IP Address May Associate Lyft CTO With Uber Data Breach

An anonymous reader writes: According to two unnamed Reuters sources the IP address of Lyft CTO Chris Lambert has been revealed by Uber's investigations to be associated with the accessing of a security key that was accidentally deposited on GitHub in 2014 and used to access 50,000 database records of Uber drivers later that year. However, bearing in mind that the breach was carried out through a fiercely protectionist Scandinavian VPN, and that Lambert was a Google software engineer before become CTO of a major technology company, it does seem surprising that he would have accessed such sensitive data with his own domestic IP address.

Guilty!

[sinij]

If RIAA and CSI taught us anything is that both IP and DNA are definitive proof of guilt. Since Chris Lambert was shown to have both, we can be certain he did it.

Re:Guilty!

The problem here is that the IP has accessed a text file, not a database. That's one. Two, Uber says that they've examined and 'ruled out' every address but one of all that accessed the aforementioned key for a period of several months. I just looked at the daily logs to the login page of my quite obscure squirrelmail installation, and I see something like 7,000 IP addresses. Supposing that the Github account in question is as obscure as this installation, then you have at least few hundred thousand addresses to look at. Something tells me you can't 'definitely rule out' all of them but one.

Re:Guilty!

[Lakitu]

No, one of almost an infinite amount of alternative theories is that the CTO of a major technology company didn't have his home WiFi secured and some enterprising criminal hijacked it to hack Uber. A much more plausible theory is that the Lyft guy used a Swedish VPN sometimes.

The Uber key was posted publicly on github in March of 2014, and was presumably publicly available until Uber realized their mistake when they were breached in February 2015. It's pretty ridiculous to say that they could have eliminated all of the IP addresses except one, even with being able to cross-check the Swedish VPN users with those who may have accessed the github page. Anyone who accessed the github page could have made the key publicly available somewhere else, like, say, on a Russian forum, where a third party used it to illegitimately access Uber's data.

Thankfully...

[Rei]

Uber has long proven themselves to be eminently trustworthy and never scheming up shady ways to try to drive their competition out of business, so we can just take them at their word on this.

Re:Thankfully...

[phantomfive]

Exactly. Whenever an accusation starts with our competitor may have been evil..., wait for corroborating evidence.

Re:Thankfully...

You don't take two unnamed people at their word? How dare you!

Re:Thankfully...

[Triklyn]

hell, even if they did do this, good

fuck uber.

you don't get international competitors to team up against a company unless that company is trying to fuck everyone and everything.

holy hell.

i don't often root for chinese anticompetitive behavior... but fuck uber.

and fuck uber for making me bedfellows with those assholes.

Re:Thankfully...

So, you drive a cab I assume?

No way. His English is way too good and I can't smell his BO through my monitor. Plus, he didn't go off on a needless tangent for several paragraphs before he got to his point.

Re:Thankfully...

[Coisiche]

unless that company is trying to fuck everyone and everything.

I think every company operates like that, under the guise of "delivering shareholder value".

I'm sure there are companies without shareholders that also operate like that, but never to same extreme in my experience.

Re:Thankfully...

[kilfarsnar]

unless that company is trying to fuck everyone and everything.

I think every company operates like that, under the guise of "delivering shareholder value".

I'm sure there are companies without shareholders that also operate like that, but never to same extreme in my experience.

Yep, they don't have to deal with a bunch of otherwise disinterested parties shouting about their money.

Re:Thankfully...

[tripleevenfall]

you don't get international competitors to team up against a company unless that company is trying to fuck everyone and everything.

Well, you could get competitors to team up against you by eating their lunch and beating them at their own games. That would be one way.

Re:Thankfully...

[tripleevenfall]

I for one welcome taxi cartels and their anticompetitive practices

Re:Thankfully...

[rockmuelle]

Uber is great in the same way Pets.com was great: they're burning their investor's money to run an unsustainable business. I loved getting 40lb bags of dog food delivered for free and I love paying less than the driver is making for my Uber rides. As a consumer, I win!

What's new about Uber compared to Pets.com is that Uber is the VC world's experiment in seeing if they can create illegal businesses and then use their huge piles of money to change the law in their favor. This is what should really scare everyone.

-Chris

Re:Thankfully...

[Triklyn]

hells no, and i can probably count the number of cab rides i've taken in my life using my hands and feet.

i don't like them flaunting consumer protections, i don't like that whole period they were like, "oh insurance? what's that? and why can't our driver's personal insurance foot the fucking bill?"
i don't like how their executives think the idea of mudslinging journalists that criticize them is a fun idea.
i don't like how their idea of damage control is to try to bury, bury bury, until someone fucking dies

i don't like how their idea of fair competition is to spam their competitors with fake pickup requests
i don't like how their fucking profit margin comes straight out of their contracter's pockets
i don't like how their fucking car payment tie-in apparently is financially calamitous to their drivers

so, no, i don't drive a cab, i'm just not enamored of evil.

Re:Thankfully...

[Triklyn]

they typically wouldn't team up.

like how assad and the rebels are teaming up against isis... wait, that's not it...

how the US UK and USSR teamed up to fight the nazis. there we go.

sure everyone hated stalin, like everyone HATED stalin. and they were probably pretty sure they'd have a problem with him somewhere down the road... but Hitler, fuck hitler.

Re:Thankfully...

[caluml]

i can probably count the number of cab rides i've taken in my life using my hands and feet.

So 2^20 then? 1048576 is a lot of cab rides.

Re:Thankfully...

[Triklyn]

obviously,

born in a cab, live in a cab, now in a cab, die in a cab,

when i'm dead, i'll have my ashes scattered to the corners of the earth in cabs.

Cabs are love, cabs are life.

The perfect cover?

[rmdingler]

However, bearing in mind that the breach was carried out through a fiercely protectionist Scandinavian VPN, and that Lambert was a Google software engineer before become CTO of a major technology company, it does seem surprising that he would have accessed such sensitive data with his own domestic IP address.

What a great defense... there's no way it's me.

Re:The perfect cover?

[DRJlaw]

The report emphasises that the IP address is not the one associated with the act of the breach itself; instead it was obtained by a process of elimination as Uberâ(TM)s investigations team worked through all the IPs which accessed a critical security key that had accidentally been deposited on the public code-sharing and versioning platform GitHub in March of 2014 â" approximately nine months before the breach occurred.

The only one it could not account for is, according to the report, a Comcast IP address associated with Lambert.

Translation: We believed everyone else but this guy is a right bastard (because he works for Lyft) and thus assuredly guilty.

Life imitating art?

[ramriot]

Sounds exactly like something from Mr Robot, IP address CTO of organisation found in logs related to hacking server farm.

Like, we trust the logs, after someone has Owned the system, sure let me know how that goes!

Re:Life imitating art?

[GameboyRMH]

Damn, beaten - this sounds exactly like part of Mr. Robot's plot...seems way too easy & convenient. What kind of total noob would hack from their home IP anyway?

We trust what Uber says now?

A company run by crooks with a scam as their business model. Uber is the one that blundered its own key then failed to secure its databases. Now they are blame shifting.

Re:We trust what Uber says now?

[deadweight]

My new airline is really cheap. I skip things like a 100 hour inspections, 135 certs, opspecs, and all the other things that make running an airline a huge PITA. I have a plane, what more do you want?

Re:We trust what Uber says now?

[Richard_at_work]

Just like a restaurant which doesn't give a toss about minimum wage, where its ingredients come from, the cleanliness of the kitchens or the reliability of the refrigeration - but the customers love the public face, service and price, so that restaurant should be given a break when it comes to following the rules other restaurants have to abide by...

Re:We trust what Uber says now?

[slashdice]

Sadly, you're describing Flytenow and airpooler. Except their pilots aren't paid.

Re:We trust what Uber says now?

[Nidi62]

a scam as their business model

Last time I checked, their business model was to offer a valuable service that people really like in exchange for money.

People really like cocaine and meth, but exchanging those for money is just as illegal as operating illegal cabs.

Re:We trust what Uber says now?

[Nidi62]

That's a great example of false equivalence, and you're a great example of an idiotic sack of shit. Go fuck yourself, bitch boy.

Ok, how about this then. I set up a freight shipping line that is much cheaper because I don't worry about those pesky rest rules, maintenance, or even making sure my drivers have CDLs. Since low cost shipping is a very valuable service this should be perfectly legal? Nope, just as illegal as Uber is.

Re:We trust what Uber says now?

[Solandri]

Just like a restaurant which doesn't give a toss about minimum wage, where its ingredients come from, the cleanliness of the kitchens or the reliability of the refrigeration - but the customers love the public face, service and price, so that restaurant should be given a break when it comes to following the rules other restaurants have to abide by...

If you do a lot of traveling, restaurants in most of the world operate exactly that way. You don't exactly see massive reports of food poisoning sickening or killing huge numbers of people who visit such restaurants.

I'm not saying such regulation isn't helpful. I'm only saying that you shouldn't assume that such regulation is always helpful. Over-regulation comes at a cost. The county health inspector assigned to the hotel/restaurant I used to work at was a control freak on a power trip. She wrote us up for several "violations" that she required us to fix or she'd shut us down. Some of them were reasonable (mice had chewed a hole in an exterior door). Others were just plain ridiculous. She required us to install metal flashing around the top of our walk-in refrigerators to enclose the air gap between it and the ceiling, which we did at a cost of several thousand dollars. During our next fire inspection, the fire marshal told us that was a fire code violation and we had to take it down - that space is open specifically so you can immediately see and smell any smoke from a fire that develops in the refrigeration unit. She required us to put sneeze guards on the sides of salad serving carts which abutted against each other (so the sides weren't exposed). We spent weeks trying to a place that sold these, then finally called the manufacturer. They told us that they sold these carts nationwide in thousands of health jurisdictions, and this was the first time anyone had ever inquired about putting sneeze guards on the side. We ended up buying plexiglas sheets and having our maintenance department custom-cut them to fit in the sides of said carts to make our inspector happy.

Personally I'm on the anti-Uber side of this. I do think regulation of the taxi industry serves a beneficial purpose. However, I support Uber in challenging the status quo. That is, I refuse to condemn Uber "just because" they are upsetting the existing taxicab business and regulation model. Said model has developed slowly over a hundred years. It's probably high time we shook it up a little and had some serious debate about it.

Re:We trust what Uber says now?

[GlennC]

What i care about is: (1) what is your track record, (2) what are your financials, and (3) what is your insurance.

Why should you care about those things? If the plane crashes or the baggage crew loses your luggage, you can give them a 1-star rating...that'll teach them.

Re:We trust what Uber says now?

[mobby_6kl]

Cocaine's pretty awesome though, so who cares.

Re:We trust what Uber says now?

[Nidi62]

Cocaine's pretty awesome though, so who cares.

Yes, yes, we all know cocaine's a hell of a drug.

Re:We trust what Uber says now?

[Triklyn]

http://safefoodinternational.o...

interesting, you don't hear about big food poisoning cases because unless it's big it doesn't break the news, and those generally involve contamination in an industrial setting.

and you don't hear about food poisoning cases on the small scale because they're pretty common.

Re:We trust what Uber says now?

[Lakitu]

How are inspections meaningless? They're only meaningless if they're meaningless.

In this post you are claiming to believe that we live in a universe where inspections are fundamentally impossible of providing any value or accomplishing anything in any way. Judging by the fact that you believe you can accurately inspect an airline's track record, financials, and insurance (without those having been cheated on at all!), I'm sure you must have just made some kind of mistake.

Re:We trust what Uber says now?

[NostalgiaForInfinity]

In this post you are claiming to believe that we live in a universe where inspections are fundamentally impossible of providing any value or accomplishing anything in any way.

Some inspections are very valuable, namely the inspections where the inspector and his organization faces stiff personal and corporate liabilities and hence have a strong economic incentive to assess risks correctly. Accountants and insurance companies perform those kinds of inspections.

Government regulators and government inspection programs generally lack these incentives, and that makes their inspections pretty much worthless.

Re:We trust what Uber says now?

[NostalgiaForInfinity]

Why should you care about those things?

The track record should be self evident. Financials and insurance are good measures because they reflect the confidence of investors and insurance risk estimators, people who have actual money at stake when a plane crashes and hence have an incentive to make correct risk assessments.

Re:We trust what Uber says now?

[Lakitu]

namely the inspections where the inspector and his organization faces stiff personal and corporate liabilities and hence have a strong economic incentive to assess risks correctly. Accountants and insurance companies perform those kinds of inspections.

Government regulators and government inspection programs generally lack these incentives, and that makes their inspections pretty much worthless.

What about government regulators and inspection programs which require certification or inspection from one of the entities you listed in the above paragraph? Because, guess what, that's what a lot of government inspections and certifications are.

Re:We trust what Uber says now?

[dave420]

You seem to be confusing your broken, dysfunctional part of the world with the entire world. This is going to blow your mind, but some places have great health certification, and great taxis. Those are the places which are fighting companies which seek to decrease the standard by which they do business.

Re:We trust what Uber says now?

[NostalgiaForInfinity]

You should be able to answer your own question based on what I said: does the certifying entity stand to lose large amounts of money if the thing they are certifying fails? Can you figure it out?

Re:We trust what Uber says now?

[Lakitu]

I'm glad you've changed your mind since your original post! Nice chat.

Re:We trust what Uber says now?

[deadweight]

I am a commercial pilot AND have a car. I think I know the difference.

Re:We trust what Uber says now?

[deadweight]

1 - track record is I am not dead that you know of. 2 - My financials are not available to you and what that has to do with my airplane I am not sure. It has 2 wings and most of the paint is still on. Are you one of those demanding passengers that wants me to clean it too? 3 - I have no valid insurance because no insurance company in the world will cover part 135 or 121 flights done without proper 135/121 inspections and rated pilots.

Re:We trust what Uber says now?

[Lakitu]

You should be able to answer your own question based on what I said: does the certifying entity stand to lose large amounts of money if the thing they are certifying fails? Can you figure it out?

Let's have a look at some options.

(a) Airline wishes to keep its reputation and passengers alive, inspects planes thoroughly. Does so in-house or faces severe financial consequences in the event of failure.

(b) Airline wishes to keep its reputation and passengers alive, pays an outside entity (with its own reputation and financial incentives) to inspect planes thoroughly.

(c) Government requires that all airlines pass certain safety standards so that start-up airlines can't crash their dilapidated planes into heavily subsidized airport real estate near cities. Government does this by recognizing already existing certifications and inspections done by private entities, such as in (b).

In the event of a plane failure in (a), the airline loses out. Customers don't trust the company nor its inspections and it loses money.
In the event of a plane failure in (b), both the airline and the inspectors lose out. Let's take as a given that it's clearly a mechanical failure because of improper inspections, and the inspection company is blamed for it, and it loses out the most. Inspection company loses the trust of its clients and the general public.
In the event of a plane failure in (c), the same thing happens as in either (a) or (b)! The companies lose the trust of their clients (or passengers) and lose revenue streams. If the company fails to do its job, then the company is going to lose money. Apparently you still wish to claim that there is no financial incentives for companies involved here to conduct proper and thorough inspections, but instead of saying that and displaying your stupidity, you're hoping I can just read your mind to figure it out. I'm trying my best here.

At this point I'd like to point something out to you:

does the certifying entity stand to lose large amounts of money if the thing they are certifying fails?

This could actually be a financial incentive to cheat on the inspections! Sometimes delivery volume is more important than a few failures. Perhaps you'll be thinking, with a smile, about how much money someone else saved as you hurtle towards your death in an airplane which hadn't been inspected at all?

Re:We trust what Uber says now?

[deadweight]

Just so you know, your Randian paradise airline system was tried long ago. It killed so many people the better airlines were BEGGING the government to step in before this whole newfangled flying machine thing just collapsed and died due to public mistrust. $10,000,000 per SEAT? OMFG I am rolling on the floor. It is extraordinarily difficult to get 10% of that and most of my quotes are for $1,000,000 for the entire plane and that is instantly void the second I take off on a 135 flight absent the right certs. I happen to be certified myself to pilot 135 flights and it was not an easy thing to do. Look up "The day the music died" for the reason these rules were invented.

Actually, this is plausible.

All the smarts in the world won't fix a fat finger. You accessed the DB from your super secure VPN, disconnected your VPN, forgot it was disconnected, reconnected -- and, oh shit, there you are: Your personal IP has been revealed. This is why you use things like Tails, folks, or you do your dirty work in a VM -- then securely delete the VM. :)

Re:Actually, this is plausible.

[GameboyRMH]

do your dirty work in a VM -- then securely delete the VM. :)

Or run the VM like a LiveCD from a read-only filesystem - what happens in RAM stays in RAM...

Re:Actually, this is plausible.

[petermgreen]

VM or not you need to set things up so that your client box CANNOT access the internet without using the VPN. If you have a system where a VPN failure results in a direct connection you will almost certainly end up making a direct connection sooner or later.

You think??

[Type44Q]

it does seem surprising that he would have accessed such sensitive data with his own domestic IP address.

No fucking shit...

Re:You think??

[kilfarsnar]

It depends on your definition of a sensitive IP address.

Well my IP address cries at the slightest thing, so yeah.

Re:You think??

[Bob+the+Super+Hamste]

Your IP address is John Boehner?

Nobody to blame but yourself...?

[Sneeka2]

So some doofus posted the keys to the kingdom on Github, and they're crying foul if a competitor picks them up to take a peek behind the curtain?

I mean, yeah, sure, that's not the gentlemen's way of doing things, but waddaya expect?!

Re:Nobody to blame but yourself...?

[farble1670]

but waddaya expect?!

retarded reasoning.

you left your bicycle on your porch without a lock, whaddya expect?
you walked down a dark street at night, whaddya expect?
you left your car unlocked and your wallet on the seat, whaddya expect?
you set down your backpack containing a laptop in the seat next to you on the train and turned your head, whaddya expect?
you threw out some paperwork that listed your social security number and other personal information, whaddya expect? ...

see where that goes? enjoy your uptopia where making a mistake a mistake completely removes your protection under the law.

Re:Nobody to blame but yourself...?

[praxis]

I am not sure what protection under the law has to do with anything. Sneeka2 did not mention anything about protections, only the stupidity of Uber's maneuver. Posting a private key in a public place is pretty dumb. Not revoking and changing your keys once you discover the mistake is also stupid. Expecting someone who finds the key to not use it is also stupid.

The things you mentioned are also risks, to different degrees. I don't leave my car unlocked with my wallet on the street. I find that stupid. I shred any paper with my social security number on it. I find putting such paper in the trash stupid. I still expect legal protections in case I do make a mistake, but I would expect that if I left my car unlocked with my wallet on the seat that someone might burgle it. That's a pretty reasonable expectation. It's why I avoid exposing myself to such risk.

Private keys posted on the public internet are dumber than putting a wallet on the seat of an unlocked car.

I just dropped my monocle, and my pink mustache!

[NotDrWho]

Shocking! Harumph!

Protectionist?

[pr0nbot]

I don't know why a VPN provider would favour trade tariffs.

Perhaps "protective" was meant?

https://en.wikipedia.org/wiki/...

Maybe he was just curious?

In the sense of "there's no way this can be real, can it?".

Mr Robot

[HongPong]

Elliot changed the IP address to implicate him. No surprise!

Corporate Persons

[Chris+Johnson]

So wait. Not only does Uber choose to commandeer Slashdot at every opportunity to spout off how great it is through increasingly vehement sockpuppet ACs and the pushing of clickbait articles, it ALSO feels the need to pull you aside and fill you in on its paranoid fantasies?

Man, 'corporate personhood' is weird. This is distinctly a personality that's consistent and recognizable. Just yeah.

Excuse me, Uber. I think I see somebody over there that I know D:

Re:Corporate Persons

[metrix007]

You're one of those idiots who attributes every comment you disagree with to a sockpuppet, huh.

Re:Corporate Persons

[KGIII]

Fucking shill.

(I keed, I keed indeed.)

The article alleges no connection, though.

[shess]

Apparently they leaked the key on GitHub, and allege that this IP address visited the page - along with tens of thousands of other visitors.

If I were CTO of a company, and I saw a Slashdot posting about "YourCompetitor leaked all of their keys on GitHub!", I would probably click through. ESPECIALLY if I were in charge of preventing similar leaks from the company I worked for.

Re: The article alleges no connection, though.

[ZFox]

If nothing else, to blacklist whoever committed it from employment at your company.

What happened to headlines like:

[angularbanjo]

Reuters Routers Rout Russian (probably)

Such access is not surprising at all.

[shess]

Apparently Uber leaked the keys on GitHub, and allege that this IP address visited the page - along with tens of thousands of other visitors. It wasn't some sort of Mission Impossible nighttime raid or anything, they published things publicly.

If I were CTO of a company, and I saw a Slashdot posting about "YourCompetitor leaked all of their keys on GitHub!", I would probably click through. ESPECIALLY if I were in charge of preventing similar leaks from the company I worked for.

Hell, I'd probably keep an eye on what kinds of things my competitor published on GitHub simply to inform what kinds of things my company might want to publish, simply to stay competitive.

Re:Such access is not surprising at all.

[0100010001010011]

I'd probably keep an eye on what kinds of things my competitor published on GitHub

That's not how Gists work. Reading the old article a lot of people seem to assume that this was published via git. Gists are just a place to store plain text.

He actually has a permament public static IP?

[Zeorge]

Don't know how it works in other countries. But, some USA ISP's will give you a static public facing IP and then release every so often. Just curious...

This sounds dubious

[quantaman]

According to documents filed in the case, the company learned months after the hack that someone had used an Uber digital security key to access the driver database. A copy of the key was inadvertently posted by Uber on one of its public pages on the code development platform GitHub in March of 2014, prior to the breach, the court filings show, and remained there for months.

After Uber discovered the unauthorized download, it examined the Internet Protocol addresses of every visitor to the page during the time between when the key was posted and when the breach occurred, according to court documents. The Uber review concluded that "the Comcast IP address is the only IP address that accessed the GitHub post that Uber has not eliminated" from suspicion, court papers say.

So for months this key was sitting on a public website and they've managed to eliminate every other address from suspicion?

Unless the actual URL was somehow hidden that sounds very unlikely, I'd wager there are hacking groups who write robots to crawl around the web looking for private keys.

We don't even know in what form the key was posted, if it were sitting in some chunk of code that Uber had posted to GitHub I wouldn't be in the least surprised that the Lyft CTO decided to checkout the project to see what the rival company was doing.

Seriously?

[GeekWithAKnife]

Would I be stupid enough to leave my home address near the murder weapon?!

I move to drop this investigation immediately it's obviously nonsense because I am a really smart person.

As you know, smart people do not do stupid things(tm)

Re:Seriously?

[TechyImmigrant]

>Would I be stupid enough to leave my home address near the murder weapon?!

Isn't is the murder weapon that can be left somewhere and the home address that is pretty permanently fixed in one place?

Re:Seriously?

[farble1670]

^^^ pretty much. i love the "no one could be THAT stupid" defense. so really, all i need to do to get away with a crime is to make sure i'm really obvious when i commit it?

Re:Try searching for Chris Lamberts IP address

[TechyImmigrant]

Accessing Github is crime?

ONE VPN?

[sexconker]

ONE?
Everyone knows you have to go through 7 proxies.

Re:Try searching for Chris Lamberts IP address

[farble1670]

Accessing Github is crime?

no, but using the information found there for cyber warfare against your competition is.

Chris Lambert has been revealed by Uber's investigations to be associated with the accessing of a security key that was accidentally deposited on GitHub in 2014 and used to access 50,000 database records of Uber drivers later that year.

or maybe you are suggesting the "you made it easy for me to commit the crime" defense? like, you left your bike unlocked, therefore it's mine for the taking?

It's not that he's Guilty

[WillAffleckUW]

It's that he needs to be imprisoned without bail, tried, sentenced, and all assets stripped from him and any trusts he set up.