[HN Gopher] Former Uber executive charged with paying 'hush mone...
       ___________________________________________________________________
        
       Former Uber executive charged with paying 'hush money' to conceal
       breach
        
       Author : PatrolX
       Score  : 148 points
       Date   : 2020-08-20 19:14 UTC (3 hours ago)
        
 (HTM) web link (www.npr.org)
 (TXT) w3m dump (www.npr.org)
        
       | curiousllama wrote:
       | > "Need to get certainty of what he has, sensitivity/exposure of
       | it and confidence that he can truly treat this as a [bug] bounty
       | situation... resources can be flexible in order to put this to
        | bed but we need to document this very tightly" - Kalanick
        | 
        | Looks to me like this is why Kalanick was not indicted. If he
       | deferred, said "handle it, keep it legal, and document it for any
       | investigation," that's really all you can ask from a CEO.
       | 
       | Whether or not this is REALLY what he meant (or just a way to
       | cover his butt) is up for debate. But it would be a good defense
       | imo.
        
       | bigmattystyles wrote:
       | How is this any different than paying ransomware? Is that also
       | illegal? If anything, it seems like he/Uber are the victims of
       | blackmail. And I have no love for Uber.
        
         | pdw wrote:
         | He's not accused of paying off the hackers. Rather he's accused
         | of hiding the incident from an ongoing FTC investigation. They
         | list various ways in which he supposedly concealed the hack
          | from the FTC, e.g. they claim he set up a false paper trail
         | to make it look as if the hack was a harmless bug bounty
         | submission.
        
           | bagacrap wrote:
            | To be fair, the first sentence of the article does make it
            | seem as though the crime was paying the hackers off.
        
           | bigmattystyles wrote:
           | Would you have to disclose a ransomware attack?
        
       | ta738383 wrote:
       | As someone who has been falsely accused of a crime in the past,
       | I'd just like to remind people that being charged with something
       | does not make you guilty, it's an allegation. I know you know
        | this, but society today seems to be treating allegations like
        | convictions.
        
       | throwaway2474 wrote:
       | It seems to me that Kalanick was often "aware" of things but
       | conveniently avoids scrutiny. How is this? Uber did so many
       | questionable things under his leadership. And he managed to
       | totally dodge the Levandowski saga.
        
         | bsder wrote:
         | > It seems to me that Kalanick was often "aware" of things but
         | conveniently avoids scrutiny. How is this?
         | 
          | Because the VCs funded Uber precisely _because_ they knew that
         | Kalanick was an asshole?
         | 
         | The people who gave him money did so with the expectation that
         | he would pull out all the stops to become a mega-monopoly.
         | 
          | To top it off, Kalanick had been screwed by VCs before, so he
         | made a particular point to structure stock ownership in such a
         | way that he kept control. It's still not clear what deals were
         | made to actually get him to go away.
         | 
         | Finally, I expect that Kalanick probably knows where all the
         | bodies are buried. So, he probably knows even _more_ shady
         | things that were going on than have been exposed. So, he has
         | leverage.
        
         | A4ET8a8uTh0 wrote:
         | He is a savvy politician. You are definitely onto something
         | here. The guy has a very carefully curated public image. It is
         | genuinely impressive how opinion of him is higher than the
         | company he runs.
         | 
          | Edit: I was convinced by the arguments. I was holding onto an old
          | idea of him. Clearly things have changed.
        
           | oivey wrote:
           | Is it higher? He resigned as CEO of Uber due to a flurry of
           | scandals, including the Levandowski one. Do people really
           | separate Uber's shady business practices from his leadership?
           | I'd be surprised if investors do, although they may just not
           | care or view it as a good thing.
           | 
           | It is impressive that he's avoided any criminal or civil
           | suits. I don't know that he's guilty of anything, but with
           | the number of scandals swirling around him it's surprising
           | that someone hasn't at least tried to sue him.
        
           | ashtonkem wrote:
           | Does he have a carefully curated public image? I'm not very
           | well connected, but people in my personal life don't think
           | very highly of him.
        
           | dylan604 wrote:
           | Is he though? I thought he was pretty much considered a
           | fratbro. The stories of the bro culture that permeated Uber
           | HQ were pretty damning. There's also video of him drunkenly
           | arguing with an Uber driver. The stories are plentiful. If
           | that's the image he's curating, then it sounds like lots of
           | politicians past and present, so maybe you're right.
        
           | renewiltord wrote:
           | How unusual. He was 'fired' as CEO _because_ public opinion
           | of him was damaging the company.
        
           | site-packages1 wrote:
           | I follow the tech news a bit more than the average person
           | (but perhaps about average for the HN crowd), and my opinion
           | of his leadership really couldn't be lower. Perhaps it's
           | lower than Uber itself though as well because while I have
           | little to no respect for the Uber culture, I generally agree
           | that actions like theirs in the rideshare space, despite
           | being heavy handed and pushy, spur innovation and put
           | regulators on the defensive, which in turn forces regulators
           | to adapt faster than they normally would--like a forest fire
           | can lead to a stronger ecosystem.
        
         | TT3351 wrote:
         | "Corporation, n. An ingenious device for obtaining individual
         | profit without individual responsibility." Ambrose Bierce 1906
        
       | vmception wrote:
        | It's extremely out of character that he can't pay more hush money
        | to get out of the charge of paying hush money.
        | 
        | Why isn't Uber Inc helping him get a "Deferred Prosecution
        | Agreement" so that he can _kickback_ and relax?
        
         | EE84M3i wrote:
          | He's the CSO of Cloudflare now, so I doubt he does much
         | relaxing.
         | 
         | Other thread: https://news.ycombinator.com/item?id=24227059
        
       | droidno9 wrote:
       | Just to be clear, the complaint charges Sullivan under these two
       | federal criminal statutes:
       | 
        | 18 U.S. Code § 1505. Obstruction of proceedings before
       | departments, agencies, and committees -- [...] Whoever corruptly,
       | or by threats or force, or by any threatening letter or
       | communication influences, obstructs, or impedes or endeavors to
       | influence, obstruct, or impede the due and proper administration
       | of the law under which any pending proceeding is being had before
       | any department or agency of the United States, or the due and
       | proper exercise of the power of inquiry under which any inquiry
       | or investigation is being had by either House, or any committee
       | of either House or any joint committee of the Congress--
       | 
       | Shall be fined under this title, imprisoned not more than 5 years
       | or, if the offense involves international or domestic terrorism
       | (as defined in section 2331), imprisoned not more than 8 years,
       | or both.
       | 
        | 18 U.S. Code § 4. Misprision of felony -- Whoever, having
       | knowledge of the actual commission of a felony cognizable by a
       | court of the United States, conceals and does not as soon as
       | possible make known the same to some judge or other person in
       | civil or military authority under the United States, shall be
       | fined under this title or imprisoned not more than three years,
       | or both.
       | 
        | 18 USC § 4 is independent of any federal investigation, unlike
        | § 1505. The complaint itself lists quite damning facts. Have a
       | read, it's quite readable. [0]
       | 
       | [0] https://assets.documentcloud.org/documents/7041237/Joseph-
       | Su...
        
         | droidno9 wrote:
         | There's a recent case on Misprision of felony from the 9th
         | Circuit, which has jurisdiction over California. [0]
         | 
         | "The panel affirmed the long-established federal rule that
          | "[t]o establish misprision of a felony," under 18 U.S.C. § 4,
         | "the government must prove beyond a reasonable doubt: '(1) that
         | the principal . . . committed and completed the felony alleged;
         | (2) that the defendant had full knowledge of that fact; (3)
         | that he failed to notify the authorities; and (4) that he took
         | affirmative steps to conceal the crime of the principal.""
         | 
         | [0] https://www.whitecollarbriefly.com/2017/06/07/9th-circuit-
         | cl...
        
       | drtillberg wrote:
       | The CSO informed the CEO so ... this is individual concealment?
       | 
       | The better question is: If the CSO was not previously an AUSA,
       | would the prosecutors have charged this conduct?
        
       | tempsy wrote:
        | This reminds me that Joe has ties to Tesla's security team (ex
        | Uber) which is embroiled in a whistleblower lawsuit that alleges
       | they spied and hacked employee devices _and_ the insane eBay
       | security team lawsuit in which the security team allegedly sent a
       | severed pig head to a small town blogger they thought was working
       | for Amazon
       | 
       | https://www.bloomberg.com/news/features/2019-03-13/when-elon...
       | 
       | https://www.wsj.com/articles/ebay-harassment-campaign-pig-co...
       | 
       | great legacy
        
       | holidayacct wrote:
       | If you see an individual paying hush money to conceal a breach,
       | check the commit history asap.
        
       | foolfoolz wrote:
       | this sounds like every parent of every killer ever "he was a good
       | kid. he would never do this"
        
         | edmundsauto wrote:
         | It also sounds like the parent of every good kid. There is no
         | signal in this statement.
        
         | dang wrote:
          | "_Please respond to the strongest plausible interpretation of
          | what someone says, not a weaker one that's easier to
          | criticize. Assume good faith._"
         | 
         | https://news.ycombinator.com/newsguidelines.html
         | 
         | We detached this subthread from
         | https://news.ycombinator.com/item?id=24229084.
        
         | [deleted]
        
         | nickff wrote:
          | > "this sounds like every parent of every killer ever "he was
          | a good kid. he would never do this""
         | 
         | I understand that the HN mentality has become very cynical, but
         | if your only contribution to this conversation is a sardonic
         | simile, comparing someone you don't know to a murderer, you
         | should consider biting your tongue.
        
           | bogomipz wrote:
           | The OP was not comparing someone to a murderer. They were
           | pointing out a phenomenon of denial whereby people refuse to
           | believe that some person they know could ever be capable of
           | some criminal doing. You should consider that you may have
           | misunderstood.
        
           | colinmhayes wrote:
           | If your only contribution is defending shitty character
           | testimony you should consider biting your tongue. If there's
           | no actual evidence I don't want to hear about what a nice guy
           | he is.
        
             | dang wrote:
             | Sorry, this isn't cool. Internet forums are far too quick
             | to form flash mobs of judge, jury, and executioner. In
             | nearly every case this turns out to be missing critical
             | information. Moreover the instinct to do it is reflexive;
             | it has nothing to do with the particulars of any situation
             | --it's just an opportunity to have an experience that
             | somehow we seem driven to recreate over and over again.
             | 
             | Because the tendency is overwhelmingly in this vicious and
             | vengeful direction, having HN be the kind of community we
             | want requires that we all make a conscious effort not to go
             | there by default.
             | 
             | https://news.ycombinator.com/newsguidelines.html
        
               | [deleted]
        
       | PatrolX wrote:
       | U.S. Attorney Anderson announces charges against Joseph Sullivan
       | for alleged cover-up of Uber hack (Video)
       | 
       | https://www.youtube.com/watch?v=QEPRm2E_PUw
        
       | mrandish wrote:
       | IANAL but this seems far from a slam dunk to successfully
       | prosecute. The charge is that he tried to cover up something that
       | they aren't charging as a crime while they were investigating an
       | unrelated thing they also aren't charging as a crime. And the
       | legal department recommended and approved the bug bounty and the
       | CEO was fully informed.
        
       | adrr wrote:
       | I really don't understand how this is a crime. Bug bounty is
       | basically hiring consultants to find bugs. They found a bug that
        | allowed the consultant to download all the data. Uber paid the
       | consultant the designated bounty. It is a done deal.
       | 
       | Implications that this is an actual breach are large. Does that
       | mean if I hire a red team of independent consultants and they
        | managed to gain access to one of my backups, I have to report it
        | as a breach? That's the worst case scenario.
       | 
       | The best case scenario is all companies have to pull bug bounty
        | programs because any bug found is now considered a breach. This is
        | actually very bad for the industry. Bug bounties are a very
        | effective part of a comprehensive strategy to safeguard customer
        | data.
        
         | EE84M3i wrote:
         | In a bug bounty program, you agree to the terms before
         | participating and in particular those terms include not
         | exfiltrating data.
         | 
          | These hackers were not participants in the bug bounty program,
          | and extorted money from Uber. They were not in any way
         | "consultants", even retroactively.
         | 
         | But that's not the issue at hand here, the issue at hand is the
         | cover-up while Uber was being investigated about a similar
         | breach.
         | 
         | It is also curious that HackerOne was the middleman here. I do
         | wonder how much they knew of what was going on.
        
           | closeparen wrote:
           | >those terms include not exfiltrating data
           | 
           | Is there a way to determine that your credentials are
           | sufficient to download an S3 object without actually
           | downloading it?
           | 
           | How would you know whether you'd found an information
           | disclosure vulnerability without peeking at the information?
        
           | czbond wrote:
           | I can see it - a trusted 'intermediary' who has trust and
           | expertise to both clients.
        
             | EE84M3i wrote:
             | Yes and no. The indictment explicitly mentions the hackers
             | got paid through HackerOne but didn't have a HackerOne
              | account. HackerOne manually sending a payout so large (via
              | Bitcoin no less) is strange to say the least.
             | 
             | https://www.hackerone.com/resources/reporting/the-2020-hack
             | e... says they paid out $40mil in 2019 and undoubtedly
             | would have been much smaller in 2016. This would have been
             | a whale for them and their cut.
        
         | [deleted]
        
         | jforman wrote:
         | There is no mens rea or actual harm involved in legit white hat
         | hacking, including white hat hacking that is incentivized
         | through bug bounties, so this activity is not criminal.
         | 
         | We don't know all of the specifics here, but for the feds to go
         | after it one must assume that there was mens rea for the
         | underlying offense (i.e., the hackers were in fact black hat)
         | and there was actual harm (i.e., the hackers kept the stolen
         | data and either intended to or did in fact use it for criminal
         | purposes).
         | 
         | And in order to go after charges of obstruction and misprision,
         | the DoJ must also believe that Sullivan was clearly aware that
         | this behavior was criminal, and he intentionally sought to
         | cover it up. This isn't much of a stretch because the FTC was
         | probing it, so there was ample opportunity for him to respond
         | incorrectly (and, allegedly, criminally) to FTC's questions
         | during their probe.
        
           | AmericanChopper wrote:
           | In practice the line between bug bounties and extortion can
           | often be a bit blurry, as well as the line between proving an
           | exploit exists and actually exploiting it.
           | 
           | I think you'd need a lot more information to draw a
            | reasonable conclusion. That said, the prosecutors' arguments
            | that $100,000 is so much that it implies criminality, and
            | that NDAs are non-standard (or that they also imply
            | criminality) are complete and utter BS, and instantly make me
            | incredibly skeptical of the theories they're operating on.
        
         | capableweb wrote:
         | > During this time, two hackers contacted Sullivan by email and
         | demanded a six-figure payment in exchange for silence. [...]
         | The criminal complaint alleges that Sullivan took deliberate
         | steps to conceal, deflect, and mislead the Federal Trade
         | Commission about the breach.
         | 
         | https://www.justice.gov/usao-ndca/pr/former-chief-security-o...
         | 
         | Doesn't seem like a bug bounty when you're being demanded to
         | pay something, and when you're later asked about it you
         | conceal, deflect and mislead about it.
        
         | [deleted]
        
       | meigetsu wrote:
       | One question for any attorneys here - if the FTC were not
       | investigating the 2014 hack, would there not be any charges for
       | these alleged actions? The indictment doesn't seem to mention any
       | statutes violated except for in connection to impeding the
       | existing investigation.
        
         | droidno9 wrote:
          | 18 U.S. Code § 4. Misprision of felony -- Whoever, having
         | knowledge of the actual commission of a felony cognizable by a
         | court of the United States, conceals and does not as soon as
         | possible make known the same to some judge or other person in
         | civil or military authority under the United States, shall be
         | fined under this title or imprisoned not more than three years,
         | or both.
         | 
         | This statute doesn't require an active investigation.
        
       | refurb wrote:
       | From what I've read Sullivan claimed the decision to not inform
       | the feds was one made by Uber's legal team. I have no idea if
        | that's accurate, but it's a good reminder that a company's
        | lawyers _look out for the best interests of the company_, not
       | individual employees.
       | 
       | I've read that if you start to get involved in a legal issue at
       | work like this, you need to get your own lawyer and keep your
       | mouth shut.
        
         | chromedev wrote:
         | Same with HR
        
       | jedberg wrote:
       | I know Joe, I've worked both with and for him. Frankly, this
       | sounds completely out of character for him. He's someone who has
       | a strong moral compass and has been catching black hats for over
       | 20 years.
       | 
       | There has to be more to this story. I feel like he was probably
       | railroaded by Uber's legal team/CEO and they did things he may
       | not have been fully aware of. That's the only explanation I can
       | come up with.
       | 
       | I look forward to him having his day in court to vindicate
       | himself.
        
         | lhorie wrote:
         | My admittedly limited understanding/speculation (from what I
         | saw disclosed in the media and the timing of the events) is
         | that this breach came to light shortly after Dara took over as
         | CEO (presumably from a review of finances), and that Dara then
         | voluntarily disclosed the breach to the public as part of
         | Uber's reputation house cleaning effort, and that the failure
         | to disclose the breach was the reason for Joe's termination.
         | 
          | I don't know whether Uber had a proper bug bounty program set up
         | at the time this happened, nor whether this could be considered
         | one, so I can't comment on the specifics.
        
         | mascafe wrote:
         | Your views conflict with facts
         | 
         | 1)
         | https://web.archive.org/web/20200414123312/http://www.ubersc...
         | 
         | 2) https://arstechnica.com/tech-policy/2017/12/new-letter-
         | top-u...
        
       | x87678r wrote:
       | I'm a bit surprised this is a criminal offense.
       | 
       | What control does the FTC have over storage of personal data
       | anyway?
        
         | kodablah wrote:
         | The criminal offense is not the hack, it's the concealment.
        
         | dylan604 wrote:
         | I thought the corporate shield prevented employees from
         | criminality. Isn't this the argument used against all of the
         | financial malfeasance?
        
       | coworkerthrow wrote:
       | I worked with people who worked with him before Uber. When the
       | news came out they were surprised. They thought he was the
       | scapegoat.
       | 
       | I never worked with him. That personal anecdote does not
       | exonerate him at all but it does give me second thoughts. Truth
       | is nuanced sometimes.
        
         | jedberg wrote:
         | > When the news came out they were surprised. They thought he
         | was the scapegoat.
         | 
         | Same. My initial thought was that Uber threw him under the bus.
         | I still think that.
        
       ___________________________________________________________________
       (page generated 2020-08-20 23:00 UTC)