• Episode 5: It's a Dumpster Fire
    Dec 2 2025

    It's now six or seven weeks since we went public following Steven J. Vaughan-Nichols, the world famous trusted and lauded US technology editor, in his story about my having been hacked and stalked using Amazon Fire devices.


    Now that nearly 100k people have downloaded and listened to Episodes 1-4, we have further disclosure that has been made available by folk within Amazon and also software engineers in the community regarding Amazon having been aware of issues with SLO / SSO and security issues with FireOS 5.x - 7.x during the period 2017 to 9th June 2023 when it was finally patched.


    And a county police force in the UK, Wiltshire Police, now look extremely lax, naive, inexperienced and they should be very, very embarrassed.


    I am meeting with them and their Digital Forensic Team (finally) in the next few weeks. They should be humble, embarrassed and ashamed of what a shower of shit they are. I look forward to the Chief Constable of Wiltshire releasing a public facing apology before Christmas and I look forward to and fully expect interim damages from Wiltshire Police for their failures.


    Episode 6 out soon.

    1 hr and 4 mins
  • Episode 4: Ethical People do exist at Amazon
    Oct 8 2025

    There are good people in the world. Ethical folk who are engineers and programmers, programme leads and operational staff. Often they are managed by those who play the angles. Who would rather the bad news never saw the light of day.


    But when you're an SEC listed company, fined days prior by the US Department of Justice and the FTC for a smaller breach than the one you've just had walked in the door that now affects the legacy privacy of tens of millions of devices in the field then you have an absolute responsibility to communicate to your users.


    In fact the DoJ ruling stated that Amazon was ordered to "notify users of its retention and deletion practices and controls;". Immediately two major vulnerabilities which impacted that ruling were on the desk of the Head of Security regarding retention of data and privacy and cached credentials allowing a device to become a trusted hardware token.


    With the fourth major bug being the fact that software flaws in Cloudview and logging meant you were unable to deregister Kids Fire devices at all from the Web UI.


    So what happens when someone blows the whistle when Amazon tried to cover all this up ???


    Decent people do exist. Shame Amazon can't keep hold of them. Maybe they should send him a stock award and an apology.


    39 mins
  • Episode 3: Setting Fire to Security Basics
    Oct 8 2025

    So knowing for absolute fact that I am the subject of industrial scale stalking and hacking, the devices left with my ex-wife being subject to the flaws and bugs relating to cached credentials and the Amazon Photo and Amazon Alexa lack of forced authentication (alongside an aged device logging bug), I was determined to engage with Amazon properly. Engaging with the Head of Security at Amazon and Ring in Seattle one on one. With live data supplied from Cloudwatch, the immutable tamperproof platform that Amazon use to log all retail and operational activity.


    I had no idea the storm that was about to break. But it's enough to put a Devizes girl in prison.

    24 mins
  • Episode 2: Don't Play With Fire
    Oct 6 2025

    Amazon FireOS is a fork of stock Android. And what must be remembered is that it has to support a lot of software repos and a lot of older libraries. However Amazon not licensing Android from Google and not partaking in the Play ecosystem is one matter. Amazon have only got to support a limited range of graphics chipsets and a limited range of hardware mainboards so it's NOT a lot of work. There are mainstream open source Linux distributions supporting PPC, Intel and ARM who have to do a lot more work than Amazon.


    Amazon FireOS tablets have always been two to three distributions behind Google. Have always failed to have security standards aligned with Google. No file encryption or SD card encryption. No Knox equivalent etc. So you'd expect if you have older stable dev trees that you would take security and privacy seriously.


    I proved categorically that Amazon did no such thing.

    33 mins
  • Episode 1: Into The Fire
    Oct 5 2025

    In 2022/23 I discovered major discrepancies in the data I had been sent by Amazon regarding two tablets bought for my children in 2017. This followed a contentious toxic divorce and my suspicion that the tablets had been used by my ex-wife to stalk, monitor, eavesdrop and to gain unlawful access to documents, photos, audio, contact information and location information during 2018 to 2020.


    But I couldn't work out how as I'd changed passwords religiously. I had two factor authentication.


    It surely wasn't possible that an attack vector could be the two tablets, the cheapest plastic technology we owned.


    Imagine my horror when I discovered four major bugs in FireOS and in the design and architecture of Fire operations.

    43 mins