• xantoxis@lemmy.world
    126 upvotes · 6 months ago

    I hate amazon as much as the next guy but the way this works is documented and well-known. The people who stored it there fucked up.

    • sandalbucket@lemmy.world
      7 upvotes · 6 months ago

      And if google dorks aren’t interesting enough, because google does not index enough public buckets for you, then we get to learn about gray hat warfare too :)

      • stevedidwhat_infosec@infosec.pub
        8 upvotes · 6 months ago

        Allow me to introduce the often abused Computer Fraud and Misuse act: https://en.m.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act

        If you’d like to lose the ability to use ANY sort of technology for decades if not indefinitely, go ahead with the greyhat stuff.

        The sector of lawfully using your knowledge for good is ever expanding and pays well. I’d strongly advise using your powers for good and dodging any unnecessary risk if you enjoy doing what you do.

        9/10 times, it ain’t worth the risk. Being strategic and thinking things over carefully (err on the side of least action) is going to benefit you.

        • sandalbucket@lemmy.world
          15 upvotes · 6 months ago

          My apologies, allow me to elaborate - grayhatwarfare.com is a cybersecurity company that crawls and indexes publicly-available blob stores, like s3 buckets, azure storage accounts, digital ocean spaces, and google cloud object stores. They offer limited search capabilities for free, no account-wall.

          They are a legitimate cybersecurity company, despite their name.

          My employer is working on a sensitive data scanning service, to alert clients in case their information surfaces in these buckets (even if they do not own the bucket), leveraging the grayhatwarfare api. In short, allowing us to detect and remediate the problem, which I hope you will agree is a white-hat activity :)

          I do not publicly condone breaking the law. I reserve the right to criticize the DMCA tho ;)

  • mondoman712
    74 upvotes · 6 months ago

    brb going to upload some fanfics as pdfs to S3 with “not for public release” in the title

    • Crozekiel@lemmy.zip
      9 upvotes · 6 months ago

      It all basically reads like fan-fic already tbh. Or maybe like… How do I explain it… These look like documents cosplaying as top-secret information. They are LARP-ing as top-secret documents. For an alternate timeline.

    • clearedtoland@lemmy.world
      17 upvotes · 6 months ago

      Wait. It’s hosted on a Russian site or that’s your system language?

      I refuse to look myself and end up on a CIA list lol

      • lud@lemm.ee
        2 upvotes · 6 months ago

        They didn’t ask if Google was a Russian site, they asked if the PDF was hosted on a Russian site (which is a no, in this case)

    • atocci@lemmy.world
      30 upvotes · 6 months ago

      What? You’re doubting the legitimacy of the top secret J.O.R.D.A.N. bill? What next, you’ll call the L.E.B.R.O.N. bill into question as well? I’m flabbergasted at your unending skepticism.

      • bamboo@lemmy.blahaj.zone
        11 upvotes · 6 months ago

        To be fair, the Department of Defense did have the $10 billion JEDI cloud contract that Amazon and Microsoft were fighting for a few years ago, so it’s not much of a stretch.

  • bungobingo82@sh.itjust.works
    18 upvotes · 6 months ago

    Not classified. Wouldn’t surprise me if you could find improperly stored proprietary info if you scrolled long enough, but not from the US gov. Maybe for some private company that didn’t pay for an IT dept though. Also, taking a look at the docs, they look fake as fuck.

  • thepreciousboar@lemm.ee
    14 upvotes · 6 months ago

    Well, to Amazon’s credit, they only offer cloud services. If government officials are dumb enough to store confidential documents on web servers without any authentication, it’s not Amazon’s fault (also, assuming you find real documents, the fact that they are indexed by Google means that those links are also stored on publicly accessible pages, like forums or link directories; that’s the only legit way they can be found by Google crawlers, so that’s double dumb).