The Cloud...
Other people's computers you can leave private data on
A voting machine supplier for dozens of US states left records on 1.8 million Americans in public view for anyone to download – after misconfiguring its AWS-hosted storage. ES&S says it was notified by UpGuard researcher Chris Vickery of the vulnerable database that contained personal information it collected from recent …
It doesn't really matter whose server it is, if you connect it to the Internet and stick a webserver on the front with no authentication then you've been a bit foolish.
AWS makes that a bit easier - the Internet bit is there by default and the no authentication part is a couple of check boxes away.
AWS could help; the interface to their permissions system involves some really horrible JSON or YAML over a multitude of different web pages, it's hard to test and their documentation recommends bad practice - like this:
"Effect":"Allow",
"Action":"s3:*",
"Resource":"*"
A wee bit off-topic, sorry I know, but with news like this I always wonder if people still feel that they "got nothing to hide" when the government tries to get even more access into our personal lives.
Yes, this is a bit of a troll but also meant quite seriously.
...you forgot to say, they all voted for Hillary "twice".
No, they didn't. What happened is that everyone who has ever resided in Chicago, everyone who has ever been in Cook or DuPage Counties, everyone who has ever thought of perhaps visiting Cook County one day, going back to the 19th century, voted for Hillary. That's the Chicago Way.
Merely voting twice limits the possible number of votes.
How they managed to convince people to pay per CPU cycle I'll never know.
A lot of their marketing guff names are like something out of Star Trek, but in reality they are just granular frontends to a broader set of systems that have been available for decades in OSS.
Does anybody know what an AWS™ Elastic™ Beanstalk™ is?
Or what an Amazon™ Lightsail™ is?
Maybe Amazon™ Glacier™?
How about an AWS™ Snowmobile™?
This one sounds really cool, no idea what it does, but MAN, it does sound really cool
Amazon™ Redshift™?
AWS™ Greengrass™?
I reckon if I looked hard enough I would probably find: AWS™ tax™ avoider™
But in a more jazzy marketingyish buzzword
People with better than short memories will recall Trumpton's demand for electoral rolls from various US states. They were told, yes this is technically public information, but we charge to give it to you. In fact, political parties routinely buy this info for their campaigns. Every year we get info sheets from the League of Women Voters telling us where and when we vote (note that in the dynamic individualistic USA, you're supposed to find out for yourself with too much govt. assistance). The LWV gets our names and addresses (and probably ages) just like the parties do, and in fact those same items of info are available for mail spammers etc.
The last 4 digits of the SS number are not supposed to be public, AFAIK. They can be used to gain access to certain websites, mostly as verification for name, address, age etc. OTOH they are routinely printed in mail you get from your bank, mutual fund etc. Thank God they stopped using the whole SS on medical insurance cards. What were they thinking?
Most of the information is easy enough to get; however, you're missing the point.
Don't believe for a second it's only name, address and age. There are other items, such as political party, when you voted, possibly items of interest to you, etc.
Not to mention the fact the work is already done... and possibly with your name on it!!
Then, if you're truly an InfoSec professional and not trying to spin this favorably for the Democrats in Chicago (which is likely the case in many posts)... you'd understand it's another database breach via AWS; once again... there is a failure in information security policy; oh yes... and another failure to protect private information by an organization primarily run and manned by Democrats.
Hah... I'm an independent politically so I had to say this last bit.