> Accessing them from Uber’s protected computers requires a unique security key that is not intended to be available to anyone other than certain Uber employees, and no one outside of Uber is authorized to access the files.

"authorized" is a funny word choice here. I don't work for Uber, so AFAIK authorization doesn't apply.
When people use the word "authorized" in the context of computer systems, especially lawyers, they're not talking about the possibility of reprimand from your boss, they're talking about the Computer Fraud and Abuse Act, which has been interpreted by courts to mean that you need explicit permission granted by the owner of a computer even to access data served unsecured on the open internet. And no, 200 OK doesn't count as explicit permission. It doesn't matter who you are or who you work for or what set of entirely legitimate keys you may have, explicit authorization outside the system always applies if you don't want to catch a felony.
> The definition of "protected computer" includes government computers, financial institution computers, and any computer "which is used in interstate or foreign commerce or communications."

Interesting. http://en.m.wikipedia.org/wiki/Protected_computer That's some serious bullshit right there. Any computer connected to the internet is a 'protected computer'. So it seems that you all are trespassing on Hubski the moment I decide it to be so. And look at this: Even if I move our servers to Amsterdam, the bullshit still applies. Thanks for the education.

> (B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.
Reminds me of the addendum at the bottom of any email from a doctor's office: "Information in this transmission is intended only for the person(s) to whom it is addressed and may contain privileged and/or confidential information. If you are not the intended recipient, any disclosure, copying or dissemination of the information is unauthorised and you should delete/destroy all copies and notify the sender."
No. I blame Paul Graham and web programming being where people learn to program now. Graham encourages kids to start with "I want to found a startup, all the cool hackers drop out and found startups[1][2][3][4]" and then as an afterthought try to come up with a product, so the startup scene looks like that software engineering class every CS student takes where you have to come up with some product, any product, and then implement it. Except there's a ton of money involved. Then, because they've been reading blogs by web guys their whole short career, they truly believe that the right way to build something is to throw something together as quickly as possible and only think very hard about things when they break. Don't fear failure right? The thing is, that only works if you really know what you're doing, so your "throw something together" will be more right than wrong. The whole Silicon Valley scene downright encourages half-baked ideas with shoddy implementations, with a shiny layer of design porn thrown on top in the hopes you don't notice.
I agree with bfv's comment from an engineering perspective, but PG's also made the comment that the reason the tech world's insanity works is because of the economics of it right now. The startups that go on to succeed tend to generate > 100x return on investment. So at the moment, it pays to keep churning out lots of companies with little attention to software quality or security. As long as 1/30 of them succeed, they can brush the failures under the rug.
But that was the whole problem back in '99: all these companies generated "value" without actually generating "profit." The economics "right then" was that people with no understanding of tech were swapping tech stocks with each other on the assumption that they would somehow magically generate money at some point in the future therefore they were valuable NOW. Imgur has like a quarter billion dollar valuation. Do you see Imgur returning a quarter billion dollars to anyone?
Oh believe me, I'm waiting for the day when it all collapses. And there's plenty of companies that fall into your description. But I'm saying that the 1 Dropbox that makes a billion dollars pays for all the crap ideas that turn into bootstrap-covered-node-js-designed-docker-contained vaporware.
This actually happened to me once. I was making a Twitter bot with Twitter4J for fun and I uploaded my code to GitHub so I could access it across computers. Not-so-smartly I forgot that I had my Twitter app access keys in plain text on the GitHub page. A couple of months later the bot started tweeting strange messages and I found out GraemeA had used the keys to tweet messages. Pretty funny.
Yup. It is so scarily easy to upload keys, passwords, etc. into GitHub without realizing it. Especially if you are working with a build system. You set it up, forget about it, upload it to GitHub so your partner can build too, and whoopsies. All your databases and everything else is suddenly there for the taking. I'm working on some CSS shit for a pretty high level app right now. Most of the stuff the team is working on is way over my head. Apparently the company believes in "microsystems" so there are at least 6 different endpoints we connect to and 4 servers you have to set up before you can see the front end. Everything was fine and git-ignored and there were warnings everywhere. Then they updated the build system. One merge later we had all the build.example.xyz files and the main engineer's build.xyz file. I probably would have never noticed, and it was still in a private dev branch, but I'm glad someone did sooner rather than later. The reality is, even smart people make mistakes. And it turns out the super geniuses aren't really all that smart about the tiny details. That's why you have 3rd party security consultants. They don't have to be a genius with bold ideas and phenomenal code. All they have to do is check the little shit. Especially with the rate of growth some startups are experiencing, I wouldn't be surprised if we see more and more fundamental flaws being exposed. I'm just going to laugh when someone injects code or is able to drop a table in the "next big app".
Even though he was joking I'm pretty sure he will. Which is a good thing really, much better he find an exploit than someone else. My joke Twitter account could have easily been a professional one and GraemeA could have easily been someone with bad intentions. It'd be great if there was a tool to scan GitHub repos for things that look like keys and find unsanitized database inputs, bobby-tables.exe I'd call it.
> That's why you have 3rd party security consultants

It's a shame the more vulnerable startups can't afford these people. My older brother joked that he'd make a 'hack' for the game I'm making as soon as it's released.

> I'm just going to laugh when someone injects code or is able to drop a table in the "next big app".

My older brother shows me these failures all the time. They're bloody hilarious. There was this one time a Garry's Mod (pretty popular multiplayer game if you've not heard of it) server had a user function which basically just sent commands to the server. Turns out they were run with console privileges and he used it to clear all server ranks, admin himself and do a lot of trolling.
> It'd be great if there was a tool to scan GitHub repos for things that look like keys and find unsanitized database inputs, bobby-tables.exe I'd call it.

I seem to recall that there is, but it's used for nefarious groups rather than for good. Edit: Link
Thanks for that link. It was pretty nice of Amazon to drop the charges. The hackers should release their program as paid software restricted to people's own repos for more money. Hackers or not, I don't mind as long as my project is safe from mistakes.
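The defensive half of the "bobby-tables.exe" wished for earlier in the thread, as an added example that is not code from anyone in this discussion: a scanner you would run over staged files before a commit, so the build.xyz case above gets caught before it reaches GitHub. The AWS access key prefix is that service's public format; the setting-name pattern, the entropy threshold, the placeholder list and the two sample files with their made-up keys are my own assumptions.

```python
import math
import re
from collections import Counter

# AWS access key ids have a public, fixed prefix; the second pattern is a heuristic
# for "key-ish setting = long literal" (quotes optional, so .properties files work too).
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
KEY_ASSIGNMENT = re.compile(
    r"(?i)\b([A-Za-z_.]*(?:secret|token|key|password)[A-Za-z_.]*)\s*[=:]\s*['\"]?([^'\"\s]{16,})")
PLACEHOLDERS = ("your_", "example", "changeme", "xxx", "<")

def shannon_entropy(s: str) -> float:
    """Bits per character: random API keys score well above 4, words and templates lower."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_text(path: str, text: str, min_entropy: float = 3.5) -> list:
    """Return (path, line_no, reason) for every line that looks like a leaked credential."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if AWS_ACCESS_KEY_ID.search(line):
            findings.append((path, n, "aws-access-key-id"))
            continue
        m = KEY_ASSIGNMENT.search(line)
        # Skip lines with no key-ish assignment and template placeholders (build.example.xyz).
        if not m or any(p in m.group(2).lower() for p in PLACEHOLDERS):
            continue
        if shannon_entropy(m.group(2)) >= min_entropy:
            findings.append((path, n, f"high-entropy {m.group(1)}"))
    return findings

# Constructed samples standing in for the thread's build.example.xyz and build.xyz files;
# every secret below is made up.
EXAMPLE_FILE = """\
oauth.consumerKey=YOUR_CONSUMER_KEY_HERE
oauth.consumerSecret=YOUR_CONSUMER_SECRET_HERE
db.password=changeme
"""
REAL_FILE = """\
oauth.consumerKey=q8Zt2LpV9mXc4KbW7nRy3JhS5dFg6Ae1
oauth.consumerSecret=Hf3kN7pQ2sV8xB4mJ6cL9wT1yR5gD0aZ
aws_access_key_id = AKIAEXAMPLEEXAMPLE12
db.password=hunter2
"""

if __name__ == "__main__":
    for path, text in (("build.example.xyz", EXAMPLE_FILE), ("build.xyz", REAL_FILE)):
        for p, n, reason in scan_text(path, text):
            print(f"{p}:{n}: {reason}")
```

Wired into a pre-commit hook, the hook reads each staged file and rejects the commit when scan_text returns anything; the short db.password values pass only because of the length gate, so a real scanner would also keep a list of known-weak passwords.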