Massive US military Social Media Spying Archive Left Wide Open in AWS S3 Buckets

DooKey ([H]F Junkie, joined Apr 25, 2001, 13,500 messages)
Three misconfigured AWS S3 buckets have been discovered wide open on the public internet containing "dozens of terabytes" of social media posts and similar pages - all scraped from around the world by the US military to identify and profile persons of interest. When it rains it pours on government ineptitude. How the heck do you leave this much data just laying around for anyone to find? Tax dollars at work........

Vickery told The Register today he stumbled upon them by accident while running a scan for the word "COM" in publicly accessible S3 buckets. After refining his search, the CENTCOM archive popped up, and at first he thought it was related to Chinese multinational Tencent, but quickly realized it was a US military archive of astounding size.
 
Three misconfigured AWS S3 buckets have been discovered wide open on the public internet containing "dozens of terabytes" of social media posts and similar pages - all scraped from around the world by the US military to identify and profile persons of interest. When it rains it pours on government ineptitude. How the heck do you leave this much data just laying around for anyone to find? Tax dollars at work........

Vickery told The Register today he stumbled upon them by accident while running a scan for the word "COM" in publicly accessible S3 buckets. After refining his search, the CENTCOM archive popped up, and at first he thought it was related to Chinese multinational Tencent, but quickly realized it was a US military archive of astounding size.
This is not just a governmental thing.. there have been multiple disclosures.. one of the many reasons having your data on the public cloud is not a good idea.
 
Actually, I think there is more to this than what this guy believes.

The data would be representative of what is called "Open Source Intelligence". It's all about seeing what you can figure out about an enemy from what he leaves lying around for the world to see. What I don't get is why this data would be stored on Amazon Web Services, and that is what bothers me about it. Now a contractor company, that's a different thing entirely. Maybe a developer wanting to develop new tools for Open Source work might ask for and get a shit ton of data in order to develop or test their product.

The thing is, there is a mix of data from two separate commands and that means something. It's not data that was being stored specifically for either command but by a third party, possibly associated with them, possibly not. Someone finds your Army medical records on an Amazon cloud service repository, whose repository is it? Certainly it looks like an Army medical repository, but was it taken from the Army and simply put on Amazon?

I suppose we might hear an Army denial or explanation or the sound of someone falling on their sword.

Oh, and if it actually was the Army contracted for cloud storage with Amazon, is the fuck up the Army's or Amazon's?
 
What the hell is the military doing using a commercial cloud service?

I get social media posts aren't classified info, but still.
 
Just reinforces the sentiment that the ONLY way to make sure data isn't lost, stolen, exposed or misused is to not collect it in the first place.

Collecting people's personal data must be illegal regardless of whether you happen to be a private company, the military or some three letter agency.
 
Just reinforces the sentiment that the ONLY way to make sure data isn't lost, stolen, exposed or misused is to not collect it in the first place.

Collecting people's personal data must be illegal regardless of whether you happen to be a private company, the military or some three letter agency.

Yea this is wishful thinking.

Define "people's" as in which people's data ?
 
This is not just a governmental thing.. there have been multiple disclosures.. one of the many reasons having your data on the public cloud is not a good idea.

It's not "having your data on the public cloud" that makes it insecure. Properly configured cloud services can be just as secure as internet-connected on-premise resources. It's entirely about knowing what the fuck you're doing, not just dumping stuff out on some public server willy-nilly. Just because Microsoft or Amazon is managing the physical resources on the other end does not mean you don't have to be responsible for the security of what you store on them. Encryption and other security measures are still important. Yes, it's always safer to store something physically offline; you just have to be smart about what you're doing in the "cloud." These people obviously were not.

OR Maybe somebody wanted this stuff to be found.
 
All people, regardless of citizenship, allegiance or geographical location.

Yup, look, I applaud, no, I wish what you are saying could come true.

I'm sure you understand why I can't believe it could happen.

Maybe it's just that if it does happen, it'll have to happen without me, or despite me.

I suppose it's a worthwhile goal, so despite my cynicism, I wish you luck with it. I truly do, 'cause if you could pull it off, the world would be a better place.

Except that illegal implies laws, and laws don't actually prevent anything so.... there's that.
 
 
It's not "having your data on the public cloud" that makes it insecure. Properly configured cloud services can be just as secure as internet-connected on-premise resources. It's entirely about knowing what the fuck you're doing, not just dumping stuff out on some public server willy-nilly. Just because Microsoft or Amazon is managing the physical resources on the other end does not mean you don't have to be responsible for the security of what you store on them. Encryption and other security measures are still important. Yes, it's always safer to store something physically offline; you just have to be smart about what you're doing in the "cloud." These people obviously were not.

OR Maybe somebody wanted this stuff to be found.

The problem is that Amazon, Microsoft and others market how great it is to have everything on the "cloud" so you can easily access it from anywhere, but then don't do the extra due diligence of making sure the user actually knows what they are doing.

It is perfectly fine to make a high quality, very sharp sword, but if you market and sell it to a 10 year old, something bad is going to happen. Seems there are a lot of 10 year olds running things that are put on the internet lately :)
 
Rule #2: People are dumber than you think is even possible.
And don't forget Rule #3: People are lazier than you think possible.

Case in point -- security patch guy at Equifax who didn't get around to patching their servers for 6 months allowing 143 million credit reports to go public.
 
Yeah, but it's also planting intelligence.
Could just as well be an operation to disseminate false information with the purpose of having the other governments target their own people.
Cheap, effective.. at minimum will send other intelligence agencies spinning their wheels.. as well as potentially tagged/seeded with programs or some shit.
 
Hmmm... If I remember correctly the default setting for S3 buckets is private. Someone actually had to change a setting to make the S3 bucket public.
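The two posts above turn on one point: an S3 bucket is private until someone grants access to "everyone", either through a bucket ACL grant to the AllUsers/AuthenticatedUsers groups or through a bucket policy that allows a wildcard principal. The script below is an added example, not code from anyone in this thread or from AWS; it runs offline over constructed ACL and policy JSON shaped like the GetBucketAcl / GetBucketPolicy responses and flags the grants that would make a bucket world-readable.

```python
"""Flag S3 bucket ACL grants and bucket-policy statements that expose a bucket
to the whole internet. The sample ACL and policy are constructed for this
example; the bucket name and IDs are placeholders, not from the story."""

# Grantee group URIs AWS uses for "anyone" and "any AWS account holder".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

def public_acl_grants(acl):
    """Return (group, permission) pairs the ACL grants to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return findings

def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy):
    """Return Sids of Allow statements open to any principal with no Condition.
    Conditioned wildcard statements are skipped here and need manual review."""
    return [stmt.get("Sid", "<no Sid>") for stmt in policy.get("Statement", [])
            if stmt.get("Effect") == "Allow"
            and _is_wildcard_principal(stmt.get("Principal"))
            and not stmt.get("Condition")]

# Constructed sample: owner has FULL_CONTROL, plus a public READ grant.
SAMPLE_ACL = {"Owner": {"ID": "constructed-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}

# Constructed sample: one open statement, one wildcard limited by a Condition.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}}]}

if __name__ == "__main__":
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))
    print("open policy statements:", public_policy_statements(SAMPLE_POLICY))
```

In practice you would feed this the real API responses for every bucket in the account and alert on any finding; enabling S3 Block Public Access at the account level stops such grants from taking effect in the first place.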
 
Yeah, but it's also planting intelligence.
Could just as well be an operation to disseminate false information with the purpose of having the other governments target their own people.
Cheap, effective.. at minimum will send other intelligence agencies spinning their wheels.. as well as potentially tagged/seeded with programs or some shit.

Bruce Lee was a master of distraction, he was also extremely fast, but the shaking off-hand caught your attention long enough that there was no way you were going to stop his jab.

Hmmm... If I remember correctly the default setting for S3 buckets is private. Someone actually had to change a setting to make the S3 bucket public.

Which only adds more credence to the idea that this is a threat-entity information operation. Public data is public anyway, but that won't matter once the WHARRGARBL gets started. The US attention span is like those YouTube videos of the Russian guys starting giant diesel motors by hand and riding them like bulls. Once it gets going, it's just going to fuck some shit up.
 
Yeah Icpiper does that to me all the time.
I'm not the government

I don't work for the government

The limit of my involvement with the government is that I do software support on the IT Enterprise for completely isolated software development networks. The work is my company's contract for the Army. My company has other contracts that are not for the Army. It's a big world. It's my skills + my TS Clearance that makes me attractive for this work.

I used to work for the Army, Military Intelligence, did RADAR Intercept work and later I trained soldiers how to use the first real automated intelligence processing systems. Supported several tactical systems used by the Army in Iraq etc, Biometrics and such.

But I'm not the government, just a dude with a job and some life's experiences.
 
So in a kinda-sorta-maybe way you are trying to say you work for the NSA?
 