Amazon turns up spectacularly late to 'transparency' party, pours a large one

Amazon has finally released details of the info snooping governments from around the world demand of the retail and cloudy biz. The company said in a subdued blog post that it would publish a bi-annual information request report. It comes after Amazon – unlike its tech rivals – spent years resisting going public with the data …

  1. Tromos

    Other people who purchased Anthrax spores were also interested in...

    1. VinceH

      ...anthrax spores.

    2. Anonymous Coward

      ...smallpox spores

      ...mustard gas

      ...depleted uranium

      1. James O'Shea

        "..smallpox spores

        ...mustard gas

        ...depleted uranium"

        Feh. Smallpox doesn't do spores. I can make my own mustard gas (anyone with access to even a high school chem lab can) and I don't want _depleted_ uranium. Tungsten-carbide handles all my armoured fighting vehicle killing needs nicely, what I want is the Mother of All Improvised Explosive Devices.

  2. choleric

    No need

    The thing with Amazon, for their retail section at any rate, is that there is no need for the security services to ask them for access. Amazon send all order confirmation emails utterly unencrypted. All the spooks need to do is stick a packet reader onto a network somewhere (which they have done already) and Bob's their uncle.

    1. Anonymous Coward

      Re: No need

      "Amazon send all order confirmation emails utterly unencrypted."

      You make it sound like they are the only ones not encrypting order confirmations. Who does?

      1. Trevor_Pott Gold badge

        Re: No need

        220 mail.example.org ESMTP service ready

        EHLO myserver.fuckoffNSA.com

        250-myserver.fuckoffNSA.com knows encryption won't actually stop the NSA

        250 STARTTLS

        STARTTLS

        220 Go ahead

        1. choleric

          Re: No need

          What Trevor said. I should have been clearer that I meant the lack of encryption on the SMTP connection from Amazon's outgoing email server to your email server. I'm not expecting Amazon to pull a Facebook and go all PGP on us. However, I would like them to take some basic steps towards preserving a customer's privacy.

          1. Anonymous Coward

            Re: No need

            > I should have been clearer that I meant the lack of encryption on the SMTP connection from Amazon's outgoing email server to your email server

            Yup, but the relevant RFC doesn't actually mandate encryption for MTA to MTA traffic.

            1. Tomato42

              Re: No need

              just because it's not required doesn't mean it's not a good idea, even with A(EC)DH or self-signed certs

              1. Anonymous Coward

                Re: No need

                > just because it's not required doesn't mean it's not a good idea, even with A(EC)DH or self-signed certs

                Hmm. That would protect it against "casual" intercept (if there is such a thing), but not against any Man in the Middle attack (you have no way of checking other than by prior arrangement that the cert you see is genuinely that of the receiving MTA) so it can be argued that the gain may not be as great, and people may end up with a false sense of security. Interesting challenge.
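The trade-off argued in this sub-thread, as an added example that is not part of any poster's comment: a model of what a sending MTA does with a message depending on whether the receiver's EHLO reply advertises STARTTLS and whether the certificate can be verified. The policy names, result labels and the two EHLO replies are constructed for illustration.

```python
# Added example: models a sending MTA's choice; not code from the thread.
# Policy names and result labels are hypothetical; EHLO replies are constructed.

WITH_TLS = "250-mail.example.org greets you\n250-SIZE 10240000\n250 STARTTLS\n"
NO_TLS = "250-mail.example.org greets you\n250 SIZE 10240000\n"  # STARTTLS absent


def ehlo_capabilities(reply):
    """Parse a multi-line EHLO reply: "250-" continues, "250 " is the last line."""
    caps = set()
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError(f"unexpected reply line: {line!r}")
        if i > 0 and rest.strip():  # line 0 is the greeting, not a capability
            caps.add(rest.split()[0].upper())
        if sep == " ":
            break
    return caps


def delivery_decision(reply, policy, cert_verified):
    """Return how the message leaves under "opportunistic" or "enforced" policy."""
    offers_tls = "STARTTLS" in ehlo_capabilities(reply)
    if policy == "opportunistic":  # use TLS when offered, accept any certificate
        if not offers_tls:
            return "plaintext"  # readable by anyone on the path
        return "tls-authenticated" if cert_verified else "tls-unauthenticated"
    if policy == "enforced":  # TLS plus a certificate agreed in advance, or no send
        if offers_tls and cert_verified:
            return "tls-authenticated"
        return "defer"  # queue and retry instead of downgrading
    raise ValueError(f"unknown policy: {policy!r}")


def decision_table():
    """Every combination of reply, policy and certificate check."""
    return {
        (name, policy, ok): delivery_decision(reply, policy, ok)
        for name, reply in (("with_tls", WITH_TLS), ("no_tls", NO_TLS))
        for policy in ("opportunistic", "enforced")
        for ok in (True, False)
    }


if __name__ == "__main__":
    for key, outcome in sorted(decision_table().items()):
        print(key, "->", outcome)
```

Under the opportunistic policy a reply without STARTTLS yields a plaintext delivery, while the enforced policy defers; that gap is the "false sense of security" the last comment describes.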

        2. Anonymous Coward

          Re: No need

          > 220 mail.example.org ESMTP service ready
          >
          > EHLO myserver.fuckoffNSA.com
          >
          > 250-myserver.fuckoffNSA.com knows encryption won't actually stop the NSA
          >
          > 250 STARTTLS
          >
          > STARTTLS
          >
          > 220 Go ahead

          That sends me back to the last Access All Areas hacker conference in London a while back where I watched a 13 year old girl email a friend, straight from a Linux telnet prompt. Or slightly later when I asked my guys to recompile sendmail to mask the version number.

          1. DanDanDan

            Re: No need

            > Or slightly later when I asked my guys to recompile sendmail to mask the version number.

            Ahh security by obscurity... no wonder you're posting as AC

            1. Anonymous Coward

              Re: No need

              > Ahh security by obscurity... no wonder you're posting as AC

              LOL, nice assumption, but wrong. It was what happens when government appointed white hat hackers are grasping at straws to show they have done an audit when you have sewn up everything so tight they couldn't find anything else to write about - they start talking about version numbers :).

              1. DanDanDan

                Re: No need

                Ah... audits. Say no more! Those who can, do. Those who can't audit/train.

  3. Stevie

    Bah!

    Doubleplus one star.


Biting the hand that feeds IT © 1998–2022