn them to money-making machines, to the detriment of the lower-incomed renter (lower-incomed because they can only afford to rent, not to buy their own place).
Most European cities I've been in have way better public transportation than any US city, which makes Uber a much less valuable proposition. On top of that, taxis tend to be more professional, so even as a high-end option uber is less compelling.
taxis are also participating in the social security system : they pay taxes and therefore get social protection. Uber drivers don't get that. So basically Uber is pulling social security standards down. I understand they do fill a niche and they provide good service, but they have to play by the rules (esp. when the rules are here to help people).
Now you can always complain that the social security system is not efficient but that's an entirely different debate
The bad PR might hurt more but I would err on the side of caution and say it has little effect. I have talked to drivers and passengers and they are unaware of those things.
I bet the statutes define fines the same for any party with some maximum. States could charge a percentage of revenue, cash on hand, valuation, but those are easily fudged to minimize liability.
About that time my Uber account was 'hacked' and someone kept requesting rides in Florida and I had to cancel them as fast as they made them.
I emailed Uber support and they got back to me 3 days later.
Then someone proceeded to try to gain access to every account I had with that email and password (yeah, yeah, I know). The next worse was someone getting into my DigitalOcean account and launching an instance.
It has finally settled down, I occasionally get alerts from people trying to break into something but lots of 2FA and no shared passwords anymore.
I am not sure if this was Uber's fault or another site's but the timeframe of Oct 2016 lines up.
In the disclosure it says that the attack included names, email addresses and phone numbers. It did not contain any passwords or social security numbers, so your passwords must have been compromised in some other way.
It's not related to this particular breach, but given this and Uber's other issues, it's not out of the realm of possibility that at some point they had a more serious breach involving loss of password hashes or interception of credentials at login.
(But in all likelihood the poster's account was just compromised through the usual means, otherwise there would be more reports of hacked accounts.)
The article states that this disclosure came out of an board commissioned investigation into the activities of Sullivan’s security team. Do you think that other more serious breaches discovered by this investigation is hidden, or is this more of a general sentiment around how you perceive Uber?
From the article: "After Uber’s disclosure Tuesday, New York Attorney General Eric Schneiderman launched an investigation into the hack, his spokeswoman Amy Spitalnick said. The company was also sued for negligence over the breach by a customer seeking class-action status."
I read that, what I do not get is how the difference in judgement can be justified.
Small companies will instantly get sued and pay fees ruining them for these things. And that's already the first time it happens. For Uber this is beyond ten-finger counting in terms of issues in the past two years.
It is just not having any consequences and by now from the legal side you can conclude that Uber is a repeated offender which has not learned anything from previous cases.
So, my point stands. When will this actually lead to consequences and justice being served?
I know Joe (the ousted CISO). I’ve known him for almost 15 years, and worked with him professionally in the past.
This is not like him. He was the most ethical lawyer I ever met. Everything was by the book. He cares about privacy. He cares about users. He’s prosecuted the worst of the worst.
CSO/CISOs are basically there to be the fall person in the case of a data breach. Your job is basically to implement process and policy to the point of nearly breaking productivity, then get fired when that wasn't enough.
Never underestimate the power of marketing. My mother for instance would use Uber over any ride-sharing system due to its insane exposure and the fact that these stories remain relatively unheard of in comparison.
My family and friends outside the tech industry have almost no clue about nearly all these scandals - especially the data breaches and the former CEO's indiscretions. About the only thing they hear is that some Uber drivers have assaulted passengers in the past, but they write that off against the fact that a lot of Taxi drivers have done the same in the past.
It is a telling example that the pain point of a bad taxi service in a city is usually enough for them to conformance rationalise that Uber is still a better alternative, despite any of these issues.
It's already way more common to use "Uber" as a verb, or even a noun, that doesn't necessarily even mean Uber the company itself.
People have asked me before if I'm about "to uber" or "take an uber" someplace and they say it in an obvious way that implies "any ridesharing company" (or lyft in my case since most people know I only lyft nowadays).
Uber just as a word for ride-sharing has become ingrained and won't be easy to get rid of, IMO.
It’s weird, I’ve been using Lyft as my only ride-sharing service for almost a year, but still catch myself saying “I’ll Uber over there in a bit” all the time. It’s definitely because saying “I’ll get a Lyft” is indistinguishable from “I’ll get a lift” and I want to disambiguate that I’m talking about a ride-sharing service, but I wonder how many other people do this and if (in several years at least) their trademark is in danger.
> Same as `googling` will long remain the synonym for `searching the internet`.
That's more due to the ubiquity and dominance of Google itself.
It's rare to hear someone say "I Googled it on Bing" or even "Let me Google my email" when they're using Outlook. Maybe not unheard-of, but definitely nowhere near the threshold needed for genericization.
>It's rare to hear someone say "I Googled it on Bing" //
True AFAIK but if you ever give computer support you'll find people "just google it" and use the greeting page on their browser [aka "the internet"] which is just as often Bing or Yahoo as it is Google. Google, the verb, is definitely generic but the RTM holders of Google have several hundred million of $currency to spend on lawyers to say it isn't.
Laws & strong enforcement, with an informed population.
While money gives power, the concern is that it's concentrated in a small number of people. Voting is not, and can result in controls of essentially any level.
Start communities that use solar/wind energy, grow their own food (maybe using this in urban areas: https://www.media.mit.edu/groups/open-agriculture-openag/ove...), use WiFi mesh networking, maybe launch their own satellites (for inter-community links: https://newatlas.com/tubesat-personal-satellite/22211/), build their own things with multi-material 3D printers (maybe even print semiconductor components, who knows...) and employ barter rather than artificially scarce magical paper or e-coins. Also, employ "DIY Bio" in ethical life enhancing way, open production (open source everything etc) The technology and paradigms exist today or will fully exist soon.
Uber employee chiming in - while I entirely sympathize with HN's frustrations around our ethics and can't really justify our actions around this data breach, it is very much worth noting that Lyft would not exist were it not for Uber's extremely aggressive practices. There were/are far too many protectionist policies at play at most locales that -- not out of pure coincidence -- needed a company as aggressive as Uber to pave the path for a better option for both riders and drivers (over existing taxis).
We fought all the battles, took a hit on our reputation and set it up nicely for Lyft who very smartly played along with the nice guy approach to capitalize. Net-net, no Uber would have most likely meant existing taxis everywhere and as most riders/drivers will tell you, there is nothing inherently better about either app, they offer the same, pay the same but vastly differ in perception.
That said, we took our aggressive attitude way too far. In an ideal world, Travis would have evolved or replaced himself a couple of years back once the company essentially reached escape velocity where our consumers themselves became our most fervent supporters. Unfortunately that did not play out and making a near perfect switch like that is probably unlikely.
Given this important context, I hope you will give Uber another chance as in the end, Dara and the employees are genuinely trying to evolve by doing the right things and putting all of this behind us. You can get some sense of this from going to sites like reddit.com/r/uberdrivers (or r/lyft) and seeing the changing perception at least from the driver side of things.
I disagree that Lyft would not exist; Lyft invented the UberX category. Originally Kalanick complained about Lyft's creative interpretation of the law, before succumbing to internal employee pressure to introduce a competitor. Years after its introduction, Kalanick admitted that he didn't believe in UberX until it demonstrated its success.
That said, almost all of the notable legislative and regulatory battles were conducted and won by Uber.
The wrongful actions by companies do get forgiven eventually, as toxic executives leave (as in the case of the CEO, Legal Officer, and now the CSO), but no public is foolish enough to immediately absolve any company of wrongdoing. Uber will have a reputation for sexual harassment long after it meets or exceeds the standards of other large companies.
In fact, there was a company called SideCar[1] who popularized the idea of ridesharing before Uber and Lyft. There was a time, maybe 2013 or 2014 when I exclusively used Sidecar until Uber became more prominent. Uber was only offering their high end cars at that time.
Are you saying the ends justify the means? The problem is that over and over and over we see companies breaking the rules, reaping massive rewards as a result of unethical practices, saying "sorry" and then carrying on with no real consequences. It sets a horrible precedent and unless people start being punished instead of rewarded(!!!) for their actions nothing will change.
I drove for Lyft and Uber during that era, and I promise you Lyft was doing just as much to fight those protectionist policies; they were doing it with a lighter touch. In many places they were making headway, and then Uber's asshole tactics wound up turning it into a two-steps-back situation (getting ridership access to San Diego Airport, e.g.).
It's not like Uber did one bad thing. Uber has been a fountain of terrible things for years and years. You even admit that Uber's market-dominant position has been achieved through those terrible things. And those are only the terrible things that we've discovered despite Uber's energetic attempts to cover things up. Lord knows what horrors you're still hiding.
Until Uber loses their ill-gotten lead, I won't even consider using them.
I don't buy your view of what transpired. "In an ideal world", "making a near perfect switch like that is probably unlikely", "took a hit on our reputation", etc. None of these truly recognize the actual weight of what Uber has done as an organization.
When I deactivated my account it was a huge pain, I had to reply to 2 emails, and in the end it took 5 days to complete. That alone annoyed me enough to never go back.
Wasn't like that when Uber let my account get hacked and 1k was stolen from me. When that happened I went searching for answers and found Uber blaming its users for their lack of security. Further, I immediately wanted to cancel my account .. chop off its head/the source, but had to wait days for Uber to delete my account.
They are worse than Comcast and, sorry, need to burn through all their VC money till they are ashes! Loathe Uber so much!
IIRC you can't remove all payment methods from the app, so just deleting the app will leave your credit card information in their hands. Also all your previous ride data will still be on their servers. Both of these things could be lost in a data breach, and presumably account deletion deletes this data.
> In the EU, data protection rules mean they must delete all user data on request.
That means every day I'm a new customer and get $20 off my first ride of $22. One day, they'll wise up and stop making such silly deals.
The behavior described here is extremely selfish and amoral. It amounts to gaming the system. Additionally, the cost of exploiting a loophole such as this will be passed on to other customers before the company stops offering a losing deal. Those customers will not be reimbursed when the offer is rescinded.
The antisocial behavior of the company would not excuse the antisocial behavior of a user acting in this way.
I _really_ hope they let braintree handle that and don't touch PANs. If they do store PANs, presumably they'd be audited and hopefully would store them more securely. But hey, I guess you never know and less exposure is always better.
You may or may not want to remove your information, especially if you change phones. Someone getting your phone number could charge rides to your account if you don't unlink your credit card information.
It's also good hygiene to delete accounts. I don't typically do it, but when a company offers an easy delete button, I won't refuse.
Uber is one of the fastest growing companies in the world, and it did an enormous amount of good in challenging laws prohibiting voluntary exchange and in expanding transportation options (which had benefits that included reducing DUI), while making many serious mistakes. I don't think it can be characterized as a "bad place", and I don't think many hiring managers will consider having experience at Uber a black mark. Quite the opposite.
Good, it's important to judge a company of 10k people on one person's story. That's usually a great strategy.
I'm not defending uber, but this kind of attitude is exactly what got Trump elected. You can't generalize and demonize entities based on one person's view.
You might have a point if this was a different company, but look at the context - it's Uber. Probably one of the outright most scummiest companies out there.
You'll find that thinking like that will only lead to misery at worst and hypocrisy at best. For example, if you live in the United States (though this logic applies to any country, really), you'll be interested to know that the US holds the world record for the number of innocent civilians killed [1].
EDIT: I realize I sound far more judge-y than intended in these posts. My overall point is that people should just do whatever makes 'em happy while doing the best you can (w.r.t. everything else). Trying to emphasize the morality in your actions is just wrong, imo.
It’s just not possible to be perfectly consistent in all your actions; we’re all hypocrites somewhere if you consider it all down to the root. We probably all hate forced child labor, yet we all own smartphones, all of them most likely built with resources mined by children under grueling conditions. (This text is typed on one.) Still, don’t let that stop you from doing the right thing once in a while. If we all did the right thing most of the time, we’d still be hypocrites, but the world would probably be a better place.
A false premise. If that were true, just like you stated, we wouldn't support it. Actions speak louder than words, and all that.
It’s not a false premise. It’s just not humanly possible to change everything you don’t support. We can’t move all back to self-dug caves and till the land with our bare hands. You need to pick your battles.
It's not about changing things you support, it's just about consistency in your actions.
Taking the child labor thing into account, never buying brand new electronics again would pretty much take care of that. One could make an argument that buying used goods is still supporting child labor, but I'd argue it's a sunk cost.
Why choose this example? Child labour is rife in many sectors, particularly textiles.
It's also rampant in electronics recycling[0]. So even if you never buy any new electronics, you're complicit when you dispose of your old electronics.
The point is you shouldn't allow an impossible quest for perfect ideological consistency and moral purity to prevent you from doing good on an imperfect, inconsistent scale.
Consistency is absolutely impossible, as you already alluded to. It’s not a bad move to assess the current position, accept it for what it is, and improve it bit by bit. Pick your battles.
Two wrongs don’t make a right when you try to sum them, i.e. combine them. My point is: don’t compare them at all. Don’t change the subject. Uber is one, other things are another. Being a hypocrite doesn’t make you wrong, it just makes you a hypocrite. Don’t even pull in the other wrong to begin with.
Otherwise, how do you ever justify standing up for anything you believe in? I was born a hypocrite, surely a life of mute acquiescence can’t be my destiny?
My overall point is that people don't actually care. It's just virtue signaling. If people cared they'd have consistency in their actions. For example, you probably are very consistent in the fact that you probably will never cause physical harm to someone.
Consistency isn't impossible at all. People are already very consistent in doing what simply is convenient for them. In the case of Uber vs. Lyft, if you live in an area where they're priced similarly and are of similar service it's easy to switch to one or the other under the guise of trying to do the right thing, or whatever.
Not using Uber hardly requires any effort. What, ten seconds to uninstall an app and install the alternative one?
> My overall point is that people don't actually care. It's just virtue signaling.
That's just, like, your opinion, man.
I care up to certain thresholds. Last year my Uber use was probably 90%, Lyft 10%. Now that's flipped. I only use Uber if I'm outside the US and there's no comparable local alternative.
Uber is demonstrably making less money than it used to because I do this, and Lyft is making more. I'm personally happy with that arrangement, and honestly my feelings here are the only ones that matter. I don't particularly care if you think I'm just "virtue signaling" or if I'm "not doing enough" or whatever.
Hey, just wanted to let you know (not that you care), that you're 100% right. My original post, and subsequent responses were based on a false equivalency.
Dunno what I was thinking, I was totally in the wrong. Apologies if any offense was taken.
> people don't actually care. It's just virtue signaling.
"Virtue signaling" is an annoying, low-effort way of dismissing something. Try harder. You haven't even provided any evidence. Here's an alternative proposal: People like doing things that they believe will make the world a better place, within their money/time/inconvenience budget, in ways that are limited by their attention. They're human - they have limited attention, limited capacity for simultaneously optimizing hundreds of metrics, and many competing demands that they're trying to satisfy, so they're not going to be perfectly consistent.
No, one person uninstalling Uber is not a massive blow against evil. But many people uninstalling it has been enough to send a pretty powerful signal that -- in conjunction with a lot of concurrent social and legal factors -- is causing Uber to do a pretty solid about-face.
(And it's not seconds, because depending on where you are, Uber may have many more drivers than Lyft -- people travel, after all, so even if Lyft is equal in your home market, it's not equal everywhere. You're also losing the prospect of alternating apps when one or the other is in surge pricing. If you're a heavy user of ride-sharing services, uninstalling Uber imposes both a time and monetary cost.)
Kudos to the GP and others for uninstalling Uber. And for every other step they've taken to try to improve the world by their own actions.
Dans ses écrits, un sage Italien
Dit que le mieux est l'ennemi du bien.
(In his writings, a wise Italian
says that the better is the enemy of good.)
-- Voltaire
Don't let the pursuit of perfection stop you from doing anything that matters.
Though I appreciate your post, it only further emphasizes my original point. You, apparently a professor at CMU, praise folks for merely uninstalling an app. Something you only knew because they bothered to post it on an internet board. This further reinforces that people should post that they're doing such virtuous things to begin with. Why, because they want to increase social standing among people in a given area, that is computer science, to which you already have a high standing in, given that you're a CS professor at CMU.
So yes, it is virtue signalling, pretty much by definition -- "the action or practice of publicly expressing opinions or sentiments intended to demonstrate one's good character or the moral correctness of one's position on a particular issue." That being said, I don't think virtue signalling is bad. In fact, it's virtue signalling that has led to the pressure on Uber that brought about this very discussion.
---
As an aside, I didn't realize "virtue signalling" was such a bad word, as well as "hypocrisy." I guess I'll have to stop using those words.
> people don't actually care. It's just virtue signaling.
You're making claims about their underlying motivation, and dismissing their actions as just virtue signaling.
"They're not doing A, they're only doing B"
Showing the presence of B is not sufficient to demonstrate the absence of A.
Second, you haven't actually shown that they're virtue signaling. Note that your definition specifically includes intent: "publicly expressing opinions or sentiments intended to demonstrate one's good character" -- the OP could be expressing their sentiments publicly in order to induce others to follow suit, for example. The same post admits many possible explanations, and you are in no position to read the mind of the posters in order to divine their intent. You're making assumptions, but you again haven't presented any evidence to suggest that your hypothesis is better than any others.
> You're making claims about their underlying motivation, and dismissing their actions as just virtue signaling.
This is true.
> Showing the presence of B is not sufficient to demonstrate the absence of A.
This is also true.
> Second, you haven't actually shown that they're virtue signaling. Note that your definition specifically includes intent: "publicly expressing opinions or sentiments intended to demonstrate one's good character" -- the OP could be expressing their sentiments publicly in order to induce others to follow suit, for example. The same post admits many possible explanations, and you are in no position to read the mind of the posters in order to divine their intent. You're making assumptions, but you again haven't presented any evidence to suggest that your hypothesis is better than any others.
Indeed, though, with respect to this there's no evidence -- save the person themselves stating that's what they intended -- that I could present that would be sufficient.
Overall I regret my original post and the ensuing posts, since ironically, my original intent was far less aggressive than is implied by the responses.
The point is that if you know that the US kills civilians yet you stay in the US, giving them money through tax, the majority of which is used to fund the very same military that kills civilians, yet claim to do the right thing, that's hypocritical, no?
In any case, you're right. There is no conflict. Just hypocrisy.
Why should I tidy my room when we don't have world peace?
It's a ridiculous comparison. Leaving the country is a lot more difficult than changing ride share apps. It's not hypocritical to take the low-hanging ethical fruit, even if you don't do the harder stuff. In any case, living in a country doesn't imply that you support everything its government does. If anything, the ethical course of action is to stay and try to change things.
This number doesn't account for countless millions, if not the majority of Americans who drain more from the government in the form of services, subsidies, and assistance than they pay in taxes (and I'm not suggesting this is necessarily a bad thing).
No no. My point probably just wasn't properly conveyed. In the original post I replied to, the person encouraged their friends to use Lyft after hearing about the terrible things over at Uber.
Presumably they want friends to switch over so as not to support an organization they disagree with, but my point was that doing so is pretty much impossible to begin with. If the goal is to not support organizations that do things you disagree with, it's futile.
Therefore, one should just decide arbitrarily. It really doesn't matter.
Taking money away from a bad company helps stop that company from doing bad. Similarly, voting for a politician who will try not to kill civilians helps prevent civilians from being killed. Both of these are correct actions to take. Moving out of the country is comparatively less effective, and continuing to give money to the bad company is not effective at all.
"things are never that simple" says the guy who is implying that you shouldn't think about whether a company is moral/not if you live in a country that does horrible things?
Heh, yeah I'll admit the original post and the subsequent responses were pretty dumb. Can't change the past (no really, I couldn't edit it even if I wanted).
If you're not willing to restructure your entire life to the point of renouncing citizenship of the country you were born into then you shouldn't ever make any choices based on moral principles whatsoever? uh.. what??
Amazon's access control and authorization system is the current most important broken thing in the industry.
The Joe Sullivan details are the lurid stuff that propels news story copy, but the important takeaway is that almost nobody, including companies with serious investments in security, can safely get a large-scale dev team deploying onto AWS.
This story keeps getting re-told, and has been for something like 5 years now. It's a problem, and it needs to get fixed, decisively.
Full disclosure: I'm the founder of CloudSploit[1] which aims to reduce these risks.
You're definitely on to something here. While I wouldn't call AWS security "broken," it is next to impossible to implement it correctly in any medium to large size business. There are 30+ services that AWS provides, each with an infinite number of security controls, JSON-based policies, etc. Cross-service access is even worse. Almost every service has some form of sub control that extends or complements the main security tool (IAM). KMS has key policies, ECR has registry policies, SNS has delivery policies, etc. S3 has perhaps the most confusing permission policy in existence, which has led to scores of high profile hacks this year alone.
There are 12+ public regions now, with more coming every few months, each fully enabled, yet segregated within the UI and API (which makes detecting attackers who have embedded themselves in unused regions more difficult).
All it takes is literally one typo in a single user's policy and leaked credentials, and your environment is completely compromised. Recovery is next to impossible without basically starting from scratch, because you'll never find every tiny hole the attacker left as a backdoor for later without combing through GB of CloudTrail logs.
Now take all that, put it in an organization with 500+ engineers and you can see how easy it is for this to happen. Think you're safe by putting each team in their own account? Well AWS supports cross account role provisioning and engineers can easily set that up within their accounts. The spider web of issues is endless.
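The comment above describes the failure mode in the abstract: a single over-broad statement in one identity's policy, or a cross-account trust relationship an engineer set up on their own, is enough to turn one leaked key into a full compromise. As an added example (not from the original thread or from Uber), here is a small linter over IAM policy documents that flags the patterns the comment lists: wildcard actions, mutating actions granted on `Resource: "*"`, `Allow` with `NotAction`, and `sts:AssumeRole` trust policies that admit the public or an account other than your own. The three sample policies and the account IDs are constructed for the demonstration; the JSON shape (`Statement`, `Effect`, `Action`, `Resource`, `Principal`) is the real IAM policy grammar.

```python
"""Lint AWS IAM policy documents for the over-broad grants discussed above.

Added example; the policies below are constructed, not taken from any
real account.  Only the standard library is used, so it runs offline.
"""
import json

# Verb prefixes AWS uses for read-only operations; everything else is treated as mutating.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head")


def _as_list(value):
    """IAM allows Action/Resource/Principal fields to be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(principal: str) -> str:
    """Account ID from an ARN (arn:partition:service:region:account:resource) or a bare ID."""
    if principal.isdigit():
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else ""


def _is_wildcard_action(action: str) -> bool:
    return action == "*" or action.endswith(":*")


def _is_read_only(action: str) -> bool:
    verb = action.split(":", 1)[-1]
    return verb.startswith(READ_ONLY_PREFIXES)


def audit_policy(policy: dict, own_account: str) -> list[str]:
    """Return one human-readable finding per risky Allow statement."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid") or f"Statement[{idx}]"
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants every action not listed")
        if any(_is_wildcard_action(a) for a in actions):
            findings.append(f"{sid}: wildcard Action {actions}")
        mutating = [a for a in actions if not _is_wildcard_action(a) and not _is_read_only(a)]
        if "*" in resources and mutating:
            findings.append(f"{sid}: mutating actions {mutating} allowed on Resource *")

        # Trust policies: who may assume this role?
        principal = stmt.get("Principal")
        if principal is not None and any(a.lower() == "sts:assumerole" for a in actions):
            aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
            if "*" in aws_principals:
                findings.append(f"{sid}: role assumable by any AWS principal")
            for p in aws_principals:
                acct = _account_of(p)
                if acct and acct != own_account:
                    findings.append(f"{sid}: cross-account trust to {acct} via {p}")
    return findings


def audit_policy_text(text: str, own_account: str) -> list[str]:
    return audit_policy(json.loads(text), own_account)


# Constructed sample policies (hypothetical account IDs).
OWN_ACCOUNT = "111111111111"
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BucketRW", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"}]}
DEV_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DevFullS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "WriteLogs", "Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": "*"}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TeamTrust", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::999999999999:root"}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    for name, pol in [("scoped", SCOPED_POLICY), ("dev", DEV_POLICY), ("trust", TRUST_POLICY)]:
        for finding in audit_policy(pol, OWN_ACCOUNT) or [f"no findings"]:
            print(f"{name}: {finding}")
```

Run it against the output of `aws iam get-policy-version` / `get-role` for every identity in every account, not just the ones a team remembers creating; the cross-account check is the one that catches the role provisioning the comment warns about.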
The security itself is sound. AWS has very very few security incidents where their security was compromised. KMS hasn't been broken (to anyone's public knowledge). If you mark an S3 bucket as private, they've never been accidentally exposed at the fault of AWS.
The issue is in the user's use of the security features. Do you call bcrypt broken if someone uses a weak password and only 1 round of salting? Do you call TLS broken if someone misconfigures their NGINX installation?
> Uber said it will provide drivers whose licenses were compromised with free credit protection monitoring and identity theft protection
This has got to be a running joke now. Companies lose the data and offer credit/theft protection rather than facing the consequences. If Equifax could get away with the giant breach, I am sure Uber will not even feel the heat. smh.
I moved to the US in April and was shocked by the Equifax breach, but more surprised to hear from a coworker how often these “free credit/identity monitoring for a year” situations occur.
One co-worker is covered by no less than four groups who failed to look out for him earlier, all for trusting companies to not screw up PII or remember that data is a liability.
It'd be nice if I could register for 2FA with all the various agencies. Commenters have suggested paying a fee to 'freeze' credit activities but the process to 'unfreeze' them requires no new information than what's already in most of these leaks...
> Two hackers had stolen data about the company’s riders and drivers — including phone numbers, email addresses and names — from a third-party server, putting the personal data of more than 57 million people at risk. The hackers approached Uber and demanded $100,000 to delete their copy of the data [...].
> Uber acquiesced to the demands. Under the orders of Travis Kalanick, who was then its chief executive, and Joe Sullivan, the chief security officer, the company paid the ransom.
> Then Uber went further. The company tracked down the hackers and pushed them to sign nondisclosure agreements [...]. To further conceal the damage, Uber executives also made it appear as if the payout had been part of a “bug bounty” [...].
IANAL but I did some basic visualization work as part of a story on US state data breach regulations. What may be Uber's undoing is that they must have the drivers license numbers for all of their drivers on file and that is considered PII by 45 states (nevermind that they also missed their reporting deadline).
- This is not Equifax, which leaked hundreds of millions of SSNs; or LinkedIn, which leaked hashed passwords of millions[1]; or Yahoo, which leaked personal information of billions, including security questions and hashed passwords [2]; or Target, which affected 40MM credit cards [3].
"Compromised data [..] included names, email addresses and phone numbers of 50 million Uber riders around the world, [..] including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken"
- There is no gross incompetence. The breach was due to an AWS access key in a private github repo. I bet you can find enough developers in this forum who store sensitive information in private GitHub repos without git encryption, and who may or may not feel guilty, because of the (false) sense of safety given by 1) the guarantee of github private repo and 2) the fact that access keys can be revoked and are generally handled with less care.
- The response by the new CEO is decisive and timely. The CSO was fired on the same day the CEO learned about the incident. There is also internal review, a new advisor, and reasonable protection offered to the drivers affected, even though there is no indication the data is leaked beyond the thief, and driver license numbers are not the best for identity theft.
At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers $100,000 to delete the data and keep the breach quiet.
> Joe Sullivan, the outgoing security chief, spearheaded the response to the hack last year, a spokesman told Bloomberg. Sullivan, a onetime federal prosecutor who joined Uber in 2015 from Facebook Inc....
Why on earth would a software-based company like Uber that stores a boatload of confidential employee and customer information on its servers put a non-technical person of any sort, lawyer or not, in charge of its security team?
Security, as far as a corporate entity is concerned, is fundamentally a way to reduce business and legal risk. A lawyer at the top, making those decisions with the input of technologists, seems like it should be reasonable when things are working correctly. This isn't a failure of skillset or knowledge, it's a failure of ethics and leadership. (Which should, to be clear, be punished far more severely than skill-related incompetence.)
Instead of giving a cash bribe, bribe with cushy jobs with a high salary and no real responsibility, since no one would expect a lawyer to understand what even to delegate to members of the IT security team.
Put a lawyer in charge when your strategy is to defend lawsuits against issues and mitigate the fallout of issues, rather than to, you know, prevent the security issues
Missing a trick, these hackers: they don't want to ask for a one-off payment, they want to turn this business of theirs into a cashflow. Pay X a month and we will keep the data safe. X could be a much smaller number than 100k. As we all know they haven't deleted the data. Think of it as a security tax levied by the internets.
I wish I was a fly on the wall at Transport for London. Or to be at that meeting TfL will be having with Uber, when Uber are going to magically prove themselves to be a 'fit and proper' company. At some point after some British chat about the weather someone on the TfL side of the table might ask: 'So, that data breach...'
If these 'hackers' were white hat and signed a contract saying they responsibly handled and deleted the data, and then uber checked the access logs of the data and verified that nobody else accessed it, then IMO it is not a data breach. It was a potential breach.
A white hat hacker you have an agreement with on how the data should be handled is the same as an employee who has access to the same data, where you also have an agreement on the employees use of the data.
You might say "Ooh, but can you trust the hacker not to keep a copy of the data!?!", but it's exactly the same as saying "Can you trust the employee not to copy the data?". I don't think a company would announce a data breach just because the database administrator had access to a backup tape...
What you have described makes sense only if they were originally hired as penetration testers. I think an external hack of this nature, even if done by white hat hackers, should rightfully be treated differently.
Having said that, you raise an interesting point, because if this money was paid as a bug bounty, then perhaps the lines would be blurred again. I guess the difference is that a bug bounty would have more clearly defined parameters about how far the hack should go. Logging into AWS using credentials that were found lying around, then continuing on to download data, seems like it is beyond the realm of reasonable bug-bounty hunting and responsible disclosure.
These are absolutely not white-hat hackers. In order for a breach of this nature to be white-hat, they would have to be acting openly, and within the parameters of Uber's bug bounty program (https://hackerone.com/uber). I have yet to see a bug bounty program that would allow the pen-testers to access private user data en-masse (I don't even think a company could legally allow this).
Anonymously extorting a company after stealing its data is a black-hat activity any way you look at it.
If Uber didn't have a bounty program or responsible disclosure policy, and the hackers didn't download the user data, but reported it in a manner consistent with other responsible disclosures after discovering a means to access, then it would be grey-hat at best.
In what world is stealing information and then holding it for ransom 'white hat'?
> You might say "Ooh, but can you trust the hacker not to keep a copy of the data!?!", but it's exactly the same as saying "Can you trust the employee not to copy the data?".
I trust someone I vetted and hired a hell of a lot more than the person who just extorted $100K from me.
Although obviously wrong on Uber's part, I'm curious: If they had informed law enforcement, could it be possible to legally pay the hackers to delete the data?
Hacks of this magnitude, especially in other cases where they involve credit card information, cause millions in damages ultimately, however the black hats involved (the initial part of that chain of events) sell that data for much less. Could we cut the losses there, by paying the hackers? Would it be legal? It could be a more serious version of a bug bounty.
Whoa, Uber even had the hackers sign an NDA? Like, what were they going to do if the hackers broke the NDA? That's just...insanity. The fact that Travis knew about it as well smells like he could face charges.
I don't know, paying off the hackers might have been the best call. It prevented my data from being exposed into the wild vs notifying authorities, which would have all but guaranteed a leak. If the objective was to protect Uber's customers, mission accomplished. Should they have covered it up and not disclosed it? No, but this is a tough call ethically.
Another breach that 2FA and SSO didn't stop. 81% of all breaches now originate from compromised credentials mainly acquired from 3rd party data breaches. Most organizations believe that 2FA and SSO are the answer but this proves they are not enough.
Did anyone else read this title and assume that it meant Uber had stolen the data of 57M people and then paid hackers to delete it? I feel like the word "ransom" should probably be used somewhere in the title.
I'm getting sick of this stuff. As a user of Uber (or Equifax), would I have any case if I tried to sue them for mishandling private data (I live in Massachusetts)?
What would be the tax implications of this in USA? I imagine there isn't a bill given by another entity, but this is rather a bitcoin/cash transaction. In my country this would mean this payout would be hit with all the taxes [1], pretty much doubling the cost.
--
[1] Income tax, unemployment insurance, healthcare, and maybe even pension. All going to the benefit of the country as there is no identifiable human on the receiving end.
And people wonder why I keep saying that Uber needs to have its business license yanked or suffer some similarly drastic sanction or they'll just keep right on doing it and others will follow the same strategy. I mean, how often does a firm have to breach the trust of (just about) everyone it deals with before it's time to punish it in some meaningful way?
They stored AWS storage credentials in the clear, in a (private) Github repo...
This is so baffling coming from one of the largest tech companies in the world.
Among other things, this shows that they do not have proper access policies to user data (e.g. anybody working at Uber can get access to any user's data), which in my opinion is a larger issue than this individual hacking case.
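Both this comment and the earlier one about an AWS access key sitting in a private repo make the same point: a private repo is an access-control boundary, not a secret store, and a key that lands in git history stays there. The HEAD of the thread mentions that scanners now check repos and gists for exactly this. As an added example (not code from the original thread or from Uber), here is the core of such a scanner, run over a constructed config file. It matches the documented AWS access key ID format (`AKIA`/`ASIA` followed by 16 uppercase alphanumerics), confirms 40-character secret-key candidates with a Shannon entropy threshold so that placeholder strings are not reported, and redacts values before they are printed so the scanner does not leak what it finds. The credential values in the sample are AWS's own documentation placeholders, not live keys; the file path and the entropy threshold of 3.5 bits are assumptions of the example.

```python
"""Scan text (a file, or `git log -p --all` output) for AWS credentials.

Added example; the sample file below is constructed and its credential values
are the placeholders AWS uses in its documentation.
"""
import math
import re
from dataclasses import dataclass

# Long-term access key IDs start with AKIA, temporary STS ones with ASIA.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys are 40 chars from the base64 alphabet.  The shape alone
# over-matches, so we require a key-like name on the left and check entropy.
SECRET_KEY_RE = re.compile(
    r"(?i)(aws_secret_access_key|secret[_-]?key|secret)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for this example


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for a repeated single character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep enough to locate the key in the repo without reproducing it."""
    return f"{value[:4]}...{value[-4:]}" if len(value) > 8 else "***"


def scan_text(path: str, text: str, threshold: float = ENTROPY_THRESHOLD) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws_access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(2)
            if shannon_entropy(candidate) >= threshold:
                findings.append(Finding(path, line_no, "aws_secret_access_key", candidate))
    return findings


# Constructed sample; the credential values are AWS documentation placeholders.
SAMPLE_PATH = "config/settings.py"
SAMPLE_FILE = """\
# constructed sample for the scanner; the credentials are AWS's documentation
# placeholders, not real keys
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_SECRET_KEY = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
REGION = "us-east-1"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_PATH, SAMPLE_FILE):
        print(f"{f.path}:{f.line_no}: {f.kind} {redact(f.value)}")
```

Feed it `git log -p --all` rather than the working tree: the comment's point is that a key committed once is recoverable from history even after a "fix" commit removes it, so the remediation is rotating the key, not deleting the line. The low-entropy `DB_SECRET_KEY` placeholder is deliberately not reported.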
Yes, and this is from 2014! They really did not learn anything, and Kalanick's apologies and statements about "becoming more mature" were all just bullshit.
As the size of the company grows past a certain size, especially these "move fast and break things" idiots, I feel like the likelihood of this goes up. There are more and more people; someone is bound to do something stupid.
The fact that this is a big company is exactly why strict access policies are necessary! I might trust a handful of administrators, or a limited set of engineers whose data access is audited, but I sure as hell would not trust thousands of engineers with my private data.
Other tech companies (e.g. Google) safely silo PII data, and any access has to be audited.
I cannot wait until GDPR is implemented in Europe... at least companies will be seriously fined if they want to cut corners on privacy and data protection.
At what point can we just let a company die? Is there even such a line to be crossed anymore? Personal data leaks and illegal cover-ups, Greyball, utter disregard for regulations, IP theft, a culture of systemic harassment and sexism, etc etc etc. Uber just needs to die so that the rest of us can have some semblance of faith in the system left.
> Here’s how the hack went down: Two attackers accessed a private GitHub coding site...
I am wondering what "private Github coding site" stands for. If it is GitHub Enterprise, then how would those hackers even access it from outside of the Uber network? Does it mean that they had access to Uber's VPN as well?
In about 2014 I noticed that the logged in API request, on Uber's website, included full driver info nested under the ride JSON object. It included the drivers full address, license, phone numbers, etc. They patched it a few months later, but it was the worst data leak I've seen.
So was the stolen data deleted? This could've easily just been part of a "bug county," no?
Except when you actually steal data, you're not eligible to bounty. This means the hackers had decent leverage and negotiation skills (maybe Uber could've scared them with lawyers, etc).
Not quite what you are looking for but the International Labor Rights Forum does a great job of trying to change some of the worst of the worst practices around the world (unfortunately, Uber is unlikely to make a top ten list).
Wouldn't the easy solution to this class of problems be to require some sort of physical device to be connected to your machine in order to access certain sets of data? Assuming the device itself couldn't be spoofed, wouldn't that solve this once and for all?
It seems that Uber has only paid the infiltrators to say they have deleted the data. Putting aside, for the moment, all the legal and ethical issues, why would anyone at Uber imagine that this would be in the slightest bit beneficial?
If companies hiring the "best and brightest" can't keep your data secure, what hope is there for the average non-tech company? Low tech lock-and-key solutions don't seem so bad now. If only they could scale...
And just as an FYI: California law SB1386 requires mandatory breach notification when driver's license data is stolen... which this team knew very, very well.
This is exactly why the CEO should lead by example. If the CEO himself does shady stuff all the time and in fact encourages it, it's normal and even expected that the hack is covered up.
The journalist speculated about "evidence that the files were actually deleted" referring to the "hackers" deleting their copies of the extracted data.
Massive data spill as Uber was hacked... maybe an email address is not so important, but ride history and wherever location data is something quite sensitive... shift delete!
I woke up and Silicon Valley has really become an evil place. Whatever happened to our mantra (really Google's, but it reflected the whole valley) "Don't be evil"?
People keep bringing this link up every time, but obscure the actual reason that was done: it puts the developers depending on the library in legal jeopardy. Licenses like "Do Whatever The Fuck You Want To" [0] are in the same boat.
Red Hat also stopped including JSMin for the same reason. [1]
Don't check secrets into VCS, folks!
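The thread's two concrete technical points are that the AWS credentials sat in plaintext in a private repository and that secrets should never be checked into version control at all. The following is an added example, not code from Uber, GitHub or any commenter: a minimal pre-commit hook that scans staged text for AWS access key IDs (their fixed `AKIA`/`ASIA` + 16 base32 characters format) and for 40-character secret access keys sitting next to a key name containing "secret", using Shannon entropy to drop obvious placeholders. The file contents in `SAMPLE_FILES` are constructed sample input; the access key and secret are the documented AWS example credentials, not real ones. The hook wiring in `staged_files` (reading the index with `git show :path`) is an assumed convention of the example, not something the thread describes.

```python
"""Added example: pre-commit scanner that blocks commits containing AWS credentials.
Not Uber's or GitHub's code; sample input below is constructed."""
import math
import re
import subprocess
import sys
from collections import Counter

# Access key IDs are 20 characters: a 4-letter prefix (AKIA long-term, ASIA
# temporary) followed by 16 characters from the base32 alphabet [A-Z2-7].
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z2-7]{16})(?![A-Z0-9])")

# Secret access keys are 40 base64-alphabet characters. To limit false positives
# (git SHAs, hashes) we only consider values assigned to a "secret..." key name.
SECRET_KEY_RE = re.compile(
    r"(?i)secret[_a-z]*\s*[=:]\s*[\"']?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])"
)

MIN_SECRET_ENTROPY = 3.5  # bits per character; template placeholders score far lower


def shannon_entropy(s: str) -> float:
    """Bits per character of `s`; 0.0 for a string of one repeated character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Show enough to locate the credential without re-printing it in full."""
    return value[:4] + "..." + value[-2:]


def scan_text(path: str, text: str) -> list[dict]:
    """Return one finding per credential-looking token in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "aws_access_key_id", "value": redact(m.group(1))})
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            if shannon_entropy(candidate) < MIN_SECRET_ENTROPY:
                continue  # "XXXX...", "AAAA..." placeholders in config templates
            findings.append({"path": path, "line": lineno,
                             "kind": "aws_secret_access_key", "value": redact(candidate)})
    return findings


def staged_files() -> dict[str, str]:
    """Assumed hook wiring: read the staged (index) version of each added/modified file."""
    names = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                           capture_output=True, text=True, check=True).stdout.split()
    out = {}
    for name in names:
        blob = subprocess.run(["git", "show", f":{name}"], capture_output=True, check=True).stdout
        try:
            out[name] = blob.decode("utf-8")
        except UnicodeDecodeError:
            pass  # skip binaries
    return out


# Constructed sample input. The key pair is AWS's documented example credential.
SAMPLE_FILES = {
    "config/aws.yml": (
        "region: us-east-1\n"
        "aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "config/aws.yml.template": (
        "aws_access_key_id: <your key here>\n"
        "aws_secret_access_key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n"
    ),
    "deploy/notes.md": "last good build: commit 8f0c2e1d...\n",
}


def main() -> int:
    files = staged_files() if "--staged" in sys.argv else SAMPLE_FILES
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    for f in findings:
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['value']}")
    return 1 if findings else 0  # a non-zero exit code makes git abort the commit


if __name__ == "__main__":
    sys.exit(main())
```

Run without arguments it scans the embedded sample and reports the two real-looking credentials while ignoring the all-`X` template value and the commit hash; installed as `.git/hooks/pre-commit` and invoked with `--staged` it scans the index instead. A scanner like this is a safety net, not the fix: the credential still has to live somewhere, so the real answer is to hand it to the build via a secrets manager or environment injection and rotate it the moment a scan fires.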