Former Uber CISO Appealing His Conviction

Joe Sullivan, Uber’s CISO during their 2016 data breach, is appealing his conviction.

Prosecutors charged Sullivan, whom Uber hired as CISO after the 2014 breach, with withholding information about the 2016 incident from the FTC even as its investigators were scrutinizing the company’s data security and privacy practices. The government argued that Sullivan should have informed the FTC of the 2016 incident, but instead went out of his way to conceal it from them.

Prosecutors also accused Sullivan of attempting to conceal the breach itself by paying $100,000 to buy the silence of the two hackers behind the compromise. Sullivan had characterized the payment as a bug bounty similar to ones that other companies routinely make to researchers who report vulnerabilities and other security issues to them. His lawyers pointed out that Sullivan had made the payment with the full knowledge and blessing of Travis Kalanick, Uber’s CEO at the time, and other members of the ride-sharing giant’s legal team.

But prosecutors described the payment and an associated nondisclosure agreement that Sullivan’s team wanted the hackers to sign as an attempt to cover up what was in effect a felony breach of Uber’s network.

[…]

Sullivan’s fate struck a nerve with many peers and others in the industry who perceived CISOs as becoming scapegoats for broader security failures at their companies. Many argued, and continue to argue, that Sullivan acted with the full knowledge of his supervisors but in the end became the sole culprit for the breach and the associated failures for which he was charged. They believed that if Sullivan could be held culpable for his failure to report the 2016 breach to the FTC, and for the alleged hush payment, then so should Kalanick at the very least, and probably others as well.

It’s an argument that Sullivan’s lawyers once again raised in their appeal of the obstruction conviction this week. “Despite the fact that Mr. Sullivan was not responsible at Uber for the FTC’s investigation, including the drafting or signing of any of the submissions to the FTC, the government singled him out among over 30 of his co-employees who all had information that Mr. Sullivan is alleged to have hidden from the FTC,” Swaminathan said.

I have some sympathy for that view. Sullivan was almost certainly scapegoated here. But I do want executives personally liable for what their company does. I don’t know enough about the details to have an opinion in this particular case.

Posted on October 19, 2023 at 7:08 AM. 16 Comments

Comments

anon October 19, 2023 8:23 AM

I believe they should have originally charged him along with the entire C suite and board of directors.

Clive Robinson October 19, 2023 9:28 AM

@ ALL,

On the likely assumption he was scapegoated not just for Uber but, as others have noted in the past, “for the whole industry”, it is not unreasonable to ask,

1, Why Mr Sullivan?
2, Has he been discriminated against?

If I suspect the answer to the second is as some suspect true, and also there was clearly an agreement equivalent to a conspiracy at Uber…

Why are no others being brought into a prosecution for their participation, which in some cases appears to be considerably more involved than Mr Sullivan’s was?

Whichever way you look at it, the FTC do not apparently come out of this looking at all honest and upright themselves.

P Coffman October 19, 2023 11:39 AM

I am sympathetic to the former CISO as well. However, there is one thing: one would pay an honest white hat hacker crew on time, possibly upon completion of their services. A report had been written, yet the findings might take months to clean up. During the interim, anybody can discover these vulnerabilities. This imagined scenario might result in some unfair finger-pointing. There should be a policy of indemnification.

Andy October 19, 2023 11:49 AM

Also of note:

Following the jury verdict in May 2023, Judge William Orrick of the US District Court for the Northern District of California sentenced Sullivan to three years of probation and 200 hours of community service and ordered him to pay a $50,000 fine.

I would guess that this appeal’s cost exceeds 50K. He’s mostly going for a clean record for future employment.

Wannabe techguy October 19, 2023 4:03 PM

@Clive
re: your last paragraph
agreed, and in fact the whole Fed gov is not honest or upright, no matter who’s supposedly in charge.

vas pup October 19, 2023 5:12 PM

Twitter glitch allows CIA informant channel to be hijacked
https://www.bbc.com/news/technology-67137773

“The US Central Intelligence Agency (CIA) account on X, formerly known as Twitter, displays a link to a Telegram channel for informants.

But Kevin McSheehan was able to redirect potential CIA contacts to his own Telegram channel.

“The CIA really dropped the ball here,” the ethical hacker said.

The CIA is a US government organisation known for gathering secret intelligence information, often over the internet, from a vast network of spies and tipsters around the world.

Its official X account, with nearly 3.5 million followers, is used to promote the agency and encourage people to get in touch to protect US national security.

Mr McSheehan, 37, who lives in Maine, in the US, said he had discovered the security mistake earlier on Tuesday.

“My immediate thought was panic,” he said.

“I saw that the official Telegram link they were sharing could be hijacked – and my biggest fear was that a country like Russia, China or North Korea could easily intercept Western intelligence.”

At some point after 27 September, the CIA had added to its X profile page a link – https://t.me/securelycontactingcia – to its Telegram channel containing information about contacting the organisation on the dark net and through other secretive means.

The channel said, in Russian: “Our global mission demands that individuals be able to reach out to CIA securely from anywhere,” while warning potential recruits to “be wary of any channels that claim to represent the CIA”.

But a flaw in how X displays some links meant the full web address had been truncated to https://t.me/securelycont – an unused Telegram username.

As soon as Mr McSheehan noticed the issue, he registered the username so anyone clicking on the link was directed to his own channel, which warned them not to share any secret or sensitive information.

“I did it as a security precaution,” he said.”
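A defender-side check for the link-truncation problem described in the quoted article, as an added example that is not part of the comment or of the BBC story: it simulates a client that shows only the first N characters of a profile link and flags the widths at which the shortened link becomes a different, valid handle. The handle rules and the sample link are assumptions drawn from the story, not a specification of any service.

```python
"""Audit a published profile link for display-truncation hazards.

Added example, not code from the BBC story or from any platform: it models
a client that renders only the first N characters of a link and checks
whether the shortened link still resolves to a valid handle that differs
from the intended one, so a defender can review their own published links.
"""
import re
from urllib.parse import urlparse

# Assumed handle rules, modelled on Telegram usernames (5-32 characters,
# letters, digits and underscores, starting with a letter). This is an
# assumption for the example, not an authoritative specification.
HANDLE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{4,31}$")

# Constructed sample input: the link quoted in the story above.
SAMPLE_URL = "https://t.me/securelycontactingcia"


def handle_of(url, expected_host):
    """Return the first path segment of `url`, or None when the host does
    not match (a cut inside the host is not a handle) or the path is empty."""
    parsed = urlparse(url)
    if parsed.netloc != expected_host:
        return None
    path = parsed.path.strip("/")
    return path.split("/")[0] if path else None


def truncation_hazards(url, widths):
    """For each display width, report (width, shortened_url, handle) when the
    shortened link parses to a valid handle other than the intended one."""
    host = urlparse(url).netloc
    intended = handle_of(url, host)
    hazards = []
    for width in widths:
        short = url[:width]            # what a width-limited client would show
        handle = handle_of(short, host)
        if handle and handle != intended and HANDLE_RE.match(handle):
            hazards.append((width, short, handle))
    return hazards


def alternate_handles(url):
    """Every distinct valid handle that some truncation of `url` points at.
    Prefixes shorter than the minimum handle length are not counted, since
    under the assumed rules they cannot be registered at all."""
    widths = range(1, len(url))
    return sorted({h for _, _, h in truncation_hazards(url, widths)})


if __name__ == "__main__":
    for width, short, handle in truncation_hazards(SAMPLE_URL, [15, 25, 40]):
        print(f"width {width}: {short} -> handle '{handle}'")
    print(len(alternate_handles(SAMPLE_URL)), "prefixes that resolve elsewhere")
```

Width 15 yields a two-character prefix that is too short to be a handle, width 40 shows the whole link, and width 25 reproduces the case in the story.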

Chris Becke October 20, 2023 1:35 AM

If he received legal advice then surely it’s the legal team that should be disbarred / lose their licenses to practice at the very least.

JonKnowsNothing October 20, 2023 4:25 AM

@Chris Becke

re: If he received legal advice then surely it’s the legal team that should be disbarred / lose their licenses

In the USA, it doesn’t work like that. Makes for good movies and TV serials but in real life, it goes according to the volumes of legal cases that make up case law and any flaws in the court proceedings.

It is also a matter of minutiae; the tiniest words on the page count, in literal format. Skipping over these tiny details of the court’s proceedings leads most of us, non-lawyers, to draw lines direct from A-Z. In the legal sphere you have to go every step on the way A-B-C-D… Z. At any letter stop you have opportunities for something to slide off the judicial pathway.

Also, many corporations now include a benefits clause for senior executives that the company will pay all their legal fees. So the company pays the lawyers, and consumers pay the company for their products, so that the company can pay the lawyers to defend the company and executives against any claims of wrongdoing.

If you have such a benefit in your contract, you are fortunate. Sometimes it takes years before a case will be made and one can hope the company is still in business, so you have legal representation semi-equal to the state.

  • The State has unlimited resources to bring against a person.
  • A Person has only what they can pay for out of pocket, or hope that they get a public defender (which has a limited budget) or use a fund-raising scheme to pay for 5* legal fees. This latter method of funding legal fees is actively being considered for some type of criminal charge (money laundering, fraud, misuse of fund-raising donations).

One might be tempted to think that the fastest way to conviction is via bankruptcy.

Chris Becke October 20, 2023 7:26 AM

@JonKnowsNothing: I work as a developer in an industry that is heavily regulated. When I deal with “legal” it is to find out how to correctly comply with some or other regulation. It would be, to my mind, highly problematic if it was even (legally) possible for their role to be to advise me on how to avoid or bypass regulations.

The incentives would be perverse and every company would be engaged in a race to the ethical bottom.

Oh…

Jaime Smith October 20, 2023 9:27 AM

@Chris Becke: It is often legal’s job to tell tech people to avoid regulation. The most glaring example is PCI. Nearly every legal team, when approached with the question “What do I do about PCI”, will respond with “Our first recommendation is to stay out of scope of PCI regulation”.

Legal often tells a business how to conduct themselves in a way that they don’t need to conform to a certain set of regulations – it’s almost always cheaper and easier to do so.

Don’t want to deal with HazMat – hire a contractor to handle material. Don’t want to deal with PCI – contract with a service provider that will issue tokens in place of card numbers. These statements are all very nuanced and it’s legal’s job to give you the advice you need to stay out of scope.

anon October 21, 2023 7:14 AM

anon • October 19, 2023 8:23 AM

I believe they should have originally charged him along with the entire C suite and board of directors.

Responding to my own post, it has occurred to me that $100,000 is within the CIO’s budget authority and it’s likely that this was done without any requirement for additional board-level approval.

Christopher Drake November 16, 2023 1:24 AM

Having personally pitched high-security products to about 100 CISOs from globally significant businesses, and watched them first-hand “do nothing” to protect themselves or their users, I can hand-on-heart swear that a CISO absolutely deserves all punishment received.

If you’re a CISO, and you’re pitched a solution to a real problem, and you make the decision to “do nothing” (or worse, not even test if the solution even works as claimed), YOU are the problem. If you don’t even ask the price of the solution, you’re utterly incompetent (or worse – you know those kickbacks you get for deploying big-name vendor legacy products? You know why you get those kickbacks? It’s because those products are less secure than contemporary ones: WAKE UP!!! You’re being bribed to make your company insecure.)

It’s not the management’s fault: they’re not the ones who understand cyber problems, and they’re not the ones who caused them – it’s the CISO, for making the unilateral decision to ignore the problem.

JonKnowsNothing November 16, 2023 2:36 AM

@Christopher Drake, All

There are several issues with your pronouncement.

(USA)
1) Management is 100% responsible for the activities of the corporation.
2) No individual or even an upper manager can initiate any activity or reorganization or implementation without budget, review, approval by other members of the ruling management and, for big-ticket items, the board of directors.
3) A department head/manager/director can only perform duties within the scope of their position and using the approved financial budget for approved budget items.

No one can pull funds for massive security changes without financial approval and big changes require approval by the board of directors.

It does not matter if senior managers “understand” or the board of directors “understand”, the decision is theirs. Not you, me or the guy on the first floor. They are in charge, have the responsibility and everyone else is just a minion in the system.

The primary exception is for criminal actions, corruption and fraud.

The question hinges on whether the exchange of information happened, and what took place after that exchange and if the decision was within the scope of the department.

Every day, in every software and firmware company on the planet, there are millions of lines of crap-code and bug databases with millions of logged error conditions. Most of these get ignored; some for 20 years or more.

Who is at fault for crap code? The code that allows security flaws to happen in the first place? The code that never gets fixed or the fixes that are not sufficient or cannot fully resolve the problem (forever and ever and ever and ever).

There are notable cases in the software industry where Do Nothing is the correct answer.

Of interest is a recent MSM article about Big Tech facing a new threat to their immunity under Section 230. The case revolves around the crap-code used by social media and not the direct content. The crap-code allows prohibited content to be viewed by embargoed groups who gain access to that content.

Perhaps if Big Tech loses its immunity there will be less crap-code.

===

https://arstechnica.com/tech-policy/2023/11/meta-google-fail-to-smack-down-child-safety-lawsuit-with-section-230-hammer/

  • Judge tosses social platforms’ Section 230 blanket defense in child safety case
  • Judge: Section 230 doesn’t cover platform design defects allegedly harming kids
  • complaint alleged that tech companies were guilty of negligently operating platforms with many design defects

Clive Robinson November 16, 2023 8:30 AM

@ JonKnowsNothing, ALL,

Re : Verification of being.

“Perhaps if Big Tech loses its immunity there will be less crap-code.”

In some ways it would be nice if the Big Tech Corps “get a smack upside their head” but people need to remember something the judge appears not to have done, or possibly never even realised.

That is,

“For every perceived harm stopped, at least another is created, and there is no reason for the harms to be of equal magnitude or obvious.”

These current arguments are spinning around “children” but two elephants are sitting in the room farting loudly, yet everyone is pretending they do not hear them.

Elephant 1 asks “What is a child?”

Elephant 2 asks “How can you tell?”

In this particular case involving “claimed mental harm to children”, the first question’s test is not going to be determined by age at midnight on an anniversary of the day they were born. Further, it is a massive conceit to presume it can be by any go/no-go test. Worse, it fails to consider that there is in reality not two groups (children / not children) but three. That is, in a growth issue measured by an unrelated distinguisher there is always going to be a transition group.

Yet this is almost exactly what we do every time in legislation: use an arbitrary and unrelated measure and then ridiculously a line is drawn with it. So with it comes harm not just to the target group that is to be identified but the rest of the community as a whole.

But the second question is a fun one, which is a variation on the Turing test, and the failure of the likes of “code signing”. Which as they are verified “knowns” reveals a massive failing in logic not just by legislators but by virtually everyone who does not think sufficiently about how you would create and implement such a test.

Most of our modern “legislative tests” are actually “not fit for purpose” due to a fundamental conceit, which is an assumption based around “Evidence”. Contrary to what most are led to believe, evidence used by the process of law in a court is not real, therefore not reliable in any meaningful sense. This is because it is not tangible or physical; it is at best a piece of,

1, Intangible information
2, Of unverifiable provenance.

Thus the “beyond reasonable doubt” burden of proof can not be met.

As has been observed by others and as I’ve mentioned before,

“You can not prove who you are.”

Any identity assigned to you by those who claim to be in authority or even claimed by yourself, is actually not possible to prove[1]. It’s one of the less obvious reasons why bio-metrics are never going to be a sensible idea.

Put simply,

“The ID is information that is ‘a pointer to a physical object, not the physical object’.”

As should be well known to anyone who’s worked in the technical side of the ICT industry for a while, pointers are unreliable and cause more major problems than anyone can easily list. Sadly these are just a fraction of the harms caused by information about information being unreliable.

As I pointed out in conversations on this blog with @Nick P years ago, “code signing” proves nothing about the code it supposedly “makes golden”. And as has been shown in many ways, that which @Nick P and myself discussed and identified has all come to be revealed by the very many harms they have created.

So back to question two and Turing tests.

Put simply the Turing test is about trying to “test” if something “is” what it claims to be by the exchange of only information. As we should know it does not work in part because the claims can not be verified as the information can not be verified, and well it’s also easy to falsify.

Thus I could claim to be in any of the three groups,

1, Child
2, Transition (adolescent)
3, Adult

And you would have no way of determining it by what information I send you.

Any attempt to make the system “work as wanted” creates a massive harm in breaching everyone’s privacy, but ultimately will always fail against those who decide they want to claim to be in a different group.

Thus the more obvious issues are,

1, No reliable distinguisher.
2, No reliable way to verify.
3, Loss of privacy.
4, Easy falsification of records.

From these alone it can be seen what some of the potential for harms to the whole of society can be.

As I’ve noted before, humans are good at making evils to rail against; it’s why we have mobs, vigilantes and burning of witches etc in our history and more modern cancel culture and the like.

What people forget is we “create the beast” of “moral outrage” within society, and it’s “whipped up” for profit/gain and entertainment. Sadly to the point where only “the blood of innocents” will abate but never stop it…

[1] The one example most will have heard of is “I am Spartacus” from the 1960 movie; however, even now few know about “the beast” and the harms that led up to it,

https://culturematters.org.uk/index.php/arts/films/item/2185-i-am-spartacus-by-peter-frost

JonKnowsNothing November 16, 2023 11:49 AM

@Clive, All

Your explanation of the problem of cohort identity is quite thorough, and lots of stuff is done in “won’t someone think of …” mode.

However, crap-code is crap-code. It is the code with anything from a simple typo to a buffer overflow. It’s all pretty much logged into bug databases.

There is no cohort problem there. There is an education, competence and financial problem, with financial being the biggest reason for crap-code to exist.

  • hardly any company will assign someone to fix P4 code

IM(not)HO, P4 and Error Warnings on compile should not be Low Priority. I’ve done my share of Error Warning Clean Up only to see my co-workers reintroduce more warnings. If we cannot even clean up P4 code and constantly introduce compiler generated warnings, is it any surprise that the internet is awash with crap-code?

The question of who is responsible is at the heart of this case. Now that the great media blitz is over, and there is less overt pressure from the W$$ there may be a better chance to determine Who What Where When and How.

Enron took a long time to bring down. It wasn’t for the want of people telling others about what was going on. It took a tipping point for the collapse to happen and it fell across an entire range of industries. It took decades to sort out; that some of those industries that were forced by applied laws and government pressures into insolvency had little to do with the problems uncovered. Yet they took a mighty blow all the same.

Some years back, Marissa Mayer, then CEO of Yahoo, hired Alex Stamos to fix their security problems. It did not go well there either. It took quite some time before information began to leak about what happened. Most of that information is not in WikiP.

  • iirc(badly) When Stamos tried to improve the security system, there was a breach or leak but it was not from within his department. Mayer had given secret access to the NSA for their own backdoor(s) into Yahoo. The NSA left the backdoor(s) open and shyte happened.

===

https://en.wikipedia.org/wiki/Enron

  • Enron Corporation was an American energy, commodities, and services company based in Houston, Texas
  • At the end of 2001, it was revealed that Enron’s reported financial condition was sustained by an institutionalized, systematic, and creatively planned accounting fraud, known since as the Enron scandal. Enron has become synonymous with willful corporate fraud and corruption. The scandal also brought into question the accounting practices and activities of many corporations in the United States and was a factor in the enactment of the Sarbanes–Oxley Act of 2002. The scandal also affected the greater business world by causing, together with even larger fraudulent bankruptcy WorldCom, the dissolution of the Arthur Andersen accounting firm, which had been Enron and WorldCom’s main auditor for years.

https://en.wikipedia.org/wiki/Enron_scandal

  • When news of widespread fraud within the company became public in October 2001, the company declared bankruptcy and its accounting firm, Arthur Andersen – then one of the five largest audit and accountancy partnerships in the world – was effectively dissolved. In addition to being the largest bankruptcy reorganization in U.S. history at that time, Enron was cited as the biggest audit failure
  • Arthur Andersen was charged with and found guilty of obstruction of justice for shredding the thousands of documents and deleting e-mails and company files that tied the firm to its audit of Enron. Although only a small number of Arthur Andersen’s employees were involved with the scandal, the firm was effectively put out of business; the SEC is not allowed to accept audits from convicted felons. The company surrendered its CPA license on August 31, 2002, and 85,000 employees lost their jobs. The conviction was later overturned by the U.S. Supreme Court due to the jury not being properly instructed on the charge against Andersen. The Supreme Court ruling theoretically left Andersen free to resume operations. However, the damage to the Andersen name has been so great that it has not returned as a viable business even on a limited scale.

https://en.wikipedia.org/wiki/Marissa_Mayer#Yahoo!_(2012%E2%80%932017)

  • On November 8, 2017, along with several other present and former corporate CEOs, Mayer testified before the United States Senate Committee on Commerce, Science, and Transportation regarding major security breaches at Yahoo during 2013 and 2014

https://en.wikipedia.org/wiki/Alex_Stamos

  • Alex Stamos is a Greek American computer scientist and adjunct professor at Stanford University’s Center for International Security and Cooperation. He is the former chief security officer (CSO) at Facebook. His planned departure from the company, following disagreement with other executives about how to address the Russian government’s use of its platform to spread disinformation during the 2016 U.S. presidential election, was reported in March 2018.
