WYSK: 03/25/22

This Week: 1. Quitting Prime; 2. Gas Prices; 3. ICS Security; 4. Lapsus$

WYSK: 03/25/22

What you should know from the week of 03/25/22:

  • Quitting Prime: Why "customer obsession" isn't necessarily a virtue;
  • Gas Prices: Rising gas prices provide insights into
  • ICS Security: The White House issues warnings on ICS security;
  • Lapsus$: Terrorized by a 16yr old: Okta and Microsoft breached by Lapsus$ extortion gang, and alleged "mastermind" is arrested.

Quitting Prime:

Amazon used a sneaky tactic to make it harder to quit Prime and cancellations dropped 14%, according to leaked data
Amazon intentionally drew out the process of canceling a Prime membership with layers of confirmations and prompts, internal documents show.

Amazon's focus on "customer obsession" has earned them much praise, and even helped them avoid antitrust lawsuits. However, customer obsession is not the same as customer care, focusing more on possession of the customer:

Amazon intentionally drew out the process of canceling a Prime membership under a project code-named "Iliad," according to internal documents obtained by Insider.

Hannah Towey and Eugene Kim's article walks through the onerous process a user has to go through to cancel a prime subscription.

To my knowledge, use of dark patterns like this is not illegal. But it is indicative of an anti-consumer mindset that seeks to override a customer's expressed desire in order to increase profits.

Gas Prices:

Here’s What’s Really Behind Skyrocketing Gas Prices
Oil and gas executives are cashing in on Russia’s war and using it to boost their bottom line at the expense of working class Americans.

High gas prices are hurting Americans (and basically the rest of the world as well, but this is an American-targeted article). These prices are frequently reported as being tied to Russia's (a major energy exporter) invasion of Ukraine, but More Perfect Union notes that these high prices aren't as simple as they seem.

Even before Russia invaded Ukraine, Big Oil giants Shell, Chevron, BP, and Exxon were taking advantage of inflated prices to make a combined $75.5 billion in profits.

The article quotes energy executives noting their record profits:

“Now extraordinary times call for extraordinary measures and we made 2021 a momentous year for Shell,” Shell CEO Ben van Beurden said recently.
“We have more cash than we know what to do with,” Murray Auchincloss, BP Chief Financial Officer told investors.

On a recent earnings call, Shell told stockholders, “Our Adjusted Earnings were some $19 billion for the year.”

“We expect to generate over $100 billion in excess cash,” Exxon Mobil CFO Kathy Mikells said during an investor presentation in March.

Chevron is also making record profits: “By the end of 2021, we had one of our most successful years ever… “Full year earnings were over $15 billion, the highest since 2014.”

Particularly egregiously, More Perfect Union notes that:

Exxon knowingly violated sanctions on Russia to work with Russian state-owned oil company Rosneft on oil and gas projects.

And addresses revelations from Exxon's lobbying I wrote on back in July.

Robinson Meyer in The Atlantic also wrote this week on US energy issues, where he notes that Saudi Arabia is markedly not living up to their part of the 1945 deal between the US and Saudi Arabia where the US guaranteed Saudi security in return for oil.

What about asking Saudi Arabia to drill more? Well, the White House actually did ask last summer, long before the war began. The Saudis declined. That relationship has frayed partially because of our new status as a major oil producer. The U.S. is no longer just Saudi Arabia’s largest customer; it is also the kingdom’s largest competitor. Today, Saudi leaders won’t even take Joe Biden’s calls.

And Meyer ends with a grim warning:

The most likely outcome is that nothing changes. The United States will take its oil and let it fetch the highest price on the world market. The dissipation of America’s natural resources will continue, and we’ll muddle through, safe in the belief that nothing too bad could really happen. We might be all right for a while, until we aren’t.

ICS Security:

Statement by President Biden on our Nation’s Cybersecurity | The White House
This is a critical moment to accelerate our work to improve domestic cybersecurity and bolster our national resilience. I have previously warned

The White House issued vague warnings about Industrial Control System security this week:

...I have previously warned about the potential that Russia could conduct malicious cyber activity against the United States...Today, my Administration is reiterating those warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks.

This announcement was bolstered by some releases from CISA on "Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector," as well as a report suggesting that some Russian threat actors were scanning some US energy systems.

While this news is not very data-dense, it is significant in that the White House is suggesting that Russia could commence cyberattacks against US critical infrastructure.


Lapsus$: Oxford teen accused of being multi-millionaire cyber-criminal
Police say they’ve arrested seven teenagers as part of their investigation into a hacking group.

Lapsus$ is relatively new but has become one of the most talked about and feared hacker cyber-crime gangs, after successfully breaching major firms like Microsoft and then bragging about it online.

Unlike many criminal hacking gangs, Lapsus$ does not rely on deploying ransomware, but rather breaches companies and extorts them by threatening to release damaging information unless they are paid.

The news broke this week that Lapsus$ had hacked Okta, a widely-used Identity and Access Management company (a provider of authentication and security services), as well as Microsoft.

Additionally this week, UK police claim to have arrested several of the group. They aren't your usual  batch of criminals:

A 16-year-old from Oxford has been accused of being one of the leaders of cyber-crime gang Lapsus$.
City of London Police said: "Seven people between the ages of 16 and 21 have been arrested in connection with an investigation into a hacking group. They have all been released under investigation. Our inquiries remain ongoing."

There are lots of takeaways from this, but I'll limit myself to one that is really striking me: companies talk a big game about protecting customers from all sorts of "advanced" attackers—conjuring an image of shadowy and hardened criminals or intelligence agencies. Too often, though, it ends up just being a bunch of bored 16-year olds with poor decision-making abilities.

We need to incentivize better security. And we need to provide a better and more appealing future for the next generation.

Have you liked this content and want more? Subscribe today!

Interest piqued? Disagree? Reach out to me at TwelveTablesBlog [at] protonmail.com with your thoughts.

Photo by Tamara Gak on Unsplash