
IP Address May Associate Lyft CTO With Uber Data Breach (reuters.com) 103

An anonymous reader writes: According to two unnamed Reuters sources, the IP address of Lyft CTO Chris Lambert has been revealed by Uber's investigations to be associated with the accessing of a security key that was accidentally deposited on GitHub in 2014 and used to access 50,000 database records of Uber drivers later that year. However, bearing in mind that the breach was carried out through a fiercely protectionist Scandinavian VPN, and that Lambert was a Google software engineer before becoming CTO of a major technology company, it does seem surprising that he would have accessed such sensitive data with his own domestic IP address.

  • Guilty! (Score:5, Funny)

    by sinij ( 911942 ) on Thursday October 08, 2015 @08:02AM (#50685347)
    If RIAA and CSI taught us anything, it is that both IP and DNA are definitive proof of guilt. Since Chris Lambert was shown to have both, we can be certain he did it.
    • by Anonymous Coward

      The problem here is that the IP has accessed a text file, not a database. That's one. Two, Uber says that they've examined and 'ruled out' every address but one of all that accessed the aforementioned key for a period of several months. I just looked at the daily logs to the login page of my quite obscure squirrelmail installation, and I see something like 7,000 IP addresses. Supposing that the Github account in question is as obscure as this installation, then you have at least few hundred thousand address

  • Thankfully... (Score:5, Insightful)

    by Rei ( 128717 ) on Thursday October 08, 2015 @08:04AM (#50685353) Homepage

    Uber has long proven themselves to be eminently trustworthy and never scheming up shady ways to try to drive their competition out of business, so we can just take them at their word on this.

    • Re:Thankfully... (Score:4, Interesting)

      by phantomfive ( 622387 ) on Thursday October 08, 2015 @08:06AM (#50685365) Journal
      Exactly. Whenever an accusation starts with "our competitor may have been evil...", wait for corroborating evidence.
      • by Anonymous Coward

        You don't take two unnamed people at their word? How dare you!

    • Re: (Score:2, Interesting)

      by Triklyn ( 2455072 )

      hell, even if they did do this, good

      fuck uber.

      you don't get international competitors to team up against a company unless that company is trying to fuck everyone and everything.

      holy hell.

      i don't often root for chinese anticompetitive behavior... but fuck uber.

      and fuck uber for making me bedfellows with those assholes.

      • unless that company is trying to fuck everyone and everything.

        I think every company operates like that, under the guise of "delivering shareholder value".

        I'm sure there are companies without shareholders that also operate like that, but never to the same extreme in my experience.

        • unless that company is trying to fuck everyone and everything.

          I think every company operates like that, under the guise of "delivering shareholder value".

          I'm sure there are companies without shareholders that also operate like that, but never to the same extreme in my experience.

          Yep, they don't have to deal with a bunch of otherwise disinterested parties shouting about their money.

      • you don't get international competitors to team up against a company unless that company is trying to fuck everyone and everything.

        Well, you could get competitors to team up against you by eating their lunch and beating them at their own games. That would be one way.

        • they typically wouldn't team up.

          like how assad and the rebels are teaming up against isis... wait, that's not it...

          how the US UK and USSR teamed up to fight the nazis. there we go.

          sure everyone hated stalin, like everyone HATED stalin. and they were probably pretty sure they'd have a problem with him somewhere down the road... but Hitler, fuck hitler.

  • by rmdingler ( 1955220 ) on Thursday October 08, 2015 @08:06AM (#50685363) Journal

    However, bearing in mind that the breach was carried out through a fiercely protectionist Scandinavian VPN, and that Lambert was a Google software engineer before becoming CTO of a major technology company, it does seem surprising that he would have accessed such sensitive data with his own domestic IP address.

    What a great defense... there's no way it's me.

    • by DRJlaw ( 946416 ) on Thursday October 08, 2015 @08:14AM (#50685403)

      The report emphasises that the IP address is not the one associated with the act of the breach itself; instead it was obtained by a process of elimination as Uber's investigations team worked through all the IPs which accessed a critical security key that had accidentally been deposited on the public code-sharing and versioning platform GitHub in March of 2014 - approximately nine months before the breach occurred.

      The only one it could not account for is, according to the report, a Comcast IP address associated with Lambert.

      Translation: We believed everyone else but this guy is a right bastard (because he works for Lyft) and thus assuredly guilty.

  • Life imitating art? (Score:5, Interesting)

    by ramriot ( 1354111 ) on Thursday October 08, 2015 @08:12AM (#50685391)

    Sounds exactly like something from Mr Robot, IP address CTO of organisation found in logs related to hacking server farm.

    Like, we trust the logs, after someone has Owned the system, sure let me know how that goes!

    • Damn, beaten - this sounds exactly like part of Mr. Robot's plot...seems way too easy & convenient. What kind of total noob would hack from their home IP anyway?

  • by Anonymous Coward on Thursday October 08, 2015 @08:14AM (#50685399)

    A company run by crooks with a scam as their business model. Uber is the one that blundered its own key then failed to secure its databases. Now they are blame shifting.

    • a scam as their business model

      Last time I checked, their business model was to offer a valuable service that people really like in exchange for money. That's not what I would call a "scam."

      • by deadweight ( 681827 ) on Thursday October 08, 2015 @08:39AM (#50685573)
        My new airline is really cheap. I skip things like a 100 hour inspections, 135 certs, opspecs, and all the other things that make running an airline a huge PITA. I have a plane, what more do you want?
        • Sadly, you're describing Flytenow and airpooler. Except their pilots aren't paid.
        • My new airline is really cheap. I skip things like a 100 hour inspections, 135 certs, opspecs, and all the other things that make running an airline a huge PITA. I have a plane, what more do you want?

          I really don't give a f*ck about your "100 hour inspections" or your "135 certs"; those are meaningless theater, something you can easily cheat on if you want to and that doesn't make me one iota safer.

          What I care about is: (1) what is your track record, (2) what are your financials, and (3) what is your insura

          • by GlennC ( 96879 )

            What I care about is: (1) what is your track record, (2) what are your financials, and (3) what is your insurance.

            Why should you care about those things? If the plane crashes or the baggage crew loses your luggage, you can give them a 1-star rating...that'll teach them.

            • Why should you care about those things?

              The track record should be self evident. Financials and insurance are good measures because they reflect the confidence of investors and insurance risk estimators, people who have actual money at stake when a plane crashes and hence have an incentive to make correct risk assessments.

          • by Lakitu ( 136170 )

            How are inspections meaningless? They're only meaningless if they're meaningless.

            In this post you are claiming to believe that we live in a universe where inspections are fundamentally impossible of providing any value or accomplishing anything in any way. Judging by the fact that you believe you can accurately inspect an airline's track record, financials, and insurance (without those having been cheated on at all!), I'm sure you must have just made some kind of mistake.

            • In this post you are claiming to believe that we live in a universe where inspections are fundamentally impossible of providing any value or accomplishing anything in any way.

              Some inspections are very valuable, namely the inspections where the inspector and his organization faces stiff personal and corporate liabilities and hence have a strong economic incentive to assess risks correctly. Accountants and insurance companies perform those kinds of inspections.

              Government regulators and government inspection p

              • by Lakitu ( 136170 )

                namely the inspections where the inspector and his organization faces stiff personal and corporate liabilities and hence have a strong economic incentive to assess risks correctly. Accountants and insurance companies perform those kinds of inspections.

                Government regulators and government inspection programs generally lack these incentives, and that makes their inspections pretty much worthless.

                What about government regulators and inspection programs which require certification or inspection from one of the entities you listed in the above paragraph? Because, guess what, that's what a lot of government inspections and certifications are.

                • You should be able to answer your own question based on what I said: does the certifying entity stand to lose large amounts of money if the thing they are certifying fails? Can you figure it out?

                  • by Lakitu ( 136170 )

                    I'm glad you've changed your mind since your original post! Nice chat.

                    • by Lakitu ( 136170 )

                      You should be able to answer your own question based on what I said: does the certifying entity stand to lose large amounts of money if the thing they are certifying fails? Can you figure it out?

                      Let's have a look at some options.

                      (a) Airline wishes to keep its reputation and passengers alive, inspects planes thoroughly. Does so in-house or faces severe financial consequences in the event of failure.

                      (b) Airline wishes to keep its reputation and passengers alive, pays an outside entity (with its own reputation and financial incentives) to inspect planes thoroughly.

                      (c) Government requires that all airlines pass certain safety standards so that start-up airlines can't crash their dilapidated planes into

          • 1 - track record is I am not dead that you know of. 2 - My financials are not available to you and what that has to do with my airplane I am not sure. It has 2 wings and most of the paint is still on. Are you one of those demanding passengers that wants me to clean it too? 3 - I have no valid insurance because no insurance company in the world will cover part 135 or 121 flights done without proper 135/121 inspections and rated pilots.
      • by Richard_at_work ( 517087 ) on Thursday October 08, 2015 @08:48AM (#50685633)

        Just like a restaurant which doesn't give a toss about minimum wage, where its ingredients come from, the cleanliness of the kitchens or the reliability of the refrigeration - but the customers love the public face, service and price, so that restaurant should be given a break when it comes to following the rules other restaurants have to abide by...

        • Just like a restaurant which doesn't give a toss about minimum wage, where its ingredients come from, the cleanliness of the kitchens or the reliability of the refrigeration - but the customers love the public face, service and price, so that restaurant should be given a break when it comes to following the rules other restaurants have to abide by...

          If you do a lot of traveling, restaurants in most of the world operate exactly that way. You don't exactly see massive reports of food poisoning sickening or

          • http://safefoodinternational.o... [safefoodin...tional.org]

            interesting, you don't hear about big food poisoning cases because unless it's big it doesn't break the news, and those generally involve contamination in an industrial setting.

            and you don't hear about food poisoning cases on the small scale because they're pretty common.

        • Let's say you travel to some country where government health certification is voluntary. Would you rather eat in a dirty restaurant that got bad Yelp reviews but has a government certification, or eat in a restaurant that looks spotlessly clean and has excellent Yelp reviews but you don't see a government certification sticker?

          Government health certificates for restaurants are pretty much useless, just like taxi licensing schemes.

          • by dave420 ( 699308 )
            You seem to be confusing your broken, dysfunctional part of the world with the entire world. This is going to blow your mind, but some places have great health certification, and great taxis. Those are the places which are fighting companies which seek to decrease the standard by which they do business.
      • by Nidi62 ( 1525137 ) on Thursday October 08, 2015 @09:18AM (#50685827)

        a scam as their business model

        Last time I checked, their business model was to offer a valuable service that people really like in exchange for money.

        People really like cocaine and meth, but exchanging those for money is just as illegal as operating illegal cabs.

        • Cocaine's pretty awesome though, so who cares.

          • by Nidi62 ( 1525137 )

            Cocaine's pretty awesome though, so who cares.

            Yes, yes, we all know cocaine's a hell of a drug.

  • by Anonymous Coward
    All the smarts in the world won't fix a fat finger. You accessed the DB from your super secure VPN, disconnected your VPN, forgot it was disconnected, reconnected -- and, oh shit, there you are: Your personal IP has been revealed. This is why you use things like Tails, folks, or you do your dirty work in a VM -- then securely delete the VM. :)
    • do your dirty work in a VM -- then securely delete the VM. :)

      Or run the VM like a LiveCD from a read-only filesystem - what happens in RAM stays in RAM...

    • VM or not you need to set things up so that your client box CANNOT access the internet without using the VPN. If you have a system where a VPN failure results in a direct connection you will almost certainly end up making a direct connection sooner or later.

  • it does seem surprising that he would have accessed such sensitive data with his own domestic IP address.

    No fucking shit...

  • by Sneeka2 ( 782894 ) on Thursday October 08, 2015 @08:29AM (#50685485)

    So some doofus posted the keys to the kingdom on Github, and they're crying foul if a competitor picks them up to take a peek behind the curtain?

    I mean, yeah, sure, that's not the gentlemen's way of doing things, but waddaya expect?!

    • but waddaya expect?!

      retarded reasoning.

      you left your bicycle on your porch without a lock, whaddya expect?
      you walked down a dark street at night, whaddya expect?
      you left your car unlocked and your wallet on the seat, whaddya expect?
      you set down your backpack containing a laptop in the seat next to you on the train and turned your head, whaddya expect?
      you threw out some paperwork that listed your social security number and other personal information, whaddya expect? ...

      see where that goes? enjoy your utopia where making a mist

      • by praxis ( 19962 )

        I am not sure what protection under the law has to do with anything. Sneeka2 did not mention anything about protections, only the stupidity of Uber's maneuver. Posting a private key in a public place is pretty dumb. Not revoking and changing your keys once you discover the mistake is also stupid. Expecting someone who finds the key to not use it is also stupid.

        The things you mentioned are also risks, to different degrees. I don't leave my car unlocked with my wallet on the street. I find that stupid. I shre
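The root mistake praxis describes above, a private key sitting in a public paste, is the kind of thing a secret scan run before anything is published will catch. The scanner below is an added example and not code from the article, from Uber or from any commenter; the sample paste, the rule names and the length threshold are constructed for illustration, and the AKIA value is the placeholder from the AWS documentation rather than a real credential.

```python
import math
import re
from collections import Counter

# Constructed sample of a gist-style plain-text paste. Every secret-looking value
# here is made up (the AKIA value is the placeholder from the AWS docs).
SAMPLE_GIST = """\
# deploy helper
DB_HOST = "db.internal.example"
DB_PASSWORD = "correct-horse-battery-staple"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_token = "sk_live_4f9c2e7a1b8d3c6e5f0a9b7c1d2e3f4a"
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAnotarealkey0123456789abcdefghijklmnopqrstuvwxyzABCDEFG
-----END RSA PRIVATE KEY-----
log_level = "debug"
"""

# (rule name, compiled regex, index of the group that holds the secret value)
RULES = [
    ("pem_private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), 0),
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), 1),
    # A variable whose name says "secret" being assigned a value of 8+ characters.
    ("secret_assignment", re.compile(
        r"\b\w*(?:password|passwd|secret|token|api_?key|access_?key)\w*\s*[:=]\s*[\"']?([^\s\"']{8,})",
        re.IGNORECASE), 1),
]

def shannon_entropy(s):
    """Bits per character; random-looking tokens score higher than dictionary words."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def redact(value):
    """Never echo a full credential into findings, tickets or logs."""
    return value[:4] + "..." if len(value) > 4 else "..."

def scan_text(text):
    """Return one finding per (line, rule) hit, with the matched value redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx, grp in RULES:
            m = rx.search(line)
            if not m:
                continue
            value = m.group(grp)
            findings.append({"line": lineno, "rule": name, "redacted": redact(value),
                             "entropy": round(shannon_entropy(value), 2)})
    return findings

if __name__ == "__main__":
    for f in scan_text(SAMPLE_GIST):
        print(f"line {f['line']:>3}  {f['rule']:<18} {f['redacted']}  entropy={f['entropy']}")
```

Wire `scan_text` into a pre-commit or pre-publish hook and treat any finding as a block; the entropy score is only there to help triage which hits to look at first.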

  • Protectionist? (Score:4, Informative)

    by pr0nbot ( 313417 ) on Thursday October 08, 2015 @08:32AM (#50685511)

    I don't know why a VPN provider would favour trade tariffs.

    Perhaps "protective" was meant?

    https://en.wikipedia.org/wiki/... [wikipedia.org]

  • by Anonymous Coward

    In the sense of "there's no way this can be real, can it?".

  • Elliot changed the IP address to implicate him. No surprise!

  • Corporate Persons (Score:5, Insightful)

    by Chris Johnson ( 580 ) on Thursday October 08, 2015 @10:00AM (#50686175) Homepage Journal

    So wait. Not only does Uber choose to commandeer Slashdot at every opportunity to spout off how great it is through increasingly vehement sockpuppet ACs and the pushing of clickbait articles, it ALSO feels the need to pull you aside and fill you in on its paranoid fantasies?

    Man, 'corporate personhood' is weird. This is distinctly a personality that's consistent and recognizable. Just yeah.

    Excuse me, Uber. I think I see somebody over there that I know D:

  • by shess ( 31691 ) on Thursday October 08, 2015 @10:06AM (#50686219) Homepage

    Apparently they leaked the key on GitHub, and allege that this IP address visited the page - along with tens of thousands of other visitors.

    If I were CTO of a company, and I saw a Slashdot posting about "YourCompetitor leaked all of their keys on GitHub!", I would probably click through. ESPECIALLY if I were in charge of preventing similar leaks from the company I worked for.

  • Reuters Routers Rout Russian (probably)
  • Apparently Uber leaked the keys on GitHub, and allege that this IP address visited the page - along with tens of thousands of other visitors. It wasn't some sort of Mission Impossible nighttime raid or anything, they published things publicly.

    If I were CTO of a company, and I saw a Slashdot posting about "YourCompetitor leaked all of their keys on GitHub!", I would probably click through. ESPECIALLY if I were in charge of preventing similar leaks from the company I worked for.

    Hell, I'd probably keep an ey

    • I'd probably keep an eye on what kinds of things my competitor published on GitHub

      That's not how Gists work. Reading the old article a lot of people seem to assume that this was published via git. Gists are just a place to store plain text.

  • Don't know how it works in other countries. But some USA ISPs will give you a static public-facing IP and then release it every so often. Just curious...
  • by quantaman ( 517394 ) on Thursday October 08, 2015 @10:19AM (#50686327)

    According to documents filed in the case, the company learned months after the hack that someone had used an Uber digital security key to access the driver database. A copy of the key was inadvertently posted by Uber on one of its public pages on the code development platform GitHub in March of 2014, prior to the breach, the court filings show, and remained there for months.

    After Uber discovered the unauthorized download, it examined the Internet Protocol addresses of every visitor to the page during the time between when the key was posted and when the breach occurred, according to court documents. The Uber review concluded that "the Comcast IP address is the only IP address that accessed the GitHub post that Uber has not eliminated" from suspicion, court papers say.

    So for months this key was sitting on a public website and they've managed to eliminate every other address from suspicion?

    Unless the actual URL was somehow hidden that sounds very unlikely, I'd wager there are hacking groups who write robots to crawl around the web looking for private keys.

    We don't even know in what form the key was posted, if it were sitting in some chunk of code that Uber had posted to GitHub I wouldn't be in the least surprised that the Lyft CTO decided to checkout the project to see what the rival company was doing.
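The process of elimination quoted in quantaman's post can be illustrated with a small log-analysis script. This is an added example, not code from the article, Reuters, Uber or any commenter: it assumes a web access log in the Apache/nginx "combined" format, a constructed gist path, and constructed window dates, and it does no more than narrow the visitor list to IPs nobody has explained yet.

```python
import re
from datetime import datetime, timezone

# Constructed sample access log in Apache/nginx "combined" format. IPs are from the
# documentation ranges and the paths are made up; none of this is Uber or GitHub data.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Mar/2014:10:12:01 +0000] "GET /example-org/gist-abc123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Apr/2014:22:40:13 +0000] "GET /example-org/gist-abc123 HTTP/1.1" 200 5120 "-" "python-requests/2.2"
203.0.113.7 - - [03/Apr/2014:08:00:00 +0000] "GET /example-org/gist-abc123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/May/2014:14:05:33 +0000] "GET /example-org/other-gist HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.23 - - [11/May/2014:02:17:09 +0000] "GET /example-org/gist-abc123 HTTP/1.1" 200 5120 "-" "python-requests/2.2"
192.0.2.44 - - [20/Dec/2014:09:30:00 +0000] "GET /example-org/gist-abc123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Assumed investigation window (constructed dates, not the real ones): the day the key
# was posted and the day the unauthorized download was discovered.
KEY_POSTED = datetime(2014, 3, 15, tzinfo=timezone.utc)
BREACH_FOUND = datetime(2014, 12, 1, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse_line(line):
    """Parse one combined-format line; None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status")), "ua": m.group("ua")}

def visitors_in_window(log_text, path, start, end):
    """Each client IP that successfully fetched `path` inside [start, end]:
    hit count, first/last time seen and the user agents it presented."""
    visitors = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["path"] != path or rec["status"] != 200:
            continue
        if not start <= rec["ts"] <= end:
            continue
        v = visitors.setdefault(rec["ip"], {"hits": 0, "first": rec["ts"],
                                            "last": rec["ts"], "agents": set()})
        v["hits"] += 1
        v["first"], v["last"] = min(v["first"], rec["ts"]), max(v["last"], rec["ts"])
        v["agents"].add(rec["ua"])
    return visitors

def remaining_suspects(visitors, accounted_for):
    """Process of elimination: drop IPs the investigation has explained.
    What is left is merely unexplained, which is not the same as guilty."""
    return {ip: v for ip, v in visitors.items() if ip not in accounted_for}

def looks_automated(ua):
    """Crude hint that a visit came from a script, not a browser (a heuristic, not proof)."""
    return any(tag in ua.lower() for tag in ("python-requests", "curl/", "wget/", "bot"))

if __name__ == "__main__":
    seen = visitors_in_window(SAMPLE_LOG, "/example-org/gist-abc123", KEY_POSTED, BREACH_FOUND)
    for ip, v in remaining_suspects(seen, {"203.0.113.7"}).items():
        print(ip, v["hits"], "hits", sorted(v["agents"]), any(map(looks_automated, v["agents"])))
```

On a real log with thousands of distinct visitors the unexplained set stays large, which is exactly the objection raised earlier in the thread; the user-agent hint only helps separate crawlers from browsers, it does not attribute anything.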


  • Would I be stupid enough to leave my home address near the murder weapon?!

    I move to drop this investigation immediately; it's obviously nonsense because I am a really smart person.

    As you know, smart people do not do stupid things(tm)
    • >Would I be stupid enough to leave my home address near the murder weapon?!

      Isn't it the murder weapon that can be left somewhere and the home address that is pretty permanently fixed in one place?

    • ^^^ pretty much. i love the "no one could be THAT stupid" defense. so really, all i need to do to get away with a crime is to make sure i'm really obvious when i commit it?

  • ONE?
    Everyone knows you have to go through 7 proxies.

  • It's that he needs to be imprisoned without bail, tried, sentenced, and all assets stripped from him and any trusts he set up.
