Hacker News
by cperciva 5697 days ago
I've worked with Amazon Web Services security people in the past, and while they're not perfect (nobody is) I have always had the impression that they take security seriously. AWS has many very large customers, including the US government and companies handling HIPAA-restricted data; based on the assumption that Amazon employees don't want to be thrown in jail for 10 years, I think it's safe to say that if EC2 is "0wned" as you claim, it's certainly not well known within Amazon.

For what it's worth, accidentally (or even negligently) violating HIPAA is fantastically unlikely to get you charged criminally.
I agree -- but fraudulently violating HIPAA (e.g., if you advertised "this is a safe place to put your HIPAA data" while knowing that it wasn't safe) is probably a rather different matter.
Yeah but "0wning" EC2 would most certainly get you charged criminally under a number of laws.
Colin was implying that negligent management of EC2 could leave Amazon employees criminally liable. Obviously anybody who "owned up" EC2 is already a criminal.