CloudFlare Exec Arrested

https://www.nytimes.com/2020/08/20/technology/joe-sullivan-u…

But the charges drew an important distinction between failing to protect Uber’s computer network and failing to tell the authorities about it. Prosecutors said that Mr. Sullivan committed two felonies when he didn’t disclose the 2016 incident to federal investigators who were already investigating a similar data breach that had occurred two years earlier.


A spokesman for Mr. Sullivan, who is now the chief information security officer at the internet company Cloudflare, said Mr. Sullivan had acted with the approval of Uber’s legal department and there was no merit to the charges against him.

Not a fan of seeing one of my execs jailed. Also Uber had a wretched culture. Thinking seriously of trimming my NET position.

Curious what others make of a guy this high up being hauled off to the pokey.

28 Likes

Not a fan of seeing one of my execs jailed. Also Uber had a wretched culture. Thinking seriously of trimming my NET position.

Curious what others make of a guy this high up being hauled off to the pokey.

I believe he has been charged but not arrested or jailed. And he hasn’t been convicted of anything yet. But it seems unlikely that he would be charged in this type of case without significant evidence. It is interesting that he was a high level executive at Facebook as well. While this occurred at Uber, I would be concerned with inadequate vetting when Cloudflare hired him as well as his performance at Cloudflare. I’m not sure yet about adjusting my position in Cloudflare since I was otherwise very bullish on its potential.

Dave

1 Like

Brittlerock,

Yes, selling your entire position on this seems like a kneejerk reaction. The stock is up >100% YTD. How’s that disappointing?

Bnh

10 Likes

Disappointed with steady 50% revenue growth? Send me the ones that didn’t disappoint you please!

Thanks for bringing this to our attention. No criminal-related press is good press. My conviction in NET has been increasing steadily for months. I recently balanced out my NET and FSLY holdings (FSLY used to be 2x NET). I am taking a wait-and-see approach here. I can’t imagine this can damage the company long-term.

9 Likes

Not so impressed by this story and will obviously hold on to my shares. I remember the CEO of JD.com got arrested in 2018, which obviously caused a lot of turmoil for the stock as well. Happy to say today that I didn’t trim my position back then.

Paul (Long NET, JD)

1 Like

When the Chief Information Security Officer for a company gets arrested, and the company’s product depends upon it being secure - and his alleged crime deals with this exact issue - this data point is not meant to be impressive, just noted. They have had some major glitches recently. And he was at the helm at Uber when they had some major issues. And on top of that Uber, where he was a top dog when these alleged crimes were committed, had a notoriously toxic culture. It is not possible to quantify this but it deserves to be considered and not casually dismissed, though it may of course turn out to be meaningless in the grand scheme of things. Corporate culture is important. Like attracts like. And it should go without saying that we don’t want to see our top execs hauled off to the pokey.

Cloudflare deserves higher scrutiny at this time.

42 Likes

Cloudflare deserves higher scrutiny at this time.

I agree. Reading the NYT and several other articles about Sullivan and Uber was disconcerting. It’s not clear how much of the behavior was due to former Uber chief executive Kalanick versus Sullivan. Did he merely not want to rock the boat and just reported the breach to the legal team and then didn’t push the matter or did he actively participate in hushing up the story?

According to NPR, the Uber “bug bounty” of $100,000 normally paid to “white hat” hackers was much larger than the typical cap of $10,000. Also, Uber required the hackers to sign nondisclosure agreements that falsely said that the hackers did not take or store any data.

https://www.npr.org/2020/08/20/904113981/former-uber-executi…

So far the news doesn’t seem to have made much impact on shareholders’ perceptions. The stock price is down a bit, but so are many other tech companies.

For more context, the Times article emphasized Sullivan’s role in Uber’s culture and mentioned another employee, Anthony Levandowski, who pleaded guilty to stealing trade secrets.

This reminded me of a past New Yorker article discussing Levandowski and the complexity of evaluating the claims of criminal wrongdoing in technology companies because of the nature of the culture.

Covering up a hacking attempt seems more straightforward than determining if lines of code are trade secrets, but building and explaining a case involving technology to a jury is difficult.

From the New Yorker article:

https://www.newyorker.com/magazine/2018/10/22/did-uber-steal…

On the second day of the trial, [judge William] Alsup told Waymo’s legal team, “What you want to hide from the public does not deserve to be hidden.” . . .

The jurors, among them a property manager who spoke limited English and a telephone-line repairman with a high-school diploma, spent much of their time looking bored or bewildered. Occasionally, they fell asleep. . . . “I’m not sure I totally understood what was going on,” one of the jurors told me after a day in court. “I wanted to get a murder trial, but I got this.”

I expect that the case against Sullivan could play out over a long time, and its complexity could minimize the effect on the company’s business and stock price. However, if the case leads to the discovery of something easy to explain and digest, that would be different.

Also from the New Yorker:

Silicon Valley has always been built as much on treachery as on innovation . . . Levandowski seemed constantly ready to abandon his teammates and threaten defection, often while working on an angle to enrich himself. He is a brilliant mercenary, a visionary opportunist, a man seemingly without loyalty. He has helped build a technology that might transform how the world functions, and he seems inclined to personally profit from that transformation as much as possible. In other words, he is an exemplar of Silicon Valley ethics.

In the article, neither Google/Waymo nor Uber come across as having ideal corporate cultures, nor do other Silicon Valley companies. I’m not sure how much is due to the author’s shaping of what he reports versus an accurate description of a competitive and complex culture.

However, Google and others discussed in the article have done well since then, unlike Uber. Whether Sullivan’s charges will be a blip, just as Google’s decision to hire Levandowski (and give him incredible free rein) was to its fortunes, or something more serious remains to be seen.

All the best,

Raymond

5 Likes

I’d say there’s a 98% chance this is a non-issue, that it was in the past. And no one is irreplaceable. If CRWD can thrive without co-founder Dmitri Alperovitch, Cloudflare will easily replace this guy - assuming they will.

The money’s solid, tech widely admired by top techies on our board. And these things are by far the most important.

I just want to do a little digging around and pay closer attention now. If our stocks are like our kids this is the moment one of them comes home late with bloodshot eyes, after being driven home by a kid I’m no fan of. So I’m gonna ask him to hang out with me a little more and make sure we’re cool.

6 Likes

‘Do some digging around’
What I found, edited, from a Jan 2018 New York Times article:

Matt Kallman, an Uber spokesman, said, “We stand by our decision to very publicly disclose the 2016 data breach — not because it was easy, but because it was the right thing to do.”
Through a spokesman, Mr. Kalanick declined to comment.
Uber started its bounty program in March 2016, challenging hackers to find bugs that could specifically lead to the exposure of sensitive user data. The higher risk the bug was, the more Uber would pay. In Uber’s calculus, the payouts were better than learning about a vulnerability only after attackers had abused it.
By the time Mr. Sullivan got this hacker’s email, Uber had paid rewards to hundreds of hackers. Mr. Sullivan forwarded the John Doughs note to his team for vetting and, if all checked out, patching and payment.
Uber’s security team used nicknames for hackers, particularly the colorful, anonymous ones who engaged with the company. This hacker was called “Preacher” for his admonitions that Uber should be better at security.

What is now at issue is whether Uber executives broke the law with the $100,000 payment and should have quickly notified customers or officials of the discovery. The issue is not legally clear cut.
Laws concerning bug bounties are ambiguous. The Justice Department weighed in on bug disclosure programs for the first time in July and largely left it to organizations to decide what access they will authorize for hackers and what they can do with the data. In Uber’s case, its bounty guidelines authorized and encouraged hackers to look for vulnerabilities that exposed its most sensitive user data.
Breach disclosure laws also differ state to state. The state laws most relevant to Uber’s case require disclosure if names are exposed in combination with driver’s license numbers in a “breach of security.”
Brandon received two payments of $50,000 each from Uber on Dec. 8, 2016, according to the emails. Uber continued trading emails with Brandon during 2017, until the conversation dwindled.
Last fall, when two outside law firms for Uber learned about the payment to the hacker, they advised the company that the incident should have been disclosed, according to an Uber employee familiar with the matter. Mr. Sullivan and Mr. Clark, the lawyer who directly oversaw the bounty payment, were fired for not seeking outside counsel on the issue of whether to disclose, this person said. (Me here: keyword ‘outside’. Sullivan was fired alongside ‘the lawyer that directly oversaw the bounty’).

In a later interview in the Washington Post, Sullivan talked about the difference between stopping a hacker and creating a better internet and that his best days were spent doing the latter. At the end of the article he said that his “next step professionally had to be towards a team that pushes security out, proactively, to as much of the internet as possible”.

4 Likes

Great info!

I don’t know if the general public will catch the nuance here but if the issue is only about disclosing a bounty payment this should be a non-issue. This is a very common practice! The handling will be where the focus goes. This is equivalent to paying a consultant for an audit. I would call the legal action a regulatory battle, or an attempt to set precedent and define better guidelines, perhaps.

Here is a good article on it which talks about Uber and what a company can do to protect itself (the first one is just silly since it would require telling the hacker to not attack a certain way. It would be like getting in a fight and saying “you can hit me but only in the shoulder”):

https://www.pbwt.com/data-security-law-blog/bug-bounty-progr…
"The DOJ guidelines do, indeed, provide a useful framework but they raise a series of significant issues that remain unanswered. In particular, what steps must a company take when a bug bounty researcher uncovers sensitive information? Is that discovery subject to state and federal data breach reporting requirements?"

This is good background but more general:
https://techbeacon.com/security/why-every-organization-needs…
"Why every organization needs a bug bounty program

This is what a bug bounty program is about: Ethical hackers help businesses detect vulnerabilities before the bad guys beat them to it. In other words, running a bug bounty program is getting ahead of the game by being proactive and predictive. A bug bounty is an alternative way to detect software and configuration errors that can slip past developers and security teams, and later lead to big problems.

…bug bounties are about creating a culture of openness, transparency, and responsibility. Even if your company doesn’t offer bug bounties, you need to establish a vulnerability disclosure policy (https://hacken.io/research/education/hackenproof-guide-to-vu…) as soon as possible.

Another term for this is responsible disclosure policy: A legal statement stating that your company won’t prosecute ethical hackers who detect vulnerabilities in your products. Startups and young organizations that haven’t adopted such policies are missing out."

I assume it is the Vulnerability Disclosure Policy that is at the heart of the legal issues, but also seems a little subjective. This is worth a read from the link in the quote above:
"Is there a difference between a Vulnerability Disclosure Policy and a Bug Bounty Program?

Bug Bounty Program is essentially a Vulnerability Disclosure Program with a monetary reward system that has been clearly defined. Thus, companies that have Bug Bounty Programs make an even louder statement about commitment to security, since they proactively state that they will pay for any vulnerabilities found on their site/product by ethical hackers.

Some companies forgo the VDP statement altogether and simply redirect ethical hackers to a Bug Bounty Page instead."

I could be totally wrong here but it sounds like this is all going to come down to the judgment call their legal counsel made based on available guidelines; how they were interpreted at the time.

4 Likes

I may’ve missed something on this Bug Bounty Program, but if the hackers broke in and took some customer info wouldn’t that pose a problem for the guy who hired them? (Just wondering, here.)

As I reported from the NYT article of Jan 2018
‘The Justice Department weighed in on bug disclosure programs for the first time in July and largely left it to organizations to decide what access they will authorize for hackers and what they can do with the data.’ Me here: that’s July 2017, that the DOJ began investigating this 2016 case against Sullivan.
I agree with your statement Rafesusername
‘I could be totally wrong here but it sounds like this is all going to come down to the judgment call their legal counsel made based on available guidelines; how they were interpreted at the time.’

Me again: I think the interpretation of what is wrongdoing in this situation is more than nebulous. The market hasn’t decided yet; but I’m in at 8% of portfolio and will buy more if this drops significantly.

1 Like

‘that’s July 2017, that the DOJ began investigating this 2016 case against Sullivan.’

I wrote that substantially inaccurately.

It was July 2017 that the DOJ began investigating this type of case. In 2016, when Sullivan was fired for ‘not bringing in outside counsel’, the DOJ was ‘largely leaving it to organizations to decide what access they will authorize for hackers and what they can do with the data’.

I hope that’s more clear, and why I’m looking to add if this gets blown up and the price drops because of it.

Thanks,

Jason

1 Like

if the issue is only about disclosing a bounty payment this should be a non-issue. This is a very common practice!

My read is that the issue is whether Sullivan/Uber post-facto covered up the hack and extortion attempt by subsequently paying off the hacker via the bug bounty program. For instance, the bug bounty programs with which I’m familiar require advance registration and that the person make a good faith effort to not actually access private information, just demonstrate how it can be accessed. Neither of those requirements was apparently met in this case, where someone tried to extort money out of Uber after accessing lots of Uber’s users’ private information.

The case may be decided on some legal detail, and apparently Sullivan did have approval from Uber’s legal department.

What this means for Cloudflare is still anyone’s guess. With different corporate legal advice, people at companies will often behave in different ways.

7 Likes

Bnh,
My post seems to have been removed. Be that as it may, what I said is what I meant; I asserted that I might be over-reacting. If this all blows over as a non-issue I can always buy back into NET. Until such time I would rather just not be an owner. I hold executive management to a high standard.

I realize that an indictment is not a conviction. But indictments do not occur for no reason (usually). There are other investment opportunities that are free of clouds, I will put my money there and keep my eyes open.

Many of us were invested in the First Internet Bank a few years ago. They underwent a short attack, but as it turned out there seemed to be considerable merit to the charges leveled against the integrity of executive management. At the time my attitude and reaction was similar. I sold my position. I don’t believe that anyone was ever convicted of any crimes at First Internet Bank, but I never returned to that investment. There just seemed to be better places for my money.

I simply stated my reaction. As has been emphasized on this board over and over again, don’t blindly follow anyone, make up your own mind based on the information at hand and take responsibility for your own decisions.

13 Likes