Massive US Military Social Media Spying Archive Left Wide Open In AWS S3 Buckets (theregister.co.uk)
An anonymous reader quotes a report from The Register: Three misconfigured AWS S3 buckets have been discovered wide open on the public internet containing "dozens of terabytes" of social media posts and similar pages -- all scraped from around the world by the U.S. military to identify and profile persons of interest. The archives were found by veteran security breach hunter UpGuard's Chris Vickery during a routine scan of open Amazon-hosted data silos, and these ones weren't exactly hidden. The buckets were named centcom-backup, centcom-archive, and pacom-archive. CENTCOM is the common abbreviation for the U.S. Central Command, which controls army operations in the Middle East, North Africa and Central Asia. PACOM is the name for U.S. Pacific Command, covering the rest of southern Asia, China and Australasia.
"For the research I downloaded 400GB of samples but there were many terabytes of data up there," he said. "It's mainly compressed text files that can expand out by a factor of ten so there's dozens and dozens of terabytes out there and that's a conservative estimate." Just one of the buckets contained 1.8 billion social media posts automatically fetched over the past eight years up to today. It mainly contains postings made in central Asia, however Vickery noted that some of the material is taken from comments made by American citizens. The databases also reveal some interesting clues as to what this information is being used for. Documents make reference to the fact that the archive was collected as part of the U.S. government's Outpost program, which is a social media monitoring and influencing campaign designed to target overseas youths and steer them away from terrorism.
It was already public (Score:1, Interesting)
Unless they're claiming these were private posts the spooks somehow hacked into, it's just another public copy of already public data.
Re: (Score:1)
The thing is the reason I "want to think it's ok to post in public" is because I don't think my government should spy on me. At all.
Sure they may consider it useful but ..
What if in the US rather than saying "Oh we must have access to anything which can be encrypted" they instead said "We won't use any information gathering even if it's un-encrypted and in the public, and we won't ask anyone else for it either and such information can't be used against anyone / usage of such information would automatically
More Obama-era spying programs (Score:1, Interesting)
Thanks Democrats for voting that clown in. He took the Bush-era surveillance and expanded it by leaps and bounds. It's time we appoint a special prosecutor and investigate all of the abuses of the Obama administration.
Re:S3 buckets are locked down by default (Score:5, Insightful)
a) Amazon buckets didn't always come that way, it took some pressure for Amazon to accept that this was a poor default setting.
b) In most of these cases, it's simply incompetence - I can't get OAuth to work, let's just set it to public and hope nobody guesses the bucket name.
Re: (Score:2)
In most of these cases, it's simply incompetence - I can't get OAuth to work, let's just set it to public and hope nobody guesses the bucket name.
I want to know how people guessed the bucket name: I'm impressed that they do.
Re: (Score:2)
Well, let's start with the usual suspects. Did a contractor / employee have access to it, and, I don't know, have the WeatherBug application running in the background?
Re: (Score:3)
Why worry about "social media" when US and UK gov policy is been created by decades of well placed spies.
Other nations don't worry about social media in the same way the USA wasted billions trying to "sway" people.
"Social media" does not change a person's faith and what their faith will always command them to do.
Smart nations, faiths, cults, criminals just line their spies up at UK
Why use AWS? (Score:3, Interesting)
Why doesn't the military store their own stuff?
Re:Why use AWS? (Score:5, Informative)
Same reason they don't build their own airplanes, ships, guns, etc...
Re: Why use AWS? (Score:2, Funny)
His too stupid what?
Re: Why use AWS? (Score:1)
Reliance of Her Majesty the Queen and the British empire?
Re:Why use AWS? (Score:4, Insightful)
That's not a great comparison.
Making their own planes and guns would be like making their own processors and hard drives. They would never do that.
The question was more about why they store their data on somebody else's computers. This would be like keeping their guns in someone else's warehouse, where that somebody makes the keys and locks to that warehouse.
Re: (Score:1)
Because it is more cost effective to have the private sector do it, as they can subsidize the cost of collection by selling the data onto other customers (marketing, foreign governments) rather than have the US army do it.
Re: (Score:3)
Think of a world that allowed the US mil to spend millions on its own internal, secure networks.
That's billions in build and long term support contracts lost to the shareholders and outside contractors.
What the US mil could secure for millions has been given to contractors to look after for billions. That money is gone. The once very secret and secure US mil data is.... ????
Re: (Score:1)
All the best storage experts smoke pot so their services have to be bought from the private sector.
I kid, I kid.
Re: (Score:3)
Money? That and if this happened on a military install, they'd be sporting an even larger black eye than they currently have ("You trusted Amazon? What's wrong with you?" vs. "Our nation's elite military 'cyber-warriors' can't secure a simple database from opportunistic h@x0rs...how the hell are they going to protect us from {enemy}?"). The first one is a gaffe, the second one is a congressional inquisition into 'what exactly do you do with all that money we give you.'
Re: (Score:2)
In the mid-1990s my company was doing some ship model testing. We rented the tow tank at the U.S. Navy's David Taylor Research Center (now David Taylor Model Basin).
If it was on social media is it Public Domain? (Score:1)
If you can still claim copyright etc, it doesn't mean you can claim anything on social media is 'secret'. If so, this is nothing more than what every Sysadmin with half a brain has been saying... containers on machines you don't control are not secure.
Re: (Score:2)
A book about the Democratic party is pretty much guaranteed to be PR, either by a party supporter or by an opponent. In neither case should it be believed. Instead watch what it does and how it acts. The same is true for the other parties.
A Democratic event is more revealing, but attending at more than a low level event requires approval by those higher up in the party. While there are obvious reasons why this is necessary, it mitigates against trusting what you see as being an accurate mirror of the in
what is /. (Score:2)
It's like I was telling them (Score:2, Interesting)
If it's in the cloud, even the secure cloud, it's open.
You may not think it is, but it is.
And, yes, other nations do - and will - have access to it.
The US military hackers show their competence once (Score:1)
... again.
I'm sure Russia is super-scared.
As for that guy who some day suggested that all other people were inferior: https://slashdot.org/comments.... [slashdot.org]
At least those willing to relocate to the US.. Well.. I'm pretty sure some Russian and even North Korean computer users will know their shit and could have been interested in doing something in the US too.
Unreasonable? (Score:1)
Justice says it is only reasonable to have encryption if they can read it.
If they can only protect it as well as this, reasonable is a sad story.
Told someone today... (Score:5, Funny)
...as my company switches to AWS Workspaces, someone asked me what AWS is. I explained it and summarized: it's a very powerful and capable platform, yet its users are perfectly capable of powerfully shooting themselves in both feet.
UK Parliamentary data (Score:2)
UK Parliament moved their email and documents into the *Microsoft* cloud in Ireland......
(From Snowden): CIA was/is spying on all its allies, and each day a brief on legislation was prepared for Bush (and later Obama) on who was considering what legislation. If it was bad for the USA, it could be headed off. The joke being that when allied leaders called the President he already knew the details of the legislation they were going to talk about, and already had lined up talking points and counter allies as l
Re: (Score:2)
It's quite staggering that GCHQ would permit the highest law making body in the land to put its data into a cloud they know they and NSA have access to. Exposing the law making process to known foreign surveillance.
Exposing the law making process to surveillance available to only a select few is not a bug, it's a feature [investopedia.com].
FTFY.
Is it legal? (Score:2)
In other shocking news.... (Score:2)
Factor of 10 compression? (Score:2)
GZIP is more like a factor of 3-4 times for text. The only way they could get a factor of 10 compression ratio would be if they were using something like PAQAR 4.5, which I kinda doubt...