GitHub sued in class-action lawsuit for "supporting hacking"
-
Gotta love people not knowing what the word "hacking" means.
https://www.courtlistener.com/recap/gov.uscourts.cand.345666/gov.uscourts.cand.345666.3.0.pdf
-
I'm not sure why GitHub hasn't taken this down, given that it's apparently GitHub's job to delete any file containing any social security number or something.
-
@ben_lubar no social security number on there is mine
-
@ben_lubar said in GitHub sued in class-action lawsuit for "supporting hacking":
I'm not sure why GitHub hasn't taken this down
Liar.
-
If you count high enough, your list will contain a digitized copy of every illegal, copyrighted, and classified document in existence.
-
The lawsuit cites GitHub as "supporting hacking" because of a repository owned by a security researcher in [checks notes] Bengaluru, India.
The lawsuit claims GitHub intentionally left a repository containing personal information up for over 3 months, despite them finding out about it 4 days before the end of that time window and reporting it immediately and getting a response from CapitalOne ten days later.
-
The lawsuit simultaneously claims that GitHub has over 85 million code repositories and also that GitHub is fully conscious of and responsible for the contents of every single one of those repositories, even months before they're first alerted to a problem.
-
@error said in GitHub sued in class-action lawsuit for "supporting hacking":
If you count high enough, your list will contain a digitized copy of every illegal, copyrighted, and classified document in existence.
-
@ben_lubar said in GitHub sued in class-action lawsuit for "supporting hacking":
No, I don't have any security number listed there. (It seems the quote ate the link text I'm replying to)
Edit: why doesn't the raw show the link text?
-
@sockpuppet7 said in GitHub sued in class-action lawsuit for "supporting hacking":
@ben_lubar said in GitHub sued in class-action lawsuit for "supporting hacking":
No, I don't have any security number listed there. (It seems the quote ate the link text I'm replying to)
Edit: why doesn't the raw show the link text?
did they not invent javascript where you live yet
-
@ben_lubar said in GitHub sued in class-action lawsuit for "supporting hacking":
@sockpuppet7 said in GitHub sued in class-action lawsuit for "supporting hacking":
@ben_lubar said in GitHub sued in class-action lawsuit for "supporting hacking":
No, I don't have any security number listed there. (It seems the quote ate the link text I'm replying to)
Edit: why doesn't the raw show the link text?
did they not invent javascript where you live yet
follow-up: can I move there it seems better than here for that reason alone
-
@ben_lubar said in GitHub sued in class-action lawsuit for "supporting hacking":
@ben_lubar said in GitHub sued in class-action lawsuit for "supporting hacking":
@sockpuppet7 said in GitHub sued in class-action lawsuit for "supporting hacking":
@ben_lubar said in GitHub sued in class-action lawsuit for "supporting hacking":
No, I don't have any security number listed there. (It seems the quote ate the link text I'm replying to)
Edit: why doesn't the raw show the link text?
did they not invent javascript where you live yet
follow-up: can I move there it seems better than here for that reason alone
It's (much) worse than you think.
[Embedded video: Theme from Terry Gilliam's "Brazil", by Geoff Muldaur and Michael Kamen]
-
@boomzilla said in GitHub sued in class-action lawsuit for "supporting hacking":
It's (much) worse than you think.
It's not that bad. We have much less money, but most stuff has a worsened, cheaper version for our market. And you get used to the murder rate until you get killed. Or someone in your family gets killed, but you could die of a heart attack there in the US; it's just one more thing to kill us. We don't have hurricanes, that's a good thing, right?
Oh, and I'm pretty sure nobody invented JavaScript here, but they did invent lua, and I don't think that would be too different if it occupied the space JavaScript does in our world.
-
@sockpuppet7 said in GitHub sued in class-action lawsuit for "supporting hacking":
It's not that bad.
Man...quit stepping on my jokes!
-
@ben_lubar said in GitHub sued in class-action lawsuit for "supporting hacking":
The lawsuit cites GitHub as "supporting hacking" because of a repository owned by a security researcher in [checks notes] Bengaluru, India.
Yeah, that made me facepalm. I don't see any affiliation with GitHub except that GitHub is in the name.
Would it be worth GitHub banning "GitHub" in repository names from non-official repositories in the future? Maybe.
@ben_lubar said in GitHub sued in class-action lawsuit for "supporting hacking":
I'm not sure why GitHub hasn't taken this down, given that it's apparently GitHub's job to delete any file containing any social security number or something.
So maybe this should be in the unpopular opinions thread or something, but I don't think the complaint is entirely unreasonable. Maybe this is since I'm used to working with the government where data loss prevention (DLP) software is more commonly used to check data at rest/in transit for Social Security Numbers etc. There may be false positives but when you have an entire file that matches the pattern... might be worth a look.
That said, while it's not entirely unreasonable, I don't think it has any legal basis. I think in the plaintiffs' initial complaint they're just throwing everything at the wall to see what will stick. Having read through the whole complaint, I don't think there's anything that's going to stick to GitHub there. The use of the "Awesome-Hacking" repository might actually backfire on them. That district is (relatively!) technology-savvy, and Judge Westmore doesn't seem to be an exception.
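The DLP-style check described in the post above, as an added example that is not part of the original thread or any product: a scanner that finds SSN-shaped values, discards ones the SSA never assigns (area 000, 666 or 900-999, group 00, serial 0000), and flags a file only when most of its lines carry a plausible value, so a lone build id does not trigger it. The sample inputs are constructed.

```python
import re
from typing import Dict, List

# Candidate shape: 3-2-4 digits with optional '-' or ' ' separators, on word boundaries.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never assigns: area 000, 666 or 900-999,
    group 00, serial 0000. A cheap structural filter, not a validity check."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def scan_text(text: str, file_threshold: float = 0.5) -> Dict[str, object]:
    """Return per-line hits and a file-level verdict.

    A single hit is weak evidence (a build id or order number can look like
    an SSN); a file where most lines carry a plausible SSN is the case the
    post describes, so the verdict is based on the ratio of hit lines."""
    lines = text.splitlines()
    hit_lines: List[int] = []
    rejected = 0
    for lineno, line in enumerate(lines, start=1):
        line_hit = False
        for m in SSN_RE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                line_hit = True
            else:
                rejected += 1
        if line_hit:
            hit_lines.append(lineno)
    ratio = len(hit_lines) / len(lines) if lines else 0.0
    return {
        "hit_lines": hit_lines,
        "rejected_candidates": rejected,
        "hit_ratio": round(ratio, 3),
        "flag_file": ratio >= file_threshold,
    }


# Constructed sample inputs (not real data): a dump where most rows carry an
# SSN-shaped value, and a config file with one incidental 9-digit number.
SAMPLE_DUMP = (
    "name,ssn,balance\n"
    "Alice Example,123-45-6789,1200.50\n"
    "Bob Example,234 56 7890,88.00\n"
    "Carol Example,345-67-8901,15.25\n"
    "Dan Example,000-12-3456,0.00\n"
)
SAMPLE_CONFIG = "[build]\nbuild_id=123456789\nport=8080\ntimeout=30\n"

if __name__ == "__main__":
    for name, sample in (("dump", SAMPLE_DUMP), ("config", SAMPLE_CONFIG)):
        print(name, scan_text(sample))
```

The threshold is the tunable false-positive control: lowering it catches smaller leaks at the cost of flagging more ordinary files for human review.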
-
@heterodox said in GitHub sued in class-action lawsuit for "supporting hacking":
So maybe this should be in the unpopular opinions thread or something, but I don't think the complaint is entirely unreasonable. Maybe this is since I'm used to working with the government where data loss prevention (DLP) software is more commonly used to check data at rest/in transit for Social Security Numbers etc. There may be false positives but when you have an entire file that matches the pattern... might be worth a look.
Doing that would jeopardize GitHub's safe harbor from several US laws (including the DMCA and the Communications Decency Act).
-
@Unperverted-Vixen said in GitHub sued in class-action lawsuit for "supporting hacking":
Doing that would jeopardize GitHub's safe harbor from several US laws (including the DMCA and the Communications Decency Act).
I would argue it would not.
(m) Protection of Privacy.—Nothing in this section shall be construed to condition the applicability of subsections (a) through (d) on—
(1) a service provider monitoring its service or affirmatively seeking facts indicating infringing activity, except to the extent consistent with a standard technical measure complying with the provisions of subsection (i); or
(2) a service provider gaining access to, removing, or disabling access to material in cases in which such conduct is prohibited by law.
I read "condition the applicability" to mean either positively or negatively (i.e., you don't gain safe harbor or safe harbor "bonus points" but you also don't lose safe harbor).
However, IANAL (in many senses) and the language of the statute is rather dense so take that with a grain of salt.
Either way I'd say a common-sense interpretation of the law should not penalize a provider for removing material that is obtained illegally or otherwise violates the law. I have nothing more than that to say on the legal front.
-
@heterodox The real is the US insistence on using the SSN for important stuff.
-
@Rhywden said in GitHub sued in class-action lawsuit for "supporting hacking":
@heterodox The real is the US insistence on using the SSN for important stuff.
this ten digit number is apparently more important than a human life
it's not like computers can count that high in what rounds down to zero seconds
-
@levicki said in GitHub sued in class-action lawsuit for "supporting hacking":
@heterodox Once you claim that you are fully moderating content (as opposed to just hosting user content and acting upon reports of ToS violations) you lose safe harbour provisions and expose yourself to very expensive legal action.
All you're doing is repeating what @Unperverted-Vixen said. I don't think that's fully correct, especially if you're using automated mechanisms and the moderating you're doing is not for copyright violations. But I said my piece above and am not going to go into it again.
-
@Rhywden said in GitHub sued in class-action lawsuit for "supporting hacking":
@heterodox The real is the US insistence on using the SSN for important stuff.
Yeah, they should handle it like banks, where your account number is a closely guarded secret except to everyone you've ever given a check.
-
@error said in GitHub sued in class-action lawsuit for "supporting hacking":
@Rhywden said in GitHub sued in class-action lawsuit for "supporting hacking":
@heterodox The real is the US insistence on using the SSN for important stuff.
Yeah, they should handle it like banks, where your account number is a closely guarded secret except to everyone you've ever given a check.
Good comparison, as both of those seem brain dead. My bank account number is quite obviously not a secret. (No, I won’t post it here, but that doesn’t mean it’s not true)
Likewise, using your SSN like it’s a super secret code is just wrong.
-
Luckily, you also need a routing number, which is a secure 2-factor authentication method and definitely not something you can just Google and look up.
-
@topspin said in GitHub sued in class-action lawsuit for "supporting hacking":
Likewise, using your SSN like it’s a super secret code is just wrong.
It's just used as an identifier. Any other ID number would have the same issue.
-
It's too bad there's no such thing as a zero-knowledge proof or this would seem like a silly problem to still exist in 2019.
Edit: at least you wouldn't have to give out your secret identifier to third parties
-
@error said in GitHub sued in class-action lawsuit for "supporting hacking":
Luckily, you also need a routing number, which is a secure 2-factor authentication method and definitely not something you can just Google and look up.
I know I'm ing at the joke, but in all seriousness, even if you weren't being facetious, the routing number is right on the check too.
-
It's just one of those things that you have to fill in on an online form that feels like it's more secure but is actually just more effort.
-
@error said in GitHub sued in class-action lawsuit for "supporting hacking":
It's too bad there's no such thing as a zero-knowledge proof or this would seem like a silly problem to still exist in 2019.
Does proving that some people have absolutely zero useful knowledge really help?
-
@error said in GitHub sued in class-action lawsuit for "supporting hacking":
It's just one of those things that you have to fill in on an online form that feels like it's more secure but is actually just more effort.
It's not for security. It's for accounting. It's like the area code in phone numbers. And it's meant to be like that and nothing more.
-
@Gąska said in GitHub sued in class-action lawsuit for "supporting hacking":
it's like the area code in phone numbers
Shirley you can't think 7 digits is sufficient address space for even US phone numbers alone (Dallas needs 3 area codes for itself.)
Edit: I guess you mean account numbers are not globally unique... Which may be true. I never thought about it.
-
@error not my problem. The feds came up with the numbering scheme for bank offices, the feds figure out what to do when they run out of numbers ¯\_(ツ)_/¯
-
It sounds like the same brillant minds who conceived of XML namespaces as URIs.
-
@error They just look like URIs. A bigger pain in practice is the local prefix; formally it has no meaning other than as a shorthand for the “URI” but some tools insist otherwise because they're only partially namespace-aware. Could be worse: could be someone strung together the whole service you're dealing with Perl and all it's doing is regexps and string substitution so woe betide you actually using XML or even failing to put in newlines between elements…
-
@Rhywden said in GitHub sued in class-action lawsuit for "supporting hacking":
@heterodox The real is the US insistence on using the SSN for important stuff.
-
@levicki said in GitHub sued in class-action lawsuit for "supporting hacking":
If I am not mistaken, safe harbour provisions exist not just for copyright violations but for other illegal activity as well.
You are mistaken.
DMCA's liability shield is only for copyright infringement: "A service provider shall not be liable for monetary relief, or, except as provided in subsection (j), for injunctive or other equitable relief, for infringement of copyright by reason of the provider’s [...]"
CDA's liability shield specifically exempts federal criminal law: "Nothing in this section shall be construed to impair the enforcement of section 223 or 231 of this title, chapter 71 (relating to obscenity) or 110 (relating to sexual exploitation of children) of title 18, or any other Federal criminal statute."
That being said, the complaint isn't that GitHub violated a criminal law (that'd be impossible, they don't have the knowledge or intent), it's that they were civilly negligent, and there's no way GitHub doesn't meet the safe harbor provisions of the CDA (you specifically can meet them even if you're monitoring, screening, and deleting -- that's what that safe harbor is).
-
@topspin said in GitHub sued in class-action lawsuit for "supporting hacking":
My bank account number is quite obviously not a secret
But your credit card number is! Funny how that works.
-
@anonymous234 said in GitHub sued in class-action lawsuit for "supporting hacking":
@topspin said in GitHub sued in class-action lawsuit for "supporting hacking":
My bank account number is quite obviously not a secret
But your credit card number is! Funny how that works.
A "secret" where normal and expected use means revealing it to the cashier. Yeah.
-
@topspin It's both a public and private key. You have to reveal it to people, you just hope they don't use it for anything other than what they promised.
-
@anonymous234 I used to work at a phone retail store. We had hundreds of active cards in our system and I could charge any of them for any amount whenever I wanted with just a few clicks. It was scary.
-
@anonymous234 said in GitHub sued in class-action lawsuit for "supporting hacking":
@topspin It's both a public and private key. You have to reveal it to people, you just hope they don't use it for anything other than what they promised.
that's not how asymmetric cryptography works
credit cards are a password that's also your username
-
@error said in GitHub sued in class-action lawsuit for "supporting hacking":
It's too bad there's no such thing as a zero-knowledge proof or this would seem like a silly problem to still exist in 2019.
Honest question: Are any of those zero-knowledge protocols actually used in production anywhere? AFAIK, they're only popular in academia.
-
@Gąska said in GitHub sued in class-action lawsuit for "supporting hacking":
I used to work at a phone retail store. We had hundreds of active cards in our system and I could charge any of them for any amount whenever I wanted with just a few clicks. It was scary.
Just today, I learned that all you need to do to block a certain amount of money on a credit card is call the issuer and tell the automated system the number and amount. The whole credit card system seems crazy to me now.
-
@dfdub said in GitHub sued in class-action lawsuit for "supporting hacking":
Just today, I learned that all you need to do to block a certain amount of money on a credit card is call the issuer and tell the automated system the number and amount. The whole credit card system seems crazy to me now.
That's a holdover from before swipe terminals were common.
-
@Unperverted-Vixen said in GitHub sued in class-action lawsuit for "supporting hacking":
swipe terminals
Another , since they're just as "secure". But honestly, when I heard the sentence "Our computer system is down, let me just call Visa" and then overheard the conversation with the automated system, my facial expression was somewhere between and . Even if everything else about this was totally okay and secure, it feels wrong to spell out an amount over the phone and rely on the automated system's voice recognition to understand it correctly. Because apparently, using the keypad for that was not considered a better option for some reason.
-
@dfdub said in GitHub sued in class-action lawsuit for "supporting hacking":
@Unperverted-Vixen said in GitHub sued in class-action lawsuit for "supporting hacking":
swipe terminals
Another , since they're just as "secure". But honestly, when I heard the sentence "Our computer system is down, let me just call Visa" and then overheard the conversation with the automated system, my facial expression was somewhere between and . Even if everything else about this was totally okay and secure, it feels wrong to spell out an amount over the phone and rely on the automated system's voice recognition to understand it correctly. Because apparently, using the keypad for that was not considered a better option for some reason.
You didn't happen to visit MicroCenter did you? Because I had to be on the other side of that conversation just a few hours ago...
But yeah. Depending on the issuer, you need card number, amount, sometimes a merchant ID, and then you can authorize any amount, and get an authorization code, which you can then use to actually charge the card.
(Notably, no CVV)
Related: the UPS for our store server keeps things going for about 45 minutes without power.
-
@dfdub said in GitHub sued in class-action lawsuit for "supporting hacking":
Because apparently, using the keypad for that was not considered a better option for some reason.
I would imagine the logic is that it's pretty easy to automate (i.e. spam) the "manual fallback" process if it relies solely on DTMF tones (e.g. using an old 14.4k modem) and somewhat more difficult (but not impossible) to use a TTS engine to automatically block/hold amounts from a large number of cards. Also, at least Visa then have a recording of the supposed employee's voice to play back in case of dispute.