
Jesus Christ, you can't just leave your S3 bucket open, guys. There are lots of warnings from Amazon before you end up doing that, and it's so easy to not do (pre-signed URLs if you really need a URL).

I guess it's rather interesting to see the reactions from the media and HN comments. Sort of reflects the relative politics:

- Patreon leak. Media didn't go download everyone's data and threaten to get info. HN blamed Patreon.

- GiveSendGo (a terrible name imho). Media downloads the data and threatens to get info. HN blames the hacker.

I think I'm going to choose consistency here. I hate these data breach guys, but it's sort of like I hate mosquitoes. If I could cleanse the Earth of them I would, but I can't. So I accept they are just a natural constraint. But if your hotel has mosquitoes I'm going to blame your hotel.

This 'hack' is dealing with amateurish security. If you're in a controversial place you've got to do better. GiveSendGo has a lot of work to do (unless this was something weird this specific campaign did). And their security position on this was terrible: https://techcrunch.com/2022/02/08/ottawa-trucker-freedom-con...

> TechCrunch contacted GiveSendGo co-founder Jacob Wells with details of the exposed bucket on Tuesday. The bucket was secured a short time later, but Wells did not respond to our questions, including if GiveSendGo planned on informing about the security lapse those whose information was exposed.

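The first comment's point, that an open bucket is a configuration someone wrote rather than an accident, can be made concrete by looking at what "open" means in S3 terms: a bucket policy statement that allows actions to any principal, or an ACL grant to the global AllUsers or AuthenticatedUsers group. The following is an added example, not code from this thread or from GiveSendGo or Patreon; it audits a bucket policy document and an ACL grant list of the shape the S3 GetBucketPolicy and GetBucketAcl APIs return, entirely offline. The sample policies, the bucket name example-donations, the role name ExampleApp and the account ID are constructed for the example.

```python
"""Offline audit of an S3 bucket policy and ACL for grants to the public."""
import json

# The two group URIs S3 uses for "everyone" and "any AWS account" in ACLs.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (or "*" inside an AWS list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def audit_policy(policy_doc):
    """Return findings for Allow statements whose principal is anyone.

    A wildcard principal with no Condition is flagged PUBLIC; one with a
    Condition is flagged REVIEW, since the condition may or may not narrow it.
    """
    findings = []
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = ",".join(_as_list(stmt.get("Action", [])))
        if "Condition" in stmt:
            findings.append(f"REVIEW: statement {sid} allows {actions} to any principal, limited by a Condition")
        else:
            findings.append(f"PUBLIC: statement {sid} allows {actions} to any principal with no Condition")
    return findings


def audit_acl(grants):
    """Return findings for ACL grants to the AllUsers/AuthenticatedUsers groups."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"PUBLIC: ACL grants {grant.get('Permission')} to {group}")
    return findings


def is_public(policy_doc, grants):
    """Overall verdict: any PUBLIC finding from either the policy or the ACL."""
    return any(f.startswith("PUBLIC") for f in audit_policy(policy_doc) + audit_acl(grants))


# Constructed sample: the kind of policy + ACL that exposes every object to the internet.
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-donations", "arn:aws:s3:::example-donations/*"]
  }]
}""")
OPEN_ACL = [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

# Constructed sample: the same bucket restricted to one application role (placeholder account ID).
LOCKED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/ExampleApp"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-donations/*",
    }],
}
LOCKED_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
     "Permission": "FULL_CONTROL"},
]

if __name__ == "__main__":
    for name, policy, acl in (("open", OPEN_POLICY, OPEN_ACL), ("locked", LOCKED_POLICY, LOCKED_ACL)):
        print(f"{name}: public={is_public(policy, acl)}")
        for line in audit_policy(policy) + audit_acl(acl):
            print("  " + line)
```

Feeding this the output of `aws s3api get-bucket-policy` and `get-bucket-acl` is the cheap check to run before a bucket holds anything sensitive; the durable fix is the bucket- or account-level Block Public Access setting (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets), which refuses grants like the ones in OPEN_POLICY and OPEN_ACL at write time. With the bucket kept private, the pre-signed URLs the comment mentions are how a site hands out time-limited access to individual objects without any wildcard grant.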



Patreon is a bay area startup with loads of VC funding. Their engineering team is well paid and people hold them to a higher standard.

GiveSendGo has amateurish security because it's an amateurish company.

Think of it this way. Patreon's security failure made bay area techies look bad because it turned out that you couldn't just hire a bunch of them and expect things to go well. GiveSendGo's security failure makes bay area techies look bad because it turns out cloud security isn't as easy as they'd like to think.

Also taking down small sites that provide services to the out group of the bay area is unacceptable in a democracy. It invites legislative reprisal.


Thank you for writing a comment that is actually about opsec and technology, unlike so many others in this thread.


The question I have is, did GiveSendGo concede that they left the bucket open, and if not, how was it opened?



