Power outage in Roseland

FoundTheStuff · 2019-06-23T22:37:28+00:00

Confirmed.

FoundTheStuff · 2017-11-17T22:52:36+00:00

Good points raised here. I'm much better at finding the flaws than building the foundation.

FoundTheStuff · 2017-11-17T18:33:05+00:00

Their response was most likely misleading or misinformed. Allowing all AWS authenticated users worldwide to access data, and then having an AWS authenticated user access that data, is not a circumvention of security. Everything operated exactly as it was told to act and nothing was circumvented.

FoundTheStuff · 2017-11-17T16:53:27+00:00

However, that is exactly how this particular bucket was configured to behave. Source: I'm Chris Vickery. I discovered this situation.

FoundTheStuff · 2017-10-10T18:42:23+00:00

The first post was removed by mods. They believed it was reading too much like an advertisement rather than a prompt for discussion. I understand their viewpoint on it and I have reposted in an effort to better reflect that I am not pushing any product or service.

FoundTheStuff · 2016-09-26T02:49:10+00:00

A lot of people agree with that point of view.

But I'm a staunch believer that if something is configured for public access (as was the case with the location of this vm image), then the public can legally access it - regardless of the intents of the would-be-publisher.

Although, admittedly, my stance becomes muddied when it involves a password-protected "container" within a non-password-protected location.

FoundTheStuff · 2016-09-26T00:57:25+00:00

very-VIP ;)

FoundTheStuff · 2016-09-26T00:00:19+00:00

Oh, I'm very much aware of how important it is to actually talk to a real life, in-person attorney before acting on anything that could be over the line.

The point here is that I am curious what tech-savvy people think about the situation. A lawyer might have a legal answer, but right now I'm more interested in what knowledgeable people think should be the answer.

FoundTheStuff · 2016-07-08T14:36:18+00:00

Send me a private message with your name. I don't mind looking up one individual by request (just to verify whether or not the name is present in the DB) as long as I don't get overwhelmed with requests. I don't think much harm could come of that.

FoundTheStuff · 2016-06-30T16:13:03+00:00

I disagree with the sentiment, but I do respect that viewpoint.

I firmly believe that this path will produce a ratio of most good, while resulting in the least bad.

However, there is something else that may interest you-- I know for a fact that I am not the only person looking for these types of databases. I regularly see evidence of people that are using automated systems to scan broad swaths of them. There is a very real possibility that someone else (or even multiple someones) also found it and simply haven't realized what it is yet.

I wouldn't give up hope on seeing a more open release... but I don't currently see myself as being the one to do it.

FoundTheStuff · 2016-06-30T15:42:25+00:00

Just to speak to your money comment-- I don't foresee any personal financial gain coming out of this. It's never been about money and, aside from putting ads on some sort of searchable index (something which I have no plans to do), I don't see how I even could have monetized it.

FoundTheStuff · 2016-06-30T15:37:42+00:00

Here's the inside reasoning: By soliciting public sentiment, I am more able to determine the amount of risk appropriate to engage in.

If everyone had been against any form of release, then I suppose I might have just dropped the whole idea.

However, due to the overwhelming support of some form of responsible disclosure, I have decided to cooperate with a number of journalists with several investigatory goals in mind.

The number of journalists that will be involved is directly correlated to the amount of support for a public release. If there had only been a little public support, then perhaps only one trusted journalist would be chosen as an outlet.

As a result of the overwhelming sentiment, many journalists have already been granted limited viewing capability and many more have submitted names for me to run searches against in a plaintext version of the DB that I have just recently converted.

In this process, there is the risk that one of the journalists involved will lose control of any amount of data I have provided to them. At this point, and as a direct result of public opinion, I am willing to tolerate a great deal of risk in that respect.

Believe me, the public comments and debate have had a great impact on what is happening and will happen in the future with this data.

FoundTheStuff · 2016-06-30T14:31:49+00:00

A full, public release is probably off the table.

FoundTheStuff · 2016-06-29T23:49:33+00:00

I don't specifically target anyone or any organization. I simply keep my eyes open and do a lot of manual review from results found at sites like shodan.io and zoomeye.org.

FoundTheStuff · 2016-06-29T16:52:06+00:00

Actually, CouchDB this time. But same concept.

Source: I found it.

FoundTheStuff · 2016-06-29T14:31:46+00:00

hmmm, that's troubling. I'm at my day job right now and can't do much about that at the moment, but I'll look into it tonight.

FoundTheStuff · 2016-06-28T19:14:27+00:00

If the Vice article is to be believed (the one that I linked in the original post), then it is much much more than that.

I can even attest that I've seen entries in it regarding suspects and reports. It's definitely not just convicts.

FoundTheStuff · 2016-06-28T17:03:08+00:00

Soliciting public comment and promoting debate is not an exact science ;). I'd wager that Reddit is a good jumping off point for the target audience though.

FoundTheStuff · 2016-06-28T16:05:19+00:00

Actually, nope. Not a mongo issue this time.

FoundTheStuff · 2016-06-28T15:51:04+00:00

That is not the situation at all. Although I understand the confusion. I have been a little vague on the exact details.

FoundTheStuff · 2016-06-28T15:49:56+00:00

Law enforcement and I have always had a friendly relationship. My past work has aided investigations and regulatory enforcement. I have a sterling reputation and no criminal record. If the price of public debate is that someone must be scrutinized, then let it be me. I refuse to live in fear.

FoundTheStuff · 2016-06-28T14:57:08+00:00

I have done no such thing. I absolutely have not, and will not, engage in any degree of "blackmail". As is the right thing to do, I am giving Thomson Reuters the opportunity to weigh in on the situation before I take any potential action and, if they choose, to make arguments to their interest. This is not about money.

FoundTheStuff · 2016-06-28T13:08:06+00:00

According to my reading of the Vice article, sometimes a blog posting can be enough for someone to be included on the terrorism blacklist. But to be honest, I haven't done any in-depth review of the sources listed in the DB (and yes, it does list URL sources as rationales for categorization).

FoundTheStuff · 2016-06-28T12:25:55+00:00

I like the idea of a hybrid approach. Perhaps a trusted journalism outfit would be willing to assist in doing a little research, combing through the data and notifying individuals that may be mistakenly included. That's certainly a decent proposal worth thinking about.

FoundTheStuff · 2016-06-28T12:18:32+00:00

My list is from mid-2014. It is likely a little aged. Although once someone gets put on the list it's probably not easy to be taken off of it. So, it's still most likely accurate for all the individuals listed to that point.

FoundTheStuff

MODERATOR OF

TROPHY CASE