IP Address May Associate Lyft CTO With Uber Data Breach

An anonymous reader writes: According to two unnamed Reuters sources the IP address of Lyft CTO Chris Lambert has been revealed by Uber's investigations to be associated with the accessing of a security key that was accidentally deposited on GitHub in 2014 and used to access 50,000 database records of Uber drivers later that year. However, bearing in mind that the breach was carried out through a fiercely protectionist Scandinavian VPN, and that Lambert was a Google software engineer before become CTO of a major technology company, it does seem surprising that he would have accessed such sensitive data with his own domestic IP address.

Guilty!

[sinij]

If RIAA and CSI taught us anything is that both IP and DNA are definitive proof of guilt. Since Chris Lambert was shown to have both, we can be certain he did it.

Re:

[Lakitu]

No, one of almost an infinite amount of alternative theories is that the CTO of a major technology company didn't have his home WiFi secured and some enterprising criminal hijacked it to hack Uber. A much more plausible theory is that the Lyft guy used a Swedish VPN sometimes.

The Uber key was posted publicly on github in March of 2014, and was presumably publicly available until Uber realized their mistake when they were breached in February 2015. It's pretty ridiculous to say that they could have eliminate

Re:

[Anonymous Coward]

The problem here is that the IP has accessed a text file, not a database. That's one. Two, Uber says that they've examined and 'ruled out' every address but one of all that accessed the aforementioned key for a period of several months. I just looked at the daily logs to the login page of my quite obscure squirrelmail installation, and I see something like 7,000 IP addresses. Supposing that the Github account in question is as obscure as this installation, then you have at least few hundred thousand address

Thankfully...

[Rei]

Uber has long proven themselves to be eminently trustworthy and never scheming up shady ways to try to drive their competition out of business, so we can just take them at their word on this.

Re:Thankfully...

[phantomfive]

Exactly. Whenever an accusation starts with our competitor may have been evil..., wait for corroborating evidence.

Re:

[Anonymous Coward]

You don't take two unnamed people at their word? How dare you!

Re:

[Triklyn]

hell, even if they did do this, good

fuck uber.

you don't get international competitors to team up against a company unless that company is trying to fuck everyone and everything.

holy hell.

i don't often root for chinese anticompetitive behavior... but fuck uber.

and fuck uber for making me bedfellows with those assholes.

Re:

[Anonymous Coward]

So, you drive a cab I assume?

No way. His English is way too good and I can't smell his BO through my monitor. Plus, he didn't go off on a needless tangent for several paragraphs before he got to his point.

Re:Thankfully...

[Triklyn]

hells no, and i can probably count the number of cab rides i've taken in my life using my hands and feet.

i don't like them flaunting consumer protections, i don't like that whole period they were like, "oh insurance? what's that? and why can't our driver's personal insurance foot the fucking bill?"
i don't like how their executives think the idea of mudslinging journalists that criticize them is a fun idea.
i don't like how their idea of damage control is to try to bury, bury bury, until someone fucking dies

i don't like how their idea of fair competition is to spam their competitors with fake pickup requests
i don't like how their fucking profit margin comes straight out of their contracter's pockets
i don't like how their fucking car payment tie-in apparently is financially calamitous to their drivers

so, no, i don't drive a cab, i'm just not enamored of evil.

Re:

[caluml]

i can probably count the number of cab rides i've taken in my life using my hands and feet.

So 2^20 then? 1048576 is a lot of cab rides.

Re:

[Triklyn]

obviously,

born in a cab, live in a cab, now in a cab, die in a cab,

when i'm dead, i'll have my ashes scattered to the corners of the earth in cabs.

Cabs are love, cabs are life.

Re:

[tripleevenfall]

I for one welcome taxi cartels and their anticompetitive practices

Re:Thankfully...

[rockmuelle]

Uber is great in the same way Pets.com was great: they're burning their investor's money to run an unsustainable business. I loved getting 40lb bags of dog food delivered for free and I love paying less than the driver is making for my Uber rides. As a consumer, I win!

What's new about Uber compared to Pets.com is that Uber is the VC world's experiment in seeing if they can create illegal businesses and then use their huge piles of money to change the law in their favor. This is what should really scare everyone.

-Chris

Re:

[Coisiche]

unless that company is trying to fuck everyone and everything.

I think every company operates like that, under the guise of "delivering shareholder value".

I'm sure there are companies without shareholders that also operate like that, but never to same extreme in my experience.

Re:

[kilfarsnar]

unless that company is trying to fuck everyone and everything.

I think every company operates like that, under the guise of "delivering shareholder value".

I'm sure there are companies without shareholders that also operate like that, but never to same extreme in my experience.

Yep, they don't have to deal with a bunch of otherwise disinterested parties shouting about their money.

Re:

[tripleevenfall]

you don't get international competitors to team up against a company unless that company is trying to fuck everyone and everything.

Well, you could get competitors to team up against you by eating their lunch and beating them at their own games. That would be one way.

Re:

[Triklyn]

they typically wouldn't team up.

like how assad and the rebels are teaming up against isis... wait, that's not it...

how the US UK and USSR teamed up to fight the nazis. there we go.

sure everyone hated stalin, like everyone HATED stalin. and they were probably pretty sure they'd have a problem with him somewhere down the road... but Hitler, fuck hitler.

Re:

[TechyImmigrant]

Accessing Github is crime?

Re:

[farble1670]

Accessing Github is crime?

no, but using the information found there for cyber warfare against your competition is.

Chris Lambert has been revealed by Uber's investigations to be associated with the accessing of a security key that was accidentally deposited on GitHub in 2014 and used to access 50,000 database records of Uber drivers later that year.

or maybe you are suggesting the "you made it easy for me to commit the crime" defense? like, you left your bike unlocked, therefore it's mine for the taking?

The perfect cover?

[rmdingler]

However, bearing in mind that the breach was carried out through a fiercely protectionist Scandinavian VPN, and that Lambert was a Google software engineer before become CTO of a major technology company, it does seem surprising that he would have accessed such sensitive data with his own domestic IP address.

What a great defense... there's no way it's me.

Re:The perfect cover?

[DRJlaw]

The report emphasises that the IP address is not the one associated with the act of the breach itself; instead it was obtained by a process of elimination as Uberâ(TM)s investigations team worked through all the IPs which accessed a critical security key that had accidentally been deposited on the public code-sharing and versioning platform GitHub in March of 2014 â" approximately nine months before the breach occurred.

The only one it could not account for is, according to the report, a Comcast IP address associated with Lambert.

Translation: We believed everyone else but this guy is a right bastard (because he works for Lyft) and thus assuredly guilty.

Life imitating art?

[ramriot]

Sounds exactly like something from Mr Robot, IP address CTO of organisation found in logs related to hacking server farm.

Like, we trust the logs, after someone has Owned the system, sure let me know how that goes!

Re:

[GameboyRMH]

Damn, beaten - this sounds exactly like part of Mr. Robot's plot...seems way too easy & convenient. What kind of total noob would hack from their home IP anyway?

We trust what Uber says now?

[Anonymous Coward]

A company run by crooks with a scam as their business model. Uber is the one that blundered its own key then failed to secure its databases. Now they are blame shifting.

Re:

[NotDrWho]

a scam as their business model

Last time I checked, their business model was to offer a valuable service that people really like in exchange for money. That's not what I would call a "scam."

Re:We trust what Uber says now?

[deadweight]

My new airline is really cheap. I skip things like a 100 hour inspections, 135 certs, opspecs, and all the other things that make running an airline a huge PITA. I have a plane, what more do you want?

Re:

[slashdice]

Sadly, you're describing Flytenow and airpooler. Except their pilots aren't paid.

Re:

[NostalgiaForInfinity]

My new airline is really cheap. I skip things like a 100 hour inspections, 135 certs, opspecs, and all the other things that make running an airline a huge PITA. I have a plane, what more do you want?

I really don't give a f*ck about your "100 hour inspections" or your "135 certs"; those are meaningless theater, something you can easily cheat on if you want to and that doesn't make me one iota safer.

What i care about is: (1) what is your track record, (2) what are your financials, and (3) what is your insura

Re:

[GlennC]

What i care about is: (1) what is your track record, (2) what are your financials, and (3) what is your insurance.

Why should you care about those things? If the plane crashes or the baggage crew loses your luggage, you can give them a 1-star rating...that'll teach them.

Re:

[NostalgiaForInfinity]

Why should you care about those things?

The track record should be self evident. Financials and insurance are good measures because they reflect the confidence of investors and insurance risk estimators, people who have actual money at stake when a plane crashes and hence have an incentive to make correct risk assessments.

Re:

[Lakitu]

How are inspections meaningless? They're only meaningless if they're meaningless.

In this post you are claiming to believe that we live in a universe where inspections are fundamentally impossible of providing any value or accomplishing anything in any way. Judging by the fact that you believe you can accurately inspect an airline's track record, financials, and insurance (without those having been cheated on at all!), I'm sure you must have just made some kind of mistake.

Re:

[NostalgiaForInfinity]

In this post you are claiming to believe that we live in a universe where inspections are fundamentally impossible of providing any value or accomplishing anything in any way.

Some inspections are very valuable, namely the inspections where the inspector and his organization faces stiff personal and corporate liabilities and hence have a strong economic incentive to assess risks correctly. Accountants and insurance companies perform those kinds of inspections.

Government regulators and government inspection p

Re:

[Lakitu]

namely the inspections where the inspector and his organization faces stiff personal and corporate liabilities and hence have a strong economic incentive to assess risks correctly. Accountants and insurance companies perform those kinds of inspections.

Government regulators and government inspection programs generally lack these incentives, and that makes their inspections pretty much worthless.

What about government regulators and inspection programs which require certification or inspection from one of the entities you listed in the above paragraph? Because, guess what, that's what a lot of government inspections and certifications are.

Re:

[NostalgiaForInfinity]

You should be able to answer your own question based on what I said: does the certifying entity stand to lose large amounts of money if the thing they are certifying fails? Can you figure it out?

Re:

[Lakitu]

I'm glad you've changed your mind since your original post! Nice chat.

Re:

[Lakitu]

You should be able to answer your own question based on what I said: does the certifying entity stand to lose large amounts of money if the thing they are certifying fails? Can you figure it out?

Let's have a look at some options.

(a) Airline wishes to keep its reputation and passengers alive, inspects planes thoroughly. Does so in-house or faces severe financial consequences in the event of failure.

(b) Airline wishes to keep its reputation and passengers alive, pays an outside entity (with its own reputation and financial incentives) to inspect planes thoroughly.

(c) Government requires that all airlines pass certain safety standards so that start-up airlines can't crash their dilapidated planes into

Re:

[deadweight]

1 - track record is I am not dead that you know of. 2 - My financials are not available to you and what that has to do with my airplane I am not sure. It has 2 wings and most of the paint is still on. Are you one of those demanding passengers that wants me to clean it too? 3 - I have no valid insurance because no insurance company in the world will cover part 135 or 121 flights done without proper 135/121 inspections and rated pilots.

Re:

[deadweight]

Just so you know, your Randian paradise airline system was tried long ago. It killed so many people the better airlines were BEGGING the government to step in before this whole newfangled flying machine thing just collapsed and died due to public mistrust. $10,000,000 per SEAT? OMFG I am rolling on the floor. It is extraordinarily difficult to get 10% of that and most of my quotes are for $1,000,000 for the entire plane and that is instantly void the second I take off on a 135 flight absent the right certs.

Re:

[deadweight]

I am a commercial pilot AND have a car. I think I know the difference.

Re:We trust what Uber says now?

[Richard_at_work]

Just like a restaurant which doesn't give a toss about minimum wage, where its ingredients come from, the cleanliness of the kitchens or the reliability of the refrigeration - but the customers love the public face, service and price, so that restaurant should be given a break when it comes to following the rules other restaurants have to abide by...

Re:

[Solandri]

Just like a restaurant which doesn't give a toss about minimum wage, where its ingredients come from, the cleanliness of the kitchens or the reliability of the refrigeration - but the customers love the public face, service and price, so that restaurant should be given a break when it comes to following the rules other restaurants have to abide by...

If you do a lot of traveling, restaurants in most of the world operate exactly that way. You don't exactly see massive reports of food poisoning sickening or

Re:

[Triklyn]

http://safefoodinternational.o... [safefoodin...tional.org]

interesting, you don't hear about big food poisoning cases because unless it's big it doesn't break the news, and those generally involve contamination in an industrial setting.

and you don't hear about food poisoning cases on the small scale because they're pretty common.

Re:

[NostalgiaForInfinity]

Let's say you travel to some country where government health certification is voluntary. Would you rather eat in a dirty restaurant that got bad Yelp reviews but has a government certification, or eat in a restaurant that looks spotlessly clean and has excellent Yelp reviews but you don't see a government certification sticker?

Government health certificates for restaurants are pretty much useless, just like taxi licensing schemes.

Re:

[dave420]

You seem to be confusing your broken, dysfunctional part of the world with the entire world. This is going to blow your mind, but some places have great health certification, and great taxis. Those are the places which are fighting companies which seek to decrease the standard by which they do business.

Re:We trust what Uber says now?

[Nidi62]

a scam as their business model

Last time I checked, their business model was to offer a valuable service that people really like in exchange for money.

People really like cocaine and meth, but exchanging those for money is just as illegal as operating illegal cabs.

Re:

[mobby_6kl]

Cocaine's pretty awesome though, so who cares.

Re:

[Nidi62]

Cocaine's pretty awesome though, so who cares.

Yes, yes, we all know cocaine's a hell of a drug.

Re:

[Nidi62]

That's a great example of false equivalence [wikipedia.org], and you're a great example of an idiotic sack of shit. Go fuck yourself, bitch boy.

Ok, how about this then. I set up a freight shipping line that is much cheaper because I don't worry about those pesky rest rules, maintenance, or even making sure my drivers have CDLs. Since low cost shipping is a very valuable service this should be perfectly legal? Nope, just as illegal as Uber is.

Actually, this is plausible.

[Anonymous Coward]

All the smarts in the world won't fix a fat finger. You accessed the DB from your super secure VPN, disconnected your VPN, forgot it was disconnected, reconnected -- and, oh shit, there you are: Your personal IP has been revealed. This is why you use things like Tails, folks, or you do your dirty work in a VM -- then securely delete the VM. :)

Re:

[GameboyRMH]

do your dirty work in a VM -- then securely delete the VM. :)

Or run the VM like a LiveCD from a read-only filesystem - what happens in RAM stays in RAM...

Re:

[petermgreen]

VM or not you need to set things up so that your client box CANNOT access the internet without using the VPN. If you have a system where a VPN failure results in a direct connection you will almost certainly end up making a direct connection sooner or later.

You think??

[Type44Q]

it does seem surprising that he would have accessed such sensitive data with his own domestic IP address.

No fucking shit...

Re:

[kilfarsnar]

It depends on your definition of a sensitive IP address.

Well my IP address cries at the slightest thing, so yeah.

Re:

[Bob the Super Hamste]

Your IP address is John Boehner?

Nobody to blame but yourself...?

[Sneeka2]

So some doofus posted the keys to the kingdom on Github, and they're crying foul if a competitor picks them up to take a peek behind the curtain?

I mean, yeah, sure, that's not the gentlemen's way of doing things, but waddaya expect?!

Re:

[farble1670]

but waddaya expect?!

retarded reasoning.

you left your bicycle on your porch without a lock, whaddya expect?
you walked down a dark street at night, whaddya expect?
you left your car unlocked and your wallet on the seat, whaddya expect?
you set down your backpack containing a laptop in the seat next to you on the train and turned your head, whaddya expect?
you threw out some paperwork that listed your social security number and other personal information, whaddya expect? ...

see where that goes? enjoy your uptopia where making a mist

Re:

[praxis]

I am not sure what protection under the law has to do with anything. Sneeka2 did not mention anything about protections, only the stupidity of Uber's maneuver. Posting a private key in a public place is pretty dumb. Not revoking and changing your keys once you discover the mistake is also stupid. Expecting someone who finds the key to not use it is also stupid.

The things you mentioned are also risks, to different degrees. I don't leave my car unlocked with my wallet on the street. I find that stupid. I shre

I just dropped my monocle, and my pink mustache!

[NotDrWho]

Shocking! Harumph!

Protectionist?

[pr0nbot]

I don't know why a VPN provider would favour trade tariffs.

Perhaps "protective" was meant?

https://en.wikipedia.org/wiki/... [wikipedia.org]

Maybe he was just curious?

[Anonymous Coward]

In the sense of "there's no way this can be real, can it?".

Mr Robot

[HongPong]

Elliot changed the IP address to implicate him. No surprise!

Corporate Persons

[Chris Johnson]

So wait. Not only does Uber choose to commandeer Slashdot at every opportunity to spout off how great it is through increasingly vehement sockpuppet ACs and the pushing of clickbait articles, it ALSO feels the need to pull you aside and fill you in on its paranoid fantasies?

Man, 'corporate personhood' is weird. This is distinctly a personality that's consistent and recognizable. Just yeah.

Excuse me, Uber. I think I see somebody over there that I know D:

Re:

[metrix007]

You're one of those idiots who attributes every comment you disagree with to a sockpuppet, huh.

Re:

[KGIII]

Fucking shill.

(I keed, I keed indeed.)

The article alleges no connection, though.

[shess]

Apparently they leaked the key on GitHub, and allege that this IP address visited the page - along with tens of thousands of other visitors.

If I were CTO of a company, and I saw a Slashdot posting about "YourCompetitor leaked all of their keys on GitHub!", I would probably click through. ESPECIALLY if I were in charge of preventing similar leaks from the company I worked for.

Re: The article alleges no connection, though.

[ZFox]

If nothing else, to blacklist whoever committed it from employment at your company.

What happened to headlines like:

[angularbanjo]

Reuters Routers Rout Russian (probably)

Such access is not surprising at all.

[shess]

Apparently Uber leaked the keys on GitHub, and allege that this IP address visited the page - along with tens of thousands of other visitors. It wasn't some sort of Mission Impossible nighttime raid or anything, they published things publicly.

If I were CTO of a company, and I saw a Slashdot posting about "YourCompetitor leaked all of their keys on GitHub!", I would probably click through. ESPECIALLY if I were in charge of preventing similar leaks from the company I worked for.

Hell, I'd probably keep an ey

Re:

[0100010001010011]

I'd probably keep an eye on what kinds of things my competitor published on GitHub

That's not how Gists work. Reading the old article a lot of people seem to assume that this was published via git. Gists are just a place to store plain text.

He actually has a permament public static IP?

[Zeorge]

Don't know how it works in other countries. But, some USA ISP's will give you a static public facing IP and then release every so often. Just curious...

This sounds dubious

[quantaman]

According to documents filed in the case, the company learned months after the hack that someone had used an Uber digital security key to access the driver database. A copy of the key was inadvertently posted by Uber on one of its public pages on the code development platform GitHub in March of 2014, prior to the breach, the court filings show, and remained there for months.

After Uber discovered the unauthorized download, it examined the Internet Protocol addresses of every visitor to the page during the time between when the key was posted and when the breach occurred, according to court documents. The Uber review concluded that "the Comcast IP address is the only IP address that accessed the GitHub post that Uber has not eliminated" from suspicion, court papers say.

So for months this key was sitting on a public website and they've managed to eliminate every other address from suspicion?

Unless the actual URL was somehow hidden that sounds very unlikely, I'd wager there are hacking groups who write robots to crawl around the web looking for private keys.

We don't even know in what form the key was posted, if it were sitting in some chunk of code that Uber had posted to GitHub I wouldn't be in the least surprised that the Lyft CTO decided to checkout the project to see what the rival company was doing.

Seriously?

[GeekWithAKnife]

Would I be stupid enough to leave my home address near the murder weapon?!

I move to drop this investigation immediately it's obviously nonsense because I am a really smart person.

As you know, smart people do not do stupid things(tm)

Re:

[TechyImmigrant]

>Would I be stupid enough to leave my home address near the murder weapon?!

Isn't is the murder weapon that can be left somewhere and the home address that is pretty permanently fixed in one place?

Re:

[farble1670]

^^^ pretty much. i love the "no one could be THAT stupid" defense. so really, all i need to do to get away with a crime is to make sure i'm really obvious when i commit it?

ONE VPN?

[sexconker]

ONE?
Everyone knows you have to go through 7 proxies.

It's not that he's Guilty

[WillAffleckUW]

It's that he needs to be imprisoned without bail, tried, sentenced, and all assets stripped from him and any trusts he set up.