Friday, 12 January 2018

Uber’s Secret Tool for Keeping the Cops in the Dark

quote [ At least two dozen times, the San Francisco headquarters locked down equipment in foreign offices to shield files from police raids.

they’d been trained to page a number that alerted specially trained staff at company headquarters in San Francisco. When the call came in, staffers quickly remotely logged off every computer in the Montreal office, making it practically impossible for the authorities to retrieve the company records they’d obtained a warrant to collect. The investigators left without any evidence. ]

Diabolically effective response to the fact that uber's business model invites police raids.

[SFW] [business] [+4]
[by HoZay@5:17amGMT]

Comments

rndmnmbr said @ 6:47am GMT on 12th Jan [Score:5 Underrated]
I'll argue the opposite of foobar. Uber runs by the playbook of a gypsy cab company, deliberately flouts well-considered local cab regulation, dumps maintenance and insurance costs off on ill-prepared and ill-informed drivers, and expects to get away with by wrapping it up in the mystique of a Silicon Valley startup with a nice app. I'm sure the "jackbooted thugs" had a proper search warrant, and Uber is deliberately obstructing justice. The sooner that company is dismantled and ground to dust under the government's heel as a warning to all others who think they can flout safety and regulation, the better.
foobar said @ 4:27pm GMT on 12th Jan
Obviously they didn't have a valid warrant, otherwise they'd either have what they wanted or Uber would be held in contempt of court.

You can't on the one hand criticize Uber for maybe possibly violating some arcane local regulation, and not even directly, but by proxy, and then absolve the government of following due process.

And I don't know how you can possibly call any cab regulation "well considered" with a straight face.
Taxman said @ 10:52pm GMT on 12th Jan
That has to be the laziest argument ever.

A warrant is invalid because the suspect has thwarted the ability to search and seize?

So I assume a la Grand Theft Auto, if you get away from the cops after robbing a bank you haven’t committed a crime because procedure says you were supposed to be arrested.

Workers on site are not held in contempt because the “lockers” of the machines are remotely doing so. On site personnel will most likely correctly claim they do not have the keys to unlock the computers. The people locking the computers (and the person that made the page/call) are most definitely obstructing justice.

I know hating on the government is low-hanging fruit but how about we pretend to have the illusion that the agency that got a judge to sign off on a warrant wasn’t doing so just to stick it to the innocent little company that’s just trying to get by.
5th Earth said @ 12:49am GMT on 13th Jan
I think what Foobar was trying to say is, if the warrant was valid and Uber had the thing they warrant was for, then one of two things would have happened:

1: The investigators would have obtained what they were looking for.
2: Uber would be held in contempt for failing to produce what the investigators were looking for.

Since neither of these things happened, one of these things is implied to be true:

1: The investigators could not prove the existence of what they were looking for.
2: Uber actually didn't have it.
3: The warrant was invalid or in some way deficient.

In any case, it remains to be seen if any contempt charges will be brought.
Taxman said @ 1:33am GMT on 13th Jan
Oh no, I understand what he was saying.

Where I disagree is that search warrants do not have to be as specific as he seems to imply. That, somehow, if ANYTHING is different than what was expected is found we all throw up our hands and have to go home.

Also, a suspect is not required to cooperate. That is their right. You are detained, interviewed, and have the right to remain silent. The search has been planned long before we physically arrived and several scenarios have been planned out.

If you think by the time we've gotten a warrant we NEED you to cooperate to make our case, more surprises are coming your way.

Furthermore, if you think that we show up to search your "safe" and the door clunks shut and you grin and say "Woops I don't have the key" that:

A) That somehow makes the warrant deficient (?)
B) That it proves you don't have the search target because we can't access it
C) You're off the hook and the case is closed

Guess again.
5th Earth said @ 1:50am GMT on 13th Jan
Oh, I agree they are not off the hook. At a minimum, the investigators are going to get a new warrant and try again. And I'm sure Uber has something to hide. But clearly something went wrong because the investigators didn't get what they want and no one is being detained (yet).

Re: deficient warrants, I mean that the warrant was, for example, too limited in its scope to cover the desired materials. I.e. The material were stored in a location not specified in the warrant. If you have a warrant to search my house, but the documents are in my safety deposit box at a bank, you're shit out of luck unless you get a warrant to search there too. I doubt the investigators are that stupid, but that's just an example.
Taxman said @ 2:53am GMT on 13th Jan [Score:1 Informative]
Foreign country apparently, so I'd have to get International's take on it.

I will admit that I am surprised (even in Canada) that they didn't take the physical computers.

Detaining is just for the scene. Again, the people on-site would, literally, probably no longer have access (key).

They went for the computers and basically got locked out because of a direct action by the suspect to an outside source (which is being reported on in the link). In THIS country that's obstruction and our AUSA's would have a field day.

Agreed that if our warrant specified your house I can't search your safety deposit box... but that implies I know about the safety deposit box... which would then be included in the original enforcement action request (warrant).
foobar said @ 3:36am GMT on 13th Jan
In this case the safety deposit box isn't within reach of the court that issued the warrant.
Taxman said @ 2:17pm GMT on 13th Jan
But it WAS within reach of the court that issued the warrant. The computers were there, unlocked. A foreign party remotely locked the computers specifically to prevent access. This is the same as you throwing illegal ledgers into a safe as we enter your property.

Our warrant is not suddenly invalid, our jurisdiction is not suddenly outside of reach.

Same thing if you throw your ledgers into the trunk of a car and drive down the street. My warrant is for 123 Main Street but the suspect fled. The post-op will show this. The warrant was valid, the suspect changed the expected situation.
foobar said @ 3:33pm GMT on 13th Jan
I think this is where you're misunderstanding. The data was on a server in San Francisco, not the local desktop.

If I'm on a long distance call with someone when served with a warrant, the person on the other end of the line isn't under any obligation to answer questions.
Taxman said @ 8:23pm GMT on 13th Jan
No, I read the article and have other ways of seeing what went on with the case.

For you, from the article:

“The Uber HQ team overseeing Ripley could remotely change passwords and otherwise lock up data on company-owned smartphones, laptops, and desktops as well as shut down the devices.

The accomplices that locked the computers were located at the San Francisco HQ.

They remotely locked down the computers on which the data was stored. Again, UBER complied.

In case there is any question:

From the same article: “The judge in the Quebec tax authority’s lawsuit against Uber wrote that “Uber wanted to shield evidence of its illegal activities” and that the company’s actions in the raid reflected “all the characteristics of an attempt to obstruct justice.””
foobar said @ 4:34am GMT on 14th Jan
That doesn't really add up. If it were just encrypted workstations, then they should simply be able to subpoena the key from the local office, and thus I don't understand the objection.

It's SOP in any data centric company to have at least some basic hardening against a physical attack on the office. That isn't obstruction of justice; the authorities can just deliver the warrant to the company's lawyer and whatever relevant data can be provided.

If they just burst in with guns and start grabbing workstations, a responsible company will have provisions to ensure that destroys data. You can't expect people to disable security procedures if you don't let them.

It kind of seems like this has been too filtered through technical illiterates to see what actually happened. Again, it's SOP to issue a remote wipe on a phone no longer in possession of the person that's supposed to have it. If they ignore the chain of command, they shouldn't be surprised if security protocols work as they're supposed to.

If anything, this shows that Uber is a little too lax security wise. If they'd been doing it right, they would no longer be able to hand over the data on those workstations. Of course anything important should be backed up, but it should not be retrievable from stolen equipment.
Taxman said @ 1:16am GMT on 15th Jan
I'm sorry it doesn't add up for you, however, it's how UBER had the offices set up in this case. The Quebec authorities came back for physical files off those computers the next day.

I have rarely seen SOP to be the destruction of data. In fact, UBER was quick to come out, in the same article, and tell the judge they didn't destroy the data.

In the US, 18 U.S. Code § 1519 can add up to 20 years onto your sentence if we already have you to rights through digital records.

I know the answer due to a colleague, but you should find it strange that there are no reported stories of UBER pulling this kind of activity in the US.

Furthermore, the government is not "stealing" when they seize items from civilians, they have a legal right to do so. You, on the other hand, do NOT have the right to destroy/lock that equipment just because it is in the government's possession. That is obstruction. As you can see, it didn't work out so well for UBER.
foobar said @ 2:20am GMT on 15th Jan
I have rarely seen SOP to be the destruction of data.

That is SOP when equipment with sensitive data goes missing. In some cases it's a legal requirement that data cannot be retrieved from equipment unless it's in authorized hands. Warrant or not, that's not some thug that just bursts in and takes the equipment. Whether you want to call that stealing or not isn't relevant, the procedures are going to be the same. Just because someone yells "Police!" doesn't mean they actually are.

This seems to me like the sort of wishful thinking that comes out of law enforcement circles for a form of encryption that's secure except to them. That's not possible. If the system is sound even under physical attack, it doesn't matter who's attacking.

That doesn't mean the government can't get data it has a legal right to. It just means it has to do it the way civilized people do, and through the proper chain of command and courts and lawyers, not thugs and guns.
foobar said @ 3:25am GMT on 13th Jan
There's a fourth implication, though it's really a subset of the third: Uber has the information, but not within the jurisdiction the warrant was issued.

A Quebec court has no more authority over something stored in San Francisco than you, I, or Judge Judy.

Contempt charges weren't brought. This happened over two and a half years ago. Uber Montreal cooperated with the court to the extent of its authority.
foobar said @ 3:35am GMT on 13th Jan
The people locking the computers (and the person that made the page/call) are most definitely obstructing justice.

The people locking the computers wouldn't be obstructing justice; neither local law nor local courts have any authority. A warrant issued by a Quebec court or a law passed by a Quebec legislature has no more force than one issued by me, personally.

The person making the call is more debatable, but it seems like there are plenty of ways around that.

I know hating on the government is low-hanging fruit but how about we pretend to have the illusion that the agency that got a judge to sign off on a warrant wasn’t doing so just to stick it to the innocent little company that’s just trying to get by.

It's not hating on the government to demand that they remain bound by the law. If they want access to something, they have to get a warrant from a court that has jurisdiction.
Taxman said[1] @ 2:49pm GMT on 13th Jan
Taking your illegal ledgers, throwing them in a safe, and locking the door as we enter the property is obstruction.

Hiring someone to lock that safe FOR YOU makes you guilty of obstruction, the other person is aiding/abetting the commission of a crime, and (because it’s a unit specifically created for this purpose) conspiracy to commit a crime.

Using foreign nationals to commit the crime from afar makes it a federal affair for both countries involved and adds some pretty serious ramifications.

As I said below, UBER surrendered everything the very next day after speaking to their counsel.

The story linked is romanticizing the idea that UBER (a company) was able to stop Canadian authorities (for a single day) using remote computer technology.
foobar said @ 5:54am GMT on 12th Jan [Score:1 Interesting]
There's absolutely nothing wrong with this. It's just good security, which I would certainly hope a company with as much personal information as Uber has would practice. It shouldn't be possible for thugs in jackboots to get at information, whether they're cops or not.

The rule of law applies at least as much to the government as to anyone else. They have to properly craft their warrants to target the information they want, by the law, and in the proper jurisdiction. That might not be the most convenient court to them.
Taxman said[1] @ 11:17pm GMT on 12th Jan
As you’ll notice in the article it says computers were locked in foreign offices. I can’t speak for their policies but I’d love to see them try that shit here to any of the common three lettered agencies.

We’d seize all of the equipment as evidence until the key was provided. It would either be imaged and cracked by our CIS’s or it would sit in our storage facilities aging like fine wine. Then next week/month when you replace all that equipment? Boom, another search and seizure.

Oh noes?! Locked again? Seized for evidence. Storage.

Man, this is getting expensive for one of us.

^ all within the rule of law.
foobar said @ 3:19am GMT on 13th Jan
Taxman said @ 2:24pm GMT on 13th Jan
You’re moving the goal posts, donnie.

The above article is about a warrant not compelling the seizure of emails stored in a foreign country.

In the Quebec case, the information was at the site the authorities showed up at. The computers (safes) were locked by remote parties to prevent access. The seizable material was still ON-SITE, but was now blocked behind a digital door.

To be clear, UBER surrendered the information listed in the warrant the very next day.

They are testing the boundaries of what they can do within the law. None of it is working in the US, according to counsel.

foobar said @ 3:34pm GMT on 13th Jan
See my comment above. It's exactly the same, the data was stored elsewhere.
Taxman said @ 8:33pm GMT on 13th Jan
Again, you’re incorrect. The data were on the computers themselves.

Uber’s excuse was that it ALSO contained employee data which they “felt the need to protect.”

They (UBER) were wrong, their counsel and a judge agreed, and they complied.
0123 said[1] @ 5:27pm GMT on 12th Jan

In many cities, conventional taxi drivers are the epitome of the working poor, eschewing social assistance, and working 12 and 14 hour shifts. Allowing Uber to do an end run around local regulation, as many cities have done to one degree or another, has created in a grossly unfair playing field, were conventional cab drivers are finding it hard to maintain their already meagre livelihoods. Screwing over these workers, so that a scaly tech company with appalling business practices can thrive, is beneath contempt.

Fuck Uber. If you have the option, take a cab.


Mythtyn said @ 8:52pm GMT on 12th Jan
They'll all be replaced by automation in the next 10 years anyway.
0123 said @ 9:33pm GMT on 12th Jan

'On a long enough timeline, the survival rate for everyone drops to zero.'
raphael_the_turtle said @ 7:11pm GMT on 12th Jan
Another option was contemplated for times when Uber wanted to be less transparent. In 2016 the security team began working on software called uLocker. An early prototype could present a dummy version of a typical login screen to police or other unwanted eyes, the people say. But Uber says no dummy-desktop function was ever implemented or used, and that the current version of uLocker doesn’t include that capability.

Right. Sure it wasn't.

Post a comment
[note: if you are replying to a specific comment, then click the reply link on that comment instead]

You must be logged in to comment on posts.



Posts of Import
4 More Years!
SE v2 Closed BETA
First Post
Subscriptions and Things
AskSE: What do you look like?

Karma Rankings
arrowhen
ScoobySnacks
HoZay
XregnaR
lilmookieesquire