The interesting thing is, most people wouldn't do the same things (say, chmod 777 all the things) on a public NAS.
If this assumption is true, it begs the question. Why do people act like public cloud storage is more secure than "private", on-prem storage?
Do users expect safe defaults (as in, "default deny")?
Is it just a matter of attitude, where people think public cloud is more secure because it's not managed by (potentially short-staffed) corporate IT teams, even if it's not completely managed by the cloud provider?
Buckets are default deny, now. But for many, many years they were not, and the defaults almost certainly changed due to the many, many examples of "accidental exposure".
I'd love to know what the original architects of S3 think now, looking back, of S3 buckets being globally unique.
AWS has certainly enjoyed a class of vulnerabilities caused by the way they allocate resources and expose them over DNS, but S3 is just a simple namespace.
Can you explain what you mean by "for many years they were not [default deny]"? I've been using S3 for 10+ years and I can't remember a time when they were ever open-by-default.
If you mean there were years where it was dangerously easy to accidentally open up a bucket, you'll get no disagreement from me. But I can't think of a time when they weren't default deny.
IMO, "cloud" usually translates to web-based development. I think a lot of HN readers are at a higher level than your average developer, making these types of issues seem crazy to have, and getting into web development seems to be easier than other types of development. This may just be perception, as the place to find web tutorials is already in the environment they will be used in. I know web developers get a lot of hate, and I'm not trying to perpetuate that (especially going on almost 20 years as one), but I do think the ease of getting into web development is a contributing factor to the surprise most of us have at issues like this. In general, I think most web developers don't really know what they are doing, as they try to just get up and running without even knowing to think about security. It seems like a fake-it-until-you-make-it type of industry, compared to other types of development. I try to keep up in other areas of development, and understand that security isn't something to be bolted on at a later stage of development, but I also started my professional career learning network administration and security before I ever started web development. Lots of developers get their application working, are too afraid to start looking into what they could improve, and that includes looking into security. This has been my personal experience any time I've tried mentoring other developers, and by nature of being web-based, security is a much bigger deal than in a private network.
It's because systems are highly complex and there are a thousand little things that you need to know to use them. Once you have experience working with it (or even reading enough docs), you know which of those thousand things should take up the most space in your mind.
But if you are new and are pressed for time, you only look at maybe a fraction of those thousand things, and inevitably you miss some important things.
AWS used to not have sane defaults for S3 buckets.
> The interesting thing is, most people wouldn't do the same things (say, chmod 777 all the things) on a public NAS.
I ran one of those for years in a place where the median user had a science Ph.D. This happened more than once.
People also made public FTP upload folders or had PHP accepting uploads to save time.
I’m skeptical that this is more common in S3 versus being a popularity contest, and reflecting that the likelihood that some “temporary troubleshooting” mistake will be noticed in S3 is much greater than on a private server.
Reconsider your assumption. Why does ransomware work? It's because the same people who have habits and/or systems that make compromise of them possible and likely are also given full write and delete access as well as, of course, read access.
What would a ransomware attack look like if the same kind of employee who downloads bootleg versions of PDF editors was only given read access to the files they need and write access to only their own files? It'd look like a big nothing.
The fact that we see ransomware attacks that affect entire huge corporations and organizations gives an idea of how many "admins" (who don't deserve the title) give 777 permissions to everyone.
I'm sorry, but no, most ransomware attacks are not caused by admins giving their ignorant and irresponsible end users root access to everything.
Most ransomware attacks start by phishing an end user who already has appropriately limited permissions for their job function.
The real damage comes from the attacker exploiting widely known vulnerabilities, almost always in Microsoft Windows, to escalate their own privileges irrespective of the permissions of the end user they phished.
Microsoft Windows is by far the most significant factor here, not dumbass end users with root access.
Of course Windows is a huge factor, but 1) nobody said anything about giving users root access, and 2) this has happened plenty of times with data stored on non-Windows systems, too, that weren't compromised.
Trying to make it an either-or thing is not correct. It's multiple things, but the lack of real permissions is a non-trivial percentage of cases.
Everything is possible, I know, but the number of hacks related to S3 misconfigurations (https://github.com/nagwww/s3-leaks), including major companies, still makes me wonder.
Cloud permissions are just more complicated, which means people make mistakes like this. No one is intentionally setting their buckets to be world readable.
If this assumption is true, it begs the question. Why do people act like public cloud storage is more secure than "private", on-prem storage?
Do users expect safe defaults (as in, "default deny")?
Is it just a matter of attitude, where people think public cloud is more secure because it's not managed by (potentially short-staffed) corporate IT teams, even if it's not completely managed by the cloud provider?
Or is there something else?