Actually looks like she worked for Amazon on S3. So there might have been some insider knowledge. From the complaint below, and googling her name you can find her resume
I know that reading the actual linked content on HN is verboten, but the Bloomberg story says
"Thompson was previously an Amazon Web Services employee. She last worked at Amazon in 2016, spokesman Grant Milne said. The breach described by Capital One didn't require insider knowledge, he said."
“Didn’t require” is a very precise way of stating a truth about the vulnerability that was exploited, while neither confirming nor denying whether her role at Amazon was in some way responsible for her discovering the vulnerability.
(If I could query all AWS permissions for publicly exploitable permissions, that would comply, for example.)
Do you consider an access control misconfiguration to be a vulnerability? Does Amazon?
Point stands; they’re being very careful to say that there aren’t any CVEs, but they are also very carefully not saying whether she abused the privileges of her role to identify misconfigurations more rapidly than she could have otherwise.
Detailed knowledge of a system gives you all kinds of knowledge about how to exploit it. You don't need special access if you know X% of users misconfigure feature Y.
It's not about knowing that X% are misconfigured, it's about whether special access or circumstances led to locating them more efficiently than the general public could have.
Special access can make the difference between "locating X% of misconfigured users in a single admin panel query" and "locating X% of misconfigured users by scanning every S3 bucket in existence without being caught".
Or to draw a weak analogy, knowing that a closed-source PRNG algorithm is defective does not necessarily help locate all keys generated by it, but having access to force it to generate numbers for you (or to study its source code) absolutely does help.
The parts about Amazon were added later, after the article was originally published. Maybe they read HN and found her GitLab account, as was posted below, before this was published. Most of those news sites back referral link lists.
I feel moderncv is a little clumsy, especially in how it handles columns. Do you like this better? I don't love the example provided, but I'm not a designer; it looks good enough, I think.
I use it too. I think it looks good enough, definitely better than my last horrible-looking resume. It seems to work well with a bit more text compared to many.
If you put data in the cloud, make sure you encrypt with keys only you have even when they promise all sorts of assurances of oversight and process in addition to “we use AES”.
This right here. Take away any outsider's ability to access things. I also feel AWS and the rest should be able to notify you when files untouched en masse for years are being accessed, and it should set off alarms like crazy. If not acted upon, then it's the issue of whoever got those emails.
You can. It's CloudWatch. Also, at least put these things in Glacier so you have some time between the download request and when they get the file, to hopefully stop it.
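The detection the two comments above describe (alert when objects nobody has touched for years are suddenly read, especially in bulk) can be expressed as a small rule over CloudTrail S3 data events. The code below is an added example written for this discussion, not code from either commenter or from AWS; the event records, the object inventory, the bucket and role names, and the 365-day/5-minute thresholds are all constructed assumptions. It reads the standard CloudTrail fields (`eventTime`, `eventName`, `userIdentity.arn`, `requestParameters.bucketName`/`key`) and joins them against a last-modified inventory of the bucket.

```python
"""Flag S3 reads of long-dormant objects and bulk reads by one principal.

Added example for this thread, not an AWS tool. The events and inventory are
constructed sample data; field names follow CloudTrail's S3 data-event schema.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed inventory: object key -> last-modified time, as an S3 Inventory
# report or a ListObjects sweep would supply it. Dates are assumptions.
INVENTORY = {
    "archive/2014/applications.csv": datetime(2014, 3, 1, tzinfo=timezone.utc),
    "archive/2015/applications.csv": datetime(2015, 3, 1, tzinfo=timezone.utc),
    "reports/daily.csv": datetime(2019, 7, 28, tzinfo=timezone.utc),
}

# Constructed CloudTrail-style S3 data events, one JSON document per line.
# Account id 111122223333 and the role names are placeholders.
EVENTS = [json.dumps(e) for e in [
    {"eventTime": "2019-07-29T10:00:00Z", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/report-builder"},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/daily.csv"}},
    {"eventTime": "2019-07-29T10:01:00Z", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/web-tier"},
     "requestParameters": {"bucketName": "example-bucket", "key": "archive/2014/applications.csv"}},
    {"eventTime": "2019-07-29T10:01:05Z", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/web-tier"},
     "requestParameters": {"bucketName": "example-bucket", "key": "archive/2015/applications.csv"}},
    {"eventTime": "2019-07-29T10:02:00Z", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/report-builder"},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/daily.csv"}},
]]

READ_OPS = {"GetObject"}  # extend with other read operations as needed


def parse_event(line):
    """Pull the handful of CloudTrail fields the rules below need."""
    e = json.loads(line)
    params = e.get("requestParameters", {})
    return {
        "time": datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "op": e["eventName"],
        "actor": e.get("userIdentity", {}).get("arn", "unknown"),
        "bucket": params.get("bucketName"),
        "key": params.get("key"),
    }


def stale_reads(lines, inventory, dormant_days=365):
    """Return (actor, key, days_dormant) for each read of an object whose
    last modification is at least dormant_days before the read."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev["op"] not in READ_OPS or ev["key"] not in inventory:
            continue
        dormant = (ev["time"] - inventory[ev["key"]]).days
        if dormant >= dormant_days:
            hits.append((ev["actor"], ev["key"], dormant))
    return hits


def bulk_readers(lines, window=timedelta(minutes=5), threshold=2):
    """Return {actor: distinct keys read} for actors that read at least
    `threshold` distinct objects inside any single `window`."""
    per_actor = {}
    for line in lines:
        ev = parse_event(line)
        if ev["op"] in READ_OPS:
            per_actor.setdefault(ev["actor"], []).append((ev["time"], ev["key"]))
    flagged = {}
    for actor, reads in per_actor.items():
        reads.sort()
        for i, (t0, _) in enumerate(reads):
            keys = {k for t, k in reads[i:] if t - t0 <= window}
            if len(keys) >= threshold:
                flagged[actor] = max(flagged.get(actor, 0), len(keys))
    return flagged


if __name__ == "__main__":
    for actor, key, days in stale_reads(EVENTS, INVENTORY):
        print(f"ALERT stale read: {actor} read {key} (untouched {days} days)")
    for actor, n in bulk_readers(EVENTS).items():
        print(f"ALERT bulk read: {actor} read {n} distinct objects in one window")
```

In practice the same rule would live as a CloudWatch Logs metric filter or a Lambda subscribed to the CloudTrail log group, with the inventory refreshed from S3 Inventory; the point of the script is that the signal (reads of objects nobody has modified in years, many of them from one principal in a short span) is cheap to compute from data AWS already records if you turn data events on.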
Pretty much doubt there'd be much insider knowledge; guessing in 2015 an L4 (entry) systems engineer is going to be pretty much spending 80% of their time building new regions by hand...
Only facing up to 5 years, apparently. I wonder if that will change over time. Considering her hack is worse than what Aaron Swartz hacked (not PII), I can't believe she only gets 5 years.
IANAL, but I believe part of the issue is that breaching a hundred million records is one data breach, but exfiltrating a few thousand journals is one infringement per journal.
In point of fact, the prosecutor on Swartz's case (Stephen Heymann) had previously authored an article describing how the Internet age allowed crime to scale, enabling hackers to commit thousands of criminal acts per second. It's my personal belief that Heymann wanted to use Swartz's case as a validation of this belief.
(Source: The Idealist: Aaron Swartz and the Rise of Free Culture on the Internet, ISBN 978-1476767727)
I think the minimum to be considered an IDE is that you need to be able to edit, possibly compile depending on the language, and run/debug from within the same tool. By that loose definition, I've joked my most used "IDE" would be bash. I can edit with vim, compile/link with make/gcc/ld, and debug using gdb or run my bins directly.
I mean it's an integrated development environment in that I can access all of my tools from one centralized location, the bash shell, but certainly not integrated in the sense that I have a GUI that hides the nuances of commands of various tools behind menus and friendlier non-command-line names and making it appear that the half dozen or so tools are a single entity.
I also use Visual Studio for Windows development and I've been switching between VS Code and PyCharm for Python development.
But are git and svn an IDE? No. They are both merely source control management systems.
My point was going to be that these are concepts and protocols rather than programs, and that you would use an actual program (eg TortoiseGit) to actually use it.
But then I read your comment and realised in *nix the program is actually called "git". So I concede :-)
Some S3 eng accidentally dropped a big chunk of the servers that were the S3 equivalent of an HDFS nameserver, i.e. mapping blob name to location info, as part of an unrelated config change.
While attempting to recover, the s3 team discovered and/or decided the nameserver needed a full restart. That's when they discovered the info in the nameserver had grown so large since the last full restart years previous that it took far longer than expected to restart the nameserver. Right around that point in time my guess is they realized just how shit their morning was going to be. And their afternoon.
Somewhere in there, they realized that their health dashboard depended on s3 working.
Though to be fair, as an aws customer, we -- along with the rest of internet -- were well aware that stuff was badly broken.
I feel terribly for whoever did this, because IIRC he or she just fat-fingered part of a command in a standard playbook, and the config script had no safeguards. I personally took down a company you've heard of in the exact same way; I knocked all PoPs off the internet because the config script had a hard requirement around certain values that was neither communicated to me nor checked. And I was trying to figure out wtf I did to a system that I was not particularly familiar with while receiving forwarded texts from the CEO about cascading datacenter-down alerts.
Just taking the company dark and being personally embarrassed. There was no punishment, though there was a lot of teasing. Also spending 4-ish weeks cleaning up the mess that was made.
Likely referring to the February 28th, 2017 S3 Service Disruption in the Northern Virginia (US-EAST-1) Region, for which Amazon published a postmortem at https://aws.amazon.com/message/41926/
I won't link it here, but here's a screenshot of a snippet: https://i.imgur.com/NezWVKw.png