Eighteen months ago, FreshBooks CEO Mike McDerment did something that might blow your mind. In secrecy, he started a brand new company to compete with his existing one.
Finding Space to Experiment.
In my recent interview with McDerment, he described a moment in the winter of 2013 when he had been feeling uneasy about the steady growth of his business. FreshBooks, which had long been the darling of the DIY bookkeeping industry, needed to keep innovating to remain competitive.
The reality, which McDerment recognized, is that software products, by their very nature, are malleable and constantly changing. In today’s business landscape, consumers expect products to be constantly improving.
But how do you make major changes in a way that does not disrupt existing users? Especially when their livelihood depends on your product?
How does a company allow for the exploration required for innovation without screwing up what it’s already getting right?
McDerment asked himself these questions. He believed he had found the answer: roll out an updated product, but not under the FreshBooks brand.
And so, he started BillSpring.
Newcomer BillSpring could market its product as “in development,” thereby creating the space for experimentation and attracting new users with its updated design.
Sure, this strategy is logical, but it’s jarringly unconventional. However, McDerment says FreshBooks has sought to establish a culture of putting people at the center of every decision, so for him, it was an obvious move.
FreshBooks took the coveted first place spot in the highly competitive Great Places to Work survey. The secret sauce, according to McDerment, is the company’s ability to embody a human-centric approach to all facets of the business: from product development to hiring and training.
Employees aren’t the only people who matter when it comes to making decisions at FreshBooks. Customers are in constant focus, a concept McDerment calls customer proximity.
To make sure that all team members understand customers, every newly hired employee spends a month in customer service. This pitstop happens without exception, not even for the new CFO, who had taken three companies public and whose role involves no customer-facing work. He too spent 30 days getting to know customers on the front lines of customer service.
As a result of this mentality, the company is hyper-sensitive to customer satisfaction. So in retrospect, the decision to create a completely separate brand is no surprise. In fact, it’s a considerate way of introducing change.
A Considerate Approach to Introducing Change.
Whether the change is as simple as a minor feature update or as significant as starting a whole new company to compete with your own, the consideration of the impact on all the people involved should always remain at the forefront.
It’s not just what FreshBooks values; as so many companies have proven, it’s just good business.
Eighteen months into the experiment, BillSpring had shown improvements in business performance and customer satisfaction that exceeded those of FreshBooks. At this point, McDerment finally decided it was time to come out of hiding, dissolving the BillSpring brand and merging the products back under FreshBooks.
“When we launched we didn’t want our users to worry. So if they said ‘you know what? It’s great but not right for me,’ then they could return to FreshBooks classic,” McDerment says. “We did everything in our power to not destabilize our users’ business, and so the vast majority of people recognized that and chose the new version when they had the chance.”
The Takeaway: Create the Conditions for Innovation.
The extreme stealth-mode approach may not be the right answer for other companies looking to navigate change and growth, but creating the conditions for change and growth is: for the organization and, more importantly, for the real people it serves.
Despite the radical time and cost investment, McDerment stands by the 18-month experiment as having delivered positive outcomes for the company’s employees and customers. Ultimately, affording the freedom of time and space is what has enabled the award-winning success that the company enjoys today.
This is a story about marijuana that begins in a drawer of dead birds. In the specimen collections of the California Academy of Sciences, curator Jack Dumbacher picks up a barred owl—so named for the stripes that run across its chest—and strokes its feathers. It looks like a healthy enough bird, sure, but something nefarious once lurked in its liver: anticoagulant rodenticide, which causes rats to bleed out, and inevitably accumulates in apex predators like owls. The origin of the poison? Likely an illegal cannabis grow operation in the wilds of Northern California.
“It’s a mess out there,” says Dumbacher. “And it costs taxpayers millions of dollars to clean up the sites.”
Marijuana doesn’t just suddenly appear on the shelves of a dispensary, or the pocket of a dealer. Someone’s gotta grow it, and in Northern California, that often means rogue farmers squatting on public lands, tainting the ecosystem with pesticides and other chemicals, then harvesting their goods and leaving behind what is essentially a mini superfund site. Plenty of growers run legit, organic operations—but cannabis can be a dirty, dirty game.
As cannabis use goes recreational in California, producers are facing a reckoning: They’ll either have to clean up their act, or get out of the legal market. Until the federal prohibition on marijuana ends, growers here can skip the legit marketplace and ship to black markets in the many states where the drug is still illegal. That’s bad news for public health, and even worse news for the wildlife of California.
If you’re buying cannabis in the United States, there’s up to a 75 percent chance that it grew somewhere in California. In Humboldt County alone, as many as 15,000 private grows churn out marijuana. Of those 15,000 farms, 2,300 have applied for permits, and of those just 91 actually have the permits.
Researchers reckon that 15 to 20 percent of private grows here are using rodenticide, trying to avoid damage from rats chewing through irrigation lines and plants. Worse, though, are the growers who hike into rugged public lands and set up grow operations. Virtually all of them are using rodenticide. “At very high doses the rodenticide is meant to kill by basically stopping coagulation of blood,” says Dumbacher. “So what happens is if you get a bruise or a cut, you would literally bleed out because it won’t coagulate.”
And what’s bad for the rats can’t be good for the barred owl. How the poison might affect these predators isn’t immediately clear, but researchers think it may weaken them.
Scientists are used to seeing rodenticides in owl livers—but usually, those animals are picking off rats in urban areas. Not so for these samples. “When we actually looked at the data, it turned out that some of the owls that were exposed were from remote areas, parts of the forest that don’t even have roads near them,” says Dumbacher. When researchers took a look at satellite images of these areas, they were able to pick out illegal grow operations and make the connection: Rodenticides from marijuana cultivation are probably moving up the food chain.
The havoc that growers are wreaking in Northern California is worryingly similar to the environmental bedlam of the past. “We can’t just take exactly the same historical approach that California did with the Gold Rush,” says Mourad Gabriel, executive director of the Integral Ecology Research Center and lead author of the study with Dumbacher. It was a massive inundation of illegal gold and mining operations that tore the landscape to pieces. “150 years down the road, we are still dealing with it.”
And Northern California’s problems have the potential to become your problem if you’re buying marijuana in a state where it’s still illegal. “We have data clearly demonstrating the plant material is contaminated, not just with one or two but a plethora of different types of pesticides that should not be used on any consumable product,” says Gabriel. “And we find it on levels that are potentially a threat to humans as well.”
Across from an old cookie factory in Oakland, California sits a lab that couldn’t look more nondescript. It’s called CW Analytical, and it’s in the business of testing marijuana for a range of nasties, both natural and synthetic. Technicians in lab coats shuffle about, dissolving cannabis in solution, while in a little room up front a man behind a desk consults clients.
Running this place is a goateed Alabama native named Robert Martin. For a decade he’s risked the ire of the feds to ensure that the medical marijuana sold in California dispensaries is clean and safe. But in the age of recreational cannabis, the state has given him a new list of enemies to test for. If you’re worried about consuming grow chemicals like the owls are doing, it’s scientists like Martin who have your back.
“We’re trying to do it in legitimate ways, not painting our face or putting flowers in our hair,” says Martin. “We’re here to show another face of the industry.” Clinical. Empirical.
Labs like these—the Association of Commercial Cannabis Laboratories, which Martin heads, counts two dozen members—are where marijuana comes to pass the test or face destruction. Martin’s team is looking for two main things: microbiological contaminants and chemical residues. “Microbiological contaminants could come in the form of bacteria or fungi, depending on what kind of situation your cannabis has seen,” says Martin. (Bad drying or curing habits on the part of the growers can lead to the growth of Aspergillus mold, for instance.) “Or on the other side, the chemical residues can be pesticides, herbicides, things like that.”
The biological bit is pretty straightforward. Technicians add a cannabis sample to solution, then spread it on plates that go into incubators. “What we find is of all the flowers that come through, about 12 to 13 percent will come back with a high level of aerobic bacteria and about 13 to 14 percent will come back with a high level of fungi and yeast and mold,” says laboratory manager Emily Savage.
With chemical contaminants it gets a bit trickier. To test for these, the lab runs the cannabis through a machine called a mass spectrometer, which separates the sample into its component compounds and identifies them by mass. This catches common chemicals like myclobutanil, a fungicide growers use to kill mold and mildew.
Starting July 1 of this year, distributors and (legal) cultivators have to put their product through testing for heavy metals and bacteria like E. coli and chemicals like acephate (a general use insecticide). That’s important for average consumers but especially medical marijuana patients with compromised health. One group of researchers has even warned that smoking or vaping tainted marijuana could lead to fatal infections for some patients, as pathogens are taken deep into the lungs.
“This is why we have to end prohibition and regulate and legalize cannabis, so that we can develop the standards that everybody must meet,” says Andrew DeAngelo, director of operations of the Harborside dispensary in Oakland.
After testing, a lab like CW has to report their results to the state, whose guidelines may dictate that the crop be destroyed. If everything checks out, the marijuana is cleared for sale in a dispensary. “That gives the public confidence that these supply chains are clean for them and healthy for them,” says DeAngelo.
That safety comes at a price, though. To fund the oversight of recreational marijuana, California is imposing combined taxes of perhaps 50 percent. “They’re too high,” says DeAngelo. He’s worried that the fees will push users back into the black market, where plants don’t have to hew to the same strict safety standards. “This shop should be a lot fuller than it is right now.”
And the black market gets us right back to the mess we started off in. Illegal cultivation is bad for consumers and bad for the environment. The only real solution? The end of prohibition. At the very least, the owls would appreciate it.
Mathematics is full of weird number systems that most people have never heard of and would have trouble even conceptualizing. But rational numbers are familiar. They’re the counting numbers and the fractions—all the numbers you’ve known since elementary school. But in mathematics, the simplest things are often the hardest to understand. They’re simple like a sheer wall, without crannies or ledges or obvious properties you can grab ahold of.
Original story reprinted with permission from Quanta Magazine, an editorially independent publication of the Simons Foundation whose mission is to enhance public understanding of science by covering research developments and trends in mathematics and the physical and life sciences.
Minhyong Kim, a mathematician at the University of Oxford, is especially interested in figuring out which rational numbers solve particular kinds of equations. It’s a problem that has provoked number theorists for millennia. They’ve made minimal progress toward solving it. When a question has been studied for that long without resolution, it’s fair to conclude that the only way forward is for someone to come up with a dramatically new idea. Which is what Kim has done.
“There are not many techniques, even though we’ve been working on this for 3,000 years. So whenever anyone comes up with an authentically new way to do things it’s a big deal, and Minhyong did that,” said Jordan Ellenberg, a mathematician at the University of Wisconsin, Madison.
Over the past decade Kim has described a very new way of looking for patterns in the seemingly patternless world of rational numbers. He’s described this method in papers and conference talks and passed it along to students who now carry on the work themselves. Yet he has always held something back. He has a vision that animates his ideas, one based not in the pure world of numbers, but in concepts borrowed from physics. To Kim, rational solutions are somehow like the trajectory of light.
If the connection sounds fantastical it’s because it is, even to mathematicians. And for that reason, Kim long kept it to himself. “I was hiding it because for many years I was somewhat embarrassed by the physics connection,” he said. “Number theorists are a pretty tough-minded group of people, and influences from physics sometimes make them more skeptical of the mathematics.”
But now Kim says he’s ready to make his vision known. “The change is, I suppose, simply a symptom of growing old!” wrote Kim, 53, in one of the first emails we exchanged for this story.
He has recently hosted a conference that brought together number theorists and string theorists. He has also drafted articles that begin to describe his inspiration to a mathematical community that is not accustomed to thinking about numbers through such direct analogy with the physical world.
Yet one stumbling block remains—a last piece of the physics-math analogy that Kim still has to work out. He hopes that by inviting others into his vision, especially physicists, he’ll have the help he needs to complete it.
The Ancient Challenge
Rational solutions to equations exert a strong pull on the human mind. They are satisfying in the way of puzzle pieces falling perfectly into place. For that reason, they are the subject of many of the most famous conjectures in mathematics.
The rational numbers include the integers and any number that can be expressed as a ratio of two integers, such as 1, –4 and 99/100. Mathematicians are particularly interested in rational numbers that solve what are called “Diophantine equations” — polynomial equations with integer coefficients, like x² + y² = 1. These equations are named after Diophantus, who studied them in Alexandria in the third century A.D.
Rational solutions are hard to find in any kind of comprehensive way because they don’t follow any geometric pattern. Think about that equation x² + y² = 1. The real-number solutions to that equation form a circle. Take away all the points on that circle that can’t be expressed as a fraction and you’re left with all the rational solutions, which don’t form such a tidy object. The rational solutions appear to be scattered randomly around the circumference of the circle.
“The condition for a point to have rational coordinates is not a geometric condition at all. You can’t write an equation that the rational points have to satisfy,” Kim said.
It’s often easy to find a single rational solution, or even many of them. But mathematicians, who don’t like loose ends, are more interested in identifying all the rational solutions. That’s much harder. It’s so hard, in fact, that proving even the barest statement about the number of rational solutions is enough to make you a mathematical luminary. In 1986 Gerd Faltings won the Fields Medal, math’s highest honor, primarily for solving a problem called the Mordell conjecture and proving that certain classes of Diophantine equations have only finitely many rational solutions (rather than infinitely many).
Faltings’ proof was a landmark result in number theory. It was also what mathematicians refer to as an “ineffective proof,” meaning that it didn’t actually count the number of rational solutions, let alone identify them. Ever since, mathematicians have been looking for a way to take those next steps. Rational points look like random points on the ordinary graph of an equation. Mathematicians hope that if they change the setting in which they think about the problem, those points will start to look more like a constellation that they can describe in some precise way. The trouble is, the known land of mathematics doesn’t provide such a setting.
“To get effective results on rational points, it definitely has the feeling that there’d have to be a new idea,” said Ellenberg.
At present, there are two main proposals for what that new idea could be. One comes from the Japanese mathematician Shinichi Mochizuki, who in 2012 posted hundreds of pages of elaborate, novel mathematics to his faculty webpage at Kyoto University. Five years later, that work remains largely inscrutable. The other new idea comes from Kim, who has tried to think about rational numbers in an expanded numerical setting where hidden patterns between them start to come into view.
A Symmetry Solution
Mathematicians often say that the more symmetric an object is, the easier it is to study. Given that, they’d like to situate the study of Diophantine equations in a setting with more symmetry than the one where the problem naturally occurs. If they could do that, they could harness the newly relevant symmetries to track down the rational points they’re looking for.
To see how symmetry helps a mathematician navigate a problem, picture a circle. Maybe your objective is to identify all the points on that circle. Symmetry is a great aid because it creates a map that lets you navigate from points you do know to points you have yet to discover.
Imagine you’ve found all the rational points on the southern half of the circle. Because the circle has reflectional symmetry, you can flip those points over the equator (changing the signs of all the y coordinates), and suddenly you’ve got all the points in the northern half too. In fact, a circle has such rich symmetry that knowing the location of even one single point, combined with knowledge of the circle’s symmetries, is all you need to find all the points on the circle: Just apply the circle’s infinite rotational symmetries to the original point.
Yet if the geometric object you’re working with is highly irregular, like a random wandering path, you’re going to have to work hard to identify each point individually—there are no symmetry relationships that allow you to map known points to unknown points.
Sets of numbers can have symmetry, too, and the more symmetry a set has, the easier it is to understand—you can apply symmetry relationships to discover unknown values. Numbers that have particular kinds of symmetry relationships form a “group,” and mathematicians can use the properties of a group to understand all the numbers it contains.
The set of rational solutions to an equation doesn’t have any symmetry and doesn’t form a group, which leaves mathematicians with the impossible task of trying to discover the solutions one at a time.
Beginning in the 1940s, mathematicians began to explore ways of situating Diophantine equations in settings with more symmetry. The mathematician Claude Chabauty discovered that inside a larger geometric space he constructed (using an expanded universe of numbers called the p-adic numbers), the rational numbers form their own symmetric subspace. He then took this subspace and combined it with the graph of a Diophantine equation. The points where the two intersect reveal rational solutions to the equation.
In the 1980s the mathematician Robert Coleman refined Chabauty’s work. For a couple of decades after that, the Coleman-Chabauty approach was the best tool mathematicians had for finding rational solutions to Diophantine equations. It only works, though, when the graph of the equation is in a particular proportion to the size of the larger space. When the proportion is off, it becomes hard to spot the exact points where the curve of the equation intersects the rational numbers.
“If you have a curve inside an ambient space and there are too many rational points, then the rational points kind of cluster and you have trouble distinguishing which ones are on the curve,” said Kiran Kedlaya, a mathematician at the University of California, San Diego.
And that’s where Kim came in. To extend Chabauty’s work, he wanted to find an even larger space in which to think about Diophantine equations—a space where the rational points are more spread out, allowing him to study intersection points for many more kinds of Diophantine equations.
Spaces of Spaces
If you’re looking for a larger kind of space, along with clues about how to use symmetry to navigate it, physics is a good place to turn.
Generally speaking, a “space,” in the mathematical sense, is any set of points that has geometric or topological structure. One thousand points scattered willy-nilly won’t form a space—there’s no structure that ties them together. But a sphere, which is just a particularly coherent arrangement of points, is a space. So is a torus, or the two-dimensional plane, or the four-dimensional space-time in which we live.
In addition to these spaces, there exist even more exotic spaces, which you can think of as “spaces of spaces.” To take a very simple example, imagine that you have a triangle—that’s a space. Now imagine the space of all possible triangles. Each point in this larger space represents a particular triangle, with the coordinates of the point given by the angles of the triangle it represents.
That sort of idea is often useful in physics. In the framework of general relativity, space and time are constantly evolving, and physicists think of each space-time configuration as a point in a space of all space-time configurations. Spaces of spaces also come up in an area of physics called gauge theory, which has to do with fields that physicists layer on top of physical space. These fields describe how forces like electromagnetism and gravity change as you move through space. You can imagine that there’s a slightly different configuration of these fields at every point in space—and that all those different configurations together form points in a higher-dimensional “space of all fields.”
This space of fields from physics is a close analogue to what Kim is proposing in number theory. To understand why, consider a beam of light. Physicists imagine the light moving through the higher-dimensional space of fields. In this space, light will follow the path that adheres to the “principle of least action”: for light, this is Fermat’s principle of least time, the path that minimizes the time required to go from A to B. The principle explains why light bends when it moves from one material to another, since the bent path is the one that minimizes the time taken.
These larger spaces of spaces that come up in physics feature additional symmetries that are not present in any of the spaces they represent. These symmetries draw attention to specific points, emphasizing, for example, the time-minimizing path. Constructed in another way in another context, these same kinds of symmetries might emphasize other kinds of points—like the points corresponding to rational solutions to equations.
Connecting Symmetry to Physics
Number theory has no particles to track, but it does have something like space-time, and it also offers a way of drawing paths and constructing a space of all possible paths. From this basic correspondence, Kim is working out a scheme in which “the problem of finding the trajectory of light and that of finding rational solutions to Diophantine equations are two facets of the same problem,” as he explained last week at a conference on mathematical physics in Heidelberg, Germany.
The solutions to Diophantine equations form spaces—these are the curves defined by the equations. These curves can be one-dimensional, like the circle, or they can be higher-dimensional. For example, if you plot (complex) solutions to the Diophantine equation x⁴ + y⁴ = 1, you get the three-holed torus. The rational points on this torus lack geometric structure—that’s what makes them hard to find—but they can be made to correspond to points in a higher-dimensional space of spaces that do have structure.
Kim creates this higher-dimensional space of spaces by thinking about ways you can draw loops on the torus (or whatever space the equation defines). The loop-drawing procedure goes as follows. First, choose a base point, then draw a loop from that point to any other point and back again. Now repeat that process, drawing paths that connect your base point with every other point on the torus. You’ll end up with a thicket of all possible loops that begin and end at the base point. This collection of loops is a centrally important object in mathematics—it’s called the fundamental group of a space.
You can use any point on the torus as your base point. Each point will have a unique thicket of paths emanating from it. Each of these collections of paths can then be represented as a point in a higher-dimensional “space of all collections of paths” (like the space of all possible triangles). This space of spaces is geometrically very similar to the “space of spaces” physicists construct in gauge theory: The way collections of paths change as you move from one point to another on the torus strongly resembles the way fields change as you move from one point to another in real space. This space of spaces features additional symmetries not present on the torus itself. And while there is no symmetry between the rational points on the torus, if you go into the space of all collections of paths, you can find symmetries between the points associated to the rational points. You gain symmetries that were not visible before.
“A phrase I use sometimes is that there is a kind of ‘hidden arithmetic symmetry’ encoded in these paths that is highly analogous to the internal symmetries of gauge theory,” Kim said.
Just as Chabauty did, Kim finds rational solutions by thinking about intersection points in this larger space he’s constructed. He uses symmetries of this space to narrow in on the intersection points. His hope is to develop an equation that detects these points exactly.
In the physics setting, you can imagine all possible paths that a ray of light could take. This is your “space of all paths.” The points in that space that interest physicists are the points corresponding to time-minimizing paths. Kim believes the points corresponding to thickets of paths emanating from rational points have something of this same quality — that is, the points minimize some property that comes up when you start to think about the geometric form of Diophantine equations. Only he hasn’t yet figured out what that property might be.
“What I started out trying to find” was a least-action principle for the mathematical setting, he wrote in an email. “I still don’t quite have it. But I am pretty confident it’s there.”
An Uncertain Future
Over the past few months I’ve described Kim’s physics-inspired vision to several mathematicians, all admirers of Kim’s contributions to number theory. When presented with this take on his work, however, they didn’t know what to make of it.
“As a representative number theorist, if you showed me all the awesome stuff Minhyong has been doing and asked me if this was physically inspired, I’d say, ‘What the hell are you talking about?’” Ellenberg said.
So far, Kim has made no mention of physics in his papers. Instead, he’s written about objects called Selmer varieties, and he’s considered relationships between Selmer varieties in the space of all Selmer varieties. These are recognizable terms to number theorists. But to Kim, they’ve always been another name for certain kinds of objects in physics.
“It should be possible to use ideas from physicists to solve problems in number theory, but we haven’t thought carefully enough about how to set up such a framework,” Kim said. “We’re at a point where our understanding of physics is mature enough, and there are enough number theorists interested in it, to make a push.”
The primary obstacle to the development of Kim’s method lies in the search for some kind of action to minimize in the space of all thickets of loops. This kind of perspective comes naturally in the physical world, but it doesn’t make any obvious sense in arithmetic. Even mathematicians who follow Kim’s work closely wonder whether he’ll find it.
“I think [Kim’s program] is going to do a lot of great things for us. I don’t think we’re going to get as sharp an understanding as Minhyong wants where rational points are honestly classical solutions to some kind of arithmetic gauge theory,” said Arnav Tripathy, a professor of mathematical physics at Harvard University.
Today the language of physics remains almost entirely outside the practice of number theory. Kim thinks that’s almost certainly going to change. Forty years ago, physics and the study of geometry and topology had little to do with one another. Then, in the 1980s, a handful of mathematicians and physicists, all towering figures now, found exact ways to use physics to study the properties of shapes. The field has never looked back.
“It’s almost impossible to be interested in geometry and topology nowadays without knowing something about [physics]. I’m reasonably sure this will happen with number theory” in the next 15 years, Kim said. “The connections are so natural.”
SAN FRANCISCO/WASHINGTON (Reuters) – A 20-year-old Florida man was responsible for the large data breach at Uber Technologies Inc last year and was paid by Uber to destroy the data through a so-called “bug bounty” program normally used to identify small code vulnerabilities, three people familiar with the events have told Reuters.
Uber announced on Nov. 21 that the personal data of 57 million passengers and 600,000 drivers were stolen in a breach that occurred in October 2016, and that it paid the hacker $100,000 to destroy the information. But the company did not reveal any information about the hacker or how it paid him the money.
Uber made the payment last year through a program designed to reward security researchers who report flaws in a company’s software, these people said. Uber’s bug bounty service – as such a program is known in the industry – is hosted by a company called HackerOne, which offers its platform to a number of tech companies.
Reuters was unable to establish the identity of the hacker or another person who sources said helped him. Uber spokesman Matt Kallman declined to comment on the matter.
Newly appointed Uber Chief Executive Dara Khosrowshahi fired two of Uber’s top security officials when he announced the breach last month, saying the incident should have been disclosed to regulators at the time it was discovered, about a year before.
It remains unclear who made the final decision to authorize the payment to the hacker and to keep the breach secret, though the sources said then-CEO Travis Kalanick was aware of the breach and bug bounty payment in November of last year.
Kalanick, who stepped down as Uber CEO in June, declined to comment on the matter, according to his spokesman.
A payment of $100,000 through a bug bounty program would be extremely unusual, with one former HackerOne executive saying it would represent an “all-time record.” Security professionals said rewarding a hacker who had stolen data also would be well outside the normal rules of a bounty program, where payments are typically in the $5,000 to $10,000 range.
HackerOne hosts Uber’s bug bounty program but does not manage it, and plays no role in deciding whether payouts are appropriate or how large they should be.
HackerOne CEO Marten Mickos said he could not discuss an individual customer’s programs. “In all cases when a bug bounty award is processed through HackerOne, we receive identifying information of the recipient in the form of an IRS W-9 or W-8BEN form before payment of the award can be made,” he said, referring to U.S. Internal Revenue Service forms.
According to two of the sources, Uber made the payment to confirm the hacker’s identity and have him sign a nondisclosure agreement to deter further wrongdoing. Uber also conducted a forensic analysis of the hacker’s machine to make sure the data had been purged, the sources said.
One source described the hacker as “living with his mom in a small home trying to help pay the bills,” adding that members of Uber’s security team did not want to pursue prosecution of an individual who did not appear to pose a further threat.
The Florida hacker paid a second person for services that involved accessing GitHub, a site widely used by programmers to store their code, to obtain credentials for access to Uber data stored elsewhere, one of the sources said.
GitHub said the attack did not involve a failure of its security systems. “Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code,” that company said in a statement.
‘SHOUT IT FROM THE ROOFTOPS’
Uber received an email last year from an anonymous person demanding money in exchange for user data, and the message was forwarded to the company’s bug bounty team in what was described as Uber’s routine practice for such solicitations, according to three sources familiar with the matter.
Bug bounty programs are designed mainly to give security researchers an incentive to report weaknesses they uncover in a company’s software. But complicated scenarios can emerge when dealing with hackers who obtain information illegally or seek a ransom.
Some companies choose not to report more aggressive intrusions to authorities on the grounds that it can be easier and more effective to negotiate directly with hackers in order to limit any harm to customers.
Uber’s $100,000 payout and silence on the matter at the time was extraordinary under such a program, according to Luta Security founder Katie Moussouris, a former HackerOne executive.
“If it had been a legitimate bug bounty, it would have been ideal for everyone involved to shout it from the rooftops,” Moussouris said.
Uber’s failure to report the breach to regulators, even though it may have felt it had dealt with the problem, was an error, according to people inside and outside the company who spoke to Reuters.
“The creation of a bug bounty program doesn’t allow Uber, their bounty service provider, or any other company the ability to decide that breach notification laws don’t apply to them,” Moussouris said.
Uber fired its chief security officer, Joe Sullivan, and a deputy, attorney Craig Clark, over their roles in the incident.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in a blog post announcing the hack last month.
Clark worked directly for Sullivan but also reported to Uber’s legal and privacy team, according to three people familiar with the arrangement. It is unclear whether Clark informed Uber’s legal department, which typically handled disclosure issues.
Sullivan and Clark did not respond to requests for comment.
In an August interview with Reuters, Sullivan, a former prosecutor and Facebook Inc (FB.O) security chief, said he integrated security engineers and developers at Uber “with our lawyers and our public policy team who know what regulators care about.”
Last week, three more top managers in Uber’s security unit resigned. One of them, physical security chief Jeff Jones, later told others he would have left anyway, sources told Reuters. Another of the three, senior security engineer Prithvi Rai, later agreed to stay in a new role.
Reporting by Joseph Menn in San Francisco and Dustin Volz in Washington; Additional reporting by Heather Somerville and Stephen Nellis in San Francisco; Editing by Jonathan Weber and Bill Rigby
Kitten videos are harmless, right? Except when they take over your phone.
Researchers have found something new to worry about on the internet. It turns out that a muffled voice hidden in an innocuous YouTube video could issue commands to a nearby smartphone without you even knowing it.
The researchers describe the threat in a research paper to be presented next month at the USENIX Security Symposium in Austin, Texas. They also demonstrate it in this video.
Voice recognition has taken off quickly on phones, thanks to services like Google Now and Apple’s Siri, but voice software can also make it easier to hack devices, warned Micah Sherr, a Georgetown University professor and one of the paper’s authors.