Major AWS outage across US-East region breaks half the internet A major outage is affecting Amazon Web Services (AWS), with even Amazon's own web page reported to be offline and dozens of other online services and websites affected, including disruption in the UK. AWS reported an issue to its Health Dashboard at 12:11 AM PDT (7:11 UTC) of increased error rates and latencies for multiple …
There's really no excuse for British companies to be reliant on that region in most cases - yes some services only operate out of us-east-1 but I bet a whole bunch of these are just places where technical teams used the default region because it didn't occur to anybody to change it.
Now, don’t underestimate the abacus. In skilled hands it’s a very sophisticated calculating device. Furthermore it requires no power, can be made with any materials you have to hand, and never goes bing in the middle of an important piece of work.
So an electric one would be particularly pointless...
"There's really no excuse for British companies to be reliant on that region in most cases"
An analysis on the BBC lunchtime news suggested that a technical sub-component (e.g. DNS) based in US-east-1 may be sued by the hosting services based in UK/EU. So the customer is not either directly or knowingly using US-based services at any level.
"a technical sub-component (e.g. DNS) based in US-east-1 may be sued by the hosting services based in UK/EU"
I know that people can be sued for almost any reason in the USA, but suing "DNS", rather than a person/organisation, in the USA seems to be taking things a bit far! lol
Not sure if this is representative (anon obv.) but some software I use seems to connect to US East too eagerly.
Some software I have to use for work (in UK) is from a US company.
If even the slightest issues on AWS UK, it does not sensibly seem to fall back to something "close" e.g. Ireland, or another European AWS zone, instead it invariably ends up on USA East zone.
Once it is on US East (even if issues on that AWS zone) it seems loath to leave (even though UK is set as default AWS zone)
Whether that's a software issue or an AWS issue I do not know
Doubtful. There are so many vestigial links to us-east-1 (being the first AWS region) that you can host whatever you want outside of the region...you're still exposed to internal AWS process and control planes operated there.
Everyone wants distributed cloud and a hyperscaler breakup, yet no-one seems to be willing to pay the tens of billions required. So here we are.
It's worse than British companies being reliant on it, as the GovUK OneLogin system went down. It appears private and personal data is going off-shore! So that'll make all your personal data subject to a DOGE/CIA data grab if they so wish. To me, this is shocking. Why aren't the UK Gov't system on sovereign IT estate. It's not like they don't have the hardware and expertise available. Passing business to Tony Blair's mates I guess.
"Why aren't the UK Gov't system on sovereign IT estate”
That’ll be because there is no sovereign IT estate. And it’s not just ‘build a datacenter or two’ it’s all the infrastructure stack behind it.
Think of it like this, suppose the government were to now work towards and pay for a completely UK-baed system, effectively replicating AWS / Azure infrastructure. However the sheer cost of doing this would require the closure of 25 major hospitals, a 10% reduction in NHS funding and 15% reduction in pension and other benefits - but, possibly, in ten years the UK would be ‘independent’.
Or the tabloid press run with ‘Government spaffs all this money on bespoke UK system, pensioners starve, while a commercial setup is already there and would cost a fraction of the price’. It's a tough call, yes of course, with the wisdom of 20/20 hindsight really should have gone for a homegrown solution a decade or more ago. But we didn’t and neither did anyone else.
Why would they?
No this incident doesn’t necessarily mean that private data is being shipped offshore (well maybe it is but that’s another matter), what it does mean is that AWS is not quite as resilient as you might think or hope.
Anyone who reads the 'On-Call’, or ‘Who Me’ sections of here will be aware of the dangers inherent of the mysterious legacy ‘box’ in the corner which everyone is afraid to touch!
The UK government had more than enough datacentres to build out its own cloud prior to 2012, but through the buy-not-build mindset throw money at the US cloud providers rather than grow UK capability.
That is a lot of money that mostly exits the UK domestic economy, leaving the government unable to pay pensioners...
Yes hindsight is telling us the Tories didn't really have a clue as to how to run a country, not saying Labour are going to be any better and to do a fair comparison we really need to have them in office for the vast majority of the next 45 years...
However, with the Whitehouse demonstrating it will resort to extortion, a government that wishes to remain "sovereign" is going to have to bite the bullet...
the problem is - as i understand it that the issue isn't nessicarily that people designed stuff in the way that meant they where reliant on US-EAST-1, what happened is they are reliant on a service in their local region i.e London, but it's services (probably unbeknown to them) are reliant on US-EAST-1, dynamodb global tables and also IAM are two key that are reliant on it.
The other thing is US-EAST-1 used to be critical for AWS for billing, so that will likely mean lots of services have a reliance on that.....
In a nutshell, most people will have followed AWS best practice and ensured that their platform could handle the failure of a zone/region etc, but Amazon haven't ensured that their regions be able to stand up to the failure of US-EAST-1.
I think that that statement is a little unclear. It may mean that for some types of data being stored in European regions, Amazon has a choice of either breaking US law, or breaking the law in whichever the region the data is being held in.
I'm pretty sure that I know which would win, but if, for example, large amounts of personal data as defined by GDPR-UK relating to UK individuals deliberately being located within, say, EU-WEST-2 (as I've been told is the main UK region) was being demanded by US agencies, this may trigger a diplomatic spat between the UK government and the US, with Amazon being caught in the middle. In theory, making a decision either way could cause serious fallout and fines for Amazon.
Of course, the US laws demanding that data should be handed over almost certainly contain a gag order, to prevent the company hosting the data from letting anyone in the UK (or anywhere else) know it has happened.
After the passing of the US Cloud Act, every government outside of the US should have done a risk review of their cloud usage. Did they? I doubt it.
Since that act was passed, the only sensible option for governments other than the US was to stop using US owned cloud services.
I am not an AWS architect, but it came as a bit of a shock to me that even though you opt to keep data and processing local to a region in your geopolitical domain, that US-EAST-1 could be s SPOF. That alone would make me think twice about even using AWS as a service, but that is my opinion, and I'm not in any way able to influence any decisions over this. Would this also affect local AWS private instances where you're using Amazon services to maintain local resources? (Please bear with me, I'm not that AWS knowledgeable).
OK. You've encrypted it. How do you process it in the Cloud without storing the keys in the Cloud?
You can decrypt it locally as you bring it down for local processing, but if you use it in the Cloud, Cloud based processes need to decrypt it, and if the keys are in the Cloud, they're just as vulnerable to being snaffled by the US as the data they're trying to protect!
I've never understood the argument of encryption being the solution. Maybe someone can enlighten me as to what I've missed.
Never use the "server side encryption" (SSE) function of things like S3 because they are totally dependent on the Cloud Service Provider's (CSPs) tooling and the data is processed unencrypted on the CSP infrastructure. I made it a hard requirement for storing sensitive data in the cloud; S3 SSE was necessary for all class of data, but insufficient for sensitive data.
For that we also use "client side encryption".
In this, the keys need not be stored "in the clear"; they can be stored in HSMs (even on-prem HSMs), and pulled into compute memory for use in encryption/decryption. Good software even fragments that key throughout memory so it's not contiguous and need not even be in the same locations during an execution.
Is this impossible to break? No, but it would require the CSP to take a memory snapshot of your machine and then try to find where the fragments exist and reconstruct the key. Or perhaps try and find the credentials to the HSM and spoof network traffic with the necessary identity to get the HSM to release the keys.
This is an active attack and a LOT different to the CSP handing over of keys they possess to the authorities.
What you have described is a hardware key store.
A HSM doesn't just store keys to be brought in to memory, the keys should never leave HSM* and the HSM does all the encryption and decryption.
* Except when they are exported, encrypted by a HSM key, for importing to another HSM.
If you were to be storing the keys in an HSM, you would require to always process your data on the systems with such a primed HSM. As I understand it, this completely negates the flexibility that Cloud provide. No scaling beyond the systems with the keys in the HSM, no moving regions.
If you give a facility to move the keys around, then the keys could be stolen through the same route, and if the keys are in locked keystores, the key for the keystore also has to be available.
If you want automated processing in the cloud, the cloud has to have some way of accessing the data.
If you have any doubt about what amazon would do, simply look at the latest king don temper tantrum with Zelenskyy. He didn't do exactly what don wanted, so the response was predictable. Cut up Ukraine into pieces. Imagine what would happen to Bezos if amazon did not comply with a trumper order. Its pretty clear, the us is now a dicktatorship.
So...you're not wrong, but there's some nuance to this. You can store all your PII or whatever data entirely outside of the impacted region, in this case us-east-1, and still be impacted by an outage.
Why? Because this isn't an issue with where data is held, it's an issue with services (assuming EC2 based on the latest updates) AWS uses *internally* to power a crapton of other services. Losing access to the metadata store in DynamoDB, which seems to be something either that happened simultaneously or was a big cascading fault from the EC2 issue, causes problems across all regions because that's where AWS stores information about state and configuration for its services, as I understand it.
AWS has been on a regionalising spree recently which has mitigated some of these issues, but there are still some key services powered by critical infra in us-east-1 (like Lambda, to give another example) which could logically lead to what looks to be a SPOF issue. Clearly there is tight coupling for some services in us-east-1 which AWS should have addressed yesterday (or maybe 5 years ago).
If you're wondering where your car is, don't worry, you'll get it back next month.
In the UK, that's actually not stealing. The criminal offence of Theft is defined as taking property with the intent to permanently deprive the owner of it.
This made it functionally impossible to prosecute car thieves/joyriders because they could always say they just fancied a razz in that natty GTi and were going to take it back afterwards. Honest! The intent therefore couldn't be proved.
As a result, we have a specific offence of "Taking without the owner's consent" (TWOC) for cars to cover theft and/or joyriding.
Of course, removing a book from a bookshop without payment is theft. It's up to the bookshop whether they wish to allow refunds on a once-read book. The "refund an unread ebook" dodge on Kindle is iffy, since the marginal cost to Amazon of delivering that eBook is basically zero. It's more along the lines of fraud than theft - obtaining goods or services by deception.
It's morally wrong, though I have no sympathy for Amazon. I'd be more concerned whether the author still gets their royalty (probably not on a refunded ebook - whereas a theft from a physical bookshop is on the retailer. The publisher & author have had their cut).
..since the marginal cost to Amazon of delivering that eBook is basically zero.
It should be, but it isn't-
https://kdp.amazon.com/en_US/help/topic/G200644210
UK Delivery Costs = £0.10/MB
If you opt for the 70% royalty rate. If you let Amazon keep 65% of your sale price, delivery is then 'free'. But 10p/MB is just a tad extortionate for delivery, especially when they're the publisher, and part of the traditional publishers job is getting books into stores. So should really come out of Amazon's 30%, but that wouldn't have helped Bezos buy a superyacht or three.
I'd be more concerned whether the author still gets their royalty (probably not on a refunded ebook
Nope, refunds are clawed back from royalties. Except of course Amazon keeps the delivery fee. But the strangest part is this-
https://kdp.amazon.com/en_US/help/topic/G201541130
Authors are able to earn a maximum of 3,000 Kindle Edition Normalized Pages (KENP) Read per title per customer. This means that each time your Kindle eBook is borrowed and read, you can receive credit for up to 3,000 pages. We believe this results in an equitable distribution of the KDP Select Global Fund.
For royalties from books enrolled in Kindle Unlimited.. Which gets a bit weird, or interesting because it gives you an idea of how many people actually finished the book. I think some authors try to game KENP with the dreaded 'page turners' where pages might only be a couple of paragraphs.
Perhaps I misunderstand, but isn't DNS at its heart a highly specialized data base lookup and retrieval system? "You give it a name e.g."upyours.com" and it gives you back a set of structured information provided by the operators of upyours.com telling you how to send traffic to upyours.com. While DNS does screw up at times, isn't it more likely in this case that Amazon provided them with a faulty record?
I wonder if they will now start using hosts file like so many did in the past when they were unable to correctly configure their DNS.
I have actually seen environments with scripts or GPO's that updated the hosts files.
Alternately WINS was often used to plaster over DNS holes as well, at least in Windows environments.
A colleague complained he had to actually go round his house and physically turn off lights when he left for work today instead of Alexa doing it as he went out of the door.
He didn't get much sympathy, another colleague asked if he needed a plaster for his overworked finger.
By problems in the US. Hmm.
Time for reminders about "it is just someone else's computer", if it is in another country it's really not under your control (especially when "you" are a branch of government) and it is just hosting, not some specialised ability that isn't available elsewhere.
I strongly suspect this is the case. Some aspect of DynamoDB (directly) or indirectly (other AWS services that use DynamoDB) depends on something in US-East-1.
Much like the Azure Central-US-1 (IIRC) region having a wobble breaks Azure world wide (I should note MS have said they are working to reduce this dependency).
Eliminating all single points of failure in a complex system is hard.
"Eliminating all single points of failure in a complex system is hard.
Yes and no:-)
The real issue is that reliability and the removal of SPOFs etc. is expensive....which is why it hasn't happened yet.
How many times have you architected a properly resilient system, only to find it's been decimated by people counting beans:-)
...in Amazon's basket might result in this omnishambles.
Why are bank websites/services and HMRC even using non-Europe Region AWS?
And why are banks even using AWS for stuff that their sites absolutely need to work?
Does nobody do DR trials and simulations any more?
Just imagine if the UK had Digital ID hosted on AWS.
But it is the same with any Cloud based service, as others keep on pointing out is that it is a server on somebody else’s infrastructure that you have no control over - and no idea what other services it relies on to keep it running.
It only takes one domino somewhere to fall over and the who lot goes down.
So far they have bodged there way to getting back on line fairly quickly - I am still waiting in expectation of the multi-day outage that will come one day. Only then will companies directors/boards get the message that it is a bad idea.
Just imagine a ransomware attack getting into the M$, Google/Amazon/Azure/AWS world, and look at JLR, M&S and how long they took to recover
2 issues beyond there is clearly no internal failover / resilience inside AWS
1, Bean counters do not like the idea of parallel clouds, so having AWS + Azure and being able to fail over = costs
2. From what I have read (so I do not know for sure), making some apps work across multiple cloud providers is not easy/possible *
*see recent story of Us being stuck in Azure
There are those who prefer Glocks, and those who prefer Walthers or Sig Sauers, but I put my trust in my 9 mm Grissini.
New version of spray & pray: Get a Sig P320, throw it, and you're bound to hit someone. But a gentlemans choice might be a Rohrbaugh R9, but I don't know if they're still being made after Remington bought them. Taran seems to be cornering the gucci market, thanks to careful product placement, and I'm sure that in the right hands, a well-dried Grissini could be just as lethal as a pencil.
The snake-oil Cloud sales people say that in the event of a failure of a particular region, you can move your application to another region, pretty seamlessly, especially if you pay for hot-standby and data duplication in another region.
But they sell all the benefits, without detailing the problems and issues. If they don't mention them, they're not lying, are they. And I'll bet that any resilience promises about guaranteed uptime are either fenced to so little damages as to be laughable, or are actually meaningless weasel words that don't guarantee anything meaningful.
Budget is one thing, but we have to do a DR trial every year. Regulated industry and so. And we have to prove that we can hop for more than one day on one leg. Always done over a weekend.
And often we find that some new-fangled system is not redundant and that the problem cannot be solved asap and we have to do a second trial that year.
One year was so "interesting" that manglement announced the reserved date for a third run with the incentive, that the fourth would be over christmas with the group of the third run.
Those are clearly not yours, as those are refusing to operate for no reason.
Should have used FreeCAD and other free replacement software - as that won't ever refuse to stop operating (if you need some certain functionality, you might need to pay a programmer to add it, but it seems that such costs will be less than what AutoDesk charges in the end).
I still think, regardless of my feelings on the competition commission letting it happen, that on prem Vmware is still the best option.
when you factor in shite like this, random outages, random cost rises, random engineers based on india that have been working 80 hour weeks unplugging stuff, VMware & Nutanix are still the way to go with on prem OpenStack too.
Even with with 400%+ rises its cheaper than cloud
I've just opened the Gail's app and got a message about a connection error.
Fortunately the app seems, unusually, to have competent developers because it then gave me a popup saying "anyway, here's your QR code to scan in a shop while this gets sorted out", which is a great deal more intelligent a response than I've had from apps from Boots or Tesco.
"Gail's is just a massively overpriced version of Greggs"
Even Greggs is an overpriced version of Greggs these days: showing my age here, but I remember when I first started buying Greggs cheese and onion pasties they cost around 37p or thereabouts, and when there was a price increase (maybe once a year or something) they went up a penny or two at a time… Yes, inflation and time passes and all that, but they're almost £2 now and seem to jump up in price almost every couple of months… :-(
"The Cloud" is just somebody else's computer / network. If you are making your business rely on the cloud then you should have contingencies when the services go down. Unlike having your own kit you manage you are beholden to the cloud provider as to when they feel like bringing your services back - you're just one of thousands, your business is not a priority.
Unless it's literally 'your' network, it's always someone else's network. Even if it's in the same building as you. And especially if 'your' network relies on talking to 'other' networks to GSD*. Risk vs resilience isn't just a cloud thing. (*Get Sh*t Done).
So why dont AWS do it themselves?
To be clear, this isnt a refutation of cloud as a solution, so all the snarky ' Its just someone else computer' comments merely show ignorance. Its a sign that well architected systems are necessary wherever they're hosted.
No its not ignorance, with on Prem you can physically see, feel and touch ALL the kit as well as being in control of it.
The real challenge will be identifying anything that is dependent on a cloud based service and working out how to get around it when it is not there
The JCB going through your network link is as always one other consideration, although in that case if you are clod based then EVERYTHING will be down.
Anyone have a link to the Downfall parody Hitler rant created for a major Amazon outage maybe 12 to 15 years ago? Those parodies are still as thick as fleas on Youtube and I find three more recent ones specifically for Amazon but not the original I'm thinking of. It would be a highly apt time to bump it back up the ratings.
"Anyone who works for Cisco, HP or Veeam leave the room!" (it's that old)
Unrelated to today's outage, but one of the best Downfall parodies I remember was about ACS:Law who sued file sharers. A detailed article on the business is a good start to fully appreciate the parody:
https://arstechnica.com/tech-policy/2010/09/amounts-to-blackmail-inside-a-p2p-settlement-letter-factory/
Then enjoy the rant video at the end of this article:
https://torrentfreak.com/acslaws-anti-piracy-downfall-sends-hitler-crazy-101004/
...to see if they tested resiliency properly. In most cases, I imagine they'll find they tested what they could and had at some point to rely on the cloud provider's assurances.
There'll be even more people thinking maybe they should take a look at this resiliency plan thing, some time in the future, if they get round to it.
Unfortunately, too many people think it's the inevitable sort of thing that happens from time to time when using computers.
Just like when a whole generation in the 90's / 2000's were led to believe that having to reboot your computer daily was normal.
Just wait until the critical infrastructure gets outdated, and the generation replacing them knows no better, and we have traffic lights breaking, aircraft feeling from the skies, and power stations in emergency shutdown, just because a minimum wage employee in another country typos a DNS update
I would very much like to know why HMRC is doing anything in US-East-1, let alone having enough critical infra there to be vulnerable to a region failure.
The gov.uk AWS sites ought to be in EU-West-2 (London), perhaps with fallbacks in EU-West-1 (Ireland) or other close-partner EU regions likeEU-Central-1 (Frankfurt) if needed.
I would not expect the UK Government to be exfiltrating any more UK data than absolutely necessary (hint: it's not) to the US. And, no, I don't consider Five Eyes an excuse.
Why is it using a 3rd party foreign provider? It's the UK Government, employing millions of people (the NHS alone is 1.3 Million). Surely with that sort of scale it can run it's own datacentres - hell, it could even offer the services to local Councils (perish the thought that they'd think strategically about saving us all a few quid).
It must be my age (and the fact I retired from paid employment several years ago) but ISTR the USP when the internet was being rolled out beyond the military and college networks was that it obviated a SPOF. But then, that was before it became a profit centre for some and “cloud” services were loaded onto a bandwagon. Now AI is being loaded up, I’m just waiting for the wheels to fall off.
And that's how the 'Internet' works today.
What has changed is the definition of said Internet, from the original interconnected network(s), to meaning the applications which rely on the Internet to function. In this case the Internet didn't suffer any issues, however an application which uses the Internet to work did have an issue.
It's down now. (11:00 Eastern.)
I get to be paid to visit El Reg because a certain project can't be accessed. Gee. Did I tell the 'C' bos to NOT set things up in the cloud? Didn't I say so _in writting_? Why, yes I did. I can't wait to see whose fault this is.
That's exactly my point, that which works now without digital ID won't suddenly stop working or degrade if/when Digital ID arrives. The nay sayers that jumped on Kier's "make it easier to access your money" seem to have turned this into it somehow would be harder to access your money without Digital ID (if/whenit exists) - well yes comparatively, but no harder than it would be today.
That's exactly my point, that which works now without digital ID won't suddenly stop working or degrade if/when Digital ID arrives. The nay sayers that jumped on Kier's "make it easier to access your money" seem to have turned this into it somehow would be harder to access your money without Digital ID (if/whenit exists) - well yes comparatively, but no harder than it would be today.
I don't have any problems with accessing my money right now, so I fail to see how an extra layer of Digital IDiocy will make that easier. I don't have mobile banking apps on any of my phones, because phones get lost or stolen. Inserting a layer of Digital IDiocy that forces a dependency on a phone just increases the risks and hassle, if/when that phone is lost or stolen. So then a transaction might need
1) A working/charged phone
2) A working Digital IDiot system
3) A working mobile network
4) A working bank system
Then ancillary stuff, like how will the IDiot card authenticate? Will it mean having to have Bluetooth enabled, draining battery and increasing security vulnerabilities? Then privacy aspects. Like my transactions with my bank are my business. Will the IDiot Card require location services enabled so HMG and approved 3rd parties know where I am and transaction details?
But basically a whole lot of new risks and hassles for no actual benefit.
Well you've proved the point, Digital ID will make zero difference to how you access your money today (which sounds like you go outside and visit physical branches or cash machines).
Digital ID is unlikely to be used for getting cash out (although it could be used to verify you are the card holder rather than entering a PIN). It's just another way of identifying yourself, supposedly more secure than a passport or driving license.
A friend has some official digital id app - it holds his passport, driving licence, and some other UK government id’s, It has proved so far to be of little real use outside of the few UK government bodies that use it, everywhere else that wants id, wants to see original hard copy id.
So the latest was Halfords, where not only did they want to see his (paper) V5C but also his actual plastic card driving licence. When asked, the reply was that the app wasn’t on the list of approved formats.
Well you've proved the point, Digital ID will make zero difference to how you access your money today (which sounds like you go outside and visit physical branches or cash machines).
It varies. So all the usual banking and payment things. Only now another layer of Digital IDiocy that might insert itself to make life harder and less convenient. Much as it promised last time Labour pulled this stunt. So it would be 'convenient' for me to get the states permission to buy alchohol, tobacco. Or not, if Nanny says 'No'.
Digital ID is unlikely to be used for getting cash out (although it could be used to verify you are the card holder rather than entering a PIN). It's just another way of identifying yourself, supposedly more secure than a passport or driving license.
One never knows with creeping compulsion. But there a lot of unknowns, costs and security vulnerabilities to discover. Along with perhaps needing a suspension of disbelief, or asking pointed questions, like why aren't passports or driving licences secure enough? But it's going to waste billions in direct costs, or indirect, if banks, retailers etc have to pay to support this system.
"like why aren't passports or driving licences secure enough"
Ask country X why their passports are easy to forge. Not everybody is eligible for a driving license.
The thing with (a properly implemented) digital ID is that it is simply an authentication mechanism, in this case run by UK.gov. As much as it would be possible to log when and where said ID has been used (and it would make sense to do that, whereby you yourself can view your history), that's the most that should be done by UK.gov. It's up to whatever organisation wants to participate in digital ID to perform authorisation on whether they allow digital Bob to use their services or not, the government simply provides verification that digital Bob really does represent real Bob.
It's up to whatever organisation wants to participate in digital ID to perform authorisation on whether they allow digital Bob to use their services or not
So at the moment, that's just going to be every employer, and every employee. Well, except for employers who currently have no problem hiring illegal immigrants, and the IDiot card will do nothing to stop that.
the government simply provides verification that digital Bob really does represent real Bob.
Nope. The real Bob might still be a virtual Bob because ID theft is a thing, and IDiot cards have the potential to make this worse. And if its anything like the old ID Card proposals, there'll be fines for failing to provide information, providing incorrect information, but no compensation if the IDiot Card gets hacked or compromised. Pay say, £1m in compensation if that happens, then perhaps I'd get one. If it really is secure, government would have no problem with making that offer. Otherwise it might end up like India's card, their minister claimed it was secure and hackers promptly gave the minister a thorough fisking based purely on the data he flashed on his card.
As for ID theft, that will be rather harder with a digital ID. The process of acquiring a digital ID should be secure enough that should a re-application come in for the same person, then flags will be raised requiring further verification.
As opposed to today where you can whip up a fake ID, some fake bank statements, fake utility bills and hey presto you now have credit in the name of Bob.
As opposed to today where you can whip up a fake ID, some fake bank statements, fake utility bills and hey presto you now have credit in the name of Bob.
And tomorrow, you might be able to use that fake ID to enroll as Bob. Or you have Bob's phone, and therefore must be Bob. But still a lot of unknowns, like exactly how the enrollment process will work, or the authentication. Maybe if Alice has access to Bob's phone, Alice can tap it and becomes Bob. Or maybe the app will flash a pic of Bob, and someone will have to decide if the person with the phone is Bob, or not. Or if the ID requires a photo, then everyone will have to provide one, which will make facial recognition via surveillance more effective. Or not, because anyone who isn't in the database won't be easily identifiable..
Well if Bob enrols Alice's biometrics on his device, or shares his passcode with Alice then sure Alice can pretend to be Bob if Alice has Bob's device. Is Alice Bob's mum, you didn't specify?
Meanwhile when Balaclava Boy swipes Bob's unlocked phone, the digital ID app still requires the same biometrics to be opened so Balaclava Boy is unable to identify as Bob.
Meanwhile when Balaclava Boy swipes Bob's unlocked phone, the digital ID app still requires the same biometrics to be opened so Balaclava Boy is unable to identify as Bob.
Or Alice swipes Bob's phone, and unlocks it. Which is presumably easy enough to do given the number of phones that get stolen. They wouldn't be worth stealing, if they couldn't be unlocked and used. Then if the IDiot app depends on the phone's security, if that can be bypassed then Alice is still Bob, and the IDiot app might be none the wiser.. Which could also be an (in)convenience thiing. So use biometrics to unlock phone. Smile for the camera! Then would I need to do that again to authenticate to the app?
If that relies on the phone security, and that can be broken, then so is the assumption that this will provide secure ID authentication.
Or watch this video-
https://www.youtube.com/watch?v=fufnzxyv2Ps
Where my favorite Black Belt Barrister points out that "the GOV.UK One Login system — the UK Government’s new digital identity platform that is supposed to unify access to all online government services. Yet, behind the scenes, the system’s security operations have been outsourced to a company based in Romania, raising major questions about data protection, privacy, cybersecurity, and national security.
Especially after a government Red Team seemed able to hack the developers fairly easily, and pointed out that the 'secure' identity platform was being developed by unvetted staff on insecure systems..
Funny that, your favourite BBB used to be my favourite BBB when he was creating videos about, well, barrister related stuff. Then he realised there's money to be made pandering to a certain section of the population who seem, how to say, anti-establishment (not sure I'm using that correctly, but hey). Then he started pumping out daily videos about nothing much, filled with sponsored segments.
Similar to how the venerable Dr (PhD) John Campbell was giving sound advice at the beginning of the pandemic, then again realised where the real money is to be made with his wink winks, and threw all the published science to the side and misinterpreted plenty of non-sensical fringe-science.
Anyway enough of reviewing YouTubers. So BBB is scared that it's outsourced to Romania, a country which adheres to GDPR legislation. When does BBB know the first thing about outsourcing and IT? Sure he knows law, he's a black belt, but no mention of being anything related to IT.
The alternative is to not outsource it and keep it all in house - back to my last statement, the government is hardly competent when it comes to IT (well perhaps a lot more than IT but I digress). So how would keeping it in house be better. Is there any information who this Romanian outfit are? Do they have a bespoke authentication product that's used by other companies/countries? Are they just some guys bedroom PC? More information would be good before one starts speculating about insecurity, but BBB is best when there's no actual information and plenty of speculation.
...when Amazon pull the biggest D.o.S. there's ever been?
Governments
If things become too cloudy, you've then got whole economies at the mercy of the cloud owner or their mistakes. You'd think that this event would wake up governments as to the grave perils that lie in proprietary clouds that lock customers in. I'm not holding my breath on that one...
Whose fault is this? It's your own stupid fault! Shouldn't have relied on Amazon, Azure or Google, but on your own VPS server. Like I do, and everything's humming along nicely thank you.
People are stupid and incompetent choosing one of the big Cloud providers. And it ain't cheap either. People are just lazy choosing AWS because it's a big name and they believe they can't go wrong with it. Their clueless boss will sign off on it regardless.
The boss and the entire board of directors own shares of Amazon. Very likely preferred shares.
Corporations don't buy from other corporations based on price and quality. They buy based on stock performance. And conflict of interest on a level that USED to be illegal.
And of course, backhanders and collusion.
From the BBC :o)
AWS is a US giant with a large global footprint, having positioned itself as the backbone of the internet.
It provides tools and computers which enable around a third of the internet to work, it offers storage space and database management, it saves firms from having to maintain their own costly set-ups, and it also connects traffic to those platforms.
That's how it sells its services: let us look after your business's computing needs for you.
But today something very mundane went very wrong: a common kind of outage known as a Domain Name System (DNS) error.
People who work in the tech industry will be rolling their eyes right now.
This common error can cause a lot of havoc.
"It's always DNS!" is something I hear a lot.
https://www.bbc.co.uk/news/articles/cev1en9077ro
And it's only going to get worse.
I was browsing jobs in my region recently, and without exception, pay rates ARE falling.
The occasional calls for out of region work are roughly the same. Stagnate or falling. And the contract schedules are getting shorter and shorter.
The only people taking short term, low pay positions are NOT the people who are going to try their best. Ever.
The tech bros ALL think their shiny is flawless and there is no need for maintenance and monitoring and if so, then one person can handle the 1000+ variables, no problem. Their hubris is breathtaking. In an auto-asphyxiation way.
I just happened to sit down in front of my TV at midnight PDT or just after to watch a movie. But the Amazon Prime app on my Apple TV didn't show any of my saved shows. Thought maybe it was some weird app problem so I rebooted my Apple TV, no luck. I thought I'd logout and back in on the app but I wasn't able to login - said I had the wrong password. So at this point I'm worried my account has been hacked and they've reset my password. I'm imagining someone ordering a bunch of stuff, me being unable to talk to a human at Amazon to stop it, and even if my credit card losses are covered they'd eat up the $300 credit I had from a recent return and Amazon might not give that back.
So I go to amazon.com on my desktop and try to login, hoping I can tell it to reset my password if they haven't changed the email already but I can't even get past entering my username - it says I need to enable cookies. I temporarily turn off my cookie autodelete extension, no luck. I try Chrome which I hardly ever use and don't have configured with any extensions (it is sort of a sanity test or backup in case a web site refuses to cooperate with Firefox but I really need to access it) With Chrome it still says I need to enable cookies. OK, so this isn't someone hacking my account at least!
Next I google "is amazon down" and a couple of the downdetector type sites show a huge spike in that in just the last 15 minutes or so! If I had sat down in front of my TV like 2 minutes earlier I probably could have started the movie and not had all that hassle.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
