[rys]

He does explain it in his blog post. He changed it after the erratic communication and actions of RC leadership, then after realising what they were really doing, left them to complete their “security audit”, assuming they’d discover it themselves and take appropriate action as part of that. That never happened (which is wild), so he let them know.

They still don’t seem to be in complete control or understanding of the infrastructure they forcefully took control of.

[james_marks]

From Arko’s post I get the sense he actually cares about security.

Seeing that he still has root, which means others may, changing root is the most benevolent thing he can do.

It immediately means he has the only unauthorized access instead an unknown many, and that they’ll now cycle keys like they should have in the first place.

[skywhopper]

Also seems pretty obvious that there was no clear chain of command for the operators. The board themselves certainly aren’t deeply involved given the statement by the one board member about how they couldn’t be bothered to communicate with the community about what was happening because they are so busy in their day jobs.

So who should Arko contact? The guy who’s his “boss” just suspended a bunch of access, twice, and emailed contradictory things. Given how sloppy the overall security situation clearly was and continues to be, I’m guessing no one really understands how AWS security works except for Andre anyway.

[anon84873628]

I appreciate these viewpoints. I still think Arko would have been better off communicating quickly and proactively to Haught any changes he made or security issues he discovered, despite however confused or contradictory Haught had been. As you say, RC is the "boss" in this relationship (they unambiguously own the AWS infrastructure and sign the consulting checks). So that is your duty as the professional in the room. And it would have at least protected his image when we now get to this point.

Of course hindsight is 20/20. The whole debacle is a shame.