Category Archives: Amazon Hacks

Hachette, Fire Phone, Site Cleanup

Louis Christophe François Hachette

The dustup between Amazon and Hachette continues, with both sides accusing the other of bad faith. Amazon recently launched a propaganda website accusing Hachette of illegal collusion, among other things. On that website, Amazon encouraged readers to email Hachette CEO Michael Pietsch, with some suggested topics to include in said emails.

Mr. Pietsch has responded with a denial of all of Amazon’s accusations, playing catch-up in the out-of-court PR game.

…the net result of which is that nobody really cares much. Amazon appears to me to have the better PR team in the game. I predict, for better or worse, that Amazon will prevail.


The Fire Phone, announced with much fanfare, was heralded by some to be just another intrusion on your privacy. Interestingly, the Fire Phone may not be doing all that well. In my opinion, that doesn’t really matter much in the long run. Jeff Bezos has a long history of marketing mistakes, but also a long history of quickly analyzing and fixing those mistakes, and coming back even stronger. He is a master of “fail fast and often.”

Meanwhile, the famous Amazon PR machine is cranking out tales of exclusive offers and enthusiastic developer acceptance of the Fire Phone.

I have been doing some cleanup and “hardening” on this site, in response to a script-kiddie attack. The attack is a massive, distributed attack, probably from hundreds, if not thousands, of different botnets (although a few of the attackers appear to be a bit more sophisticated than the typical script-kiddie). The nature of most of the attacks at this point is a series of brute-force login attempts. Amazopia is not the only target of these attacks; it appears to be an Internet-wide attack on all WordPress sites. Even though I have taken numerous steps to protect Amazopia against this sort of attack, and it is not likely that brute-forced login attempts will succeed (I hope!), I have still seen occasions when the attacks have come so fast and furious that they amount to a DDoS attack, and significantly impact the performance of this site.

To counter this, I have disabled the ability to even get to the Amazopia.com login screen, which means new subscriber wannabes can’t register. I don’t think that is a great loss, because Amazopia gets very few comments despite hundreds of new subscriber registrations every week (only subscribers can leave comments — up until I restricted that, I was getting so many spam comments every day that I was spending way too much time moderating). I strongly suspect that the vast majority of subscriber registrations are actually splog-bots looking for weaknesses in the site. If you want to track Amazopia, you can use our RSS feed, and if you really want a subscriber account here, you can request one through our contact page.
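As an added example (not code from Amazopia or this post), here is a small Python detector that reads Apache access-log lines and flags both the per-IP brute-force bursts and the site-wide login flood described above; the log entries are constructed samples, and the script assumes stock WordPress behaviour, where a failed POST to wp-login.php re-renders the form with status 200 while a successful one redirects with 302.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access-log format; the regex captures only the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample entries (not real Amazopia logs): one rapid-fire attacker,
# one legitimate user who mistypes once then logs in (302), and one feed reader.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2014:13:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.5 - - [10/Apr/2014:13:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.5 - - [10/Apr/2014:13:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.5 - - [10/Apr/2014:13:02:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.5 - - [10/Apr/2014:13:02:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
198.51.100.7 - - [10/Apr/2014:13:02:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
198.51.100.7 - - [10/Apr/2014:13:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [10/Apr/2014:13:06:10 +0000] "GET /feed/ HTTP/1.1" 200 9100
"""

def failed_logins(log_text, path="/wp-login.php"):
    """Return {ip: sorted timestamps} of failed login POSTs (status 200 on the login form)."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != path or m["status"] != "200":
            continue
        attempts[m["ip"]].append(datetime.strptime(m["ts"], TS_FMT))
    return {ip: sorted(ts) for ip, ts in attempts.items()}

def max_in_window(times, window_s):
    """Largest number of events falling inside any window_s-second span (two-pointer sweep)."""
    best = lo = 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def brute_force_sources(log_text, window_s=60, threshold=5):
    """IPs whose failed-login burst reaches the threshold within one window."""
    return {ip: n for ip, ts in failed_logins(log_text).items()
            if (n := max_in_window(ts, window_s)) >= threshold}

def site_wide_rate(log_text, window_s=60):
    """(busiest-window failed-login count, distinct source IPs): the DDoS-like signal a
    distributed botnet produces even when no single IP trips the per-IP threshold."""
    per_ip = failed_logins(log_text)
    return max_in_window(sorted(t for ts in per_ip.values() for t in ts), window_s), len(per_ip)
```

The per-IP view is what a login-blocking plugin acts on; the site-wide view is what tells you the flood is big enough to hurt performance regardless of whether any password falls.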

Your Heart Might be Bleeding…


Two days ago (as of the time I’m writing this), a very serious bug in the OpenSSL system was discovered independently by two researchers, both of whom reported it immediately. For details of how all that came about, you can probably find all of the sordid details in Wikipedia by now.

Why am I writing about this? Because there is a high probability that you have been affected by this bug. I don’t know if Amazon ever used any of the buggy versions of OpenSSL, since they aren’t saying one way or the other. If they have, I would bet money they have already fixed that by the time you are reading this.

Ironically, since I don’t use the HTTPS encryption protocol on this site, Amazopia has probably not been compromised, although I don’t know that for sure (I have a support ticket open with my hosting provider asking about that). Not that a cybercrook would find anything valuable enough here to be interesting anyway. But if you have logged into any site in the last year that does use HTTPS (your bank, Amazon, PayPal, and a few thousand others), you may have already given up everything needed to execute a successful identity theft and clean out everything you own.

Especially if you are among the 90% (or more) of folks who use the SAME PASSWORD on every account you have. I’m not going to ask — you know who you are.

I’m getting dozens of emails assuring me that such-and-such organization has carefully checked their systems and found no evidence of compromise. You probably are, too.

The problem is, the Heartbleed bug allows a cybercrook to compromise a system without leaving ANY EVIDENCE!! And the problem has been out there for about a year, during which time it has been installed on more than 60% of all webservers. Which means that all those folks trying to reassure you that your data is safe with them are either utterly clueless, or lying. This is potentially the most serious bug ever to hit the internet.

The upside of all this, if there is one, is that there are a lot of bad guys out there who use OpenSSL. Hopefully, all of them have been pwned by now. Cybercrime may actually decrease for a spell, while the cybercrooks scramble in a panic to re-secure their own stuff. And spend some time sweating profusely over it.

Meanwhile, what can you do to protect yourself? Unfortunately, not much. And the little you can do is going to be tedious. Mostly, you just have to wait for the folks you do business with to patch their systems. Here are my suggestions:

  1. Get LastPass (or a similar service — there are several, but LastPass is the one I use)
  2. Use it to change the password on every account you access on the internet to a unique, strong one. Yes, ALL of them.

Do it now. Then do it again for each site from which you get a “reassuring” email.


Edit: I just got the reply to my support ticket. My hosting provider installed the patch that fixed the Heartbleed bug yesterday.

Mighty Amazon – Hacked?


Yesterday, around 3pm EDT, the Amazon website started having “technical difficulties.” Since my wife is an FBA seller, she noticed almost immediately that the seller portal was unresponsive. I didn’t notice the outage myself, since I was on a client project at the time. Plus, I managed to buy a bunch of stuff earlier in the day with no problem. It’s not yet clear what the problem was, but there is some speculation that the site was hacked. The reports of the duration of the outage were equally contradictory, varying from 15 minutes to “nearly an hour.” (Note from Mrs. Amazopia: I find it amusing that the seller side of Amazon was down for a good ten hours one day last week, but since the buyer side was working, no panic ensued – at least among the general populace. It was a bit of a different story with the third-party sellers!)

Just to be on the safe side, I changed my Amazon password, and so should you. I will be watching carefully for information about whether any of my financial information has been compromised. If the site really was hacked, I expect that will be reported directly by Amazon.

Reports about the amount of money Amazon lost were varied. One report was that the loss was about $5 million. (Another note from Mrs. Amazopia: These loss estimates are ridiculous. When a person is intent on buying something on Amazon.com, and Amazon.com isn’t working, does he immediately run somewhere else – even online – to buy it? Nope, he waits until Amazon.com comes back up and he goes and buys his stuff. I am sure there are some services for which Amazon lost income, but most buying just continued as usual after Amazon.com came back online.) There were some other folks who guesstimated the cost to Amazon of this outage, and came up with… about enough money to buy the Washington Post (which, strangely enough, was “hacked” itself a few days ago).

The news about the sale of WaPo to Jeff Bezos practically lit up the Internet last week. There again, most of the “news” was inaccurate, since the sale has not actually happened yet, but is scheduled to close sometime in the next few months. That story was also muddled from a political angle, with Liberals either rejoicing that WaPo had found a “saviour” or lamenting that the new owner might just shutter the place, and Conservatives predicting that WaPo’s financial death spiral would accelerate as a result of the acquisition. Yesterday, there was an article published in WaPo by a retired Washington Post employee named Allan Sloan who was whining about the fact that Jeff Bezos would not respond to his requests to clarify his political leanings, and therefore might be a *gasp* closet Libertarian. I find the fact that Mr. Bezos spent a bit less than 1% of his net worth to play with the dinosaurs amusing, but I think I’ll pass on predicting exactly how that will play out.

Mr. Sloan, maybe the reason that Mr. Bezos didn’t respond to your request for information on his political orientation is because he doesn’t consider that to be any of your business. You can just deal with the market uncertainty of your shares in WaPo the same way the rest of us have to deal with market uncertainty in general.

Photo of Jeff Bezos from WikiMedia Commons