Don't panic, Chicago, but an AWS S3 config blunder exposed 1.8 million voter records

A voting machine supplier for dozens of US states left records on 1.8 million Americans in public view for anyone to download – after misconfiguring its AWS-hosted storage. ES&S says it was notified by UpGuard researcher Chris Vickery of the vulnerable database that contained personal information it collected from recent …

  1. Anonymous Coward

    The Cloud...

    Other people's computers you can leave private data on

    1. Adam 52 Silver badge

      Re: The Cloud...

      It doesn't really matter whose server it is, if you connect it to the Internet and stick a webserver on the front with no authentication then you've been a bit foolish.

      AWS makes that a bit easier - the Internet bit is there by default and the no authentication part is a couple of check boxes away.

      AWS could help; the interface to their permissions system involves some really horrible JSON or yaml over a multitude of different web pages, it's hard to test and their documentation recommends bad practice - like this:

      "Effect":"Allow",

      "Action":"s3:*",

      "Resource":"*"

    2. Anonymous Coward

      Re: The Cloud...

      Other people's computers you can leave private data on

      Hmm, you'll have that problem with *any* outsourced facility. This has little to do with Amazon, more with the people who stored data there without any protection.

  2. Anonymous Coward
    Trollface

    Still got nothing to hide?

    A wee bit offtopic, sorry I know, but with news like this I always wonder if people still feel that they "got nothing to hide" when the government tries to get even more access into our personal lives.

    Yes, this is a bit of a troll but also meant quite seriously.

  3. Anonymous Coward
    Holmes

    It's Chicago - they all voted for Hillary

    Nothing to see here...

    1. chivo243 Silver badge
      Big Brother

      Re: It's Chicago - they all voted for Hillary

      As a native of the Chicago area, I will just say when it comes to politics -

      "There are no mistakes."

    2. Aodhhan

      Re: It's Chicago - they all voted for Hillary

      ...you forgot to say, they all voted for Hillary "twice".

      HA!

      1. WolfFan Silver badge

        Re: It's Chicago - they all voted for Hillary

        ...you forgot to say, they all voted for Hillary "twice".

        No, they didn't. What happened is that everyone who has ever resided in Chicago, everyone who has ever been in Cook or DuPage Counties, everyone who has ever thought of perhaps visiting Cook County one day, going back to the 19th century, voted for Hillary. That's the Chicago Way.

        Merely voting twice limits the possible number of votes.

  4. FlamingDeath Silver badge

    AWS genius

    How they managed to convince people to pay per CPU cycle I'll never know

    A lot of their marketing guff names are like something out of Star Trek but in reality they are just granular frontends to a broader set of systems that have been available for decades in OSS

    Does anybody know what an AWS™ Elastic™ Beanstalk™ is?

    Or what an Amazon™ Lightsail™ is?

    Maybe Amazon™ Glacier™?

    How about an AWS™ Snowmobile™?

    This one sounds really cool, no idea what it does, but MAN, it does sound really cool

    Amazon™ Redshift™?

    AWS™ Greengrass™?

    I reckon if I looked hard enough I would probably find: AWS™ tax™ avoider™

    But in a more jazzy marketingyish buzzword

  5. Howard Hanek
    Childcatcher

    It's Not As Bad As All That

    .....in Chicago many of the names on the voter rolls are long dead and the others likely to be criminal aliases.....

    1. Anonymous Coward

      Re: It's Not As Bad As All That

      Well, that's the Chicago Way, right? Get in their face. Punch back twice as hard. If they put one of ours in the hospital, you put one of theirs in the morgue... and then make him vote.

  6. Winkypop Silver badge
    Holmes

    I'll just leave this here....

    Cloud computing!

  7. GrapeBunch

    Inquayling Minds ...

    ... so, when somebody steals the identity of your dead grandfather, can it still affect your credit rating?

    Forget what happens when your identity is stolen, that won't change the result of any election.

    1. Adam 52 Silver badge

      Re: Inquayling Minds ...

      Very, very hard to steal my identity. I'm me and nothing short of death is really going to change that.

  8. Daedalus

    Don't panic - well maybe.

    People with better than short memories will recall Trumpton's demand for electoral rolls from various US states. They were told, yes this is technically public information, but we charge to give it to you. In fact, political parties routinely buy this info for their campaigns. Every year we get info sheets from the League of Women Voters telling us where and when we vote (note that in the dynamic individualistic USA, you're supposed to find out for yourself with too much govt. assistance). The LWV gets our names and addresses (and probably ages) just like the parties do, and in fact those same items of info are available for mail spammers etc.

    The last 4 digits of the SS number are not supposed to be public, AFAIK. They can be used to gain access to certain websites, mostly as verification for name, address, age etc. OTOH they are routinely printed in mail you get from your bank, mutual fund etc. Thank God they stopped using the whole SS on medical insurance cards. What were they thinking?

  9. Aodhhan

    Yes yes we know...

    most of the information is easy enough to get; however, you're missing the point.

    Don't believe for a second it's only name, address and age. There are other items, such as political party, when you voted, possibly items of interest to you, etc.

    Not to mention the fact the work is already done... and possibly with your name on it!!

    Then, if you're truly an InfoSec professional and not trying to spin this favorably for the Democrats in Chicago (which is likely the case in many posts)... you'd understand it's another database breach via AWS; once again... there is a failure in information security policy; oh yes... and another failure to protect private information by an organization primarily run and manned by Democrats.

    Hah... I'm an independent politically so I had to say this last bit.
