> “The surprising part is that Valleywag knowingly outed their own source. Valleywag actually knew the screenshot had identifying information of the individual leaker prior to them publishing this story,” Kalanick told TechCrunch in a statement. “We told Nitasha Tiku from Valleywag that we would protect her source from legal ramifications if they did not publish the document. Nitasha and Valleywag decided to publish anyways.
I've said it here before, and I'll say it again: ValleyWag/Gawker Media are scum. This is just another entry in a long list of terrible things they do to get pageviews.
> Editor John Cook told us that the screenshots did not, in fact, have any identifying information.
> “We didn't publish any identifying information about the source of the screengrab,” Cook says. “We don't know who sent us that shot, and neither does Uber.
Now, I can't say which one of the two is telling the truth, but at least give both sides of the story. Looking at the shots, I'm not sure what is personally identifiable, though the bookmarks bar could give some clues.
And Travis's threat of legal action might just be hot air from him (which isn't exactly unprecedented). After all, these numbers look very good for Uber. I wouldn't want to be one of their competitors trying to raise a round of funding right now.
> It's a shame when tech journalists don't understand tech. Of course, they outed their source. With the time stamp Uber can check which employees looked at that page at a particular time. They can then ask these employees [likely just one] whose computer they were using at that time to figure out who grabbed the screenshot and sold it to ValleyWag.
So it's either VW didn't realize this, or fully realized it and still outed their source because they don't give a shit. Given their history of outing their sources, even after specifically being asked not to, I think the latter is much more likely.
> With the time stamp Uber can check which employees looked at that page at a particular time.
I think it's a bit of a leap to assume that the Uber admin system logs every user pageview. It may well do, but many home-grown systems (and it certainly looks homegrown) don't bother with that level of detail. Certainly, if they were that security conscious you'd think they'd also avoid allowing any employee to see overall revenue figures.
It wouldn't be an internal address. As the article states, an Uber employee logged on using their friend's laptop. I'd be surprised if they did that at an Uber office.
Think that through, the Uber dashboard is going to be protected by a login regardless of the IP used. Somebody's login was used to access the dashboard at that exact time stamp which will be in the logs. And every web server logs this stuff as a matter of course, and every operations group keeps those logs to scan for unexpected accesses from outside the company or from former employees etc etc.
I don't know any company - even small ones - that keeps internal stuff like that in the open. I'm willing to bet the Uber employee was on a VPN at the time, which narrows the search considerably.
I doubt Uber was secure/paranoid enough that the timestamp will immediately yield the leaker - but between webserver logs, VPN logs, etc etc, there's probably enough information there to deduce the culprit, especially if this occurred outside business hours.
Given that the Valleywag article (flagged off HN of course) said that they were able to load up the admin interface themselves (just not log in) I'm going to say that yes, it's open.
In that case it's going to be simple to find them, something like:
grep /log-in server.log
to find the admin user id which logged in around that time and viewed that page from an external IP. I'm sure if they really want to they could find the IP at least, and track which user accessed the resource, which other pages were accessed, which will probably lead them to the leaker. Quite a lot is logged by default by the web server usually, and then on top of that their app will do more logging, maybe even associating page views with user ids.
You can subpoena ISPs to see who owned an address (I believe) up to 6 months back. How exactly do you think the RIAA filed so many lawsuits against internet pirates?
Assuming they're using Apache's basic logs wouldn't it be insanely easy to track down all URLs visited by that IP?
After you log in to Uber.com it instantly does a GET to /api/clients/[PRESUMABLY_USER_ID]?parameters which would be in the logs, or they might have logs of user logins on their side (to show users a 'you've recently logged in from...' list somewhere).
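The log correlation several comments above describe, written out as an added example that is not part of the thread: it finds the IPs that were served a page near the screenshot time and then the /api/clients/ IDs those IPs requested. The log lines, the /admin/dashboard path, the timestamps and the window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in Apache common log format (not real data).
SAMPLE_LOG = """\
203.0.113.7 - - [04/Dec/2013:21:58:10 +0000] "POST /log-in HTTP/1.1" 302 0
203.0.113.7 - - [04/Dec/2013:21:58:11 +0000] "GET /api/clients/1042?x=1 HTTP/1.1" 200 512
203.0.113.7 - - [04/Dec/2013:22:01:30 +0000] "GET /admin/dashboard HTTP/1.1" 200 9000
198.51.100.9 - - [04/Dec/2013:14:00:00 +0000] "GET /api/clients/77 HTTP/1.1" 200 512
198.51.100.9 - - [04/Dec/2013:14:00:05 +0000] "GET /admin/dashboard HTTP/1.1" 200 9000
192.0.2.44 - - [04/Dec/2013:22:02:00 +0000] "GET /admin/dashboard HTTP/1.1" 401 120
"""
# Hypothetical screenshot timestamp used for the demo.
SHOT_TIME = datetime(2013, 12, 4, 22, 0, tzinfo=timezone.utc)

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
CLIENT = re.compile(r'^/api/clients/(\d+)')

def parse(text):
    """Yield (ip, time, method, path, status) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip malformed lines rather than guessing
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        yield ip, when, method, path, int(status)

def candidates(text, page, shot_time, window=timedelta(minutes=5)):
    """Map each IP served `page` (HTTP 200) near shot_time to the client IDs it fetched."""
    events = list(parse(text))
    ips = {ip for ip, when, _, path, status in events
           if path.split("?")[0] == page and status == 200
           and abs(when - shot_time) <= window}
    found = {}
    for ip, when, _, path, status in events:
        m = CLIENT.match(path)
        if ip in ips and m and status == 200 and when <= shot_time + window:
            found.setdefault(ip, set()).add(m.group(1))
    return found

if __name__ == "__main__":
    print(candidates(SAMPLE_LOG, "/admin/dashboard", SHOT_TIME))
```

The unauthenticated 401 request and the daytime session fall out of the result, which is why the window and the status filter matter more than the raw grep.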
There is a discussion in the article between Techcrunch and the Gawker editor about the timestamp.
What's weird is the editor hairsplitting between the source and the employee that happily helped the source access the data. I guess Uber might care about the intermediary, but I'm pretty sure they will be concerned about the actions of the employee.
Privacy isn't exactly binary, though, so the point still stands that you should probably not leak to ValleyWag.
Privacy is like a game of 20 Questions where the adversary intends to hone in on the full identity. Regardless of whether the source is identified, it is still unfathomably sloppy on ValleyWag's part in protecting their sources.
The personally-identifiable bit could be a watermark: slight coloration changes.
It could also be the last-updated time, or particular numbers in a column... which would have only been served to a single account in a logged transaction.
A company that cares about its proprietary information can easily log and/or watermark everything served via internal tools.
> I've said it here before, and I'll say it again: ValleyWag/Gawker Media are scum. This is just another entry in a long list of terrible things they do to get pageviews.
Joke's on them 'cause AOL successfully hijacked their story anyway.
This is what news organizations do. They find newsworthy information and provide it to the public. TechCrunch or the Wall Street Journal would do the same thing.
The press doesn't exist to cheerlead (in most cases). There's no arguing that Uber's numbers are newsworthy, so I don't see anything wrong with Valleywag's coverage in this instance.
This leak is frustrating and sad. Many of us here applaud companies that work to be transparent with their employees and would appreciate working for a company that helped us understand metrics like this. It makes everyone feel like they are a larger part of the company's success and learn more about how to become founders themselves.
So, having an employee leak this out doesn't just hurt the culture at Uber (which it undoubtedly will at least shake), but lessens the likelihood that any company that hopes to IPO or get bought will want to share their performance metrics with employees.
I don't think they did this, but one smart way for Uber to protect screenshots like this would be to include unique hex value colors depending which employee is logged into the dashboard. i.e. a different shade of blue in one of the cells for each employee who logs in. Then when the screenshot is published, you just eyedrop the color and you know who leaked it.
You would still get caught. You can reverse the timestamp from the "last 7 days" and the partial week column. You can get the timestamp from the numbers by summing until you hit the magic number, and taking the timestamp of the last transaction.
You would also need to delete the last two columns, and likely round-off the rest of the figures.
I actually think it's a really simple solution for the problem at hand... it's also hard to detect. The leaker didn't bother this time, but why not have such a simple mechanism in place?
There's a few more methods that I've used in real life. The trick is to have a number of them active, so that even if one method is thwarted (like by photocopying the image to monochrome), other methods still provide you enough unique information.
Some things we came up with (which actually helped find a leaker of a screen shot many of you may have seen on ycombinator a few years ago):
For protecting tabular data:
- Vary background colors slightly
- Fudge some numbers +/- .1% - low enough to not affect actual calculations.
- Change fonts for punctuation or some numbers (commas can be discernible by font type).
- Slightly adjust column/row widths
- Provide obvious personal identifying information on the page, so the person thinks that's the only thing they need to redact ;)
You could intentionally change some number or the other by a tiny bit that is not significant (and only noticeable to a very diligent observer who has comparison data) so that when comparing to the real numbers you see which number was changed by how much and find out who it is that way.
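The number-fudging idea from the comments above, as an added sketch that is not part of the thread: each account sees figures shifted by a keyed, per-user offset of at most 0.1%, and a leaked copy is attributed by comparing it with every account's rendering, even with some cells redacted. The secret, the figures and the account names are constructed assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"                 # hypothetical server-side secret
TRUE_FIGURES = [1_000_000.0, 213_000.0, 48_250.0, 9_731.0]  # constructed values
EMPLOYEES = ["alice", "bob", "carol", "dave"]    # hypothetical accounts

def offsets(user, n):
    """Per-user relative offsets in [-0.1%, +0.1%], one per cell (n <= 32)."""
    digest = hmac.new(SECRET, user.encode(), hashlib.sha256).digest()
    # Each digest byte selects one of 256 steps between -0.001 and +0.001.
    return [((digest[i] / 255) * 2 - 1) * 0.001 for i in range(n)]

def render_for(user, figures=TRUE_FIGURES):
    """Figures as this user would see them on the dashboard."""
    offs = offsets(user, len(figures))
    return [round(v * (1 + o), 2) for v, o in zip(figures, offs)]

def attribute(leaked, figures=TRUE_FIGURES, users=EMPLOYEES, tol=0.01):
    """Users whose rendering matches every visible leaked cell (None = redacted)."""
    matches = []
    for user in users:
        shown = render_for(user, figures)
        if all(l is None or abs(l - s) <= tol for l, s in zip(leaked, shown)):
            matches.append(user)
    return matches

if __name__ == "__main__":
    leak = render_for("carol")
    leak[1] = None                               # leaker blanked one cell
    print(attribute(leak))
```

As the thread notes, rounding off the figures defeats this marker alone, which is the argument for keeping several independent markers active.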
Are Uber drivers employees of Uber? Or are they contracted out, or independent, etc? If they aren't considered employees, then the $1B gross would not really be gross revenues under GAAP.
So there's Uber and then Uber X. Uber X are independent people with their own cars, but the black car service (at least in the cities that I've been) is farmed out to an already-existing car service in the city.
Those employees are also often contractors of those companies...
If they are a marketplace where the drivers are independent entities from Uber, then the money going to the drivers is not considered revenue under GAAP. Which is why I ask whether or not the drivers are Uber employees or not. I have no idea if they are or not. If they are Uber employees, then it is legitimate revenue, but if there is some agreement where they remain independent from Uber, then it would not, under GAAP.
Think about a site like Expedia, or Orbitz. They do not claim the entire price of the ticket as their revenue, since that money is going directly to the airlines. Their only revenue is the $10 they make from a ticket purchase.
This is the same issue that Groupon ran into pre-IPO where they were claiming the entire deal as their revenue.
By the title, it looks like they're working under GAAP rules. 1 billion gross, 213 million revenue. Gross would be the overall moneys that come in, $213mm would be what Uber grosses for itself, and the difference would be contractor payments.
I'm just speculating, of course, but if the title is to be believed, it supports what you're saying, I think.
You're correct. Which is why most reports of revenue for Uber, or even Airbnb, almost always use numbers in the hundreds of millions. However, both companies have gross sales in the billions.
Something is actually being bought and sold. This makes it easy to give a "real" valuation, rather than plucking figures out of the air based on buzz.
That is why unprofitable companies can raise so much money. You can sell the hope that it will someday make some sort of money, somehow. How much? Set your imagination (and your chequebook) free!
Uber collects the full amount of the fare, but keeps only 20% of it for itself -- 80% goes right back out the door to the driver. Typically this is called "Gross Revenue" vs. "Net Revenue"
So the $1B in gross revenue is the same as how a small car dealership books gross revenue for the total $ value of the cars it sells, even though most of that $ goes right back to the manufacturer ("cost of goods sold")
So $1B is their Gross Revenue (top top line), and $213M would be their Net Revenue (bottom top line) -- then all expenses, etc. come out from there...
My understanding is that it's top line. So Uber gets $1B in revenue, but gives most of it to the drivers - so is left with $213M in total revenue. So we don't know its "income" or profits.
In many companies (and GAAP), what is here referred to as gross revenue will be revenue, and what is called here as net revenue will be gross income. After that you deduct normal expenses that is related to create revenue, then that will be earnings before tax, interest and amortization (EBITDA). To get to net you need to deduct from EBITDA the interest, amortization and tax, as well as abnormal items. COGS (cost of goods sold) is normally the difference between revenue and gross income.
GAAP has adjustments for industries. Types of businesses where COGS is very high frequently have Gross and Net revenue rather than revenue and Gross income because of the difficulty in finding signal in costs and margins. Not to mention that a market maker with $1B in revenue can support orders of magnitude less interest expenses than a software firm with the "same" revenue.
Not all business analysis and important ratios depend on earnings, however defined. Thus the importance of a Net Revenue figure that then has typical expenses deducted from it to get to EBITDA.
It's raw financial information about a well-known and much-discussed new business, a business about which we aren't often privy to any numbers.
It's okay that you don't find it interesting, but I -- and many others, thus the upvotes -- do.
(If your definition of newsworthiness stems solely from whether or not it affects you in general, then I'd imagine you'd have to eliminate 80% of Hacker News, as well as ~98% of all world news.)
No snark necessary, Justin. It was a genuine question. I just didn't understand why it was so highly upvoted and why this was so interesting to people.
I apologize if I came off as snarky with the middle bit, I didn't mean it as such. (For instance, I don't find the VC stuff on here, such as the Kima15 thing, interesting at all. But I recognize that a huge portion of readers here do.)