[HN Gopher] Former Uber executive charged with paying 'hush money' to conceal breach
___________________________________________________________________
Former Uber executive charged with paying 'hush money' to conceal breach
Author : PatrolX
Score : 148 points
Date : 2020-08-20 19:14 UTC (3 hours ago)
| curiousllama wrote:
| > "Need to get certainty of what he has, sensitivity/exposure of it and confidence that he can truly treat this as a [bug] bounty situation... resources can be flexible in order to put this to bed but we need to document this very tightly" - Kalanick
|
| Looks to me like this is why Kalanick was not indicted. If he deferred, said "handle it, keep it legal, and document it for any investigation," that's really all you can ask from a CEO.
|
| Whether or not this is REALLY what he meant (or just a way to cover his butt) is up for debate. But it would be a good defense imo.
| bigmattystyles wrote:
| How is this any different than paying ransomware? Is that also illegal? If anything, it seems like he/Uber are the victims of blackmail. And I have no love for Uber.
| pdw wrote:
| He's not accused of paying off the hackers. Rather he's accused of hiding the incident from an ongoing FTC investigation. They list various ways in which he supposedly concealed the hack from the FTC, e.g. they claim he set up a false paper trail to make it look as if the hack was a harmless bug bounty submission.
| bagacrap wrote:
| To be fair, the first sentence of the article does make it seem as though the crime was paying the hackers off.
| bigmattystyles wrote:
| Would you have to disclose a ransomware attack?
| ta738383 wrote:
| As someone who has been falsely accused of a crime in the past, I'd just like to remind people that being charged with something does not make you guilty, it's an allegation. I know you know this, but society today seems to be treating allegations like convictions.
| throwaway2474 wrote:
| It seems to me that Kalanick was often "aware" of things but conveniently avoids scrutiny. How is this? Uber did so many questionable things under his leadership. And he managed to totally dodge the Levandowski saga.
| bsder wrote:
| > It seems to me that Kalanick was often "aware" of things but conveniently avoids scrutiny. How is this?
|
| Because the VCs funded Uber precisely _because_ they knew that Kalanick was an asshole?
|
| The people who gave him money did so with the expectation that he would pull out all the stops to become a mega-monopoly.
|
| To top it off, Kalanick had been screwed by VCs before, so he made a particular point to structure stock ownership in such a way that he kept control. It's still not clear what deals were made to actually get him to go away.
|
| Finally, I expect that Kalanick probably knows where all the bodies are buried. So, he probably knows even _more_ shady things that were going on than have been exposed. So, he has leverage.
| A4ET8a8uTh0 wrote:
| He is a savvy politician. You are definitely onto something here. The guy has a very carefully curated public image. It is genuinely impressive how opinion of him is higher than the company he runs.
|
| Edit: I was convinced by the arguments. I was holding onto an old idea of him. Clearly things have changed.
| oivey wrote:
| Is it higher? He resigned as CEO of Uber due to a flurry of scandals, including the Levandowski one. Do people really separate Uber's shady business practices from his leadership? I'd be surprised if investors do, although they may just not care or view it as a good thing.
|
| It is impressive that he's avoided any criminal or civil suits. I don't know that he's guilty of anything, but with the number of scandals swirling around him it's surprising that someone hasn't at least tried to sue him.
| ashtonkem wrote:
| Does he have a carefully curated public image? I'm not very well connected, but people in my personal life don't think very highly of him.
| dylan604 wrote:
| Is he though? I thought he was pretty much considered a fratbro. The stories of the bro culture that permeated Uber HQ were pretty damning. There's also video of him drunkenly arguing with an Uber driver. The stories are plentiful. If that's the image he's curating, then it sounds like lots of politicians past and present, so maybe you're right.
| renewiltord wrote:
| How unusual. He was 'fired' as CEO _because_ public opinion of him was damaging the company.
| site-packages1 wrote:
| I follow the tech news a bit more than the average person (but perhaps about average for the HN crowd), and my opinion of his leadership really couldn't be lower. Perhaps it's lower than Uber itself though as well because while I have little to no respect for the Uber culture, I generally agree that actions like theirs in the rideshare space, despite being heavy handed and pushy, spur innovation and put regulators on the defensive, which in turn forces regulators to adapt faster than they normally would--like a forest fire can lead to a stronger ecosystem.
| TT3351 wrote:
| "Corporation, n. An ingenious device for obtaining individual profit without individual responsibility." Ambrose Bierce, 1906
| vmception wrote:
| It's extremely out of character that he can't pay more hush money to get out of the charge of paying hush money.
|
| Why isn't Uber Inc helping him get a "Deferred Prosecution Agreement" so that he can _kickback_ and relax?
| EE84M3i wrote:
| He's the CSO of Cloudflare now, so I doubt he does much relaxing.
|
| Other thread: https://news.ycombinator.com/item?id=24227059
| droidno9 wrote:
| Just to be clear, the complaint charges Sullivan under these two federal criminal statutes:
|
| 18 U.S. Code § 1505. Obstruction of proceedings before departments, agencies, and committees -- [...] Whoever corruptly, or by threats or force, or by any threatening letter or communication influences, obstructs, or impedes or endeavors to influence, obstruct, or impede the due and proper administration of the law under which any pending proceeding is being had before any department or agency of the United States, or the due and proper exercise of the power of inquiry under which any inquiry or investigation is being had by either House, or any committee of either House or any joint committee of the Congress--
|
| Shall be fined under this title, imprisoned not more than 5 years or, if the offense involves international or domestic terrorism (as defined in section 2331), imprisoned not more than 8 years, or both.
|
| 18 U.S. Code § 4. Misprision of felony -- Whoever, having knowledge of the actual commission of a felony cognizable by a court of the United States, conceals and does not as soon as possible make known the same to some judge or other person in civil or military authority under the United States, shall be fined under this title or imprisoned not more than three years, or both.
|
| 18 USC § 4 is independent of any federal investigation, unlike § 1505. The complaint itself lists quite damning facts. Have a read, it's quite readable. [0]
|
| [0] https://assets.documentcloud.org/documents/7041237/Joseph-Su...
| droidno9 wrote:
| There's a recent case on Misprision of felony from the 9th Circuit, which has jurisdiction over California. [0]
|
| "The panel affirmed the long-established federal rule that "[t]o establish misprision of a felony," under 18 U.S.C. § 4, "the government must prove beyond a reasonable doubt: '(1) that the principal . . . committed and completed the felony alleged; (2) that the defendant had full knowledge of that fact; (3) that he failed to notify the authorities; and (4) that he took affirmative steps to conceal the crime of the principal.'""
|
| [0] https://www.whitecollarbriefly.com/2017/06/07/9th-circuit-cl...
| drtillberg wrote:
| The CSO informed the CEO so ... this is individual concealment?
|
| The better question is: If the CSO was not previously an AUSA, would the prosecutors have charged this conduct?
| tempsy wrote:
| This reminds me that Joe has ties to Tesla's security team (ex Uber), which is embroiled in a whistleblower lawsuit that alleges they spied on and hacked employee devices, _and_ the insane eBay security team lawsuit in which the security team allegedly sent a severed pig head to a small town blogger they thought was working for Amazon.
|
| https://www.bloomberg.com/news/features/2019-03-13/when-elon...
|
| https://www.wsj.com/articles/ebay-harassment-campaign-pig-co...
|
| Great legacy.
| holidayacct wrote:
| If you see an individual paying hush money to conceal a breach, check the commit history asap.
| foolfoolz wrote:
| This sounds like every parent of every killer ever: "he was a good kid. he would never do this"
| edmundsauto wrote:
| It also sounds like the parent of every good kid. There is no signal in this statement.
| dang wrote:
| "_Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith._"
|
| https://news.ycombinator.com/newsguidelines.html
|
| We detached this subthread from https://news.ycombinator.com/item?id=24229084.
| [deleted]
| nickff wrote:
| > "this sounds like every parent of every killer ever "he was a good kid. he would never do this""
|
| I understand that the HN mentality has become very cynical, but if your only contribution to this conversation is a sardonic simile, comparing someone you don't know to a murderer, you should consider biting your tongue.
| bogomipz wrote:
| The OP was not comparing someone to a murderer. They were pointing out a phenomenon of denial whereby people refuse to believe that some person they know could ever be capable of some criminal doing. You should consider that you may have misunderstood.
| colinmhayes wrote:
| If your only contribution is defending shitty character testimony you should consider biting your tongue. If there's no actual evidence I don't want to hear about what a nice guy he is.
| dang wrote:
| Sorry, this isn't cool. Internet forums are far too quick to form flash mobs of judge, jury, and executioner. In nearly every case this turns out to be missing critical information. Moreover the instinct to do it is reflexive; it has nothing to do with the particulars of any situation--it's just an opportunity to have an experience that somehow we seem driven to recreate over and over again.
|
| Because the tendency is overwhelmingly in this vicious and vengeful direction, having HN be the kind of community we want requires that we all make a conscious effort not to go there by default.
|
| https://news.ycombinator.com/newsguidelines.html
| [deleted]
| PatrolX wrote:
| U.S. Attorney Anderson announces charges against Joseph Sullivan for alleged cover-up of Uber hack (Video)
|
| https://www.youtube.com/watch?v=QEPRm2E_PUw
| mrandish wrote:
| IANAL but this seems far from a slam dunk to successfully prosecute. The charge is that he tried to cover up something that they aren't charging as a crime while they were investigating an unrelated thing they also aren't charging as a crime. And the legal department recommended and approved the bug bounty and the CEO was fully informed.
| adrr wrote:
| I really don't understand how this is a crime. Bug bounty is basically hiring consultants to find bugs. They found a bug that allowed the consultant to download all the data. Uber paid the consultant the designated bounty. It is a done deal.
|
| Implications that this is an actual breach are large. Does that mean if I hire a red team of independent consultants and they manage to gain access to one of my backups, I have to report it as a breach? That's the worst case scenario.
|
| The best case scenario is all companies have to pull bug bounty programs because any bug found is now considered a breach. This is actually very bad for the industry. Bug bounties are a very effective part of a comprehensive strategy to safeguard customer data.
| EE84M3i wrote:
| In a bug bounty program, you agree to the terms before participating and in particular those terms include not exfiltrating data.
|
| These hackers were not participants in the bug bounty program, and extorted money from Uber. They were not in any way "consultants", even retroactively.
|
| But that's not the issue at hand here, the issue at hand is the cover-up while Uber was being investigated about a similar breach.
|
| It is also curious that HackerOne was the middleman here. I do wonder how much they knew of what was going on.
| closeparen wrote:
| > those terms include not exfiltrating data
|
| Is there a way to determine that your credentials are sufficient to download an S3 object without actually downloading it?
|
| How would you know whether you'd found an information disclosure vulnerability without peeking at the information?
| czbond wrote:
| I can see it - a trusted 'intermediary' who has trust and expertise to both clients.
| EE84M3i wrote:
| Yes and no. The indictment explicitly mentions the hackers got paid through HackerOne but didn't have a HackerOne account. HackerOne manually sending a payout so large, via Bitcoin no less, is strange to say the least.
|
| https://www.hackerone.com/resources/reporting/the-2020-hacke... says they paid out $40mil in 2019 and undoubtedly would have been much smaller in 2016. This would have been a whale for them and their cut.
| [deleted]
| jforman wrote:
| There is no mens rea or actual harm involved in legit white hat hacking, including white hat hacking that is incentivized through bug bounties, so this activity is not criminal.
|
| We don't know all of the specifics here, but for the feds to go after it one must assume that there was mens rea for the underlying offense (i.e., the hackers were in fact black hat) and there was actual harm (i.e., the hackers kept the stolen data and either intended to or did in fact use it for criminal purposes).
|
| And in order to go after charges of obstruction and misprision, the DoJ must also believe that Sullivan was clearly aware that this behavior was criminal, and he intentionally sought to cover it up. This isn't much of a stretch because the FTC was probing it, so there was ample opportunity for him to respond incorrectly (and, allegedly, criminally) to FTC's questions during their probe.
| AmericanChopper wrote:
| In practice the line between bug bounties and extortion can often be a bit blurry, as well as the line between proving an exploit exists and actually exploiting it.
|
| I think you'd need a lot more information to draw a reasonable conclusion. That said, the prosecutors' arguments that $100,000 is so much that it implies criminality, and that NDAs are non-standard (or that they also imply criminality) are complete and utter BS, and instantly make me incredibly skeptical of the theories they're operating on.
| capableweb wrote:
| > During this time, two hackers contacted Sullivan by email and demanded a six-figure payment in exchange for silence. [...] The criminal complaint alleges that Sullivan took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the breach.
|
| https://www.justice.gov/usao-ndca/pr/former-chief-security-o...
|
| Doesn't seem like a bug bounty when you're being demanded to pay something, and when you're later asked about it you conceal, deflect and mislead about it.
| [deleted]
| meigetsu wrote:
| One question for any attorneys here - if the FTC were not investigating the 2014 hack, would there not be any charges for these alleged actions? The indictment doesn't seem to mention any statutes violated except for in connection to impeding the existing investigation.
| droidno9 wrote:
| 18 U.S. Code § 4. Misprision of felony -- Whoever, having knowledge of the actual commission of a felony cognizable by a court of the United States, conceals and does not as soon as possible make known the same to some judge or other person in civil or military authority under the United States, shall be fined under this title or imprisoned not more than three years, or both.
|
| This statute doesn't require an active investigation.
| refurb wrote:
| From what I've read, Sullivan claimed the decision to not inform the feds was one made by Uber's legal team. I have no idea if that's accurate, but it's a good reminder that a company's lawyers _look out for the best interests of the company_, not individual employees.
|
| I've read that if you start to get involved in a legal issue at work like this, you need to get your own lawyer and keep your mouth shut.
| chromedev wrote:
| Same with HR.
| jedberg wrote:
| I know Joe, I've worked both with and for him. Frankly, this sounds completely out of character for him. He's someone who has a strong moral compass and has been catching black hats for over 20 years.
|
| There has to be more to this story. I feel like he was probably railroaded by Uber's legal team/CEO and they did things he may not have been fully aware of. That's the only explanation I can come up with.
|
| I look forward to him having his day in court to vindicate himself.
| lhorie wrote:
| My admittedly limited understanding/speculation (from what I saw disclosed in the media and the timing of the events) is that this breach came to light shortly after Dara took over as CEO (presumably from a review of finances), and that Dara then voluntarily disclosed the breach to the public as part of Uber's reputation house cleaning effort, and that the failure to disclose the breach was the reason for Joe's termination.
|
| I don't know whether Uber had a proper bug bounty program set up at the time this happened, nor whether this could be considered one, so I can't comment on the specifics.
| mascafe wrote:
| Your views conflict with facts.
|
| 1) https://web.archive.org/web/20200414123312/http://www.ubersc...
|
| 2) https://arstechnica.com/tech-policy/2017/12/new-letter-top-u...
| x87678r wrote:
| I'm a bit surprised this is a criminal offense.
|
| What control does the FTC have over storage of personal data anyway?
| kodablah wrote:
| The criminal offense is not the hack, it's the concealment.
| dylan604 wrote:
| I thought the corporate shield prevented employees from criminality. Isn't this the argument used against all of the financial malfeasance?
| coworkerthrow wrote:
| I worked with people who worked with him before Uber. When the news came out they were surprised. They thought he was the scapegoat.
|
| I never worked with him. That personal anecdote does not exonerate him at all but it does give me second thoughts. Truth is nuanced sometimes.
| jedberg wrote:
| > When the news came out they were surprised. They thought he was the scapegoat.
|
| Same. My initial thought was that Uber threw him under the bus. I still think that.
___________________________________________________________________ (page generated 2020-08-20 23:00 UTC)