How does that work for a scenario where specific and intentional actions were taken by an individual or group of individuals, that may or may not have been illegal?
You can’t analyze an armed robbery prosecution as an accident without ignoring all of the most significant aspects of the case.
That sounds exactly backwards.
Depends on the scope of the analysis. You can analyze why the security systems allowed for that armed robbery to happen and recommend how to prevent this from happening in the future. You can analyze what societal factors and incentive structures lead to this and similar robberies and how to reduce the likelihood of that occurring in the future.
For all of this the question of guilt doesn't matter at all.
On another note, future whistleblowers could, I suppose, cite this as a reason why they cannot keep their mouth shut.
This whole article is just the rich people version of 'yeah my cousin beat up a mascot once but in his defense that mascot was awful too'.
So they set out to describe it as „an accident“ because „blameless post-mortems“ are something people really like?
Also this article falls into the trap of trying to sound smart by using, sorry, „by effecting the usage of“ big fancy words. I’ve read Supreme Court transcripts and judgements, and I can understand them. This is overtaxing my buzzword ingestion.
As someone who has operated bug bounty programs, understanding what processes might have prevented things from going off the rails _in spite of_ internal actors with different motivations is very helpful to me. Placing all of the blame on an individual removes the opportunity to improve things.
It seems to me that there's another option. Describe the problem thusly:
> A Lyft employee grabbed our data storage access keys from GitHub. He, or someone else, then used these keys to grab PII that Uber was legally required to safeguard. Uber management and/or legal actively worked to cover all of this up and mislead the FTC about the nature and size of the breach.
>
> Given these facts, what processes and procedures can we change or create to ensure that the PII we're charged with safeguarding remains safe and guarded, that any threat to or breach of said information is detected as soon as is reasonably possible, and that any attempts of management and/or legal to cover up any such incidents are detected and reported to the appropriate authorities?
What’s the backstory here? Did an Uber competitor buy the database from a hacker? Then Uber found out which is how they found the data breach happened? Am I reading that right?
That sounds very shady whoever the competitor was.
https://www.reuters.com/article/uk-uber-tech-lyft-hacking-ex...
Reading between some lines, what Uber thinks happened is that Chris Lambert, the CTO of Lyft, accessed the GitHub repository that had the improperly stored key (they know the IP address of the only person who they couldn't rule out and that IP was associated with Chris elsewhere online). But then the actual hack using those credentials was carried out via NordVPN so they can't be sure who actually downloaded the material.
Later on, Uber was interviewing a Lyft engineer who let them know that Lyft had a copy of the driver database, so they reverse engineered how they could have downloaded it and found their exposed credentials.
Then why bring it up?
> My analysis will treat this as an accident.
Isn't the point of an analysis to determine what happened? Not to start with a preconceived idea and make the analysis fit that?
It's hard to trust a source repeatedly claiming to be neutral after spending the first few paragraphs espousing their biases.
(for the case docket if some of HN wants to use recap extension https://free.law/recap and burn some PACER credit. It's free to make a PACER account and use up to $30 a quarter, they won't bill you).
Missed opportunity to call this section Uber Eats.