
Actually looks like she worked for Amazon on S3. So there might have been some insider knowledge. From the complaint below, and by googling her name, you can find her resume.

I won't link it here, but here's a screenshot of a snippet: https://i.imgur.com/NezWVKw.png

I know that reading the actual linked content on HN is verboten, but the Bloomberg story says

"Thompson was previously an Amazon Web Services employee. She last worked at Amazon in 2016, spokesman Grant Milne said. The breach described by Capital One didn’t require insider knowledge, he said."

“Didn’t require” is a very precise way of stating a truth about the vulnerability that was exploited, while neither confirming nor denying whether her role at Amazon was in some way responsible for her discovering the vulnerability.

(If I could query all AWS permissions for publicly exploitable permissions, that would comply, for example.)

The AWS spokesman quoted in the article also explicitly says it wasn't a vulnerability.

Do you consider an access control misconfiguration to be a vulnerability? Does Amazon?

Point stands; they’re being very careful to say that there aren’t any CVEs, but they are also very carefully not saying whether she abused the privileges of her role to identify misconfigurations more rapidly than she could have otherwise.

Detailed knowledge of a system gives you all kinds of knowledge about how to exploit it. You don't need special access if you know X% of users misconfigure feature Y.

It's not about knowing that X% are misconfigured, it's about whether special access or circumstances led to locating them more efficiently than the general public could have.

Special access can make the difference between "locating X% of misconfigured users in a single admin panel query" and "locating X% of misconfigured users by scanning every S3 bucket in existence without being caught".

Or to draw a weak analogy, knowing that a closed-source PRNG algorithm is defective does not necessarily help locate all keys generated by it, but having access to force it to generate numbers for you (or to study its source code) absolutely does help.

The parts about Amazon were added later, after the article was originally published. Maybe they read HN and found her Gitlab account, as was posted below, before this was published. Most of those news sites back referral link lists.

Oh cool I use the same LaTeX template as her for my resume. Mine is blue instead of pink though! https://github.com/posquit0/Awesome-CV

Don’t forget to mention that on your next interview!


I feel modern CV is a little clumsy. Especially how it handles columns. You like this better? The example provided I don't love, but I'm not a designer, it looks good enough I think.

I use it too. I think it looks good enough, definitely better than my last horrible-looking resume. It seems to work well with a bit more text compared to many.

If you put data in the cloud, make sure you encrypt with keys only you have even when they promise all sorts of assurances of oversight and process in addition to “we use AES”.

This right here. Take away any outsider's ability to access things. I also feel AWS and the rest should be able to notify you when files untouched en masse for years are being accessed, and it should set off alarms like crazy. If not acted upon, then it's the issue of whoever got those emails.

You can. It’s CloudWatch. Also, at least put these things in Glacier so you have some time between the download request and when they get the file, to hopefully stop it.
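The alarm described in the two comments above (bulk reads of objects nobody has touched for years), as an added example that is not code from the thread or from AWS. It assumes you already have per-request GetObject events (CloudTrail S3 data events or S3 server access logs would supply them) and each object's LastModified time from a bucket listing; the event and key data here are constructed.

```python
"""Flag a requester that reads many long-dormant S3 objects in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

DORMANT = timedelta(days=2 * 365)  # untouched this long => "dormant" object
THRESHOLD = 3                      # distinct dormant objects per requester per hour

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def dormant_access_alerts(events, last_modified, dormant=DORMANT, threshold=THRESHOLD):
    """Return {requester: sorted dormant keys} for every requester that read at
    least `threshold` distinct dormant objects within some rolling one-hour window.
    events: (timestamp, requester, operation, key); last_modified: key -> timestamp."""
    per_requester = defaultdict(list)  # requester -> [(read time, key)]
    for ts, requester, op, key in events:
        if op != "GetObject" or key not in last_modified:
            continue  # only reads of objects we know the age of
        t = parse(ts)
        if t - parse(last_modified[key]) >= dormant:
            per_requester[requester].append((t, key))
    alerts = {}
    for requester, reads in per_requester.items():
        reads.sort()
        for i, (start, _) in enumerate(reads):  # slide a one-hour window
            window = {k for t, k in reads[i:] if t - start <= timedelta(hours=1)}
            if len(window) >= threshold:
                alerts[requester] = sorted(window)
                break
    return alerts

# Constructed sample data (hypothetical keys and roles, not from the thread).
LAST_MODIFIED = {
    "reports/2014/q1.csv": "2014-04-02T09:00:00Z",
    "reports/2014/q2.csv": "2014-07-01T09:00:00Z",
    "reports/2014/q3.csv": "2014-10-01T09:00:00Z",
    "reports/2014/q4.csv": "2015-01-05T09:00:00Z",
    "reports/2019/q1.csv": "2019-03-20T09:00:00Z",
}
EVENTS = [
    ("2019-03-22T10:00:01Z", "role/web-app", "GetObject", "reports/2019/q1.csv"),
    ("2019-03-22T10:00:05Z", "role/web-app", "GetObject", "reports/2014/q4.csv"),
    ("2019-03-22T10:01:00Z", "role/ec2-migration", "GetObject", "reports/2014/q1.csv"),
    ("2019-03-22T10:01:02Z", "role/ec2-migration", "GetObject", "reports/2014/q2.csv"),
    ("2019-03-22T10:01:03Z", "role/ec2-migration", "GetObject", "reports/2014/q3.csv"),
    ("2019-03-22T10:01:05Z", "role/ec2-migration", "PutObject", "reports/2014/q3.csv"),
    ("2019-03-22T10:01:06Z", "role/ec2-migration", "GetObject", "reports/2014/q4.csv"),
]

if __name__ == "__main__":
    print(dormant_access_alerts(EVENTS, LAST_MODIFIED))
```

A single read of one old object (the web-app role above) stays below the threshold, so the rule fires on the mass-access pattern rather than on ordinary archive lookups.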

If you put data in the cloud...

assume it is no longer private.

As opposed to on your computer connected to the internet?

Pretty much doubt there'd be much insider knowledge, guessing in 2015 a L4(entry) System engineer is going to be pretty much spending 80% of their time building new regions by hand...

Not much really there to learn

Looks well qualified to run the coding bootcamp in her prison.

Only facing up to 5 years apparently. I wonder if that will change over time. Considering her hack is worse than what Aaron Swartz hacked (not PII), I can't believe she only gets 5 years.

> worse than what Aaron Swartz hacked (not PII)

Violation of copyright would appear to be a significantly worse offense according to present US law.

IANAL, but I believe part of the issue is that breaching a hundred million records is one data breach, but exfiltrating a few thousand journals is one infringement per journal.

In point of fact, the prosecutor on Swartz's case (Stephen Heymann) had previously authored an article describing how the Internet age allowed crime to scale, enabling hackers to commit thousands of criminal acts per second. It's my personal belief that Heymann wanted to use Swartz' case as a validation of this belief.

(Source: The Idealist: Aaron Swartz and the Rise of Free Culture on the Internet, ISBN 978-1476767727)

“Up to” limits on sentencing are different from what people actually get. Swartz supposedly would have got 6 months recommended by the prosecutor. https://mashable.com/2013/01/17/aaron-swartz-prosecutor-orti...

That is a lot of buzzwords.

Are Git and SVN really considered IDEs?

Not to anyone even remotely in the industry.

I think the minimum to be considered an IDE is that you need to be able to edit, possibly compile depending on the language, and run/debug from within the same tool. By that loose definition, I've joked my most used "IDE" would be bash. I can edit with vim, compile/link with make/gcc/ld, and debug using gdb or run my bins directly.

I mean it's an integrated development environment in that I can access all of my tools from one centralized location, the bash shell, but certainly not integrated in the sense that I have a GUI that hides the nuances of commands of various tools behind menus and friendlier non-command-line names and making it appear that the half dozen or so tools are a single entity.

I also use Visual Studio for Windows development and I've been switching between VS Code and PyCharm for Python development.

But are git and svn an IDE? No. They are both merely source control management systems.

Are they even considered programs?

Yes, they are programs. They, like most of the truly important software, don't have a UI, but they run nonetheless.

My point was going to be that these are concepts and protocols rather than programs, and that you would use an actual program (eg TortoiseGit) to actually use it.

But then I read your comment and realised in *nix the program is actually called "git". So I concede :-)

Looks like she only worked there until 2016? Or is that just a resume from 3 years ago?

> Looks like she only worked there until 2016? Or is that just a resume from 3 years ago?

The last commit in the Git repository where her resume is located shows this:

    commit 44e40140ab1ccdd47d8b56a8a78fc532d5b3386d
    (HEAD -> master, origin/master, origin/HEAD)
    Author: Paige Thompson <paige********@gmail.com>
    Date:   Thu Jan 10 14:38:02 2019 -0800
        update linkedin address
    diff --git a/cv.pdf b/cv.pdf
    index bf26140..add1ea9 100644
    Binary files a/cv.pdf and b/cv.pdf differ
If we assume this is the only repository she has, then the resume seems to be up to date.

Unlikely. S3 was publicly rebuilt in the wake of the 2017 S3pocalypse.

What does this refer to?

Some S3 eng accidentally dropped a big chunk of the servers that were the s3 equivalent of an hdfs nameserver, ie mapping blob name to location info, as part of an unrelated config change.

While attempting to recover, the s3 team discovered and/or decided the nameserver needed a full restart. That's when they discovered the info in the nameserver had grown so large since the last full restart years previous that it took far longer than expected to restart the nameserver. Right around that point in time my guess is they realized just how shit their morning was going to be. And their afternoon.

Somewhere in there, they realized that their health dashboard depended on s3 working.

Though to be fair, as an aws customer, we -- along with the rest of internet -- were well aware that stuff was badly broken.

I feel terribly for whoever did this, because IIRC, he or she just fat fingered part of a command in a standard playbook, and the config script had no safeguards. I personally took down a company you've heard of in the exact same way; I knocked all pops off the internet because the config script had a hard requirement around certain values that was neither communicated to me nor checked. And I was trying to figure out wtf I did to a system that I was not particularly familiar with while receiving forwarded texts from the CEO about cascading datacenter down alerts.

If you don't mind me asking, what was the punishment for what you did?

Just taking the company dark and being personally embarrassed. There was no punishment, though there was a lot of teasing. Also spending 4-ish weeks cleaning up the mess that was made.

Likely referring to the February 28th, 2017 S3 Service Disruption in the Northern Virginia (US-EAST-1) Region, for which Amazon published a postmortem at https://aws.amazon.com/message/41926/

