The only thing you know that is likely to be true is that someone got fired from Amazon, and that's it.
You don't know if they are telling the truth.
You don't know if they were in the right.
You don't know if Amazon was fixing the problem, and they decided to be an asshole and go over their bosses because they felt that not enough was being done.
You don't know if their actions were compromising the business operations.
Etc. and so on.
If you read this and feel like Amazon did something wrong, you are part of the problem. Don't believe anything that isn't backed by clearly cited sources. Which that article clearly lacks. But alas, you clicked and scrolled, so as far as politico.eu is concerned, that's all that you needed to do.
From the article:
> The warnings about privacy and compliance failures at Amazon come from three former high-level information security employees — one EU-based and two from the U.S.
So 3 employees involved with security and not 1 employee. Also, they were pushed out AFTER alerting about security issues.
How much credibility do you put in such testimonies though? Especially if everyone is an "anonymous source", you can basically invent just about anything and publish it and pretend for it to be a genuine article without any fact under the hood.
Is politico.eu a site with a reputation or just someone's uncle's blog? Do they have an incentive here? Have they done hatchet jobs before? Do they do them commonly?
This is a claim about a particular company? Is this kind of claim contrary to that company's historical record? Is it consistent with it?
Are the claims specific? Are they capable of being falsified? Could other people familiar with what has been claimed confirm it somehow? Will the publication and journalist take a reputational hit if it is all false because they've been had?
And do you know something? We always needed to do this. In life when hearing claims verbally at work or wherever. When reading old-school newsprint. When listening to politicians, public servants, experts, academics.
And here we are still assessing sources and looking for argument from evidence.
Now yours:
> "The only thing you know that is likely to be true is that someone got fired from Amazon, and that's it."
Not looking so hot. But that's fine. That's really ok.
FWIW I’ve never worked for Amazon, but I have quite a few friends and former coworkers at AWS. We’ve had discussions about security and privacy, and the general sense I got from them is that Amazon has more of a focus on security and privacy than any tech company they’ve previously worked for.
> They also noted that AWS is largely run separately from the rest of the company.
So this maybe isn't surprising. One deals with mere customers, the other with businesses that have money and lawyers. AWS is also newer than Amazon, right?
I want to see more information about their background. If they've been fired already, they're not going to lose much from going public with this.
Several U.S./EU employees saying strikingly similar things, especially regarding certain HR BS which is often employed against employees by way of exploitive control.
Court records are often at least public record, may be sealed but it is trivial to go check this stuff...
With nothing being outside the realm of possibility, removing the need for trust should be priority number one.
I would be very interested if you could share accounts of this happening.
From the declassified documents I have studied the Crypto AG "backdoor" consisted of misleading customers that less complex models (with smaller keys) would be suitable for their communications, working with the NSA to word end user documentation in a way that makes it unclear how important specific settings are, and providing technical designs to the NSA for review.
At no point do I believe there was a security flaw that an employee would have found that would have compromised the operation, since it was simply a series of steps that weakened the strength of the encryption from "mathematically impossible" to "requires a purpose built supercomputer." This route provided plausible deniability to everyone involved (remember that other cryptographers also evaluated Crypto AG products and would work to secretly exploit any flaws they found "for the bad guys").
Interestingly before the CIA/BND deal, the French attempted to secretly buy the company and do the exact same thing.
Every company has Policies. Zero companies have Realities which match their policies. This means nothing.
> "We regularly audit our services to ensure compliance and have zero tolerance for employees at all levels who do not follow our policies."
The only people who trust security auditors are people who haven't been through a security audit. Many companies who've been hacked were audited. This means nothing.
Throughout the years I've grown a dislike of company policies.
They feel like a tool designed to discard accountability down the totem pole.
An executive asks an underling to write a policy, he publishes the report with or without a revision or care, and from thereon any and all responsibility regarding a problem is automatically circumscribed to the poor entry-level bastard who was forced to do something remotely related to the policy.
I'm not saying it is or it isn't. But ask yourself, which viewpoint sells more newspapers?
It is unfortunate but true that with successes come a certain devilish breed of human, as well as encouraging some of the worst behavior in otherwise decent folk. Whenever you get a certain level of money involved you can be sure you are dealing with criminals, two-bit liars, and psychopaths.
Sounds like the mgmt psychos over at Amazon have rediscovered the old red tape as a quick way to keep costs down. Just another reason these big biz need proper regulatory oversight; the psychos will still come, but at least it should get easier to throw them in a cell when they are discovered.
I see this more and more in companies where microservices have become prevalent but data strategy hasn't kept pace. Data gets decentralized and services end up storing data from other services, leading to duplication and shadow data that is almost impossible to maintain and control. A coherent data strategy is very important but for many companies hasn't been considered until the problem is well established and painful to overcome.
In my experience, knowing about a vulnerability and knowing how to fix it are magnitudes of effort apart. Main reason I saw companies avoid fixing vulnerabilities was third party libraries. Third party libraries had switched to a new version of JDK or Node and upgrading production environments carried a lot of risk or would break other libraries. Companies stayed on old versions because they “worked” and eventually were unable to pick up security fixes. It’s one big advantage that startups have over the behemoths.
Upgrading dependencies on products with millions of users without breaking anything is one of the most thrilling and rewarding things I’ve ever done.
Is it hard to imagine? Does it really matter anymore? There are [non-Amazon] breaches every few years with 100m+ records.
It will happen and people will be shocked and outraged and then it will happen again. Wash, rinse, repeat.
Yikes. Not exactly confidence-inspiring.