HN Gopher Feed (2017-11-21) - page 1 of 10
Uber Concealed Cyberattack That Exposed 57M People's Data
304 points by coloneltcb
https://www.bloomberg.com/news/articles/2017-11-21/uber-conceale...
NelsonMinar - 34 minutes ago
It never fucking ends with this company, does it?
chris_wot - 7 minutes ago
No, it does not. Tough luck if you are a driver, btw. You'll be
made redundant to self-driving cars soon.
SubiculumCode - 30 minutes ago
I think it's time that Uber starts paying a real and deathly penalty
for their pattern of behaviors.
ksk - 25 minutes ago
If companies hiring the "best and brightest" can't keep your data
secure, what hope is there for the average non-tech company? Low
tech lock-and-key solutions don't seem so bad now. If only they
could scale...
[deleted]
madamelic - 19 minutes ago
Yep. About that time my Uber account was 'hacked' and someone kept
requesting rides in Florida and I had to cancel them as fast as
they made them. I emailed Uber support and they got back to me 3
days later. Then someone proceeded to try to gain access to every
account I had with that email and password (yeah, yeah, I know).
The next worst was someone getting into my DigitalOcean account and
launching an instance. It has finally settled down, I occasionally
get alerts from people trying to break into something but lots of
2FA and no shared passwords anymore. I am not sure if this was
Uber's fault or another site's but the timeframe of Oct 2016 lines
up.
asabjorn - 10 minutes ago
In the disclosure it says that the attack included names, email
addresses and phone numbers. It did not contain any passwords or
social security numbers, so your passwords must have been
compromised in some other way.
keyle - 17 minutes ago
"For $100K we will delete the information, Scouts honor!"...
osrec - 52 minutes ago
I am amazed at the things Uber gets through and is still standing
after...
idibidiart - 50 minutes ago
Money.
sunsetMurk - 48 minutes ago
how does this stop being the case? money > all else.
IanCal - 33 minutes ago
Laws & strong enforcement, with an informed population. While
money gives power, the concern is that it's concentrated in a
small number of people. Voting is not, and can result in
controls of essentially any level.
idibidiart - 41 minutes ago
Start communities that use solar/wind energy, grow their own
food (maybe using this in urban areas:
https://www.media.mit.edu/groups/open-agriculture-openag/ove...),
use WiFi mesh networking, maybe launch their own satellites (for
inter-community links:
https://newatlas.com/tubesat-personal-satellite/22211/),
build their own things with multi-material 3D printers (maybe
even print semiconductor components, who knows...) and employ
barter rather than artificially scarce magical paper or
e-coins. Also, employ "DIY Bio" in ethical life enhancing
way, open production (open source everything etc). The
technology and paradigms exist today or will fully exist
soon.
wavefunction - 48 minutes ago
Their investors are too big to fail (to recoup their investments
by IPO offloading to the sucker public).
dijit - 47 minutes ago
Never underestimate the power of marketing. My mother for
instance would use Uber over any ride-sharing system due to its
insane exposure and the fact that these stories remain relatively
unheard of in comparison.
spike021 - 33 minutes ago
It's already way more common to use "Uber" as a verb, or even a
noun, that doesn't necessarily even mean Uber the company
itself. People have asked me before if I'm about "to uber" or
"take an uber" someplace and they say it in an obvious way that
implies "any ridesharing company" (or lyft in my case since
most people know I only lyft nowadays). Uber just as a word for
ride-sharing has become ingrained and won't be easy to get rid
of, IMO.
ryacko - 16 minutes ago
At this rate, Uber may be the first company to have a generic
name and go out of business so soon afterward.
malydok - 8 minutes ago
Same as `googling` will long remain the synonym for
`searching the internet`.
cyberferret - 41 minutes ago
My family and friends outside the tech industry have almost no
clue about nearly all these scandals - especially the data
breaches and the former CEO's indiscretions. About the only
thing they hear is that some Uber drivers have assaulted
passengers in the past, but they write that off against the
fact that a lot of Taxi drivers have done the same in the
past. It is a telling example that the pain point of a bad taxi
service in a city is usually enough for them to conformance
rationalise that Uber is still a better alternative, despite
any of these issues.
user5994461 - 38 minutes ago
She used uber because the service is fantastic.
[deleted]
ipsum2 - 51 minutes ago
> Uber said it will provide drivers whose licenses were compromised
with free credit protection monitoring and identity theft
protection.

This happened more than a year ago, and only now that
they're planning on offering identity theft protection? That's
ridiculous.
stevenj - 50 minutes ago
Ever since Susan Fowler told her story about what happened to her
at Uber, I have only used Lyft, and have encouraged all my friends
to do the same. I plan to never use Uber again.
[deleted]
[deleted]
tabeth - 9 minutes ago
You'll find that thinking like that will only lead to misery at
worst and hypocrisy at best. For example, if you live in the
United States (though this logic applies to any country, really),
you'll be interested to know that the US holds the world record
for the amount of innocent civilians killed [1].
[1] https://www.globalresearch.ca/u-s-holds-the-world-record-of-...
nothrabannosir - 5 minutes ago
Don't let hypocrisy stop you from doing the right thing.
Sometimes you need to climb one tree to cut down another.[1]
That's ok.
[1] tbh I don't think you do, but I like the analogy so I'm
keeping it.
tabeth - moments ago
I disagree. One needs to be consistent in their actions,
otherwise, what's the point? Two wrongs don't make a right,
after all.
rlabrecque - 39 minutes ago
When I deactivated my account it was a huge pain, I had to reply
to 2 emails, and in the end it took 5 days to complete. That
alone annoyed me enough to never go back.
linkregister - 2 minutes ago
The current deletion process is smooth and can be completed in-
app.
partycoder - 38 minutes ago
Same here. That and that video from the driver that bought a
black car to drive it for Uber and ended up in massive debt.
gncb - 49 minutes ago
lol
deusofnull - 46 minutes ago
lol
kgraves - 8 minutes ago
L O L
bogomipz - 12 minutes ago
The CSO was able to arrange for $100K to be paid out without any
oversight of what that money was for? If it was paid to hackers it's
unlikely that finance cut a check. I'm imagining this was paid in
bitcoin or similar. How was this able to be approved? I'm guessing
someone created a fake invoice? Wouldn't that constitute fraud?
tedunangst - 4 minutes ago
Who needs to approve it? How would you know they didn't?
michaelbuckbee - 11 minutes ago
IANAL but I did some basic visualization work as part of a story on
US state data breach regulations. What may be Uber's undoing is
that they must have the drivers license numbers for all of their
drivers on file and that is considered PII by 45 states (nevermind
that they also missed their reporting deadline). And if you're
interested, a gif of the data: https://imgur.com/Rm32MeC
jtchang - 47 minutes ago
"In January 2016, the New York attorney general fined Uber $20,000
for failing to promptly disclose an earlier data breach in
2014." Because you know... 20k really really hurts for a company like
Uber.
untog - 26 minutes ago
I recall a story (that I'll probably recount incorrectly) about a
daycare business deciding that too many parents were arriving
late to pick up their children (meaning that staff had to stay
late with the kids), so they instituted a fine for late
pickups. The result was that more parents were late. The reason
being that the parents effectively considered the fine a "late
pickup fee", and one they were more than willing to pay. If the
parents were fined a day's daycare fee for being ten minutes late
you can bet their attitude would change. I see company fines in
the same light - they formalise the process of absolving
responsibility and moving on. Just pay the toll and continue to
handle your customer data cavalierly.
gr3yh47 - 22 minutes ago
> Just pay the toll

especially when the cost of doing the right thing is higher. I mean
look at HSBC - laundered trillions of dollars of mega-organized-crime
money. for a decade. 400m dollar fine probably isn't even .01% of
what they made off that endeavor
tedunangst - 10 minutes ago
If HSBC was making profits of $4 trillion, they were also
lying on their financial statements.
21 - 8 minutes ago
> laundered trillions of dollars of mega-organized-crime money

While I agree with your sentiment, there is no need to
use such inflated and hilarious numbers.
panarky - 2 minutes ago
And they say we need less regulation of corporate behavior.
fauigerzigerk - moments ago
HSBC did not make trillions from those transactions and they
were fined $1.9bn in 2012.
Swizec - 17 minutes ago
> The reason being that the parents effectively considered the
fine a "late pickup fee", and one they were more than willing
to pay.

The real question in this story is this: If you find
that you have customers who are willing to pay you more for
providing more service ... why not provide that service? You
get more money, your staff gets paid overtime, parents get
peace of mind, everyone's happy.
untog - 10 minutes ago
I... don't really think that's the point of the story.
Certainly not in any way that involves keeping this
conversation on the topic of Uber being fined.
watwut - 8 minutes ago
Because those more money may not be enough to pay for more
people that would need to be hired? While existing staff may
be willing to stay 30 minutes more occasionally, they might
not like the idea of having even longer shifts all the time.
lanius - 14 minutes ago
Here's an article about that:
http://www.nytimes.com/2005/05/15/books/chapters/freakonomic...
amesen - moments ago
This is mentioned in Dan Ariely's Predictably Irrational.
dajohnson89 - 16 minutes ago
more than 100% of their profits?
mewmew - 42 minutes ago
This would have been interesting if GDPR was applied.
https://www.gdpr.associates/data-breach-penalties/
"There will be two levels of fines based on the GDPR. The first is up
to €10 million or 2% of the company's global annual turnover of
the previous financial year, whichever is higher. The second is
up to €20 million or 4% of the company's global annual turnover
of the previous financial year, whichever is higher. The
Parliament had requested for fines to reach €100 million or 5% of
the company's global annual turnover. The agreed fines are the
compromise that was reached."
vm - 37 minutes ago
Even larger fines seem to draw weak behavior change. The U.S.
corporate structure is remarkable in that sense. It shields
employees (especially executives who often don't carry out
orders) from criminal and financial responsibility for their
actions.
sp527 - 28 minutes ago
This is not true. Back when JPM was being fined billions of
dollars when the Southern District of NY was after them, they
were quaking in their boots internally while at the same time
redlining PR efforts to project external calmness. Huge fines do
exactly what they're intended to do. JPM for instance responded
by making legitimate operational changes to detect all manner
of financial malfeasance within their organization.
sehugg - 46 minutes ago
At the time of the incident, Uber was negotiating with U.S.
regulators investigating separate claims of privacy violations.
Uber now says it had a legal obligation to report the hack to
regulators and to drivers whose license numbers were taken.
Instead, the company paid hackers $100,000 to delete the data and
keep the breach quiet.
Rotten194 - 39 minutes ago
Only $100k? They really should have tried for more... not that I
support stealing PII.
ejcx - 10 minutes ago
I can not believe Joe Sullivan would just sit there during this.
There has to be so much more to this story. I can not imagine he
would be on board with negotiating with the hacker, and cannot
imagine him sitting idly for a year after the cover up.
wheelzr - 46 minutes ago
Credit Monitoring is the shittiest way to resolve these issues. I've
stopped using any credit card numbers for anything digital. I can
change paypal passwords weekly if I'm that paranoid.
wheelzr - 45 minutes ago
Credit card numbers are a bug.
rickcnagy - 44 minutes ago
> Here's how the hack went down: Two attackers accessed a private
GitHub coding site used by Uber software engineers and then used
login credentials they obtained there to access data stored on an
Amazon Web Services account that handled computing tasks for the
company. From there, the hackers discovered an archive of rider and
driver information. Later, they emailed Uber asking for money,
according to the company.

Don't check secrets into VCS, folks!
claudiulodro - 34 minutes ago
I'm surprised Uber doesn't have their engineers set up 2FA for
GitHub. Super simple to implement and require organization-
wide[1] and would have prevented this. Then again, not storing
credentials in GitHub would also have prevented this . . .[1]
https://help.github.com/articles/requiring-two-factor-authen...
dmoy - 25 minutes ago
Working at another large tech company, this does not surprise
me.

Edit: I mean it would surprise me if it wasn't recommended
practice, but it would also surprise me if it was somehow
strictly enforced.
komali2 - 22 minutes ago
This is so gob-smackingly uncommon I started asking "do you
require 2fa for your github accounts" as part of my interview
questions when I was looking for jobs (i.e. I'd ask my
interviewers). I don't know how to feel knowing that there is
even one software-focused company out there that doesn't
enforce 2fa on its github accounts. Like... how?! Why?!
dboreham - 7 minutes ago
Unless 2fa was bypassed with the token you get from GitHub in
order to use the git client via https.
flylib - 4 minutes ago
I mean they don't say how they accessed the GitHub repo or
whether there was a vulnerability in Github itself that allowed
access
Toast_25 - 31 minutes ago
From what I hear it's pretty common...
shallot_router - moments ago
It's very common, but there are lots of ways of addressing it.
Theodores - 44 minutes ago
I wish I was a fly on the wall at Transport for London. Or to be at
that meeting TfL will be having with Uber, when Uber are going to
magically prove themselves to be a 'fit and proper' company. At
some point after some British chat about the weather someone on the
TfL side of the table might ask: 'So, that data breach...'
ProAm - 41 minutes ago
If the FTC doesn't act on this they are toothless. Uber's blatant
disregard to anything respectable is astounding:

"In January 2016, the New York attorney general fined Uber $20,000
for failing to promptly disclose an earlier data breach in 2014.
After last year's cyberattack, the company was negotiating with the
FTC on a privacy settlement even as it haggled with the hackers on
containing the breach, Uber said. The company finally agreed to the
FTC settlement three months ago, without admitting wrongdoing and
before telling the agency about last year's attack."
justinzollars - 40 minutes ago
I woke up and Silicon Valley has really become an Evil place. What
ever happened to our mantra (really Google's but it reflected the
whole valley) "Don't be evil"? We really need to change.
dictum - 31 minutes ago
It all started when Google banned all software that can not be
used for Evil:
http://wonko.com/post/jsmin-isnt-welcome-on-google-code
vthallam - 39 minutes ago
> Uber said it will provide drivers whose licenses were compromised
with free credit protection monitoring and identity theft
protection

This has got to be a running joke now. Companies lose the
data and offer credit/theft protection rather than facing the
consequences. If Equifax could get away with the giant breach, I am
sure Uber will not even feel the heat. smh.
Jach - 29 minutes ago
It'd be nice if I could register for 2FA with all the various
agencies. Commenters have suggested paying a fee to 'freeze'
credit activities but the process to 'unfreeze' them requires no
new information than what's already in most of these leaks...
theDoug - 16 minutes ago
I moved to the US in April and was shocked by the Equifax breach,
but more surprised to hear from a coworker how often these "free
credit/identity monitoring for a year" situations occur. One
co-worker is covered by no less than four groups who failed to look
out for him earlier, all for trusting companies to not screw up
PII or remember that data is a liability.
sthomas1618 - 37 minutes ago
"Here's how the hack went down: Two attackers accessed a private
GitHub coding site used by Uber software engineers and then used
login credentials they obtained there to access data stored on an
Amazon Web Services account that handled computing tasks for the
company. From there, the hackers discovered an archive of rider and
driver information. Later, they emailed Uber asking for money,
according to the company."

Seems to suggest they committed AWS credentials into source control?
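An added example, not part of this thread and not Uber's, GitHub's or AWS's own tooling: the check that both rickcnagy's "Don't check secrets into VCS" and sthomas1618's question above point at. It is a small pre-commit scanner that reads a staged diff from stdin and fails the commit when an added line contains an AWS access key ID, a 40-character value assigned to an AWS secret key name, or any other secret-sounding assignment whose value has high enough entropy to look like key material. The regular expressions, the entropy cut-off and the sample diff are all assumptions constructed for the example; the AWS values in the sample are the placeholder pair AWS uses in its own documentation.

```python
"""Pre-commit secret scanner (added example; patterns and threshold are assumptions).

Reads a unified diff (or any text) and reports lines that appear to add
credentials. Removed lines ("-") are not part of the commit and are skipped.
"""
import math
import re
import sys
from collections import Counter

# AWS access key IDs are 20 characters: AKIA (long-term) or ASIA (temporary)
# followed by 16 uppercase alphanumerics. Assumed from the documented format.
AWS_ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# A 40-character secret assigned to a name like AWS_SECRET_ACCESS_KEY.
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret(?:[_-]?access)?[_-]?key\W{0,5}['\"]?([A-Za-z0-9/+=]{40})"
)

# Generic catch: a secret-sounding name assigned a long value. Flagged only
# when the value's entropy is high enough to look like key material, so a
# placeholder such as "xxxxxxxx" does not trip it.
GENERIC_SECRET_RE = re.compile(
    r"(?i)\b(password|passwd|secret|token|api[_-]?key)\b\W{0,5}['\"]?([A-Za-z0-9_\-/+=]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a constant string)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text):
    """Return (line_number, kind, value) for every suspected secret in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("-"):
            continue  # removed line in a diff: not being committed
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(1)))
        for m in AWS_SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "aws_secret_access_key", m.group(1)))
        for m in GENERIC_SECRET_RE.finditer(line):
            value = m.group(2)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high_entropy_" + m.group(1).lower(), value))
    return findings


# Constructed sample diff for the example. The AWS values are the placeholder
# pair from AWS's documentation; the api_key value is made up.
SAMPLE_DIFF = """\
+++ b/config/settings.py
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DEBUG = True
+api_key = "q7Zr2pL9xVw4bN8kT3mH"
+TOKEN = "xxxxxxxxxxxxxxxxxxxx"
"""


if __name__ == "__main__":
    # Usage from a pre-commit hook:  git diff --cached | python scan_secrets.py
    hits = scan(sys.stdin.read())
    for lineno, kind, value in hits:
        # Print only the ends of the value so the hook's own output does not leak it.
        print(f"line {lineno}: {kind}: {value[:4]}...{value[-4:]}")
    sys.exit(1 if hits else 0)
```

Run it as `git diff --cached | python scan_secrets.py` from a pre-commit hook; a non-zero exit blocks the commit. On the sample diff it reports the access key ID on line 3, the secret key on line 4 and the made-up api_key on line 6, and ignores both the removed line and the all-x placeholder. It is a last line of defence, not a substitute for keeping credentials out of the repository entirely (environment variables, an instance role or a secrets manager) and for revoking any key that has ever been committed, since rewriting history does not un-leak it.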