[HN Gopher] Someone hacked YandexTaxi and ordered all available ...
       ___________________________________________________________________
        
       Someone hacked YandexTaxi and ordered all available taxis to the
       same location
        
       Author : aaur0
       Score  : 231 points
       Date   : 2022-09-01 18:40 UTC (4 hours ago)
        
 (HTM) web link (twitter.com)
 (TXT) w3m dump (twitter.com)
        
       | tpmx wrote:
        | I'd like to think Ukrainian hackers were behind this.
        
         | andrewxdiamond wrote:
         | It being the work of Russian dissidents would be much better in
         | my opinion
        
         | robot9000 wrote:
         | Yes. Russia bad.
        
           | coffeeblack wrote:
           | Isn't it?
        
       | hinkley wrote:
       | This is what happens when optimists win and the realists are cut
       | out of the conversation.
       | 
       | As a taxi service, I believe I would want to know if I'm about to
       | have a shortage of taxis in any one area of town, and I'd better
       | only have a concentration in one area of town for an event the
       | entire world is talking about, like a reunion tour or a
       | championship game.
       | 
       | Even with the hack, the moment all of the taxis started
       | converging on one area of town, alarms should have been going off
       | and managers should have been asking questions. But that's not
       | what happened, because we say yes the moment money enters the
       | conversation, without bothering to ask what it says about you as
       | a person if you'll do anything for money, or for that matter if
       | the money is even real or just a trick to get our attention.
        
         | tenebrisalietum wrote:
         | There are always going to be individuals that say yes the
         | moment money enters the conversation, as long as food and
         | housing cost money and there is the possibility of going
         | without.
        
           | mike_hock wrote:
           | Universal Basic Income now!
        
         | tjs8rj wrote:
          | It's already so hard to build a large company; you just don't
          | have the resources to chase super rare, low pain outcomes.
         | 
         | This is the first time this has happened and the total cost of
         | it is at most a few hours revenue. They'll likely add
         | safeguards to prevent such a thing now, but if they ran the
         | company preparing for every possible way things could go wrong,
         | they'd get absolutely nothing done.
        
           | onion2k wrote:
           | _low pain outcomes_
           | 
           | All your customers thinking your app isn't secure any more
           | isn't "low pain".
        
             | ivan_gammel wrote:
             | 99% of customers won't care, because they will only briefly
             | see the news, this hack did not harm them, they don't care
             | that much about security of an app and they don't have a
             | good alternative.
             | 
             | The impact of such incidents on company reputation and
             | revenue is often exaggerated.
        
               | munk-a wrote:
                | A few customers will have strong negative opinions ("I
                | was waiting at the airport in the rain for four hours!")
                | but most people will indeed shrug this off. It's a much
                | different issue than what happens when payment systems
                | are compromised.
               | 
               | A lot more people care if they're informed their credit
               | card was stolen and told to carefully watch statements
               | for the next month - that leverages a real PITA cost on
               | the customer.
        
             | and-not-drew wrote:
             | That's got nothing to do with what we're talking about.
             | 
             | The first comment didn't say they should have spent more
             | time on security, it said they should have spent time
             | creating a system to detect if too many taxis were in one
             | spot.
             | 
             | I think we can all agree that security is valuable and
             | should be prioritized, but spending time worrying about how
             | to stop who is already in your system from sending all the
             | cabs to the wrong place seems like a waste of time.
             | 
              | Hell, IF (big if) the worst thing a hacker could do once
              | they had access to YandexTaxi's servers is send a bunch of
              | cabs to the wrong place, you could almost spin that in a
              | positive light. "We spent so much time protecting customer
              | data that all they could do is send our drivers to the
              | wrong place".
        
           | tcgv wrote:
           | Good reasoning. Hindsight bias comes to mind:
           | 
           | - https://en.wikipedia.org/wiki/Hindsight_bias
        
           | monksy wrote:
           | When you build a product, your customers expect, and pay, you
           | to be an expert and dedicated to that domain. Not some kind
           | of fly by night scam.
        
             | zibby8 wrote:
             | This is such a ridiculous take I'm having trouble
             | understanding if it's satire or not.
        
               | renewiltord wrote:
               | When you write a comment, you have to be responsible.
               | Others might read it and take it seriously and your
               | advice might lead to death and dismemberment. If you
               | aren't willing to get insurance before commenting, don't
               | comment. Leave it to the professionals with licences.
        
         | monksy wrote:
         | This is more of what happens when you do the least effort to
         | build a product to make a buck. They're probably optimized for
         | the average happy path, however flooding isn't a concern until
         | someone gets upset.
        
         | munk-a wrote:
          | In most areas taxi companies use a zone-based system where cars
          | will flag what zone they're in (rarely automatically using GPS
          | and more often via button presses). This is an effort by the cab
          | company to keep their vacant vehicles well distributed to keep
          | a high response rate and increase customer turnover.
         | 
         | It also happens to have the side benefit that an operator
         | watching the flagged zones would be able to see this kind of an
         | issue happening in advance and maybe check into why every cab
         | is suddenly bee-lining it to zone 3.
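
hinkley's comment above argues that the convergence itself should have tripped alarms, and munk-a's describes the zone-based dispatch view an operator could watch. The Python below is an added example, not code from this thread, from Yandex or from any taxi dispatcher: it buckets ride orders into fixed time windows and flags any destination zone whose share of a window's orders is several times that zone's historical share. The zone names, rider account ids, thresholds and all order data are constructed for the example.

```python
"""Destination-zone convergence detector for ride orders.

Added example with constructed data; it is not YandexTaxi or HN code.
Baseline: what fraction of orders normally ends in each zone.
Detection: in each fixed time window, a zone that receives at least
`min_orders` orders and at least `ratio` times its baseline share is flagged.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Hypothetical dispatch zones (constructed; a real dispatcher has its own grid)
ZONES = [f"zone-{i}" for i in range(1, 11)]


@dataclass(frozen=True)
class Order:
    ts: int        # unix seconds when the order was placed
    account: str   # rider account that placed it
    zone: str      # destination dispatch zone


@dataclass(frozen=True)
class Alert:
    window_start: int  # unix seconds, start of the offending window
    zone: str
    orders: int        # orders to that zone inside the window
    accounts: int      # distinct accounts behind those orders
    share: float       # fraction of the window's orders going to that zone


def baseline_shares(history: Iterable[Order]) -> Dict[str, float]:
    """Fraction of historical orders ending in each zone ("normal" demand)."""
    counts = Counter(o.zone for o in history)
    total = sum(counts.values())
    return {zone: n / total for zone, n in counts.items()}


def detect_convergence(orders: Iterable[Order], baseline: Dict[str, float],
                       window_s: int = 600, min_orders: int = 20,
                       ratio: float = 4.0) -> List[Alert]:
    """Bucket orders into fixed windows and flag zones whose share of a
    window's orders is at least `ratio` times their baseline share.
    A zone absent from the baseline has an expected share of 0, so any
    window with `min_orders` orders to it is flagged."""
    buckets: Dict[int, List[Order]] = {}
    for o in orders:
        buckets.setdefault(o.ts - o.ts % window_s, []).append(o)

    alerts: List[Alert] = []
    for start in sorted(buckets):
        batch = buckets[start]
        by_zone = Counter(o.zone for o in batch)
        for zone, n in by_zone.items():
            share = n / len(batch)
            if n >= min_orders and share >= ratio * baseline.get(zone, 0.0):
                accounts = {o.account for o in batch if o.zone == zone}
                alerts.append(Alert(start, zone, n, len(accounts), share))
    return alerts


def constructed_history(start: int = 1_661_990_400, minutes: int = 50) -> List[Order]:
    """A normal period (constructed): ten orders per minute, one to each zone."""
    return [Order(start + m * 60, f"rider-{(m * 10 + j) % 200}", zone)
            for m in range(minutes) for j, zone in enumerate(ZONES)]


def constructed_incident(start: int = 1_662_055_200) -> List[Order]:
    """Ten minutes (constructed): 30 background orders spread over all zones,
    plus 40 orders from 32 distinct accounts all bound for zone-3."""
    background = [Order(start + i * 20, f"rider-{i}", ZONES[i % 10]) for i in range(30)]
    flood = [Order(start + 5 + i * 12, f"hijacked-{i % 32}", "zone-3") for i in range(40)]
    return background + flood


if __name__ == "__main__":
    base = baseline_shares(constructed_history())
    for a in detect_convergence(constructed_incident(), base):
        print(f"window {a.window_start}: {a.orders} orders ({a.accounts} accounts) "
              f"to {a.zone}, {a.share:.0%} of the window vs {base[a.zone]:.0%} baseline")
```

On the constructed incident the detector raises one alert for zone-3 (43 of 70 orders in the window, against a 10% baseline) and stays quiet on the normal history. The thresholds are deliberately coarse; a production rule would compare against a time-of-day baseline so that a stadium letting out does not look like an attack, and the distinct-account count is reported so an analyst can cross-check those accounts against recent logins and account age, which this example does not model.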
        
       | jetzzz wrote:
       | Message from hackers at the driver's phone says: "Girls and guys,
       | stop feeding the yellow, work with Wheely".
        
       | aaur0 wrote:
       | Someone hacked #YandexTaxi and ordered all available taxis to
       | Kutuzov Prospect in Moscow. Now there is a huge traffic jam with
       | taxis. It's like James Bond movie.
        
       | DonHopkins wrote:
       | Elevator Pitch:
       | 
       | jammr.com: It's like Uber for Traffic Jams!
        
         | EwanG wrote:
         | I suspect you're kidding, but you know, having lived through a
         | few very long traffic jams I could imagine some scenarios where
         | I'd be willing to pay for:
         | 
          | 1) Rickshaw or cargo bike with a narrow pull-along trailer to
          | let me use the bathroom
          | 2) Similar setup with food and drink
          | 3) Similar setup with a few gallons of gas if I've gotten a bit
          | too close to empty
          | 4) More expensive (XL?) version of the service where I am
          | getting delivery from a helicopter (since drones flying over
          | congested traffic is not an FAA approved delivery method)
         | 
         | You might not be able to make this a daily thing, but when
         | things get bad I suspect the margins might be unreal.
        
         | [deleted]
        
       | squarefoot wrote:
       | Quite surprised that Uber still operates in Russia given the
       | situation.
        
         | Gunnerhead wrote:
          | Uber was selling its stake back in February [1]. Not sure of
          | the results of that, but maybe it's a contractual licensing
          | issue?
         | 
         | https://www.bloomberg.com/news/articles/2022-02-28/uber-to-a...
        
       | rdxm wrote:
        
       | donkarma wrote:
       | is this the future of self driving cars?
        
         | unixbane wrote:
          | There were already such bugs before, and my analysis is that
          | even the older ECU cars before the 2000s had such bugs, just
          | nobody bothers to look for them (also ECUs have been causing
          | deaths from bugs but they just assume it's the driver's fault).
          | Self driving cars will be the next order of magnitude of
          | problems. ECU 1x, smart 10x, self driving 100x.
         | 
         | > In July 2015, IT security researchers announced a severe
         | security flaw assumed to affect every Chrysler vehicle with
         | Uconnect produced from late 2013 to early 2015.[120] It allows
         | hackers to gain access to the car over the Internet, and in the
         | case of a Jeep Cherokee was demonstrated to enable an attacker
         | to take control not just of the radio, A/C, and windshield
         | wipers, but also of the car's steering, brakes and
         | transmission.[120] Chrysler published a patch that car owners
         | can download and install via a USB stick, or have a car dealer
         | install for them.[120]
         | 
         | > https://en.wikipedia.org/wiki/Chrysler#Chrysler_Uconnect
        
         | xwdv wrote:
         | No, the future is to command all self driving cars to
         | immediately accelerate to 100 mph and do not stop for whatever
         | reason no matter what. Pure remote code execution.
        
         | nytesky wrote:
         | I've had this worry for years of a state level attack via
         | network connected FSD cars. But I'm hardly alone, it was shown
         | in a Fast and Furious movie, so people are thinking of it.
        
           | donkarma wrote:
           | oh yeah that was the first thing I thought of when I saw this
        
           | _jal wrote:
           | First mention of using driverless vehicles as weapons I
           | recall was _Daemon_ by Daniel Suarez.
           | 
           | https://en.wikipedia.org/wiki/Daemon_(novel_series)
        
             | gpm wrote:
             | IRobot (the film) predates that and uses the idea
             | https://en.wikipedia.org/wiki/I,_Robot_(film)
             | 
             | I forgot if any of the IRobot short stories used the
             | concept - if they do they would predate the movie.
        
               | plasticchris wrote:
               | https://en.m.wikipedia.org/wiki/Sally_(short_story)
               | 
               | First mention of self driving cars becoming sentient and
               | turning on humans I'm aware of, from 1953!
        
             | wsinks wrote:
             | Maybe one day I'll re-read Daemon. A book not so far ahead
             | of its time.
             | 
             | Might feel a little too close to home to re-read.
             | 
             | I'll never forget the gig worker assembly scene.
        
             | hendrikrassmann wrote:
             | Don't forget the eighth 'The Fast and the Furious' movie.
        
         | [deleted]
        
         | quantumduck wrote:
         | Not the future, it did already happen, albeit on a smaller
          | scale with Cruise: https://www.thedrive.com/news/a-swarm-of-self-driving-cruise...
         | 
         | The worst part is they were never really transparent about what
         | the issue was.
        
         | marginalia_nu wrote:
         | Beep beep, motherfucker!
        
         | reaperducer wrote:
         | _is this the future of self driving cars?_
         | 
         | My prediction: Ransomware hits self-driving cars.
         | 
         | You're locked in the car until you Venmo the bad guys some
         | credits.
         | 
         | To encourage compliance, the stereo starts playing the sound of
         | running water.
        
         | fffobar wrote:
          | And the future of the planned 6th generation unmanned combat
          | aircraft ...
        
         | LinuxBender wrote:
         | I think you are right. I think the unknowns are, how tiny will
         | the script be that commands all the cars into a lake and will
         | it be a cloud hack or a local broadcast hack?
        
           | netsharc wrote:
           | First, a command to download updated GPS maps that says
           | "There's now a bridge over that lake"...
        
             | rurp wrote:
             | Yep, I've had Google Maps direct me to drive into a wall or
             | an empty field more than a couple times over the years.
             | It's not uncommon for people to get stranded or even killed
             | by blindly following bad GPS directions. The maps are often
             | quite bad in less traveled areas. And these are the non-
             | malicious cases!
        
           | aaaaaaaaata wrote:
           | How about just driving you by billboards on, or for, Alphabet
           | controlled properties?
        
       | doesnotexist wrote:
       | Needs this music
       | https://www.youtube.com/watch?v=JEyEkbOlMfA&t=690s
        
         | crtasm wrote:
         | and then some https://www.youtube.com/watch?v=07tYdd7drSE
        
       | aaron695 wrote:
        
       | inasio wrote:
       | Back in the day (1960s?) two relatives of mine had a prank battle
        | going on. One of them posted an ad in the local newspaper
       | offering to buy old Christmas trees, at the address of their
       | adversary. Half the city showed up, were told trees were not in
       | fact being bought, and everybody dumped the trees at their door.
        
         | meibo wrote:
         | Seems like a great way to stock up your firewood supply for the
         | next winter, if you manage to target it in a way that doesn't
         | cause half the city to show up, but maybe a little less than
         | that?
        
           | zeven7 wrote:
            | Pine is really smoky and burns fast
        
           | eropple wrote:
           | It's not. You don't want to burn softwoods; they're resinous
           | and create a ton of smoke.
        
             | marssaxman wrote:
             | A pile of Christmas trees makes for a _terrific_ January
             | beach bonfire.
        
       | jbverschoor wrote:
       | Someone also seems to have hacked this post on twitter... it's
       | not loading
        
         | gaius_baltar wrote:
         | Some nitter instances also show it:
         | https://nitter.42l.fr/runews/status/1565319649683804160#m
         | 
         | You can also search for #YandexTaxi :
         | https://nitter.42l.fr/search?q=%23YandexTaxi
        
         | edm0nd wrote:
         | https://www.bleepingcomputer.com/news/technology/twitter-is-...
        
         | [deleted]
        
         | r721 wrote:
         | Yeah, there's a spike on downdetector's chart:
         | https://downdetector.com/status/twitter/
        
       | Barrin92 wrote:
        | This is also something that's oddly absent from the self-driving
        | debates. Mass deployment of the same models or APIs in automated
        | systems is very brittle because it means errors are highly
        | correlated. It's like a form of central planning.
        | 
        | Individual drivers or individual taxi firms in a market, due to
        | their decentralization, are much more robust to any kind of
        | individual failure.
       | 
       | People often ask "is the car smarter than the driver?" but the
       | correct question would be if the car, or system is more diverse
       | than the aggregate knowledge of _all_ the participants.
        
         | karmanyaahm wrote:
         | Yes. Additionally, this is a commonly cited win of cars in cars
         | v. public transport. You can take your car anywhere in the
         | zombie apocalypse*, whereas any system that requires central
         | planning (trains) are more likely to break.
         | 
         | Making cars (human or machine driven) depend on a centralized
         | service basically takes away that advantage.
         | 
         | * assuming you have enough fuel/battery
        
       | r721 wrote:
        | Google-translated Kommersant article: https://www-kommersant-ru.translate.goog/doc/5538017?_x_tr_s...
        
       | smm11 wrote:
       | Daemon, by Daniel Suarez. Not to ruin it, but computers summon
       | all smart cars at once for a task.
        
         | eps wrote:
         | That was not a very good book.
        
           | noir_lord wrote:
           | I enjoyed it but it was a case of his ability to come up with
           | interesting ideas exceeding his abilities as a writer.
           | 
           | It desperately needed a better editor.
        
       | hangsi wrote:
        | This reminds me of a classic (non-internet powered) version of
        | this where every business in London was sent to some unsuspecting
        | resident's address in order to win a bet, clogging the streets in
        | the process: The Berners Street Hoax of 1810.
       | 
       | https://en.wikipedia.org/wiki/Berners_Street_hoax
        
         | googlryas wrote:
          | Just to point out some possibly ambiguous phrasing, but the
          | person pulling the prank was trying to win the bet - the
          | tradespeople and visitors were called there to use their
          | services (i.e. chimney sweeps thought they were going to sweep
          | a chimney), not that they themselves were going to claim some
          | prize.
        
       | wmeredith wrote:
       | What does "all available" mean in this context? YandexTaxi
       | operates in 1000+ cities and is connected to 700,000 drivers.
        
         | MaKey wrote:
         | This happened in Moscow, so probably all available taxis in
         | Moscow.
        
           | gdy wrote:
           | Nope, just dozens of taxi app accounts were hacked and used
           | to order taxis to the same street. That's a tiny fraction of
           | over 70'000 taxis in Moscow.
        
       | unixbane wrote:
        | lol get rekt. I wish business people would immediately imagine
        | this every time a software product is pitched to them
        
       ___________________________________________________________________
       (page generated 2022-09-01 23:00 UTC)