item 33912974

IfOnlyYouKnew | 3 years ago

So… a federal jury found this guy guilty, but here we have a friend of his who is going to be totally neutral in a reevaluation?

So they set out to describe it as „an accident“ because „blameless post-mortems“ are something people really like?

Also this article falls into the trap of trying to sound smart by using, sorry, „by effecting the usage of“ big fancy words. I’ve read Supreme Court transcripts and judgements, and I can understand them. This is overtaxing my buzzword ingestion.


floober | 3 years ago

> So they set out to describe it as „an accident“ because „blameless post-mortems“ are something people really like?

As someone who has operated bug bounty programs, understanding what processes might have prevented things from going off the rails _in spite of_ internal actors with different motivations is very helpful to me. Placing all of the blame on an individual removes the opportunity to improve things.

simoncion | 3 years ago

> Placing all of the blame on an individual removes the opportunity to improve things.

It seems to me that there's another option. Describe the problem thusly:

> A Lyft employee grabbed our data storage access keys from GitHub. He, or someone else, then used these keys to grab PII that Uber was legally required to safeguard. Uber management and/or legal actively worked to cover all of this up and mislead the FTC about the nature and size of the breach.

>

> Given these facts, what processes and procedures can we change or create to ensure that the PII we're charged with safeguarding remains safe and guarded, that any threat to or breach of said information is detected as soon as is reasonably possible, and that any attempts of management and/or legal to cover up any such incidents are detected and reported to the appropriate authorities?

stefan_ | 3 years ago

But the bug bounty policy was very clear on all of this and this extortionist never concealed his intentions. And all this text can come up with is "what if we loop in even more people". Indeed this description made it very clear that the existing processes were intentionally subverted; what can more processes do for avoiding that when it happens by decision of the CSO and CEO?

tptacek | 3 years ago

The point isn't to determine Sullivan's guilt or innocence. That's already happened. The point is to mine actionable information for other startups out of it. That's McGeehan's whole M.O. with all of his writing.