In major goof, Uber stored sensitive database key on public GitHub page

You're currently viewing only darkangel666's posts.
Iphtashu Fitz said (http://meincmagazine.com/civis/viewtopic.php?p=28584149#p28584149):
yakumo said (http://meincmagazine.com/civis/viewtopic.php?p=28584103#p28584103):
if the key is posted in public, how is anyone using it at fault?

Mainly because the database itself is likely not publicly accessible. Whoever used this key would have had to break into Uber's corporate network to exploit it.

The article says that the database was accessed from an IP not associated with Uber, so it looks like the database IP itself was also publicly available. Usually, to accuse someone of unauthorized data access, this person should have accessed data against the reasonable measures taken by the owner to guard the data. In this case the keys were placed in public access; no reasonable measures to guard the data were taken. So the court shouldn't grant Uber's request to disclose the IPs of those who accessed the GitHub project. Uber pretty much gave the database keys to the public for anyone to access.
 
Upvote
10 (11 / -1)
GitHub actually has several hosting plans. The free plan Uber used is intended for open source projects of (potentially) wider public interest. Were the projects shared by Uber actually intended to be publicly used, or did Uber just try to save money and use the free plan for a purely internal project?

Other (paid) GitHub plans include totally private hosting and control-by-login hosting, where the project owner decides which GitHub users get access. One example of control-by-login I know is the Unreal gaming engine, where Unreal charges developers $20/month for access, and also pays GitHub for such a setup.
 
Upvote
4 (4 / 0)