this post was submitted on 07 Apr 2024
265 points (100.0% liked)

Security


Confidentiality Integrity Availability

founded 4 years ago
[–] AmbiguousProps@lemmy.today 93 points 7 months ago (2 children)

As much as I hate them, this is likely because a customer misconfigured their bucket and not on Amazon.

[–] Tak@lemmy.ml 23 points 7 months ago

Just like when users get "hacked" a lot of the time it was just their own lack of security practices and not the service provider. Obviously there are exceptions and I hate defending tech giants but end users are often to blame.

[–] pop@lemmy.ml 1 points 7 months ago* (last edited 7 months ago) (2 children)

There's no reason for amazonaws.com to be on search engines at all, which is as simple as placing a robots.txt with a deny-all declaration. Then no user would have to worry about shit like this.

[–] Moonrise2473@feddit.it 8 points 7 months ago (1 children)

Who said that?

Many other customers instead want to get that; maybe they are hosting images for their website on S3, or other public files that are meant to be easily found.

If the file isn't meant to be public, then it's the fault of the webmaster who placed it on a public bucket or linked it somewhere in a public page.

Also: hosting files on Amazon S3 is super expensive compared to normal hosting, only public files that are getting lots of downloads should be using that. A document that's labeled for "internal use only" should reside on a normal server where you don't need the high speed or high availability of AWS and in this way you can place some kind of web application firewall that restricts access from outside the company/government.

For comparison, it's like taking a $5 toll road for just a quarter of a mile at 2 am. There's no traffic and you're not in a hurry; you can go local and save that $5.

[–] goferking0@lemmy.sdf.org 3 points 7 months ago

There's also the question of what happens if they just ignore the robots.txt file

[–] AmbiguousProps@lemmy.today 5 points 7 months ago

robots.txt doesn't have to be followed. It doesn't block crawling.

[–] reverendsteveii@lemm.ee 36 points 7 months ago

I work in a HIPAA-covered industry and if our AWS and GCP buckets are insecure that's on us. Fuck Amazon, but a hammer isn't responsible for someone throwing it through a window and a cloud storage bucket isn't responsible for the owner putting secret shit in it and then enabling public access.
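The thread's point is that the exposure comes from the bucket's own permissions, not from Amazon or from search engines. As an added example (not code from anyone in the thread), this audits a bucket policy document for statements that grant anonymous read access and shows how the account's Block Public Access setting overrides such a policy. The policy documents, bucket name and account id are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: an "internal use only" bucket whose policy grants anonymous read.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-internal-docs/*",
    }],
})

# Constructed sample: the same bucket, readable only by one IAM role (placeholder account id).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/DocsReader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-internal-docs", "arn:aws:s3:::example-internal-docs/*"],
    }],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" and {"AWS": "*"} both mean anyone, including unauthenticated requests.
    if principal == "*":
        return True
    return isinstance(principal, dict) and any("*" in _as_list(v) for v in principal.values())

def public_read_statements(policy_json):
    """Return Sids of Allow statements that let anonymous callers read objects or list the bucket.
    Statements carrying a Condition are skipped here; they still deserve a manual review."""
    findings = []
    for i, st in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")) or "Condition" in st:
            continue
        patterns = [a.lower() for a in _as_list(st.get("Action", []))]
        if any(fnmatchcase(act, pat) for act in ("s3:getobject", "s3:listbucket") for pat in patterns):
            findings.append(st.get("Sid", f"Statement[{i}]"))
    return findings

def bucket_is_public(policy_json, public_access_block):
    # RestrictPublicBuckets (part of S3 Block Public Access) ignores a public policy for anonymous access.
    if public_access_block.get("RestrictPublicBuckets"):
        return False
    return bool(public_read_statements(policy_json))
```

In practice the policy document and the Block Public Access configuration would come from the bucket's GetBucketPolicy and GetPublicAccessBlock responses, fed into these functions unchanged.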

[–] echo@lemmings.world 31 points 7 months ago

Amazon is only doing what someone told it to do. This is improper handling of documents and not a problem with Amazon itself.

[–] Septimaeus@infosec.pub 24 points 7 months ago (1 children)

Such examples of OpSec competence make it easy to dismiss the majority of government conspiracy theories IMHO.

[–] irmoz@reddthat.com 2 points 7 months ago* (last edited 7 months ago) (1 children)

Compartmentalisation helps

If no one actually knows the plan other than the guy in charge, no one can leak the plan:

An example of compartmentalization was the Manhattan Project. Personnel at Oak Ridge constructed and operated centrifuges to isolate uranium-235 from naturally occurring uranium, but most did not know exactly what they were doing. Those that knew did not know why they were doing it. Parts of the weapon were separately designed by teams who did not know how the parts interacted.

[–] Septimaeus@infosec.pub 1 points 7 months ago* (last edited 7 months ago)

True, and interesting since this can be used as a statistical lever to ignore the exponential scaling effect of conditional probability, with a minor catch.

Lemma: Compartmentalization can reduce, even eliminate, chance of exposure introduced by conspirators.

Proof: First, we fix a mean probability p of success (avoiding accidental/deliberate exposure) by any privy to the plot.

Next, we fix some frequency k~1~, k~2~, ... , k~n~ of potential exposure events by each conspirator 1, ..., n over time t and express the mean frequency as k.

Then for n conspirators we can express the overall probability of success as

1 ⋅ p^tk~1~^ ⋅ p^tk~2~^ ⋅ ... ⋅ p^tk~n~^ = p^ntk^

Full compartmentalization reduces n to 1, leaving us with a function of time only p^tk^. ∎

Theorem: While it is possible that there exist past or present conspiracies w.h.p. of never being exposed:

  1. they involve a fairly high mortality rate of 100%, and
  2. they aren’t conspiracies in the first place.

Proof: The lemma holds with the following catch.

(P1) p^tk^ is still exponential over time t unless the sole conspirator, upon setting a plot in motion w.p. p^t~1~k^ = p^k^, is eliminated from the function such that p^k^ is the final (constant) probability.

(P2) For n = 1, this is really more a plot by an individual rather than a proper “conspiracy,” since no individual conspires with another. ∎
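A worked instance of the lemma and catch (P1) above, added here and not part of the comment, using the comment's own symbols and a constructed set of values:

The product collapses to a single exponent because the exponents add and the mean frequency is k = (1/n) \sum_i k_i:

$$\prod_{i=1}^{n} p^{t k_i} = p^{\,t \sum_{i=1}^{n} k_i} = p^{\,n t k}$$

Taking p = 0.99 per exposure event, k = 1 event per month and t = 12 months:

$$n = 1:\quad p^{tk} = 0.99^{12} \approx 0.886, \qquad n = 20:\quad p^{ntk} = 0.99^{240} \approx 0.090$$

Under (P1), if the sole conspirator is eliminated once the plot is set in motion (t = 1), the factor stops growing and the probability of never being exposed stays at the constant $p^{k} = 0.99$, whereas the uncompartmentalized group keeps decaying as $p^{ntk}$ with every further month.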

[–] BoisZoi@lemmy.ml 23 points 7 months ago

I added more JPEG for OP:

[–] AceFuzzLord@lemm.ee 17 points 7 months ago (5 children)

Okay, the question I have is why any government from a developed country would ever use something like AWS, or anything that everyone can obtain access to, rather than making their own private solutions to these problems?

[–] hackerwacker@lemmy.ml 30 points 7 months ago (1 children)

It's easier to hire someone who knows aws than to train someone on your custom thing. I don't really agree, but that's mostly the reasoning.

[–] JDubbleu@programming.dev 2 points 7 months ago

Not to mention in house solutions are basically guaranteed to cost more than AWS to get something even close to as comparable. A basic service like Lambda is complex as fuck and has had billions of dollars poured into making it what it is today.

[–] v_krishna@lemmy.ml 14 points 7 months ago

Amazon has a government cloud offering https://aws.amazon.com/govcloud-us/

[–] lemmyreader@lemmy.ml 6 points 7 months ago

Another question could be: which developed country is not yet using the popular AWS already, and why?

For example: https://press.aboutamazon.com/2023/10/amazon-web-services-to-launch-aws-european-sovereign-cloud

Customers, AWS Partners, and regulators welcoming the new AWS European Sovereign Cloud include the German Federal Office for Information Security (BSI), German Federal Ministry of the Interior and Community (BMI), German Federal Ministry for Digital and Transport, Finland Ministry of Finance, National Cyber and Information Security Agency (NÚKIB) in the Czech Republic, National Cyber Security Directorate of Romania, SAP, Dedalus, Deutsche Telekom, O2 Telefónica in Germany, Heidelberger Druckmaschinen AG, Raisin, Scalable Capital, de Volksbank, Telia Company, Accenture, AlmavivA, Deloitte, Eviden, Materna, and msg group

[–] driving_crooner@lemmy.eco.br 5 points 7 months ago (1 children)

In Portuguese: https://www.serpro.gov.br/menu/noticias/noticias-2023/serpro-lanca-nuvem-de-governo

The Brazilian government launched its own cloud service to support the government agencies, with everything stored and administered in Brazilian territory, making it independent from private companies and international governments.

[–] lemmyreader@lemmy.ml 2 points 7 months ago

🎉 Hooray!

[–] golden_zealot@lemmy.ml 3 points 7 months ago

I expect the same reasons they're mostly all using Microsoft Office, Windows, and Active Directory. Because it's cheaper than doing it yourself.

[–] shininghero@kbin.social 12 points 7 months ago (3 children)

Aaand that search query got me some files with the top secret flag. Fortunately, they seem to be internal memos on things that are already known to the public, so nothing too immediately dangerous.

My big question is, why in the ever-loving fuck are these files outside of SIPRNET?

[–] GenderNeutralBro@lemmy.sdf.org 13 points 7 months ago

Cloud cloud cloud, cloudy cloud, cloudy cloudy cloud cloud.

-Management

[–] wizardbeard@lemmy.dbzer0.com 8 points 7 months ago

Contractors and third parties with security clearance. Did you really think any US government agency actually tightened things down properly after Snowden?

[–] jkrtn@lemmy.ml 4 points 7 months ago (2 children)

Is it illegal to have these, or is just distributing them illegal? I'm worried about the implications of you downloading, but it isn't like anyone will care.

As for how they got there, perhaps via scan-to-email from the Mar-a-Lago copy- and bathroom.

[–] wizardbeard@lemmy.dbzer0.com 4 points 7 months ago

This shit has been happening for far far longer than cheeto. It's bipartisan military organization incompetence, and the exact issue that allowed the Snowden leaks to occur.

[–] PsychedSy@lemmy.dbzer0.com 1 points 7 months ago

The markings tell people with clearance how to handle the documents more than anything else. You have no way of knowing if it's a legit marking.

[–] Finalsolo963@lemmy.blahaj.zone 7 points 7 months ago

What's the over-under on this being a honeypot?

[–] KSPAtlas@sopuli.xyz 2 points 7 months ago

Yeah, I saw this before.