605 comments

[ 2.9 ms ] story [ 330 ms ] thread
I am amazed at the things Uber gets through and is still standing after...
Money.
how does this stop being the case? money > all else.
Start communities that use solar/wind energy, grow their own food (maybe using this in urban areas: https://www.media.mit.edu/groups/open-agriculture-openag/ove...), use WiFi mesh networking, maybe launch their own satellites (for inter-community links: https://newatlas.com/tubesat-personal-satellite/22211/), build their own things with multi-material 3D printers (maybe even print semiconductor components, who knows...) and employ barter rather than artificially scarce magical paper or e-coins. Also, employ "DIY Bio" in ethical life enhancing way, open production (open source everything etc) The technology and paradigms exist today or will fully exist soon.
Laws & strong enforcement, with an informed population.

While money gives power, the concern is that it's concentrated in a small number of people. Voting is not, and can result in controls of essentially any level.

Their investors are too big to fail (to recoup their investments by IPO offloading to the sucker public).
Never underestimate the power of marketing. My mother for instance would use Uber over any ride-sharing system due to its insane exposure and the fact that these stories remain relatively unheard of in comparison.
My family and friends outside the tech industry have almost no clue about nearly all these scandals - especially the data breaches and the former CEO's indiscretions. About the only thing they hear is that some Uber drivers have assaulted passengers in the past, but they write that off against the fact that a lot of Taxi drivers have done the same in the past.

It is a telling example that the pain point of a bad taxi service in a city is usually enough for them to conformance rationalise that Uber is still a better alternative, despite any of these issues.

She used uber because the service is fantastic.
It's already way more common to use "Uber" as a verb, or even a noun, that doesn't necessarily even mean Uber the company itself.

People have asked me before if I'm about "to uber" or "take an uber" someplace and they say it in an obvious way that implies "any ridesharing company" (or lyft in my case since most people know I only lyft nowadays).

Uber just as a word for ride-sharing has become ingrained and won't be easy to get rid of, IMO.

At this rate, Uber may be the first company to have a generic name and go out of business so soon afterward.
Same as `googling` will long remain the synonym for `searching the internet`.
> Same as `googling` will long remain the synonym for `searching the internet`.

That's more due to the ubiquity and dominance of Google itself.

It's rare to hear someone say "I Googled it on Bing" or even "Let me Google my email" when they're using Outlook. Maybe not unheard-of, but definitely nowhere near the threshold needed for genericization.

>It's rare to hear someone say "I Googled it on Bing" //

True AFAIK but if you ever give computer support you'll find people "just google it" and use the greeting page on their browser [aka "the internet"] which is just as often Bing or Yahoo as it is Google. Google, the verb, is definitely generic but the RTM holders of Google have several hundred million of $currency to spend on lawyers to say it isn't.

In contract, saying to "get a lyft" can be confusing, if not meaningless.
It’s weird, I’ve been using Lyft as my only ride-sharing service for almost a year, but still catch myself saying “I’ll Uber over there in a bit” all the time. It’s definitely because saying “I’ll get a Lyft” is indistinguishable from “I’ll get a lift” and I was to disambiguate that I’m talking about a ride-sharing service, but I wonder how many other people do this and if (in several years at least) their trademark is in danger.
(comment deleted)
> Uber said it will provide drivers whose licenses were compromised with free credit protection monitoring and identity theft protection.

This happened more than a year ago, and only now that they're planning on offering identity theft protection? That's ridiculous.

Obviously because only now it's come to the public's attention.
> Uber said it will provide drivers whose licenses were compromised with free credit protection monitoring and identity theft protection.

"Sorry we left uranium in your house a year ago and didn't bother telling you. Here's a coupon for free cancer screenings."

Ever since Susan Fowler told her story about what happened to her at Uber, I have only used Lyft, and have encouraged all my friends to do the same.

I plan to never use Uber again.

(comment deleted)
When I deactivated my account it was a huge pain, I had to reply to 2 emails, and in the end it took 5 days to complete. That alone annoyed me enough to never go back.
The current deletion process is smooth and can be completed in-app.
From the experience of two of my friends in the past month, they had that in-app system "error" and had to do the same emails and 5-day level delay.
Why bother? I just deleted the app and forgot about it. Is there something I should know?
IIRC you can't remove all payment methods from the app, so just deleting the app will leave your credit card information in their hands. Also all your previous ride data will still be on their servers. Both of these things could be lost in a data breach, and presumably account deletion deletes this data.
Deleting your account at Uber doesn't delete ride info[0]

In a lot of cases companies still leave behind an email stub to prevent users signing up over and over again for signup deals

The only way to ensure your data is safe is to never hand it over in the first place - signup with a fake name, prepaid card, etc.

[0] https://help.uber.com/h/24010fe7-7a67-4ee5-9938-c734000b144a

I didn't see any mention of ride info in that link, maybe the text has changed since you posted it.

It is frustrating that the page doesn't enumerate what information is deleted and what's retained.

In the EU, data protection rules mean they must delete all user data on request.

That means every day I'm a new customer and get $20 off my first ride of $22. One day, they'll wise up and stop making such silly deals.

> In the EU, data protection rules mean they must delete all user data on request. That means every day I'm a new customer and get $20 off my first ride of $22. One day, they'll wise up and stop making such silly deals.

The behavior described here is extremely selfish and amoral. It amounts to gaming the system. Additionally, the cost of exploiting a loophole such as this will be passed on to other customers before the company stops offering a losing deal. Those customers will not be reimbursed when the offer is rescinded.

The antisocial behavior of the company would not excuse the antisocial behavior of a user acting in this way.

I _really_ hope they let braintree handle that and don't touch PANs. If they do store PANs, presumably they'd be audited and hopefully would store them more securely. But hey, I guess you never know and less exposure is always better.
You may or may not want to remove your information, especially if you change phones. Someone getting your phone number could charge rides to your account if you don't unlink your credit card information.

It's also good hygiene to delete accounts. I don't typically do it, but when a company offers an easy delete button, I won't refuse.

Wasn't like that when Uber let my account get hacked and 1k was stolen from me. When that happened I went searching for answers and found UBer blaming it's users for their lack of security. Further I immediately wanted to cancel my account .. chop off it's head/the source but had to wait days for Uber to delete my account.

They are worst then Comcast and sorry need burn through all their VC money til they are ashes! Loathe Uber so much!

Same here. That and that video from the driver that bought a black car to drive it for Uber and ended up in massive debt.
(comment deleted)
You'll find that thinking like that will only lead to misery at worst and hypocrisy at best. For example, if you live in the United States (though this logic applies to any country, really), you'll be interested to know that the US holds the world record for the amount innocent civilians killed [1].

[1] https://www.globalresearch.ca/u-s-holds-the-world-record-of-...

EDIT: I realize I sound far more judge-y than intended in these posts. My overall point is that people should just do whatever makes 'em happy while doing the best you can (w.r.t. everything else). Trying to emphasize the morality in your actions is just wrong, imo.

Don’t let hypocrisy stop you from doing the right thing. Sometimes you need to climb one tree to cut down another.[1] That’s ok.

[1] tbh I don’t think you do, but I like the analogy so I’m keeping it.

I disagree. One needs to be consistent in their actions, otherwise, what's the point? Two wrongs don't make a right, after all.

EDIT: Er, I agree that hypocrisy shouldn't stop you from doing the right thing.

Consistency is absolutely impossible, as you already alluded to. It’s not a bad move to assess the current position, accept it for what it is, and improve it bit by bit. Pick your battles.

Two wrongs don’t make a right when you try to sum them, I.e. combine them. My point is: don’t compare them at all. Don’t change the subject. Uber is one, other things are another. Being a hypocrite doesn’t make you wrong, it just makes you a hypocrite. Don’t even pull in the other wrong to begin with.

Otherwise, how do you ever justify standing up for anything you believe in? I was born a hypocrite, surely a life of mute acquiescence can’t be my destiny?

My overall point is that people don't actually care. It's just virtue signaling. If people cared they'd have consistency in their actions. For example, you probably are very consistent in the fact that you probably will never cause physical harm to someone.

Consistency isn't impossible at all. People are already very consistent in doing what simply is convenient for them. In the case of Uber vs. Lyft, if you live in an area where they're priced similarly and are of similar service it's easy to switch to one or the other under the guise of trying to do the right thing, or whatever.

Not using Uber hardly requires any effort. What, ten seconds to uninstall an app and install the alternative one?

> My overall point is that people don't actually care. It's just virtue signaling.

That's just, like, your opinion, man.

I care up to certain thresholds. Last year my Uber use was probably 90%, Lyft 10%. Now that's flipped. I only use Uber if I'm outside the US and there's no comparable local alternative.

Uber is demonstrably making less money than it used to because I do this, and Lyft is making more. I'm personally happy with that arrangement, and honestly my feelings here are the only ones that matter. I don't particularly care if you think I'm just "virtue signaling" or if I'm "not doing enough" or whatever.

(comment deleted)
Hey, just wanted to let you know (not that you care), that you're 100% right. My original post, and subsequent responses were based on a false equivalency.

Dunno what I was thinking, I was totally in the wrong. Apologies if any offense was taken.

> people don't actually care. It's just virtue signaling.

"Virtue signaling" is an annoying, low-effort way of dismissing something. Try harder. You haven't even provided any evidence. Here's an alternative proposal: People like doing things that they believe will make the world a better place, within their money/time/inconvenience budget, in ways that are limited by their attention. They're human - they have limited attention, limited capacity for simultaneously optimizing hundreds of metrics, and many competing demands that they're trying to satisfy, so they're not going to be perfectly consistent.

No, one person uninstalling Uber is not a massive blow against evil. But many people uninstalling it has been enough to send a pretty powerful signal that -- in conjunction with a lot of concurrent social and legal factors -- is causing Uber to do a pretty solid about-face.

(And it's not seconds, because depending on where you are, Uber may have many more drivers than Lyft -- people travel, after all, so even if Lyft is equal in your home market, it's not equal everywhere. You're also losing the prospect of alternating apps when one or the other is in surge pricing. If you're a heavy user of ride-sharing services, uninstalling Uber imposes both a time and monetary cost.)

Kudos to the GP and others for uninstalling Uber. And for every other step they've taken to try to improve the world by their own actions.

Dans ses écrits, un sage Italien Dit que le mieux est l'ennemi du bien.

(In his writings, a wise Italian says that the better is the enemy of good.)

    -- Voltaire
Don't let the pursuit of perfection stop you from doing anything that matters.
Though I appreciate your post, it only further emphasizes my original point. You, apparently a professor at CMU, praise folks for merely uninstalling an app. Something you only knew because they bothered to post it on an internet board. This further reinforces that people should post that they're doing such virtuous things to begin with. Why, because they want to increase social standing among people in a given area, that is computer science, to which you already have a high standing in, given that you're a CS professor at CMU.

So yes, it is virtue signalling, pretty much by definition -- "the action or practice of publicly expressing opinions or sentiments intended to demonstrate one's good character or the moral correctness of one's position on a particular issue." That being said, I don't think virtue signalling is bad. In fact, it's virtue signalling that has led to the pressure on Uber that brought about this very discussion.

---

As an aside, I didn't realize "virtue signalling" was such a bad word, as well as "hypocrisy." I guess I'll have to stop using those words.

Let me quote from your original comment:

> people don't actually care. It's just virtue signaling.

You're making claims about their underlying motivation, and dismissing their actions as just virtue signaling.

"They're not doing A, they're only doing B"

Showing the presence of B is not sufficient to demonstrate the absence of A.

Second, you haven't actually shown that they're virtue signaling. Note that your definition specifically includes intent: "publicly expressing opinions or sentiments intended to demonstrate one's good character" -- the OP could be expressing their sentiments publicly in order to induce others to follow suit, for example. The same post admits many possible explanations, and you are in no position to read the mind of the posters in order to divine their intent. You're making assumptions, but you again haven't presented any evidence to suggest that your hypothesis is better than any others.

Hmmm, lots of good points here.

> You're making claims about their underlying motivation, and dismissing their actions as just virtue signaling.

This is true.

> Showing the presence of B is not sufficient to demonstrate the absence of A.

This is also true.

> Second, you haven't actually shown that they're virtue signaling. Note that your definition specifically includes intent: "publicly expressing opinions or sentiments intended to demonstrate one's good character" -- the OP could be expressing their sentiments publicly in order to induce others to follow suit, for example. The same post admits many possible explanations, and you are in no position to read the mind of the posters in order to divine their intent. You're making assumptions, but you again haven't presented any evidence to suggest that your hypothesis is better than any others.

Indeed, though, with respect to this there's no evidence -- save the person themselves stating that's what they intended -- that I could present that would be sufficient.

Overall I regret my original post and the ensuing posts, since ironically, my original intent was far less aggressive than is implied by the responses.

Oh well, live and learn.

You have my respect.

Your profile says "Contact me" but there's no contact info.

(It also says: “if you're going to claim something, please cite!” :) )

Thanks for engaging in good faith. The internet could use more of that.
It’s just not possible to be perfectly consistent in all your actions, we’re all hypocrites somewhere if you consider all down to the root. We probably all hate forced child labor, yet we all own smartphones, all of them most likely built with resources mined by children under grueling conditions. (This text Is typed on one) Still, don’t let that stop from doing the right thing once in a while. If we all did the right thing most of the time, we’d still be hypocrites, but the world would probably be a better place.
> We probably all hate forced child labor

A false premise. If that were true, just like you stated, we wouldn't support it. Actions speak louder than words, and all that.

EDIT: I realize I sound far more judge-y than intended in these posts. My overall point is that people should just do whatever makes 'em happy while doing the best you can (w.r.t. everything else). Trying to emphasize the morality in your actions is just wrong, imo.

It’s not a false premise. It’s just not humanly possible to change everything you don’t support. We can’t move all back to self-dug caves and till the land with our bare hands. You need to pick your battles.
It's not about changing things you support, it's just about consistency in your actions.

Taking the child labor thing into account, never being brand new electronics again would pretty much take care of that. One could make an argument that buying used goods is still supporting child labor, but I'd argue it's a sunk cost.

> brand new electronics

Why choose this example? Child labour is rife in many sectors, particularly textiles.

It's also rampant in electronics recycling[0]. So even if you never buy any new electronics, you're complicit when you dispose of your old electronics.

The point is you shouldn't allow an impossible quest for perfect ideological consistency and moral purity to prevent you from doing good on a imperfect, inconsistent scale.

[0] http://pulitzercenter.org/reporting/india-rising-tide-e-wast...

Oh I completely agree.
> Two wrongs don't make a right, after all.

That saying... doesn't even apply here.

Being consistent in all you do is hard. Doing 5 "bad" things instead of 10 "bad" things is certainly better.

the two wrongs in this case are the supposed wrong you did originally, and then the "wrong" of hypocrisy.

I agree with your overall point, though.

> tbh I don’t think you do

I've actually had to climb one tree to cut down another.

We can vote for people who don't want the US to kill civilians while not using Uber. I don't see the conflict here.
The point is that if you know that the US kills civilians yet you stay in the US, giving them money through tax, the majority of which is used to fund the very same military that kills civilians, yet claim to do the right thing, that's hypocritical, no?

In any case, you're right. There is no conflict. Just hypocrisy.

EDIT: I realize I sound far more judge-y than intended in these posts. My overall point is that people should just do whatever makes 'em happy while doing the best you can (w.r.t. everything else). Trying to emphasize the morality in your actions is just wrong, imo.

So one should absolve themselves of any way they could stop it in a peaceful and legal manner?
No no. My point probably just wasn't properly conveyed. In the original post I replied to the person the person encouraged their friends to use Lyft after hearing about the terrible things over at Uber.

Presumably they want friends to switch over as to not support an organization they disagree with, but my point was that doing so is pretty much impossible to begin with. If the goal is to not support organizations that do things you disagree with it's futile.

Therefore, one should just decide arbitrarily. It really doesn't matter.

Taking money away from a bad company helps stop that company from doing bad. Similarly, voting for a politician who will try not to kill civilians helps prevent civilians from being killed. Both of these are correct actions to take. Moving out of the country is comparatively less effective, and continuing to give money to the bad company is not effective at all.
I agree with you in general, but unfortunately things are never that simple. Most companies do good too, otherwise they wouldn't exist.
"things are never that simple" says the guy who is implying that you shouldn't think about whether a company is moral/not if you live in a country that does horrible things?
Heh, yeah I'll admit the original post and the subsequent responses were pretty dumb. Can't change the past (no really, I couldn't edit it even if I wanted).
>giving them money through tax

This number doesn't account for countless millions, if not the majority of Americans who drain more from the government in the form of services, subsidies, and assistance than they pay in taxes (and I'm not suggesting this is necessarily a bad thing).

Why should I tidy my room when we don't have world peace?

It's a ridiculous comparison. Leaving the country is a lot more difficult than changing ride share apps. It's not hypocritical to take the low-hanging ethical fruit, even if you don't do the harder stuff. In any case, living in a country doesn't imply that you support everything its government does. If anything, the ethical course of action is to stay and try to change things.

If you're not willing to restructure your entire life to the point of renouncing citizenship of the country you were born into then you shouldn't ever make any choices based on moral principles whatsoever? uh.. what??

https://yourlogicalfallacyis.com/black-or-white

I also do this where possible, but Lyft doesn't operate outside the US. I wish they would launch in the UK, at least.
Only reason I use them is because of Uber Green, otherwise I use Cabify and tell everyone to do the same.
Uber employee chiming in - while I entirely sympathize with HN's frustrations around our ethics and can't really justify our actions around this data breach, it is very much worth noting that Lyft would not exist were it not for Uber's extremely aggressive practices. There were/are far too many protectionist policies at play at most locales that -- not out of pure coincidence -- needed a company as aggressive as Uber to pave the path for a better option for both riders and drivers (over existing taxis).

We fought all the battles, took a hit on our reputation and set it up nicely for Lyft who very smartly played along with the nice guy approach to capitalize. Net-net, no Uber would have most likely meant existing taxis everywhere and as most riders/drivers will tell you, there is nothing inherently better about either app, they offer the same, pay the same but vastly differ in perception.

That said, we took our aggressive attitude way too far. In an ideal world, Travis would have evolved or replaced himself a couple of years back once the company essentially reached escape velocity where our consumers themselves became our most fervent supporters. Unfortunately that did not play out and making a near perfect switch like that is probably unlikely.

Given this important context, I hope you will give Uber another chance as in the end, Dara and the employees are genuinely trying to evolve by doing the right things and putting all of this behind us. You can get some sense of this from going to sites like reddit.com/r/uberdrivers (or r/lyft) and seeing the changing perception at least from the driver side of things.

(comment deleted)
(comment deleted)
Are you saying the end justify the means? The problem is that over and over and over we see companies breaking the rules, reaping massive rewards as a result of unethical practices, saying "sorry" and then carrying on with no real consequences. It sets a horrible precedent and unless people start being punished instead of rewarded(!!!) for their actions nothing will change.
I don't buy your view of what transpired. "In an ideal world", "making a near perfect switch like that is probably unlikely", "took a hit on our reputation", etc. None of these truly recognize the actual weight of what Uber has done as an organization.
I disagree that Lyft would not exist; Lyft invented the UberX category. Originally Kalanick complained about Lyft's creative interpretation of the law, before succumbing to internal employee pressure to introduce a competitor. Years after its introduction, Kalanick admitted that he didn't believe in UberX until it demonstrated its success.

That said, almost all of the notable legislative and regulatory battles were conducted and won by Uber.

The wrongful actions by companies do get forgiven eventually, as toxic executives leave (as in the case of the CEO, Legal Officer, and now the CSO), but no public is foolish enough to immediately absolve any company of wrongdoing. Uber will have a reputation for sexual harassment long after it meets or exceeds the standards of other large companies.

> Lyft invented the UberX category

In fact, there was a company called SideCar[1] who popularized the idea of ridesharing before Uber and Lyft. There was a time, maybe 2013 or 2014 when I exclusively used Sidecar until Uber became more prominent. Uber was only offering their high end cars at that time.

[1] https://en.wikipedia.org/wiki/Sidecar_(company)

You've got your history wrong. Lyft actually launched their ride sharing service before UberX. So don't take credit for Lyft's existence.
Sorry, no.

It's not like Uber did one bad thing. Uber has been a fountain of terrible things for years and years. You even admit that Uber's market-dominant position has been been achieved through those terrible things. And those are only the terrible things that we've discovered despite Uber's energetic attempts to cover things up. Lord knows what horrors you're still hiding.

Until Uber loses their ill-gotten lead, I won't even consider using them.

I drove for Lyft and Uber during that era, and I promise you lyft was doing just as much to fight those protectionist policies, they were doing it with a lighter touch. In many places they were making headway, and then Uber's asshole tactics wound up turning it into a two-steps-back situation (getting ridership access to San Diego Airport e.g.)
Good, it's important to judge a company of 10k people on one person's story. That's usually a great strategy.

I'm not defending uber, but this kind of attitude is exactly what got Trump elected. You can't generalize and demonize entities based on one person's view.

You might have a point if this was a different company, but look at the context - it's Uber. Probably one of the outright most scummiest companies out there.
> this kind of attitude is exactly what got Trump elected

Not really seeing the connection here

And I'd encourage any hiring manager to ask some pointed questions of anybody who has Uber on their resume. Maybe they're a good or naive person who just happened to end up in a bad place. But maybe they're willing to turn a blind eye to discrimination, harassment, or lawbreaking.
Uber is one of the fastest growing companies in the world, and it did an enormous amount of good in challenging laws prohibiting voluntary exchange and in expanding transportation options (which had benefits that included reducing DUI), while making many serious mistakes. I don't think it can be characterized as a "bad place", and I don't think many hiring managers will consider having experience at Uber a black mark. Quite the opposite.
lol
lol
L O L
Can you guys not do this, please? HN isn't Reddit.

We try to maintain some semblance of effort and thoughtfulness into posting here.

"In January 2016, the New York attorney general fined Uber $20,000 for failing to promptly disclose an earlier data breach in 2014."

Because you know...20k really really hurts for a company like Uber.

This would have been interesting if GDPR was applied.

https://www.gdpr.associates/data-breach-penalties/

"There will be two levels of fines based on the GDPR. The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher. The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher.

The Parliament had requested for fines to reach €100 million or 5% of the company’s global annual turnover. The agreed fines are the compromise that was reached."

> The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher.

Why do big firms get off easier than the smaller firms?

That's not necessarily the case. Consider two firms one that has $1 billion in revenue and one that has $100 million in revenue. You'd argue that the bigger firm is getting off easier with a $20 million fine vs the smaller firm's $10 million because the fine is 2% instead of 10%.

OTOH, consider that the bigger firm is made up of a collection of 10 services, each earning $100 million. The breach is only in one business unit - is the global revenue a fair metric if the breach is not global?

It will be interesting to see how this is enforced against giant corporations when (inevitably) some small piece of data is missed on some small service in a business unit nobody at the c level has ever heard of.

The fines say “up to”. I don’t think a small mom n pop shop will get fined 10 million.
Something nice is also the fact that the people impacted by the breach must be told 72 hours max after the company is aware of the hack.
Even larger fines seem to draw weak behavior change. The U.S. corporate structure is remarkable in that sense. It shields employees (especially executives who often don't carry out orders) from criminal and financial responsibility for their actions.
This is not true. Back when JPM was being fined billions of dollars when the Southern District of NY was after them, they were quaking in their boots internally while at the same time redlining PR efforts to project external calmness.

Huge fines do exactly what they’re intended to do. JPM for instance responded by making legitimate operational changes to detect all manner of financial malfeasance within their organization.

I recall a story (that I'll probably recount incorrectly) about a daycare business deciding that too many parents were arriving late to pick up their children (meaning that staff had to stay late with the kids), so they instituted a fine for late pickups.

The result was that more parents were late. The reason being that the parents effectively considered the fine a "late pickup fee", and one they were more than willing to pay. If the parents were fined a day's daycare fee for being ten minutes late you can bet their attitude would change.

I see company fines in the same light - they formalise the process of absolving responsibility and moving on. Just pay the toll and continue to handle your customer data cavalierly.

>Just pay the toll

especially when the cost of doing the right thing is higher.

i mean look at HSBC - laundered trillions of dollars of mega-organized-crime money. for a decade. 400m dollar fine probably isnt even .01% of what they made off that endeavor

If HSBC was making profits of $4 trillion, they were also lying on their financial statements.
If ever you need evidence that people see really large numbers and lose perspective, look to this conversation and how many people completely glossed over the use of trillions instead of billions, a mistake so small it puts HSBC revenue in the realm of well developed nation states...
Apparently, when wielding numbers for outrage, the quantitative details are merely a trivial annoyance.
> laundered trillions of dollars of mega-organized-crime money

While I agree with your sentiment, there is no need to use such inflated and hilarious numbers.

Edit: Thanks for the corrections. I definitely messed up the magnitudes here. Was doing some other calculation on another topic and somehow I mixed them both. Sorry about that. Please disregard this comment as it it way off :(

While "trillions" is definitely inflated and hyperbole, I don't think it's THAT far off.

According to this The Guardian article [0] "At least $881m in drug trafficking money was laundered throughout the bank's accounts."

So 0.88 Tn. Definitely not "trillions" but definitely much more than I would've expected if they said "billions laundered".

Also, it says "at least", which I take it to say that the investigation was not complete so a final number couldn't be calculated and only a "lower" cap is given. Potentially it could still be "trillions" as in e.g. "1.3 trillions" (if that final figure is ever calculated or even published of course). So inflated, yes. Hilarious... not so sure.

[0] https://www.theguardian.com/business/2012/dec/11/hsbc-bank-u...

Isn't that 0.881 billion? They're still off by 3 orders of magnitude
(comment deleted)
(comment deleted)
And they say we need less regulation of corporate behavior.
Less regulation would be better than the system we have now - where large and connected corporations can buy get out of jail free cards.
Please tell me more about how even less regulation would have held Uber accountable.
It wouldn't. But I'd wager that Uber isn't going to be held accountable (or not very accountable) for this, so why not write the rules so that everyone gets to be as cavalier? It'd save a lot of companies the headaches that go along with I.T security.
Some drivers don't stop at stop signs.

Let's remove the stop signs so all drivers can be as cavalier.

It'd save a lot of drivers the headaches that go along with traffic laws.

I don't dispute your logic though I would prefer more traffic law enforcement.

But the uber situation would be closer to this - the parking meter costs $20/hr and a parking ticket costs $5. We're creating a situation where people who break the law get ahead of those who obey it. Either we can ramp up enforcement (good luck with that happening) or we can level the playing field.

I would prefer smarter drivers over more laws. Mandatory defensive driver education programs and stricter tests. Few people ever intend to break the laws that get them into accidents, so making sure they don't accidentally break them by being, smarter, more aware drivers would ideal.
Better example. Almost everyone performs rolling stops at stop signs. Even when people are ticketed they just pay it don't change their behavior. Why have the fine at all?
Because it’s basically free money for the departments the ticket money goes to
Well look at this case as an individual circumstance:

The US federal government decided 30 years ago that it was going to attempt to prevent some kinds of transactions from being part of the global economic growth. Kinds of transactions that were always here, and always willing to be part of the global economic growth.

It decided to use other people's money to attempt to enforce this blockade, at great expense, for perpetuity.

It does this by creating onerous reporting requirements for companies and individuals worldwide, and onerous and expensive procedures for the individuals that fail to merely file the correct paperwork.

All the while, massive multinational banks have been letting the well funded organizations continue moving their money through them and contributing to the global economic growth, while citizens are being fined and imprisoned for paperwork problems.

And your go-to thought was a satire on anyone suggesting less regulation, implying the same or more regulation would be a BETTER use of public resources?

World economic growth has always been fueled by money whose source you don't agree with. Using everyone's money in a government to merely PRETEND like it can prevent illicit sourced money from being used seems irresponsible and unconscionable, looking at the track record.

Is it really so uncomfortable to admit that multinational "cartels" (organizations of people under a common charter) are pretty good at fueling economic growth globally? Because thats how its always been

By this logic, we should encourage murder, since it's always been around and sudden, violent loss of life can create jobs.
Anti-money laundering laws don't pretend there is a victim, they attempt to discourage behavior by regulating an intermediary.

They also fail at it while ensnaring otherwise law abiding citizens in the dragnet.

So there is no logic to extrapolate to murders, where there is a victim from the activity of murdering.

AML via the Bank Secrecy Act, Patriot Act and other regulations was a swing and a miss, just looking at the evidence alone. Cash transactions over $10,000 were supposed to be reported, to stop terrorists, and the 1 BILLION of organized drug money that HSBC cleared is the equivalent of a dozen terrorists being financed per day, since 9/11.

Excepts its just people with a little extra cash that get jailed from these reporting laws.

HSBC did not make trillions from those transactions and they were fined $1.9bn in 2012.
Did you ask any families with a family member killed by a cartel if a fine seemed reasonable?
Why would you respond like this to someone putting forward plain facts.
Because it was in response to a post about how low the fines were:

"i mean look at HSBC - laundered trillions of dollars of mega-organized-crime money. for a decade. 400m dollar fine probably isnt even .01% of what they made off that endeavor"

$1.9b may sound like a lot, but there's a lot of blood attached to it.

Perhaps you should start reading this thread once more, starting with untog's daycare story. Then you might see why the financial facts are important.

It's not because any specific fine can ever be adequate compensation for all the suffering caused by the cartels. It's because you want the fine to be large enough to actually deter bad behavior in the future.

In this particular case I believe the fine (perhaps in combination with the threat of other regulatory action) has changed HSBC's behavior as there are many stories about erroneously frozen HSBC business accounts.

I just wonder if any number of deaths will ever change the behavior of the politicians who designed the disastrous war on drugs policies that have so utterly failed. I fear that won't happen as long as voters don't care about facts.

> laundered trillions of dollars

> 400m dollar fine

> isnt even .01% of what they made

...why even use numbers, a concept literally defined to quantify things, if you're just going to use utterly incorrect ones?

HSBC did not launder trillions of dollars over a decade, that figure is three orders of magnitude too high. HSBC is being fined $1.9B, not $400M.[1] HSBC also did not earn 19 trillion dollars over the course of a decade, which is what would make $1.9B your 0.01% figure. Even a $400M fine would still constitute earnings of $4 trillion.

Not only are your numbers incorrect factually speaking, their relationships with each other are entirely out of whack for measuring HSBC's profit, even in an absurd hypothetical scenario in which HSBC did launder trillions of dollars.

_________________________________________

1. https://www.bloomberg.com/news/articles/2013-07-02/hsbc-judg...

You are confusing profit, earnings, and the amount of money laundered, each of which is distinct and very different.

If you give me a million dollars in counterfeit bills, and I launder them for you, I might get paid only $10,000. My laundering efforts might have cost me $9,000. In this case my profits are $1,000 even though my earnings were $10,000 and I laundered $1,000,000.

I'm not saying that HSBC laundered 19 trillion, but the earnings and/or profits of HSBC have absolutely no relation to the potential amount they laundered.

Sure, but I think you’re missing the forest for the trees here.
> The reason being that the parents effectively considered the fine a "late pickup fee", and one they were more than willing to pay.

The real question in this story is this: If you find that you have customers who are willing to pay you more for providing more service ... why not provide that service? You get more money, your staff gets paid overtime, parents get peace of mind, everyone's happy.

I... don't really think that's the point of the story. Certainly not in any way that involves keeping this conversation on the topic of Uber being fined.
Because those more money may not be enough to pay for more people that would need to be hired? While existing stuff may be wiling to stay 30 minutes more occasionally, they might not like the idea of having even longer shifts all the time.
You can scale the price to find a point where it's economical to offer to stay open while maintaining good relations and if the demand is consistent and heavy then scale that price appropriately or, alternatively, simply refuse to service repeat offenders if it's becoming a serious headache.

It's a bit of a hard question because the daycare may not have a legal way to stop holding the child, unlike fedex they can't simply return it to sender, so these sorts of contingencies might not be expected on opening your center, but you'll need to scale into them.

They can always call child services, and have DCFS pick up the kid. I think that is what one of the local daycares by me does, after a certain cutoff time (i.e., they can't be expected to stay open all night).
(comment deleted)
I suspect the real reason in most cases is because daycare providers are often small companies, sometimes 1-2 people. At the pickup time you've been working 9-10 hours, and there's often cleaning to do afterwards. Making more money is nice, but committing to working 12 hours days five or more days a week in perpetuity is a tall order.
This is mentioned in Dan Ariely's Predictably Irrational.
It's in the book Freakonomics, when talking about economic, social, and moral incentives.

The day care changed what was a social incentive for an economic one, and then couldn't reverse the consequences: Not fining the parents anymore didn't reduce the number of late ones to previous levels.

I know about day care in Bay Area which is charging $20 per 5 minutes delay. I guess that's the reason:)
Wait until the EU GDPR kicks and in fines of up to 4% of annual turnover or 20 million kick in...
I suspect they don't even need to wait for that. EU watchdogs have serious teeth and take privacy seriously.
And the fine should always be bigger than whatever the company pocketed from the "crime" during that time.

I think it was AT&T or Verizon that got fined the "record" $3 million by the FTC for tracking users' browsing behaviors for like 2 or 3 years.

The FTC should have asked (subpoena I should say) the company for reports on how much money it made per user from that tracking for the whole period, and then charge it a multiples of that.

Did it make $1 billion? Charge it $2 or $3 billion.

And do this sort of stuff across industries with a regular occurrence, so that companies can "expect" such audits, and so they don't just think it's a one in a decade fine that maybe one company in the industry will get.

I think you'll see abusive behavior drastically reduce.

How does the EU calculate fines? And is there a reason we can’t just copy that?
The way you fix this is by making each 5m late cost 2 gallon of milk. If you are late for 15m that's 6 gallons of milk, an operational burden has been passed to the late parent. It's embarrassing to bring in 6 gallons of milk, an inconvenience to buy and deliver it, and an effective deterrent.
> If the parents were fined a day's daycare fee for being ten minutes late you can bet their attitude would change.

I think upping the pain works better. What's a daycare going to do with so many gallons of milk?

That amount of milk would last a couple days if snack is included in tuition. 20-40 glasses of milk, twice a day.

If for some reason you have too many gallons of milk, you can also use toilet paper, 10 rolls per 5 minutes. You can never have too much toilet paper, some late parents even buy the soft stuff too! lol

A huge fine isn't always the best deterrent and it makes people generally mad at your child care center.

Everyone gets a chuckle out of seeing a dad walk in with three jugs in each hand... It's a light hearted walk of shame and it really works to deter late pickups which is the real goal.

It's not so great for the staff either. Instead of waiting an extra 10 minutes for a parent that's 10 minutes late, they now have to wait 30 minutes because the parent had to make a 20 minute detour to the grocery store to buy milk.

> A huge fine isn't always the best deterrent and it makes people generally mad at your child care center.

EDIT: You can make this revenue neutral. Give parents a discount at the end of every month out of the money they collect in late fines. People on time at a better-than-average rate will come out ahead.

The milk is payable the next day during drop off. The point is to discourage parents to _never_ be late. It often ruins the staff's plans.
The very last late parent of the day has to dispose of all the milk.
You're kidding, right?
(comment deleted)
It's actually kind of brilliant -- you're fining them in time instead of money. They've already demonstrated that they value being able to use money to buy time flexibility, so this is a fine that hurts.
No... it’s an invitation for harried parents to show up with an IOU, a store card, or the cheapest ripest milk they could find.

Charging them double fees is more like it.

Or draw a different conclusion from the situation: parents are clearly willing to pay a premium for the daycare to stay open later. So raise the price for that service high enough that it's worthwhile for the daycare (including hiring additional staff as needed or paying overtime).
I think what you'd find is that people would just start using a different service which didn't treat them like children.
If they are chronically late, and the person feels like they are being slighted as a child, this is also a decent way to "fire" your customer. You don't need customers who don't respect the agreed rules of your service.

Another alternative is calling the police, because at what point is the child considered abandoned?

I think I would prefer the light hearted milk or toilet paper errand.

Well, day care operators have since learned...

... as I sit in my home office, just over an hour away from day care closing time I assure you I'm watching the clock like a hungry hawk watching a mouse. See, my kid's day care charges a mere $600 per hour late (billed in 1 minute increments).

I don't see kids parents late that often :-) and we've come close to missing it, but haven't in two years.

Surely you are joking?? Why would you agree to such a thing?
If you know you can show up on time, why not?

My guess is that day cares do this to basically mean "show up on time, we're not f'ing around."

There's a lot of things we as adults agree to where the consequences can be steep. This is one of the easier ones: we just show up on time. We plan accordingly and we, as responsible adults, manage to pull it off. That's not hard: so why not agree to such a thing?

Another perspective on this is why should we expect someone else to bear the consequences of our failing to meet our responsibilities? If we're late picking up our kid, they staff at the day care leave late to see their own families, they incur higher operational costs, etc.

Their request that we show up prior to their closing time is completely reasonable and that there are stern consequences for failing to meet our responsibilities doesn't seem unreasonable either... especially in light of the comment I was responding to.... I assure you the day care really doesn't want to collect that fee.

So you're in a car accident on the way and wake up in the hospital with a few thousand dollars in fines. Or better yet, pass out at home (in spite of being in good health; blood pressure can do weird things) with no witnesses and come to a few hours later.
I imagine the daycare will make an exception in the case of a family emergency.
If you were in a car accident, chances are that the day care would waive the fee. The fee doesn't exist to be needlessly cruel, it's there to encourage parents to pick up their children before closing.

As far as passing out in your home for a few hours. If that were really an issue for you, then potentially paying $600 might motivate you to actually go see a doctor. Otherwise there could come a day when you pass out and never wake up (and your children never get picked up by you or see you alive again)...

Even if there are no extreme cases like this, the stress of $10*num_of_min fine is not worth it. It seems disproportionate by a huge margin, and may contribute to bad health issues (e.g. blood pressure).
> See, my kid's day care charges a mere $600 per hour late (billed in 1 minute increments).

WOW, I'm in the wrong business I think. What else charges that much per hour? I don't even think a neurosurgeon could command that sort of rate!

The point is that you're not expecting people to ever pay it, because you've set it high enough to be a solid disincentive. If people are actually paying it regularly, you obviously haven't set it high enough.

This is also common when quoting freelance projects you don't really want to do.

This. I'm an independent consultant, too. There are things clients want me to do that I don't want to do and on terms that I don't want to do it on. However, if there's a real pinch and they have no other choice than hire me for that kind of gig: I'll do it, but you'll pay me my "I really don't want you to hire me for this" price. I'd rather they not hire me in those cases, but just telling them no is more alienating than telling them in advance here's my "don't hire me for this price".

(and with that... I better pick up the kid... ;-) )

British builders call this a "fuck off quote".
And here I thought the $90/hour late fee that my child's school imposes was steep (they charge $15 for every 5 minutes after 5:45 PM).
Can I ask where you live?
our daycare calls the police ... quite a deterrent I'd say
The bad PR might hurt more but I would error on the side of caution and say it has little effect. I have talked to drivers and passengers and they are unaware of those things .
What? Uber acted in an unethical manner? Seriously, is anyone surprised? I kinda hope (but not really) that they get hacked again in June 2018 and play the same trick.. us in the EU will have a party on Uber's corpse over GDPR.
And then we can go back to getting ripped off by taxis. I’ve lost more money in taxi rip offs than I ever spent on Uber.

Other than the sexist nonsense of the CEO, there really is an irrational hatred of Uber. Are many of us secretly moonlighting as cab drivers?

Uber’s nonsense is minuscule compared to generations of taxi corruption.

This isn’t me excusing Uber but it does seem like many people, especially Europeans have an inordinate amount of glee over anytime AirBnB or Uber get in trouble. Has the hacker ethic really devolved into statism?

We should be cheering over disruption of the status quo. Does anyone actually long for the days of getting ripped off by over-regulated and over taxed hotels and taxis?

Do you people actually like having government pick winners and losers? Do you actually trust government to do the right thing? Governments have a strong track record of stifling innovation, abridging freedom and giving regulatory handouts to the privileged classes. People here get all kinds of sanctimonious when it comes to patents and copyrights yet seem to fall firmly on the side of the entrenched incumbents when it comes to things like disrupting hotels and taxis. It’s a weird double standard; a hatred of government when they want to prevent people from stealing movies, but a love of government when they want to prop-up taxis and hotels.

Or maybe it's because people have valid concerns about little things like privacy, ethics, sexism, and the longer term effects of disruption that places more money and power into the hands of companies that are more than willing to overlook whatever regulations they deem are irrelevant.

Having those concerns isn't the same as unfailingly supporting incumbents, out of date regulation or a love of government.

> Do you people actually like having government pick winners and losers

Yes, many many people do.

Most European cities I've been in have way better public transportation than any US city, which makes Uber a much less valuable proposition. On top of that, taxis tend to be more professional, so even as a high-end option uber is less compelling.
taxis are also participating in the social security system : they pay taxes and therefore get social protection. Uber drivers don't get that. So basically Uber is pulling social security standards down. I understand they do fill a niche and they provide good service, but they have to play by the rules (esp. when the rules are here to help people). Now you can always complain that the social security system is not efficient but that's an entirely different debate
I feel like I've read almost this exact same post from you the last time Uber was in hot water. 'But what about the taxis' isn't a good defence, it's called a tu quoque fallacy and it ignores the existence of other competitors like Lyft and others who would surely fill the market gap if Uber were to disappear.

It's a really crappy and obvious distraction tactic, made worse by the addition of cliched libertarian sighs.

There's definitely an element of jealousy about Uber. It's the largest startup, still not public and very selective in hiring.
AirBnB might solve the hotel problem, but left unregulated, they would (and did) stress the rental market. Not just in Europe, but also in San Francisco.

> regulatory handouts to the privileged classes

And unregulated AirBnB is basically a way for rich people (privileged classes) to buy apartments in cities and turn them to money-making machines, to the detriment of the lower-incomed renter (lower-incomed because they can only afford to rent, not to buy their own place).

why is Uber paying hackers their ransom unethical?

I get all the other stuff they've done is unethical, but why is this occurrence one of them? They paid to protect their users. Almost plenty of companies get their data breached.

I bet the statutes define fines the same for any party with some maximum. States could charge a percentage of revenue, cash on hand, valuation, but those are easily fudged to minimize liability.
At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers $100,000 to delete the data and keep the breach quiet.
Only $100k? They really should have tried for more... not that I support stealing PII.
They agreed to pay and nobody heard about it for a long time. I'd say they asked for the right amount
Credit Monitoring is the shittiest way to resolve these issues.

I've stopped using any credit card numbers for anything ditial. I can change paypal passwords weekly If I'm that paranoid.

Credit card numbers are a bug.
> Here’s how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.

Don't check secrets into VCS, folks!

I'm surprised Uber doesn't have their engineers set up 2FA for GitHub. Super simple to implement and require organization-wide[1] and would have prevented this. Then again, not storing credentials in GitHub would also have prevented this . . .

[1] https://help.github.com/articles/requiring-two-factor-authen...

Working at another large tech company, this does not surprise me.

Edit: I mean it would surprise me if it wasn't recommended practice, but it would also surprise me if it was somehow strictly enforced.

This is so gob-smackingly uncommon I started asking "do you require 2fa for your github accounts" as part of my interview questions when I was looking for jobs (i.e. I'd ask my interviewers).

I don't know how to feel knowing that there is even one software-focused company out there that doesn't enforce 2fa on its github accounts. Like... how?! Why?!

2fa is just another hurdle. Good to have, but by no means a silver bullet.

Just one of the many ways to bypass it in this case: hack a developer machine and look at the local checkout.

I really don't think using 2FA and the direct hacking of an individual developer's machine are all that comparable here.

Who cares about access to individual dev's machines if the credentials to access code on github are obtained - 2FA at least offers some degree of protection in this scenario. The scope for attack is extremely different.

The hackers wanted access to the code to look for Amazon keys. For them it doesn't matter if they get the code from the internal GitHub or from a developer machine.

If you have an ultra-secure door, the thiefs will just enter through your regular window.

How do you know they "wanted" access to look for Amazon keys? Do you know it wasn't from a blanket scan of github?

Sure, there are only 13 projects on https://uber.github.io/, but there are 169 on https://github.com/uber, and it only takes a short while to scan for access keys. There are plenty of open tools that will scan github for keys.

This may not have been targeted at Uber but a net for all of github with Uber being just one company that was hit up for cash. Unless you're saying that you know the motivations of the attackers.

Laptops and desktops are by far the weakest link and a trove of passwords, tokens, code, logs, chats, emails.

They run browsers, communication tools, all sort of product experiments and testbeds, and they even connect to random airport/hotel wifi.

Attack a laptop and all software and hardware 2FA tokens are useless. A backdoor can sit around and wait for the user to press the button.

> A backdoor can sit around and wait for the user to press the button.

There exist 2FA protocols[1] that permit tying the 2FA challenge to a particular context: you can't just take the response from the 2FA hardware and use it anywhere. In this regard, the malware doesn't get anything more than what they already have, and the 2FA still adds protection: if the malware is able to compromise your password (e.g., through keylogging) it doesn't immediately get access to everything you have access to. Now, of course, if you 2FA for some resource, then yes, at that point, you're probably doomed, but I don't believe that gets the malware anything new (e.g., once the auth is complete, if that results in a "user is logged in" cookie, the malware could just read that, and go to town.)

Compromise of a local machine is definitely bad, and not what you want, but 2FA tokens are not useless, even in that situation.

[1]: https://developers.yubico.com/U2F/Protocol_details/Overview....

The ones that care about the security of their code base host it internally anyway.
To use 2fa on github you need a mobile phone.

Do you give every enployee a mobile phone, or do you ask your employees to use their own personal phones?

Asking them to use their personal phones seems like a very bad solution. Many software companies do not routinely give developers mobile phones...

It works with u2f as well.
> To use 2fa on github you need a mobile phone.

This is incorrect.

You only need the ability to generate TOTP or U2F tokens. This is often done using a smartphone app, but can also be done by a desktop app like 1Password or a hardware device like a Yubikey: https://github.com/blog/2071-github-supports-universal-2nd-f...

You can also record the TOTP secret in your automated login script, next to your password, and generate the token on the fly right there.

It's things like that that make me wonder why TOTP tokens are supposed to be conceptually different from passwords. A TOTP scheme involves knowing a master password, and nothing else.

Recording a TOTP secret next to your password would make 2FA worthless, true. That’s why you should use hardware generators whenever possible. However, Github supports Fido/u2f which is conceptually superior to TOTP: The authentication secret is bound to the domain and the token generator verifies this. So even a software u2f implementation protects against phishing for example, while TOTP does not.
It's actually getting more common to give out phones, at least in companies that really care about security.

For companies that don't do that Github also offers the option of FIDO U2F compatible keys.

> use their personal phones seems like a very bad solution

Why? You're not any less secure by using a personal phone. What are the odds that an employee is going to be phished and have their phone compromised by the same entity.

IANAL, but here is my thinking: The problem with personal phones is they are hard to audit. When a phone belongs to the corp, corp owns the phone, and "probably" can audit it as it wished.
In order to install my work Gmail account on my phone, I had to install a program on my personal phone that let admins wipe it remotely. This is not something that bothers me, because I expect to lose the phone almost anytime, so the contents on it are backed up continously on a system I control.
Whereas that bothered me so much I refused to put email on my phone and told my employer they needed to provide me with a phone if they wanted me to always be on email.

I'm already answering emails out of office hours which is for my employers benefit and they want to functionaly own my phone because of it?

Pretty high actually.. I mean it's a lot of money at stake.
Unless you're talking about a 3 person start-up, wouldn't the use of github itself be a red flag? If you're a software company, you live and die by your source code. Why on earth would you rely on some other company to hold it for you? This seems as ridiculous as doing your bookkeeping on Google Docs.

I've never once worked in a company that permitted source code to leave the company network.

What makes you think you (or most devs for that matter) know more about security than Github's security team?
It's not just about who knows more about security. It's a trade-off, and you need to account for other factors like cost, availability/uptime, data integrity, total attack surface area and others. Honestly, I'm surprised this is such a controversial point of view, but judging by the downvotes it appears it is. You learn something new every day, I guess.
The point is that the trade-offs usually come down in favor of using GitHub Enterprise (or whatever other well-regarded, trusted enterprise system). The availabilty and uptime are your own, because it’s self-hosted, like git. The data integrity is also your own. The security is better than probably any other VCS interface over git, with the possible exception of GitLab, and almost certainly better than what an organization could come up with on their own if it’s not their core competency. Unless you’re literally using straight git, GitHub Enterprise (or again, whatever other competitor) usually enhances team productivity. The attack surface is larger than git, sure, but the rational solution to that would really be to use no interface over git, because GitHub Enterprise is as safe as they come.

I think you’ve misinterpreted people’s reactions. It’s not at all controversial to use other companies’ services for your most sensitive assets, it’s your opinion that appears controversial to them. If you’re in control of your own servers, what remains is to trust GitHub Enterprise not to literally phone home your source code or to enable remote code execution on your own server. There are myriad information security policies and compliance methodologies for compartmentalizing, quantifying sharing that risk.

For what it’s worth, having personally performed security assessments for over 50 different companies across the gamut of size/maturity, nearly all of them use a centralized VCS hosted or produced by GitHub or Bitbucket (and nowadays, occasionally GitLab too).

GitHub Enterprise is a different beast, as it's self-hosted. My comment was in response to the parent's mention of companies storing their source code on GitHub, which might imply external hosting. I suppose it was ambiguous.
> Honestly, I'm surprised this is such a controversial point of view

HN users tend toward a very pro-SaaS stance.

Right, but none of those things is necessarily a home run for self-hosting your central git repository. Particularly in today's world, where you likely have remote workers and don't necessarily have any other servers you're managing, anything you could call a "local" network or even a VPN.
Because you trust their security better than your own, which at any organisation without a dedicated security team seems like a reasonable decision. I live and die by my money, too, and I give that to a private company to hold rather than protect it myself.
You have a full checkout on your laptop and probably a whole bunch of other developers laptops. With git you can also have random backup computers do the same thing! You don't have to rely on github alone, for this.
I've been surprised how many commercial, closed-source projects have opted for Github in recent years. While I would probably prefer to self-host (Gitlab, or similar) in order to reduce dependencies, I do see the benefits. Having recently worked at an organisation hosting exclusively on Github, it made collaboration with remote contractors and third parties very straightforward and helped eliminate much of the maintenance burden on our small team.
Unless 2fa was bypassed with the token you get from GitHub in order to use the git client via https.
I mean they don't say how they accessed the GitHub repo or whether there was a vulnerability in Github itself that allowed access
I assume it was password reuse from one of their engineers or something similar. If you could compromise GitHub itself there would probably be higher value targets (source code for upcoming AAA games, Coinbase, government organizations, etc.)
I mean 100k is a lot of money and there is no saying they didn't hit those guys also
> If you could compromise GitHub itself there would probably be higher value targets (source code for upcoming AAA games

I'm intrigued. Why would that be a higher-value target?

AAA games have budgets in the millions. Threatening full release would likely net you much more than a few hundred thousands, and without requiring any secondary attack.
Are many (any?) AAA studios using private Github repos for development?
The most I've ever personally seen a company do is require a VPN for their privately-hosted repos. For others using GitHub or Bitbucket? Never anything beyond a standard login.
uber engineer here, we have 2fa set up for everything. Starting my day takes about 5 different 2fa checks (ssh access, aws, phabricator, team chat, etc)
I know Uber has a strong engineering culture, which is why I was so surprised. I think philsnow's assessment that organization-wide required 2FA wasn't available for GitHub Enterprise at the time of the hack is probably correct.
(comment deleted)
That sounds really inefficient
That sounds reasonably secure and quite common for a big tech company.
Although more and more applications support SAML for SSO, much of the SaaS world is disparate and siloed. There's definitely something to be said for centralised user management on a homogeneous system. User leaves your organisation? Just retire them in LDAP.
You couldn't enforce 2FA on GHE for the longest time. GHE version 2.8.0 lists [0] "Enforce two-factor authentication" as a feature. 2.8.0 was released November 2016. According to the article,

> Kalanick, Uber’s co-founder and former CEO, learned of the hack in November 2016, a month after it took place, the company said.

I don't know if they were using GHE. If they were, at the time it did not come with a good way for them to enforce 2FA for users.

[0] https://enterprise.github.com/releases/2.8.0

If they are/were using GHE, I would expect (hope?) that they require some sort of VPN to get access to it, so my guess would be this was stored on github.com.
> I don't know if they were using GHE. If they were, at the time it did not come with a good way for them to enforce 2FA for users.

Well, sort of - at the application level, that's true, but GHE is typically run behind a VPN. Certainly that should be the case for a company the size of Uber.

Even before GHE added 2FA, it shouldn't have been possible for a leaked set of login credentials to be used to access GHE, without some other sort of compromise (VPN cert, physical compromise of hardware, etc.).

At my company (mostly a Windows and Microsoft shop), my domain credentials are used to log into the VPN, and TFS, and Octopus. Compromising just that one set of credentials could effectively "own" our company. And I'm just a senior-ish developer.

Lateral movement by an attacker is a real thing. And while credential reuse is something most security focused web companies are trying to mitigate, a push for "sso"-like account management is seemingly undoing most of that effort inside the network if not done properly (specifically, auditing and monitoring of behavior).

> my domain credentials are used to log into the VPN, and TFS, and Octopus. Compromising just that one set of credentials could effectively "own" our company.

This is why 2FA is important! I worked for a company that had a very similar setup: I essentially had a single "LDAP" password. But: everything web-browser went through a single sign-on site, and it required 2FA (and so, you were never entering your password into even random internal applications: there was exactly one page where you should log in). Terminal stuff had a similar flow that also required 2FA (e.g., for SSH). As a user, the experience was not painful at all.

It does seem like, however, from an operations standpoint, getting such a setup in the first place is not trivial.

> I don't know if they were using GHE.

They don't use GHE, they use Phabricator.

Yeah this was such a PITA several years ago... To solve the problem we ended up building a small proxy in Perl for the express purpose of adding 2FA to Github Enterprise.
that doesn't protect you from GitHub employees snooping around.
Or anyone who manages to breach GitHub's defenses.
Couldn't you say the same thing about any commercial web platform? Like AWS?
Github 2FA has been part of the first-day training/laptop setup for a while now (I joined in may) and there's security-related training in place as well. I was told there are also scanners in place now that check repos, gists, etc for secrets for exactly this type of mistake.

One snippet of the email the article didn't mention was that Sullivan's firing happened pretty much right after Dara learned of the breach and an investigation was conducted. It definitely inspires more confidence in leadership seeing that the CEO will not tolerate unethical behavior.

its possible and even likely that this happened post hack.
True, I just wanted to shed some light into the current state of affairs in here.
Uber will not tolerate unethical behavior, you got to be joking!?!?
I think the commenter meant the new CEO will not tolerate unethical behavior.
The new CEO will not tolerate new unethical behaviour.

Hopefully he will also slowly eradicate the existing unethical behaviour.

The new CEO will fix everything just like the last 3 GM CEO's changed their corporate culture and stopped them from making cars that kill teenagers...

... crap. My kids won't be buying a GM car.

The downvotes are likely because you're taking an Uber thread veering it off to GM's management and your children, neither of which have any relevance here.
Except for the CEO being changed and having a toxic corporate culture that didn't change and produced the same deadly car across CEO's after promising change but did nothing different--including not stopping production of a deadly vehicle.

I probably should have spoonfed the readers more. They grew up in a world that doesn't need critical thinking anymore so it's probably too much to ask for their brains to activate while reading on a website and have them put distinct ideas together to form a grander one.

Must. Downvote. Comments full of facts but from people I dislike. Must.... errooorrrrroooorrrrrr. 505.

It's okay. Every time I see downvotes here, I know I said something great but I just pissed someone in power off. I'm used to being a minority oppressed by a majority in power. It's no big deal. The system just builds people like that these days.

Still not making the connection from Uber to GM that you are trying to make. Because the GM CEO could not prevent teens across America from joyriding, the new CEO is going to be unable to reign in the behavior of his own supports?

Either make a valid point or let your comments stand. Leave the /r/iamverysmart tandems at the door

Americano Saviour Complex at work: Someone will come, a stranger in our midst, and will make the problems go away. Preferably with a gun and a swoard.

Its always a person, its never a institution, or organisation, never a boring measurement like bureacratic oversight or well made laws.

I think many people don't realize this, but the majority of the leadership team from like a year or two ago is now gone, including Travis.

Also, Uber has been hiring a lot of new people - the ratio of new people vs old timers is really high. I'm obviously just one anecdata point, but I believe new hires (and a lot of old timers) want Uber to be an ethical company, and many have joined the company specifically to tackle that challenge. One great example that comes to mind was when one board member made a sexist remark on an all-hands meeting a few months ago and by the end of that same day, Liane Hornsey (who had just joined as the new head of HR) had him give up his seat.

There's a big push towards trying to make things right, with the holden report, the 180 days of change campaign, the implementation of new training courses, anonymous complaint hotline for employees, etc. And the unspoken message right now is pretty clear: inappropriate conduct _will_ get you fired, even if you are the head of your org.

Obviously there's still a lot of work to be done, but I think we're at least in the right track now.

This is good for Uber and their employees in the short term, but I can't help but think it's bad for their ideals in the long run. There are a lot of scenarios that look very bad for Uber economically and it would be a shame for a culture shift to coincide with the realization of one of them.
Honestly, I find that a lot of economic discussions on the media are highly speculative (and dissonant to what I've seen circulated internally), and things get just downright sensationalist on some topics, so I've been taking news about Uber with a large grain of salt.

> it would be a shame for a culture shift to coincide with the realization of one of them

I think everyone at Uber has at least some idea about the P&L situation, but there's no doubt in people's minds that we need to drop the go-fast-and-dubiously culture and embrace a do-things-properly culture. If anything, I think it's more likely that a major crisis would continue to drive home that idea.

I really like how your description gets at these policies creating a tipping point in the culture. Hearing about any one individually always sounded like a bandaid, but hearing about them together and then how you and other employees react to them is very encouraging. Good luck to you and the rest of the company.
Are you using Github Enterprise? Is it available from outside of the uber network?
We primarily use private phabricator and gitolite instances for internal stuff, but we also have OSS things in regular public GH repos. We do have a few private GH repos, but AFAIK, you're not supposed to version control internal stuff on GH, and there's no real reason to use a private GH repo, except for legal review prior to open sourcing.

I don't have any context on why someone would have put production secrets in a GH repo. If it had happened in my team, I would definitely have sounded the alarm at code review.

Just curious, are you speaking as an Uber employee
Well, I am one, but the things I say here are my individual opinions and observations. I just think that as an insider I get some insights that you'd normally not get from the media, and I figured I'd share them.
I'll believe it when they stop having stories like this every few months. They had over a year to report the breach, and they paid hush money instead. Typical Uber
> They had over a year to report the breach, and they paid hush money instead.

Yeah, I'm totally with you there. Not cool :(

Hah, setting the example himself I remember him yelling / and cursing at an Uber driver in NYC, very ethical.

Good luck and I hope you're doing it for the money, cause nobody should buy the "Uber is an ethical company" bs.

Dara Khosrowshahi is the CEO now, not Travis Kalanick... Maybe catch up on the facts before reaching for the pitchforks? :)
Ha, the trouble is that pitchforks are more fun than facts.
Yep, but think of all of the private keys and tokens used in automation servers (think CI) for pulling down source. Those don't have 2FA - because they don't login - but they have full access to most source.

In an organization of about 200 engineers across various products, 1000+ github repos, and 10 or so different CI systems. We enforce 2FA at github. I can still easily see how someone could easily gain access to source code with secrets in it.

This is almost certainly what actually happened.
> In an organization of about 200 engineers across various products, 1000+ github repos

Wait, what? That's 5+ repos per engineer. What on earth would warrant that level of granularity? I've only worked once in my career in a place that used more than 2-3 repositories total, and that was a "MegaTechGiant" with thousands of engineers.

It depends upon the culture. Some places favour a project repo others a repo per microservice/job.
Could also be a company using clone - pull request workflow. 10-20 project repo an then each developer has a bunch of projects clones, including a few shared one - like the common infrastructure stuff, ...

I can see that with a company that has grown day 1 around Github, especially during early startup stages with a variety of contributors but no formalised "organization".

There are just three of us in my company and after 10 years I worked on close to 80 projects for 30 different clients. Each project has its own repo. So +3 per engineer is really not that much;)
Agencies may create multiple repos per client / project.
Good point—I can see the point of having numerous repos if you have multiple unrelated clients’ code bases.
I know that mentioning downvotes usually invites more downvotes, but...

I'm surprised you're being so heavily downvoted for your question. Engineering teams (and software companies) come in all shapes and sizes. It is absolutely reasonable for even an experienced engineer to have only worked at companies with a handful of repos.

Rather than downvoting, it would have been helpful to explain why your company has opted for such granularity (perhaps engineers or teams have a high level of autonomy, or your software is highly componentised and built from a great many, separately managed, parts).

(comment deleted)
Some CI setups benefit from a one-repo-per-service approach, as it makes it easier to figure out when an individual app has changed. In orgs where everything is in one giant repo, it can be difficult to establish what subset of your applications needs to be rebuilt when a commit is pushed.

I personally don't have a strong opinion about either way - they both have tradeoffs.

Depends on the company you work at, but most tech companies I've been at have gone the "micro" services approach.

Example:

- 1 repo for the frontend - 1 for each api - 1 for the infrastructure terraform scripts

It's good for CI / CD and general code base organization. Also easier to track changes and handle security. You give devs access only to the repos they need to do their job.

Our team has a product with multiple integrations and internal apis, so we easily have 40+ repos.

Plus one repo for every open source dependency you fork
How about, if Uber stores all data across those git repositories (1000+)? Perhaps they use git as a multi-versioned data storage? Perhaps better than Kafka (event sourcing thing?). Just a thought :)
It's normal and expected. I have a few dozen. git makes it great to create little repos for lots of different things. They don't have to be production apps. They can be libraries, utilities, documentation, scripts, or just random crap I may want to refer to someday.
2FA doesn't help if they used SSH access
It’s also required for SSH access to Uber’s servers.
Maybe it's just me, could "private GitHub coding site" have meant a private GitHub repo with GitHub pages turned on?

If that were the case, there would be no authentication whatsoever to access the closed-source site; the hacker would have just needed to guess the right url.

Do we know how the attackers accessed the github repo? If it was via malware on the employee's machine, or cookie theft then 2fa wouldn't have helped.
2FA wouldn't have necessarily solved this, if the hackers had access to an engineer's ssh keypair (e.g stolen laptop) they could clone repos as they pleased. 2FA isn't a silver bullet.
Could use a Yubikey (or similar) for SSH access.
No, 2FA would not have prevented disclosure of credentials in GitHub. The fix for that is to not check credentials in to GitHub. Nothing else.
Two factor won't protect you from a spear-fishing attack.

The attacker can submit your info to GitHub the moment you submit to the malicious site. You receive the token via SMS as expected, enter it on the second page of the malicious site, granting them access.

From what I hear it's pretty common...
It's very common, but there are lots of ways of addressing it.
Just pigging-backing on your comment. If you did, here's a guide from Github on how to remove it: https://help.github.com/articles/removing-sensitive-data-fro...
They key part is "Warning: Once you have pushed a commit to GitHub, you should consider any data it contains to be compromised. If you committed a password, change it! If you committed a key, generate a new one."

Removing the secrets from the repository is nice to have, but not that necessary - what is mandatory is to ensure that the compromised secrets are no longer useful, since they aren't secret any more and won't be ever again.

I am rather disappointed in github for publishing this guide. The portion at the top stating

> Warning: Once you have pushed a commit to GitHub, you should consider any data it contains to be compromised. If you committed a password, change it! If you committed a key, generate a new one.

Is a good argument as to why you shouldn't let users erase this data from history, it's already out there so no matter how painful or convoluted your process is for regenerating auth credentials is, you need to do it if you've published them into your SCM. If the process is painful you might want to simplify it because you'll probably need to do it sometime in the future again... yes even you large corporate workers who have no control over credential regeneration, an arduous process leads to credential sharing between projects which is another horrible thing.

They are doing the right thing by letting the users control their own data, and at most they can make it more complicated to do but not impossible.

There are cases- such as complying with court orders- where removing the data is appropriate (even if a bit futile in the long run).

There is sensitive data that isn't a password, and can't be changed.
(comment deleted)
Things like this make me feel much less concerned about the confidence gap.
You can use tools like Talisman which registers a Git hook to check if you are checking in anything that looks like secret.

https://github.com/thoughtworks/talisman

It's not foolproof but this tool needs to be more widely-known - it would've saved me on countless occasions.
We use a tool under a Linux Foundation project called anteater https://github.com/opnfv/releng-anteater, which does the same thing (but is for a jenkins / gerrit workflow). A key difference from looking at talisman, is anteater uses standard RegEx rather then code to seek out strings, so anyone can add their own strings / file names easily into a simple yaml file. Like wise they can use regex to provide a waiver, should something be incorrectly reported.

I am thinking now would be a good time to port it to working with webhooks as well.

The tool would have blocked the aws credentials from being checked in: https://github.com/opnfv/releng-anteater/blob/master/master_...

Dumb question: What's the best practice to share authentication credentials across the team for services that don't have an IAM feature?
There are a few SaaS offerings that will let you do that. LastPass or onepassword are two commonly used.

One you can use something like keypass to store a database in a shared location if you don't trust the SaaS offerings.

If you are looking at storing credentials for automation purposes, and don't have a secret store built in, you could look at something like Hashicorp Vault to help provide this for you

We use 1password for teams.
We're using Keepass / MacPass password protected vault shared with the team using Dropbox. It's really good and essentially free to use if you use a free Dropbox account.
Then make sure you use 2FA on the Dropbox account. And you should use a key + password to unlock keepass.
When it comes to security, there are no dumb questions.
In person I use a thumb drive. You could encrypt the credentials using PGP and send it to a coworker if they are remote.

Sometimes I just go on google hangouts and share my screen if I'm feeling lazy.

I've never used it in production (my last shop was heavily AWS based and relied on IAM), but I always like the look of Hashicorp's Vault [0]

https://www.vaultproject.io/

Totally agree. I am moving secrets onto consul/vault - would like to hear what others use for the same.
But you have to put them somewhere; how is idk, AWS credential management secured?
Store credential information where it is used. It is not used by the repository, so it is an improper location for it.

If someone gains access to a system that uses the credentials, then there is, in principle, no difference between puppeteering that system versus stealing its credentials.

"Don't check secrets into VCS, folks! "

I suppose? But at this point they have your code base. You are so owned at that point.

Yeah, but hopefully they can't do much if they just have your code base. If the secrecy of your code is the only thing stopping hackers from exploiting you, you're missing some gaping holes in your infrastructure. With that said, nothing wrong with using secrecy as a additional barrier, but shouldn't be the only, and if it's not the only, you're not "so owned at that point".
"If the secrecy of your code is the only thing stopping hackers from exploiting you"

I hate these types of arguments. Yeah no one said that ever.

Losing your code base is terrible. I view it as losing a journal. What your company tries, tests you run, funny comments, or funny mistakes. I mean they post it on the net, blackmail team members, imposter team members, forge for leaks, sell it, pushes to prod from compromised accounts, CI systems, -- seems bad to me. Sure don't have aws keys in there.

Glad to be talking with you too! :) I didn't mean to imply you said something you didn't, only that I would consider access keys to various services be of much more importance the code base itself. I read you comment as "Doesn't matter about the access keys, if they have your source code, you're screwed no matter what", which in that case would seem a bit strong.

Also "pushes to prod from compromised accounts, CI systems" seems more related to access keys and account security rather than the actual code base.

But hey, in the end I'm no security expert so what do I know.

“Just” leaking full source could be enough to destroy a lot of IP-based companies. A lot of companies stay wealthy because their IP is so huge than nobody can afford to develop competitive alternatives anymore (Adobe, Microsoft Office, Salesforce etc). Some of them have actual “secret sauce” that they cannot afford to share (suggestion engines, biotech processes etc). Even a service like Github, which relies on others entrusting their work to them, would take a humongous reputation hit from a leak like that.
> Adobe, Microsoft Office, Salesforce

I don't think either of those companies would cease to exist if their code bases leaked online today. Sure, someone might get something to build, but there is surely A LOT of things around the code bases to support all of this, which means the code bases would mostly serve as a study for software in general (and finding holes obviously).

Github is a bit unfair comparision, as their business is literally to make your code private, so if it leaks then of course it would be a hard hit. For the general company, I think leaking access credentials is a much bigger (but easier to fix) problem than leaking the source code itself.

(comment deleted)
> I don't think either of those companies would cease to exist if their code bases leaked online today.

A serious Photoshop clone that can match PS feature for feature would wipe Adobe, people cannot wait to get rid of them. 25% of MS revenues comes directly from Office and another 25% from Windows or other commercial offerings that are basically driven by Office, so yeah, MS would survive a working Office clone, but they would be deeply wounded; they pulled all the dirty tricks in the book to keep competitors from integrating seamlessly... having the real code responsible for their formats available in the open, would hurt them massively.

These companies are as big as they are because they did the right moves at the right time, and now they have spent so many man-decades on their codebases that nobody can realistically hope to catch up starting from scratch; but having a good look at their codebases would likely kickstart oozes of competitors with very good chances to replace them in a very short time.

> For the general company, I think leaking access credentials is a much bigger (but easier to fix) problem than leaking the source code itself.

Credentials are a mean to an end: protecting something. If you are Ashley Madison, your valuable IP is your database of users and their preferences; but if you are Microsoft or Adobe, what credentials are protecting is your source code. Adobe survived their user credentials being leaked, like so many other companies. They would have hurt much more had they leaked the entire PS codebase.

But a competing company can't just give a copy of the leaked source code to their developers and tell them to go to town. Even by employing clean room design, you can't get around all the patents that likely protect many of the features that Photoshop users consider crucial.
> you can't get around all the patents

Just open a shop in China and obfuscate a bit. Job done.

If they have access to the code inside Github, would they have been able to push their own changes to the code without anyone noticing?

Maybe pushing something that was labeled as a "security patch" but was actually a disguised vulnerability? I could see not even checking into that, and just downloading it. But I'm on a small team. Do big companies have procedures to protect against this?

Depends on how they get access. If they got control of one of the user accounts with push access, they could surely push code (but unsure about "without anyone noticing", depends on their own development processes I guess). However, if they got access to the code by reading some part of the memory/storage holding the code, without actually gaining access through authentication, they wouldn't be able to change it.
> Don't check secrets into VCS, folks!

Ok, how do you handle a bootstrap problem?

I really wish AWS would stop enabling master API keys by default. As soon as you create an AWS account you are given API keys which basically have SUDO permissions to your entire account. That is super dangerous and is probably the same key set that these hackers got ahold of. AWS needs to disable these full access API keys by default and instead should encourage users to generate keys for specific access to limit what they can do.
I wish I was a fly on the wall at Transport for London. Or to be at that meeting TfL will be having with Uber, when Uber are going to magically prove themselves to be a 'fit and proper' company. At some point after some British chat about the weather someone on the TfL side of the table might ask: 'So, that data breach...'
If the FTC doesn't act on this they are toothless. Uber's blatant disregard to anything accountable or respectable is astounding:

"In January 2016, the New York attorney general fined Uber $20,000 for failing to promptly disclose an earlier data breach in 2014. After last year’s cyberattack, the company was negotiating with the FTC on a privacy settlement even as it haggled with the hackers on containing the breach, Uber said. The company finally agreed to the FTC settlement three months ago, without admitting wrongdoing and before telling the agency about last year’s attack."

One would hope the next settlement would have more teeth.

If I was running the FTC, I would not settle this time, because it's blatantly obvious Uber was acting in bad faith last time around.

I hope the earlier agreement contains language that allows it to be voided, and put all the original violations back on the table. If there is no such term, this is one relatively straightforward way to improve the handling of these matters in future (if a company was unaware of other breaches at the time and appeared to act in good faith, the FTC could always choose to let the original agreement stand.)
I woke up an Silicon Valley has really become an Evil place. What ever happened to our mantra (really Google's but it reflected the whole valley) "Don't be evil"?

We really need to change.

It all started when Google banned all software that can not be used for Evil: http://wonko.com/post/jsmin-isnt-welcome-on-google-code
> What ever happened to our mantra (really Google's but it reflected the whole valley) "Don't be evil"?

The kool-aid wore off and everyone realized it never had any meaning to begin with.

> Uber said it will provide drivers whose licenses were compromised with free credit protection monitoring and identity theft protection

This got to be a running joke now. Companies lose the data and offer credit/theft protection than facing the consequences. If Equifax could get away with the giant breach, I am sure Uber will not even feel the heat. smh.

It'd be nice if I could register for 2FA with all the various agencies. Commenters have suggested paying a fee to 'freeze' credit activities but the process to 'unfreeze' them requires no new information than what's already in most of these leaks...
I moved to the US in April was and shocked by the Equifax breach, but more surprised to hear from a coworker how often these “free credit/identity monitoring for a year” situations occur.

One co-worker is covered by no less than four groups who failed to look out for him earlier, all for trusting companies to not screw up PII or remember that data is a liability.

Yeah, this happens a lot here. I mean the cheapest and most effective way for companies to get away.
"Here’s how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company."

Seems to suggest they committed AWS credentials into source control?

81% of all breaches now originate from compromised credentials mainly acquired from 3rd party data breaches or data leaks. Most organizations believe that 2FA and SSO are the answer but this proves that 2FA/SSO are not enough.
Do you believe this kind of thing is simply unavoidable? I wonder if this could've been avoided by simply making it impossible to access data without being connected to a VPN in addition to having some sort of physical device connected to your computer.
For amazon you can use IAM roles tied to specific EC2 instances, then no credentials are ever stored, you simply make S3 API calls in your code and as long as the machine you're making them from has access to the bucket you can get to the data.
It's entirely avoidable. Just don't commit secrets to source control. Ever.
This is good advice, but even if you don't, it's possible that someone else on your team will.
I don’t think many people intentionally commit secrets to source control. Frequently, it’s a matter of committing a bunch of work and accidentally missing the credentials you stuck in some prototype code.
I agree with ajsharp, this is completely avoidable.

Along with never committing secrets to source control, implementing 3rd party data breach and data leak monitoring is necessary as recommended in NIST 800-63B

If the attack was conducted using login credentials found on github how does this prove that 2FA/SSO are not enough? Wouldn't 2FA have prevented easy use of these credentials?
It never fucking ends with this company, does it?
No, it does not. Tough luck if you are a drive, btw. You'll be made redundant to self-driving cars soon.
I think its time that Uber starts paying a real and deathly penalty for their pattern of behaviors.
If companies hiring the "best and brightest" can't keep your data secure, what hope is there for the average non-tech company? Low tech lock-and-key solutions don't seem so bad now. If only they could scale...
If there was ever a company that I'd like to watch die in a fire, it would be Uber.
Yep.

About that time my Uber account was 'hacked' and someone kept requesting rides in Florida and I had to cancel them as fast as they made them.

I emailed Uber support and they got back to my 3 days later.

Then someone proceeded to try to gain access to every account I had with that email and password (yeah, yeah, I know). The next worse was someone getting into my DigitalOcean account and launching an instance.

It has finally settled down, I occasionally get alerts from people trying to break into something but lots of 2FA and no shared passwords anymore.

I am not sure if this was Uber's fault or another site's but the timeframe of Oct 2016 lines up.

In the disclosure it says that the attack included names, email addresses and phone numbers. It did not contain any passwords or social security numbers, so your passwords must have been compromised in some other way.
It's not related to this particular breach, but given this and Uber's other issues, it's not out of the realm of possibility that at some point they had a more serious breach involving loss of password hashes or interception of credentials at login.

(But in all likelihood the poster's account was just compromised through the usual means, otherwise there would be more reports of hacked accounts.)

The article states that this disclosure came out of an board commissioned investigation into the activities of Sullivan’s security team. Do you think that other more serious breaches discovered by this investigation is hidden, or is this more of a general sentiment around how you perceive Uber?
Oh there's more. Much more.
I don’t think these kind of comments adds much to the discourse, and we on HN try to not comment when we don’t have anything to add.

Do you have any evidence that the action here by the new leadership to disclose all breaches was disingenuous?

(comment deleted)
Uber accounts are frequently sold on underground markets - they're sourced via endpoint malware and shared passwords

You should check over all of your accounts and machines - I doubt it has anything to do with this leak

"For $100K we will delete the information, Scouts honor!"

...

The CSO was able to arrange for $100K to be paid out without any oversight of what that money was for?

If it was paid to hackers it's unlikely that finance cut a check. I'm imagining this was paid in bitcoin or similar. How was this able to be approved?

I'm guessing someone created a fake invoice? Wouldn't that constitute fraud?

Who needs to approve it? How would you know they didn't?
Generally your finance department needs approve purchases beyond a certain dollar amount. This is pretty standard stuff.

If they got it approved as such don't you think the CEO would have been informed that there was line item from Security for ransom?

The article states the CEO didn't find out about the hack until a month after.

I doubt the CEO of Uber is informed of every $100K transaction.
Maybe it's personal cash. 100k is barely a weekend in Vegas for these people.
IANAL but I did some basic visualization work as part of a story on US state data breach regulations. What may be Uber's undoing is that they must have the drivers license numbers for all of their drivers on file and that is considered PII by 45 states (nevermind that they also missed their reporting deadline).

And if you're interested, a gif of the data:

https://imgur.com/Rm32MeC

I can not believe Joe Sullivan would just sit there during this. There has to be so much more to this story.

I can not imagine he would be on board with negotiating with the hacker, and cannot imagine him sitting idly for a year after the cover up.

At this point if the next headline is “Uber sold nuclear submarine secrets to China whilst kicking puppies” I won’t bat an eyelid.