Re: Someone at Amazon fix this NOW

I care about security. Actually, as a security researcher it's my job to care about cybersecurity. I also know that going to the public can help (actually it helped me with Amazon AWS before). I was just unsure if this mailing list was appropriate for it.

On Aug 13, 2017 3:29 PM, Phillip Hallam-Baker <phill@xxxxxxxxxxxxxxx> wrote:
Internet Security is an IETF concern.

Unfortunately, most people in IETF seem to think security is limited to stopping mass surveillance. Confidentiality is a security concern, of course. But it is not the only security concern.

The security concern that most Internet users are concerned about personally is theft. That is the main reason that the WebPKI was designed and built. The primary motive was to prevent theft of credit card numbers. 

I think that everyone working on protocol design should understand the real security concerns. Integrity attacks are almost always more damaging than confidentiality. Hijack BGP and you can invade a country without firing a shot (see the episode in South Ossetia).

The attacks are moving up the stack. But they are still our problem if we want to remain relevant.

What has happened here is that the lower levels of the corporation in question have been hollowed out into a set of rigid processes that are blind to actual facts. It is not the only large corporation that has done that. When that happens, the only way to reboot is to escalate. Since the victim of the crime attempted every escalation process the company offered, it is necessary to go outside those processes.

I also have a process. I begin with a personal contact if I have one. Then I escalate to a public forum where I know there are employees who will ensure the issue gets the appropriate attention and so on.

At this point it is one incident of fraud involving $1,500. But left unaddressed it will be a few thousand within months. The template for the attack is public now. I read the article and thought, how do we stop this, the criminals will be reading it and asking how they can apply it. And they won't just be targeting Amazon.


On Sun, Aug 13, 2017 at 3:27 AM, Matthias Merkel <moritz30@xxxxxxxxxxx> wrote:
Well. This is nothing good but what does the IETF have to do with it?


---- On Sun, 13 Aug 2017 05:54:17 +0200 phill@xxxxxxxxxxxxxxx wrote ----



You have two problems:

1) Your complaints department is not reading the emails sent.

2) Your customers are being defrauded by someone who understands your system.

Not good. 
