In case you're unfamiliar with him: if you're a startup person, Ryan McGeehan (the author here) has some of the best resources on building security programs available on the Internet:

https://scrty.io/
> My analysis will treat this as an accident.

How does that work for a scenario where specific and intentional actions were taken by an individual or group of individuals, that may or may not have been illegal?

You can’t analyze an armed robbery prosecution as an accident without ignoring all of the most significant aspects of the case.
> The breach remained undetected for an unknown period of months before an interview with an engineer at a competing company disclosed that an executive at their employer had a copy of an Uber database

What’s the backstory here? Did an Uber competitor buy the database from a hacker? Then Uber found out, which is how they found out the data breach happened? Am I reading that right?

That sounds very shady, whoever the competitor was.
It is helpful that this was written from a blameless perspective, as it remains clear that the attempt to retroactively re-designate the breach as an authorized bug-bounty act was deceptive and self-serving.
CourtListener page with the docket for the case: https://www.courtlistener.com/docket/18443231/united-states-v-sullivan/

(For the case docket, if some of HN wants to use the RECAP extension https://free.law/recap and burn some PACER credit. It's free to make a PACER account and use up to $30 a quarter; they won't bill you.)
> I don’t believe Joe is a criminal, but my personal opinions about his guilt don’t matter.

Then why bring it up?

> My analysis will treat this as an accident.

Isn't the point of an analysis to determine what happened? Not to start with a preconceived idea and make the analysis fit that?

It's hard to trust a source repeatedly claiming to be neutral after spending the first few paragraphs espousing their biases.
The US Attorney's Office press release about the case: https://www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-convicted-federal-charges-covering-data-breach
My takeaway: whenever private data has inadvertently become available to outside actors, you should treat it as a breach, even if you don't have evidence of exfiltration or malicious use, and even if you first found out about the issue from a bug bounty program (legitimate or otherwise).
So… a federal jury found this guy guilty, but here we have a friend of his who is going to be totally neutral in a reevaluation?

So they set out to describe it as „an accident“ because „blameless post-mortems“ are something people really like?

Also, this article falls into the trap of trying to sound smart by using, sorry, „by effecting the usage of“ big fancy words. I’ve read Supreme Court transcripts and judgements, and I can understand them. This is overtaxing my buzzword ingestion.