Millions of scraped public social net profiles left in open AWS S3 box US social network data aggregator LocalBlox has been caught leaving its AWS bucket of 48 million records – harvested in part from public Facebook, LinkedIn and Twitter profiles – available to be viewed by anyone who stopped by. Security biz Upguard wandered by on February 18, and found the publicly accessible files in a …
....is a bit extreme unless they did it maliciously. Fining their company and them personal based on their wage or wealth would be a start. I mention their wealth as they could hide their wage by just paying themselves a $1 a year or month like Steve Jobs use to (I'm not suggesting he did it for nefarious reasons. Just only example I know of where he paid himself $1)
...should be set to allow only the owner/creator. I'm only starting to deal with systems in AWS and haven't set any up, so maybe that is the default and the folks responsible for this wen out of their way to screw things up. Maybe there were no tools that would allow the auditing of permissions. Maybe the cat's out of the proverbial bag and the only thing we can do is to point and laugh so those who made this mistake know to never do it again.
> maybe that [no public access] is the default
Yes, it’s the default.
Trouble is when you want to share a file on S3 with someone else, your choice is either
(a) do some fancy thing to make a single-use time-limitted URL that you can share, or
(b) make the content public temporarily - with the danger of forgetting to change it back to private afterwards.
I think this must explain many of the S3 screwups we’ve heard about.
Poorly configured AWS S3 buckets have been an source of shame for Amazon Web Services and its users.
I'm not sure why a poorly configured S3 bucket is a source of shame for AWS, any more than a poorly configured router would be a source of shame for Cisco.
To borrow parlance from gamers: "git gud". Before you do something, understand what you're doing and why. Ask questions. Read the strat guide. Grind it out in QA. If you fail to do these things and put yourself and your employer at risk, the shame is yours.
It's json data,
That points to JavaScriptolicious developers. The current year's "fast, productive, web-scale" mindset is likely to apply, visionarily driven by PHB's "big data" (more like "burp data") vision
These guys develop ultra-complex stuff before gitting gud in any way, shape or form. Or reading the manual for that matter.
I do believe it's time to nuke them from space* and put and end to screwing over just about every one on the planet. Although, from reports, there damn few left who haven't been slurped, filed, indexed, and sold.
*Nuke several times as it's the only way to be sure.
Don't forget all the {cough, cough} backup copies scattered all over the world.
You know the ones that they can use to tell you that 'Yes, we have deleted all your crap...'. People will forget about the dozens of copies that they hold that are scattered all over the globe.
20 seconds after you have agreed that it is gone, the DB's will notice a discrepancy and restore 'your crap' from one of said backup copies.
FaceBook really is BigBrother. There is simply no getting away from BB.
They are worse than any government yet known for spying on you and your life.
Zuckerberg, testifying before Congress in the wake of the Cambridge Analytica scandal, insisted Facebook users have control over their data. From this case it looks more like no one has much control over it.
Had a profile on there years ago, went back the other day and tried to delete my account, facebook won't comply, wants a scan of my ID card ? WTF ?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
