When your Uber driver is a spy
Another attack vector brought to you by the gig economy.
Like other migrating beasts, hackers travel huge distances for feeding, breeding, and breaking things every summer -- at Defcon in Las Vegas. The way they move about the city is driven primarily by the availability of free booze at corporate parties or the convenience of air-conditioned infosec habitats; the heat makes them torpid. As such, everyone takes taxis, Ubers, and Lyfts everywhere, day and night.
The mostly-male migration forgoes the braggadocio of colorful plumage as seen in avian species. Instead, they establish social dominance and attract attention of potential mates and recruiters by bragging. Thus, according to my taxi-related experiences while covering the conference over the years, Las Vegas car drivers overhear way more of infosec's boasting and swagger than they probably should.
Ferrying hackers and feds during "hacker summer camp" has got to be a dream gig for a spy. How could it not be? Spying on hackers is usually more trouble than it's worth. Thanks to Uber and Lyft's gig economy it's much easier. No union, no problem (for them at least).
Case in point is GQ's story The Spy Who Drove Me. Two weeks ago at the Aspen Security Forum, a high-horse homeland security conference, journalists from GQ and Washington Post (among others) kept ending up with a conspicuously curious Uber driver.
Gloria the Uber driver picked up journos on the conference's first night. The next morning, correspondents compared notes about how she'd pumped them for information on the ride to the conference. "I'll tell you something if you tell me something," she said to one reporter. Through Gloria's chatty admissions, reporters began piecing together that she'd been to North Korea, and knew who Director of National Intelligence Dan Coats was -- surprisingly well. That's when GQ decided to turn the tables on her.
GQ's reporter, Julia Ioffe, texted Gloria for a ride with the express stated purpose of interviewing the Uber driver for a story. According to Ioffe, the exchange got weird really fast:
"Since I saw your face yesterday, I've been wondering," [Gloria] said, "are you from a Russian background?"
(...) How the hell did Gloria know I was from Russia? I certainly hadn't mentioned it, and my last name wasn't on my Uber profile. And, since I'm Jewish, I don't even look particularly Russian—that is, classically Slavic. What else did Gloria know, and how did she know it?
How did you know? I asked her.
Gloria resorted to flattery. "Because your face is so beautiful," she cooed. "The dark hair and the light eyes and the white skin."
Upset, the reporter again asked Gloria, "How did you know I was from Russia?" The driver continued trying to derail Ioffe with compliments.
Ms. Ioffe repeated the question a third time. So what is going on with Putin now?" Gloria asked. "What is happening?"
On the last night Ms. Ioffe and a colleague booked an Uber and, surprise surprise, they got Gloria. The driver asked them what people at the conference were saying about North Korea. The other journalist replied, "Well, it seems like people don't really know that much of what's going on there. But you've been to North Korea, right?" When Gloria didn't respond, he repeated the question twice, each time receiving silence.
GQ described what happened next:
"Gloria," Shane pressed on. "When were you in North Korea?"
"A couple years ago," she mumbled after a long silence.
"What were you doing there?"
Silence. "I'd like to go back," she finally said.
Shane, who had also come to see our suspicions of Gloria as silly and paranoid, was now suspicious all over again, as was I. "What were you doing in North Korea, Gloria?" he asked again. "Tell me, Gloria."
"You know," Gloria began, finally catching her footing. "You're so cute. I like you. I like you so much. I really do. I like you so, so much. And we can become friends. You can come visit me in Colombia, and we can be good friends. I like you so much."
Needless to say, Gloria's artless social engineering skills could use some work. If she was indeed a spy, she wasn't a very good one — certainly not one that would get much traction at Defcon, anyway. Hackers may love to run their mouths, but the phrase "don't bullshit a bullshitter" might as well be the conference's tagline.
Putting Defcon in the equation is where the Uber driver who secretly livestreamed hundreds of passengers becomes even more worryingly relevant.
Let's not forget, what that Uber driver did wasn't technically illegal.
That's because he was in Missouri, which is a one-party consent state. Meaning, when the conversation is a private, in-person conversation, recording is legal as long as one of the parties is aware of the recording. If you have any friends going to Defcon this month, you may want to tell them that another exciting one-party consent state is Nevada. Fun times ahead!
But there's being paranoid, and then there's when drivers are actually out to get you. Never mind Gloria's graceless and obvious attempts at socially engineering bewildered and surprised journalists. I'm remembering the taxi ride I took on the last day of Defcon in 2013.
I always chat up Vegas taxi drivers because they do indeed hear and blab about conference chatter; for this reporter they're great sources of information. My taxi driver for Defcon 21 was that and more, showing me that drivers ferrying security researchers to and fro know exactly who their fares are — and some hate them. While taking me to the conference, he told me he'd joked with a previous fare (an FBI employee) about blinding hackers, but actually thought a better way to punish and stop hackers would be to chop their fingers off.
Compared to him, Gloria would've been a welcome amusement -- for me, and definitely for many Defcon attendees. She wouldn't win any of Defcon's social engineering "Capture The Flag" (CTF) contests. But as some of my Defcon buddies would say, "spies gonna spy," and seasoned infosec pros who aren't at the conference to inadvertently brag themselves into handcuffs (it happens) would probably enjoy some cat-and-mouse repartee in a sort-of professional courtesy kind of way.
I mean, if we have to choose our captive poisons, in our world of broken privacy, Gloria is preferable to the freaky anger and resentment coursing through some people's veins these days. Like that cab driver.
All of it -- the Uber spy, people hating hackers for security disasters, and privacy violations opened up by arrogant ridesharing companies -- combines into a spinning sign of the times. Round and round it goes. Where it'll stop, nobody knows.