Capital One Hacker Indictment–How it Could Impact Amazon–Futurum Tech Podcast
On this edition of Futurum Podcast, we are addressing the Capital One, AWS hacking fiasco, Apple security issues with iOS, and its MacBook, Huawei’s ability to adapt to life beyond not being part of the Android ecosystem, and Ericsson’s partnership with Deutsche Telekom, and delivering new public, private mobile solutions to industrial campus networks.
Our Main Dive
This episode covered a variety of topics, including our Main Dive on the indictment of the Capital One hacker, Suzanne Thompson, some additional lawsuits that have been filed related to this case, one of which is against GitHub and Amazon and, most importantly, how the timing for any bad press related to Amazon’s AWS is not ideal. Amazon and Microsoft are the two finalists for the $10B DoD JEDI cloud infrastructure contract that is due to be awarded literally any day now. As such, any press, especially bad press as it relates to allegations of any nature about infrastructure security, is probably something that Amazon isn’t crazy about.
Our Fast Five
We dig into this week’s interesting and noteworthy news:
- For our Fast Five discussion, we explore Ericsson and Deutsche Telekom’s* strategic campus networks partnership, which is all about delivering mobile solutions at industrial sites. *Note you’ll find deeper coverage on this topic linked at the bottom of this article.
- We’ll cover some big news related to Apple’s operating system, and how a long-term iOS attack potentially compromised Apple devices.
- Continuing on the device front, we touch base on the news that the U.S. trade ban strikes Huawei — again. Huawei’s Mate 30 and Mate Pro 30, scheduled to launch on September 18th, reportedly won’t be able to ship with the licensed version of Android and associated Google’s apps and services and what that could potentially mean.
- We head back to Apple again to cover briefly the news you want to know if you travel with your 15” MacBook Pro.
- We’ll wind up our Fast Five segment on Mahindra and Adjoint’s blockchain solution* for secure enterprise finance and management and insurance services across locations and what the future looks like on that front. *Note you’ll find deeper coverage on this topic linked at the bottom of this article.
This week we’ll talk about review bombing podcasts and what’s happening there.
Crystal Ball: Future-um Predictions and Guesses
We talk about review bombing podcasts and what’s happening there.
Shelly Kramer: Welcome to this week’s edition of the Futurum Tech Podcast. This is your host, Shelly Kramer, a Partner, and a Senior Analyst at Futurum Research.
I’m joined this week, by my colleagues and fellow analysts, Olivier Blanchard, and Ron Westfall. Welcome, gentlemen.
Ron Westfall: Good day.
Olivier Blanchard: It’s good to be here.
Shelly Kramer: Great to hear your cheerful voices this Friday.
Before we get started, I need to do some due diligence, and let you know that, the Futurum Tech Podcast is for information and entertainment purposes only. Over the course of this podcast, we will talk about several companies that are publicly traded. We may reference that fact, and their equity share price, but please, do not take anything that we say as a recommendation about what you should do with your investment dollars.
We are not investment advisors, and we ask that you not treat us as such.
With that piece of business out of the way, I’m going to start off the conversation this afternoon, talking about Suzanne Thompson. Suzanne is the Capital One hacker who was indicted this week, and the claims against her point to the fact that she was able to manipulate firewall vulnerabilities, to mine cryptocurrency, which is actually called, crypto-jacking.
Not only was she able to access Capital One, she was able to gain access to, I think about 30 other companies. The thing that interests me most about this, first of all, it’s a big deal. It’s a big deal for Capital One, although I think that the reality is, we live in a day and age where, it’s another day, another company hacked, and let’s move on, but what I am interested in, in particular about this is that, Suzanne is a former employee of Amazon, and the conversation around this hacking is that, Capital One used Amazon’s AWS cloud server, and that the vulnerability was something that actually, perhaps Amazon knew about, and did not fix.
The problem here, while all that’s being sorted out is that, Amazon and Microsoft are the two final contenders for The Pentagon’s $10 billion Jedi Cloud Services contract. What interests me is that, there probably couldn’t be a worse time for Amazon’s AWS to be in the news about firewall vulnerabilities, when the government is very soon to make a decision about this Jedi contract. Anybody have any thoughts on that one?
Olivier Blanchard: Well, the first thing that comes to mind is, okay, so we have a very sophisticated, very effective and talented hacker at work here, and number one, she was caught, so that’s one positive. But, the other is that, I think we need to be able to differentiate the difference between maybe a lax IT security infrastructure at Capital One, and the type of firewalls and other security protocols that would exist around a government, and especially critical government operations’ use of IT.
I think that, while AWS may have vulnerabilities, and probably does … Every system has vulnerabilities. Some of them are human, some of them are technical, et cetera. I think that the level of protection around data, around servers would be much higher with the US government, and especially defense, and very high end, deep kernel applications, than they would be for a company like Capital One.
It shouldn’t be that way, and maybe I’m wrong to assume that the government would have better safeguards, but I think that’s … We’re talking about apples and oranges, maybe. If nothing else, it might be a good line of defense for Amazon, when asked the question in court.
Shelly Kramer: Well, actually, one of the things that I didn’t mention is, a lawsuit was filed in California in early August, against Capital One by some consumers who were angry about the breach.
A subsequent suit was filed the following week, so just a couple of weeks ago, naming both GitHub, and Amazon as defendants. This suit alleges that Amazon knew about this vulnerability that made the hack possible, and took no action to fix it.
While I agree with you, and we may be talking a little bit about apples and oranges, I’m also thinking about the people who are making these decisions at the federal government level, and with all due respect, I think sometimes, their knowledge about some of these nuances, leaves a little something to be desired.
What I mean is that, we have a situation where there’s been some contention already, around this Jedi contract. Oracle has made a big stink about not being included. They have another lawsuit that they just filed as a matter of fact.
Now, it’s come down to Microsoft and Amazon. There’s already some concerns at the administrative level about Amazon, because we all know about the president’s animosity towards Jeff Bezos, and Amazon, so there’s some issues at play there, and I think my broadest point is that, anything that allows anyone to say, “Ooh, Amazon. Not sure.” Doesn’t help in their ability to compete effectively for this contract.
Ron Westfall: It’s obviously a contract that is driving a great deal of competitive turbulence in the fact that, yes, this is a massive PR fallout for AWS, although, we still don’t know if that’s going to be decisive in the final selection, but as a wild card, we still have players like Oracle, suing in the courts, to have the process reconsidered, in terms of broadening the selection of possibilities.
This is a soap opera that is not beneficial to any of these cloud players, except for Microsoft, and as a Capital One customer, it’s also a object lesson, in terms of what not to do, in terms of handling, and messaging the issue.
Every time I log in to do … For example, a checking account transaction, there is a big icon at the top, saying, “If you want more information about the massive data breach, click this.” It’s like, at this point, I think you could take that down. You don’t need to be reminding people every single day, that this happened.
I think the average user has moved on. They’re like, “Okay, either I’ve already moved my checking account, because I don’t trust Capital One.” Or, “I’m just going to stick with you all, because it’s just too much hassle to do it.” But, to have that there as a daily reminder is, just not a good move at this juncture.
Finally, it’s fascinating that, Miss Paige Thompson, the hacker could have gotten away with more, if she hadn’t bragged about it online, and as a result, was reported. That is certainly an indictment of both AWS and Capital One in that, this is something that could have bled even more, had it not been for the ego, the vanity of the hacker.
Shelly Kramer: Right, that was, that was just pretty insane. Well, you know what? The reality of it is, in no time, I imagine we’ll know the answer to this, and see what the DOD decides to do with that $10 billion.
We’re going to move on now, and Olivier to talk about some big news, with regard to the Apple iOS.
Olivier Blanchard: Yes, so my theme I think, this week, is Apple. I wanted to talk about Huawei in advance of their event in a few days, but I guess we’ll cover that next week.
I just happened to find two stories this week about Apple that, were disturbing, and one that I’ve been arguing about for quite some time, and it’s the fact that, iPhones can be hacked.
Up until now, the general idea was that, even though iPhones could be hacked, it was too costly, too difficult, not really cost-effective to massively attach iPhones, as opposed to Android phones.
Google researchers who are tasked with identifying hacks of this type around the world, have identified one that involves iPhones. Apparently, what was happening is, a number of websites, and unfortunately, the websites have not been named, or identified yet, at least not to the public, but these websites were infecting iPhones with malware essentially.
It was a string of websites, all doing different things, slightly differently to attack 14 different security flaws, or vulnerabilities in iOS. Apparently, these sites were active at least since 2017 according to the study, and had thousands of visitors per week, so this is scary.
What it was able to do is, actually take control of your phone, get all the way down into the kernel, and be able to access all sorts of things, including the types of communications that you would have on third party apps like WhatsApp.
It didn’t actually break the encryption of those apps, but what it did is, by taking over the phone essentially, it could allow a hacker to access that information, by essentially using the phone’s token.
You still have end to end encryption, but if you’re actually in on one of the ends of those communications, you have access to video, you have access to photos, you have access to text.
What this does, and I’m sure that that story will develop, and we’ll find out more about it, but what this does is, make you rethink the notion that, although Apple has spent a lot of time, and a lot of money creating a nice, secure ecosystem for its devices, and its iOS, the conventional wisdom about iPhones being unbreakable, and hackers not being able to get into iPhones is now out the window as of this week. Although it’s less likely that an iPhone user will have their phone hacked, it is now entirely possible, and the math has changed.
I should add one more little thing, something that you guys mentioned in the main topic segment, which was that, had the hacker not made mistakes online by bragging about what she had done, we might not have found out about it, or at least not as quickly.
In this particular case, even though the attacks are very sophisticated, and the hackers have managed to do something that was considered almost impossible up until now, they also made some mistakes. Among them, they were very amateurish mistakes.
I think that they hardwired this one particular server into their code, so it made them really easy to track. They also left a lot of code open, so that anybody nearby could access the information that they were seeing, as opposed to encrypting it, or keeping it very, very centralized.
What we have here, and the belief is that, whoever was behind this, had a lot of money behind it, and was probably a state actor, using third party contractors to write some of the code, and then filling in some of the rest themselves, and didn’t have the experience, and the sophistication to actually plug those holes properly, and use the right protocols.
Just something to keep an eye on, and something to be aware of, if you happen to be an iPhone user.
Shelly Kramer: Well, and to keep your operating system as up to date as possible, too. I think people forget about that.
Olivier Blanchard: Yeah, and be careful what websites you visit too.
Shelly Kramer: Ron, we’re going to learn a little bit about Ericsson and Deutsche Telekom. What’s going on there?
Ron Westfall: Yes, let’s hop across the pond, and take a snapshot of two major themes that are going on in the industry. One is, industrial IoT, which I think is broadly understood as being a major 5G use case, like okay, why do the operators need to go through with all these investments? Why do enterprises need to pay attention, and actually upgrade to 5G?
The other aspect is, campus networks, and how 5G can enable transformation and innovation within those environments. This is a good alliance to demonstrate how both of these trends are going to have an impact.
For example, Deutsche Telekom, obviously the top operator in Germany, but also the top one in Europe overall, in terms of sales is, very much a driver of what is going to happen in Europe.
They see the campus networks of many of their enterprise customers, particularly industrial sites as being a hotbed for new revenue for new innovation and so forth. This is interesting because, it enables a blending of the best of public networks, and the best of private networks.
Usually, they’re viewed as exclusive. One, for example, private networks is only suitable for specific industrial and enterprise applications, and don’t bother with the public network, but what Ericsson and Deutsche Telekom are demonstrating is that, yes, yeah, you want to use private network capabilities to provide network slices that enable the dedicated secure connections that are critical for many of these high demand applications. For example, precision supply chain, precision manufacturing, using robots that are putting together technology and so forth.
Obviously, you cannot afford low latency in these connections. That would be disruptive to say the least, if not downright fatal for an enterprise, if these connections aren’t operating as they need.
That’s where you need not only the 5G bandwidth, which is a difference maker, but it’s enabling the lower latency, so that the delays are well below 10 milliseconds for example, and in a vast improvement over say, the 4G LTE 40 millisecond latency, which has become accepted.
In the meantime, the public networks will be available, to not only allow for high quality voice and data services, but to also enable more flexible partner onboarding when they’re at a site, and things of that nature.
Sometimes the question comes up, “Well, why not just use WIFI?” We understand that WIFI is certainly part of the mix, but it just doesn’t perform as effectively as 5G, in terms of at least a voice component. The voice aspect alone, warrants having a 5G presence at many of these sites. You cannot just exclusively rely on WIFI, which is best-suited for data applications, and there is the fact that, sometimes WIFI is not available, sometimes it’s not secure, et cetera.
This is really something that it will drive 5G investments, and fire up the imagination like, why do we need to adopt this technology?
Yes, it’s insightful in that, it’s showing that industrial IoT can definitely be used not only in a manufacturing environment, but also in factory shop floors, logistics centers, our familiar airports, and harbors and so forth.
On a final note, this is a logical extension of the relationship that Ericsson fortified with Deutsche Telekom, when over a year ago, it was selected as the co-major supplier for Deutsche Telekom’s 5G build out, replacing Nokia as the radio access network provider. That was a major upset, and we’re seeing fruit bear out for Ericsson, as well as Deutsche Telekom, in terms of that strategic shift, and Deutsche Telekom’s suppliers.
In the meantime, Huawei remains the other co-supplier, however, this is definitely demonstrating that Ericsson, at least when it comes to driving 5G industrial site build outs, has the upper hand right now, within Germany.
Shelly Kramer: Yeah, that’s really interesting, and actually, a great setup for me, because I’m going to talk about Huawei, and the fact that the US black list is striking again, as it relates to Huawei’s flagship series phones, the Mate 30, and the Mate 30 Pro, which are expected to be announced on September 18th.
While there have been some rumors of some really cool functionality that these phones will have, a new report that out indicates that, these phones, due to the US black list, will not be able to be sold with the licensed version of Android, and any Google apps or services, due to the US ban on sales to Huawei. Even though there’s a temporary reprieve that the government announced last week, it doesn’t apply to any new products, such as the Mate 30.
What this means is that, of course, Huawei announced its own operating system called, The Harmony OS in early August, as an alternative to Android, but what this means for Huawei is that, it could very well be an impediment to sales of these new products, simply because, you won’t be able to use any Google apps, no Gmail, no YouTube, no Drive. That could be a big deal, when it comes to people wanting to think about buying these new phones.
Olivier, we’re going to talk some more about Apple now, right?
Olivier Blanchard: Yes, we are.
Yeah, I didn’t mean to make it all about Apple, but just, this is like a travel advisory. I don’t know if you recall but, I think it was a week, maybe two weeks ago, the US-based airlines were starting to ban certain types of MacBook devices from being checked in luggage, because of a battery fire risk in a very limited number of 15″ MacBook Pros, specifically.
Well, I suppose being able to differentiate between those MacBooks, and all of the other MacBooks was too difficult, and too timely by TSA, so now, there apparently is a complete ban on transporting your MacBook Pros in your checked luggage.
If you do have to fly with your MacBook Pro, at least for the foreseeable future, put it in your carry on, not in your checked luggage, and you should be fine.
This should not necessarily be seen as all MacBook Pros having a fire risk. I think it’s more of a procedural thing, to make it simple and streamlined for TSA to handle this.
Shelly Kramer: Who checks a computer, anyway? I would never in a million years.
Olivier Blanchard: I know who, people who have multiple computers, and multiple devices, and are probably using a Surface, or a Chromebook, or something smaller on the plane, and just check their big, 15″ … Because, we’re talking about a 15″ MacBook here, not the 13″, and that’s a coffee table, honestly. They’re great, but it’s not the most portable thing to take with you on the plane.
Shelly Kramer: Yeah, but I still … As much as those cost, and I have several … Book computers, I would never trust it to check it.
Olivier Blanchard: Oh, sure.
Shelly Kramer: But, you know what? Ron, now we’re going to talk about Tech Mahindra, and Adjoint’s blockchain solution, which I think is really cool.
Ron Westfall: Right on! Yes, this is a great opportunity to talk about what on the horizon can potentially provide salvation, a solution to hacker hell. That technology is blockchain, and yes, it’s been a bit over-hyped. It’ll take a while for the ecosystem, and for the major players out there, to get it working in a mainstream sort of way, at least certainly beyond cryptocurrency applications, but what Tech Mahindra is doing, to further the cause of blockchain is, partnering with an outfit called, Adjoint, which specializes in financial management solutions.
They are looking to enable financial institutions to quite simply use blockchain, to not only avoid for example, the manual data input errors that can mar financial reports, or out of order input errors and so forth, but to extend that universal trust, and secure access that is critical to enabling all these transactions over the internet to be just that, trusted.
As we see with the Capital One fallout, that’s really just not there today, or into the foreseeable future, using existing client server implementations.
On a specific note for the alliance, they are obviously targeting the financial management and insurance segments, and looks to address specifically upholding general data protection regulation requirements in the European market, GDPR, and that’s taking on more prominence.
Already, the EU is handing out fines for GDPR violations, and we can anticipate that the US and major parts of Asia will be following suit with similar requirements that quite simply, put priority and the emphasis on protecting consumer data privacy, and enterprise data privacy, and so forth.
There’s just been too many infractions, too many mishandlings of the data, to avoid this issue, so we’ll see regulators in governments definitely step up more, in terms of also addressing this issue.
An additional note is, the fact that they’re claiming innovative breakthrough, however, this is where the marketing hyperbole is just there. We already see major blockchain in players like IBM already, working with the financial and insurance institutions out there, to enable blockchain assurances.
For example, IBM has been working with the American Association of Insurance services, as well as the insurance giant, AIG to use blockchain to enable these trusted transactions.
Likewise, we’ve seen Microsoft work with the consortium of partners, in particular Maersk, the major shipping container outfit, to provide blockchain innovative marine insurance capabilities, because as it turns out, marine insurance is very complex. It changes from country, to country, and from environment, to environment, so it’s not like just signing up for auto insurance. It requires a great deal of multiple transactions and forms and so forth.
What the good news here is, that we’re seeing this steadily building up, that we are seeing pilots that are now translating into full-fledged trials, and that people are getting more confidence.
Yes, there are going to be misfires. There are going to be abandoned trials and so forth, because the players involved don’t know quite yet, how to put it into the mainstream, but you can bet now, with the IBMs, and the Microsofts, and Tech Mahindras, and their major partner really proving that these can work in these major use case instances, this will usher in blockchain, actually finally making the traction we’ve expected for a while in 2020.
Shelly Kramer: That’s really awesome. It’ll be great to see what happens there.
Well, we’re going to move on to the tech bites section of this podcast, and today, we’re going to talk about podcast bombing. Yes, it’s a thing, and angry fans keep wrecking podcasts with one star reviews.
Olivier, you and I talked a lot about this, this afternoon before the show started. You want to tackle this a little bit?
Olivier Blanchard: Yeah, it’s the sort of thing that’s been happening a while on different platforms we’ve seen this. As a writer, who has several books co-authored, and also just plain 100% authored out there, getting reviews is already difficult enough. Getting positive reviews isn’t really the problem, it’s just getting the reviews, period.
But, whether it’s Amazon, or a podcast, whether it’s books, or products, or an Uber driver, or an Airbnb operator, your business, online anyway, lives and breathes reviews. That’s the tie that either raises, or lowers your boat, so they’re very important.
Reviews that therefore been a vulnerability I guess, for a lot of products, and a lot of companies that operate online, because it’s so easy to game the system against somebody else.
Although Amazon and other outfits have done a really good job … Yelp is one of them, on cracking down on negative reviews, and especially guerilla campaigns of negative reviews, where the negative reviews might not actually be legitimate. They’re coming from some black hat operator somewhere, taking money from Company A, to spread dirt, or essentially use reviews negatively against a competitor, Company B.
This is a company that the companies are trying to tackle, and I think that now, it’s only normal that we’re seeing the same sort of behaviors happening in the podcast space, especially since podcasts have become so popular. It’s like the next frontier of negative guerrilla campaigns, and sabotaging of reviews.
Shelly Kramer: Yeah, you know, it was a really interesting article in The Verge on this topic, and we’ll include a link to this article in the show notes, but a lot of times, it’s angry fans.
Some of these podcasts they’ve bombed are of course, politically motivated, but some of them are just angry fans, and the power that people have on Instagram, on Facebook, on Twitter, when somebody says, “I’ve been done wrong in some way.” In some instances, fans just go crazy, and swarm, and do what they can, whether it’s leaving a negative podcast review, leaving a negative Amazon review, and it can really destroy people.
It can destroy their credibility. It can be emotionally very upsetting, and I think it’s indicative of the times in which we live today, that we have so much technology at our fingertips, and things that are really, really cool, and channels, and mediums that we can use to reach an audience, or to connect with other people, and it’s just a shame that it’s so easy to game those systems.
All right, well, now that we’ve talked about tech bites, we’re going to use this topic as our crystal ball topic, so, our predictions, what’s going to happen? What’s going to happen as it relates to podcasting, or some of these other things in the next few years, in the next five years? That seems such a long period of time these days, but what’s going to happen? What do you think, Olivier? What’s your crystal ball prediction?
Olivier Blanchard: Well, I think that’s one area where actually artificial intelligence and machine learning can get ahead of the problem. By setting some parameters, the algorithms can identify. You should be able to at least flag reviews that seem disingenuous, or that are too quick, or automated.
For example, the type of negative review that’s going to be less than five words, for instance. We’re already seeing those being implemented on certain platforms, might get flagged, and you might be required to add a little bit more context.
That’s one way that smart automation might be able to mitigate this type of problem, and not completely eliminate it, but at least mitigate it somewhat.
Shelly Kramer: Yeah, I agree with you. I think that, some of these instances are also happening, because somebody is smart enough to develop a coordinated attack, and some of this is just all automated, so technology being able to identify that, mitigate it, I think that we’ve seen a lot with Amazon, good and bad. Amazon has really, really cracked down on their … algorithms have become much, much more sophisticated, in terms of what they’re allowing, in terms of reviews, so I think that’s good.
Ron, what do you think?
Ron Westfall: Yeah, so this is like the downside of the flash mob application that was so popular a few years ago, and this is something that will be with us, regardless.
To Olivier’s point, it’s really about how can it be better contained, better managed, so that the worst, most egregious abuses aren’t unchecked? Definitely AI will be a part of this, but I also see blockchain as being a technology that can help alleviate some of the worst of abuse out there.
It’s a function of again, the trusted community capability. It’s enabling those who are part of a blockchain node, to have a confidence like, okay, whoever is positing this review is legit. I don’t have to think twice. I don’t have to think, okay, they’re here on behalf of somebody else, or again, they’re a part of that black hat operation.
It’ll become if not impossible, exceedingly different to game the system that way, so yeah, this is again, that five to 10-year timeframe. This is something that won’t be stalled overnight, and it will be an ongoing issue, into the foreseeable future.
However, the good news is, these capabilities will make a difference, and can provide a technological check on these abuses, beyond any possible regulatory provisions.
Shelly Kramer: Well, that’s something to look forward to. I know I do.
Well, I think that, that’s it. That’s a wrap for our Futurum Tech Podcast today, and Ron and Olivier, thank you so much for … as always, for showing up, and sharing your gray matter.
For our audience, thanks for listening, and be sure and click the subscribe button if you haven’t done that yet, and we’ll see you here again next time.
For more in-depth analysis, here are some recently published articles from the Futurum team related to these conversations:
Disclaimer: The Futurum Tech Podcast is for information and entertainment purposes only. Over the course of this podcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such.