this post was submitted on 06 Jun 2024
393 points (100.0% liked)

196

16549 readers
1982 users here now

Be sure to follow the rule before you head out.

Rule: You must post before you leave.

^other^ ^rules^

founded 1 year ago
MODERATORS
 
top 35 comments
sorted by: hot top controversial new old
[–] xantoxis@lemmy.world 132 points 5 months ago

I hate amazon as much as the next guy but the way this works is documented and well-known. The people who stored it there fucked up.

[–] stevedidwhat_infosec@infosec.pub 94 points 5 months ago (1 children)

Today friends, we will learn about google dorks.

Dorks are common parameters that can be used to quickly locate things that should not be on the internet.

https://github.com/Ishanoshada/GDorks

https://www.stationx.net/google-dorks-cheat-sheet/

[–] sandalbucket@lemmy.world 8 points 5 months ago (1 children)

And if google dorks aren’t interesting enough, because google does not index enough public buckets for you, then we get to learn about gray hat warfare too :)

[–] stevedidwhat_infosec@infosec.pub 8 points 5 months ago (1 children)

Allow me to introduce the often abused Computer Fraud and Misuse act: https://en.m.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act

If you’d like to lose the ability to use ANY sort of technology for decades if not indefinitely, go ahead with the greyhat stuff.

The sector of lawfully using your knowledge for good is ever expanding and pays well. I’d strongly advise using your powers for good and dodge any unnecessary risk if you enjoy doing what you do.

9/10 times, it ain’t worth the risk. Being strategic and thinking things over carefully (err on the side of least action) is going to benefit you

[–] sandalbucket@lemmy.world 15 points 5 months ago (1 children)

My apologies, allow me to elaborate - grayhatwarfare.com is a cybersecurity company that crawls and indexes publicly-available blob stores, like s3 buckets, azure storage accounts, digital ocean spaces, and google cloud object stores. They offer limited search capabilities for free, no account-wall.

They are a legitimate cybersecurity company, despite their name.

My employer is working on a sensitive data scanning service, to alert clients in case their information surfaces in these buckets (even if they do not own the bucket), leveraging the grayhatwarfare api. In short, allowing us to detect and remediate the problem, which I hope you will agree is a white-hat activity :)

I do not publicly condone breaking the law. I reserve the right to criticize the DMCA tho ;)

[–] stevedidwhat_infosec@infosec.pub 10 points 5 months ago

Good to know! Hadn’t heard of these peeps before, appreciate the clarification and new info!

[–] mondoman712@lemmy.ml 77 points 5 months ago (2 children)

brb going to upload some fanfics as pdfs to S3 with not for public release in the title

[–] stevedidwhat_infosec@infosec.pub 23 points 5 months ago

We call this search engine flooding from where I’m from 😉

[–] Crozekiel@lemmy.zip 9 points 5 months ago

It all basically reads like fan-fic already tbh. Or maybe like... How do I explain it... These look like documents Cosplaying as top-secret information. They are LARP-ing as top-secret documents. For an alternate timeline.

[–] mikyopii@programming.dev 47 points 5 months ago

Those aren't what classified markings look like. It's fake.

[–] Hedlosa@lemmy.blahaj.zone 31 points 5 months ago (1 children)

This is a honeypot, stop it.

[–] Valmond@lemmy.world 6 points 5 months ago

But I like honey?

[–] Sorse@discuss.tchncs.de 29 points 5 months ago (1 children)
[–] clearedtoland@lemmy.world 18 points 5 months ago (1 children)

Wait. It’s hosted on a Russian site or that’s your system language?

I refuse to look myself and end up on a CIA list lol

[–] Sorse@discuss.tchncs.de 27 points 5 months ago (1 children)

That’s my system language.

As far as I know Google isn’t a Russian site

[–] lud@lemm.ee 2 points 5 months ago

They didn't ask if Google was a Russian site, they asked if the PDF was hosted on a Russian site (which is a no, in site case)

[–] Sanctus@lemmy.world 28 points 5 months ago (5 children)

Has anyone read the document? It doesn't actually look legitimate.

[–] atocci@lemmy.world 33 points 5 months ago

What? You're doubting the legitimacy of the top secret J.O.R.D.A.N. bill? What next, you'll call the L.E.B.R.O.N. bill into question as well? I'm flabbergasted at your unending skepticism.

[–] djsoren19@yiffit.net 17 points 5 months ago (2 children)

A lot of them look legit, mostly because they are boring. I scanned a few, it's stuff like the air force's memo on how to deal with press, or a memo alleging a number of Russian cybersecurity attacks on U.S. assets.

If someone was going to fake releasing stuff like this, they probably wouldn't do it with such boring documents, they'd put some shit about aliens in there.

[–] stevedidwhat_infosec@infosec.pub 10 points 5 months ago (1 children)

Mmm. So I agree with your initial assessment, but the later rationale not so much

Disinformation is the tool used by war today. Russia is doing A LOT of it as of late coming up on this election cycle and could easily push propaganda and fake news via channels like this.

Similarly, and on the other side of this coin, the US could also do this to push propaganda. You cannot trust things for face value on the internet.

[–] djsoren19@yiffit.net 3 points 5 months ago (1 children)

Again, if it was propoganda I think it would be more incendiary. You're free to go through the information if you wish, and there probably are some juicy secrets somewhere in the mess of files, but my spotcheck made me yawn. If you don't want to live in a world with no truth, you have to start thinking about the intent of the author. If the intent of the author here was to plant misinformation, or to sow division, then they did a terrible job at it. What little I read gave me no interest in reading more.

[–] stevedidwhat_infosec@infosec.pub 2 points 5 months ago

We’re on the same page here, I think it’s pretty likely that a lot of this stuff isn’t actually dangerous. Snowden leaks point out massive constructs to automatically read in info and essentially create a DB of intel

And that was years ago. I find it highly unlikely that anything serious would slip through and go unnoticed on a search engine like google.

Discord tho…

[–] Sanctus@lemmy.world 1 points 5 months ago

Boring does not mean legit. In fact, misinformation should look exactly like the real thing.

[–] Dunklets@lemmy.world 11 points 5 months ago

Yeah it's not real

[–] OrnateLuna@lemmy.blahaj.zone 4 points 5 months ago (1 children)

Yeah especially the acronyms, JEDI, LEBRON, JORDAN c'mon one. Even astrophysicists aren't that bad

[–] bamboo@lemmy.blahaj.zone 12 points 5 months ago

To be fair, the department of defence did have the $10 billion JEDI cloud contract that Amazon and Microsoft were fighting for a few years ago, so it's not much of a stretch.

[–] OrnateLuna@lemmy.blahaj.zone 1 points 5 months ago

Yeah especially the acronyms, JEDI, LEBRON, JORDAN c'mon one. Even astrophysicists aren't that bad

[–] bamboo@lemmy.blahaj.zone 22 points 5 months ago
[–] bungobingo82@sh.itjust.works 19 points 5 months ago* (last edited 5 months ago)

Not classified. Wouldn't surprise me if you could find improperly stored proprietary info if you scrolled long enough but not from the US gov. Maybe for some private company that didnt pay for an IT dept though. Also taking a look at the docs, they look fake as fuck.

[–] Iheartcheese@lemmy.world 16 points 5 months ago (3 children)

WHY ISN'T OUR GOVERNMENT SELF HOSTING THIS SHIT

[–] asphalt@lemmy.dbzer0.com 4 points 5 months ago

Free market myeahhh murricaa

[–] thesmokingman@programming.dev 3 points 5 months ago

It’s cheaper to use a platform as a service than it is to build your own distributed data centers around the world and hire thousands of engineers worldwide to maintain it. At the federal level, there can be requirements for FedRAMP or a restriction to federal equipment.

[–] bungobingo82@sh.itjust.works 2 points 5 months ago

They do, this is fake

[–] thepreciousboar@lemm.ee 15 points 5 months ago

Well, to amazon credit, they only offer cloud services. If government officials are dumb enough to store confidential documents in webservers without any authentication, it's not Amazon's fault (also, assuming you find real documents, the fact they are indexed by google, means that those links are also stored on publicly accessible pages, like forums or link directories, that's the only legit way it can be found by google crawlers; that's double dumb)

[–] Gullible@sh.itjust.works 5 points 5 months ago

Well I’ll be darned. Danged, even. Between this and Amazon price gouging existing customers, it feels as if something has happened behind the scenes.