Slashdot Mirror


IP Address May Associate Lyft CTO With Uber Data Breach (reuters.com)

An anonymous reader writes: According to two unnamed Reuters sources, the IP address of Lyft CTO Chris Lambert has been revealed by Uber's investigations to be associated with the accessing of a security key that was accidentally deposited on GitHub in 2014 and used to access 50,000 database records of Uber drivers later that year. However, bearing in mind that the breach was carried out through a fiercely protectionist Scandinavian VPN, and that Lambert was a Google software engineer before becoming CTO of a major technology company, it does seem surprising that he would have accessed such sensitive data with his own domestic IP address.

24 of 103 comments

  1. Guilty! by sinij · · Score: 5, Funny

    If RIAA and CSI taught us anything, it is that both IP and DNA are definitive proof of guilt. Since Chris Lambert was shown to have both, we can be certain he did it.

  2. Thankfully... by Rei · · Score: 5, Insightful

    Uber has long proven themselves to be eminently trustworthy and never scheming up shady ways to try to drive their competition out of business, so we can just take them at their word on this.

    --
    The human body can be drained of blood in 8.6 seconds given adequate vacuuming systems.
    1. Re:Thankfully... by phantomfive · · Score: 3, Interesting

      Exactly. Whenever an accusation starts with our competitor may have been evil..., wait for corroborating evidence.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Thankfully... by tripleevenfall · · Score: 2

      you don't get international competitors to team up against a company unless that company is trying to fuck everyone and everything.

      Well, you could get competitors to team up against you by eating their lunch and beating them at their own games. That would be one way.

    3. Re:Thankfully... by tripleevenfall · · Score: 2

      I for one welcome taxi cartels and their anticompetitive practices

    4. Re:Thankfully... by rockmuelle · · Score: 4, Interesting

      Uber is great in the same way Pets.com was great: they're burning their investor's money to run an unsustainable business. I loved getting 40lb bags of dog food delivered for free and I love paying less than the driver is making for my Uber rides. As a consumer, I win!

      What's new about Uber compared to Pets.com is that Uber is the VC world's experiment in seeing if they can create illegal businesses and then use their huge piles of money to change the law in their favor. This is what should really scare everyone.

      -Chris

    5. Re:Thankfully... by Triklyn · · Score: 3

      hells no, and i can probably count the number of cab rides i've taken in my life using my hands and feet.

      i don't like them flaunting consumer protections, i don't like that whole period they were like, "oh insurance? what's that? and why can't our driver's personal insurance foot the fucking bill?"
      i don't like how their executives think the idea of mudslinging journalists that criticize them is a fun idea.
      i don't like how their idea of damage control is to try to bury, bury bury, until someone fucking dies

      i don't like how their idea of fair competition is to spam their competitors with fake pickup requests
      i don't like how their fucking profit margin comes straight out of their contractor's pockets
      i don't like how their fucking car payment tie-in apparently is financially calamitous to their drivers

      so, no, i don't drive a cab, i'm just not enamored of evil.

  3. The perfect cover? by rmdingler · · Score: 4, Funny

    However, bearing in mind that the breach was carried out through a fiercely protectionist Scandinavian VPN, and that Lambert was a Google software engineer before becoming CTO of a major technology company, it does seem surprising that he would have accessed such sensitive data with his own domestic IP address.

    What a great defense... there's no way it's me.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:The perfect cover? by DRJlaw · · Score: 4, Insightful

      The report emphasises that the IP address is not the one associated with the act of the breach itself; instead it was obtained by a process of elimination as Uber's investigations team worked through all the IPs which accessed a critical security key that had accidentally been deposited on the public code-sharing and versioning platform GitHub in March of 2014 - approximately nine months before the breach occurred.

      The only one it could not account for is, according to the report, a Comcast IP address associated with Lambert.

      Translation: We believed everyone else but this guy is a right bastard (because he works for Lyft) and thus assuredly guilty.

  4. Life imitating art? by ramriot · · Score: 5, Interesting

    Sounds exactly like something from Mr Robot, IP address CTO of organisation found in logs related to hacking server farm.

    Like, we trust the logs, after someone has Owned the system, sure let me know how that goes!

  5. We trust what Uber says now? by Anonymous Coward · · Score: 3, Insightful

    A company run by crooks with a scam as their business model. Uber is the one that blundered its own key then failed to secure its databases. Now they are blame shifting.

    1. Re:We trust what Uber says now? by deadweight · · Score: 4, Funny

      My new airline is really cheap. I skip things like 100 hour inspections, 135 certs, opspecs, and all the other things that make running an airline a huge PITA. I have a plane, what more do you want?

    2. Re:We trust what Uber says now? by Richard_at_work · · Score: 4, Insightful

      Just like a restaurant which doesn't give a toss about minimum wage, where its ingredients come from, the cleanliness of the kitchens or the reliability of the refrigeration - but the customers love the public face, service and price, so that restaurant should be given a break when it comes to following the rules other restaurants have to abide by...

    3. Re:We trust what Uber says now? by Nidi62 · · Score: 4, Insightful

      a scam as their business model

      Last time I checked, their business model was to offer a valuable service that people really like in exchange for money.

      People really like cocaine and meth, but exchanging those for money is just as illegal as operating illegal cabs.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    4. Re:We trust what Uber says now? by Nidi62 · · Score: 2

      That's a great example of false equivalence, and you're a great example of an idiotic sack of shit. Go fuck yourself, bitch boy.

      Ok, how about this then. I set up a freight shipping line that is much cheaper because I don't worry about those pesky rest rules, maintenance, or even making sure my drivers have CDLs. Since low cost shipping is a very valuable service this should be perfectly legal? Nope, just as illegal as Uber is.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    5. Re:We trust what Uber says now? by GlennC · · Score: 2

      What i care about is: (1) what is your track record, (2) what are your financials, and (3) what is your insurance.

      Why should you care about those things? If the plane crashes or the baggage crew loses your luggage, you can give them a 1-star rating...that'll teach them.

      --
      Go on, citizen, stamp the vote card. R or D, your choice.
    6. Re:We trust what Uber says now? by dave420 · · Score: 2

      You seem to be confusing your broken, dysfunctional part of the world with the entire world. This is going to blow your mind, but some places have great health certification, and great taxis. Those are the places which are fighting companies which seek to decrease the standard by which they do business.

  6. Nobody to blame but yourself...? by Sneeka2 · · Score: 2

    So some doofus posted the keys to the kingdom on Github, and they're crying foul if a competitor picks them up to take a peek behind the curtain?

    I mean, yeah, sure, that's not the gentlemen's way of doing things, but waddaya expect?!

    --
    Bitten Apples are still better than dirty Windows...
  7. Protectionist? by pr0nbot · · Score: 3, Informative

    I don't know why a VPN provider would favour trade tariffs.

    Perhaps "protective" was meant?

    https://en.wikipedia.org/wiki/...

  8. Re:Actually, this is plausible. by GameboyRMH · · Score: 2

    do your dirty work in a VM -- then securely delete the VM. :)

    Or run the VM like a LiveCD from a read-only filesystem - what happens in RAM stays in RAM...

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  9. Re:You think?? by kilfarsnar · · Score: 2

    It depends on your definition of a sensitive IP address.

    Well my IP address cries at the slightest thing, so yeah.

    --
    "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
  10. Corporate Persons by Chris+Johnson · · Score: 5, Insightful

    So wait. Not only does Uber choose to commandeer Slashdot at every opportunity to spout off how great it is through increasingly vehement sockpuppet ACs and the pushing of clickbait articles, it ALSO feels the need to pull you aside and fill you in on its paranoid fantasies?

    Man, 'corporate personhood' is weird. This is distinctly a personality that's consistent and recognizable. Just yeah.

    Excuse me, Uber. I think I see somebody over there that I know D:

  11. The article alleges no connection, though. by shess · · Score: 5, Insightful

    Apparently they leaked the key on GitHub, and allege that this IP address visited the page - along with tens of thousands of other visitors.

    If I were CTO of a company, and I saw a Slashdot posting about "YourCompetitor leaked all of their keys on GitHub!", I would probably click through. ESPECIALLY if I were in charge of preventing similar leaks from the company I worked for.

  12. This sounds dubious by quantaman · · Score: 2

    According to documents filed in the case, the company learned months after the hack that someone had used an Uber digital security key to access the driver database. A copy of the key was inadvertently posted by Uber on one of its public pages on the code development platform GitHub in March of 2014, prior to the breach, the court filings show, and remained there for months.

    After Uber discovered the unauthorized download, it examined the Internet Protocol addresses of every visitor to the page during the time between when the key was posted and when the breach occurred, according to court documents. The Uber review concluded that "the Comcast IP address is the only IP address that accessed the GitHub post that Uber has not eliminated" from suspicion, court papers say.

    So for months this key was sitting on a public website and they've managed to eliminate every other address from suspicion?

    Unless the actual URL was somehow hidden that sounds very unlikely, I'd wager there are hacking groups who write robots to crawl around the web looking for private keys.

    We don't even know in what form the key was posted. If it were sitting in some chunk of code that Uber had posted to GitHub, I wouldn't be in the least surprised that the Lyft CTO decided to check out the project to see what the rival company was doing.

    --
    I stole this Sig