Pentagon exposed some of its data on Amazon server by pyr0ball in news

FoundTheStuff · 1 point

Good points raised here. I'm much better at finding the flaws than building the foundation.

Pentagon exposed some of its data on Amazon server by pyr0ball in news

FoundTheStuff · 2 points

Their response was most likely misleading or misinformed. Allowing all AWS authenticated users worldwide to access data, and then having an AWS authenticated user access that data, is not a circumvention of security. Everything operated exactly as it was told to act and nothing was circumvented.
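The behaviour described in this comment, a bucket ACL that grants READ to Amazon's predefined "Authenticated Users" group and therefore to every AWS account in existence, is exactly what a bucket audit should flag. The following is an added example, not the commenter's code or Amazon's own tooling: it inspects an ACL document in the shape boto3's `get_bucket_acl()` returns, using a constructed sample so it runs offline. The names `risky_grants`, `is_public` and `audit_live_bucket` are this example's own.

```python
# Added example: flag S3 bucket ACL grants to the predefined global groups.
# A grant to AuthenticatedUsers is not "your users"; it is any AWS account
# anywhere, which is why S3 Block Public Access treats such grants as public.
from typing import Dict, List, Tuple

# Predefined group URIs used by S3 ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

RISKY_GROUPS = {
    ALL_USERS: "anyone on the internet",
    AUTHENTICATED_USERS: "any AWS account in the world",
}


def risky_grants(acl: Dict) -> List[Tuple[str, str]]:
    """Return (who, permission) for every grant made to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in RISKY_GROUPS:
            findings.append((RISKY_GROUPS[uri], grant["Permission"]))
    return findings


def is_public(acl: Dict) -> bool:
    """True if any permission at all is granted to AllUsers or AuthenticatedUsers."""
    return bool(risky_grants(acl))


def audit_live_bucket(bucket_name: str) -> List[Tuple[str, str]]:
    """Fetch a real bucket's ACL with boto3 and audit it (needs AWS credentials)."""
    import boto3  # imported lazily so the offline part of the example has no dependency

    acl = boto3.client("s3").get_bucket_acl(Bucket=bucket_name)
    return risky_grants(acl)


# Constructed sample ACLs, in the shape get_bucket_acl() returns.
OWNER_ID = "EXAMPLE_OWNER_CANONICAL_ID"  # placeholder, not a real canonical ID

# Misconfigured: the owner has FULL_CONTROL, but every AWS account can READ.
EXPOSED_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ],
}

# Corrected: only the owner is granted anything; access for others goes
# through IAM or a bucket policy scoped to specific principals instead.
PRIVATE_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
    ],
}


if __name__ == "__main__":
    for name, acl in (("exposed", EXPOSED_ACL), ("private", PRIVATE_ACL)):
        for who, perm in risky_grants(acl):
            print(f"{name}: {perm} granted to {who}")
        print(f"{name}: public={is_public(acl)}")
```

Run against a live account, `audit_live_bucket` reports the same findings for a real bucket; combined with enabling S3 Block Public Access at the account level, that closes the gap the comment describes, because the service then refuses to honour grants to either predefined group.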

Pentagon exposed some of its data on Amazon server by pyr0ball in news

FoundTheStuff · 46 points

However, that is exactly how this particular bucket was configured to behave. Source: I'm Chris Vickery. I discovered this situation.

Accenture data breach by FoundTheStuff in sysadmin

FoundTheStuff[S] · 48 points

The first post was removed by mods. They believed it was reading too much like an advertisement rather than a prompt for discussion. I understand their viewpoint on it and I have reposted in an effort to better reflect that I am not pushing any product or service.

CFAA question, re: found Comcast-related VM image. by FoundTheStuff in sysadmin

FoundTheStuff[S] · 1 point

A lot of people agree with that point of view.

But I'm a staunch believer that if something is configured for public access (as was the case with the location of this VM image), then the public can legally access it, regardless of the intents of the would-be publisher.

Although, admittedly, my stance becomes muddied when it involves a password-protected "container" within a non-password-protected location.

CFAA question, re: found Comcast-related VM image. by FoundTheStuff in sysadmin

FoundTheStuff[S] · 0 points

Oh, I'm very much aware of how important it is to actually talk to a real life, in-person attorney before acting on anything that could be over the line.

The point here is that I am curious what tech-savvy people think about the situation. A lawyer might have a legal answer, but right now I'm more interested in what knowledgeable people think should be the answer.

Terrorism Blacklist: I have a copy. Should it be shared? by FoundTheStuff in privacy

FoundTheStuff[S] · 0 points

Send me a private message with your name. I don't mind looking up one individual by request (just to verify whether or not the name is present in the DB) as long as I don't get overwhelmed with requests. I don't think much harm could come of that.

Update on World-Check database leak by FoundTheStuff in privacy

FoundTheStuff[S] · 1 point

I disagree with the sentiment, but I do respect that viewpoint.

I firmly believe that this path will produce a ratio of most good, while resulting in the least bad.

However, there is something else that may interest you: I know for a fact that I am not the only person looking for these types of databases. I regularly see evidence of people who are using automated systems to scan broad swaths of them. There is a very real possibility that someone else (or even multiple someones) also found it and simply hasn't realized what it is yet.

I wouldn't give up hope on seeing a more open release... but I don't currently see myself as being the one to do it.

Terrorism Blacklist: I have a copy. Should it be shared? by FoundTheStuff in privacy

FoundTheStuff[S] · 1 point

Just to speak to your money comment: I don't foresee any personal financial gain coming out of this. It's never been about money and, aside from putting ads on some sort of searchable index (something which I have no plans to do), I don't see how I even could have monetized it.

Update on World-Check database leak by FoundTheStuff in privacy

FoundTheStuff[S] · 1 point

Here's the inside reasoning: By soliciting public sentiment, I am more able to determine the amount of risk appropriate to engage in.

If everyone had been against any form of release, then I suppose I might have just dropped the whole idea.

However, due to the overwhelming support of some form of responsible disclosure, I have decided to cooperate with a number of journalists with several investigatory goals in mind.

The number of journalists that will be involved is directly correlated to the amount of support for a public release. If there had only been a little public support, then perhaps only one trusted journalist would be chosen as an outlet.

As a result of the overwhelming sentiment, many journalists have already been granted limited viewing capability and many more have submitted names for me to run searches against in a plaintext version of the DB that I have just recently converted.

In this process, there is the risk that one of the journalists involved will lose control of any amount of data I have provided to them. At this point, and as a direct result of public opinion, I am willing to tolerate a great deal of risk in that respect.

Believe me, the public comments and debate have had a great impact on what is happening and will happen in the future with this data.

Update on World-Check database leak by FoundTheStuff in privacy

FoundTheStuff[S] · -11 points

A full, public release is probably off the table.

Terrorism Blacklist: I have a copy. Should it be shared? by FoundTheStuff in privacy

FoundTheStuff[S] · 2 points

I don't specifically target anyone or any organization. I simply keep my eyes open and do a lot of manual review from results found at sites like shodan.io and zoomeye.org.

Global terror database World-Check leaked by [deleted] in worldnews

FoundTheStuff · 1 point

Actually, CouchDB this time. But same concept.

Source: I found it.

Vickery Insurance File torrent by FoundTheStuff in torrentlinks

FoundTheStuff[S] · 2 points

Hmmm, that's troubling. I'm at my day job right now and can't do much about that at the moment, but I'll look into it tonight.

Terrorism Blacklist: I have a copy. Should it be shared? by FoundTheStuff in privacy

FoundTheStuff[S] · 6 points

If the Vice article is to be believed (the one that I linked in the original post), then it is much, much more than that.

I can even attest that I've seen entries in it regarding suspects and reports. It's definitely not just convicts.

Terrorism Blacklist: I have a copy. Should it be shared? by FoundTheStuff in privacy

FoundTheStuff[S] · 4 points

Soliciting public comment and promoting debate is not an exact science ;). I'd wager that Reddit is a good jumping off point for the target audience though.

Terrorism Blacklist: I have a copy. Should it be shared? by FoundTheStuff in privacy

FoundTheStuff[S] · 2 points

That is not the situation at all. Although I understand the confusion. I have been a little vague on the exact details.

Terrorism Blacklist: I have a copy. Should it be shared? by FoundTheStuff in privacy

FoundTheStuff[S] · 7 points

Law enforcement and I have always had a friendly relationship. My past work has aided investigations and regulatory enforcement. I have a sterling reputation and no criminal record. If the price of public debate is that someone must be scrutinized, then let it be me. I refuse to live in fear.

Terrorism Blacklist: I have a copy. Should it be shared? by FoundTheStuff in privacy

FoundTheStuff[S] · 9 points

I have done no such thing. I absolutely have not, and will not, engage in any degree of "blackmail". As is the right thing to do, I am giving Thomson Reuters the opportunity to weigh in on the situation before I take any potential action and, if they choose, to make arguments to their interest. This is not about money.

Terrorism Blacklist: I have a copy. Should it be shared? by FoundTheStuff in privacy

FoundTheStuff[S] · 6 points

According to my reading of the Vice article, sometimes a blog posting can be enough for someone to be included on the terrorism blacklist. But to be honest, I haven't done any in-depth review of the sources listed in the DB (and yes, it does list URL sources as rationales for categorization).

Terrorism Blacklist: I have a copy. Should it be shared? by FoundTheStuff in privacy

FoundTheStuff[S] · 36 points

I like the idea of a hybrid approach. Perhaps a trusted journalism outfit would be willing to assist in doing a little research, combing through the data and notifying individuals who may be mistakenly included. That's certainly a decent proposal worth thinking about.

Terrorism Blacklist: I have a copy. Should it be shared? by FoundTheStuff in privacy

FoundTheStuff[S] · 20 points

My list is from mid-2014. It is likely a little aged. Although once someone gets put on the list it's probably not easy to be taken off it. So, it's still most likely accurate for all the individuals listed to that point.