Uber hauls GitHub into court to find who hacked database of 50,000 drivers
theregister.co.uk

Uber publishes secret key.
Uber ignores security breach for half a year.
Uber sues third party while trying to repair damage caused by their own failings.
At this point the identity of the hacker is irrelevant. The data is in the wild, Uber is exposed as incompetent (again). But hey, anyone want to invest another billion at a 40 billion valuation? This company is going places.
To be clear, GitHub is not being sued. GitHub is being served a subpoena. Big difference.
The third party being sued is the (as yet unidentified) person who used the key to obtain & leak the data.
I for one am just glad to see that GitHub refused to turn the data over without a subpoena.
> At this point the identity of the hacker is irrelevant
No. Even if I leave my door unlocked, someone who comes in and steals my stereo should still be punished.
This is different from someone stealing a stereo. This is you taping the security code for your front door onto the door and then you're mad at the manufacturer of the door's lock. You want the manufacturer to give you any information about the person who broke into your house.
The manufacturer digitally stores the fingerprints of anyone who uses the lock. You want the manufacturer to give you a copy of the fingerprints to help you identify the person who broke into your house.
> ...and then your [sic] mad at the manufacturer of the door's lock.
There is no evidence that Uber is mad at Github.
No, Uber is fishing for data they don't need. They have an IP address of the intruder. Instead of demanding all the access logs for a months-long period, why not compel GitHub to answer the question "Did this IP address access the Gist in question? If so, what are the timestamps?"
Instead Uber wants all of GitHub's access log data for the gist in question, which sounds like more incompetence and desperation on Uber's part.
Or they believe the attacker likely accessed the information in the gist from several IP addresses; they want more trails to follow if the one bit of data (we are aware of) that they have proves cold. It's a sensible reason to subpoena, and it's also a fishing expedition so it's sensible for Github to not hand the data over without a court order.
Which is why we have courts.
incompetence, desperation, and a great way to shift some blame onto GitHub, in the eyes of people who know absolutely nothing about how this stuff works.
which could be the audience they're most concerned about.
Are any of the people who know absolutely nothing about how this stuff works following the story on the register? Would anybody even know if the register hadn't decided to make a story out of it? Doesn't seem like a particularly effective blame shifting strategy to me.
it's also on VentureBeat, Slashdot, and a bunch of other places. google "GitHub Uber subpoena." it'll probably show up on TechCrunch and Valleywag by the end of the day.
also, and although I doubt you'll ever see this, I would bet almost anything that my statement was 100% accurate as long as you assume the audience this move was intended for is an internal audience at Uber.
The victim here is not Uber, but the Uber drivers whose data was lost. Uber is partly guilty here, because of their negligence.
Your analogy is wrong. It's more like asking someone to protect the key of your locked door. And they make copies and leave them in random places with the address attached.
The entity responsible is being punished. They're paying for identity protection for a year and taking yet another public image hit. The hacker? Whoever it was did society a favor by exposing yet another careless company giving away your data because they don't value security.
I partly agree with parfe in principle. Uber is as responsible for this breach with their carelessness as the person who exposed it. That does not change the fact that there were 50,000 victims in the disclosure.
Protip: It's not illegal to throw out IP address data, as there are no mandatory retention laws in the United States. Then if you get a John Doe subpoena, you have no useful information to supply.
https://www.eff.org/issues/mandatory-data-retention/us
Neocities currently scrambles stored IP addresses with scrypt, and (soon) after 30 days, we intend to delete those IP hashes. It's legal. Consider doing it.
Here's the code we used to do it: https://github.com/neocities/neocities/commit/4983a9b24eac00...
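As an added illustration of the two points above (the Neocities approach of scrambling stored IPs with scrypt and purging them after a retention window, and the earlier question of whether a host can answer "did this IP access the gist, and when?"), here is a small Python sketch. It is not the Neocities code linked above and not anything GitHub runs; the pepper value, the retention window, the scrypt parameters and the sample log entries are all constructed for the demo.

```python
"""Scrambled, time-limited IP access log (added example, not the Neocities code).

Each client address is normalised, run through scrypt together with a
server-side secret, and only the digest is written to the log.  Records older
than the retention window are purged.  The host can still answer a targeted
"did this address hit this resource?" question while it holds the pepper and
the record is within retention, but cannot hand over raw addresses, because it
never stored any.
"""
import hashlib
import ipaddress
from datetime import datetime, timedelta, timezone

# Server-side secret mixed into every digest.  Placeholder for the demo; in a
# real deployment load it from configuration or a secrets manager and keep it
# away from the database holding the hashes.  Without it, anyone who obtains
# the log can enumerate the 2^32 IPv4 space, scrypt cost or not.
PEPPER = bytes.fromhex(
    "8f1c3a9d7e6b5a4c2d1e0f9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c"
)

RETENTION = timedelta(days=30)  # assumed policy, matching the comment above

# N=2^14, r=8, p=1 needs 128*r*N = 16 MiB, under hashlib's default 32 MiB cap.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def scramble_ip(ip: str, pepper: bytes = PEPPER) -> str:
    """Return the hex scrypt digest of a normalised IP, salted with the pepper.

    Normalisation means "2001:0db8::0001" and "2001:db8::1" scramble to the
    same value.  Raises ValueError for strings that are not IP addresses.
    """
    canonical = str(ipaddress.ip_address(ip.strip())).encode("ascii")
    digest = hashlib.scrypt(canonical, salt=pepper,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return digest.hex()


def record_hit(log: list, ip: str, when: datetime, resource: str) -> None:
    """Append an access record that holds only the scrambled address."""
    log.append({"ip_hash": scramble_ip(ip), "when": when, "resource": resource})


def hits_for_ip(log: list, ip: str, resource: str) -> list:
    """Timestamps at which `ip` accessed `resource`, oldest first.

    This is the narrow question a subpoena could ask; it needs the pepper,
    so only the log's operator can answer it.
    """
    wanted = scramble_ip(ip)
    return sorted(r["when"] for r in log
                  if r["ip_hash"] == wanted and r["resource"] == resource)


def purge_expired(log: list, now: datetime,
                  retention: timedelta = RETENTION) -> int:
    """Drop records older than the retention window; return how many went."""
    cutoff = now - retention
    before = len(log)
    log[:] = [r for r in log if r["when"] >= cutoff]
    return before - len(log)


def demo_log():
    """Constructed sample data: three hits on a hypothetical gist, one stale."""
    now = datetime(2015, 3, 1, tzinfo=timezone.utc)
    log = []
    record_hit(log, "203.0.113.7", now - timedelta(days=45), "gist/example")
    record_hit(log, "203.0.113.7", now - timedelta(days=3), "gist/example")
    record_hit(log, "198.51.100.9", now - timedelta(days=1), "gist/example")
    return log, now


if __name__ == "__main__":
    log, now = demo_log()
    print("hits before purge:", hits_for_ip(log, "203.0.113.7", "gist/example"))
    print("purged:", purge_expired(log, now))
    print("hits after purge:", hits_for_ip(log, "203.0.113.7", "gist/example"))
    print("raw IP in any record?", any("ip" in r for r in log))
```

Two design notes. The pepper is what makes the scrambling meaningful: IPv4 has only about four billion addresses, so an unkeyed scrypt digest can be reversed by anyone who holds the hashes and is willing to spend the compute, and a targeted "is this one address in the log?" check costs a single scrypt call. Rotating the pepper on a schedule and discarding old ones makes expired records unlinkable even before they are physically deleted. Second, `purge_expired` must actually run (a cron job or a database TTL), because a retention policy that exists only in a comment leaves the data available to the next subpoena.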
Nitpick: the title implies that Uber is suing GitHub, but that's not the case. Uber has a civil suit pending in N.D. Cal., and has issued GitHub a third-party subpoena: http://regmedia.co.uk/2015/02/28/ubergithubexhibit.pdf. Such subpoenas are used when a third party might have information relevant to a pending lawsuit. They do not imply any allegations of wrongdoing against the third party.
As a general rule headlines from 'The Register' should probably not be copied directly regardless of the rules on this website.
Actual headline: "FORK ME! Uber hauls GitHub into court to find who hacked database of 50,000 drivers"
There's actually an exception in the site rules[0] for the sorts of titles which are common on the Reg:
> Otherwise please use the original title, unless it is misleading or linkbait.
Why? What's your justification?
> In keeping with its image as a gas tank of ethics running on empty (...)
This is the best one-sentence summary of Uber I've ever seen.
Peter Sagal on NPR's "Wait Wait...Don't Tell Me!" had a good one liner something along the lines of Uber heard Google's "Don't be evil" motto and thought "They are leaving an open market niche for us!".
Haha, that's excellent as well! I think I'll just note both of them in my quotes file.
BTW, after watching all episodes of John Oliver's "Last Week Tonight" I'm looking for interesting shows. Is that podcast worth listening to? Anything else you'd recommend?
Not the OP, but I pretty regularly listen to Wait Wait; it's always pretty humorous and, sadly, it keeps me up on current events. I also listen to Marc Maron's WTF podcast and StarTalk Radio with Neil deGrasse Tyson. Different strokes for different folks, though.
Thanks for recommendations, I'll check them out! :).
So let me get this straight - They're publishing a secret key on a Gist, and then getting whiny when it somehow gets leaked.
Github very clearly states that "secret" gists are NOT private: https://help.github.com/articles/about-gists/
> getting whiny
Actually, they're subpoenaing. This is necessary to identify who may have accessed it; I don't think this is a suit over the privacy of gists.
> This is necessary to identify who may have accessed it
Actually, it's not. If Github's TOS (and their legal argument in response to the subpoena) is strong enough, Uber can go fly a kite.
Fair—but they won't have the opportunity without the subpoena. Point is, the subpoena means nothing bad about github itself.
So how is the IP address of someone who has viewed or crawled said secret Gist relevant anyway? Someone crawling a website is not probable cause (even if there is a single IP address which can be traced to a specific machine, which is highly unlikely).
Secret gists are not published publicly, and thus are not crawled. You would need to have a direct link to the gist to have accessed it. Having the link either means you had access to it as an internal employee, it was shared by an internal employee, or an internal employee's system or email was accessed by someone else.
Or it could have been linked somewhere public? It's far-fetched to think that you'd be able to prove that someone seeing this gist is malicious. GitHub clearly states: "Warning: Secret gists aren't private."
Yes, I'm definitely not disagreeing with that.
> and then getting whiny when it somehow gets leaked
How did you come away with that? They're trying to subpoena GitHub to gather information on who may have been responsible for the hack.
How do we know it was a gist published by Uber, and not a third party?
I couldn't find that information in the article or the subpoena.
http://regmedia.co.uk/2015/02/28/ubergithubexhibit.pdf
It was published by github.com/hhlin. The commit has a SHA256 hash of 2a4fae0e6d443b29826096fe043409e2c305bb79.
The publisher works for Bayes Impact, and according to his LinkedIn page, worked for Uber from April 2011 to October 2014.
Asking for every IP address that accessed a public gist seems like a bit of an overreach to me. Github should also have the responsibility to protect its lawful users' data.
It seems reasonable though to request some user data for a specific IP address that Uber suspects as being the invader (depending on how strong the evidence is).
When these types of things happen, I notice a strong "blame the victim" mentality. When Sony was hacked, I saw similar comments about how it serves them right for having bad security. Some people even go as far as to praise the hacker and think they shouldn’t be held accountable for their crime. After all, if Uber didn’t want this, they wouldn’t have made themselves so vulnerable to penetration.
While I agree companies like Uber and Sony need to invest more time and energy into security, real people are hurt when these types of things happen. It isn’t the executive-level “fat cats” who are hurt the most. It is normal, everyday people. They did not ask for their personal information to be stolen. Their only crime was working for a company with poor information security.
Furthermore, the fact Uber issued a subpoena for information from Github does not make Uber the bad guy for requesting the information and Github the good guy for withholding the information. A crime was committed and this is part of the investigation. The information requested by Uber is not unreasonable. They are basically requesting log files for that specific Gist.
Channeling my inner Matthew McConaughey from A Time to Kill, imagine this happening to an organization that is more likeable than Uber or Sony (shouldn’t be that hard). What if this happened to an organization responsible for helping rape victims and this person leaked the private information of rape victims to the Internet? Would people be so willing to support the criminal? Would people be so eager to praise Github for not cooperating?
Just because Uber is a horrible, unethical company does not mean it isn’t protected under the law. We shouldn’t condone crime just because we don’t like the victims.
Would there be any consequence for Github themselves if they no longer had this data (for example in the hypothetical case that they only store access logs for 30 days)?
No. You can't provide what you don't have, and you are not obliged to save more than you are obliged to by law. I'm not aware that GitHub has to save anything in the first place.
Didn't some court rule that IP addresses are not people? So they get these IPs and sue them just like the MPAA/RIAA failed to do? I guess maybe some have usernames...?
Also super shady they don't bother to explain why it took them almost 5 months after they discovered it to notify anyone.
Does Github have any obligation to share this data with Uber?
A judge will determine that. Generally you do have to cough up information for criminal activity, but a judge determines what and if.
Presumably that's what the court will have to decide, if it gets that far.
You guys really need to learn to use https://defuse.ca/b/
Even better, use makepaste.sh
Using "secret" gists is just reckless, really.