Amazon turns up spectacularly late to 'transparency' party, pours a large one Amazon has finally released details of the info snooping governments from around the world demand of the retail and cloudy biz. The company said in a subdued blog post that it would publish a bi-annual information request report. It comes after Amazon – unlike its tech rivals – spent years resisting going public with the data …
"..smallpox spores
...mustard gas
...depleted uranium"
Feh. Smallpox doesn't do spores. I can make my own mustard gas (anyone with access to even a high school chem lab can) and I don't want _depleted_ uranium. Tungsten-carbide handles all my armoured fighting vehicle killing needs nicely, what I want is the Mother of All Improvised Explosive Devices.
The thing with Amazon, for their retail section at any rate, is that there is no need for the security services to ask them for access. Amazon send all order confirmation emails utterly unencrypted. All the spooks need to do is stick a packet reader onto a network somewhere (which they have done already) and Bob's their uncle.
What Trevor said. I should have been clearer that I meant the lack of encryption on the SMTP connection from Amazon's outgoing email server to your email server. I'm not expecting Amazon to pull a Facebook and go all PGP on us. However, I would like them to take some basic steps towards preserving a customer's privacy.
just because it's not required doesn't mean it's not a good idea, even with A(EC)DH or self-signed certs
Hmm. That would protect it against "casual" intercept (if there is such a thing), but not against any Man in the Middle attack (you have no way of checking other than by prior arrangement that the cert you see is genuinely that of the receiving MTA) so it can be argued that the gain may not be as great, and people may end up with a false sense of security. Interesting challenge.
220 mail.example.org ESMTP service ready
EHLO myserver.fuckoffNSA.com
250-myserver.fuckoffNSA.com knows encryption won't actually stop the NSA
250 STARTTLS
STARTTLS
220 Go ahead
That sends me back to the last Access All Areas hacker conference in London a while back where I watched a 13 year old girl email a friend, straight from a Linux telnet prompt. Or slightly later when I asked my guys to recompile sendmail to mask the version number.
Ahh security by obscurity... no wonder you're posting as AC
LOL, nice assumption, but wrong. It was what happens when government appointed white hat hackers are grasping at straws to show they have done an audit when you have sewn up everything so tight they couldn't find anything else to write about - they start talking about version numbers :).
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
