Just read the federal complaint, my highlights and summary:<p>- Hackers downloaded a bunch of PII from Uber<p>- Uber CISO paid them a 100k bounty with bitcoin to sign an NDA with their hacking handles, but they wouldn't give real names<p>- Uber staff traced them down, found their real names, then met them in person and got them to sign NDAs with real names<p>- FTC is mad because CISO tried to make it seem like it wasn't a data breach vs bug report through the bounty program.<p>- Their 2014 breach was from "an AWS access ID and secret key in software code posted to GitHub"<p>- In 2016 to FTC "SULLIVAN elaborated that it was common at the time to write access IDs and other secrets directly into code when that code needed to call for information from another service." - oof<p>- SULLIVAN received an email from “johndoughs@protonmail.com” claiming to have found a “major vulnerability in uber,” and that “I was able to dump uber database and many other things.”<p>- <i>in 2016 breach, the hackers used the stolen credentials to... get the AWS keys that were still in their github code, but was now private</i><p>-"Similarly, Uber argued that the industry at large had become more adept since 2014
at protecting private data in the cloud, and that Uber should not be judged for “what a company
did then (back when the company was much smaller and the technology at issue was evolving)
according to the standards that the agency thinks are appropriate now (given the current
sophistication of the company and current industry best practices).” Uber made these arguments
via letter in April 2017, approximately five months after the 2016 Breach."<p><a href="https://assets.documentcloud.org/documents/7041237/Joseph-Sullivan-Complaint.pdf" rel="nofollow">https://assets.documentcloud.org/documents/7041237/Joseph-Su...</a>
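The hardcoded-credential pattern the complaint describes (an AWS access key ID and secret written straight into source that was later pushed to GitHub) is the kind of thing a pre-commit scanner catches. The following is an added example, not code from the original comment, from Uber, or from the complaint. It assumes the documented AWS key ID format (long-term keys start with "AKIA", temporary STS keys with "ASIA", 20 uppercase alphanumerics total) and treats the 40-character secret as a heuristic anchored to a secret-looking variable name. The two snippets it scans are constructed samples; the credential values in them are the placeholder keys from AWS's own documentation, not real secrets.

```python
import re

# AWS long-term access key IDs start with "AKIA" and are 20 uppercase
# alphanumeric characters; temporary (STS) ones start with "ASIA".
# Secret access keys are 40 characters from the base64 alphabet. That
# alone is too loose, so the secret pattern is anchored to an assignment
# to a secret-looking name to keep false positives down (a heuristic).
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_?key\W{0,4}['\"]([A-Za-z0-9/+=]{40})['\"]"
)


def find_hardcoded_aws_keys(source: str):
    """Return a list of (line_number, kind, value) for suspected AWS creds."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            hits.append((lineno, "access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            hits.append((lineno, "secret_access_key", m.group(1)))
    return hits


# Constructed sample: the 2014-style pattern the complaint describes,
# with credentials written straight into the source. The values are the
# placeholder credentials from AWS documentation, not real ones.
VULNERABLE_SNIPPET = '''
import boto3

s3 = boto3.client(
    "s3",
    aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
    aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
)
'''

# Constructed sample of the same call with no credentials in the file:
# boto3's default provider chain reads them from environment variables,
# a shared profile, or an attached IAM role, so there is nothing to commit.
HARDENED_SNIPPET = '''
import boto3

s3 = boto3.client("s3")
'''

if __name__ == "__main__":
    for name, snippet in (("vulnerable", VULNERABLE_SNIPPET), ("hardened", HARDENED_SNIPPET)):
        hits = find_hardcoded_aws_keys(snippet)
        print(f"{name}: {len(hits)} finding(s)")
        for lineno, kind, value in hits:
            # Print only the ends of the value so the scanner's own output
            # does not become a second place the secret is written down.
            print(f"  line {lineno}: {kind} = {value[:4]}...{value[-4:]}")
```

Run against the first snippet it reports the key ID on line 6 and the secret on line 7; against the second it reports nothing. The point is less the regex than the workflow: a check like this in a pre-commit hook or CI job turns "it was common at the time to write secrets directly into code" into a failed build rather than a breach, and it should be paired with revoking any key it finds, since a key that has ever been committed has to be assumed copied.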
Just to be clear, the complaint charges Sullivan under these two federal criminal statutes:<p>18 U.S. Code § 1505. Obstruction of proceedings before departments, agencies, and committees -- [...] Whoever corruptly, or by threats or force, or by any threatening letter or communication influences, obstructs, or impedes or endeavors to influence, obstruct, or impede the due and proper administration of the law under which any pending proceeding is being had before any department or agency of the United States, or the due and proper exercise of the power of inquiry under which any inquiry or investigation is being had by either House, or any committee of either House or any joint committee of the Congress—<p>Shall be fined under this title, imprisoned not more than 5 years or, if the offense involves international or domestic terrorism (as defined in section 2331), imprisoned not more than 8 years, or both.<p>18 U.S. Code § 4. Misprision of felony -- Whoever, having knowledge of the actual commission of a felony cognizable by a court of the United States, conceals and does not as soon as possible make known the same to some judge or other person in civil or military authority under the United States, shall be fined under this title or imprisoned not more than three years, or both.<p>18 USC § 4 is independent of any federal investigation, unlike § 1505. The complaint itself lists quite damning facts. Have a read, it's quite readable. [0]<p>[0] <a href="https://assets.documentcloud.org/documents/7041237/Joseph-Sullivan-Complaint.pdf" rel="nofollow">https://assets.documentcloud.org/documents/7041237/Joseph-Su...</a>
It seems to me that Kalanick was often “aware” of things but conveniently avoids scrutiny. How is this? Uber did so many questionable things under his leadership. And he managed to totally dodge the Levandowski saga.
This is especially interesting because Joe Sullivan is the current Chief Security Officer at Cloudflare. I'm curious to see what happens to his role at Cloudflare, will CF stand behind him or give him the boot considering the optics here...
I really don't understand how this is a crime. Bug bounty is basically hiring consultants to find bugs. They found a bug that allowed the consultant to download all the data. Uber paid the consultant the designated bounty. It is a done deal.<p>Implications that this is an actual breach are large. Does that mean if I hire a red team of independent consultants and they managed to gain access to one of my backups, I have to report it as a breach? That's the worst case scenario.<p>The best case scenario is all companies have to pull bug bounty programs because any bug found is now considered a breach. This is actually very bad for the industry. Bug bounties are a very effective part of a comprehensive strategy to safeguard customer data.
I know Joe, I've worked both with and for him. Frankly, this sounds completely out of character for him. He's someone who has a strong moral compass and has been catching black hats for over 20 years.<p>There has to be more to this story. I feel like he was probably railroaded by Uber's legal team/CEO and they did things he may not have been fully aware of. That's the only explanation I can come up with.<p>I look forward to him having his day in court to vindicate himself.
From what I've read Sullivan claimed the decision to not inform the feds was one made by Uber's legal team. I have no idea if that's accurate, but it's a good reminder that a company's lawyers <i>look out for the best interests of the company</i>, not individual employees.<p>I've read that if you start to get involved in a legal issue at work like this, you need to get your own lawyer and keep your mouth shut.
As someone who has been falsely accused of a crime in the past, I'd just like to remind people that being charged with something does not make you guilty, it's an allegation. I know you know this, but society today seems to be treating allegations like convictions.
I worked with people who worked with him before Uber. When the news came out they were surprised. They thought he was the scapegoat.<p>I never worked with him. That personal anecdote does not exonerate him at all but it does give me second thoughts. Truth is nuanced sometimes.
My first thought on hearing this news was the famous essay "The Al Capone Theory of Sexual Harassment."<p><a href="https://blog.valerieaurora.org/2017/07/18/the-al-capone-theory-of-sexual-harassment/" rel="nofollow">https://blog.valerieaurora.org/2017/07/18/the-al-capone-theo...</a><p>Basically it states that for a long time, sexual harassers were given a blind eye with excuses like "he's good for our bottom line." But it turns out this isn't true. It turns out people who act unethically in <i>one</i> way often act unethically in <i>other</i> ways, that (among other things) hurt the bottom line.
He is currently the CISO of CloudFlare. <a href="https://blog.cloudflare.com/why-im-joining-cloudflare/" rel="nofollow">https://blog.cloudflare.com/why-im-joining-cloudflare/</a><p>Hopefully eastdakota is preparing a statement about his departure.
Another Uber security guy was hired by Tesla and somehow came up related to the Gigafactory drug running stuff:<p>> Tesla then hired a new senior manager of Global Security named Nick Gicinto. He was told that Gicinto and team were “spying on Tesla employees using devices to monitor emails, cell phones, and data communications from Tesla employees. Hansen expressed concern to his supervisors regarding what he believed was illegal conduct.”<p>> In fact, Gicinto and his team allegedly used these same tactics at Uber under Jeff Jones, former head of security who was also hired at Tesla with another security employee Jacob Nocon.<p>> In a lawsuit filed in the United States District Court, District of Northern California, Waymo LLC v. Uber Technologies, Inc., (Case No.:17-cv-00939-WHA). Jones, Gicinto, and Nocon all “allegedly engaged in numerous illegal methods of investigations such as wiretapping and hacking.” These behaviors are all outlined in the “Jacob’s Letter” filed in this case.<p><a href="https://patriotssoapbox.com/business/tesla-whistle-blower-alleges-ties-between-sr-management-organized-crime/" rel="nofollow">https://patriotssoapbox.com/business/tesla-whistle-blower-al...</a>
> <i>“Companies like Uber are the caretakers, not the owners, of customers’ personal information,” said U.S. Attorney Anderson (for the Northern District of California)</i>[1]<p>I would like that to be true, but everything I've read indicates otherwise. Uber, Google, Facebook, banks, and credit bureaus have my personal information, but I am <i>not</i> the owner of that information. I've been told that they own it, at least under U.S. laws. If I do own it, why can't I demand that credit bureaus delete all my personal information?<p>The quote comes from the prosecutor of the Uber executive. If anyone should know the law regarding who owns your personal information, he should. Is he right or wrong?<p>[1] <a href="https://www.justice.gov/usao-ndca/pr/florida-man-and-canadian-national-plead-guilty-hackingextortion-conspiracy" rel="nofollow">https://www.justice.gov/usao-ndca/pr/florida-man-and-canadia...</a> [this was a link in the featured article]
The CSO informed the CEO so ... this is individual concealment?<p>The better question is: If the CSO was not previously an AUSA, would the prosecutors have charged this conduct?
U.S. Attorney Anderson announces charges against Joseph Sullivan for alleged cover-up of Uber hack (Video)<p><a href="https://www.youtube.com/watch?v=QEPRm2E_PUw" rel="nofollow">https://www.youtube.com/watch?v=QEPRm2E_PUw</a>
> “Need to get certainty of what he has, sensitivity/exposure of it and confidence that he can truly treat this as a [bug] bounty situation... resources can be flexible in order to put this to bed but we need to document this very tightly“ - Kalanick<p>Looks to me like this is why Kalanick was not indicted. If he deferred, said “handle it, keep it legal, and document it for any investigation,” that’s really all you can ask from a CEO.<p>Whether or not this is REALLY what he meant (or just a way to cover his butt) is up for debate. But it would be a good defense imo.
For what it's worth, and I'm no lawyer, it doesn't look like he's facing anything near 5 years.<p>For the misprision offense (18 USC 4), the guidelines are based on the underlying felony, less 9 levels, capped at 19. Assuming CFAA/wire fraud, a 2B.1 offense, that's:<p><pre><code> 6
+8 for the >$95,000 loss
+2 if involved harvesting email addresses (not charged?)
+2 for evasion across jurisdictions
+2 for exfiltrating trade secrets overseas
+2 for intent to exfiltrate customer PII
</code></pre>
That reads to me as a worst-case underlying level of 24, or a 15 for the misprision, which is 18-24 months; remove any of those constraints and it's a "Zone C" offense that doesn't require imprisonment at all.<p>The more painful charge appears to be the Obstruction (18 USC 1505), for which the guidelines appear to go:<p><pre><code> 14
+3 for substantial interference to an investigation
+2 for extensive planning
</code></pre>
That worst-cases to 19, 30-37 months. Still not close to 5 years, though, and I'd assume (please correct me!) that these sentences group, since the underlying conduct is the same.<p>(I assume this case settles?)
While working at Uber, Joe Sullivan's head of Global Threat Intelligence hired Ergo to carry out surveillance against Uber's legal foes. <a href="https://www.theverge.com/2016/7/10/12127638/uber-ergo-investigation-lawsuit-fraud-travis-kalanick" rel="nofollow">https://www.theverge.com/2016/7/10/12127638/uber-ergo-invest...</a>
From the criminal complaint:<p>> The hackers’ ransom was paid in December 2016 via bitcoin, even though the hackers by that time had refused to sign the NDAs in their true names and had not yet been identified by Uber. Uber’s staff continued to work on identifying the hackers and were able to eventually identify them in January 2017, at which point SULLIVAN dispatched security staff to interview both hackers and obtain signed NDAs from them in their true names.<p>How did they identify them, and is the DOJ going after the hackers too?<p>edit: finished reading the PDF:<p>>H. The Hackers Pleaded Guilty to Federal Crimes.
>>50. On August 2, 2018, a Grand Jury in the Northern District of California returned an indictment charging Brandon Charles GLOVER and Vasile MEREACRE with crimes related to extortion involving computers under 18 U.S.C. § 1030(a)(7)(B) and 1030(c)(3)(A). The indictment alleged that GLOVER and MEREACRE, between December 2016 and January 2017, conspired to extort a online employment-oriented service (“COMPANY ONE”) by obtaining over 90,000 confidential user accounts and using those accounts as a means to obtain money.
this reminds me that Joe has ties to Tesla’s security team (ex Uber) which is embroiled in a whistleblower lawsuit that allege they spied and hacked employee devices <i>and</i> the insane eBay security team lawsuit in which the security team allegedly sent a severed pig head to a small town blogger they thought was working for Amazon<p><a href="https://www.bloomberg.com/news/features/2019-03-13/when-elon-musk-tried-to-destroy-tesla-whistleblower-martin-tripp" rel="nofollow">https://www.bloomberg.com/news/features/2019-03-13/when-elon...</a><p><a href="https://www.wsj.com/articles/ebay-harassment-campaign-pig-cockroach-blog-11593009038" rel="nofollow">https://www.wsj.com/articles/ebay-harassment-campaign-pig-co...</a><p>great legacy
One question for any attorneys here - if the FTC were not investigating the 2014 hack, would there not be any charges for these alleged actions? The indictment doesn't seem to mention any statutes violated except for in connection to impeding the existing investigation.
How is this any different than paying ransomware? Is that also illegal? If anything, it seems like he/Uber are the victims of blackmail. And I have no love for Uber.
IANAL but this seems far from a slam dunk to successfully prosecute. The charge is that he tried to cover up something that they aren't charging as a crime while they were investigating an unrelated thing they also aren't charging as a crime. And the legal department recommended and approved the bug bounty and the CEO was fully informed.
It's extremely out of character that he can’t pay more hush money to get out of the charge of paying hush money<p>Why isn't Uber Inc helping him get a “Deferred Prosecution Agreement” so that he can <i>kickback</i> and relax
The documents dumped by Martin Tripp in the Tesla case were pretty juicy. Looks like they had full access to his personal phone, round the clock surveillance on him and constant hacking of his accounts. So much so that one of the security guys working for Tesla turned whistleblower (Sean Gouthro).<p>Documents are taken down since a court ordered Martin to take them off public display.
This is about lying to the FTC, not about paying off hackers to keep data private. Ransomware has shown that the latter is accepted even if not exactly legal.<p>> The database included the drivers’ license numbers for approximately 600,000 people who drove for Uber.<p>Drivers licenses are deterministic and can be generated by knowing full name and DOB and state. They aren't PII.