Integrity
recorded on iPhone using the default Safari browser

This is a post about integrity.

A couple of days ago, there was news that Capital One, the credit card company, had been hacked. A former AWS engineer used her knowledge of how AWS works to gain access to one of the AWS roles that Capital One used to store customer data in S3 (Amazon's Simple Storage Service).

Once she gained access to that role, she was able to download scores and scores of customer data files from S3. Accidentally leaving S3 buckets publicly accessible is a common error, so common in fact that the dashboard presents several layers of warnings when a bucket is set to public. It's something that is easy to get wrong if you're careless.

This hack wasn't (apparently) due to one of those common S3 security mistakes that customers still make. It appears to have centered on two pieces: a misconfigured WAF (web application firewall) and the hacker's knowledge of AWS roles.

Holy shit. That really leads into two big questions for me:

Question One

Does this mean that every major account - every big customer data target - is now potentially susceptible to an attack launched by an AWS engineer or an ex-AWS engineer?

Question Two

How in the world does AWS screen for behaviors like this when they’re interviewing?

Amazon is well-known for having a difficult interview process, one that employees describe as "...making you feel like cattle", which is not a great endorsement.

I've gone through that process and got a rejection, though no reason was shared with me. "We don't share feedback", I was told, which is unusual... just that "...I wouldn't be a fit".

Now, I'm 57 years old, weigh 190 lbs, have a Mohawk and dress like a cross between a billionaire and a cage fighter. I speak with the confidence of someone who knows what the fuck he's talking about.

It's potentially intimidating, but... no one has ever questioned my integrity. Ever.

Seeing that the hack - which may also have several more large companies as targets - is alleged to have been committed by an ex-AWS engineer, I really want to know how they could misjudge such an important, fundamental character trait.