FRAUD! Uber PAID RANSOM to Conceal IDIOTIC Data Breach

In 2014, Uber's data was stolen after their passwords were discovered in plaintext. The FTC opened an investigation and Chief Security Officer Joe Sullivan testified. He "forgot" to mention that it had happened again.

#uber #hack #sullivan

Thank you, supporters!
(The new list will begin on the 2nd)

August 2020 Supporters!
$50+ supporters: Nicely Done Defense, Joe Tyson, Wes delj, Citizen of the Sovereign, John Steel, Gavin Barnard, Eevi , Kyle Mudrak, Spirit Bear, Jan Negrey, Benjamin Hitov, Stephen , blackleaf, Cute Grills in your area..., Longreach Jones, Definitely not Prenda Law, Ugly Grill, Shielo T, Rudolph Bescherer Jr, Oscar The Phrophet , J. Dixon, HotGrillsInYourArea, Ameknight, engi , Brandyn Abel, torpedan, Creative Corruptions

Comments

All companies should be held criminally and financially liable for any data they collect, including data they sell to 3rd parties. No getting out of it with damn ToS agreements.

Ceece

When you did the bit about "black van with a red stripe", I had to pause and go back to check the text. It's sad that a bunch of incompetent Uber execs thinking enough of themselves to ride around in an A-Team van is actually believable.

mthiffau

Notoriously exploitative company does something stupid, reckless and unethical? I will try to control my surprise.

lexslate

Just to clarify something that was apparently garbled in the complaint - AWS access IDs are not secrets. Access *keys* are. What AWS users will usually do is put the access ID for a "user" (it's not really a user, but whatevs) in their code somewhere and then use one of the AWS secret management services to pull the access key that corresponds to the ID. The ID is really just like a username, and the key is a random password AWS generates for you once and only once.

That said, part of the point of using an AWS secret management service is that you are able to automatically rotate the keys regularly with zero effort. It takes almost no effort to implement that, which was by purposeful choice in the design AWS used. So the confusion doesn't save the situation for them anyway. DUMB, DUMB, DUMB.

deriamis

Oh the irony of an Uber pre-roll ad on this video really hits hard hahaha

kempokiai

Man all this stuff about Uber (and Lyft) lately has me feeling pretty vindicated about never trusting them.

Fastollis

Oh my God, I KNEW about that flaw! I saw some programmers talking about it online. I talked to an Uber driver about it and couldn't convince him that it was real.

I feel very vindicated right now :)

Axius

FYI: “Misprision” is the deliberate concealment of one’s knowledge of a treasonable act or felony. A rare word these days, I’d say!

MrShoward

Unencrypted database... in 2020. After how many high profile breaches?

DahVoozel

It's shocking that a company that has repeatedly shown itself to be both incompetent and evil is incompetent and evil. <SNARK>

hive_indicator

Well, that was stupid trying to cover that up.

EDIT: Another breach, there was more than one?

ScorpiusZA.

For non-technical people:
S3 (Simple Storage Service) is a place to store files. It's very slow (compared to hard disks / SSDs), but it's plenty fast enough for HTTP-type requests. S3 is about 1/3 to 1/10th the cost of disk-based storage (EBS). You typically use HTTP to interact with the content (think posting a form rather than reading the file on disk). The storage is also not bound to a VM within AWS. In short, it's good for backups or similar that don't require a lot of I/O. It would be really bad if you tried to use it as the storage for a running database.

You NEVER write keys (or any other credentials) in code. That's software development 101. Anyone who has either done software development professionally or worked in a similar environment would know 9:03 was a complete lie. I'd expect an intern to know better. EVERY programming language has ways of getting values from a config file or the environment they are running in.

If you need to store those credentials in a repo (because you're doing CI/CD), then you use GPG or similar to encrypt the content and only decrypt either during deployment or at runtime. There are alternatives.

DontScareTheFish

As a former GitHub employee who has also worked on other code-management products, secrets in the repo happens a lot, and it's a major problem for companies of any size - there are credscan tools available that will prevent commits that include credentials/secrets - definitely a must-have.
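The two comments above make the same pair of points: never put a key in source, and run a credential scanner that blocks a commit before a key lands in the repo. The block below is an added example written for this page; it is not code from the video, from either commenter, or from any real scanner such as those GitHub ships. It is a minimal pre-commit style scanner: it flags AWS access key IDs by their fixed prefix and format, flags 40-character values assigned to secret-looking names only when their Shannon entropy is high (so a placeholder like forty "a"s does not trip it), and redacts what it reports so the scanner's own output does not leak the key. The sample lines it scans are constructed for the example (they use the documented AWS example key, not a live one), and the regular expressions are an approximation of the key formats, not an AWS specification.

```python
"""Minimal pre-commit style secret scanner (added example, not from the page).

Assumptions (not from the original page): the patterns approximate AWS key
formats, and SAMPLE_DIFF is constructed input using AWS's documented example key.
"""
import math
import re
from collections import Counter

# Long-term access key IDs start with AKIA, temporary ones with ASIA, followed
# by 16 characters from [A-Z0-9]. The ID is not secret, but a hardcoded ID is
# a reliable signal that the matching secret key is hardcoded nearby.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

# Secret access keys are 40 base64-like characters. On their own they look like
# noise, so require a credential-ish assignment and an entropy check.
SECRET_ASSIGN_RE = re.compile(
    r"(?i)(aws_secret_access_key|secret_key|secret|token|password)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

ENTROPY_THRESHOLD = 4.0  # bits per character; random 40-char keys land near 4.5-5


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only a short prefix so findings can be logged without leaking the key."""
    return value[:4] + "..."


def scan_lines(lines, entropy_threshold=ENTROPY_THRESHOLD):
    """Return a list of findings, one dict per suspected credential.

    Each finding has 'line' (1-based), 'kind' and a redacted 'match'.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id",
                             "match": redact(m.group(0))})
        m = SECRET_ASSIGN_RE.search(line)
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            findings.append({"line": lineno, "kind": "aws_secret_access_key",
                             "match": redact(m.group(2))})
    return findings


def should_block_commit(lines) -> bool:
    """A pre-commit hook would exit non-zero when this returns True."""
    return bool(scan_lines(lines))


# Constructed sample input: what a staged file might look like before and after
# someone moves credentials out of the source into the environment.
SAMPLE_DIFF = [
    "import os",
    "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'",                       # flagged
    "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'",  # flagged
    "access_key = os.environ['AWS_ACCESS_KEY_ID']  # read at runtime instead",
    "secret = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'  # 40 chars, no entropy",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_DIFF):
        print(f"line {f['line']}: {f['kind']} {f['match']}")
    print("block commit:", should_block_commit(SAMPLE_DIFF))
```

Wired into a pre-commit hook, a scanner like this reads the staged diff instead of SAMPLE_DIFF and refuses the commit when should_block_commit is true. The entropy check is what separates real keys from placeholders and test fixtures; the redaction is what keeps the hook's own log from becoming a second copy of the secret.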

CombatZAK

*"Fired Sullivan"* so how much did Uber give him as a severance? LMAO


Wonderful sunflowers. Interesting story. Thank you.

volodyanarchist

Many companies break the rules and just pay the fines if it is profitable. Wells Fargo anyone?

depleteduraniumcowboy

4:25
I feel it's really awkward when a company does its own investigation and sends its own 'police' to enforce their own version of justice.

xCAFEFD

Not to mention all the sexual assault claims against them for not background-checking their drivers, nor the cover-up and defamation they did against one of the victims in Asia.

na

Yeah, there are ways to create secrets on a cloud platform that prevent keys from being present in code specifically for these kinds of situations, which is a standard practice. This is beyond simple negligence.

konstantinkh

I guess you don't cover English court cases, but there are two rulings pending for Uber London which could be interesting. There was a (UK) Supreme Court hearing just over a month ago regarding the employment status of their drivers, similar to California. If that goes against them, they could owe their drivers about £120m in back pay. The other is in Westminster Magistrates' Court, hopefully later this month if there are no more Covid adjournments, regarding Transport for London's decision to revoke their licence to operate.

katrinabryce