LAPD loses job applicant details, Project Zero pokes holes in iOS, AWS S3 whack-a-mole continues, and more Here is a quick roundup of the recent happenings in the world of computer security beyond what we've already reported. Also, look out this week for our Black Hat, DEF CON, and Bsides Las Vegas coverage: our vultures out in the Nevada desert will produce a string of articles from the hacking conferences. Amazon closes one open …
Well, to be fair, it appears to be disk status reports, not what you do with your files.
It is, however, just another example of a company choosing to do what it wants with your bandwidth "with the best of intentions" and "to improve customer service" because it can, without wondering if it has the right.
I think that we should start invoicing our bandwidth under default terms, as in €100/month flat rate, for unauthorized usage of our bandwidth. That would probably set things straight pretty quick.
"Why would an SSD need to spy on users? Is anything safe?".
No.
IT isn't about odd concepts such as "safe" and "secure", it's about hoarding data (any data) and then finding ways to flog that data to the highest bidder. Even if you pay for a service (say office 365), your data is still being stored, analyzed and sold.
"Even if you pay for a service (say office 365), your data is still being stored, analyzed and sold."
And if you DON'T pay for the service, probably the only reason for it to exist is to sell your data.
Last month I signed up to a free Excel forum. Within a couple of days I was getting spam from domains at the hosting company that hosts the forum, and in a couple more days from elsewhere on the planet -- all to the spamtrap that I'd set up for it. }:-)
https://www.mrexcel.com/forum/excel-questions/1104708-cannot-run-macro-add-post5317833.html#post5317833
"Late last week, a Register ad-sales exec who buys shoes from StockX.com got an email from the e-tailer asking him to reset his account password. "
Are you trying to encourage the use of ad blockers on your site ElReg?
Or would less ad revenue still pay for expensive shiny things for the ad execs while the writes get their bread and water^H^H^Halcohol rations reduced?
Mildly surprised you passed over Kevin "@GossiTheDog" Beaumont's latest escapades. Whilst poking around S3 checking for signs any of his employers' data was leaking, he found an enormous cache of WAF logs for the main websites of a rollcall of household names, including several well-known UK high street banks. Starts here: https://twitter.com/GossiTheDog/status/1156555634936074242
Full list of filenames (named for the customer) is on the OpenSecurity.global page linked down the thread. My bank and telco are on the list. No customer notification from any of 'em so far, so I suspect they're going to end up saying hello to the ICO's little friend (a huge fine).
"If so it should take a lot of hard work to make them public."
Have you never witnessed the troubleshooting process when security is involved? Do you:
a) try and understand the process, check individual components for logs/hits and ensure everything is understood and functioning as expected.
b) remove all security and try and reapply it later...
To use the phrase "left open" in regard to the Amazon S3 buckets gives the impression that by default these are insecure, and users have to do something to make them secure.
This is absolutely NOT the case, Users have to actively disable the default security to make them public. They are not "left open", they are "made open".
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
