Let's be clear here: 600 requests every 1.2 seconds is 30,000 additional requests a minute. Uber is not Facebook or Twitter; the amount of requests per minute they get in a given city is probably in the hundreds, not the thousands. These were also not public APIs; they were reverse engineered. That means that this puts real load on them, costs them real money in infrastructure costs, and was not done with anything even resembling permission.
A lot of people seem to say that Uber failed to communicate or were too harsh. If someone throws an order of magnitude (or more) traffic at me without telling me, without communicating with me, and using APIs that aren't supposed to be public, you're damn right I'm going to ban them. Even OP knows why they banned him, which he flat out said.
In this case it does seem like pure lack of thinking, and now that the story is out there I'm hoping someone from Uber notices and removes the ban. I'm also really hoping that Will learns a lesson here, and next time he does something like this, communicates with the company before releasing anything that's going to use their resources.
I completely agree with this, I acknowledged this and realised I would probably get banned. It was more a case of letting people see how the Uber API could be used, that's why I've now replaced it with a video so people can continue to see it.
I completely agree with why they banned me, it's a huge load to throw on the server. Although I'd love to be unbanned and use it again, I would be surprised if I was.
Thanks for the advice to communicate before, definitely seems like the correct approach.
Yeah, I figured you got it, and my comment was not directed at you. However, in the few minutes this post has been up there's a lot of blame going towards Uber, which is what I wanted to call out.
I feel that I should keep it up just for reference and educational purposes. This was in no way an attack, but a mere hack that was created in 24 hours. It was not intended to be damaging to the service, although I do take responsibility that it was.
Amos here from Uber. First of all, this was a very cool app Will. I love your passion for technology and your interest in Uber. For some pretty obvious reasons (many of which are mentioned in the comments), we didn't have a choice but to suspend your account. That said, there's no hard feelings. We've re-activated your account and would love to chat with you about an internship this summer. I hope you continue creating and exploring!
Sorry, have to side with Uber. Hackers do not live in a bubble of innovation that renders them immune to being penalized for the potentially negative consequences of their hacks. Uber's priority is to serve their paying customers (like me) as best as possible, and if that requires banning someone who's being a nuisance, then so be it.
100%. Some people never empathise with the company they're using. If you were the CTO at Uber and saw this spike in traffic from some guy's hack, wouldn't you do the exact same?
I will drop 10 customers doing this so that 100 customers can use the service. I bet you'd be hard pressed to find someone who wouldn't. It's basic business.
Although, just banning a user is a little extreme, did they not ask for the project to be dropped, and themselves reset the tokens etc?
I can agree with you, I understand why I was banned and I can see it is a valid response to the situation.
I just want to make sure (if Uber have read this) that they understand why I did it and what caused the spike.
Well that is quite interesting. A service that - as far as I can tell - just got itself started by hacking the local travel business, blacklists a dev, who just hacks his way to "expose" their API?
Isn't Uber fighting hard to deregulate a market, after it entered it and turned it upside down - for better or worse?
Wasn't the Uber-CEO the absolute Ayn Rand disciple? [1]
I was not saying that he did the right thing. By all standards, he did not.
I just smiled when I read this and thought back about Uber and what their take on rules and regulations were/are when it comes to their business. I was really not advocating for DDoSing the service.
It does seem the more rational response would be to rate-limit him (and by him I mean everyone) down to once every 30 seconds or so rather than panic and ban him forever. I once wrote a script to analyze queries of one of the major search engines. As long as I only sent a request every 2 seconds, it was not a problem. Once I crossed that threshold, within a minute, kaboom.
By the time I did that I had more than enough data for my nefarious (actually mostly innocuous) purposes at the time and just wanted to see when I'd get crushed.
That's why I don't understand why Will Evans writes: " I'd love to apologize to Uber [...], but on the other hand I understand why they banned me."
I see no reason why he should apologize, nor why he appreciates that Uber banned him. He only wrote code to interpret the data Uber is sending and even made it open source (the latter makes it publicly accessible research, which I support even more). If Uber does not want others to interpret their data they should not provide any service that sends it (and if Uber's business model requires such a service/app: bad luck for Uber).
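The rate-limit-instead-of-ban response suggested a few comments up (one request every 30 seconds or so) can be sketched as a per-client token bucket. This is an added example, not Uber's code or anything from the thread; the client ids, the 600-requests-in-1.2-seconds burst and the rider's timestamps are constructed to mirror the numbers discussed above.

```python
"""Per-client token-bucket limiter: throttle a noisy client instead of banning it.
Added illustration; client ids and request timestamps below are constructed."""
import time
from collections import defaultdict
from typing import Optional


class IntervalLimiter:
    """Allow `burst` requests per client, refilling one token every `interval` s."""

    def __init__(self, interval: float = 30.0, burst: int = 1):
        self.interval = interval
        self.burst = burst
        # client_id -> (tokens available, timestamp of last update)
        self._state = defaultdict(lambda: (float(burst), None))

    def allow(self, client_id: str, now: Optional[float] = None) -> bool:
        """Return True if the request may proceed, False if it should get a 429."""
        now = time.monotonic() if now is None else now
        tokens, last = self._state[client_id]
        if last is not None:
            # Refill proportionally to elapsed time, capped at the burst size.
            tokens = min(float(self.burst), tokens + (now - last) / self.interval)
        if tokens >= 1.0:
            self._state[client_id] = (tokens - 1.0, now)
            return True
        self._state[client_id] = (tokens, now)  # throttled, keep partial refill
        return False


def replay(limiter: IntervalLimiter, requests):
    """Replay (timestamp, client_id) pairs; return {client: (allowed, throttled)}."""
    counts = defaultdict(lambda: [0, 0])
    for ts, cid in sorted(requests):
        counts[cid][0 if limiter.allow(cid, ts) else 1] += 1
    return {cid: tuple(v) for cid, v in counts.items()}


# Constructed traffic: the hack polls 600 times in 1.2 s; a rider taps three times.
HACK_BURST = [(i * 0.002, "hack-app") for i in range(600)]
NORMAL_USER = [(0.0, "rider"), (45.0, "rider"), (100.0, "rider")]

if __name__ == "__main__":
    # The hack gets one request through and 599 throttled; the rider is untouched.
    print(replay(IntervalLimiter(interval=30.0, burst=1), HACK_BURST + NORMAL_USER))
```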
One man's research is another's DOS attack in this case, and is explicitly against Uber's TOS[0]: "You will not impair the proper operation of the network".
I created the hack to benefit others and to create and visualise some pretty cool data.
I know why Uber banned me, they probably don't want people knowing how to access their data. This is not a reason I approve of but I can see their reasoning.
The reason I'd like to apologise is because of the above, if they feel I have harmed their service (although I feel it was more beneficial to them in advertising it) then I'd apologise.
You don't need to come up with reasons they banned you; you agreed to those reasons when you signed up for Uber -- you quite clearly and willingly violated their terms of service and encouraged others to do so as well.
"You shall not [...] (iv) reverse engineer or access the Application in order to (a) design or build a competitive product or service, (b) design or build a product using similar ideas, features, functions or graphics of the Service or Application, or (c) copy any ideas, features, functions or graphics of the Service or Application, or (v) launch an automated program or script, including, but not limited to, web spiders, web crawlers, web robots, web ants, web indexers, bots, viruses or worms, or any program which may make multiple server requests per second, or unduly burdens or hinders the operation and/or performance of the Service or Application."
He might have violated Uber's terms of service. But on the other hand: I see no reason why you shouldn't despise a company that has such terms of service - even more if it's willing to apply these terms. Especially if it's a company that tries to be popular in hacker circles.
They should be talking to, or hiring people like you. Why be so uptight? Makes them kinda similar to the traditional cab companies who don't like people stepping on their turf.
I can't know, but I imagine you caused a lot of internal grief. Bosses would have been kicking off, blaming techies for it, one way or another. I imagine a couple of decision-making noses were well put out of joint, if not broken. Egos well bruised. Perhaps lots of Malcolm Tucker, if you know what I mean.
If you want your account back, or whatever, try writing a proper letter to the MD or something. Grovel like hell, and offer something helpful in return if you can.
I guess that's as good a lesson as any on "how to scale".
If your product works through remote requests to another site (which is already terribly slow with building up the connection), you absolutely want to do all of that in the backend and repackage the data for users of your site. Especially here, where everyone sees the same data.
Regarding prior notice et al.: "Private API" is a slight understatement IMO. Uber is running a $3.4bn business and their car data is a lot of what makes them valuable. I wouldn't blame them for automatically blacklisting accounts with unusual usage patterns just to be safe.
A shame. I was at this hackathon and witnessed this pair working on the hack; very driven and talented hackers. This sort of activity should be encouraged from such young talent, not punished.
This seems solvable because there are a limited set of identifiers they could use to ban you.
- they may have banned your device, so I'd try using a different hardware to register
- Use an entirely different credit card. The "name" that gets entered in a credit card form is useless, so I wouldn't put in a real name either. I'd consider using another billing address too (same zip same house number, but different street)
- they may have banned your IP, so don't connect your phone to a wifi network when signing up or using your first few cabs.