Just read the federal complaint, my highlights and summary:
- Hackers downloaded a bunch of PII from Uber
- Uber CISO paid them a 100k bounty with bitcoin to sign an NDA with their hacking handles, but they wouldn't give real names
- Uber staff traced them down, found their real names, then met them in person and got them to sign NDAs with real names
- FTC is mad because CISO tried to make it seem like it wasn't a data breach vs bug report through the bounty program.
- Their 2014 breach was from "an AWS access ID and secret key in software code posted to GitHub"
- In 2016 to FTC "SULLIVAN elaborated that it was common at the time to write access IDs and other secrets directly into code when that code needed to call for information from another service." - oof
- SULLIVAN received an email from “johndoughs@protonmail.com” claiming to have found a “major vulnerability in uber,” and that “I was able to dump uber database and many other things.”
- in the 2016 breach, the hackers used the stolen credentials to... get the AWS keys that were still in their GitHub code, which was now private
- "Similarly, Uber argued that the industry at large had become more adept since 2014 at protecting private data in the cloud, and that Uber should not be judged for “what a company did then (back when the company was much smaller and the technology at issue was evolving) according to the standards that the agency thinks are appropriate now (given the current sophistication of the company and current industry best practices).” Uber made these arguments via letter in April 2017, approximately five months after the 2016 Breach."
> "Similarly, Uber argued that the industry at large had become more adept since 2014 at protecting private data in the cloud, and that Uber should not be judged for “what a company did then (back when the company was much smaller and the technology at issue was evolving) according to the standards that the agency thinks are appropriate now (given the current sophistication of the company and current industry best practices).” Uber made these arguments via letter in April 2017, approximately five months after the 2016 Breach."
I've been hearing this argument for decades, and every time it's been earnest but transparent blame-shifting. "The industry didn't understand security risks back then." "No one could have predicted this." The risks were well known back then by anyone who cared about risks.
Companies don't give a shit about security until it's too late. Security is a complex beast and I have yet to meet a developer who understands it top to bottom (nor should they, but I would expect even juniors to know they should not store creds in the git repo). It's an increasingly specialist role that startups rarely hire for because they're focusing on survival and growth, so it's to be expected this story will repeat ad nauseam.
In 2015 I was rolling out Hashicorp's Vault to deal with secrets management in a small Brazilian startup. I believe that Uber in 2014 had the engineering resources to deal with this issue much better than my two-man team could.
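The hard-coded AWS keys behind the 2014 and 2016 breaches, and the point above that credentials do not belong in a git repo, are exactly what a pre-commit secret scan is meant to catch. The following is an added example, not code from the complaint, from Uber or from HashiCorp: a Python scanner that flags AWS access key IDs and nearby secret access keys in source text, drops obvious placeholders by entropy, and runs over constructed sample files (the key values are AWS's published documentation examples, not live credentials). The regexes are the commonly used heuristics for AWS key formats and the entropy cut-off is an assumption.

```python
"""Pre-commit style scan for hard-coded AWS credentials in source text.

Added example; not code from the complaint, Uber or HashiCorp. The regexes are
common heuristics for AWS key formats and ENTROPY_THRESHOLD is an assumption.
"""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Long-term access key IDs start with "AKIA"; temporary (STS) ones with "ASIA".
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A secret access key is 40 base64-alphabet characters. To limit noise we only
# flag one when it is assigned to a secret-looking name on the same line.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret|secret_?access_?key|secret_?key)\W{0,3}[=:]\W{0,3}"
    r"(?P<secret>[A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
ENTROPY_THRESHOLD = 4.0  # bits per char; assumption, tune against your own repos


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random 40-char secrets score well above 4."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str   # "access_key_id" or "secret_access_key"
    value: str  # redacted, so the scan report does not leak the secret again


def redact(value: str) -> str:
    return value[:4] + "..." + value[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per credential-looking token in `text`."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(path, line_no, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group("secret")
            # Low-entropy strings (all zeros, "xxxx...") are placeholders, not keys.
            if shannon_entropy(secret) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, "secret_access_key", redact(secret)))
    return findings


def precommit_check(files: dict[str, str]) -> tuple[bool, list[Finding]]:
    """Core of a pre-commit hook: True means the commit may proceed."""
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    return (len(findings) == 0, findings)


# Constructed sample files. The key values are AWS's own documentation
# examples, not real credentials; the third file shows the hardened pattern.
LEAKY_CONFIG = """\
import boto3

# Secrets written straight into the source, the pattern the complaint describes.
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
s3 = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                  aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
"""

PLACEHOLDER_CONFIG = """\
# Template a developer is meant to copy; the value is an obvious placeholder.
aws_secret_access_key = 0000000000000000000000000000000000000000
"""

HARDENED_CONFIG = """\
import os
import boto3

# No literal credentials: the SDK's default chain reads the environment, an
# instance role or a secrets manager, so nothing sensitive lands in git.
s3 = boto3.client("s3")
bucket = os.environ["EXPORT_BUCKET"]
"""

SAMPLE_REPO = {
    "settings.py": LEAKY_CONFIG,
    "config.example": PLACEHOLDER_CONFIG,
    "storage.py": HARDENED_CONFIG,
}

if __name__ == "__main__":
    ok, hits = precommit_check(SAMPLE_REPO)
    for f in hits:
        print(f"{f.path}:{f.line_no}: {f.kind} {f.value}")
    print("commit allowed" if ok else "commit blocked")
```

Only the leaky file is reported; the placeholder template and the hardened file that relies on the SDK credential chain pass clean.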
Just to be clear, the complaint charges Sullivan under these two federal criminal statutes:
18 U.S. Code § 1505. Obstruction of proceedings before departments, agencies, and committees -- [...] Whoever corruptly, or by threats or force, or by any threatening letter or communication influences, obstructs, or impedes or endeavors to influence, obstruct, or impede the due and proper administration of the law under which any pending proceeding is being had before any department or agency of the United States, or the due and proper exercise of the power of inquiry under which any inquiry or investigation is being had by either House, or any committee of either House or any joint committee of the Congress—
Shall be fined under this title, imprisoned not more than 5 years or, if the offense involves international or domestic terrorism (as defined in section 2331), imprisoned not more than 8 years, or both.
18 U.S. Code § 4. Misprision of felony -- Whoever, having knowledge of the actual commission of a felony cognizable by a court of the United States, conceals and does not as soon as possible make known the same to some judge or other person in civil or military authority under the United States, shall be fined under this title or imprisoned not more than three years, or both.
18 USC § 4 is independent of any federal investigation, unlike § 1505. The complaint itself lists quite damning facts. Have a read, it's quite readable. [0]
There's a recent case on Misprision of felony from the 9th Circuit, which has jurisdiction over California. [0]
"The panel affirmed the long-established federal rule that “[t]o establish misprision of a felony,” under 18 U.S.C. § 4, “the government must prove beyond a reasonable doubt: ‘(1) that the principal . . . committed and completed the felony alleged; (2) that the defendant had full knowledge of that fact; (3) that he failed to notify the authorities; and (4) that he took affirmative steps to conceal the crime of the principal.”"
It seems to me that Kalanick was often “aware” of things but conveniently avoids scrutiny. How is this? Uber did so many questionable things under his leadership. And he managed to totally dodge the Levandowski saga.
> It seems to me that Kalanick was often “aware” of things but conveniently avoids scrutiny. How is this?
Because the VCs funded Uber precisely because they knew that Kalanick was an asshole?
The people who gave him money did so with the expectation that he would pull out all the stops to become a mega-monopoly.
To top it off, Kalanick had been screwed by VCs before, so he made a particular point to structure stock ownership in such a way that he kept control. It's still not clear what deals were made to actually get him to go away.
Finally, I expect that Kalanick probably knows where all the bodies are buried. So, he probably knows even more shady things that were going on than have been exposed. So, he has leverage.
He is a savvy politician. You are definitely onto something here. The guy has a very carefully curated public image. It is genuinely impressive how opinion of him is higher than the company he runs.
Edit: I was convinced by the arguments. I was holding onto an old idea of him. Clearly things have changed.
Is it higher? He resigned as CEO of Uber due to a flurry of scandals, including the Levandowski one. Do people really separate Uber’s shady business practices from his leadership? I’d be surprised if investors do, although they may just not care or view it as a good thing.
It is impressive that he’s avoided any criminal or civil suits. I don’t know that he’s guilty of anything, but with the number of scandals swirling around him it’s surprising that someone hasn’t at least tried to sue him.
Is he though? I thought he was pretty much considered a fratbro. The stories of the bro culture that permeated Uber HQ were pretty damning. There's also video of him drunkenly arguing with an Uber driver. The stories are plentiful. If that's the image he's curating, then it sounds like lots of politicians past and present, so maybe you're right.
Did we watch the same video, the one where he is in the Uber with two women? Because in the video I saw, he was politely disagreeing with the facts the driver was saying.
Neither person raised their voice or cursed, and I guess you can call it arguing but I did not see anything that was inappropriate behavior.
We are disagreeing right now, and maybe one of us has even been drinking -- does that mean that we are now ineligible to be CEOs?
I follow the tech news a bit more than the average person (but perhaps about average for the HN crowd), and my opinion of his leadership really couldn't be lower. Perhaps it's lower than Uber itself though as well because while I have little to no respect for the Uber culture, I generally agree that actions like theirs in the rideshare space, despite being heavy handed and pushy, spur innovation and put regulators on the defensive, which in turn forces regulators to adapt faster than they normally would--like a forest fire can lead to a stronger ecosystem.
Such a darwinistic approach to policy.
A failed business model artificially injected with tons of money wastes time and energy of the regulator which could be spent on actual real problems and not made up ones created by an agglomeration of dumb money with monopolistic long term goals (that are the only thing which can make this "ride-sharing" business feasible.)
This is not a forest fire, it's a nuclear reactor breach caused by greedy and irresponsible leaders.
This is especially interesting because Joe Sullivan is the current Chief Security Officer at Cloudflare. I'm curious to see what happens to his role at Cloudflare: will CF stand behind him or give him the boot, considering the optics here...
Cloudflare CEO Matthew Prince has already tweeted [1] his support:
"Sad to see Joe Sullivan allegations. Joe's had a distinguished career as a US Attorney & exec at eBay, PayPal, Facebook, Uber & Cloudflare. Anytime an opportunity arose, Joe's advocated for us to be as transparent as possible. I hope this is resolved quickly for Joe & his family."
Why talk about optics? This is not about what seems bad, it's about what US democracy deemed is a felony. If I were CF I wouldn't want a criminal mind working for me; how can you trust him when you know he lies and covers up?
I dunno, to me it sounds horrific that Machiavellism is accepted without a pause, knowing how inefficient and detrimental it is for human cooperative endeavours. History showed us that unchecked Machiavellism causes dynamics to devolve into paranoid zero-sum social dynamics.
Although it is an aspect of our psychology, we shouldn't just rationalize it as a force of nature.
When we so casually and cynically opt to talk about optics, that's exactly what we're doing.
I really don't understand how this is a crime. Bug bounty is basically hiring consultants to find bugs. They found a bug that allowed the consultant to download all the data. Uber paid the consultant the designated bounty. It is a done deal.
Implications that this is an actual breach are large. Does that mean if I hire a red team of independent consultants and they manage to gain access to one of my backups, I have to report it as a breach? That's the worst case scenario.
The best case scenario is all companies have to pull bug bounty programs because any bug found is now considered a breach. This is actually very bad for the industry. Bug bounties are a very effective part of a comprehensive strategy to safeguard customer data.
> During this time, two hackers contacted Sullivan by email and demanded a six-figure payment in exchange for silence. [...] The criminal complaint alleges that Sullivan took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the breach.
Doesn't seem like a bug bounty when you're being demanded to pay something, and when you're later asked about it you conceal, deflect and mislead about it.
Bounty programs explicitly tell you to only target accounts that belong to you.
Outside of that, if you're "peeking" at information that doesn't belong to you, you immediately stop, document, and submit the report. You do not download 14,000 files as the Uber hackers did.
This is a non-trivial amount of nuance that clearly shows the hackers were not acting in good faith.
Yes and no. The indictment explicitly mentions the hackers got paid through HackerOne but didn't have a HackerOne account. HackerOne manually sending a payout so large, via Bitcoin no less, is strange to say the least.
It wasn't a bug bounty submission. He used the bug bounty program as a slush fund to pay off criminals so they wouldn't disclose that Uber customers' personal data had been stolen.
Exactly. The 'it was a bug bounty' defense is completely laughable. If anything, allowing these types of hush money payments would be more dangerous to the concept of bug bounty programs because the public would lose faith they would be adequately notified of data breaches.
Plus, I think the messaging between Sullivan and Kalanick more than proves mens rea. It's possible Sullivan does have a "it was someone else's decision" argument, but not that everybody at Uber thought that what they were doing was above board.
There is no mens rea or actual harm involved in legit white hat hacking, including white hat hacking that is incentivized through bug bounties, so this activity is not criminal.
We don't know all of the specifics here, but for the feds to go after it one must assume that there was mens rea for the underlying offense (i.e., the hackers were in fact black hat) and there was actual harm (i.e., the hackers kept the stolen data and either intended to or did in fact use it for criminal purposes).
And in order to go after charges of obstruction and misprision, the DoJ must also believe that Sullivan was clearly aware that this behavior was criminal, and he intentionally sought to cover it up. This isn't much of a stretch because the FTC was probing it, so there was ample opportunity for him to respond incorrectly (and, allegedly, criminally) to FTC's questions during their probe.
In practice the line between bug bounties and extortion can often be a bit blurry, as well as the line between proving an exploit exists and actually exploiting it.
I think you’d need a lot more information to draw a reasonable conclusion. That said, the prosecutors' arguments that $100,000 is so much that it implies criminality, and that NDAs are non-standard (or that they also imply criminality), are complete and utter BS, and instantly make me incredibly skeptical of the theories they’re operating on.
The same two people that carried out the Uber hack also hit Lynda.com after using basically the exact same methodology. So, it would seem possible that they had credible evidence of a felony with intent to commit future ones.
The stuff you mentioned isn't really what's "criminal" here.
IMO, the "real" crime stems from his actions to hide / cover up the hack and payoffs and -- probably more importantly -- explicitly and outright lying to the federal government.
They really don't like that at all.
---
It's possible that this is also, at least in part, an attempt to go after others at Uber (if they have reason to believe there was other criminal behavior taking place).
From another reply here: U.S. Code § 1505 mandates that you do not obstruct procedures of departments, agencies, and committees of the US government. In this case, if you've just testified before the FTC on your data protection practices and a past data breach you do not keep quiet on a current breach but Give Them A Call.
I cannot imagine what doing business in the US is like, given that I feel there are many more laws they can throw at you than where I live, but I know that in my firm we have many meetings on all kinds of levels with supervisors that are frankly quite open. You need good relationships with supervisors, and good relationships are built on openness. If we were ever to have a serious data breach, the first call would be an impact assessment and notification under GDPR; the second call, nearly at the same moment, would be reaching out to our other (mostly financial) supervisors.
I know Joe, I've worked both with and for him. Frankly, this sounds completely out of character for him. He's someone who has a strong moral compass and has been catching black hats for over 20 years.
There has to be more to this story. I feel like he was probably railroaded by Uber's legal team/CEO and they did things he may not have been fully aware of. That's the only explanation I can come up with.
I look forward to him having his day in court to vindicate himself.
People can appear different to different people the same way that a person with multiple Reddit accounts can be entirely different personas on them.
When we see accounts of someone that strongly conflict with our accounts of that person, our inclination is to believe that our view of that person is the "right" one. This is just an artifact of humans' natural sensory self-centrism: you can only see him as the person you have seen him as.
The likely truth, about everyone, is that, like a 3D object viewed from a single vantage point, no one person ever truly knows another.
And obviously, everyone deserves their day in court.
My admittedly limited understanding/speculation (from what I saw disclosed in the media and the timing of the events) is that this breach came to light shortly after Dara took over as CEO (presumably from a review of finances), and that Dara then voluntarily disclosed the breach to the public as part of Uber's reputation house cleaning effort, and that the failure to disclose the breach was the reason for Joe's termination.
I don't know whether Uber had a proper bug bounty program setup at the time this happened, nor whether this could be considered one, so I can't comment on the specifics.
In particular, part of Sullivan's cover-up efforts included passing the breach off as a $100,000 bug (their largest at the time) in the bounty program and trying to sign secret NDAs with the hackers. He also paid them a bitcoin ransom.
> Witnesses reported SULLIVAN was visibly shaken by the events.
The hackers first broke into Lynda.com, using the same techniques, and emailed a ransom demand; Lynda responded by immediately disclosing the breach. Uber moved the conversation to HackerOne, and then made two $50,000 bitcoin payments to the still-pseudonymous hackers.
What appears to be making this a big deal is that Uber had been hacked several years prior, and was negotiating with the FTC over the breach; the 2016 breach was not timely disclosed to the FTC, despite formal statements being provided after the breach occurred.
Misleading the FTC is pretty clearly something that was under Uber's control.
It is not unreasonable that an ethically minded person would have chosen to take the actions that he did. For example, consider if his first priority was to protect the people whose PII was leaked.
With the hackers' identities known, Uber or Sullivan is able to use the threat of exposing their crime as leverage if they should notice that the PII is being exploited. The 100k doesn't make single-game game-theoretic sense but can guard against people who expect a tit-for-tat.
From what I've read, Sullivan claimed the decision to not inform the feds was one made by Uber's legal team. I have no idea if that's accurate, but it's a good reminder that a company's lawyers look out for the best interests of the company, not individual employees.
I've read that if you start to get involved in a legal issue at work like this, you need to get your own lawyer and keep your mouth shut.
As someone who has been falsely accused of a crime in the past, I'd just like to remind people that being charged with something does not make you guilty; it's an allegation. I know you know this, but society today seems to be treating allegations like convictions.
I'm interested in your opinion here. After reading the indictment, which is fairly detailed, you still think that Sullivan is nearly blameless? Or do you just think other execs at Uber are also culpable?
It's hard to say. An indictment is necessarily one sided -- it's a document by a prosecutor with the goal of establishing guilt. There is nothing that prevents them from omitting information that is favorable to their target. That comes later during the defense's discovery process.
So the indictment sounds bad, but at this point I'm willing to give the benefit of the doubt and wait to find out the other side of the story.
Basically it states that for a long time, sexual harassers were given a blind eye with excuses like "he's good for our bottom line." But it turns out this isn't true. It turns out people who act unethically in one way often act unethically in other ways, that (among other things) hurt the bottom line.
Cloudflare should apply due process in this case as in all other HR matters, but let's just be clear that the amount of process "due" for terminating an employee is vastly less than the process due for imprisoning an individual with state power.
But do you want to live in a world where someone can completely fabricate an allegation that you can easily disprove, yet you’re still terminated on the spot for doing nothing wrong?
By "due process" I don't mean "no process." It's unlikely that someone can "easily disprove" a 19-page federal criminal complaint, but an employer should certainly give an employee the opportunity to do so before their dismissal.
Of course, I’m not suggesting he’s legally entitled to his job pending the outcome of his due process.
I’m saying that is the right thing to do, as opposed to instantly firing someone when there is only an allegation.
Although even in this case, I don’t think it warrants termination (unless he is physically unable to remain in the job because he is in prison, which would be a shame).
There is nothing wrong with paying a ransom, contrary to what the title implies. That’s not his crime. Those less familiar with the ransomware epidemic, and before that, the DDoS extortion/protection racket, might be surprised to hear that paying ransoms is not uncommon.
His alleged crime was essentially failing to disclose the breach. It’s not clear how much of that direction came from above him. Travis obviously knew about it at minimum, and he obviously did not direct him or Uber to disclose it.
It’s not difficult to imagine a complicated scenario where he was essentially in a position to be a whistleblower and forfeit his stock, also potentially damaging his reputation and ability to get a new job (doing the ‘right thing’ can still be career suicide), or just do what he was told.
That doesn’t absolve him of guilt in the eyes of the law, but good people make mistakes too, and this one would not seem to reveal anything that could jeopardize his current company. Again, he did not conceal it from the CEO, so presumably if he made that particular mistake at Cloudflare, the CEO would direct him not to cover it up.
There could be other explanations as well. He hasn’t had an opportunity to present a defense. We only have the complaint, which is by design as adversarial and one-sided as possible.
Another Uber security guy was hired by Tesla and somehow came up related to the Gigafactory drug running stuff:
> Tesla then hired a new senior manager of Global Security named Nick Gicinto. He was told that Gicinto and team were “spying on Tesla employees using devices to monitor emails, cell phones, and data communications from Tesla employees. Hansen expressed concern to his supervisors regarding what he believed was illegal conduct.”
> In fact, Gicinto and his team allegedly used these same tactics at Uber under Jeff Jones, former head of security who was also hired at Tesla with another security employee Jacob Nocon.
> In a lawsuit filed in the United States District Court, District of Northern California, Waymo LLC v. Uber Technologies, Inc., (Case No.:17-cv-00939-WHA). Jones, Gicinto, and Nocon all “allegedly engaged in numerous illegal methods of investigations such as wiretapping and hacking.” These behaviors are all outlined in the “Jacob’s Letter” filed in this case.
I guess the problem is if you are using company property and the company is wiretapping that property and you have signed some disclaimer then it might be difficult to prove the company did something wrong.
I think some judges would consider the power imbalance between employer and employee before legalizing invasions of privacy because the employee signed a disclaimer. Contracts that a weaker party is pressured or coerced into don't automatically clear the company/institution of wrongdoing.
> “Companies like Uber are the caretakers, not the owners, of customers’ personal information,” said U.S. Attorney Anderson (for the Northern District of California)[1]
I would like that to be true, but everything I've read indicates otherwise. Uber, Google, Facebook, banks, and credit bureaus have my personal information, but I am not the owner of that information. I've been told that they own it, at least under U.S. laws. If I do own it, why can't I demand that credit bureaus delete all my personal information?
The quote comes from the prosecutor of the Uber executive. If anyone should know the law regarding who owns your personal information, he should. Is he right or wrong?
With regards to financial transactions et al - it's not the same. You can't open a credit card and then demand they delete your personal info. You can't move money around banks and then expect them to "forget" you.
Anonymity does not exist in finance, at least not between you and the institutions warding the money and the authorities they are regulated by. Though they are also (allegedly?) tightly controlled on what they can/cannot do with this personal info.
Frankly it couldn't work if it did because it would be rife with crime (<edgelord>moreso than it already is!</edgelord>)
Maybe I hang around with lawyers too much, but I suspect most data that companies hold about you could be argued is actually a receipt of a transaction between you and another party, especially in the case of credit bureaus. In that sense it's not really your personal information - it's about you in part, but it's also about the other party, and if that party doesn't want the data deleted it's reasonable that it isn't.
Exactly the reason why we ought to NOT offer anything in digital form of our personal information WHENEVER possible. Data is money. Why should I offer anyone anything in digital form unless I get paid!!!
The titles are generally used interchangeably, though a CISO has an IT connotation and implies an engineering leader, while a CSO can be a risk/policy leader instead of an engineering leader.
Hopefully none of them have CISSPs; the CISSP is a joke.
> “Need to get certainty of what he has, sensitivity/exposure of it and confidence that he can truly treat this as a [bug] bounty situation... resources can be flexible in order to put this to bed but we need to document this very tightly“ - Kalanick
Looks to me like this is why Kalanick was not indicted. If he deferred, said “handle it, keep it legal, and document it for any investigation,” that’s really all you can ask from a CEO.
Whether or not this is REALLY what he meant (or just a way to cover his butt) is up for debate. But it would be a good defense imo.
In fact, the two people responsible for the hack, Brandon Glover and Vasile Mereacre, are awaiting sentencing after pleading guilty in federal court; they'll be sentenced next February.
There is no truth to that at all. Corporate liability protects employees in a subset of civil cases; even when employers are charged in tort cases, employees are often charged as well.
For what it's worth, and I'm no lawyer, it doesn't look like he's facing anything near 5 years.
For the misprision offense (18 USC 4), the guidelines are based on the underlying felony, less 9 levels, capped at 19. Assuming CFAA/wire fraud, a 2B.1 offense, that's:
6
+8 for the >$95,000 loss
+2 if involved harvesting email addresses (not charged?)
+2 for evasion across jurisdictions
+2 for exfiltrating trade secrets overseas
+2 for intent to exfiltrate customer PII
That reads to me as a worst-case underlying level of 24, or a 15 for the misprision, which is 18-24 months; remove any of those constraints and it's a "Zone C" offense that doesn't require imprisonment at all.
The more painful charge appears to be the Obstruction (18 USC 1505), for which the guidelines appear to go:
14
+3 for substantial interference to an investigation
+2 for extensive planning
That worst-cases to 19, 30-37 months. Still not close to 5 years, though, and I'd assume (please correct me!) that these sentences group, since the underlying conduct is the same.
If you look at most federal cases they start off with 1-2 charges like Obstruction of Justice that are easy to prove to a judge. They always add charges later.
> The hackers’ ransom was paid in December 2016 via bitcoin, even though the hackers by that time had refused to sign the NDAs in their true names and had not yet been identified by Uber. Uber’s staff continued to work on identifying the hackers and were able to eventually identify them in January 2017, at which point SULLIVAN dispatched security staff to interview both hackers and obtain signed NDAs from them in their true names.
How did they identify them, and is the DOJ going after the hackers too?
edit: finished reading the PDF:
>H. The Hackers Pleaded Guilty to Federal Crimes.
>>50. On August 2, 2018, a Grand Jury in the Northern District of California returned an indictment charging Brandon Charles GLOVER and Vasile MEREACRE with crimes related to extortion involving computers under 18 U.S.C. § 1030(a)(7)(B) and 1030(c)(3)(A). The indictment alleged that GLOVER and MEREACRE, between December 2016 and January 2017, conspired to extort a online employment-oriented service (“COMPANY ONE”) by obtaining over 90,000 confidential user accounts and using those accounts as a means to obtain money.
This reminds me that Joe has ties to Tesla’s security team (ex Uber), which is embroiled in a whistleblower lawsuit that alleges they spied on and hacked employee devices, and to the insane eBay security team lawsuit in which the security team allegedly sent a severed pig head to a small town blogger they thought was working for Amazon.
> ... the insane eBay security team lawsuit in which the security team ...
They (allegedly) did a whole lot more than that! Everything about that story is absolutely crazy!
I'm not sure what's leading these security folks to believe they can do anything they want and get by with it but I, personally, am glad to see this criminal prosecution taking place -- hopefully it will help to "remind" others that they must "play by the rules" and that "'winning' by any means necessary" is not acceptable.
The complete lack of ethics at Uber, in particular, was appalling. Fortunately, it sounds like Dara was working hard to fix that once they got rid of Kalanick.
One question for any attorneys here - if the FTC were not investigating the 2014 hack, would there not be any charges for these alleged actions? The indictment doesn't seem to mention any statutes violated except for in connection to impeding the existing investigation.
18 U.S. Code § 4. Misprision of felony -- Whoever, having knowledge of the actual commission of a felony cognizable by a court of the United States, conceals and does not as soon as possible make known the same to some judge or other person in civil or military authority under the United States, shall be fined under this title or imprisoned not more than three years, or both.
This statute doesn't require an active investigation.
Not a lawyer but what does "conceal" mean when it comes to websites like forums? You often see probably illegal stuff show up on popular forums and they eventually get banned/removed by moderators. Does that mean the moderators "concealed" it and are therefore liable?
I am also not a lawyer, but I think this sentence is what does it:
> actual commission of a felony cognizable by a court of the United States
Illegal isn't always a cognizable (i.e. perceptible, clearly identifiable) felony by a court. In this case, not only did the two hackers clearly commit a felony, the lack of reporting it led to the exact same type of breach conducted by the same two individuals against another site, Lynda.com.
That suggests they had clear evidence of a felony and knew of intent to commit future felonies. And the two hackers were caught and are going through the court stuff now; they even pleaded guilty. So that's basically a slam dunk on a cognizable felony.
How is this any different than paying ransomware? Is that also illegal? If anything, it seems like he/Uber are the victims of blackmail. And I have no love for Uber.
He's not accused of paying off the hackers. Rather he's accused of hiding the incident from an ongoing FTC investigation. They list various ways in which he supposedly concealed the hack from the FTC, e.g. they claim he set up a false paper trail to make it look as if the hack was a harmless bug bounty submission.
Yes, if there is a federal investigation you cannot conceal or refuse to disclose details.
There isn't a clear answer on proactive reporting; it depends on the type of business you have, what data you hold, the scale of the attack, etc. Some specific professions have mandatory reporting laws that may cover individuals that work for you. (See https://www.lw.com/thoughtLeadership/LW-ransomware-attacks-w... for a detailed answer.)
The generally accepted best practice is that every ransom attack be reported to the Cybersecurity and Infrastructure Security Agency.
In the specific case of Uber, the incident involved scanned passports. The law is pretty clear that you have to report any compromise of passport data to the State Department.
If the ransomware attack doesn't exfiltrate any data I wouldn't think you'd have to disclose it. For this case, isn't it impossible to prove that the hackers didn't keep this data and sell it? Even if the hackers were fully cooperative with Uber, there's no guaranteeing that. In that case, I would think you'd have to notify the public.
You get an obstruction charge when it seems easier to convict or you can't make a solid case on the crime being investigated, and you don't have to be guilty of the investigated crime to be guilty of obstruction.
I could imagine crimes being committed might include securities fraud, money laundering, bribery...
Most states have data breach laws. For California:
>California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person.
Know this is not the case here, but any company in the EU must report a breach involving personal data. This was introduced with the EU-GDPR: https://gdpr-info.eu/art-33-gdpr/
So this expectation is that Americans know all the possible felonies the people around them are committing? What a law.
“It has been reported that the Congressional Research Service cannot even count the current number of federal crimes. These laws are scattered in over 50 titles of the United States Code, encompassing roughly 27,000 pages. Worse yet, the statutory code sections often incorporate, by reference, the provisions and sanctions of administrative regulations promulgated by various regulatory agencies under congressional authorization. Estimates of how many such regulations exist are even less well settled, but the ABA thinks there are “nearly 10,000.””
> So this expectation is that Americans know all the possible felonies the people around them are committing?
When relevant case-law is taken into account, it appears that is not the case. Courts require active concealment of a known felony for conviction under that statute.
IANAL but this seems far from a slam dunk to successfully prosecute. The charge is that he tried to cover up something that they aren't charging as a crime while they were investigating an unrelated thing they also aren't charging as a crime. And the legal department recommended and approved the bug bounty and the CEO was fully informed.
> "this sounds like every parent of every killer ever: “he was a good kid. he would never do this”"
I understand that the HN mentality has become very cynical, but if your only contribution to this conversation is a sardonic simile, comparing someone you don't know to a murderer, you should consider biting your tongue.
If your only contribution is defending shitty character testimony you should consider biting your tongue. If there's no actual evidence I don't want to hear about what a nice guy he is.
Sorry, this isn't cool. Internet forums are far too quick to form flash mobs of judge, jury, and executioner. In nearly every case this turns out to be missing critical information. Moreover the instinct to do it is reflexive; it has nothing to do with the particulars of any situation—it's just an opportunity to have an experience that somehow we seem driven to recreate over and over again.
Because the tendency is overwhelmingly in this vicious and vengeful direction, having HN be the kind of community we want requires that we all make a conscious effort not to go there by default.
The OP was not comparing someone to a murderer. They were pointing out a phenomenon of denial whereby people refuse to believe that some person they know could ever be capable of some criminal doing. You should consider that you may have misunderstood.
The documents dumped by Martin Tripp in the Tesla case were pretty juicy. Looks like they had full access to his personal phone, round-the-clock surveillance on him and constant hacking of his accounts. So much so that one of the security guys working for Tesla turned whistleblower (Sean Gouthro).
The documents have been taken down since a court ordered Martin to remove them from public display.
This is about lying to the FTC, not about paying off hackers to keep data private. Ransomware has shown that the latter is accepted even if not exactly legal.
> The database included the drivers’ license numbers for approximately 600,000 people who drove for Uber.
Driver's licenses are deterministic and can be generated by knowing full name, DOB and state. They aren't PII.
From reading the article it doesn't sound like this was ransomware:
> "During this time, two hackers contacted Sullivan by email and demanded a six-figure payment in exchange for silence. The hackers ultimately revealed that they had accessed and downloaded an Uber database containing personally identifying information, or PII, associated with approximately 57 million Uber users and drivers."
The hackers were demanding a ransom from Uber to keep silent about a data breach, which is a whole lot different than paying a ransom to decrypt valuable, internal data. If a company has been breached, while it will almost certainly cause damage fiscally and to their reputation, they have a responsibility to notify users/customers. I'm unfamiliar with the law on this, but it should be illegal for a company to pay a ransom for malicious actors to keep silent about data they stole.
I haven't had to deal with PII issues for a few years now so I might be a bit rusty but: Regardless of how driver's license ids are created, they are global identifiers of a specific person. If company A knows a person's driver's license number, and company B knows that same person's driver's license number, the two companies can be certain they're talking about the same person.
That those ids are often formed from a transparent function of other PII only makes the issue more extreme. It's like PII^2.
This is not about lying, this is about actively assisting the criminals in concealing their crimes. The charges listed are obstruction of justice and misprision of a felony.
Furthermore, data being derived from something else has no bearing on whether it’s PII or not. ID numbers are personally identifiable information by definition. The whole point of them is to personally identify someone.
https://assets.documentcloud.org/documents/7041237/Joseph-Su...