Locked Down - The Security Podcast

Locked Down - Episode 8 - ZoneFox the best startup you’ve never heard of

I mentioned ZoneFox in my column on TheStack yesterday. Well I think it's time you heard them talk. They are an ethical and hugely talented startup in Scotland. I really hope they are NOT acquired soon. I think being acquired could be the dumbest thing they could do unless it was on the promise of their product and futures being assured. This technology, and I am really hard to impress, is one of the diamonds of RSAConference this year. Sadly 99.8% of the people attending will come away without ever hearing of it. So let's do something about that. Listen to this show because if you are a developer or a company executive you're going to come away thinking - I want or need this product. It's THAT good.

More episodes

  • 1. Episode 24 - The Amazon Fire Tablet Security Breach Issue - why the cover up ?

    01:21:51 | Season 2, Ep. 1
    In 2022/3 I discovered that I had been the victim of complex repeat pattern digital offending by partie(s) using Amazon Kindle Fire tablets to access my personal privileged data, application data, images, contact data, Prime video and shopping data, Alexa logs and voice data. On discovering the depth of the hack I immediately contacted Amazon in the US as would be the norm as an ethical hacker to give full disclosure. I spoke to Amazon's Principal Engineer who arranged meetings with the Head of Amazon Security for devices and a three hour meeting ensued. Logged access to the hack data was provided and from that a workflow followed to patch major huge vulnerabilities in the Amazon Fire Kindle ecosystem. These had come from poor design planning of the Kindle's authentication model, device provisioning and API model and the lack of communication between device management folk and the user experience team. Amazon had time and grace to get these fixed, alongside two other issues which remain unfixed (including a huge privacy breach in the Amazon Echo range of products that is still unpatched as of June 12th 2025). I am giving Amazon 90 days from today to fix that or I will go public with that matter and the fallout from that could be even bigger than the issues with the bugs and holes I came to Amazon with in summer 2023. I am aware from an internal whistleblower at the highest level in Amazon whose messages and recorded audio I retain, of procedures and practices that do not paint Amazon in a good light took place in the weeks after I gave full disclosure to Amazon's Head of Security. I am also very aware of pressure placed on a major US news publishing company to not run the story (see the link https://practical-tech.com/2023/06/13/how-an-amazon-fire-kids-tablet-was-allegedly-used-to-stalk-a-security-pro/ where part of the story in sanitised format was published).
    However, this is a major vulnerability that Amazon chose not to communicate to end users, end users where the devices were in the hands of children and vulnerable adults globally. Where Amazon did not release changelogs or security errata or any CVE data. Which just looks like you're trying to make sure as few people as possible know. Additionally Amazon did not publish the risks of this and also the wider definition of the huge problem and the consequences of that issue to the Security Exchange Commission (the SEC) in their 10Q and 8Q filings. And have never sought to do so. Amazon have failed to answer emails and messages since Steven J. Vaughan-Nichols, one of the world's foremost respected technology journalists, ran the story. I've asked the Head of Amazon Security repeatedly to jump in. He's chosen not to do so. I've reached out to Amazon's Investor Relations and they have a responsibility, at the earliest opportunity to now engage with the SEC to explain the conduct of Amazon in misleading the markets and also not taking the opportunity to engage with end users especially those where these bugs and vulnerabilities that were used to attack myself, my children and my family and people in my homes, vehicles, and my office (by virtue of Alexa being my default assistant on my phone). And Amazon having failed to live up to the expectations of the community and their customers whose privacy and safety they failed to take seriously. Yet when a globally respected security author, friend of Amazon, journalist and podcaster comes to you with actual evidence of domestic abuse perpetuated using your technology you circle the wagons and hope it goes away. Listen in, I think we can establish that was not the best course of action.
  • Locked Down - Ep 23 - Bill Thompson of the BBC talks Digital Transformation

    23:16
    This show was recorded INSIDE BBC Broadcasting House in Central London interviewing the amazing Bill Thompson for a second time. We talk about digital transformation, digital rights, security of data and reputation. Recorded live on the studio floor of the BBC Science team responsible for BBC Click. Brought to you by Voxiferi Broadcasting
  • Locked Down - Episode 4 - Lance James of Flashpoint talks to Richard at The Moscone

    15:56
    Sat down with me today is Lance James, Chief Scientist at Flashpoint. Flashpoint are probably THE guys to go to when you think about emerging threat. If you've seen Mr Robot, Flashpoint is about as close to that as it gets, except real world. Threat identification, planning and looking at emerging threat globally, looking at terrorist threat, cyber terrorism, ransomware etc. Lance is a good friend and I always panic before recording as he and I will laugh like drains if allowed. Lance is the author of "Phishing Exposed", former Deloitte, working with CBC, CNN, the BBC, the David Lawrence Show, ZDNet, Wired News, CSO, USA Today, Fox News, and the Washington Post and now seen live on US TV as a security anchorman. He's also my drinking buddy.
  • Locked Down - Episode 5 - Todd Inskeep of the RSAC Committee

    12:41
    The RSA Conference organising committee do an amazing job every year to spend 365 days putting together the best conference they can and the continual planning for other geographic RSA events. I'm joined on the show by Todd Inskeep and he and I detail why attending RSA, being an exhibitor or an attendee is so vital to be taken credibly and to increase your chances of succeeding in security or dealing with emerging threat.
  • Locked Down - Episode 6 - Jim Reavis Cloud Security Alliance

    16:17
    Jim Reavis is one of my trusted long-term friends in the world of security. He has built up with tenacity the global presence of the CSA and worked hard to ensure that tools that have come out of CSA have slowly but surely affected the way governments understand threat.
  • Locked Down - Episode 9 - Nuix make "Person of Interest" a reality

    08:43
    Ever seen the thriller series "Person of Interest"? In the show an overarching computer called "The Machine" knows and sees everything. Nuix, an Australian company staffed by former military intelligence staffers, has produced just that. Keith and I discuss.
  • Locked Down - Episode 10 - Bastille, those clever IoT security guys

    17:05
    Bastille-Networks are clever folk. They are in the top three IoT security companies on the planet and Marc Newlin is a smart engineer. Listen in, because there is a vulnerability he has discovered which should concern us all. I'm not going to spoil this - Go listen....