Amazon insiders sound alarm over security (www.politico.eu)
143 points by nothinggoesaway | 2021-02-25 04:33:18+00:00 | 63 comments




We need to re-decentralize the web

And how does this solve the problem of information security?

Moving away from a few megacorps would mean consumers have choice in selecting an alternative provider who takes privacy and security more seriously. Today that choice doesn’t exist because Google, Amazon, Facebook, and other big tech companies don’t face competition, either due to traditional monopoly/oligopoly traits, extreme capital advantages, or network effects.

Customers have the choice to not use Amazon today, but how would you give them visibility into who takes privacy and security more seriously? Is Walmart safer? Target? How about my local retailer that only takes orders by phone and types them into a spreadsheet on a poorly protected computer?

Tell me which provider takes security seriously and how you know that.

An anonymous decentralised marketplace like Amazon is exactly the problem particl [1] is trying to solve.

[1] particl.io


Not surprised, considering that they spin every little feature into its own AWS service. It would be an insane task to easily control the data flow, retention policy and anything like that.

> "These inaccurate, unsubstantiated and dated claims don’t reflect our commitment to keeping personal information safe. Amazon has comprehensive, long-established privacy and security policies, procedures and technologies in place.

Every company has Policies. Zero companies have Realities which match their policies. This means nothing.

> We regularly audit our services to ensure compliance and have zero tolerance for employees at all levels who do not follow our policies,"

The only people who trust security auditors are people who haven't been through a security audit. Many companies who've been hacked were audited. This means nothing.


While security audits are woefully behind the times, they’re not nothing. They do make companies take security seriously, to an extent. The problem with security is that it’s often not enough, you just need one weak spot to break through.

> Every company has Policies. Zero companies have Realities which match their policies. This means nothing.

Throughout the years I've grown a dislike of company policies.

They feel like a tool designed to discard accountability down the totem pole.

An executive asks an underling to write a policy, he publishes the report with or without a revision or care, and from thereon any and all responsibility regarding a problem is automatically circumscribed to the poor entry-level bastard who was forced to do something remotely related to the policy.


Somehow I am not surprised given all the talk about toxic culture at Amazon from current and past employees.

I personally know a couple ex-Amazon people who thought it was a good place to work and thrived there. Of course, that's not worthy of writing a newspaper article about :-/

I'm not saying it is or it isn't. But ask yourself, which viewpoint sells more newspapers?


They didn't say they read about it.

It’s odd to see security issues at a company revealed by a whistleblower instead of a breach. Usually I’d expect if an insider working in security notices problems, that’s good for their career because it’s their job to find and fix that stuff. Obviously if it doesn’t work that way at Amazon, that’s a huge problem.

Yeah...this speaks to endemic corruption within the company as well as just a completely rotten management.

It is unfortunate but true that with successes come a certain devilish breed of human, as well as encouraging some of the worst behavior in otherwise decent folk. Whenever you get a certain level of money involved you can be sure you are dealing with criminals, two-bit liars, and psychopaths.

Sounds like the mgmt psychos over at Amazon have rediscovered the old red tape as a quick way to keep costs down. Just another reason these big biz need proper regulatory oversight; the psychos will still come, but at least it should get easier to throw them in a cell when they are discovered.


Every time I read articles like these, I get disappointed about the state of the internet.

The only thing you know that is likely to be true is that someone got fired from Amazon, and that's it.

You don't know if they are telling the truth.

You don't know if they were in the right.

You don't know if Amazon was fixing the problem, and they decided to be an asshole and go over their bosses because they felt that not enough was being done.

You don't know if their actions were compromising the business operations.

Etc. and so on.

If you read this and feel like Amazon did something wrong, you are part of the problem. Don't believe anything that isn't backed by clearly cited sources. Which that article clearly lacks. But alas, you clicked and scrolled, so as far as politico.eu is concerned, that's all that you needed to do.


> The only thing you know that is likely to be true is that someone got fired from Amazon.

From the article:

> The warnings about privacy and compliance failures at Amazon come from three former high-level information security employees — one EU-based and two from the U.S.

So 3 employees involved with security and not 1 employee. Also, they were pushed out AFTER alerting about security issues.


> So 3 employees involved with security and not 1 employee. Also, they were pushed out AFTER alerting about security issues.

How much credibility do you put in such testimonies though? Especially if everyone is an "anonymous source", you can basically invent just about anything and publish it and pretend for it to be a genuine article without any fact under the hood.


How much credibility do you put in Amazon's?

Look at it from a heuristic point of view.

A corporation is composed of people who are paid to do a specific job, with an interest in keeping said job by making decisions and doing tasks towards a central goal; a corporation generally behaves vastly more rationally for any given scenario. Furthermore, the particular structure of the corporation which determines the actions directly affects the corporation's survival, where historically poorly structured corporations that end up with scandals tend to last a very short time.

So with Amazon, considering it has survived for quite some time, and additionally with all the optics it has on it from any political entity or person trying to score popular points by being "anti-big-corporation", I'd argue that this decision to fire was likely made after much collaboration with higher-level execs and legal involved, well understanding what the consequences would be, including attention at reviewing their privacy compliance.


This is a really good point and an example of how real investigative journalism is not present in this story.

Was the journalist approached by a co-ordinated group of three former Apple high-level security execs in order for them to Greenwald&Snowden-style inform the public, themselves openly inviting massive career risk (even when "anonymous"), with real skin in the game and thus with real credibility worthy of maybe oh even up to government investigation?

Or did this journalist have a python script that emailed every single public address of all ex-employees of every BigTech corp, looking for responses, robotically fishing out clickbait headlines that harbour the faintest enough outline of what integrity might look like?

Obviously, there's a wide range between these two extremes, including Real Investigative Journalism that oftentimes co-ordinates the investigation itself. But, that is extinct, and since provenance is not established well in the article, my default is, assume the worst, in every case. Yes, literally, bots wrote this article, it means exactly nothing. Fugazi.


Presumably if you trust the reputation of the newspaper or journalist writing the article, you trust the testimony.

Thank you, this is exactly it. And it's not either like anyone should consider a newspaper report the final word on the issue, but there is a reasonable amount of information presented here, and it should warrant an official investigation into Amazon's data practices at the very least.

You get sued, because such claims are business damaging.

Good, because then you can verify your claims in court. Which Amazon will not be able to counter. So they will fear the light. Like their friends, secret services doing their illegal things, but they are protected by "National Security" claims, Amazon not.

That's why I think the claims are not completely bogus; otherwise Amazon would have sued immediately.

Of course they are not bogus.

So you would rather that whistleblowers would only be given attention by media outlets if they are publicly outed alongside the revelations that they usually bring?

Tell me, how well did that go for Edward Snowden and Chelsea Manning?


Edward Snowden wasn’t a whistleblower. He stole US intelligence material as a contractor, leaked it to the press and fled the country to avoid facing criminal charges.

The whistleblowing process is not break the law then claim whistleblower protection. You report wrongdoing to a specific, independent body and are offered protection against retribution.

A better example of the system is the whistleblower on Trump’s first impeachment, who is still protected under law and still can’t have their identity revealed publicly.

Edit: To clarify, this only applies to the federal government. I only bring it up since you named two individuals who were associated with the federal government. With Amazon and other private companies, leaking to the press is effective and encouraged.


Doing something in an illegal way doesn't mean you didn't do the thing. Especially when the thing is exposing illegal activity by the body empowered to enforce law.

There is a difference in whistleblowing the wrongdoing of a person or company and the wrongdoing of the government. In Snowden's case who would have been the independent body and who could have offered protection inside the USA?

Journalists do check the credentials of the people they include in articles like this. They don't just take randos at their word. These people are anonymous to you but not to the journalist. If you simply don't believe the writer that's a totally different issue - but people at major outlets like Politico don't just invent sources and stories out of whole cloth like you suggest.

But they do lie, and sometimes we learn about it and they get fired.

Pyramid of trust:

- cited sources

- anonymous sources

- off the record sources


You're getting downvoted a lot, but these days I too place very little confidence in a story that cites anonymous sources, regardless of whatever supposed gravitas the publication is supposed to carry.

Honest question: where do you place the goalpost with regards to news on corporate malpractice?

If not from whistleblowers, which have a long track record of being persecuted extensively and subjected to very personal and very damaging retaliatory attacks if not for anonymity, then in your eyes what warrants questions?


Erm did you read it?

Several U.S./EU employees saying strikingly similar things, especially regarding certain HR BS which is often employed against employees by way of exploitive control.

Court records are often at least public record, may be sealed but it is trivial to go check this stuff...


The only way to prove it, would be a massive data leak.

The fact there have been no data leaks should tell you more than some anonymous sources.

There is no fact that there is no data leak because it's impossible to prove. If the hackers don't go public to make money from the data you just don't know.

Or they can assuage concerned people with a 3rd-party audit.

So you have to read it with just a little critical thinking.

Is politico.eu a site with a reputation or just someone's uncle's blog? Do they have an incentive here? Have they done hatchet jobs before? Do they do them commonly?

This is a claim about a particular company? Is this kind of claim contrary to that company's historical record? Is it consistent with it?

Are the claims specific? Are they capable of being falsified? Could other people familiar with what has been claimed confirm it somehow? Will the publication and journalist take a reputational hit if it is all false because they've been had?

And do you know something? We always needed to do this. In life when hearing claims verbally at work or wherever. When reading old-school newsprint. When listening to politicians, public servants, experts, academics.

And here we are still assessing sources and looking for argument from evidence.

Now yours:

> "The only thing you know that is likely to be true is that someone got fired from Amazon, and thats it."

Not looking so hot. But that's fine. That's really ok.


Disgruntled employees can be risky. Like Stamos, and the way the NYTimes took Facebook's efforts to tackle abuse in 2019 as evidence of their previous "indifference". If anything you do can be twisted against you, why bother?

I want to see more information about their background. If they've been fired already, they're not going to lose much from going public with this.


Yeah, Amazon is a massive target for hackers, but hasn’t had any particularly bad breaches that I can remember. I’m sure their security/privacy is far from perfect, but it seems to be pretty effective.

FWIW I’ve never worked for Amazon, but I have quite a few friends and former coworkers at AWS. We’ve had discussions about security and privacy, and the general sense I got from them is that Amazon has more of a focus on security and privacy than any tech company they’ve previously worked for.


From OP:

> They also noted that AWS is largely run separately from the rest of the company.

So this maybe isn't surprising. One deals with mere customers, the other with businesses that have money and lawyers. AWS is also newer than Amazon, right?


Yeah good point, it’s certainly possible that Amazon.com and AWS have significantly different security/privacy policies/practice.

They are a juicy target. Their doorknobs are doubtless getting rattled all the time. We haven’t heard anything, but also they have to know they’re breached before they tell anyone. Let’s see what happens over the next couple of years.

What reasons are there to give Amazon benefit of doubt?

What reasons are there to believe that someone who's in the middle of a lawsuit with their former employer will tell the truth? For what I know this "leak" might be part of their strategy to win the lawsuit.

> What reasons are there to believe that someone who's in the middle of a lawsuit (...)

The lawsuit is literally about how Amazon's infosec employees have been fired in retaliation after repeatedly alerting leadership to vulnerabilities.

Also keep in mind that Amazon's spokespersons stated that the allegations were inaccurate and dated, not wrong.


"you are part of the problem"

It's good they are sounding the alarm. For example, Crypto AG had their cryptographer employees continually find security flaws only to have upper management tell them to work on something else, only to find out after 50 years that it was a CIA operation selling backdoored products to nation states.

With nothing being outside the realm of possibility, removing the need for trust should be priority number one.


> Crypto AG had their cryptographer employees continually find security flaws only to have upper management tell them to work on something else

I would be very interested if you could share accounts of this happening.

From the declassified documents I have studied, the Crypto AG "backdoor" consisted of misleading customers that less complex models (with smaller keys) would be suitable for their communications, working with the NSA to word end user documentation in a way that makes it unclear how important specific settings are, and providing technical designs to the NSA for review.

At no point do I believe there was a security flaw that an employee would have found that would have compromised the operation, since it was simply a series of steps that weakened the strength of the encryption from "mathematically impossible" to "requires a purpose built supercomputer." This route provided plausible deniability to everyone involved (remember that other cryptographers also evaluated Crypto AG products and would work to secretly exploit any flaws they found "for the bad guys").

Interestingly before the CIA/BND deal, the French attempted to secretly buy the company and do the exact same thing.


This is a great discussion and not at all my point. I don't care who tried to compromise what, the consumer and along with their data is beholden to multiple masters.

Just in case you did not see this before - there has been a talk about the Crypto AG and some of the background at last year's replacement for the CCCongress: https://media.ccc.de/v/rc3-103955-cryptoleaks

This level of incompetence is bound to come out and so given the lack of any high profile security fails from Amazon, I am inclined to not believe the article. I hope I am right because they have a lot of data, a lot.

> Imagine if a company the size of Amazon had a breach?

Is it hard to imagine? Does it really matter anymore? There are [non-Amazon] breaches every few years with 100m+ records.

It will happen and people will be shocked and outraged and then it will happen again. Wash, rinse, repeat.


"We had an insecure vulnerability that we knew about for five years," the second former U.S.-based employee said. "That's unacceptable. I mean, we knew about it."

In my experience, knowing about a vulnerability and knowing how to fix it are magnitudes of effort apart. Main reason I saw companies avoid fixing vulnerabilities was third party libraries. Third party libraries had switched to a new version of JDK or Node and upgrading production environments carried a lot of risk or would break other libraries. Companies stayed on old versions because they “worked” and eventually were unable to pick up security fixes. It’s one big advantage that startups have over the behemoths.

Upgrading dependencies on products with millions of users without breaking anything is one of the most thrilling and rewarding things I’ve ever done.


"The quality of the controls that Amazon has in place is appalling. We found hundreds of thousands of accounts where the employee is no longer there but they still have system access..."

Yikes. Not exactly confidence-inspiring.
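The "employee is no longer there but still has system access" finding above is the kind of thing a leaver-account audit catches. This is an added example (not code from the thread, the article, or Amazon): it joins a constructed HR roster against a constructed account listing and reports orphaned accounts, accounts used after their owner's departure, and idle accounts. Field names and the 90-day idle threshold are assumptions.

```python
"""Orphaned and idle account audit (added example; data and field names are constructed)."""
from datetime import date, timedelta

# Constructed HR roster: employee id -> status (and end date for leavers).
HR_ROSTER = {
    "e100": {"name": "A. Example", "status": "active"},
    "e101": {"name": "B. Example", "status": "terminated", "end_date": "2020-11-03"},
    "e102": {"name": "C. Example", "status": "active"},
}

# Constructed system account listing, e.g. exported from an IAM or directory service.
SYSTEM_ACCOUNTS = [
    {"account": "a.example", "owner": "e100", "last_login": "2021-02-20"},
    {"account": "b.example", "owner": "e101", "last_login": "2021-01-15"},  # owner has left
    {"account": "c.example", "owner": "e102", "last_login": "2020-06-01"},  # active owner, idle
    {"account": "svc-batch", "owner": "e999", "last_login": "2021-02-24"},  # owner unknown to HR
]

# Fixed "today" so the example is reproducible offline (constructed).
TODAY = date(2021, 2, 25)


def audit_accounts(roster, accounts, today, idle_days=90):
    """Return {account: [reasons]} for accounts that need review.

    - "orphaned": the owner is terminated or not in the HR roster at all
    - "used_after_departure": an orphaned account logged in after the owner's end date
    - "idle": the owner is active but the account has not logged in within idle_days
    """
    findings = {}
    for acct in accounts:
        owner = roster.get(acct["owner"])
        last_login = date.fromisoformat(acct["last_login"])
        if owner is None or owner["status"] != "active":
            reasons = ["orphaned"]
            end_date = owner.get("end_date") if owner else None
            if end_date and last_login > date.fromisoformat(end_date):
                reasons.append("used_after_departure")
            findings[acct["account"]] = reasons
        elif today - last_login > timedelta(days=idle_days):
            findings[acct["account"]] = ["idle"]
    return findings


def run_audit():
    """Run the audit over the constructed sample data."""
    return audit_accounts(HR_ROSTER, SYSTEM_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for name, reasons in run_audit().items():
        print(f"{name}: {', '.join(reasons)}")
```

In practice the roster and account listing would come from the HR system and each identity provider; the join key (here the employee id) is what most organisations lack when they cannot answer "who owns this account".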


> because Amazon has a poor grasp of what data it has, where it is stored and who has access to it.

I see this more and more in companies where microservices have become prevalent but data strategy hasn't kept pace. Data gets decentralized and services end up storing data from other services, leading to duplication and shadow data that is almost impossible to maintain and control. A coherent data strategy is very important but for many companies hasn't been considered until the problem is well established and painful to overcome.

