Slashdot Mirror


IP Address May Associate Lyft CTO With Uber Data Breach (reuters.com)

An anonymous reader writes: According to two unnamed Reuters sources, the IP address of Lyft CTO Chris Lambert has been revealed by Uber's investigations to be associated with the accessing of a security key that was accidentally deposited on GitHub in 2014 and used to access 50,000 database records of Uber drivers later that year. However, bearing in mind that the breach was carried out through a fiercely protectionist Scandinavian VPN, and that Lambert was a Google software engineer before becoming CTO of a major technology company, it does seem surprising that he would have accessed such sensitive data with his own domestic IP address.

103 comments

  1. Guilty! by sinij · · Score: 5, Funny

    If RIAA and CSI taught us anything, it is that both IP and DNA are definitive proof of guilt. Since Chris Lambert was shown to have both, we can be certain he did it.

    1. Re:Guilty! by Anonymous Coward · · Score: 0

      Bumped by IP and VPN scandoguard. Clarify DNA please.

      Digging deeply into those Swiss-cheese-inspired Scandinavian want-to-be secretive VPN caves might teach us all a thing or two. It is not as pretty as you hope it is. Furthermore, I think Scandinavia is up for a major cup of who the hell did what when, mainly because of the giant data-center resources these countries have been entrusted with by US and others.

    2. Re:Guilty! by Anonymous Coward · · Score: 0

      The alternative theory is that a CTO of a major technology company didn't have his home WiFi secured and some enterprising criminal hijacked it to hack Uber.

    3. Re:Guilty! by Anonymous Coward · · Score: 1

      The problem here is that the IP has accessed a text file, not a database. That's one. Two, Uber says that they've examined and 'ruled out' every address but one of all that accessed the aforementioned key for a period of several months. I just looked at the daily logs to the login page of my quite obscure squirrelmail installation, and I see something like 7,000 IP addresses. Supposing that the Github account in question is as obscure as this installation, then you have at least a few hundred thousand addresses to look at. Something tells me you can't 'definitely rule out' all of them but one.

    4. Re:Guilty! by Anonymous Coward · · Score: 0

      Or, maybe, it could be that the VPN provider might have more than one customer. I know it sounds strange, but these days companies do the craziest things to make a profit. We shouldn't dismiss the hypothesis upfront.

    5. Re:Guilty! by Lakitu · · Score: 1

      No, one of almost an infinite amount of alternative theories is that the CTO of a major technology company didn't have his home WiFi secured and some enterprising criminal hijacked it to hack Uber. A much more plausible theory is that the Lyft guy used a Swedish VPN sometimes.

      The Uber key was posted publicly on github in March of 2014, and was presumably publicly available until Uber realized their mistake when they were breached in February 2015. It's pretty ridiculous to say that they could have eliminated all of the IP addresses except one, even with being able to cross-check the Swedish VPN users with those who may have accessed the github page. Anyone who accessed the github page could have made the key publicly available somewhere else, like, say, on a Russian forum, where a third party used it to illegitimately access Uber's data.

    6. Re: Guilty! by Anonymous Coward · · Score: 0

      Not so quick. Let's enhance that image a bit more.

  2. Thankfully... by Rei · · Score: 5, Insightful

    Uber has long proven themselves to be eminently trustworthy and never scheming up shady ways to try to drive their competition out of business, so we can just take them at their word on this.

    --
    The human body can be drained of blood in 8.6 seconds given adequate vacuuming systems.
    1. Re:Thankfully... by phantomfive · · Score: 3, Interesting

      Exactly. Whenever an accusation starts with our competitor may have been evil..., wait for corroborating evidence.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Thankfully... by Anonymous Coward · · Score: 1

      You don't take two unnamed people at their word? How dare you!

    3. Re:Thankfully... by Triklyn · · Score: 1, Interesting

      hell, even if they did do this, good

      fuck uber.

      you don't get international competitors to team up against a company unless that company is trying to fuck everyone and everything.

      holy hell.

      i don't often root for chinese anticompetitive behavior... but fuck uber.

      and fuck uber for making me bedfellows with those assholes.

    4. Re:Thankfully... by Anonymous Coward · · Score: 0

      So, you drive a cab I assume?

    5. Re:Thankfully... by Anonymous Coward · · Score: 1

      So, you drive a cab I assume?

      No way. His English is way too good and I can't smell his BO through my monitor. Plus, he didn't go off on a needless tangent for several paragraphs before he got to his point.

    6. Re:Thankfully... by Coisiche · · Score: 1

      unless that company is trying to fuck everyone and everything.

      I think every company operates like that, under the guise of "delivering shareholder value".

      I'm sure there are companies without shareholders that also operate like that, but never to the same extreme in my experience.

    7. Re:Thankfully... by kilfarsnar · · Score: 1

      unless that company is trying to fuck everyone and everything.

      I think every company operates like that, under the guise of "delivering shareholder value".

      I'm sure there are companies without shareholders that also operate like that, but never to the same extreme in my experience.

      Yep, they don't have to deal with a bunch of otherwise disinterested parties shouting about their money.

      --
      "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
    8. Re:Thankfully... by tripleevenfall · · Score: 2

      you don't get international competitors to team up against a company unless that company is trying to fuck everyone and everything.

      Well, you could get competitors to team up against you by eating their lunch and beating them at their own games. That would be one way.

    9. Re:Thankfully... by tripleevenfall · · Score: 2

      I for one welcome taxi cartels and their anticompetitive practices

    10. Re: Thankfully... by Anonymous Coward · · Score: 0

      That is some bad, bad logic. Just because competitors are hurt by no means makes it a bad thing. Under that logic if a drug company came out with a proven universal cancer vaccine and every now obsolete drug manufacturer turned against them we should side with the unified old entrenched treatment makers over the miracle makers.

    11. Re:Thankfully... by rockmuelle · · Score: 4, Interesting

      Uber is great in the same way Pets.com was great: they're burning their investor's money to run an unsustainable business. I loved getting 40lb bags of dog food delivered for free and I love paying less than the driver is making for my Uber rides. As a consumer, I win!

      What's new about Uber compared to Pets.com is that Uber is the VC world's experiment in seeing if they can create illegal businesses and then use their huge piles of money to change the law in their favor. This is what should really scare everyone.

      -Chris

    12. Re:Thankfully... by Triklyn · · Score: 3

      hells no, and i can probably count the number of cab rides i've taken in my life using my hands and feet.

      i don't like them flaunting consumer protections, i don't like that whole period they were like, "oh insurance? what's that? and why can't our driver's personal insurance foot the fucking bill?"
      i don't like how their executives think the idea of mudslinging journalists that criticize them is a fun idea.
      i don't like how their idea of damage control is to try to bury, bury bury, until someone fucking dies

      i don't like how their idea of fair competition is to spam their competitors with fake pickup requests
      i don't like how their fucking profit margin comes straight out of their contractor's pockets
      i don't like how their fucking car payment tie-in apparently is financially calamitous to their drivers

      so, no, i don't drive a cab, i'm just not enamored of evil.

    13. Re:Thankfully... by Triklyn · · Score: 1

      they typically wouldn't team up.

      like how assad and the rebels are teaming up against isis... wait, that's not it...

      how the US UK and USSR teamed up to fight the nazis. there we go.

      sure everyone hated stalin, like everyone HATED stalin. and they were probably pretty sure they'd have a problem with him somewhere down the road... but Hitler, fuck hitler.

    14. Re:Thankfully... by caluml · · Score: 1

      i can probably count the number of cab rides i've taken in my life using my hands and feet.

      So 2^20 then? 1048576 is a lot of cab rides.

    15. Re:Thankfully... by Triklyn · · Score: 1

      obviously,

      born in a cab, live in a cab, now in a cab, die in a cab,

      when i'm dead, i'll have my ashes scattered to the corners of the earth in cabs.

      Cabs are love, cabs are life.

    16. Re:Thankfully... by Anonymous Coward · · Score: 0

      Indeed. The frequent self-serving lawyerly shenanigans from Uber will eventually give base evil greed a bad name.

  3. The perfect cover? by rmdingler · · Score: 4, Funny

    However, bearing in mind that the breach was carried out through a fiercely protectionist Scandinavian VPN, and that Lambert was a Google software engineer before becoming CTO of a major technology company, it does seem surprising that he would have accessed such sensitive data with his own domestic IP address.

    What a great defense... there's no way it's me.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:The perfect cover? by DRJlaw · · Score: 4, Insightful

      The report emphasises that the IP address is not the one associated with the act of the breach itself; instead it was obtained by a process of elimination as Uber's investigations team worked through all the IPs which accessed a critical security key that had accidentally been deposited on the public code-sharing and versioning platform GitHub in March of 2014 - approximately nine months before the breach occurred.

      The only one it could not account for is, according to the report, a Comcast IP address associated with Lambert.

      Translation: We believed everyone else but this guy is a right bastard (because he works for Lyft) and thus assuredly guilty.

  4. Life imitating art? by ramriot · · Score: 5, Interesting

    Sounds exactly like something from Mr Robot, IP address CTO of organisation found in logs related to hacking server farm.

    Like, we trust the logs, after someone has Owned the system, sure let me know how that goes!

    1. Re:Life imitating art? by GameboyRMH · · Score: 1

      Damn, beaten - this sounds exactly like part of Mr. Robot's plot...seems way too easy & convenient. What kind of total noob would hack from their home IP anyway?

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  5. We trust what Uber says now? by Anonymous Coward · · Score: 3, Insightful

    A company run by crooks with a scam as their business model. Uber is the one that blundered its own key then failed to secure its databases. Now they are blame shifting.

    1. Re:We trust what Uber says now? by NotDrWho · · Score: 0

      a scam as their business model

      Last time I checked, their business model was to offer a valuable service that people really like in exchange for money. That's not what I would call a "scam."

      --
      SJW's don't eliminate discrimination. They just expropriate it for themselves.
    2. Re:We trust what Uber says now? by deadweight · · Score: 4, Funny

      My new airline is really cheap. I skip things like a 100 hour inspections, 135 certs, opspecs, and all the other things that make running an airline a huge PITA. I have a plane, what more do you want?

    3. Re:We trust what Uber says now? by Richard_at_work · · Score: 4, Insightful

      Just like a restaurant which doesn't give a toss about minimum wage, where its ingredients come from, the cleanliness of the kitchens or the reliability of the refrigeration - but the customers love the public face, service and price, so that restaurant should be given a break when it comes to following the rules other restaurants have to abide by...

    4. Re:We trust what Uber says now? by Anonymous Coward · · Score: 0

      I have a plane, what more do you want?

      If it's shiny and you offer me a bottle of water, I'm sold!
      Wait.. you have an app, right?

    5. Re:We trust what Uber says now? by Anonymous Coward · · Score: 0, Insightful

      Since when did /. get inundated with pissed-off cab drivers bad-mouthing Uber?

      Don't you fuckers have anything better to do?

      Oh wait...since no one wants your shitty service and smelly cabs anymore, I guess you don't.

    6. Re:We trust what Uber says now? by slashdice · · Score: 1

      Sadly, you're describing Flytenow and airpooler. Except their pilots aren't paid.

      --
      Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
    7. Re:We trust what Uber says now? by Nidi62 · · Score: 4, Insightful

      a scam as their business model

      Last time I checked, their business model was to offer a valuable service that people really like in exchange for money.

      People really like cocaine and meth, but exchanging those for money is just as illegal as operating illegal cabs.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    8. Re:We trust what Uber says now? by Nidi62 · · Score: 2

      That's a great example of false equivalence, and you're a great example of an idiotic sack of shit. Go fuck yourself, bitch boy.

      Ok, how about this then. I set up a freight shipping line that is much cheaper because I don't worry about those pesky rest rules, maintenance, or even making sure my drivers have CDLs. Since low cost shipping is a very valuable service this should be perfectly legal? Nope, just as illegal as Uber is.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    9. Re:We trust what Uber says now? by NostalgiaForInfinity · · Score: 0

      My new airline is really cheap. I skip things like a 100 hour inspections, 135 certs, opspecs, and all the other things that make running an airline a huge PITA. I have a plane, what more do you want?

      I really don't give a f*ck about your "100 hour inspections" or your "135 certs"; those are meaningless theater, something you can easily cheat on if you want to and that doesn't make me one iota safer.

      What i care about is: (1) what is your track record, (2) what are your financials, and (3) what is your insurance.

    10. Re:We trust what Uber says now? by Solandri · · Score: 1

      Just like a restaurant which doesn't give a toss about minimum wage, where its ingredients come from, the cleanliness of the kitchens or the reliability of the refrigeration - but the customers love the public face, service and price, so that restaurant should be given a break when it comes to following the rules other restaurants have to abide by...

      If you do a lot of traveling, restaurants in most of the world operate exactly that way. You don't exactly see massive reports of food poisoning sickening or killing huge numbers of people who visit such restaurants.

      I'm not saying such regulation isn't helpful. I'm only saying that you shouldn't assume that such regulation is always helpful. Over-regulation comes at a cost. The county health inspector assigned to the hotel/restaurant I used to work at was a control freak on a power trip. She wrote us up for several "violations" that she required us to fix or she'd shut us down. Some of them were reasonable (mice had chewed a hole in an exterior door). Others were just plain ridiculous. She required us to install metal flashing around the top of our walk-in refrigerators to enclose the air gap between it and the ceiling, which we did at a cost of several thousand dollars. During our next fire inspection, the fire marshal told us that was a fire code violation and we had to take it down - that space is open specifically so you can immediately see and smell any smoke from a fire that develops in the refrigeration unit. She required us to put sneeze guards on the sides of salad serving carts which abutted against each other (so the sides weren't exposed). We spent weeks trying to find a place that sold these, then finally called the manufacturer. They told us that they sold these carts nationwide in thousands of health jurisdictions, and this was the first time anyone had ever inquired about putting sneeze guards on the side. We ended up buying plexiglas sheets and having our maintenance department custom-cut them to fit in the sides of said carts to make our inspector happy.

      Personally I'm on the anti-Uber side of this. I do think regulation of the taxi industry serves a beneficial purpose. However, I support Uber in challenging the status quo. That is, I refuse to condemn Uber "just because" they are upsetting the existing taxicab business and regulation model. Said model has developed slowly over a hundred years. It's probably high time we shook it up a little and had some serious debate about it.

    11. Re:We trust what Uber says now? by NostalgiaForInfinity · · Score: 0

      Let's say you travel to some country where government health certification is voluntary. Would you rather eat in a dirty restaurant that got bad Yelp reviews but has a government certification, or eat in a restaurant that looks spotlessly clean and has excellent Yelp reviews but you don't see a government certification sticker?

      Government health certificates for restaurants are pretty much useless, just like taxi licensing schemes.

    12. Re:We trust what Uber says now? by Anonymous Coward · · Score: 0

      Aww, poor widdle hypocritical republican, feels like he should ignore whatever laws he feels like but everyone else has to obey whatever laws he decides should apply (to them, not to him). Do you need to have a diaper change after having a shit fit over someone suggesting that they should just get to ignore some law they didn't like?

      That's a great example of false equivalence

      Let me guess, it's different because you say so and God died and make you lord high ruler of who gets to say so. Do you have any other excuse for claiming a false equivalence? Like maybe "You're wrong and this is why you're wrong?" or are you just going to spew shit all over yourself again when someone suggests that they should be allowed to ignore a law you like.

    13. Re:We trust what Uber says now? by GlennC · · Score: 2

      What i care about is: (1) what is your track record, (2) what are your financials, and (3) what is your insurance.

      Why should you care about those things? If the plane crashes or the baggage crew loses your luggage, you can give them a 1-star rating...that'll teach them.

      --
      Go on, citizen, stamp the vote card. R or D, your choice.
    14. Re:We trust what Uber says now? by mobby_6kl · · Score: 1

      Cocaine's pretty awesome though, so who cares.

    15. Re:We trust what Uber says now? by Nidi62 · · Score: 1

      Cocaine's pretty awesome though, so who cares.

      Yes, yes, we all know cocaine's a hell of a drug.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    16. Re:We trust what Uber says now? by Anonymous Coward · · Score: 0

      No it's not. Selling drugs and driving an illegal cab are equivalent in that they are both illegal. They are not equivalent in every way, but this way is precisely the equivalence to which the author was referring.

      So there is no fallacy here at all. Your knowledge of logical fallacies may be in place, but your understanding of when they do and do not apply could use some work.

    17. Re:We trust what Uber says now? by Triklyn · · Score: 1

      http://safefoodinternational.o...

      interesting, you don't hear about big food poisoning cases because unless it's big it doesn't break the news, and those generally involve contamination in an industrial setting.

      and you don't hear about food poisoning cases on the small scale because they're pretty common.

    18. Re: We trust what Uber says now? by Anonymous Coward · · Score: 0

      It is pretty easy to say something is illegal and any debate should be stopped. If you were not aware, laws can change. Unless you also think black people can't ride at the front of the bus?

    19. Re:We trust what Uber says now? by Lakitu · · Score: 1

      How are inspections meaningless? They're only meaningless if they're meaningless.

      In this post you are claiming to believe that we live in a universe where inspections are fundamentally impossible of providing any value or accomplishing anything in any way. Judging by the fact that you believe you can accurately inspect an airline's track record, financials, and insurance (without those having been cheated on at all!), I'm sure you must have just made some kind of mistake.

    20. Re:We trust what Uber says now? by NostalgiaForInfinity · · Score: 1

      In this post you are claiming to believe that we live in a universe where inspections are fundamentally impossible of providing any value or accomplishing anything in any way.

      Some inspections are very valuable, namely the inspections where the inspector and his organization faces stiff personal and corporate liabilities and hence have a strong economic incentive to assess risks correctly. Accountants and insurance companies perform those kinds of inspections.

      Government regulators and government inspection programs generally lack these incentives, and that makes their inspections pretty much worthless.

    21. Re:We trust what Uber says now? by NostalgiaForInfinity · · Score: 1

      Why should you care about those things?

      The track record should be self evident. Financials and insurance are good measures because they reflect the confidence of investors and insurance risk estimators, people who have actual money at stake when a plane crashes and hence have an incentive to make correct risk assessments.

    22. Re:We trust what Uber says now? by Lakitu · · Score: 1

      namely the inspections where the inspector and his organization faces stiff personal and corporate liabilities and hence have a strong economic incentive to assess risks correctly. Accountants and insurance companies perform those kinds of inspections.

      Government regulators and government inspection programs generally lack these incentives, and that makes their inspections pretty much worthless.

      What about government regulators and inspection programs which require certification or inspection from one of the entities you listed in the above paragraph? Because, guess what, that's what a lot of government inspections and certifications are.

    23. Re:We trust what Uber says now? by dave420 · · Score: 2

      You seem to be confusing your broken, dysfunctional part of the world with the entire world. This is going to blow your mind, but some places have great health certification, and great taxis. Those are the places which are fighting companies which seek to decrease the standard by which they do business.

    24. Re:We trust what Uber says now? by NostalgiaForInfinity · · Score: 1

      You should be able to answer your own question based on what I said: does the certifying entity stand to lose large amounts of money if the thing they are certifying fails? Can you figure it out?

    25. Re:We trust what Uber says now? by Anonymous Coward · · Score: 0

      Not sure what you mean by "my broken, dysfunctional part of the world". I'm in London often enough to base my dislike of it on lots of actual experience: London is generally overpriced and unpleasant, and most restaurants aren't very good. But, no doubt, someone with your provincial and nationalistic attitudes is going to contradict that.

      (Incidentally, London taxi fare is about $3.70 / mile, NYC taxi fare is about $2.50 / mile, and LA Uber fare is about $1.00 / mile, and London taxis have the worst availability or punctuality of the bunch.)

    26. Re: We trust what Uber says now? by Anonymous Coward · · Score: 0

      You are completely ignorant of the subject you are discussing. Your assumptions here are not related to any facts about FAA inspections, and your conclusions are completely off base.

      Please look up what a 100 hour inspection is, who performs it, what the regulations require, who is liable if it is done poorly, or basically anything about the FAA and its safety record before posting more on this subject. It's embarrassing how little your statements match the facts.

      The US track record on airline safety is among the best in the world. It didn't get that way with sloppy inspections.

    27. Re:We trust what Uber says now? by Lakitu · · Score: 1

      I'm glad you've changed your mind since your original post! Nice chat.

    28. Re:We trust what Uber says now? by deadweight · · Score: 1

      I am a commercial pilot AND have a car. I think I know the difference.

    29. Re:We trust what Uber says now? by deadweight · · Score: 1

      1 - track record is I am not dead that you know of. 2 - My financials are not available to you and what that has to do with my airplane I am not sure. It has 2 wings and most of the paint is still on. Are you one of those demanding passengers that wants me to clean it too? 3 - I have no valid insurance because no insurance company in the world will cover part 135 or 121 flights done without proper 135/121 inspections and rated pilots.

    30. Re:We trust what Uber says now? by Anonymous Coward · · Score: 0

      OK, looks like you are simply too stupid to answer your own question.

    31. Re:We trust what Uber says now? by Anonymous Coward · · Score: 0

      3 - I have no valid insurance because no insurance company in the world will cover part 135 or 121 flights done without proper 135/121 inspections and rated pilots.

      At issue isn't whether you have insurance, but the amount, like $10 million per passenger or $2.5 billion per plane. For that, you need to do a lot better than merely completing "135/121 inspections", which is why those inspections are insufficient in determining whether you are safe to fly with.

      1 - track record is I am not dead that you know of. 2 - My financials are not available to you

      Well, and then people will choose not to fly with you, despite your "135/121 inspections", again illustrating that those inspections are worthless for people to determine whether you are safe to fly with.

      That is, you keep proving that regulatory compliance is a necessary indicator of safety, but who cares? The fact that the pilot is breathing is a necessary indicator for safety. The issue is whether regulatory compliance is a sufficient indicator of safety, and it obviously is not.

      Thanks for illustrating my point.

    32. Re:We trust what Uber says now? by Lakitu · · Score: 1

      You should be able to answer your own question based on what I said: does the certifying entity stand to lose large amounts of money if the thing they are certifying fails? Can you figure it out?

      Let's have a look at some options.

      (a) Airline wishes to keep its reputation and passengers alive, inspects planes thoroughly. Does so in-house or faces severe financial consequences in the event of failure.

      (b) Airline wishes to keep its reputation and passengers alive, pays an outside entity (with its own reputation and financial incentives) to inspect planes thoroughly.

      (c) Government requires that all airlines pass certain safety standards so that start-up airlines can't crash their dilapidated planes into heavily subsidized airport real estate near cities. Government does this by recognizing already existing certifications and inspections done by private entities, such as in (b).

      In the event of a plane failure in (a), the airline loses out. Customers don't trust the company nor its inspections and it loses money.
      In the event of a plane failure in (b), both the airline and the inspectors lose out. Let's take as a given that it's clearly a mechanical failure because of improper inspections, and the inspection company is blamed for it, and it loses out the most. Inspection company loses the trust of its clients and the general public.
      In the event of a plane failure in (c), the same thing happens as in either (a) or (b)! The companies lose the trust of their clients (or passengers) and lose revenue streams. If the company fails to do its job, then the company is going to lose money. Apparently you still wish to claim that there is no financial incentives for companies involved here to conduct proper and thorough inspections, but instead of saying that and displaying your stupidity, you're hoping I can just read your mind to figure it out. I'm trying my best here.

      At this point I'd like to point something out to you:

      does the certifying entity stand to lose large amounts of money if the thing they are certifying fails?

      This could actually be a financial incentive to cheat on the inspections! Sometimes delivery volume is more important than a few failures. Perhaps you'll be thinking, with a smile, about how much money someone else saved as you hurtle towards your death in an airplane which hadn't been inspected at all?

    33. Re:We trust what Uber says now? by deadweight · · Score: 1

      Just so you know, your Randian paradise airline system was tried long ago. It killed so many people the better airlines were BEGGING the government to step in before this whole newfangled flying machine thing just collapsed and died due to public mistrust. $10,000,000 per SEAT? OMFG I am rolling on the floor. It is extraordinarily difficult to get 10% of that and most of my quotes are for $1,000,000 for the entire plane and that is instantly void the second I take off on a 135 flight absent the right certs. I happen to be certified myself to pilot 135 flights and it was not an easy thing to do. Look up "The day the music died" for the reason these rules were invented.

  6. Actually, this is plausible. by Anonymous Coward · · Score: 1

    All the smarts in the world won't fix a fat finger. You accessed the DB from your super secure VPN, disconnected your VPN, forgot it was disconnected, reconnected -- and, oh shit, there you are: Your personal IP has been revealed. This is why you use things like Tails, folks, or you do your dirty work in a VM -- then securely delete the VM. :)

    1. Re:Actually, this is plausible. by GameboyRMH · · Score: 2

      do your dirty work in a VM -- then securely delete the VM. :)

      Or run the VM like a LiveCD from a read-only filesystem - what happens in RAM stays in RAM...

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    2. Re:Actually, this is plausible. by petermgreen · · Score: 1

      VM or not you need to set things up so that your client box CANNOT access the internet without using the VPN. If you have a system where a VPN failure results in a direct connection you will almost certainly end up making a direct connection sooner or later.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
  7. You think?? by Type44Q · · Score: 1

    it does seem surprising that he would have accessed such sensitive data with his own domestic IP address.

    No fucking shit...

    1. Re:You think?? by Anonymous Coward · · Score: 0

      It depends on your definition of a sensitive IP address.

    2. Re:You think?? by kilfarsnar · · Score: 2

      It depends on your definition of a sensitive IP address.

      Well my IP address cries at the slightest thing, so yeah.

      --
      "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
    3. Re:You think?? by Bob+the+Super+Hamste · · Score: 1

      Your IP address is John Boehner?

      --
      Time to offend someone
    4. Re:You think?? by Anonymous Coward · · Score: 0

      Is it Sarah Sharp?

  8. Nobody to blame but yourself...? by Sneeka2 · · Score: 2

    So some doofus posted the keys to the kingdom on Github, and they're crying foul if a competitor picks them up to take a peek behind the curtain?

    I mean, yeah, sure, that's not the gentlemen's way of doing things, but waddaya expect?!

    --
    Bitten Apples are still better than dirty Windows...
    1. Re:Nobody to blame but yourself...? by farble1670 · · Score: 1

      but waddaya expect?!

      retarded reasoning.

      you left your bicycle on your porch without a lock, whaddya expect?
      you walked down a dark street at night, whaddya expect?
      you left your car unlocked and your wallet on the seat, whaddya expect?
      you set down your backpack containing a laptop in the seat next to you on the train and turned your head, whaddya expect?
      you threw out some paperwork that listed your social security number and other personal information, whaddya expect? ...

      see where that goes? enjoy your utopia where making a mistake completely removes your protection under the law.

    2. Re:Nobody to blame but yourself...? by praxis · · Score: 1

      I am not sure what protection under the law has to do with anything. Sneeka2 did not mention anything about protections, only the stupidity of Uber's maneuver. Posting a private key in a public place is pretty dumb. Not revoking and changing your keys once you discover the mistake is also stupid. Expecting someone who finds the key to not use it is also stupid.

      The things you mentioned are also risks, to different degrees. I don't leave my car unlocked with my wallet on the street. I find that stupid. I shred any paper with my social security number on it. I find putting such paper in the trash stupid. I still expect legal protections in case I do make a mistake, but I would expect that if I left my car unlocked with my wallet on the seat that someone might burgle it. That's a pretty reasonable expectation. It's why I avoid exposing myself to such risk.

      Private keys posted on the public internet are dumber than putting a wallet on the seat of an unlocked car.

  9. I just dropped my monocle, and my pink mustache! by NotDrWho · · Score: 1

    Shocking! Harumph!

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
  10. Protectionist? by pr0nbot · · Score: 3, Informative

    I don't know why a VPN provider would favour trade tariffs.

    Perhaps "protective" was meant?

    https://en.wikipedia.org/wiki/...

  11. Maybe he was just curious? by Anonymous Coward · · Score: 1

    In the sense of "there's no way this can be real, can it?".

  12. Profit? by Anonymous Coward · · Score: 0

    1. Leak security key on Internet
    2. Discover key has been leaked
    3. Sit on ass and don't revoke the key
    4. ?????
    5. Profit

    WTF? Some security engineer needs to lose their job over this.

  13. Mr Robot by HongPong · · Score: 1

    Elliot changed the IP address to implicate him. No surprise!

  14. Corporate Persons by Chris+Johnson · · Score: 5, Insightful

    So wait. Not only does Uber choose to commandeer Slashdot at every opportunity to spout off how great it is through increasingly vehement sockpuppet ACs and the pushing of clickbait articles, it ALSO feels the need to pull you aside and fill you in on its paranoid fantasies?

    Man, 'corporate personhood' is weird. This is distinctly a personality that's consistent and recognizable. Just yeah.

    Excuse me, Uber. I think I see somebody over there that I know D:

    1. Re:Corporate Persons by metrix007 · · Score: 1

      You're one of those idiots who attributes every comment you disagree with to a sockpuppet, huh.

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    2. Re:Corporate Persons by Anonymous Coward · · Score: 0

      Damn sock puppets keep bothering me...

    3. Re:Corporate Persons by KGIII · · Score: 1

      Fucking shill.

      (I keed, I keed indeed.)

      --
      "So long and thanks for all the fish."
  15. The article alleges no connection, though. by shess · · Score: 5, Insightful

    Apparently they leaked the key on GitHub, and allege that this IP address visited the page - along with tens of thousands of other visitors.

    If I were CTO of a company, and I saw a Slashdot posting about "YourCompetitor leaked all of their keys on GitHub!", I would probably click through. ESPECIALLY if I were in charge of preventing similar leaks from the company I worked for.

    1. Re: The article alleges no connection, though. by ZFox · · Score: 1

      If nothing else, to blacklist whoever committed it from employment at your company.

  16. What happened to headlines like: by angularbanjo · · Score: 1

    Reuters Routers Rout Russian (probably)

  17. Such access is not surprising at all. by shess · · Score: 1

    Apparently Uber leaked the keys on GitHub, and allege that this IP address visited the page - along with tens of thousands of other visitors. It wasn't some sort of Mission Impossible nighttime raid or anything, they published things publicly.

    If I were CTO of a company, and I saw a Slashdot posting about "YourCompetitor leaked all of their keys on GitHub!", I would probably click through. ESPECIALLY if I were in charge of preventing similar leaks from the company I worked for.

    Hell, I'd probably keep an eye on what kinds of things my competitor published on GitHub simply to inform what kinds of things my company might want to publish, simply to stay competitive.

    1. Re:Such access is not surprising at all. by 0100010001010011 · · Score: 1

      I'd probably keep an eye on what kinds of things my competitor published on GitHub

      That's not how Gists work. Reading the old article a lot of people seem to assume that this was published via git. Gists are just a place to store plain text.

  18. He actually has a permanent public static IP? by Zeorge · · Score: 1

    Don't know how it works in other countries. But, some USA ISPs will give you a static public-facing IP and then release every so often. Just curious...

  19. This sounds dubious by quantaman · · Score: 2

    According to documents filed in the case, the company learned months after the hack that someone had used an Uber digital security key to access the driver database. A copy of the key was inadvertently posted by Uber on one of its public pages on the code development platform GitHub in March of 2014, prior to the breach, the court filings show, and remained there for months.

    After Uber discovered the unauthorized download, it examined the Internet Protocol addresses of every visitor to the page during the time between when the key was posted and when the breach occurred, according to court documents. The Uber review concluded that "the Comcast IP address is the only IP address that accessed the GitHub post that Uber has not eliminated" from suspicion, court papers say.

    So for months this key was sitting on a public website and they've managed to eliminate every other address from suspicion?

    Unless the actual URL was somehow hidden that sounds very unlikely, I'd wager there are hacking groups who write robots to crawl around the web looking for private keys.

    We don't even know in what form the key was posted, if it were sitting in some chunk of code that Uber had posted to GitHub I wouldn't be in the least surprised that the Lyft CTO decided to check out the project to see what the rival company was doing.

    --
    I stole this Sig
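
The elimination review quoted in the comment above, sketched as an added example that is not part of the thread or of the court filings: filter the hosting page's access log to the exposure window, then subtract cleared addresses and networks. The log lines, path, dates and cleared list are all constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed combined-format access log for the page that hosted the key.
# Addresses are from documentation ranges; none of this is data from the case.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Mar/2014:09:12:01 +0000] "GET /gist/placeholder HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.40 - - [02/Apr/2014:18:30:44 +0000] "GET /gist/placeholder HTTP/1.1" 200 512 "-" "ExampleCrawler/1.0"
203.0.113.41 - - [03/Apr/2014:18:31:02 +0000] "GET /gist/placeholder HTTP/1.1" 200 512 "-" "ExampleCrawler/1.0"
192.0.2.55 - - [20/Apr/2014:23:05:10 +0000] "GET /gist/placeholder HTTP/1.1" 200 512 "-" "curl/7.30"
192.0.2.55 - - [21/Apr/2014:00:10:00 +0000] "GET /gist/placeholder HTTP/1.1" 200 512 "-" "curl/7.30"
198.51.100.7 - - [01/Jun/2014:10:00:00 +0000] "GET /gist/placeholder HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Apr/2014:12:00:00 +0000] "GET /other HTTP/1.1" 200 99 "-" "Mozilla/5.0"
"""

# Constructed exposure window: key posted .. breach detected.
POSTED = datetime(2014, 3, 13, tzinfo=timezone.utc)
BREACH = datetime(2014, 5, 12, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r'(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+) [^"]*" '
    r'(\d{3}) \S+ "[^"]*" "([^"]*)"'
)

def unresolved_visitors(log_text, path, start, end, cleared):
    """Return {ip: summary} for successful fetches of `path` inside the
    window, skipping any address covered by a cleared IP or CIDR block."""
    cleared_nets = [ipaddress.ip_network(c) for c in cleared]
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: ignore rather than guess
        ip, ts, req_path, status, agent = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if req_path != path or status != "200" or not (start <= when <= end):
            continue
        if any(ipaddress.ip_address(ip) in net for net in cleared_nets):
            continue  # already explained (staff, known crawler range, ...)
        rec = seen.setdefault(
            ip, {"hits": 0, "first": when, "last": when, "agents": set()})
        rec["hits"] += 1
        rec["first"] = min(rec["first"], when)
        rec["last"] = max(rec["last"], when)
        rec["agents"].add(agent)
    return seen  # addresses still to explain, not identified people
```

With nothing cleared, four addresses fall inside the window; how short the final list gets depends entirely on how much ends up in `cleared`.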
  20. Seriously? by GeekWithAKnife · · Score: 1


    Would I be stupid enough to leave my home address near the murder weapon?!

    I move to drop this investigation immediately it's obviously nonsense because I am a really smart person.

    As you know, smart people do not do stupid things(tm)

    --
    A 'singular oddity' is an event that cannot be explained and only happens when you are alone.
    1. Re:Seriously? by TechyImmigrant · · Score: 1

      >Would I be stupid enough to leave my home address near the murder weapon?!

      Isn't it the murder weapon that can be left somewhere and the home address that is pretty permanently fixed in one place?

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    2. Re:Seriously? by farble1670 · · Score: 1

      ^^^ pretty much. i love the "no one could be THAT stupid" defense. so really, all i need to do to get away with a crime is to make sure i'm really obvious when i commit it?

  21. Try searching for Chris Lambert's IP address by Anonymous Coward · · Score: 0

    Uber's claim is that IP address X accessed Github and that that IP address belongs to Lyft's Chris Lambert because they found it on the internet associated with him.

    So there is a claim we can check right there, simply by trying to find Chris Lambert's IP address on the internet:

    "The two sources, however, said Uber researched the address and discovered that it showed up elsewhere in Internet postings associated with Lambert, and that the address was assigned to his name. "

    I can't find a forum (the only place I can think would publicly list an IP address) with a post from Chris Lambert, perhaps you can do better?

    1. Re:Try searching for Chris Lambert's IP address by TechyImmigrant · · Score: 1

      Accessing Github is crime?

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    2. Re:Try searching for Chris Lambert's IP address by farble1670 · · Score: 1

      Accessing Github is crime?

      no, but using the information found there for cyber warfare against your competition is.

      Chris Lambert has been revealed by Uber's investigations to be associated with the accessing of a security key that was accidentally deposited on GitHub in 2014 and used to access 50,000 database records of Uber drivers later that year.

      or maybe you are suggesting the "you made it easy for me to commit the crime" defense? like, you left your bike unlocked, therefore it's mine for the taking?

  22. Why would I spray paint my own name? by Anonymous Coward · · Score: 0

    Seriously, why would I vandalize something leaving traces that it was me, massive impossible to miss traces that place blame directly on me?

    Because my defense would be "I'd never be that inept or stupid as to implicate myself".

    I'm sorry I just don't buy some "hacker" cracking into this guy's wifi then using that connection to attack its competitor? No, that's a little bit of a stretch IMO.

    He did it, and either figured my first answer would get him out of hot water, or he's so obtuse and full of himself he didn't think to try to cover his tracks.

  23. WTF? by Anonymous Coward · · Score: 0

    How does Uber know what the IP address of Lyft's CTO is?

    Also, even if they did know the CTO's IP address, since when did browsing a GitHub repo prove guilt in a data breach?

    This whole story is pure bullshit.

  24. ONE VPN? by sexconker · · Score: 1

    ONE?
    Everyone knows you have to go through 7 proxies.

  25. It's not that he's Guilty by WillAffleckUW · · Score: 1

    It's that he needs to be imprisoned without bail, tried, sentenced, and all assets stripped from him and any trusts he set up.

    --
    -- Tigger warning: This post may contain tiggers! --