This is why Uber gets away with breaking rules and laws everywhere they go. Customers are happy to have a cheap and reliable service and turn a blind eye to everything else. That said, however, if you're on the internet and asking how Uber lacks ethics at this point, you're probably being willfully ignorant.
No, I’m not being ignorant. Companies exist to make profits. Their contractors are offered a voluntary position and I’ve always had great service. It’s not that complicated.
 
Good way to stereotype drivers. Why are MOST of their drivers(me being one) shady? Do you have any idea what drivers go through dealing with a lot of passengers?

Are you shady?

Or are you one of the sums that aren’t? I’m confused by your question.

And I have no cares what other passengers are like... Were you not the one to sign up as a driver? Did Uber force you to drive?

Passengers... I can’t imagine. Then again, I also only order Uber Black Cars to or from the airport, and only if my trip is longer than 4 days, since that’s when I’d break even on Uber’s rate vs. parking.

If drivers were aware of themselves, they’d realise that working for Uber is essentially free data farming and mapping logistics for their one and only end goal: Fully autonomous, driverless ride sharing, to which their drivers are making it happen for them at an accelerated rate. Their drivers are digging their own occupational graves. They just ordered 24,000 fully autonomous Volvos. It’s finally happening! :D
 
Jesus christ first the net neutrality thing and now this... what a day.
What about the sexual assault that the prior CEO tried to cover up? Yeah this company is beyond crooked and I’m glad I deleted my account many months ago.
 
This is terrible. But there are no alternatives in my area. I usually drive. But there are times when I'm too tired to drive to work in the morning and Uber comes in handy for those times.
 
Are you shady?

Or are you one of the sums that aren’t? I’m confused by your question.

And I have no cares what other passengers are like... Were you not the one to sign up as a driver? Did Uber force you to drive?

Passengers... I can’t imagine. Then again, I also only order Uber Black Cars to or from the airport, and only if my trip is longer than 4 days, since that’s when I’d break even on Uber’s rate vs. parking.

If drivers were aware of themselves, they’d realise that working for Uber is essentially free data farming and mapping logistics for their one and only end goal: Fully autonomous, driverless ride sharing, to which their drivers are making it happen for them at an accelerated rate. Their drivers are digging their own occupational graves. They just ordered 24,000 fully autonomous Volvos. It’s finally happening! :D
You're the only one that stereotyped all the drivers as being shady so you must have a reason to not like uber drivers. Same thing with people that are racist they hate because they have had bad experience with some people so they generalize all of those types into a bunch. Do you not think that we know about what will eventually happen with autonomous cars... Not all of us plan on having this as a career but some use it as a transitioning job or to make some extra cash if we are struggling...
 
Was this comment supposed to make sense?
Yes. I was pointing towards the dark side of Human Nature and that we are all searching for the biggest advantage and have an inclination to apply shady practices. Not only Uber not only big companies. A statement of desperation, really.
 
Yes. I was pointing towards the dark side of Human Nature and that we are all searching for the biggest advantage and have an inclination to apply shady practices. Not only Uber not only big companies. A statement of desperation, really.
Speak for yourself. Don’t project your own shady inclinations on the rest of us.
 
Speak for yourself. Don’t project your own shady inclinations on the rest of us.
There is a misunderstanding here. I was not projecting my own shady inclinations onto someone, I was referring to the obvious fact that power corrupts. This is documented by historians, studied by scientists and experienced/known by everyone. The more we learn about the business practices of Apple the more questionable I find them. And with every iPhone we buy we do the same as Uber or Apple or whoever: hunting the biggest advantage while keeping our moral circle relatively small. The incentives of our system are poorly aligned with the goal of maximizing happiness and well being. So in the sense of 'one man's gain is another man's loss' I was indeed speaking for everyone. But that is banal: Whatever you do, it has consequences.
 
Covering up data hacks like this should be illegal.

In some states it is. But maybe not if it's part of a bug bounty program.

The Uber execs hid the hack payout as a bug bounty payment, and in fact the practical results and assumptions are strikingly similar:

- In bug bounty programs, a bug finder can be paid a lot to keep their hack secret. (Even cheap Apple pays over $100,000 for some security bugs.)

- In bug bounty programs, a bug finder is known to the company, but not turned over to authorities, same as in this case.

- In bug bounty programs, a bug finder is often put under NDA (as these hackers were) to not reveal the hack took place.

- In bug bounty programs, a bug finder is relied upon to not sell the data they accessed, in return for being paid.
 
In some states it is. But maybe not if it's part of a bug bounty program.

The Uber execs hid the hack payout as a bug bounty payment, and in fact the practical results and assumptions are strikingly similar:

- In bug bounty programs, a bug finder can be paid a lot to keep their hack secret. (Even cheap Apple pays over $100,000 for some security bugs.)

- In bug bounty programs, a bug finder is known to the company, but not turned over to authorities, same as in this case.

- In bug bounty programs, a bug finder is often put under NDA (as these hackers were) to not reveal the hack took place.

- In bug bounty programs, a bug finder is relied upon to not sell the data they accessed, in return for being paid.

there is a pretty significant difference. the person who finds a bug or exploit in a bug bounty program isn't supposed to *actually use* that exploit or steal any data. At that point, you usually forfeit your right to a bounty and the company typically contacts the police.

that last bit "a bug finder is relied upon to not sell the data they accessed, in return for being paid" is a bit misleading, as bug bounty programs are usually much wider in scope than just data breaches, and people who access data aren't supposed to be doing at scale.
 
there is a pretty significant difference. the person who finds a bug or exploit in a bug bounty program isn't supposed to *actually use* that exploit or steal any data. At that point, you usually forfeit your right to a bounty and the company typically contacts the police.

No different from this case. Uber knows who the two hackers are.

They signed an NDA and agreed to never sell the data in return for a payment. And no evidence has been seen that they have broken their agreement.

that last bit "a bug finder is relied upon to not sell the data they accessed, in return for being paid" is a bit misleading, as bug bounty programs are usually much wider in scope than just data breaches, and people who access data aren't supposed to be doing at scale.

True, bug bounty hunters are supposed to access as little as possible to prove the exploit.

But there's no preset limit. If a DB call returns a ton of data, then it does.

What I'd like to know is exactly how these two guys contacted Uber. What words did they use. Did they threaten to use the data at all? Or did they just threaten to reveal how easily they got in. Etc.
 
No different from this case. Uber knows who the two hackers are.

They signed an NDA and agreed to never sell the data in return for a payment. And no evidence has been seen that they have broken their agreement.



True, bug bounty hunters are supposed to access as little as possible to prove the exploit.

But there's no preset limit. If a DB call returns a ton of data, then it does.

What I'd like to know is exactly how these two guys contacted Uber. What words did they use. Did they threaten to use the data at all? Or did they just threaten to reveal how easily they got in. Etc.


One big distinction is that ethical hackers don’t say “give us money or we will release what we have found.” It sounds like that’s what happened, though who knows.
 
No different from this case. Uber knows who the two hackers are.

They signed an NDA and agreed to never sell the data in return for a payment. And no evidence has been seen that they have broken their agreement.



True, bug bounty hunters are supposed to access as little as possible to prove the exploit.

But there's no preset limit. If a DB call returns a ton of data, then it does.

What I'd like to know is exactly how these two guys contacted Uber. What words did they use. Did they threaten to use the data at all? Or did they just threaten to reveal how easily they got in. Etc.

1.) Yea, but the nature of the agreement is typically about disclosing the vulnerability itself, not the data. They're called "bug bounty" programs, not "data bounty" programs. But still, you're right I suppose. There is no evidence that they've breached their contract, and we don't know the exact details of that contract.

2.) This is where I disagree with you. It's highly unlikely that a single API call returned the user details of 57 million people.

From the OP:

"Uber suffered a massive data breach last year that exposed the personal data of 57 million customers and drivers, reports Bloomberg. The attack occurred in October of 2016 and included personal information from 50 million Uber riders and 7 million Uber drivers.

Two hackers reportedly accessed a private GitHub repository used by Uber's software engineers and then used those credentials to breach an Amazon Web Services account that contained an archive of rider and driver information.

Email addresses and phone numbers were stolen from riders, while hackers were able to obtain email addresses, phone numbers, and driver's license numbers from drivers. Uber says social security numbers and trip location data were not accessed in the attack."

A bug bounty would have been "uhh, uber, one of your private repos with sensitive credentials isn't actually all that private. You might want to fix that. Give us $$ and we'll tell you how we accessed the repo"

Actually USING those credentials past perhaps testing to see if they were legitimate, on the other hand, is well past the ethics of bug bounty programs. That's more like "ok we got you now, give us money or we'll leak everything".

You're right, I too would like to know how these guys contacted Uber and the nature of their communications. Their words *do* matter in order to understand the scope of Uber's crimes. But I don't think we need to know what those words were to determine that crimes were committed. These guys did more than point out an exploit, they actually used that exploit to download data. And seeing that they had AWS credentials of some kind, they didn't need to do that to prove their point. As far as I'm concerned, both parties are guilty, and *how* guilty Uber is is just a matter of the form and nature of the communication between the two parties, as you correctly pointed out.
 