Thursday, September 12, 2019

Inside Job: Amazon.com Employee Stole Credit Data of 106 Million

Amazon.com is rotten to its core. This latest case of "employee gone bad" (https://heavy.com/news/2019/07/paige-adele-thompson/) is yet another example of the widespread patterns of misbehavior, misconduct and mismanagement by Amazon.com employees that have been ongoing for the better part of two decades. From alleged money laundering to racketeering to computer fraud, the culture of misconduct and malfeasance starts at the top with the win-at-any-cost disruptor model espoused by Amazon.com executives. A few examples for reference:

Misconduct stemming from office of the CEO: In 2013, dozens of Amazon.com employees and the CEO's own wife were caught flooding Brad Stone's book, The Everything Store, with unfavorable reviews to keep the book from damaging the reputation of Amazon.com and its CEO. (http://readindies.blogspot.com/2016/08/amazons-blackened-soul.html)

Misconduct organized and ordered by executives: In 2018, at least 50 Amazon employees were caught creating fake accounts on Ebay and accused of multiple federal crimes, including criminal conspiracy, fraud and racketeering. (http://robertstanek.blogspot.com/2019/08/amazon-employees-caught-creating-fake-accounts.html)

Misconduct organized and ordered by executives: In 2019, Amazon.com was caught in a highly unethical and likely criminal pay-for-praise scheme involving several hundred employees. (http://robertstanek.blogspot.com/2019/08/amazon-caught-in-pay-for-praise-scheme.html)

Although the SEC, FTC and DOJ are all circling Amazon.com with possible intent to act, the federal crimes, misdeeds and abuses of Amazon.com executives and employees have so far carried on with impunity—more likely due to the deep (dare I say, cozy) relationships Amazon.com has with the Justice Department, U.S. Intelligence and hundreds of other government agencies than a lack of evidence. However, with the deepest secrets of our government, including the Sensitive, Secret and Top Secret information of the Justice Department (https://aws.amazon.com/stateandlocal/justice-and-public-safety/), U.S. Intelligence (https://aws.amazon.com/federal/us-intelligence-community/) and more (https://aws.amazon.com/government-education/defense/), hosted on Amazon’s cloud servers, this latest case of "employee gone bad" is likely too hard to overlook.

To wit, the Amazon.com employee involved in the theft of the credit data of over 100 million people did so by using the knowledge gained working in Amazon’s Web Services division as a software engineer to hack into the data Capital One stored on Amazon’s servers. This data was stored in the Amazon Simple Storage Service, also referred to as Amazon S3, which is a service offered by Amazon Web Services to supposedly securely store the data of thousands of companies. Care to guess where many of the deepest secrets of the Justice Department, U.S. Intelligence and hundreds of other U.S. agencies are stored? Yep, Amazon S3.

While Capital One, like Amazon.com, largely downplayed the extent of the damage done in the data breach, the estimated dollar cost of the damages, as stated by Capital One itself, is telling: $100 to $150 million in damages (https://www.inc.com/minda-zetlin/paige-thompson-capital-one-hack-former-amazon-engineer-social-security-numbers.html). Most troubling about all this? The (technically "former") Amazon.com employee involved used knowledge and skills gained from 2015 – 2016 to hack the Capital One data stored on Amazon’s S3 servers in 2019. This was an inside job. Amazon Web Services tactics, techniques and security surely should have changed considerably in 3 years—however, clearly they had not. Sort of like the lengthy Amazon Web Services S3 outage on February 28, 2017 that was so bad Amazon couldn’t even get into its own servers to warn anyone—a problem that occurred because of gross mismanagement involving Amazon Web Services procedures and tactics. Other examples of gross mismanagement? How about:

* the days-long outage in April 2011 that Amazon didn’t make a public statement about for a week,

* the infamous Friday the 13th outage of September 2013 that left regional customers without service for several hours due to a simple load balancing misconfiguration,

* the lengthy Amazon Web Services S3 outage in November 2014 because of the failure of the AWS CloudFront DNS server,

* or the 10-hour outage in June 2016 due to stormy weather that hit numerous prime websites and businesses.

As I stated previously, the culture of misconduct and malfeasance starts at the top of the company while the patterns of misbehavior, misconduct and mismanagement extend throughout the entire organization. More examples of mismanagement and failure of Amazon Web Services:

2017 - https://www.datacenterknowledge.com/archives/2017/03/02/aws-outage-that-broke-the-internet-caused-by-mistyped-command

2017 - https://www.datacenterknowledge.com/uptime/equinix-power-outage-one-reason-behind-aws-cloud-disruption

2015 - https://www.datacenterknowledge.com/archives/2015/09/24/heres-what-caused-sundays-amazon-cloud-outage

2015 - https://www.datacenterknowledge.com/archives/2015/09/21/amazon-data-center-outage-affects-netflix-heroku-others

2013 - https://www.datacenterknowledge.com/archives/2013/09/13/network-issues-cause-amazon-cloud-outage

2012 - https://www.datacenterknowledge.com/archives/2012/10/27/cascading-failures-caused-amazon-outage

2012 - https://www.datacenterknowledge.com/archives/2012/07/03/multiple-generator-failures-caused-amazon-outage

2012 - https://www.datacenterknowledge.com/archives/2012/06/30/amazon-data-center-loses-power-during-storm

2012 - https://www.datacenterknowledge.com/archives/2012/06/29/another-outage-amazon-cloud

2011 - https://www.datacenterknowledge.com/archives/2011/08/15/amazon-provides-more-details-on-dublin-outage

2011 - https://www.datacenterknowledge.com/archives/2011/04/29/amazon-networking-error-caused-cloud-outage

2011 - https://www.datacenterknowledge.com/archives/2011/04/21/major-amazon-outage-ripples-across-web

2010 - https://www.datacenterknowledge.com/archives/2010/12/13/amazon-hardware-failures-caused-outage

2009 - https://www.datacenterknowledge.com/archives/2009/07/19/outage-for-amazon-web-services

With this much going wrong and the regulatory hammer looming, is there any wonder why there is an outflow of executives, including Zumwalt, Blackburn, Wilson, Jain, and Chew for starters? In his new book, Talking to Strangers, Malcolm Gladwell talks about Harry Markopolos, the guy who gift-wrapped and delivered the Bernie Madoff Ponzi scheme to the SEC. Much like the case of Amazon.com, federal regulators spent years ignoring Markopolos and what was plain to see before their eyes. They couldn’t be bothered to conduct a thorough and proper investigation. Like Harry Markopolos told Malcolm Gladwell: "the truth is in the math"; "people have too much faith in large organizations"; "the emperor has no clothes".

The truth of Amazon.com is in the math too—in the patterns of misconduct and malfeasance that start at the top of the company. Indeed, the emperor has no clothes, and that’s something I have said before as well.

Circling back, bottom line, this person worked for Amazon S3 as a software engineer, subsequently hacked Amazon S3 and did so using intimate first-hand knowledge gained while employed at Amazon S3. This intimate first-hand knowledge included information about possible vulnerabilities, how those vulnerabilities potentially could be exploited and exactly how Amazon S3 worked. As a former Amazon S3 software engineer, this person knew exactly what to do and where to go once she got into Amazon S3. So let's call this hack what it was: An inside job. If Amazon.com were a bank and a former teller knew the contents of the bank vault and then robbed safety deposit boxes 7, 17 and 73 of their contents, everyone would call this what it was: an inside job. Well, that’s exactly what happened. This was an inside job. This former employee knew exactly the vulnerabilities to look for, how they could be exploited and which deposit boxes to steal—and she learned it all while working at Amazon S3.

Thanks for reading, I’m William Robert Stanek, Microsoft’s #1 author for nearly 20 years, and author of over 250 top-selling books.

--

Addendum: Interesting comments earlier on Facebook and in private regarding said employee's role at Amazon.

As explained in the article, this person was employed by Amazon as a software engineer for S3 from 2015-2016. The Capital One data was stolen from Amazon's S3 servers in 2019. This was done using insider knowledge and tactics gained while working for Amazon. Amazon and Capital One both have underplayed how damaging this whole thing was... though Capital One admits this is likely to cause the company $100 - $150 million in damages.


P.S. This case gets curiouser and curiouser when you dig below the surface. Basically, the "employee" did the crime then gift-wrapped herself for authorities by not only giving them a trail of breadcrumbs to follow but copping to the crime on social media. This ensured quick arrest and abrupt ends to certain internal investigations (and primarily at Amazon.com). Inquiring minds might want to hazard a few guesses why. Two obvious questions for starters: What else might have been uncovered with continued, deep investigation? Who else might have been uncovered? I’m sure the curious can discern others.

Monday, September 2, 2019

Amazon Reviews: Broken System

Between 1 in 3 and 2 in 3 product reviews on Amazon.com are fake. They are bought and paid for. They are written by friends and family. They are swapped and traded on Facebook. They are incentivized from readers. Talking about this problem as I have for nearly 2 decades now has made me the repeat target of the thousands who make their living writing reviews, the millions of sellers who benefit from the fake praise and the dozens of Amazon employees working the system for personal and/or professional benefit.

Having reported problems with reviews to Amazon hundreds of times over decades and received repeated, direct retaliation from Amazon employees for doing so, I learned the hard way about the active involvement of Amazon employees in Amazon’s own marketplace, whether to ensure the success of themselves, family or associates or simply to ensure the failure of particular targets. This occurred repeatedly despite state and federal laws protecting those who report criminal activity, corporate malfeasance and other corporate wrongdoings from retaliation by those they are reporting.

Letters and emails to Amazon executives were answered with retaliation, as were letters and emails written to Amazon’s own legal team. This occurred because of the hundreds of billions of dollars of commerce that flow through Amazon annually. This occurred because those who rock the boat are targeted and thrown overboard. This occurred because of Amazon’s deep ties with local, state and federal government. This occurred because Amazon's executives buy entire newsrooms. This occurred because the truth could utterly destroy Amazon's marketplace dominance.

With control within the government and within the media, Amazon knows it has little to fear. Maybe a decade or so from now they’ll get a fine with a slap on the wrist despite ongoing, widespread corruption and corporate malfeasance. How quaint of them to recently throw their hands up in the air and declare they can no longer guarantee their marketplace. Meanwhile their own employees have steered billions in sales from one direction into another, harmed the sales of this product to ensure the success of that and more. Meanwhile Amazon employees have enriched themselves, their families, their friends, their associates. Meanwhile their executives have become billionaires by ensuring not even the truth affects the flow of commerce across their server engines.

If you know me, you know I’ve written many times about this problem, this widespread corruption. You know Amazon has targeted my books repeatedly because I’ve spoken out, because I’ve complained about my books being bombarded with unfavorable reviews by unscrupulous competitors, because I’ve let others know that Amazon itself was part of the problem. Speaking out about this problem has cost me millions of sales and tens of millions in earnings—and yet I will continue to speak out. I will not be silenced by Amazon’s continued heavy-handed retaliation or the criminal actions of its employees or others.

For those who don’t know me, please do take the time to read the numerous articles I’ve written about this problem. You’ll find the articles here at LinkedIn, in my personal blogs (http://robertstanek.blogspot.com/ and http://williamstanek.blogspot.com), at Go Indie (http://readindies.blogspot.com/) and on my websites (http://www.williamrstanek.com and http://www.robert-stanek.com/). You’ll find posts about this problem going back to 2003 here @ http://www.robertstanek.com/rsblog.htm. I do of course write as William Stanek, Robert Stanek, William R. Stanek and William Robert Stanek.

Thanks for reading, I’m William Robert Stanek, Microsoft’s #1 author for nearly 20 years, and author of over 250 top-selling books.

