• AmbiguousProps@lemmy.today
    link
    fedilink
    English
    arrow-up
    169
    arrow-down
    2
    ·
    8 months ago

    As much as I hate them, this is likey because a customer misconfigured their bucket and not on Amazon.

    • Tak@lemmy.ml
      link
      fedilink
      arrow-up
      60
      ·
      8 months ago

      Just like when users get “hacked” a lot of the time it was just their own lack of security practices and not the service provider. Obviously there are exceptions and I hate defending tech giants but end users are often to blame.

    • cybersandwich@lemmy.world
      link
      fedilink
      arrow-up
      18
      ·
      8 months ago

      I have never configure s3 buckets for an enterprise personally, but I have used AWS for some personal projects. The control panel pretty clearly warns you if you try to open the bucket to the public. “This is unsafe. Everyone can see everything you idiot!”

      They must be doing it through the CLI.

    • pop@lemmy.ml
      link
      fedilink
      arrow-up
      4
      arrow-down
      16
      ·
      edit-2
      8 months ago

      There’s no reason for amazonaws.com to be on search engine at all. Which is just as simple as placing a robots.txt with deny all declaration. Then no user would have to worry about shit like this.

      • Moonrise2473@feddit.it
        link
        fedilink
        arrow-up
        13
        ·
        8 months ago

        Who said that?

        Many other customers instead want to get that, maybe they are hosting images for their website on S3, or other public files that are meant to be easily found

        If the file isn’t meant to be public, then it’s the fault of the webmaster which placed it on a public bucket or linked somewhere in a public page

        Also: hosting files on Amazon S3 is super expensive compared to normal hosting, only public files that are getting lots of downloads should be using that. A document that’s labeled for “internal use only” should reside on a normal server where you don’t need the high speed or high availability of AWS and in this way you can place some kind of web application firewall that restricts access from outside the company/government.

        For comparison, it’s like taking a $5 toll road for just a quarter of mile at 2 am. There’s no traffic and you’re not in hurry, you can go local and save that $5

  • Cornelius_Wangenheim@lemmy.world
    link
    fedilink
    arrow-up
    67
    ·
    edit-2
    8 months ago

    Documents marked “not for public release” aren’t classified. They’re what’s called controlled unclassified information (CUI). It’s anything from PII, law enforcement victim records to sensitive (but unclassified) technical manuals. There’s dozens of categories if anyone cares to look at them: https://www.archives.gov/cui/registry/category-marking-list

    They shouldn’t be sitting out there, but it’s also not a crime.

    • Liz@midwest.social
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      1
      ·
      edit-2
      8 months ago

      The first result I got was labeled “classified: top secret - not for public release” so the label is more broadly applied than just CUI. my assumption that the document was legit was wrong.

          • Rivalarrival@lemmy.today
            link
            fedilink
            English
            arrow-up
            4
            ·
            edit-2
            8 months ago

            In a properly classified document, each paragraph will be preceded by a “portion marking” indicating the level of classification and possibly compartmentalization. For example, the “(U)” in this quote, indicating the paragraph is Unclassified.

            (U) Lorem ipsum dolor sit amor consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.

            A Top Secret document would have one or more portions with a “(TS)”

            (TS) Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.

            Additionally, an “overall classification marking” is also required. This is a marking at the top and bottom of every page of the document, providing the overall classification (and compartmentalization) of the document, even if all the portions on that particular page are unclassified. “TOP SECRET” at the top and bottom of the page.

            Finally, the document needs a classification authority block, indicating who classified the document, why it was classified, and when it should be declassified.

            The absence of portion markings, overall markings, and classification block, or misuse of any (“Not for public release”) is a good indication that the document is fake.

  • Alien Nathan Edward@lemm.ee
    link
    fedilink
    English
    arrow-up
    61
    ·
    8 months ago

    I work in a HIPAA-covered industry and if our AWS and GCP buckets are insecure that’s on us. Fuck Amazon, but a hammer isn’t responsible for someone throwing it through a window and a cloud storage bucket isn’t responsible for the owner putting secret shit in it and then enabling public access.

    • zalgotext@sh.itjust.works
      link
      fedilink
      arrow-up
      19
      ·
      8 months ago

      Yeah I hate Amazon as much as the next person, but this is a people/process problem, not an Amazon problem. Amazon doesn’t know or care what you put into an AWS bucket (within reason, data tracking, etc, blah blah blah). People taking classified documents and uploading it to an Internet-connected cloud service is procedurally wrong on so many levels.

        • zalgotext@sh.itjust.works
          link
          fedilink
          arrow-up
          7
          ·
          8 months ago

          No, it literally cannot be both, full stop. There should rigorous, well defined procedures and processes for handling classified data, and chiefly among those should be something along the lines of “don’t upload classified documents to a publicly-available internet-connected location/service/filestore/etc”. If it’s not, a security officer has not done their job.

        • nxdefiant@startrek.website
          link
          fedilink
          arrow-up
          1
          ·
          8 months ago

          The north east US is dotted with high (physical) security Amazon data centers . I promise those aren’t hosting files you can search Google for, if you know what I mean.

    • dejected_warp_core@lemmy.world
      link
      fedilink
      arrow-up
      2
      ·
      edit-2
      8 months ago

      What kills me about S3 is that the use cases for publicly accessing S3 contents over HTTP have got to be vanishingly small compared to every other use of the service. I appreciate there’s legacy baggage here but I seriously wonder why Amazon hasn’t retired public S3 and launched a distinct service or control for this that’s harder to screw up.

      • capital@lemmy.world
        link
        fedilink
        arrow-up
        6
        ·
        8 months ago

        Public access is disabled by default and it warns you when you enable it. How much more idiot proof does it need to be?

        • dejected_warp_core@lemmy.world
          link
          fedilink
          arrow-up
          1
          ·
          8 months ago

          Honestly, I’m for removing the option and moving that “feature” somewhere else in AWS entirely. And those warnings aren’t really a thing when using IaC. Right now it’s still a “click here for self harm” button, even with the idiot proofing around it.

  • echo@lemmings.world
    link
    fedilink
    arrow-up
    60
    ·
    8 months ago

    Amazon is only doing what someone told it to do. This is improper handling of documents and not a problem with Amazon itself.

  • Septimaeus@infosec.pub
    link
    fedilink
    arrow-up
    55
    ·
    8 months ago

    Such examples of OpSec competence make it easy to dismiss the majority of government conspiracy theories IMHO.

    • Maggoty@lemmy.world
      link
      fedilink
      arrow-up
      10
      ·
      8 months ago

      I go back to the veteran comedian every time.

      We can’t even stop our privates from telling their stripper girlfriend about the mission they’re going on the next day, and people think there’s a giant conspiracy out there where nobody talks…

      Then there’s the Warrantless Wiretap program under the Bush Administration. Cheney kept the authorization memo in his personal lawyer’s safe. Only 7 people knew it existed. Shit still leaked.

      • Septimaeus@infosec.pub
        link
        fedilink
        arrow-up
        5
        ·
        edit-2
        8 months ago

        Only 7. That’s perfect. I forget who said “three may keep a secret if two are dead” but of all the mustache twirling pricks in that admin, Cheney should have known.

        Edit: it’s Ben Franklin’s joke, apparently. I doubt he’d mind.

      • Septimaeus@infosec.pub
        link
        fedilink
        arrow-up
        4
        ·
        edit-2
        8 months ago

        lol yes. But it’s not the regular evidence of shoestring infrastructure and lack of process that casts doubt on these grand conspiracies. It’s the diminishing conditional probability, over time, that they are somehow always the exception.

          • Septimaeus@infosec.pub
            link
            fedilink
            arrow-up
            4
            ·
            edit-2
            8 months ago

            If we flip a fair coin once, the odds of not getting tails is 50%. If we flip twice, the odds diminish to 25%. Flip 20 times, the odds diminish to 0.000001%.

            This is the conditional probability that makes the concealment of large and/or longterm conspiracies implausible: we say that the odds of getting heads on the 100th toss, conditioned on the probability of having already gotten heads 99 times, is less than a billion billion billion to one.

            And the grander the conspiracy, i.e. the more individuals involved, the more “coin flips” regularly occur, and the faster these infinitesimal odds are reached — hence the expression “too many minions spoil the plot.”

            So while mistakes are indeed unsurprising, the fact that none have ever uncovered big old conspiracies (especially the likes of flat earth, fake moon landing, aliens, etc.) suggests the odds of their veracity are, at this point, vanishingly small.

            • TankieTanuki [he/him]@hexbear.net
              link
              fedilink
              English
              arrow-up
              1
              ·
              8 months ago

              Gotcha.

              I think it’s important to agree on a definition of “conspiracy theory” and also on what qualifies as spoiling or revealing the plot in these discussions. Otherwise we’re probably talking about different things.

    • TheDoctor [they/them]@hexbear.net
      link
      fedilink
      English
      arrow-up
      10
      ·
      8 months ago

      Legit, if you want to know if a conspiracy is true, just wait 20-50 years and the CIA will declassify the related documents. Most of them are open secrets that happen to be difficult to corroborate as they’re happening. Very few rely on outright secrecy. More just plausible deniability during the period where the public would be up in arms about it.

    • AcidLeaves [he/him, he/him]@hexbear.net
      link
      fedilink
      English
      arrow-up
      8
      arrow-down
      3
      ·
      edit-2
      8 months ago

      Right, because people never make simple mistakes 🙄

      People who get paid half a mill to code mess up basic stuf like this by accident all the time

      • Septimaeus@infosec.pub
        link
        fedilink
        arrow-up
        6
        ·
        8 months ago

        I mean, I agree with you. I’m not claiming “there are no good toupees.” I’m pointing to [the alopecia market] as evidence that [a pill to cure baldness] couldn’t be kept secret by the [shadowy cabal of elites with gorgeous hair] for very long.

    • irmoz@reddthat.com
      link
      fedilink
      arrow-up
      2
      ·
      edit-2
      8 months ago

      Compartmentalisation helps

      If no one actually knows the plan other than the guy in charge, no one can leak the plan:

      An example of compartmentalization was the Manhattan Project. Personnel at Oak Ridge constructed and operated centrifuges to isolate uranium-235 from naturally occurring uranium, but most did not know exactly what they were doing. Those that knew did not know why they were doing it. Parts of the weapon were separately designed by teams who did not know how the parts interacted.

      • Septimaeus@infosec.pub
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        8 months ago

        True, and interesting since this can be used as a statistical lever to ignore the exponential scaling effect of conditional probability, with a minor catch.

        Lemma: Compartmentalization can reduce, even eliminate, chance of exposure introduced by conspirators.

        Proof: First, we fix a mean probability p of success (avoiding accidental/deliberate exposure) by any privy to the plot.

        Next, we fix some frequency k1, k2, … , kn of potential exposure events by each conspirators 1, …, n over time t and express the mean frequency as k.

        Then for n conspirators we can express the overall probability of success as

        1 ⋅ ptk~1~ ⋅ ptk~2~ ⋅ … ⋅ ptk~n~ = pntk

        Full compartmentalization reduces n to 1, leaving us with a function of time only ptk. ∎

        Theorem: While it is possible that there exist past or present conspiracies w.h.p. of never being exposed:

        1. they involve a fairly high mortality rate of 100%, and
        2. they aren’t conspiracies in the first place.

        Proof: The lemma holds with the following catch.

        (P1) ptk is still exponential over time t unless the sole conspirator, upon setting a plot in motion w.p. pt~1~k = pk, is eliminated from the function such that pk is the final (constant) probability.

        (P2) For n = 1, this is really more a plot by an individual rather than a proper “conspiracy,” since no individual conspires with another. ∎

  • shininghero@kbin.social
    link
    fedilink
    arrow-up
    25
    arrow-down
    1
    ·
    8 months ago

    Aaand that search query got me some files with the top secret flag. Fortunately, they seem to be internal memos on things that are already known to the public, so nothing too immediately dangerous.

    My big question is, why in the ever-loving fuck are these files outside of SIPRNET?

    • wizardbeard@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      13
      ·
      8 months ago

      Contractors and third parties with security clearance. Did you really think any US government agency actually tightened things down properly after Snowden?

    • jkrtn@lemmy.ml
      link
      fedilink
      arrow-up
      6
      arrow-down
      1
      ·
      8 months ago

      Is it illegal to have these or just distribution is illegal? I’m worried about the implications of you downloading but it isn’t like anyone will care.

      As for how they got there, perhaps via scan-to-email from the Mar-a-Lago copy- and bathroom.

      • wizardbeard@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        7
        ·
        8 months ago

        This shit has been happening for far far longer than cheeto. It’s bipartisan military organization incompetence, and the exact issue that allowed the Snowden leaks to occur.

      • PsychedSy@lemmy.dbzer0.com
        link
        fedilink
        arrow-up
        2
        ·
        8 months ago

        The markings tell people with clearance how to handle the documents more than anything else. You have no way of knowing if it’s a legit marking.

      • Maggoty@lemmy.world
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        8 months ago

        Obligatory, I am not a lawyer.

        If random citizen finds it on the street they can’t be punished for having it. But the government can repossess the document at any time.

    • psmgx@lemmy.world
      link
      fedilink
      arrow-up
      3
      arrow-down
      1
      ·
      8 months ago

      “cloud first” is a mantra that not even the FedGov can refuse.

      Mostly cuz the largest, data mining, and ad-driven companies in the world told them it was better.

  • Dizzy Devil Ducky@lemm.ee
    link
    fedilink
    English
    arrow-up
    25
    arrow-down
    4
    ·
    8 months ago

    Okay, the question I have, is why any government from a developed country would ever use something like AWS or something that everyone can obtain access to rather than making their own private solutions to these problems?

    • hackerwacker@lemmy.ml
      link
      fedilink
      arrow-up
      41
      ·
      8 months ago

      It’s easier to hire someone who knows aws than to train someone on your custom thing. I don’t really agree, but that’s mostly the reasoning.

      • JDubbleu@programming.dev
        link
        fedilink
        arrow-up
        5
        ·
        8 months ago

        Not to mention in house solutions are basically guaranteed to cost more than AWS to get something even close to as comparable. A basic service like Lambda is complex as fuck and has had billions of dollars poured into making it what it is today.

      • MotoAsh@lemmy.world
        link
        fedilink
        arrow-up
        3
        ·
        edit-2
        8 months ago

        and circular things roll back down hill so easily it’s constantly amazing that anyone’s dumb enough to try it this day and age… buuut then I guess there’s always that child who’s satisfied shoving all shapes through the square hole…

    • lemmyreader@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      6
      ·
      8 months ago

      Another question could be : which developed country is not yet using the popular AWS already and why ?

      For example : https://press.aboutamazon.com/2023/10/amazon-web-services-to-launch-aws-european-sovereign-cloud

      Customers, AWS Partners, and regulators welcoming the new AWS European Sovereign Cloud include the German Federal Office for Information Security (BSI), German Federal Ministry of the Interior and Community (BMI), German Federal Ministry for Digital and Transport, Finland Ministry of Finance, National Cyber and Information Security Agency (NÚKIB) in the Czech Republic, National Cyber Security Directorate of Romania, SAP, Dedalus, Deutsche Telekom, O2 Telefónica in Germany, Heidelberger Druckmaschinen AG, Raisin, Scalable Capital, de Volksbank, Telia Company, Accenture, AlmavivA, Deloitte, Eviden, Materna, and msg group

    • psmgx@lemmy.world
      link
      fedilink
      arrow-up
      5
      ·
      8 months ago

      Cloud presents several advantages,and GovCloud is a thing.

      Like, Amazon has SCIF cloud offerings. These leaks were cuz some dumbass contractor exposed a repo to the internet

    • golden_zealot@lemmy.ml
      link
      fedilink
      English
      arrow-up
      4
      ·
      8 months ago

      I expect the same reasons they’re mostly all using Microsoft Office, Windows, and Active Directory. Because it’s cheaper than doing it yourself.

    • MetaCubed@lemmy.world
      link
      fedilink
      arrow-up
      6
      ·
      edit-2
      8 months ago

      My bets are on “cloud infrastructure is bad for highly secret information” rather than “public web honeypot with zero obfuscation” Edit: likely fake. The sensationalist in me would love it if this was real because it would confirm my “cloud storage bad” biases, but alas, the document markings dont appear to be consistent with my understanding of official US Government confidentiality/secrecy markings

      • capital@lemmy.world
        link
        fedilink
        arrow-up
        3
        ·
        8 months ago

        If S3, it’s not cloud storage’s fault some dummies enable public access to buckets which is disabled by default.

        • MetaCubed@lemmy.world
          link
          fedilink
          arrow-up
          3
          ·
          8 months ago

          Youre correct it’s not the provider’s fault, but it’s much harder in my very biased opinion to accidentally expose a secure 100% internal intranet than it is to accidentally put a top secret document in a public data bucket.

          But it’s a moot argument in this case anyway. Fake documents means these are likely exposed just to troll folks like us.