106 points by tristanho 10 months ago
Being involved in bug bounties, don't be fooled by what happened here. This is exactly a case of extortion: the hacker had downloaded user data from Uber, and was paid off in order to delete the files. This differs from an actual bug bounty payout, where a hacker would be disqualified for extracting user information.
Yeah, I'm disappointed that the article didn't focus more on that distinction - "send us a snippet from our production database" is not really how responsible programs operate. Compare this story with a similar-severity Facebook bug:
> That's right, the response contained Facebook's /etc/passwd. Now we were going somewhere. By then I knew I had found the keys to the kingdom. After all, having the ability to read (almost) any file and open arbitrary network connections through the point of view of the Facebook server, and which doesn't go through any kind of proxy was surely something Facebook wanted to avoid at any cost. But I wanted more. I wanted to escalate this to a full Remote Execution.
> A lot of bug bounty programs around the web have a rule that I think is very sensible: whenever you find a bug, don't linger on messing around. Report the bug right away and the security team will consider the worst case scenario and pay accordingly. However, I didn't have much experience with the security team at Facebook and didn't know if they would consider my bug as a Remote Code Execution or not. Since I didn't want to cause the wrong impressions, I decided I would report the bug right away, ask for permission to try to escalate it to an RCE and then work on it while it was being fixed. I figured that would be ok because most bugs take a long time to be processed, and so I had plenty of time to try to escalate to an RCE while still keeping the nice imaginary white hat I have on my head. So after writing the bug report I decided to go out and have lunch, and the plan was to continue working when I came back.
That's the difference between paying a ransom and a bounty.
To be honest, it's very hard to tell from the article. I get the feeling Uber is covering something up.
The hacker definitely downloaded files, but Uber also asked him to download production data to confirm the hack (um, what?). Uber escalated the payout; the hack wasn't particularly interesting, but it was substantial, so who knows there. The hacker's communication was dodgy, but he eventually met in person, and the fact he didn't want to leave his house indicates a possible social disorder.
Their handling was poor, but this may just be a case of "hating uber because they're uber".
Uber's story doesn't make any sense. In what world does "you published your passwords on GitHub" get a response of "prove it by using them"?
IDK, it seems to fit the frat bro culture I've come to expect out of Uber.
"Oh yeah? Then fucking do it then", seems fairly Uber.
In any sufficiently large corporation, there are so many different accounts/credentials floating around, that it's hard for anyone to keep track of them all. It's possible that the engineering team may have already invalidated the credentials that were published on GitHub. It's possible that those credentials were actually a bait, meant specifically to distract potential hackers. Asking for proof is a very quick and easy (and sloppy) way to get around all of the above.
Private user information isn't proof that valid credentials were published on GitHub. It would be faster and easier to ask for actual proof in the form of a link to a valid credential published on GitHub, and that would actually prove that they were published.
According to the article "Other emails obtained by The Times show Mr. Fletcher treated the incident as a bounty and encouraged Preacher to provide proof of the vulnerability, including sending a few lines of data from the database he had breached."
So no, this was not disqualifying and he was told to do so. This is not extortion, just pay negotiations.
Alternately: your read on it is precisely why he phrased the email this way, understanding the gravity of the situation and hedging if the email conversation ever became public.
I’ve been involved on the payout side of the equation. I disagree with your position.
BB’s are complicated and can be messy. You never know what the behavior of the participant will be after the award. Someone had to fight for approval of this payout at significant career risk for themselves. If we broadly assume bad faith on the reporter or on the recipients, we’ll lose the protection that bb’s can provide and white hats will be more at risk of CFAA prosecution. We need to be more willing to make mistakes when it comes to these situations.
> Someone had to fight for approval of this payout at significant career risk for themselves.
I think that, in this case, it is more likely that someone was told, or felt it to be the case, that their career or options were at risk unless they could come up with some sort of cover so that Uber could claim it did not have to disclose the leak.
There is a simple test for whether someone is seeking a bug bonus, or to extort you: if someone says he has a way to get your data and would you care to know how, it's a BB case, but if they say they have your data, give us some money to say we deleted all copies of it, that's extortion.
But judging from how they weasel out of paying bug bounties, this may be the only way to get them to pay anything!
According to Hackerone they've paid out quite a few bounties. I am not sure if this total includes the 100k in question though.
Total bounties paid
Is the 100k paid out to this guy included with that number? Just curious
The minimum payout matches the average payout at $500.
Highly doubt 100k is included in there.
Extortion is always wrong.
Although it is in your right to keep holding the same opinion when new evidence shows that it is probably wrong, that is not a virtue.
Sadly this is a core part of discourse in the Bay Area and American society at this point, which I believe contributes to people’s inability to connect well and develop shared empathy.
After reading the article, it certainly sounds like a regular bug bounty case, maybe the reaction was an overreaction.
Keep in mind this article was written by Mike Isaac who has been a thorn in the side of Uber all throughout 2017. I highly, highly doubt after all the anti-Uber articles he's written that he's an Uber shill, someone who is pro-Uber, or someone who would just blindly believe whatever Uber PR told him.
The tone is distinctively even-tempered, which leads me to believe that maybe it should be taken at face value and it wasn't a coverup at all.
On the contrary, even taking this report at face value, the pattern is one of extortioner and extorted conspiring, at the behest of the latter, to hide a problem from the people directly affected.
You have zero basis for that statement. In fact, the main writer says that it wasn’t a cover up or extortion as well.
I should not have presented my skepticism as a certainty, but it is based on a couple of things. Firstly, there is the length of time it took for this version of the story to come out: this you would expect from an organisation that is threading a story to be consistent with all the information about the event that has leaked (including an explanation for the delay in promulgating that story itself), without making statements that might be contradicted by further disclosures. Conversely, an entity that is just trying to get the facts straight would be best served by being forthright. Secondly, the journalists seem to be too ready to accept what they have been told, such as "Mr. Fletcher drew further details about the hacker out through emails, including ... proof that he deleted his copy of Uber’s downloaded data by looking at a virtual copy of his system provided by his host" - that cannot prove anything of consequence. Therefore, I am skeptical that the reporters have seen all the relevant communications.
I accept that this may be too conspiracy-theoretical.
The two writers, especially Mike Isaac, are pretty openly anti-Uber. To say they are the core of some conspiracy to make Uber look better is an ignorant statement about who the writers are. They said they interviewed dozens of people in getting this story; reporters (especially NY Times writers) don't rely on single sources when they report things.
But you are free to believe whatever you want.
Nowhere did I suggest the reporters were the core of any conspiracy. That you should so claim raises the distinct possibility that your analysis of the issue is just as flawed.
If you had read my previous post with more care, you would have noticed that I am tending towards agreeing with you, though with reservations.
Many larger companies have policies surrounding the paying of ransoms for kidnapping. How is paying this "bounty" any different from paying such a ransom?
They don't fail to tell law enforcement after paying kidnapping ransoms and don't consider the perp to be a law-abiding person. Also if a kidnapper was ever located domestically there'd be about a 0.00001% chance of the person getting a payout.
It's also against Canadian law to pay ransoms for kidnapping, even if you're a private citizen. (Although you'll be hard pressed to find someone who has been prosecuted for this.) The U.S. has a similar "we don't negotiate with terrorists" policy, but I'm not sure if it's explicitly illegal to send money.
> "we don't negotiate with terrorists"
Yes, always negotiate. The outcome is worse if you don't.
Here's a book from an ex-FBI hostage negotiator. It narrates some real case stories from the inside; it's well written and quite interesting. https://www.amazon.co.uk/Stalling-Time-Life-Hostage-Negotiat...
Refusing to negotiate with terrorists isn’t a strategy designed to produce the best outcome in isolation. It’s to avoid providing incentives for more terrorism, despite the consequences viewed in isolation.
So “outcomes are worse if you don’t” is not relevant. Several times as many terrorism incidents with better outcomes on average is not what most people would consider effective anti-terrorism.
The discussion went through ransoms, hostages and terrorism.
It's inappropriate to reply to all situations with "we don't negotiate with terrorists".
Refusing to negotiate with terrorists is not a real strategy practiced by anyone. It’s just tough PR talk with zero basis on reality.
One encourages people theft. The other encourages data theft only. The latter is generally considered less deplorable.
Doesn’t that sort of depend on the data?
Details of "hundreds, potentially thousands" of vulnerable people, including children, have been emailed to taxi firms by a council.
Just for one example from the headlines.
Sort of? Maybe? I mean, a list of people doesn't really encourage kidnapping. Someone could just use a phone book instead. Perhaps cases of witness protection or something. But those are extreme edge cases.
No, it does not depend on the data, you automata
I’m not sure that a bare denial laced with a petty insult really does much for your point.
What was stolen wasn't company financial data, it was driver personal data.
The digital version of kidnapping would be the hackers who stole Netflix shows and tried to ransom the money from them.
Sorry, but is there a better record on this issue?
This article just tries to connect vaguely described events into a story. Very poor journalism, reading this is a waste of time.
Was the vulnerability a dumb mistake or an unexpected exploit? Was it disclosed to the company in advance? How does this case differ from other cases so that there are four lawsuits now and why has everyone been fired? Because they created a bug bounty system that resulted in bug disclosure? Nothing appears to make sense and the journalist doesn't worry at all.
no more Uber stories pls. kthanks.
I hope some blackhat just burns them instead of negotiating chump change.