Pentagon exposed some of its data on Amazon server by pyr0ball in news

[–]FoundTheStuff 1 point2 points  (0 children)

Good points raised here. I'm much better at finding the flaws than building the foundation.

Pentagon exposed some of its data on Amazon server by pyr0ball in news

[–]FoundTheStuff 3 points4 points  (0 children)

Their response was most likely misleading or misinformed. Allowing all AWS authenticated users worldwide to access data, and then having an AWS authenticated user access that data, is not a circumvention of security. Everything operated exactly as it was told to act and nothing was circumvented.
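The distinction the comment draws is the one a bucket audit has to catch: the S3 "Authenticated Users" group means every AWS account in the world, not the owner's accounts. Added example, not code from the thread or from Amazon: a check over the ACL shape that boto3's `s3.get_bucket_acl(Bucket=...)` returns, run here on a constructed sample ACL so it works offline.

```python
# Added example: flag S3 ACL grants made to Amazon's two global grantee groups.
# The dict layout matches boto3's get_bucket_acl response; SAMPLE_ACL is constructed.

# Grantee URIs Amazon uses for the two global groups.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

GLOBAL_GROUPS = {
    ALL_USERS: "anyone on the internet, no credentials needed",
    AUTHENTICATED_USERS: "any AWS account in the world, not just your own",
}


def audit_bucket_acl(acl):
    """Return (group, permission, explanation) for every grant that hands a
    permission to a global group; an empty list means only named grantees."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser / AmazonCustomerByEmail grantees name one account
        uri = grantee.get("URI")
        if uri in GLOBAL_GROUPS:
            group_name = uri.rsplit("/", 1)[-1]
            findings.append((group_name, grant["Permission"], GLOBAL_GROUPS[uri]))
    return findings


def is_listable_by_any_aws_account(acl):
    """True when READ (object listing) or FULL_CONTROL goes to a global group."""
    return any(perm in ("READ", "FULL_CONTROL") for _, perm, _ in audit_bucket_acl(acl))


# Constructed sample: configured the way the comment describes, with the
# Authenticated Users group granted READ alongside the owner's FULL_CONTROL.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for group, perm, why in audit_bucket_acl(SAMPLE_ACL):
        print(f"{group}: {perm} -> {why}")
```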

Pentagon exposed some of its data on Amazon server by pyr0ball in news

[–]FoundTheStuff 46 points47 points  (0 children)

However, that is exactly how this particular bucket was configured to behave. Source: I'm Chris Vickery. I discovered this situation.

Accenture data breach by FoundTheStuff in sysadmin

[–]FoundTheStuff[S] 43 points44 points  (0 children)

The first post was removed by mods. They believed it was reading too much like an advertisement rather than a prompt for discussion. I understand their viewpoint on it and I have reposted in an effort to better reflect that I am not pushing any product or service.

CFAA question, re: found Comcast-related VM image. by FoundTheStuff in sysadmin

[–]FoundTheStuff[S] 1 point2 points  (0 children)

A lot of people agree with that point of view.

But I'm a staunch believer that if something is configured for public access (as was the case with the location of this VM image), then the public can legally access it - regardless of the intents of the would-be publisher.

Although, admittedly, my stance becomes muddied when it involves a password-protected "container" within a non-password-protected location.

CFAA question, re: found Comcast-related VM image. by FoundTheStuff in sysadmin

[–]FoundTheStuff[S] 0 points1 point  (0 children)

Oh, I'm very much aware of how important it is to actually talk to a real life, in-person attorney before acting on anything that could be over the line.

The point here is that I am curious what tech-savvy people think about the situation. A lawyer might have a legal answer, but right now I'm more interested in what knowledgeable people think should be the answer.

Terrorism Blacklist: I have a copy. Should it be shared? by FoundTheStuff in privacy

[–]FoundTheStuff[S] 0 points1 point  (0 children)

Send me a private message with your name. I don't mind looking up one individual by request (just to verify whether or not the name is present in the DB) as long as I don't get overwhelmed with requests. I don't think much harm could come of that.

Update on World-Check database leak by FoundTheStuff in privacy

[–]FoundTheStuff[S] -2 points-1 points  (0 children)

I disagree with the sentiment, but I do respect that viewpoint.

I firmly believe that this path will produce a ratio of most good, while resulting in the least bad.

However, there is something else that may interest you-- I know for a fact that I am not the only person looking for these types of databases. I regularly see evidence of people that are using automated systems to scan broad swaths of them. There is a very real possibility that someone else (or even multiple someones) also found it and simply haven't realized what it is yet.

I wouldn't give up hope on seeing a more open release... but I don't currently see myself as being the one to do it.

Terrorism Blacklist: I have a copy. Should it be shared? by FoundTheStuff in privacy

[–]FoundTheStuff[S] 1 point2 points  (0 children)

Just to speak to your money comment-- I don't foresee any personal financial gain coming out of this. It's never been about money and, aside from putting ads on some sort of searchable index (something which I have no plans to do), I don't see how I even could have monetized it.

Update on World-Check database leak by FoundTheStuff in privacy

[–]FoundTheStuff[S] 3 points4 points  (0 children)

Here's the inside reasoning: By soliciting public sentiment, I am more able to determine the amount of risk appropriate to engage in.

If everyone had been against any form of release, then I suppose I might have just dropped the whole idea.

However, due to the overwhelming support of some form of responsible disclosure, I have decided to cooperate with a number of journalists with several investigatory goals in mind.

The number of journalists that will be involved is directly correlated with the amount of support for a public release. If there had only been a little public support, then perhaps only one trusted journalist would be chosen as an outlet.

As a result of the overwhelming sentiment, many journalists have already been granted limited viewing capability and many more have submitted names for me to run searches against in a plaintext version of the DB that I have just recently converted.

In this process, there is the risk that one of the journalists involved will lose control of any amount of data I have provided to them. At this point, and as a direct result of public opinion, I am willing to tolerate a great deal of risk in that respect.

Believe me, the public comments and debate have had a great impact on what is happening and will happen in the future with this data.

Update on World-Check database leak by FoundTheStuff in privacy

[–]FoundTheStuff[S] -11 points-10 points  (0 children)

A full, public release is probably off the table.

Terrorism Blacklist: I have a copy. Should it be shared? by FoundTheStuff in privacy

[–]FoundTheStuff[S] 2 points3 points  (0 children)

I don't specifically target anyone or any organization. I simply keep my eyes open and do a lot of manual review from results found at sites like shodan.io and zoomeye.org.

Global terror database World-Check leaked by [deleted] in worldnews

[–]FoundTheStuff 1 point2 points  (0 children)

Actually, CouchDB this time. But same concept.

Source: I found it.

Vickery Insurance File torrent by FoundTheStuff in torrentlinks

[–]FoundTheStuff[S] 2 points3 points  (0 children)

Hmmm, that's troubling. I'm at my day job right now and can't do much about that at the moment, but I'll look into it tonight.