531
submitted 7 months ago by lemmyreader@lemmy.ml to c/security@lemmy.ml
top 50 comments
sorted by: hot top controversial new old
[-] AmbiguousProps@lemmy.today 166 points 7 months ago

As much as I hate them, this is likey because a customer misconfigured their bucket and not on Amazon.

[-] Lucien@hexbear.net 24 points 7 months ago

Yeah, I work for a Federal agency, and I can confirm this is an extremely plausible situation. Was probably a contractor.

load more comments (1 replies)
[-] cybersandwich@lemmy.world 18 points 7 months ago

I have never configure s3 buckets for an enterprise personally, but I have used AWS for some personal projects. The control panel pretty clearly warns you if you try to open the bucket to the public. "This is unsafe. Everyone can see everything you idiot!"

They must be doing it through the CLI.

load more comments (4 replies)
[-] Cornelius_Wangenheim@lemmy.world 67 points 7 months ago* (last edited 7 months ago)

Documents marked "not for public release" aren't classified. They're what's called controlled unclassified information (CUI). It's anything from PII, law enforcement victim records to sensitive (but unclassified) technical manuals. There's dozens of categories if anyone cares to look at them: https://www.archives.gov/cui/registry/category-marking-list

They shouldn't be sitting out there, but it's also not a crime.

load more comments (7 replies)
[-] reverendsteveii@lemm.ee 61 points 7 months ago

I work in a HIPAA-covered industry and if our AWS and GCP buckets are insecure that's on us. Fuck Amazon, but a hammer isn't responsible for someone throwing it through a window and a cloud storage bucket isn't responsible for the owner putting secret shit in it and then enabling public access.

[-] zalgotext@sh.itjust.works 19 points 7 months ago

Yeah I hate Amazon as much as the next person, but this is a people/process problem, not an Amazon problem. Amazon doesn't know or care what you put into an AWS bucket (within reason, data tracking, etc, blah blah blah). People taking classified documents and uploading it to an Internet-connected cloud service is procedurally wrong on so many levels.

load more comments (3 replies)
load more comments (4 replies)
[-] echo@lemmings.world 60 points 7 months ago

Amazon is only doing what someone told it to do. This is improper handling of documents and not a problem with Amazon itself.

[-] Septimaeus@infosec.pub 55 points 7 months ago

Such examples of OpSec competence make it easy to dismiss the majority of government conspiracy theories IMHO.

[-] TankieTanuki@hexbear.net 10 points 7 months ago
[-] TheDoctor@hexbear.net 9 points 7 months ago

Basically “I can always tell” as an actually fallacy. Neat

[-] comfydecal@infosec.pub 4 points 7 months ago

Cool resource, thanks for the share!

[-] Septimaeus@infosec.pub 4 points 7 months ago* (last edited 7 months ago)

lol yes. But it’s not the regular evidence of shoestring infrastructure and lack of process that casts doubt on these grand conspiracies. It’s the diminishing conditional probability, over time, that they are somehow always the exception.

load more comments (3 replies)
[-] Maggoty@lemmy.world 10 points 7 months ago

I go back to the veteran comedian every time.

We can't even stop our privates from telling their stripper girlfriend about the mission they're going on the next day, and people think there's a giant conspiracy out there where nobody talks...

Then there's the Warrantless Wiretap program under the Bush Administration. Cheney kept the authorization memo in his personal lawyer's safe. Only 7 people knew it existed. Shit still leaked.

[-] Septimaeus@infosec.pub 5 points 7 months ago* (last edited 7 months ago)

Only 7. That’s perfect. I forget who said “three may keep a secret if two are dead” but of all the mustache twirling pricks in that admin, Cheney should have known.

Edit: it’s Ben Franklin’s joke, apparently. I doubt he’d mind.

[-] TheDoctor@hexbear.net 10 points 7 months ago

Legit, if you want to know if a conspiracy is true, just wait 20-50 years and the CIA will declassify the related documents. Most of them are open secrets that happen to be difficult to corroborate as they’re happening. Very few rely on outright secrecy. More just plausible deniability during the period where the public would be up in arms about it.

[-] nehal3m@sh.itjust.works 9 points 7 months ago

They dropped this to make themselves look incompetent!

[-] Septimaeus@infosec.pub 7 points 7 months ago

4D chess by the deep state!

[-] Gradually_Adjusting@lemmy.world 4 points 7 months ago

"No! This is not how the game is meant to be played."

[-] AcidLeaves@hexbear.net 5 points 7 months ago* (last edited 7 months ago)

Right, because people never make simple mistakes 🙄

People who get paid half a mill to code mess up basic stuf like this by accident all the time

[-] Septimaeus@infosec.pub 6 points 7 months ago

I mean, I agree with you. I’m not claiming “there are no good toupees.” I’m pointing to [the alopecia market] as evidence that [a pill to cure baldness] couldn’t be kept secret by the [shadowy cabal of elites with gorgeous hair] for very long.

load more comments (2 replies)
[-] cloud_herder@lemmy.world 39 points 7 months ago

To be fair, it’s probably more about the IT contractors and consulting firms that didn’t implement security policies or configurations correctly on the S3 buckets for the governments they’re working for. The AWS products aren’t opening up things to the public internet without auth. Which I bet most of you knew.

Example: Accenture left a trove of highly sensitive data on public servers (2017)

[-] BoisZoi@lemmy.ml 34 points 7 months ago

I added more JPEG for OP:

[-] shininghero@kbin.social 24 points 7 months ago

Aaand that search query got me some files with the top secret flag. Fortunately, they seem to be internal memos on things that are already known to the public, so nothing too immediately dangerous.

My big question is, why in the ever-loving fuck are these files outside of SIPRNET?

[-] GenderNeutralBro@lemmy.sdf.org 22 points 7 months ago

Cloud cloud cloud, cloudy cloud, cloudy cloudy cloud cloud.

-Management

load more comments (1 replies)
[-] wizardbeard@lemmy.dbzer0.com 13 points 7 months ago

Contractors and third parties with security clearance. Did you really think any US government agency actually tightened things down properly after Snowden?

[-] jkrtn@lemmy.ml 5 points 7 months ago

Is it illegal to have these or just distribution is illegal? I'm worried about the implications of you downloading but it isn't like anyone will care.

As for how they got there, perhaps via scan-to-email from the Mar-a-Lago copy- and bathroom.

[-] wizardbeard@lemmy.dbzer0.com 7 points 7 months ago

This shit has been happening for far far longer than cheeto. It's bipartisan military organization incompetence, and the exact issue that allowed the Snowden leaks to occur.

load more comments (2 replies)
load more comments (1 replies)
[-] AceFuzzLord@lemm.ee 21 points 7 months ago

Okay, the question I have, is why any government from a developed country would ever use something like AWS or something that everyone can obtain access to rather than making their own private solutions to these problems?

[-] hackerwacker@lemmy.ml 41 points 7 months ago

It's easier to hire someone who knows aws than to train someone on your custom thing. I don't really agree, but that's mostly the reasoning.

[-] JDubbleu@programming.dev 5 points 7 months ago

Not to mention in house solutions are basically guaranteed to cost more than AWS to get something even close to as comparable. A basic service like Lambda is complex as fuck and has had billions of dollars poured into making it what it is today.

[-] v_krishna@lemmy.ml 27 points 7 months ago

Amazon has a government cloud offering https://aws.amazon.com/govcloud-us/

[-] lemmyreader@lemmy.ml 6 points 7 months ago

Another question could be : which developed country is not yet using the popular AWS already and why ?

For example : https://press.aboutamazon.com/2023/10/amazon-web-services-to-launch-aws-european-sovereign-cloud

Customers, AWS Partners, and regulators welcoming the new AWS European Sovereign Cloud include the German Federal Office for Information Security (BSI), German Federal Ministry of the Interior and Community (BMI), German Federal Ministry for Digital and Transport, Finland Ministry of Finance, National Cyber and Information Security Agency (NÚKIB) in the Czech Republic, National Cyber Security Directorate of Romania, SAP, Dedalus, Deutsche Telekom, O2 Telefónica in Germany, Heidelberger Druckmaschinen AG, Raisin, Scalable Capital, de Volksbank, Telia Company, Accenture, AlmavivA, Deloitte, Eviden, Materna, and msg group

[-] psmgx@lemmy.world 5 points 7 months ago

Cloud presents several advantages,and GovCloud is a thing.

Like, Amazon has SCIF cloud offerings. These leaks were cuz some dumbass contractor exposed a repo to the internet

[-] golden_zealot@lemmy.ml 4 points 7 months ago

I expect the same reasons they're mostly all using Microsoft Office, Windows, and Active Directory. Because it's cheaper than doing it yourself.

load more comments (5 replies)
[-] OrlandoDeCabron@hexbear.net 19 points 7 months ago

Went and looked at the documents that show up, both are on "russian hacking". 100% honey pot if I've ever seen one.

[-] AffineConnection@lemmy.world 18 points 7 months ago

So many of the results I see are incredibly obvious fakes.

[-] Finalsolo963@lemmy.blahaj.zone 10 points 7 months ago

What's the over-under on this being a honeypot?

[-] MetaCubed@lemmy.world 6 points 7 months ago* (last edited 7 months ago)

My bets are on ~~"cloud infrastructure is bad for highly secret information" rather than "public web honeypot with zero obfuscation"~~ Edit: likely fake. The sensationalist in me would love it if this was real because it would confirm my "cloud storage bad" biases, but alas, the document markings dont appear to be consistent with my understanding of official US Government confidentiality/secrecy markings

load more comments (2 replies)
[-] JonsJava@lemmy.world 7 points 7 months ago* (last edited 7 months ago)

In their defense:

load more comments
view more: next ›
this post was submitted on 07 Apr 2024
531 points (95.9% liked)

Security

5041 readers
4 users here now

Confidentiality Integrity Availability

founded 5 years ago
MODERATORS