Documents marked “not for public release” aren’t classified. They’re what’s called controlled unclassified information (CUI). It’s anything from PII, law enforcement victim records to sensitive (but unclassified) technical manuals. There’s dozens of categories if anyone cares to look at them: https://www.archives.gov/cui/registry/category-marking-list
They shouldn’t be sitting out there, but it’s also not a crime.
The first result I got was labeled “classified: top secret - not for public release” so
the label is more broadly applied than just CUI.my assumption that the document was legit was wrong.That’s pretty obviously fake. This is what the real markings look like: https://www.archives.gov/files/isoo/training/marking-booklet-revision.pdf
I mean, here’s the document. Unfortunately I am literally incapable of reading the dense material you provided, so you’ll have to be the judge. https://s3.amazonaws.com/tabroom-files/tourns/16458/postings/23658/Sunvite2021FinalsBriefing1.pdf
100% fake.
I work in a HIPAA-covered industry and if our AWS and GCP buckets are insecure that’s on us. Fuck Amazon, but a hammer isn’t responsible for someone throwing it through a window and a cloud storage bucket isn’t responsible for the owner putting secret shit in it and then enabling public access.
Yeah I hate Amazon as much as the next person, but this is a people/process problem, not an Amazon problem. Amazon doesn’t know or care what you put into an AWS bucket (within reason, data tracking, etc, blah blah blah). People taking classified documents and uploading it to an Internet-connected cloud service is procedurally wrong on so many levels.
It could be both. In the absence of more data, I’m reserving my judgement.
No, it literally cannot be both, full stop. There should rigorous, well defined procedures and processes for handling classified data, and chiefly among those should be something along the lines of “don’t upload classified documents to a publicly-available internet-connected location/service/filestore/etc”. If it’s not, a security officer has not done their job.
What kills me about S3 is that the use cases for publicly accessing S3 contents over HTTP have got to be vanishingly small compared to every other use of the service. I appreciate there’s legacy baggage here but I seriously wonder why Amazon hasn’t retired public S3 and launched a distinct service or control for this that’s harder to screw up.
Public access is disabled by default and it warns you when you enable it. How much more idiot proof does it need to be?
Honestly, I’m for removing the option and moving that “feature” somewhere else in AWS entirely. And those warnings aren’t really a thing when using IaC. Right now it’s still a “click here for self harm” button, even with the idiot proofing around it.
Wouldn’t say so, loads of people and organisations use it as a pseudo-CDN of sorts AFAIK
To be fair, it’s probably more about the IT contractors and consulting firms that didn’t implement security policies or configurations correctly on the S3 buckets for the governments they’re working for. The AWS products aren’t opening up things to the public internet without auth. Which I bet most of you knew.
Example: Accenture left a trove of highly sensitive data on public servers (2017)
I added more JPEG for OP:
Okay, the question I have, is why any government from a developed country would ever use something like AWS or something that everyone can obtain access to rather than making their own private solutions to these problems?
It’s easier to hire someone who knows aws than to train someone on your custom thing. I don’t really agree, but that’s mostly the reasoning.
Amazon has a government cloud offering https://aws.amazon.com/govcloud-us/
deleted by creator
and circular things roll back down hill so easily it’s constantly amazing that anyone’s dumb enough to try it this day and age… buuut then I guess there’s always that child who’s satisfied shoving all shapes through the square hole…
Another question could be : which developed country is not yet using the popular AWS already and why ?
For example : https://press.aboutamazon.com/2023/10/amazon-web-services-to-launch-aws-european-sovereign-cloud
Customers, AWS Partners, and regulators welcoming the new AWS European Sovereign Cloud include the German Federal Office for Information Security (BSI), German Federal Ministry of the Interior and Community (BMI), German Federal Ministry for Digital and Transport, Finland Ministry of Finance, National Cyber and Information Security Agency (NÚKIB) in the Czech Republic, National Cyber Security Directorate of Romania, SAP, Dedalus, Deutsche Telekom, O2 Telefónica in Germany, Heidelberger Druckmaschinen AG, Raisin, Scalable Capital, de Volksbank, Telia Company, Accenture, AlmavivA, Deloitte, Eviden, Materna, and msg group
Cloud presents several advantages,and GovCloud is a thing.
Like, Amazon has SCIF cloud offerings. These leaks were cuz some dumbass contractor exposed a repo to the internet
I expect the same reasons they’re mostly all using Microsoft Office, Windows, and Active Directory. Because it’s cheaper than doing it yourself.
This comment makes it clear you’ve never worked in government IT.
Hell, I’m still in college for an IT degree, so no I haven’t worked in government IT.
The US government fucking sucks at it.
I really wish it wasn’t the case.
Aaand that search query got me some files with the top secret flag. Fortunately, they seem to be internal memos on things that are already known to the public, so nothing too immediately dangerous.
My big question is, why in the ever-loving fuck are these files outside of SIPRNET?
Contractors and third parties with security clearance. Did you really think any US government agency actually tightened things down properly after Snowden?
Is it illegal to have these or just distribution is illegal? I’m worried about the implications of you downloading but it isn’t like anyone will care.
As for how they got there, perhaps via scan-to-email from the Mar-a-Lago copy- and bathroom.
This shit has been happening for far far longer than cheeto. It’s bipartisan military organization incompetence, and the exact issue that allowed the Snowden leaks to occur.
The markings tell people with clearance how to handle the documents more than anything else. You have no way of knowing if it’s a legit marking.
Obligatory, I am not a lawyer.
If random citizen finds it on the street they can’t be punished for having it. But the government can repossess the document at any time.
“cloud first” is a mantra that not even the FedGov can refuse.
Mostly cuz the largest, data mining, and ad-driven companies in the world told them it was better.
So many of the results I see are incredibly obvious fakes.
Second result for me was a document about Russian hackers and their demands that we enstate trump as president after he lost.
In their defense:
Yeah i saw this before
deleted by creator
