
Never assume malice where ignorance and incompetence would suffice instead. Those two things are actually not the same thing at all, depending on how you define “willful.”


Yes, that is a good summary of Hanlon's Razor, a sort of corollary to Occam's Razor about not creating unnecessary entities in your conceptual models.

Hanlon's Razor is a good first approximation or initial approach to a situation, not the end of the discussion. There are many situations where incompetence may appear to be an explanation, but is in fact not the root cause, and may even be being actively used as a cover for malicious actions.

The point of the razor is that it is up to us to sort out the difference, not to just jump to a conclusion that it is malice, or that it is incompetence.

In this case, Amazon has had plenty of time, resources, and skilled people to see the need and implement an escalation & resolution pathway. That they have so persistently failed to do so for so long indicates a cause beyond mere incompetence. Even if they are not being as actively malicious as the malware distributors, they clearly and actively DGAF.


> That they have so persistently failed to do so for so long indicates a cause beyond mere incompetence.

So you are claiming that they have had so many opportunities to do the right thing, that they aren't merely incompetent, but are in bed with the evil doers? That would be a huge claim, to say the least.


There are many options between incompetence and being actually 'in bed with', which I read to mean 'knowingly cooperating with', the criminals.

The first example is that it's simply more profitable for them to turn a blind eye unless one of the relationships becomes a public problem. They wouldn't be actively aiding and abetting the crime, but neither are they stepping up to ensure that it isn't happening on their systems. It's being complicit several steps beyond incompetence, but not the same level as active cooperation.

And, considering that Amazon has no shortage whatsoever of funds and skilled people to prioritize anything they want to prioritize, I'd say more than sufficient time has passed that they're at least at something resembling this sort of willfully ignorant stage.


It's malice but from a different aspect; willful malice in the name of 'cost cutting'.


How many FTEs should they have dedicated to triaging security complaints from (relatively speaking) randos on the Internet about their customers?

Also, would you take that job?

Some poor support person probably got this and punted because they couldn't pattern match to something in their handbook.

For every thoughtful, detailed security report there are about 500 others that involve voices from appliances, self-xss, csrf on logout and 5G coronavirus. It is extremely difficult for L1 support to make sense of these. Having a support contract or attracting attention on the forums are decent ways to pop out from the background noise.


Not to worry, they'll replace their overworked human staff with sentiment analysis bots which will do an equally uneven job of sorting the wheat from the chaff, with even less hope of appeal.


Malice is the wrong term for it even if we accept the premise. (I do not but that is another can of worms.) Malice implies a desire to hurt people. It would be utilitarian callousness if anything, negligence if there were legal obligations shirked. There is no law against just poor customer service like being a jerk isn't illegal.


Never assume ignorance where greed would suffice.


Amazon could do it if they wished; they don't want to.


Never assume ignorance where a scumbag can take a new default level of societal ignorance and hide behind it....



