FTC says Uber took a wrong turn with misleading privacy, security promises (ftc.gov)
102 points by artsandsci on Aug 15, 2017 | 28 comments



This isn't an Uber problem, it's a startup tech problem: no one wants to take security seriously because it's a cost sink that only averts risk and does not actually make a company revenue. I have seen SSNs stored insecurely, open APIs with customer data, old frameworks and languages that no longer receive security patches. Nearly every startup says they take security seriously, because that's the right answer to say, but very, very, very few actually do. This is just another minor blip in the otherwise very large system of data available everywhere. Your data is not safe, trust me on that.


People right here on HN advocate against start-ups taking security seriously because it slows them down. Really bugs me.


That's standard issue advice. "No company ever failed because of a security breach."


Mt. Gox failed due to a security breach.


Well, I imagine that's an edge case. Most startups aren't handling money (sans payments, of course).


No, but most start-ups are handling their customers' data and that translates into substantial value.


I've done InfoSec for a bunch of startups; none seem to grasp the importance of security by design and how it can play an integral role in the business. It's exhausting to have to battle a neon-haired developer that wants to just write code (rightfully so), not following a process or standards, often engaging in arguments just to be right. Imagine one person going around asking an entire engineering org to create security priorities until business gets a hold of those and comes back to yell at you for delaying sprints. Yep, that's InfoSec for you. Also, any business that says "We take security seriously" isn't. That's boilerplate they plucked out of the legalese to CYA.


This.

Nothing is secure by design because anyone that can make it secure by design can get a job somewhere they're taken seriously.


I certainly agree with your comment, since it reflects my experience in a lot of cases. But

  "We take security seriously"

Why would such a statement legally cover your ass? From a legal perspective it sounds as dubious as warnings on a truck: "Stay back 10 metres. Truck is not responsible for damage."


I can't disagree. However, it doesn't deter businesses from using it, as it demonstrates intent to maintain a certain security posture, regardless of how ill-conceived that posture might be. That said, the statement is touchy-feely, and will more than likely not hold true in a court of law when pressure tested.


edit: ah, never mind, just a reference that went over my head


It's a play on words about the pointy-haired boss.


I meant no offense to those with neon-colored hair; correct on the PHB read. Also, Wally is based on a person I worked with. Apparently, he worked with Scott Adams back in the PacBell days.


Aw, I feel bad about pointing it out now. I don't even have neon-colored hair, but perhaps I am a bit jealous of the people who do.


This is largely a usability issue. There have been folks in the performance community complaining in the same way for years. Then all of a sudden React comes along and lots of people started talking about performance because the framework made their primary task (building a website) easier.

Security is much harder than it needs to be currently. Every time I deal with an OpenSSL error I die a little inside. We have scam "security researchers" distracting us on Twitter with spurious reports every week.

Asking people to "think more" is a lost cause. We need better tools that make it easier to solve problems in the critical path that encourage more secure defaults than the last ones did. Most other solutions are unlikely to make an impact.


This isn't a startup tech problem, it's a startup customer problem. No customer wants to pay significantly more for a good or service to ensure that the company takes security seriously, because they want the lowest cost.


It may be a good idea to not pull such a shitty in an EU country from May 2018.

According to the General Data Protection Regulation (2016/679), apart from regular audits you may run into the following consequences:

a fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater (Article 83, Paragraphs 5 & 6).

Ask companies like Microsoft, Volkswagen, Renault, Daimler or Google and they can assure you that the responsible entities don't look kindly at corporate bullshit PR statements, which the likes of Uber seem so fond of.


The GDPR is going to be a big blow for the European tech startup scene. For companies in the US, they can just enter Europe once they've addressed its requirements. European companies on the other hand need to implement it from day one.

The fine is interesting because it is easy to minimize by creating a subsidiary per country. That very effectively shields annual worldwide turnover.


The craziest part to me:

"As a result of the failures described in Paragraph 18, on or about May 12, 2014, an intruder was able to access consumers’ personal information in plain text in Respondent’s Amazon S3 Datastore using an access key that one of Respondent’s engineers had publicly posted to GitHub, a code-sharing website used by software developers. The publicly posted key granted full administrative privileges to all data and documents stored within Respondent’s Amazon S3 Datastore."

https://www.ftc.gov/system/files/documents/cases/1523054_ube... Page 5
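The two failures the quoted paragraph describes are a credential committed to a public code host and that credential carrying blanket privileges over every object in the datastore. Below is an added example, not code from the FTC filings or from Uber, of the kind of pre-commit check a defender would run to catch both before a push: it scans file contents for AWS access key material and flags IAM policy documents whose Allow statement pairs a wildcard action with a wildcard resource. The function names, the sample repository and the file paths are hypothetical constructions; the credential strings are AWS's own documented placeholder values, not live keys.

```python
"""Two repository checks a defender would run before code reaches a public host:
   1. does any committed file contain AWS credential material?
   2. does any committed IAM policy grant blanket access ("*" or "s3:*" on Resource "*")?
A constructed sample repository is embedded below so the script runs offline."""
import json
import re
from typing import Dict, List

# Long-term access key IDs start with AKIA (temporary ones with ASIA), then 16 upper-case alphanumerics.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys are 40 base64-style characters; requiring an assignment to a "secret key"
# style variable name keeps random 40-character strings (hashes, tokens) from being reported.
AWS_SECRET_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def scan_for_keys(filename: str, content: str) -> List[dict]:
    """Return one finding per credential-looking match; the secret itself is never echoed back."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), 1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append({"file": filename, "line": lineno, "kind": "aws_access_key_id",
                             "hint": m.group(0)[:4] + "..."})  # prefix only: enough to locate it
        if AWS_SECRET_RE.search(line):
            findings.append({"file": filename, "line": lineno, "kind": "aws_secret_access_key",
                             "hint": "<redacted>"})
    return findings


def _as_list(value) -> list:
    # IAM accepts a single string wherever a list is valid; normalise so the check is uniform.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_grants_blanket_access(policy_json: str) -> bool:
    """True if any Allow statement pairs a wildcard action ("*" or "s3:*") with Resource "*"."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        resources = _as_list(stmt.get("Resource"))
        if actions & {"*", "s3:*"} and "*" in resources:
            return True
    return False


def audit_repo(files: Dict[str, str]) -> Dict[str, list]:
    """Run both checks over a {path: content} mapping, e.g. the staged files in a pre-commit hook."""
    report = {"leaked_keys": [], "blanket_policies": []}
    for path, content in files.items():
        report["leaked_keys"].extend(scan_for_keys(path, content))
        if path.endswith(".json"):
            try:
                if policy_grants_blanket_access(content):
                    report["blanket_policies"].append(path)
            except (ValueError, AttributeError):
                pass  # not an IAM policy document; ignore it
    return report


# Constructed sample repository (hypothetical paths). The credential values are AWS's documented
# placeholder examples (AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY), not live keys.
SAMPLE_REPO = {
    "settings.py": (
        'S3_BUCKET = "rider-exports"\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY"\n'
    ),
    "iam/uploader-policy.json": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
    }),
    "iam/scoped-policy.json": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                       "Resource": "arn:aws:s3:::rider-exports/*"}],
    }),
    "README.md": "Internal tooling. Credentials come from the instance role, never from this repo.\n",
}

if __name__ == "__main__":
    print(json.dumps(audit_repo(SAMPLE_REPO), indent=2))
```

Wired into a pre-commit hook, a non-empty `leaked_keys` list should block the commit outright; the policy check is a softer signal, but a key whose policy passes it would at worst have exposed one bucket prefix rather than, as in the quoted paragraph, every object in the datastore.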


From the article:

For a particular six-month period, Uber only monitored access to the account information of a select group. Who? Certain high-profile users, including Uber executives.

What was the upshot? In May 2014, an intruder used an access key an Uber engineer had publicly posted on a code-sharing site to access the names and driver’s license numbers of 100,000 Uber drivers, as well as some bank account information and Social Security numbers. The FTC says Uber didn’t discover the breach for almost four months.

The proposed settlement prohibits Uber from misrepresenting its privacy and security practices. It also requires Uber to put a comprehensive privacy program in place and to get independent third-party audits every two years for the next 20 years. You can file a public comment about the settlement until September 15, 2017.

The complaint: https://www.ftc.gov/enforcement/cases-proceedings/152-3054/u...

Links from complaint:

Agreement Containing Consent Order (19.87 KB) https://www.ftc.gov/system/files/documents/cases/1523054_ube...

Decision and Order (57.66 KB) https://www.ftc.gov/system/files/documents/cases/1523054_ube...

Complaint (35.88 KB) https://www.ftc.gov/system/files/documents/cases/1523054_ube...

Complaint Exhibits A and B (1.2 MB) https://www.ftc.gov/system/files/documents/cases/1523054_ube...

Analysis of Proposed Consent Order To Aid Public Comment (56.14 KB) https://www.ftc.gov/system/files/documents/cases/1523054_ube...

Press release: Uber Settles FTC Allegations that It Made Deceptive Privacy and Data Security Claims https://www.ftc.gov/news-events/press-releases/2017/08/uber-...

Settlement agreement quote:

Under its agreement with the Commission, Uber is:

prohibited from misrepresenting how it monitors internal access to consumers’ personal information;

prohibited from misrepresenting how it protects and secures that data;

required to implement a comprehensive privacy program that addresses privacy risks related to new and existing products and services and protects the privacy and confidentiality of personal information collected by the company; and

required to obtain within 180 days, and every two years after that for the next 20 years, independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order.


> prohibited from misrepresenting how it monitors internal access to consumers’ personal information;

I don't understand why one would need an agreement between Uber and the FTC explicitly mentioning this. Is it not illegal if a company misrepresents its compliance to the regulator?

> required to implement a comprehensive privacy program …

> required to obtain within 180 days, and every two years after that for the next 20 years, independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order

This is worth noting; it clearly alludes to a need for a "privacy champion" (or "privacy engineer/compliance officer/deputy CIO") for any business that deals with sensitive (to regulatory compliance) personal information. It's not enough to write a token "/about/privacy.html" and relegate any and all of the system requirements that arise due to regulatory compliance.

I hope other startups take note of this, and plan to allocate resources to this in their roadmap. I don't care when exactly you plan to do it; make sure it's there in your TODO list of things before the regulator comes knocking on your doors.

Also, I was unable to find any number or estimate of cost of compliance mentioned in the settlement. I would really prefer when a government agency agrees to settle with a business they make it public how much the business was fined as well as the future cost of compliance. This information would hopefully make it clear to future businesses to take privacy issues seriously.


> I don't understand why one would need an agreement between Uber and the FTC explicitly mentioning this. Is it not illegal if a company misrepresents its compliance to the regulator?

Breach of a consent order is a fast track into the court supervising the order, and the terms are usually more specific (and thus easier to demonstrate) than the underlying law, and violating the consent order can risk basically reopening the original litigation with its full potential consequences (not just those for the narrow violation the provision of the order at issue would involve under the bare law), so often consent orders will have restrictions that are special cases of restrictions that already exist in law.


Right, this is completely about keeping it within the continuing jurisdiction of the court.


There is a privacy engineering team at Uber.


Mind-boggling, huh?

Imagine how deep the hands go or who is on Uber's side that the result of the FTC settlement is a statement that forbids Uber from... breaking the law. Amazing! Me and you would be heading to jail for the claims they did. Not Uber.

It also somehow reminds me of the 9/11 commission. It eventually got so sidetracked that the result of the findings was that pretty much two planes hit towers and then they collapsed. End of investigation.


I mean, isn't the whole "you gon' get audited for decades" bit how this usually goes? The audit is the actual teeth here; if the auditor finds issues any time in the next decade, they start assigning fines, like in the 10k per infraction per day-not-yet-fixed range or something.


(1) how do you propose to 'jail Uber'?

(2) this is a pretty good ruling in that it can't put the horse back into the barn but it can make sure Uber ups their game.

(3) this has absolutely nothing whatsoever to do with 9/11, either peripherally or through analogy, and misrepresenting the findings of the 9/11 commission to this extent is pretty poor. I have some friends who are total conspiracy nuts when it comes to 9/11 and even they do a better job than this.


Just enough example of how truly awful Uber is.



