Tag Archives: Sources
SAN FRANCISCO/WASHINGTON (Reuters) – A 20-year-old Florida man was responsible for the large data breach at Uber Technologies Inc last year and was paid by Uber to destroy the data through a so-called “bug bounty” program normally used to identify small code vulnerabilities, three people familiar with the events have told Reuters.
Uber announced on Nov. 21 that the personal data of 57 million passengers and 600,000 drivers were stolen in a breach that occurred in October 2016, and that it paid the hacker $100,000 to destroy the information. But the company did not reveal any information about the hacker or how it paid him the money.
Uber made the payment last year through a program designed to reward security researchers who report flaws in a company’s software, these people said. Uber’s bug bounty service – as such a program is known in the industry – is hosted by a company called HackerOne, which offers its platform to a number of tech companies.
Reuters was unable to establish the identity of the hacker or another person who sources said helped him. Uber spokesman Matt Kallman declined to comment on the matter.
Newly appointed Uber Chief Executive Dara Khosrowshahi fired two of Uber’s top security officials when he announced the breach last month, saying the incident should have been disclosed to regulators at the time it was discovered, about a year before.
It remains unclear who made the final decision to authorize the payment to the hacker and to keep the breach secret, though the sources said then-CEO Travis Kalanick was aware of the breach and bug bounty payment in November of last year.
Kalanick, who stepped down as Uber CEO in June, declined to comment on the matter, according to his spokesman.
A payment of $100,000 through a bug bounty program would be extremely unusual, with one former HackerOne executive saying it would represent an “all-time record.” Security professionals said rewarding a hacker who had stolen data also would be well outside the normal rules of a bounty program, where payments are typically in the $5,000 to $10,000 range.
HackerOne hosts Uber’s bug bounty program but does not manage it, and plays no role in deciding whether payouts are appropriate or how large they should be.
HackerOne CEO Marten Mickos said he could not discuss an individual customer’s programs. “In all cases when a bug bounty award is processed through HackerOne, we receive identifying information of the recipient in the form of an IRS W-9 or W-8BEN form before payment of the award can be made,” he said, referring to U.S. Internal Revenue Service forms.
According to two of the sources, Uber made the payment to confirm the hacker’s identity and have him sign a nondisclosure agreement to deter further wrongdoing. Uber also conducted a forensic analysis of the hacker’s machine to make sure the data had been purged, the sources said.
One source described the hacker as “living with his mom in a small home trying to help pay the bills,” adding that members of Uber’s security team did not want to pursue prosecution of an individual who did not appear to pose a further threat.
The Florida hacker paid a second person for services that involved accessing GitHub, a site widely used by programmers to store their code, to obtain credentials for access to Uber data stored elsewhere, one of the sources said.
GitHub said the attack did not involve a failure of its security systems. “Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code,” that company said in a statement.
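The article describes credentials committed to a GitHub repository being used to reach data held elsewhere, and GitHub's advice is to keep tokens, passwords and keys out of code entirely. The usual defensive control is a secret scan that runs before a commit is accepted. The following is an added example, not code from Reuters, Uber or GitHub: a small Python scanner with a handful of assumed patterns (the public AWS access key ID shape, generic password/token assignments, PEM private key headers) run over constructed file contents. The file names, the sample key and the password are all made up for the demonstration; a real deployment would use a maintained tool such as git-secrets or a platform's built-in secret scanning with a far larger pattern set.

```python
import re

# Detection patterns. The AWS access key ID format (AKIA + 16 chars) is public;
# the other patterns are deliberately simple assignment shapes and are assumptions
# for this example, not an exhaustive or vendor-supplied rule set.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_password": re.compile(
        r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
    "generic_token": re.compile(
        r"(?i)(api[_-]?key|access[_-]?token|secret)\s*[=:]\s*['\"][^'\"]{16,}['\"]"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def scan_text(path, text):
    """Return (path, line_number, pattern_name) for every line that matches a pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, name))
    return findings


def scan_files(files):
    """Scan a mapping of path -> file contents (what a pre-commit hook would see)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def commit_is_clean(files):
    """Gate function for a pre-commit hook: True only when nothing was flagged."""
    return not scan_files(files)


# Constructed sample commit. The settings file hard-codes a (fake) access key and a
# password; the shell script reads the key from the environment instead, which is
# the pattern GitHub's statement recommends; the .pem file is a stray private key.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLEEXAMPLE00'\n"   # constructed, not a real key
        "DB_PASSWORD = 'hunter2-but-longer'\n"
    ),
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        "export S3_BUCKET=\"$S3_BUCKET\"\n"
        "AWS_ACCESS_KEY_ID=\"${AWS_ACCESS_KEY_ID:?set in environment}\"\n"
    ),
    "keys/old_deploy.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEconstructedplaceholder\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}


if __name__ == "__main__":
    for path, lineno, name in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: possible {name}")
    print("commit clean:", commit_is_clean(SAMPLE_FILES))
```

Run as a pre-commit hook, `commit_is_clean` returning False would reject the commit; the deploy script passes because the credential comes from the environment at run time rather than from the repository. Pattern scanning only catches shapes it knows about, so it complements, rather than replaces, keeping secrets in a secret manager and rotating any credential that ever reached a repository.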
‘SHOUT IT FROM THE ROOFTOPS’
Uber received an email last year from an anonymous person demanding money in exchange for user data, and the message was forwarded to the company’s bug bounty team in what was described as Uber’s routine practice for such solicitations, according to three sources familiar with the matter.
Bug bounty programs are designed mainly to give security researchers an incentive to report weaknesses they uncover in a company’s software. But complicated scenarios can emerge when dealing with hackers who obtain information illegally or seek a ransom.
Some companies choose not to report more aggressive intrusions to authorities on the grounds that it can be easier and more effective to negotiate directly with hackers in order to limit any harm to customers.
Uber’s $100,000 payout and silence on the matter at the time was extraordinary under such a program, according to Luta Security founder Katie Moussouris, a former HackerOne executive.
“If it had been a legitimate bug bounty, it would have been ideal for everyone involved to shout it from the rooftops,” Moussouris said.
Uber’s failure to report the breach to regulators, even though it may have felt it had dealt with the problem, was an error, according to people inside and outside the company who spoke to Reuters.
“The creation of a bug bounty program doesn’t allow Uber, their bounty service provider, or any other company the ability to decide that breach notification laws don’t apply to them,” Moussouris said.
Uber fired its chief security officer, Joe Sullivan, and a deputy, attorney Craig Clark, over their roles in the incident.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in a blog post announcing the hack last month.
Clark worked directly for Sullivan but also reported to Uber’s legal and privacy team, according to three people familiar with the arrangement. It is unclear whether Clark informed Uber’s legal department, which typically handled disclosure issues.
Sullivan and Clark did not respond to requests for comment.
In an August interview with Reuters, Sullivan, a former prosecutor and Facebook Inc (FB.O) security chief, said he integrated security engineers and developers at Uber “with our lawyers and our public policy team who know what regulators care about.”
Last week, three more top managers in Uber’s security unit resigned. One of them, physical security chief Jeff Jones, later told others he would have left anyway, sources told Reuters. Another of the three, senior security engineer Prithvi Rai, later agreed to stay in a new role.
Reporting by Joseph Menn in San Francisco and Dustin Volz in Washington; Additional reporting by Heather Somerville and Stephen Nellis in San Francisco; Editing by Jonathan Weber and Bill Rigby
NEW YORK/LOS ANGELES (Reuters) – Amazon.com Inc (AMZN.O) has scrapped plans to launch an online streaming service bundling popular U.S. broadcast and cable networks because it believes it cannot make enough money on such a service, people familiar with the matter told Reuters.
The world’s largest online retailer has also been unable to convince key broadcast and basic cable networks to break with decades-old business models and join its a la carte Amazon Channels service, the sources said, and has backed away from talks with them.
The reversals come a month after the abrupt departure of Roy Price from his job as head of Amazon Studios, the company’s high-profile television production division, following an allegation of sexual harassment, which he has contested.
They show how difficult it is for Amazon to change entrenched habits in the U.S. entertainment business in the same way that it has done in retail, cloud computing and other areas.
An Amazon spokeswoman declined to comment.
Video has become an important tool for Amazon in generating subscriptions for its $99-a-year U.S. Prime membership service. It is on track to spend some $4.5 billion or more on video programming this year, analysts estimate.
On Monday it made waves in the entertainment world with the purchase of global television rights to “The Lord of the Rings,” planning a multi-season series to draw more viewers to Prime.
At the same time, Amazon is looking to offer a wide variety of television channels through Prime. It originally aimed to offer a limited bundle of key broadcast and cable networks for a set fee, similar to offerings from Alphabet Inc’s (GOOGL.O) YouTube and Hulu.
Such an offering, known in the industry as a “skinny bundle,” is a way of capturing younger viewers who are dropping traditional, expensive cable or satellite TV packages in favor of channels watchable on smartphones and tablets.
But in recent weeks, Amazon decided not to move ahead with a service on the grounds that it would yield too low a profit margin and did not necessarily indicate the direction the TV business will eventually go, the sources told Reuters.
Amazon could still decide to change course and introduce a skinny bundle, but the talks are over, the sources said.
Instead, Amazon has decided to focus on building out its Amazon Channels service, where Prime customers can subscribe to HBO, Showtime, Starz and other networks on an a la carte basis, according to the sources.
Those networks have standalone subscription services, but the advantage of Amazon Channels is that it groups together separate subscriptions and makes them available through the Amazon Video app.
Amazon has built up Amazon Channels to include more than 140 television and digital-only networks in the United States, but its efforts to get the most-watched TV channels have stalled, the sources told Reuters.
Sources familiar with the talks said Amazon has run up against the same obstacle that has stymied firms such as Apple Inc (AAPL.O) and Verizon Communications Inc (VZ.N) in their efforts to launch TV services: the traditional cable bundle.
Twenty-First Century Fox Inc (FOXA.O), Viacom Inc (VIAB.O) and other media firms typically require cable companies or other partners to take their weaker channels along with their stronger ones, to prevent the weaker ones withering on the vine.
Amazon did not want to do that. It also asked networks for provisions that are foreign to the entertainment business, including discounts based on the volume of subscribers it brings in. “That might be standard in selling, but it is not how it works with content,” said one industry source.
The Seattle-based company, known for taking a long-term view of businesses, is willing to wait, sources told Reuters. It is working on the assumption that as pay-TV subscriptions decline over time, more TV networks will be tempted to go direct to consumers online and therefore be available for Amazon Channels, they said.
TV executives say Amazon is a top-notch marketer of video programming and could eventually help their bottom lines.
“They market our theatrical library better than we have because they have the data,” said an executive at one premium channel, who declined to be named.
Some programmers, including Discovery Communications Inc (DISCA.O), are already using Amazon to test their own streaming services before selling them to the public.
“They are an excellent petri dish,” said Paul Guyardo, chief commercial officer of Discovery.
Reporting By Jessica Toonkel in New York, Lisa Richwine in Los Angeles and Jeffrey Dastin in San Francisco; Editing by Jonathan Weber and Bill Rigby
When it comes to getting the most value out of data, successful companies take a practical approach, first defining their own data strategy and then determining the tools needed to get it done. A good example of this is Airbnb, which set their own data strategy and tools to help users more accurately price their home listings. Too often, however, companies fail to lay out a clear strategy, instead relying on the available tools to show them where they need to go. Unfortunately, these tools usually serve up packaged metrics with data that is too detailed and lacks cohesion.
The mobile marketing data landscape
In VentureBeat’s The State of Marketing Analytics: Insights in the age of the customer, author Jon Cifuentes writes:
“Enterprises are stuck between fragmented data silos…There’s customer data, inventory data, log data, search data, reporting, analytics, CRM, session data, et al. – with different vendors supporting each. While “real-time” customer data sounds nice in theory, the actual process of broadcasting this information through the organization is time-consuming, expensive, fragmented, and frustrating.”
These cobbled-together sources and tools provide directional insight but don’t align with initial expectations, particularly as companies start requiring custom insights and metrics. In fact, most companies quickly find themselves in exactly the situation they had hoped to avoid – working in increasingly complex systems with considerably higher non-value added workloads.
The challenge for companies is: how do you align your data vision with your unique acquisition, engagement and monetization strategies?
Purpose-built tools like app analytics, A/B testing, marketing automation, etc. have done a great job in recent years of allowing non-technical people to analyze data, run tests and engage users. However, since these tools were built for single-use cases and by separate companies with proprietary data stores, they have failed to address a core issue: the need to access the same user data in order to truly provide a personalized experience to each user.
Data-capture tools and user engagement tools also need to be integrated in order to provide a full picture of how changes impact the product downstream. For instance, teams need to be able to apply user actions from app analytics to run A/B tests, which will in turn impact the user experience.
The path forward
The solution exists at the platform level: unifying data sources before applications are built on top of them, with a flexible 2-way structure that enables real-time integration between event and user data, at all levels in the stack, and not just based on basic pre-determined rules with segmentations on top.
This type of structure makes it possible for events to be enriched by boundless user attributes (user state) and enables contextual analytics. This, in turn, produces a robust targeting framework, because now the user state can be updated in any manner, in real-time. For example, Glassdoor utilizes this methodology to deliver real-time dynamic notifications of job alerts to users based on their prior behavior when browsing the Glassdoor website.
While many marketing vendors are fighting to define themselves as integrated or unified marketing platforms, most still need to reach deeper down the stack and unify product and marketing tools with data tools at a platform level. Because they refer to the same data source, there will be no discrepancies between insights and actions. For example, segments defined for analytics will maintain the same properties in A/B testing or content delivery. Applications developed on top of unified data platforms will be inherently more flexible and manageable.
Omniata is coming out of beta on September 24th! You can reach us at email@example.com to learn more. Though just coming out of beta, we’re already tracking 300 million monthly active users, 2 billion events per day, and handling over 17,000 requests per second!
Alex Arias is the CEO and cofounder of Omniata, a unified data, analytics and user engagement platform. For more than 10 years, Alex has been an entrepreneur and driver of innovation in digital services, working previously at Digital Chocolate and EA. He’s been helping companies define their own Data Value Journey since cofounding Omniata two and a half years ago.
Big data company Cloudera is preparing to launch major new open-source software for storing and serving lots of different kinds of unstructured data, with an eye toward challenging heavyweights in the database business, VentureBeat has learned.
The storage engine, Kudu, is meant as an alternative to the widely used Hadoop Distributed File System and the Hadoop-oriented HBase NoSQL database, borrowing characteristics from both, according to a copy of a slide deck on Kudu’s design goals that VentureBeat has obtained. The technology will be released as Apache-licensed open-source software, the slides show.
Cloudera has had one of its early employees leading a small team to work on Kudu for the past two years, and the company has begun pitching the software to customers before an open-source release at the end of this month, a source familiar with the matter told VentureBeat.
That source and others believe Kudu could present a new threat to data warehouses from Teradata and IBM’s PureData (formerly Netezza), and other vendors. It may also be used as a highly scalable in-memory database that can handle massively parallel processing (MPP) workloads, not unlike HP’s Vertica and VoltDB, the sources say. And one day Kudu — which works across multiple data centers with RAM and fast solid-state drives (SSDs) — could even play a part in backup and disaster recovery.
Cloudera declined to comment.
However Cloudera chooses to market Kudu, it’s clear that the software is a big step forward for the company, not only in the company’s efforts to outdo other Hadoop vendors, but also in its quest to become a prominent player in enterprise software.
Not that Cloudera is a nobody. It’s worth almost $5 billion, according to one recent estimate, it has considerable backing from Intel, and it’s been positioning itself as a competitor to much larger database companies, like IBM and Oracle. But the fact is, fellow Hadoop vendor Hortonworks has gained credibility after it went public last year, and Hadoop company MapR is still around, too.
Cloudera recently doubled down on the rising Apache Spark open-source big data processing framework, but Spark is something Cloudera has been working on for years. And a few months ago, Cloudera brought new Python capability to Hadoop, following its acquisition of DataPad last year. Those are important efforts, but Kudu is something entirely new, something that can give the company freshness as it grows toward an initial public offering.
So what is Kudu, then?
It’s “nearly as fast as raw HDFS for scans” and, at the same time, “nearly as fast as HBase for random access,” according to one slide from a presentation on Kudu’s design goals. But Kudu is not meant to be a drop-in substitute for HDFS or HBase. “There are still places where these systems will be optimal, and Cloudera will continue to support and invest in them,” a slide said.
Kudu could be used for time-series data, or real-time reporting, or model building, according to another slide.
And it’s important to note that Kudu isn’t a SQL query engine for pulling up specific data. Cloudera has Impala for that, and others have Hive for that. Kudu has an “early integration” with Impala, and Spark support is coming, according to a slide.
The Kudu application programming interface (API) works with Java — the common language of Hadoop — as well as C++. Kudu’s architecture allows for operation across sites, according to one slide. That makes it comparable to Google’s Spanner and the Spanner-inspired CockroachDB. That could make Kudu a great choice for big companies looking to store their big data around the world.
Is Kudu well adopted, though? No, not yet.
“Looking for beta customers,” a slide said.