BRAiN Blog

Camembert

Sepp Jeremiah Morris -

translated to english, from my CV Website

(Because of NDA guidelines I have to be a bit broader and less specific.)

I normally never write about my jobs, but this time I’m making an exception.

The systems we worked on were so‑called “Secure Devices.” These machines were locked down so hard that they could only run a handful of approved programs. Nice for security—terrible for showing off any bonus skills. In other words, outside our regular workload we had zero room to shine … and this inside a company that drills the Leadership Principles into you on day one!

Invent and Simplify

I wasn’t having it. Our department had only just launched when I arrived, so I rolled up my sleeves right away: I built an offline toolbox that gave my teammates the freedom—and the power—to excel. With it we could finally deploy those extra talents for the Amazons benefit. Looking back, it was a brilliant move, even if it cost me a stack of after‑hours work on top of a full‑time job—and all without compromising security.

Frugality

One of the most‑used (and officially approved) tools was an AutoHotkey script—simple, brutally effective automation for repetitive tasks. A colleague and I drafted and coded it together. Result: a 33.92 % improvement in average handling time. I even got an accolade for it. The numbers were measured across all dutch teams, comparing the week before and the week after launch; roughly 80 % of collegueas used the tool every day.

Security I

The first security concern I flagged to management was on the original systems themselves. After a few tests I managed to open a two‑way connection to the outside world… which I routed only to one of my own servers at home so nothing unsafe could leak. I won’t share the details of that internal exploit here—there’s a chance it might still work—but I documented everything and passed it to my superiours. To my disbelief, nothing was done. And this after Amazon had put so much effort into hermetically sealing those machines.

Security II — Learn and Be Curious?

I got added to an internal group called “Champions.” Supposedly the best Associates in EMEA—frankly, I found the concept a bit cringey. I was also drafted as a tester for the new systems, advertised as more secure and more capable than the old ones. Spoiler: functionality actually took a dive. Yet after a few tweaks all my tools ran fine on the new boxes.

Curiosity kicked in, so I started poking around the new environment—and wow, what a nightmare. I’m no battle‑hardened security guru, but this thing had more holes than a rust‑eaten bucket. Classic hack job. Nowhere near production‑ready. With a three‑line script of my own I bypassed the signature check on the updater. That’s just one example I handed to the engineers. Background processes were running with full‑system access and most of them could be hijacked by just glancing at them.

In a meeting an engineer told me, “Oh no no no! That should not be possible! Thank you, Mr Morris.” Everything would be fixed before worldwide rollout, he assured me. Never heard back. But trust me: those boxes are less secure than the previous ones. As the saying goes, if it ain’t broke, why “replace” it?

OPVA

My final project, OPVA (Open Van Dale Alternative), never got finished. It was meant to be our internal spell‑check solution; the workstations only had a partial English checker. My new database and tool would have provided an offline spell‑checker on the spot—vital under our security policy. In the end I simply opened the database to everyone: https://opva.nl.

That was my answer to the proposal that we had to use physical dictionaries.

END

Can’t say much about the ending. I’d have liked to stay longer at Amazon, but our department was trimmed down hard. Downside of a one‑year contract during a cost‑cutting spree…

admin access?