Uber sues third party while trying to repair damage caused by their own failings.
At this point the identity of the hacker is irrelevant. The data is in the wild, Uber is exposed as incompetent (again). But hey, anyone want to invest another billion at a 40 billion valuation? This company is going places.
This is different from someone stealing a stereo. This is like taping the security code for your front door onto the door and then being mad at the manufacturer of the door's lock. You want the manufacturer to give any information about the person who broke into your house.
The manufacturer digitally stores the fingerprints of anyone who uses the lock. You want the manufacturer to give you a copy of the fingerprints to help you identify the person who broke into your house.
> ...and then your [sic] mad at the manufacturer of the door's lock.
No, Uber is fishing for data they don't need. They have an IP address of the intruder. Instead of demanding all the access logs for a months-long period, why not compel Github to answer the question "Did this IP address access the Gist in question? If so, what are the timestamps?"
Instead, Uber wants all of GitHub's access log data for the gist in question, which sounds like more incompetence and desperation on Uber's part.
Or they believe the attacker likely accessed the information in the gist from several IP addresses; they want more trails to follow if the one bit of data (we are aware of) that they have proves cold. It's a sensible reason to subpoena, and it's also a fishing expedition so it's sensible for Github to not hand the data over without a court order.
Incompetence, desperation, and a great way to shift some blame onto GitHub, in the eyes of people who know absolutely nothing about how this stuff works.
Which could be the audience they're most concerned about.
The victim here is not Uber, but the Uber drivers whose data was lost. Uber is partly guilty here, because of their negligence.
Your analogy is wrong. It's more like asking someone to protect the key of your locked door. And they make copies and leave them in random places with the address attached.
The entity responsible is being punished. They're paying for identity protection for a year and taking yet another public image hit. The hacker? Whoever it was did society a favor by exposing yet another careless company giving away your data because they don't value security.
I partly agree with parfe in principle. Uber is as responsible for this breach with their carelessness as the person who exposed it. That does not change the fact that there were 50,000 victims in the disclosure.
Protip: It's not illegal to throw out IP address data, as there are no mandatory retention laws in the United States. Then if you get a John Doe subpoena, you have no useful information to supply.
Neocities currently scrambles stored IP addresses with scrypt, and (soon) after 30 days, we intend to delete those IP hashes. It's legal. Consider doing it.
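The retention scheme described above, as an added illustration that is not Neocities' own code: access logs keep only a peppered scrypt hash of each IP plus a timestamp, entries older than 30 days are purged, and the logs can still answer the narrow question "did this specific IP access the resource, and when?" without holding plaintext addresses. The pepper value, timestamps and IP addresses are constructed placeholders.

```python
import datetime as dt
import hashlib
import hmac

RETENTION_DAYS = 30
# Placeholder secret kept outside the log store. Without a secret pepper the
# whole IPv4 space (2^32 values) can be hashed and matched, so a bare hash of
# an IP address is not anonymisation; the pepper is what makes it one-way.
SECRET_PEPPER = b"placeholder-pepper-stored-separately-from-logs"


def scramble_ip(ip: str, pepper: bytes = SECRET_PEPPER) -> str:
    """Return a hex scrypt digest of the IP, keyed with the secret pepper."""
    digest = hashlib.scrypt(ip.encode(), salt=pepper, n=2**14, r=8, p=1, dklen=32)
    return digest.hex()


def record_access(log: list, ip: str, when: dt.datetime) -> None:
    """Append one access entry; the plaintext IP is never stored."""
    log.append({"ip_hash": scramble_ip(ip), "ts": when})


def purge_expired(log: list, now: dt.datetime, retention_days: int = RETENTION_DAYS) -> list:
    """Drop entries older than the retention window (data that no longer exists
    cannot be produced in response to a later subpoena)."""
    cutoff = now - dt.timedelta(days=retention_days)
    return [entry for entry in log if entry["ts"] >= cutoff]


def lookup_ip(log: list, ip: str) -> list:
    """Answer the narrow question 'did this IP access the resource, and when?'
    by hashing the candidate IP the same way and comparing digests."""
    candidate = scramble_ip(ip)
    return [e["ts"] for e in log if hmac.compare_digest(e["ip_hash"], candidate)]


def build_sample_log():
    """Constructed sample: three hits on one secret gist, one of them 40 days old."""
    now = dt.datetime(2015, 3, 1, 12, 0, 0)
    log = []
    record_access(log, "203.0.113.7", now - dt.timedelta(days=40))
    record_access(log, "203.0.113.7", now - dt.timedelta(days=2))
    record_access(log, "198.51.100.9", now - dt.timedelta(days=1))
    return now, log
```

Only the party holding the pepper can run `lookup_ip`, so a dump of the stored hashes alone does not reveal who visited.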
Nitpick: the title implies that Uber is suing Github, but that's not the case. Uber has a civil suit pending in N.D. Cal., and has issued Uber a third-party subpoena: http://regmedia.co.uk/2015/02/28/ubergithubexhibit.pdf. Such subpoenas are used when a third party might have information relevant to a pending lawsuit. They do not imply any allegations of wrongdoing against the third party.
Peter Sagal on NPR's "Wait Wait...Don't Tell Me!" had a good one liner something along the lines of Uber heard Google's "Don't be evil" motto and thought "They are leaving an open market niche for us!".
Haha, that's excellent as well! I think I'll just note both of them in my quotes file.
BTW. After watching all episodes of John Oliver's "Last Week Tonight" I'm looking for interesting shows. Is that podcast worth listening to? Anything else you'd recommend?
Not the OP, but I pretty regularly listen to Wait Wait; it's always pretty humorous and sadly it keeps me up on current events. I also listen to Marc Maron's WTF podcast and Star Talk Radio with Neil deGrasse Tyson. Different strokes for different folks though.
So how is the IP address of someone that has viewed or crawled said secret Gist relevant anyway? Someone crawling a website is not probable cause (even if there is a single IP address which can be traced to a specific machine, which is highly unlikely).
Secret gists are not published publicly, and thus are not crawled. You would need to have a direct link to the gist to have accessed it. Having the link either means you had access to it as an internal employee, it was shared by an internal employee, or an internal employee's system or email was accessed by someone else.
Or it could have been linked somewhere public? It's far-fetched to think that you'd be able to prove that someone seeing this gist is malicious. Github clearly states: "Warning: Secret gists aren't private."
Asking for every IP address that accessed a public gist seems like a bit of an overreach to me. Github should also have the responsibility to protect its lawful users' data.
It seems reasonable though to request some user data for a specific IP address that Uber suspects as being the invader (depending on how strong the evidence is).
When these types of things happen, I notice a strong "blame the victim" mentality. When Sony was hacked, I saw similar comments about how it serves them right for having bad security. Some people even go as far as to praise the hacker and think they shouldn’t be held accountable for their crime. After all, if Uber didn’t want this, they wouldn’t have made themselves so vulnerable to penetration.
While I agree companies like Uber and Sony need to invest more time and energy into security, real people are hurt when these types of things happen. It isn’t the executive-level “fat cats” who are hurt the most. It is normal, everyday people. They did not ask for their personal information to be stolen. Their only crime was working for a company with poor information security.
Furthermore, the fact Uber issued a subpoena for information from Github does not make Uber the bad guy for requesting the information and Github the good guy for withholding the information. A crime was committed and this is part of the investigation. The information requested by Uber is not unreasonable. They are basically requesting log files for that specific Gist.
Channeling my inner Matthew McConaughey from A Time to Kill, imagine this happening to an organization that is more likeable than Uber or Sony (shouldn’t be that hard). What if this happened to an organization responsible for helping rape victims and this person leaked the private information of rape victims to the Internet? Would people be so willing to support the criminal? Would people be so eager to praise Github for not cooperating?
Just because Uber is a horrible, unethical company does not mean it isn’t protected under the law. We shouldn’t condone crime just because we don’t like the victims.
Would there be any consequence for Github themselves if they no longer had this data (for example in the hypothetical case that they only store access logs for 30 days)?
No. You can't provide what you don't have, and you are not obliged to save more than you are obliged by law. I'm not aware that Github has to save anything in the first place.
Didn't some court rule that IP addresses are not people? So they get these IPs and sue them just like the MPAA/RIAA failed to do? I guess maybe some have usernames...?
Also super shady they don't bother to explain why it took them almost 5 months after they discovered it to notify anyone.
Uber ignores security breach for half a year.