[sloshnmosh]

I contacted Amazon to report an advertiser out of Tel Aviv that was using JavaScript hosted on CloudFront to fingerprint user's devices and if an Android device was detected a fake media player or fake CAPTCHA would trick user's into accepting push notifications for fake virus warnings to install questionable apps from the Play Store.

This script also pushed ads for a fake AdBlock app that was a dropper for banking trojan apps.

Amazon refused to do anything about it.

More info:

https://forum.xda-developers.com/t/massive-mobile-advertisin...

[TechBro8615]

I wouldn’t be so quick to rush into a future where Amazon takedowns are as easy as YouTube DMCA requests.

[DSingularity]

Yes! Let’s stay in a present where Israeli hackers-for-hire can help dictatorships capture and murder dissidents.

At a minimum we should demand transparency and accountability from all of these scale-enabling organizations.

[ben_w]

Obviously I am not in favour of that either.

Making takedowns automatic on any user report means the dictators take down the apps of the dissidents.

In the absence of AI that would necessarily have to be good enough to also radically change society and the economy, the only solution I can even think of is a big increase in funding for the policing of apps. Who exactly would fund that? Governments would want to use such powers to pursue their own agendas, while Big Tech taking a proportion of App Store income is already being called “[Apple|Google] tax”.

[funcDropShadow]

Or we could use a different architecture for our applications that isn't so easily taken down. You know like locally installed apps, that can do something without the cloud overlord pushing new code with every pixel or character that is transmitted.

[ben_w]

How would that stop, to go up-thread a bit, "an advertiser … that was using JavaScript … to fingerprint user's devices and if an Android device was detected a fake media player or fake CAPTCHA would trick user's into accepting push notifications for fake virus warnings to install questionable apps from the Play Store"?

[DSingularity]

Why can’t we we reduce cloud provider margins and use that money to fund it!

I mean — why is this not obvious? Force these companies to adhere to certain regulatory standards - the minimum of which is transparency and accountability.

[etherealG]

I’m sad to see you being downvoted. I agree completely. Somehow the richest company in the world paying for this burden on us all is a bad idea :/

[hef19898]

I guess your founder and CEO being victim of something similar helps in these decisions. Or not.

[mrits]

I wish we could just go back to the pre amazon days where we didn't have problems in the middle east

[DSingularity]

This is besides the point. Just because the Middle East has been in turmoil since it was neo-colonized after WW2 doesn’t mean it’s okay for massive corporations to exert this much influence.

Also, while we are on this subject, your language has some pretty orientalist vibes to it. I wonder who you think created these problems and who feeds them today?

[mrits]

You should have closed with "How do you like them apples?"

[DSingularity]

I’m confused. Do you support corporations having this kind of unchecked power or do you support the neo-colonial strategies that have left places like the Middle East in turmoil for the past century?

[jjice]

Given two sides of a spectrum, one will take that one that aids their argument most. We need a healthy middle, like most cases.

[DSingularity]

No dispute there. That’s why you should push for accountability and transparency. When we discover groups like NSO, we (the public) should be able to use FOIA like mechanisms to query these cloud providers and check if they are doing business with these criminals. We should be able to see who exactly approved their application and why they didn’t fail whatever standards we (the public) have decided that cloud providers should uphold. Maybe the standards had gaps or maybe there is corruption. Either way, the public has a method for feedback into key parts of society: cloud providers.

Voting with the dollar doesn’t work anymore.

[dpifke]

In the meantime, Google and Amazon simply ignore all complaints about spam originating from their networks.

In the olden days of the internet, ISPs that ignored abuse complaints would be blocked by their peers. Now that Gmail and AWS are too big to block, they act with impunity.

[JumpCrisscross]

> In the meantime, Google and Amazon simply ignore all complaints about spam originating from their networks

How did we get to equating selling tools for murdering journalists to spam in just three comments?

[dpifke]

I don't see where anyone in this thread said that the two are equivalent?

Amazon (and others') pervasive shitty handling of non-DMCA abuse reports seems relevant, however.

[ta988]

This is complicated when you see how non-ethical companies like Lyft are messing with competition I wouldn't be surprised they would flood provider with spam-reports...

[giantg2]

It doesn't really matter how difficult it is. What this demonstrates is that AWS is not a public utility and will be swayed by mob rule to take down companies that are no longer "acceptable".

[kjaftaedi]

One would hope Amazon is capable of having a reasonable terms of service and enforcing it without the need for government intervention.

[TechBro8615]

Sure, but the OP was an anecdote about an individual that requested Amazon to cease rendering services to a third party. No government was involved.

[jjoonathan]

It feels like this is more a result of Amazon not being able to connect you with the right escalation path to verify & act on these claims than a considered decision to ignore them.

Does anyone here know what an individual reporter should do? Is there an escalation ramp that exists but was so poorly marked that neither sloshnmosh nor Amazon support was able to find it? Does the ramp go through other organizations (e.g. report to CERT or some other org first and come back with a case ID)? Does the ramp not exist and need to be built?

[londons_explore]

Doesn't cloudfront generally act like cloudflare? Ie. We don't inspect your content. Law enforcement are the only people who can stop us hosting a site.

[jorvi]

Cloudflare has taken voluntary action on sites 2 (or 3?) times now. They can no longer claim complete neutrality. I don't know about Cloudfront.

[ignoramous]

If you violate policy (of which there are likely many varied yet incontestable interpretations), AWS pulls the rug out from under you faster than one can say "neutral". That's excluding they do not make newer policies on-the-fly.

Ex A: https://signal.org/blog/looking-back-on-the-front/

[0xbadcafebee]

It has nothing to do with "neutrality", they have Terms of Service like every single service provider in the world. If you violate them, there goes your infra. Spreading malware is almost certainly a violation of AWS' ToS (Amazon engs, correct me if needed)

[meowface]

It's a little more complicated than that in Cloudflare's case. The debate isn't really relevant to AWS/CloudFront or anyone else, but Cloudflare has famously had a policy of not kicking off any customers as long as they abide by US law. The CEO publicly identifies as a free speech absolutist. (Malware/phishing/etc. is still removed, since it's illegal.)

The CEO publicly broke their policy on this on two occasions: the neo-Nazi website The Daily Stormer, and 8chan. In each case, only after a long saga played out.

For The Daily Stormer: after they mocked the deceased victim of the Charlottesville rally, Cloudflare received public pressure to boot them but refused, and then the owner subsequently tried to troll them/the public by claiming Cloudflare executives secretly supported their ideology, causing them to finally be removed. (https://blog.cloudflare.com/why-we-terminated-daily-stormer/ )

For 8chan: Cloudflare received a lot of heat for not removing them after the first and second incidents of posters becoming mass shooters, eventually removing them after the third mass shooting. (https://blog.cloudflare.com/terminating-service-for-8chan/)

I forget the term/aphorism for this (like "double-bind", sort of), but they put themselves in an awkward position because they're probably one of the most neutral service providers out there - still far more than probably anyone else to this day - but by marketing themselves as 100% neutral, being only 99.99999% neutral created lots of lasting negative PR that people still regularly bring up.

Any other company would've kicked those people off way sooner and there would've been little to no publicity, because they routinely do such things, but now Cloudflare is hated by both the pro-censorship and the anti-censorship crowd. (See: https://en.wikipedia.org/wiki/Cloudflare#Mass_Shootings and everything below. It's quite a rollercoaster.)

[xorcist]

> Malware/phishing/etc. is still removed, since it's illegal.

They are known for protecting DDoS-for-hire and Cryptolocker services.

[stevenicr]

clouflare stopped being like that long ago. they publicly posted that they will take down stuff they makes the ceo worry, and they will inspect what your users are reading/sharing - and notify agencies with powers and guns when they find stuff from now/then on.

- no longer a dumb pipe, no longer neutral, actually active in directing law enforcement to take you down and possibly take people out.

[stevenicr]

I just have to wonder if people downvote this thinking it's not possibly true, or they just don't like what is said.

Link to relative info is posted on another comment (https://news.ycombinator.com/item?id=27884821) - but for those who have not read it, here is an excerpt from a 2019 cloudflare post/statement:

"...what we have done to try and solve the Internet’s deeper problem is engage with law enforcement and civil society organizations to try and find solutions. Among other things, that resulted in us cooperating around monitoring potential hate sites on our network and notifying law enforcement when there was content that contained..."

So I stand by the statement, I can't see any other way to read it.

[livinginfear]

Why is this being downvoted? It's demonstrably true.

https://blog.cloudflare.com/why-we-terminated-daily-stormer/

[Volt]

Is Cloudflare a "pipe"? I don't think so.

[stevenicr]

reason for "no longer a dumb pipe," - is that I believe that was the 'defense' aka reason being used for a while to push back against different groups that were accusing and then trying to public shame cloudflare; for protecting alt-right(?) I know there were a few PR pieces pushed in the UK or Euro press about some things - maybe hookers or something.. anyway for a while cloudflare was all like, we are just a really big pipe that pushes data and can absorb ddos.. we don't get into content moderation or opposite-net-neautrality.. there were complaints that some groups 'on the right side of history (or whatever)' - were trying to take down the stormer site I think it was and that their co-ordinated takedown attempts were failing as cloudflare was protecting the send/receive, being a pipe, not a judge.. This is what I believe ATT was using as a defense some time ago; they don't stop drug dealers from making calls they just provide the 'pipe' There was also some groups complaining about cloudflare making it hard to find servers - to find jurisdiction, again uk /euro I think - I have those articles saved on one of my systems.. and may be linked to a HN comment long ago - where I said chipping away at this pipe thine will lead to a bifurcated internet - where we will have internet place X internet place Y - and companies like cloudflare may have to turn into a dozen different companies to keep up with the changing 'this speech is not okay' rules for various places..

funny how fast things can change.

I believe many of cloudflare's early customers especially felt protected and safe because of the stances - and I bet most don't know about the 180..

I also think most average web people would think if you set 'whatever' for your DNS - that the dns routing is basically a dumb pipe - it's not spying on you and sending copies of your data to gun agencies.

Just as I think most people would not expect their cell phone company or internet provider to spy on data and send snippets of your communications to agents. I would not expect my web server co to deep packet inspect all comms looking for bad things. (not without a warrant and being directed to look at a specific line, now a whole data center / cell co, etc.)

I think it was a terrible choice to make for cloudflare, but I know not an easy one either way.

So 'pipe' is a term that has been used in this way for a while now in similar fashion I thought - and it's not meant literally like a copper water line.

Also in some ways cloudflare has been a pipe - a pipe for flowing data that would be choked by ddos attack if were to try to send/receive across the net in most other ways kinda of.

[adreamingsoul]

The AWS forums are going to be the best way to start a discussion with people who can escalate.

[berto4]

always a narrative/explanation...right on

[jjoonathan]

If there is no escalation path, that's a big problem, and nobody here is pretending otherwise.

[Kiro]

It's always the other way around. A company can never do anything right. HN will always find an ulterior motive.

[b112]

It feels like this is more a result of Amazon not being able to connect you with the right escalation path to verify & act on these claims than a considered decision to ignore them.

Those two things are actually the same thing, both are wilfully ignoring situations like this.

[seanmcdirmid]

Never assume malice where ignorance and incompetence would suffice instead. Those two things are actually not the same thing at all, depending on how you define “willful.”

[toss1]

Yes, that is a good summary of Hanlon's Razor, a sort of corollary to Occam's Razor about mot creating unnecessary entities in your conceptual models.

Hanlon's Razor is a good first approximation or initial approach to a situation, not the end of the discussion. There are many situations where incompetence may appear to be an explanation, but is in fact not the root cause, and may even be being actively used as a cover for malicious actions.

The point of the razor is that it is up to us to sort out the difference, not to just jump to a conclusion that it is malice, or that it is incompetence.

In this case, Amazon has had plenty of time, resources, and skilled people to see the need and implement an escalation & resolution pathway. That they have so persistently failed to do so for so long indicates a cause beyond mere incompetence. Even if they are not being as actively malicious as the malware distributors, they clearly and actively DGAF.

[seanmcdirmid]

> That they have so persistently failed to do so for so long indicates a cause beyond mere incompetence.

So you are claiming that they have had so many opportunities to do the right thing, that they aren't merely incompetent, but are in bed with the evil doers? That would be a huge claim, to say the least.

[toss1]

There are many options between incompetence and being actually 'in bed with', which I read to mean 'knowingly cooperating with', the criminals.

The first example is that it's simply more profitable for them to turn a blind eye unless one of the relationships becomes a public problem. They wouldn't be actively aiding and abetting the crime, but neither are they stepping up to ensure that it isn't happening on their systems. It's being complicit several steps beyond incompetence, but not the same level as active cooperation.

And, considering that Amazon has no shortage whatsoever of funds and skilled people to prioritize anything they want to prioritize, I'd say more than sufficient time has passed that they're at least at something resembling this sort of willfully ignorant stage.

[csharptwdec19]

It's malice but from a different aspect; willful malice in the name of 'cost cutting'.

[xyzzy123]

How many FTEs should they have dedicated to triaging security complaints from (relatively speaking) randos on the Internet about their customers?

Also, would you take that job?

Some poor support person probably got this and punted because they couldn't pattern match to something in their handbook.

For every thoughtful, detailed security report there are about 500 others that involve voices from appliances, self-xss, csrf on logout and 5G coronavirus. It is extremely difficult for L1 support to make sense of these. Having a support contract or attracting attention on the forums are decent ways to pop out from the background noise.

[blacksmith_tb]

Not to worry, they'll replace their overworked human staff with sentiment analysis bots which will do an equally uneven job of sorting the wheat from the chaff, with even less hope of appeal.

[Nasrudith]

Malice is the wrong term for it even if we accept the premise. (I do not but that is another can of worms.) Malice implies a desire to hurt people. It would be utilitarian callousness if anything, negligence if there were legal obligations shirked. There is no law against just poor customer service like being a jerk isn't illegal.

[Forbo]

Never assume ignorance where greed would suffice.

[wolverine876]

Amazon could do it if they wished; they don't want to.

[atatatat]

Never assume ignorance where a scumbag can take new default level of societal ignorance and hide behind it....

[duxup]

They can be very different things.

Poor communication channels happen even when folks don't want it to. Humans are bad at doing such things.

[ericbarrett]

Did they reply in the negative or just not respond?

[achow]

How does it matter?

No response is a response and in this kind of situation it is explicit "I will not do anything and I'm dishonest enough to not acknowledge that.".

[jabberwik]

To me, a negative response says "We have evaluated our policy and decided that we will not stop this." A non-response says "A frontline agent didn't know how to make a call on a non-downtime ticket from a non-customer so now it's in a bureaucratic black hole and nobody has actually read your email and probably never will." Which is still crappy, but not really malicious in the same way.

[ericbarrett]

I was curious, not being cynical toward sloshnmosh. Much can be inferred from Amazon's choice of reply.

[squarefoot]

That NSO Group infrastructure was burned, the one you reported (still) isn't.

[reaperducer]

Amazon refused to do anything about it.

Actually "refused" to do anything about it, or didn't respond to you?

[Scoundreller]

I’ve had government agencies claim it’s not a refusal/rejection if they refuse at the moment and claim you might (with no guarantee) have success if you try later.

I call it a “constructive refusal”.

[smokelegend]

i.e. "differed success"