FORK ME! Uber hauls GitHub into court to find who hacked database of 50,000 drivers

Uber has subpoenaed GitHub to unmask netizens suspected of hacking its database of thousands of taxi drivers. The ride-booking app vendor is trying to force GitHub [PDF] to hand over the IP addresses of anyone who visited a particular gist post between March and September 2014. That gist is believed to have contained a login …

  1. Mark 85

    I thought this was part of their business model...

    In keeping with its image as a gas tank of ethics running on empty, Uber does not provide an explanation for why it did not inform its drivers their details had been swiped until it decided to file a lawsuit five months later.

    Boils down to this: not only do they not give a crap about their customers, they don't give a crap about their drivers. We've seen that they don't screen as such or much care about assaults on passengers, etc., so why would they care about their drivers?

    1. Robert Helpmann??
      WTF?

      Re: I thought this was part of their business model...

      The post noted that the company had "not received any reports of actual misuse of information as a result of this incident."

      This is a bit suspicious. Perhaps it has to do with the method of notification being the placement of a small ad in a local newspaper?

    2. Anonymous Coward

      "...the unique security key..."

      Yeah, "pAssWord123".

  2. Notas Badoff
    Joke

    Grease-palm

    Instead of face-palm splat it sounds like *sploosh* and the lights go dark.

  3. Anonymous Coward
    Holmes

    How is this github's problem?

    That Uber posted their login key for all to see? If they can't use the system responsibly, they shouldn't be allowed to host their code there.

    Offering a year of free credit monitoring after the fact is such a shitty way of handling these things.

    1. Anonymous Coward

      Re: How is this github's problem?

      How is this github's problem?

      That Uber posted their login key for all to see?

      From an investigative point of view it would have made sense - somehow this user must have picked this up. Even though that doesn't mean they were involved in the actual hack, it could provide another breadcrumb to track if this information was gathered immediately after the breach.

      The problem is the latter: if you're digging, that data needs to be requested by the people running the investigation and they need to do this when it is still fresh. You know, the same time you're supposed to tell people that you screwed up and leaked their details?

      Doing this so late strikes me more as a route to distract from the above, a way to state to the (remaining) shareholders that "your quest for justice has been impeded" or some similar PR, and to set up for blaming a flagging performance on the hack instead of the rather massive legal (not to mention ethical) issues with the business model.

      Just my opinion..

    2. Bob Vistakin
      Facepalm

      Re: How is this github's problem?

      Exactly. Get Vint Cerf in whilst you're at it - if it wasn't for him, none of this would have happened.

      Memo to Uber: The horse bolted because you left the door open.

    3. Eddy Ito

      Re: How is this github's problem?

      Knowing Uber that year of free credit monitoring covers the period 13 May 2014 to 12 May 2015.

  4. The Nazz

    A step too far?

    Katherine Tassi said the breach covered "current and former Uber driver partner names and driver’s license numbers,"

    I'm not a taxi driver, but if I were, why the fuck are they storing drivers' partners' names? Who I get to be intimate with, on a good week, make that month, should be none of their business.

    Good luck dealing with the Mrs though.

      1. Anonymous Coward

      Re: A step too far?

      Maybe (like Walmart associates) Uber really sees their drivers as partners.

      Yeah right.

      1. Eddy Ito

        Re: A step too far?

        Let me guess, if you're a "partner" you aren't an employee so it nicely sidesteps that whole hassle of the company doing the usual income tax duties, providing benefits, etc. You know, all that pesky government paperwork that normal companies have to do.

    2. Adam 1

      Re: A step too far?

      It's not uncommon for an employer to hold next of kin contact details.

  5. streaky
    Terminator

    Heh

    Uber wasting a lot of money to find out an IP address that'll be a VPN or open proxy in China or one of the IS controlled parts of Iraq or something.

    It's always the hipster tech companies that understand the internet the least, not sure why.

    1. Loud Speaker

      Re: Heh

      I thought there was hard evidence it was 192.168.0.1 they were looking for.

      1. Hans 1
        Joke

        Re: Heh

        >I thought there was hard evidence it was 192.168.0.1 they were looking for.

        Better: 127.168.0.1

    2. Anonymous Coward
      WTF?

      Re: Heh

      "Uber wasting a lot of money to find out an IP address that'll be a VPN or open proxy in China or one of the IS controlled parts of Iraq or something."

      You are probably right but even l33t haxxors have been known to screw up. What I don't understand is why the police haven't been involved and ruled in or out this line of investigation months ago. Why on earth is a private company taking another one to court when a seemingly criminal act has happened?

      Quis custodiet hipsterae?

      Jon

      1. scote

        Re: Heh

        According to the article, Uber already know the public IP address. Clearly that has not helped them identify the person, therefore they want to link that with information held by git gist.

    3. cantankerous swineherd

      Re: Heh

      I'm betting it's the NSA.

  6. Michael Habel

    You know its too early on a Saturday Morning when....

    You misread "Drivers" as an Individual actually driving a Vehicle, and not the Computery type of stuff One would generally speaking hope to find on this Site.

    1. P. Lee

      Re: You know its too early on a Saturday Morning when....

      I thought hacking 50k drivers was quite impressive. It took me a while to realise what they were talking about.

      1. Anonymous Coward

        Re: You know its too early on a Saturday Morning when....

        > I thought hacking 50k drivers was quite impressive.

        Some impressive road rage display, ain't it?

  7. Anonymous Coward

    Here is an IP address for you...

    127.0.0.1

    That's what they should be looking at now, and should have been looking at a blue moon ago. There are so many things wrong with their timeline that any affected driver might want to file a lawsuit too.

    Anything they do now, almost 10 months after the breach, is just distraction so that investors see them doing *something*...

    1. Michael Habel

      Re: Here is an IP address for you...

      Please show me the way to go 127.0.0.1. I seem to recall some Reg SWAG that had that written on it.

      1. tfewster
        Joke

        Re: Here is an IP address for you...

        "Show me the way to go localhost"? "Show me the way to go ~" would be better.

        But what would you expect from someone who couldn't ping 127.0.0.1 ;-)

        Another one I liked was "Get your warez at 127.0.0.1"

  8. Doctor Syntax

    Logic fail

    "an IP address not associated with an Uber employee and otherwise unknown to Uber"

    Until they identify who it was they can't possibly know whether or not it was an Uber employee.

    1. Anonymous Coward

      Re: Logic fail

      > Until they identify who it was they can't possibly know whether or not it was a Uber employee.

      But they can know whether a certain IP address is "associated" with any of their employees, which is what they actually said, as quoted by yourself.

      I gather their forensic guys know their stuff and therefore used the right terminology. It is awfully hard to prove who is operating the computer that is taking a certain action from a certain IP address at a certain time--the closest you can get in practice is to provide circumstantial evidence that links usage of a specific IP address to a specific person, then it's up to your really persuasive lawyer to sell that to the court / jury as evidence of guilt.

      1. Doctor Syntax

        Re: Logic fail

        They may have a list of IP addresses for, say, their employees' homes. But the address used could belong to an employee's parents' home, for example. Until they know who owns the address - and they haven't indicated that they do - they can't know that it doesn't belong to an employee's relative, favourite bar or whatever. And this is starting to read like something Sir Humphrey would have said.

  9. Christoph

    March last year?

    Hey you, explain why you visited an obscure web page nearly a year ago! What do you mean you can't remember? That's very suspicious!

  10. silent_count

    Bloody cheek

    Having demonstrated that they can't be trusted with the personal details of their drivers, Uber now wants a court to hand over even more personal details for them to mis-handle.

  11. Anonymous Coward

    Clearly there is no competent helmsman:

    http://hackaday.com/2015/02/27/stumbling-upon-an-uber-vulnerability/

  12. shovelDriver

    They said: ". . . from an IP address not associated with an Uber employee and otherwise unknown to Uber . . ."

    Taking them at their word, if they don't know, how do they know it was not associated with an Uber employee? Just because it wasn't an IP address assigned or controlled by Uber doesn't mean an employee couldn't have used a proxy or a computer not associated with the Uber network.

    Any judge with even a smidgen of tech savvy would laugh the suit out of court based on that alone. Given that they "believe" the GitHub post contained a key, the entire thing is nothing more than a fishing expedition. Where is evidence - amounting to proof under Rules of Evidence - that this had anything to do with GitHub? Or that a "key" was ever made available on the site? More likely an employee had possession when he or she walked out, er, drove out the door.

    As I said, any Judge not willing to be laughed out of court would laugh the suit out before he or she becomes a part of the countersuit.

    Logic is a bitch. If A=B and B=C, then C=A. I wonder how many judges passed their logic classes? Or even took one?

    1. Mark 85

      Logic is a bitch. If A=B and B=C, then C=A. I wonder how many judges passed their logic classes? Or even took one?

      Uh... judges in the States are usually lawyers. So... logic classes???? Not as we know them, Jim.

  13. Anonymous Coward

    Credit monitoring

    A year of credit monitoring is a joke. That'll just tell you someone's tried to/is trying to/did use the hacked info to do something in your name; you still have to fight the credit reporting firm, debtor, health insurer, etc etc etc to prove it wasn't you. And if the bad guys sell on your info and it doesn't get used until more than a year later, you don't know unless you've taken it upon yourself to pay for credit monitoring on your own.

    I think _at least_ 10 years of credit monitoring AND assistance with fighting any illegitimate use of your hacked info should be the minimum hacked businesses must provide. Maybe then they'll start taking our private data more seriously. (but I still doubt it)
