by parfe 4133 days ago
Uber publishes secret key.

Uber ignores security breach for half a year.

Uber sues third party while trying to repair damage caused by their own failings.

At this point the identity of the hacker is irrelevant. The data is in the wild, Uber is exposed as incompetent (again). But hey, anyone want to invest another billion at a 40 billion valuation? This company is going places.

2 comments

To be clear, GitHub is not being sued. GitHub is being served a subpoena. Big difference.

The third party being sued is the (as yet unidentified) person who used the key to obtain & leak the data.

I for one am just glad to see that GitHub refused to turn the data over without a subpoena.

> At this point the identity of the hacker is irrelevant

No. Even if I leave my door unlocked, someone who comes in and steals my stereo should still be punished.

This is different than someone stealing a stereo. This is you tape the security code for your front door onto the door and then your mad at the manufacturer of the door's lock. You want the manufacturer to give any information about the person who broke into your house.
The manufacturer digitally stores the fingerprints of anyone who uses the lock. You want the manufacturer to give you a copy of the fingerprints to help you identify the person who broke into your house.

> ...and then your [sic] mad at the manufacturer of the door's lock.

There is no evidence that Uber is mad at GitHub.

No, Uber is fishing for data they don't need. They have an IP address of the intruder. Instead of demanding all the access logs for a months-long period, why not compel GitHub to answer the question "Did this IP address access the Gist in question? If so, what are the timestamps?"

Instead Uber wants all GitHub's access log data for the gist in question, which sounds like more incompetence and desperation on Uber's part.

Or they believe the attacker likely accessed the information in the gist from several IP addresses; they want more trails to follow if the one bit of data (we are aware of) that they have proves cold. It's a sensible reason to subpoena, and it's also a fishing expedition so it's sensible for GitHub to not hand the data over without a court order.

Which is why we have courts.

Incompetence, desperation, and a great way to shift some blame onto GitHub, in the eyes of people who know absolutely nothing about how this stuff works.

Which could be the audience they're most concerned about.

Are any of the people who know absolutely nothing about how this stuff works following the story on The Register? Would anybody even know if The Register hadn't decided to make a story out of it? Doesn't seem like a particularly effective blame shifting strategy to me.

The victim here is not Uber, but the Uber drivers whose data was lost. Uber is partly guilty here, because of their negligence.

Your analogy is wrong. It's more like asking someone to protect the key of your locked door. And they make copies and leave them in random places with the address attached.

The entity responsible is being punished. They're paying for identity protection for a year and taking yet another public image hit. The hacker? Whoever it was did society a favor by exposing yet another careless company giving away your data because they don't value security.

I partly agree with parfe in principle. Uber is as responsible for this breach with their carelessness as the person who exposed it. That does not change the fact that there were 50,000 victims in the disclosure.