back to article GitHub ordered to hand over access logs to Uber

GitHub has been ordered to hand over records on some of its users to taxi-booking app Uber after unsuccessfully challenging a subpoena. Last month, Uber announced its driver database had been hacked in May 2014, but it had only noticed in September of that year. Uber discovered that a supposedly secret database access key had …

  1. This post has been deleted by its author

    1. This post has been deleted by its author

  2. Anonymous Coward
    Anonymous Coward

    Company leaves keys in front door of premiss (for 5 months), gets robbed and brings surrounding businesses to court for access to their 7 months of CCD recordings in case the robber was stupid, not wearing a balaclava and hanging around in the parking lot kicking at their front door for two months before they left the keys in the front door.

    To me it sounds like something that the police should be doing and not an incompetent privately held company that gives away the keys to their own data. They should not be allowed access to any data that they do not own, and probably not even the data that they own. They will probably just publish it all as well. *facepalm* stupid judge, what happened to common sense, when did it become an endangered species ?

    This company deserves to be fined out of existence by a data protection agency for their incompetence, shame that they are based in the US where there is no data protection. But they do operate in some countries with strict data protection laws. They should be in some hot water.

    1. bazza Silver badge

      It might be a typical American company with an American attitude towards its corporate responsibilities, but its offices abroad have to play by the local laws. They have an office in Amsterdam which can probably be sued by any EU citizen.

      It is amazing how the USA doesn't have any useful data protection laws. Presumably businesses over there lobby against such things. Doing so is self defeating in the long run. Sure, they don't want to have to do 'data protection' because it is a cost item on their balance sheet, which harms their profit margin. But that's nothing compared to being wiped out as a company because your clients have got fed up with doing business with you.

      If there was a law saying that you had to bear data protection costs as a normal part of your business then so would your competitors. Then you would be less likely to lose the faith of your clients and would not be disadvantaged by your competitors. That's a far safer business proposition than saying "meh, we'll take the chance". Which is what Uber have done to date and are now suffering the consequences.

      They are going to have to do something about their poor reputation sooner rather later. Taking short cuts on safety, privacy and licensing will ultimately wipe them out. There's a reason why countries have cab licensing laws; they are for the protection of the public and the cab company.

      Hypothetical scenario: Cab driver commits a string of hideous crimes, victims cannot sue his licensed employer because being licensed means they take all reasonable precautions. But victims could sue an unlicensed employer like Uber because by definition they are not taking all reasonable precautions. Uber's business model is the latter, and they're taking a bet that all of their drivers will never be serial rapists, etc.

    2. Anonymous Coward
      Anonymous Coward

      Maybe going forward, Github should turn off all visitor logging.

  3. Sanctimonious Prick
    Devil

    What If...

    They (Uber) find that it was "Canuck Intelligence" masquerading as Chinese hackers, masquerading as North Korean hackers? Oh, much fun.

    1. bazza Silver badge

      Re: What If...

      What if we're one of Uncle Sam's numerous intel agencies?!

  4. Kevin McMurtrie Silver badge
    Childcatcher

    So... I can check my private security key into GitHub, wait for my computer to get hacked, and then I have a right to spy on GitHub's visitors?

    1. JDX Gold badge

      If you leave your car unlocked it's still a crime for someone to steal things from it.

      1. DropBear

        "If you leave your car unlocked it's still a crime for someone to steal things from it"

        Surely that entitles me to burst into the supermarket who's lot I had my car parked on, demanding they immediately hand over CCTV recordings from any camera pointed towards my car, or else.

        1. Tom 13

          Re: demanding they immediately hand over CCTV recordings

          If you're car was stolen there, yes, with the caveat that it has to be between the time you parked your car in the lot and the time you noticed it was stolen. The area is public, they've recorded something in that area, and the recordings are material evidence in the commission of a crime.

      2. Anonymous Coward
        Anonymous Coward

        If you leave your car unlocked it's still a crime for someone to steal things from it.

        Data is not "Stolen", it is "Copied" - It takes about five years of university studies for layers to get that wrong, you got in only one line ;-)

  5. Anonymous Coward
    Anonymous Coward

    The Cloud....

    Apparently now means using other people's computers to store your data and making them accountable for identifying people who access it.

    1. Oninoshiko

      Re: The Cloud....

      That's kinda what it always meant.

  6. clocKwize
    Facepalm

    Where does the fault lie?

    "secret access key" to the database... You mean password.

    Posted to a gist, which was probably a secret gist, but it's still accessible by anyone who knows the url... I'm assuming they are trying to find the engineer who probably accidentally posted it with a paste of some code.

    Is it their fault alone? Probably not.. Keys should be stored in configuration files or ENV, not code. If that was the case the whole team is responsible for never fixing that massively bad practice

    1. Anonymous Coward
      Anonymous Coward

      Re: Where does the fault lie?

      "secret access key" to the database... You mean password.

      Perhaps you mean "passphrase"? Could it possibly be that the access key that was used is akin to an ssh key??

  7. Anonymous Coward
    Anonymous Coward

    Time for GitHub Europe?

    This sets a dangerous precedent, even by the standards of the American software-security landscape.

    Many European companies host projects on GitHub which under the increasingly draconian laws may be at some point in the future considered 'illegal'. We all know by now that the US Gov does not operate according to its own already lax laws with regard to probable cause, jurisdiction, etc.. but this now means that any European company or project can be held hostage to some crackpot startup like Uber for any reason whatsoever.

    If Github wants to survive, they seriously need to consider pulling a LavaBit and acting fast - they have 30 days to incorporate a business presence somewhere in the EU, arrange hosting, and begin migrating their infrastructure. They need to shut down all operations in the US and relocate their employees, leaving only a P.O. Box to receive their sundry court orders, which they can then process at their leisure under EU legal protection.

    1. Charlie Clark Silver badge

      Re: Time for GitHub Europe?

      You mean something like Gitlab?

      For anything really important you can't beat hosting your own stuff.

      1. Anonymous Coward
        Anonymous Coward

        Re: Time for GitHub Europe?

        How come I've never heard of this? Thanks for the tip.. this industry is harsh when your customers and just pick up and go with a click of the mouse.

        At any rate, the point remains, Github has to at least evacuate their company officers before they get hit with legal process and end up marooned in the US like the LavaBit guy..

        1. Charlie Clark Silver badge

          Re: Time for GitHub Europe?

          Somebody else had to tell me about it. Part of the problem with the current crop of VC funded stuff is the way the media gets co-opted to talk about the companies and products. There was a terrible article on El Reg in this vein a while back about Github being the essentially the only viable choice for repositories because of "the network effect".

          Personally, apart from the fact that choice is good, I also prefer Mercurial over Git for VCS. But I also have a reasonably intense dislike of the GitHub UX. I also went as far as reading the T&C's and deciding I prefer the Bitbucket ones (Atlassian is clever enough to be selling technology not just a userbase).

  8. Ian Michael Gumby

    Uber using github?

    So, riddle me this...

    You're a for profit company and you store your secret sauce on a third party's system?

    Granted there are two types of repositories, public and private. If you're using a free repository, then its public and anyone can view your code. If you're using a private repository, then you're paying for the privilege of only letting certain people to access your code.

    Assuming that Uber isn't that stupid of a company and is paying for the use of a repo, then they have the rights to GitHub's logs on who accessed what when it comes to specific and relevant accounts.

    1. Charlie Clark Silver badge

      Re: Uber using github?

      SaaS is all the rage in the states at the moment. I know lots of companies who have no infrastructure just lots of faith in "the cloud".

      However, I'm not sure this is relevant here as the item in question may not have had anything to do with a repository. Gist's are Github's pastebins. Really quite worrying if someone did copy some access codes to a gist rather than a properly anonymised pastebin or hackers forum. Be that as it may, you'd really hope it wouldn't make much difference with 2FA for anything sensitive and virtually no straight online access to the database. Really trying hard to think when that would ever be needed. Then again, slick UIs are all you seem to need nowadays to hoover up the VC cash.

  9. Anonymous Coward
    Anonymous Coward

    so..

    "hand over your logs because it's no big effort for you to hand over your logs"?

    1. Tom 13

      Re: so..

      No, because there's probable cause to investigate a crime.

      There's nothing in this article that suggests Uber were storing their secret sauce on GitHub (or even that one of their coders* used GitHub), only that part of their secret sauce which is identifiable as secret has been found in a public area of GitHub.

      *Because yes, as insane as it sounds I am aware of a coder working on a project downloading a piece of hacking software to install on his local PC because the IT staff protected parts of the network. Yes, he was summarily fired when it was discovered. No he wasn't prosecuted because there were enough f*ckups on the part of the IT staff that he would have been able to mount a defense (how did he get the rights to install the software in the first place?) Given this, I have no trouble imaging a developer using unauthorized resources to perform his work.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like