Though it's no excuse, it's not surprising people leave it open; it's too hard to figure out how to lock it down.
Amazon needs to share some of the blame here and create a sane UI.
Default settings are usually NO public read, and it actually takes more work to make stuff publicly readable on S3 than to just leave it as private.
I am thinking the biggest stuff-up with this vendor is that they made the entire bucket or bucket key available publicly, which is a pretty dumb and deliberate thing.
If you wanted people to access resumes on an individual basis via a known web link, then just make the documents individually publicly readable, but don't make the entire bucket readable by default.
Better still, use Amazon's 'one time' or time based permissions to make sensitive files only available to a certain person or for a limited time.
Re: UI - Amazon's new S3 console is spades better than their old one - plenty of auditing and analytics tools there too which can prevent silly mistakes like this.
While true, and a very sensible default, this misses one crucial point.
Setting granular permissions for an S3 bucket is hideously difficult. Want to limit access to a whitelisted set of users or origins? Write a bucket policy. This is where the UI completely fails.
0: The policies can become awfully difficult to understand even for straightforward use cases.
1: You can have policies with sensible rule sets, but the S3 UI doesn't let you pick and attach any of them.
2: The "permissions" tab has a very convenient and extremely dangerous option as the top item: "allow access for any logged in user"
I'll let the last one sink in. It's not "any logged in user in MY organisation", it's really "ANY logged in AWS user". Making the bucket essentially world-readable by accident is far too easy.
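The two points made above (a bucket policy scoped to a whitelisted set of principals, and the "any logged in AWS user" grant that is really the AuthenticatedUsers group) can be checked mechanically. The following is an added example, not code from the original thread or from AWS: it builds a least-privilege bucket policy for named IAM principals, and audits an ACL and a policy for the two dangerous grants. The group URIs are the real ones AWS uses in ACL grants; the bucket name, account id, role name and the sample ACL/policy documents are constructed for the example, in the shape the S3 GetBucketAcl / GetBucketPolicy APIs return.

```python
import json

# Real AWS predefined-group URIs that appear in S3 ACL grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def least_privilege_bucket_policy(bucket, principal_arns, prefix="resumes/"):
    """Bucket policy that lets only the named IAM principals read objects
    under `prefix`; nothing else is granted (no wildcard principal)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "NamedPrincipalsReadOnly",
                "Effect": "Allow",
                "Principal": {"AWS": list(principal_arns)},
                "Action": ["s3:GetObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/{prefix}*"],
            }
        ],
    }


def acl_findings(acl):
    """Flag ACL grants to the AllUsers (anonymous) and AuthenticatedUsers
    (any AWS account in the world, not just yours) groups.
    `acl` has the shape of a GetBucketAcl response: {"Owner": ..., "Grants": [...]}."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser grants name one specific account
        perm = grant.get("Permission")
        if grantee.get("URI") == ALL_USERS:
            findings.append(f"ACL grants {perm} to AllUsers (fully public)")
        elif grantee.get("URI") == AUTHENTICATED_USERS:
            findings.append(
                f"ACL grants {perm} to AuthenticatedUsers (any AWS account, not just yours)"
            )
    return findings


def policy_findings(policy):
    """Flag Allow statements whose Principal is the wildcard '*' (anonymous
    access) with no Condition narrowing it. AWS treats "Principal": "*" and
    "Principal": {"AWS": "*"} the same, so both spellings are normalised."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if isinstance(aws, str):
            aws = [aws]
        if "*" in (aws or []) and not st.get("Condition"):
            findings.append(
                f"statement {st.get('Sid', '?')} allows anonymous principal '*' "
                f"for {st.get('Action')}"
            )
    return findings


# Constructed sample ACL: a bucket after someone ticked the
# "allow access for any logged in user" box in the console.
SAMPLE_ACL = {
    "Owner": {"ID": "example-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}

# Constructed sample policy: the "just make it work" wildcard.
SAMPLE_OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "OpenRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}

if __name__ == "__main__":
    for f in acl_findings(SAMPLE_ACL) + policy_findings(SAMPLE_OPEN_POLICY):
        print("FINDING:", f)
    # Constructed account id and role name (hypothetical recruiter role).
    safe = least_privilege_bucket_policy(
        "example-bucket", ["arn:aws:iam::123456789012:role/recruiter-reader"])
    print(json.dumps(safe, indent=2))
    print("findings on least-privilege policy:", policy_findings(safe))
```

Against a live account the same two functions would be fed the output of `get_bucket_acl` and `get_bucket_policy` for each bucket; the point of the audit is that the AuthenticatedUsers grant looks harmless in the console but is indistinguishable from public as far as the rest of the world is concerned.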
Also, it's amusing that they're blaming this mysterious third-party "TalentPen" whose search results are so scant that they have this very article as one of the top hits. Wouldn't TigerSwan be equally liable for vetting their vendors?
You name it, I've probably come across it - lots are for hosting static content of websites which is pretty common, but there are also website and database backups, user uploaded content (from a sensitive 'dating' website), development and staging environments with sensitive internal information, a sea of CVs etc.
The hardest part is trying to responsibly disclose this stuff to the businesses - trying to find a security contact is often impossible, leaving it up to info@ or support@ emails.
And obviously AWS aren't the only cloud storage provider out there... there is more to be found with the other providers.
That sounds more likely. AWS permissions are tricky, but not so tricky that it's easy to leave a bucket wide open like that. In my experience, they're much more likely to lock out someone who should be able to access them than to allow someone who shouldn't. Just bad practice to give up and allow anyone in.
[1] https://www.washingtonpost.com/news/worldviews/wp/2013/06/12...
My first job out was the worst. Easily half of the "tell me about a time when you..." questions required me to be vague and speak about skills instead of projects, people, customers or goals. I was lucky because the CEO of that company was a friend of a friend and they did a number of classified projects themselves.
If it had been an all-civilian or non-IC-connected firm, it would have been awful.
As a reaction to all that, I went deep into the open source community and blogging with the goal of always having projects and a portfolio I could talk about and show. Best decision I ever made.
Hiring is not very competitive for government work. They are usually hiring warm bodies with clearances rather than talent.
If you're going from government cleared work to something completely different, it's still fine to get a reference from people you worked with; there are just some pieces that are filtered.
If you're leaving the intel community, chances are your references are really pertinent. All the "I can't say" responses will derail a lot of interviewers though.
Not so sure about that.
The majority of interviews in the HN bubble are hours of technical questions and quizzes, where the interviewers will not ask a single question about your resume.
Outside of this bubble, the more mature interviewers, who have done hundreds and hundreds of interviews, are not moved by a "This is confidential... I could talk about -other thing- instead".
Let's see some independent analyses of this dataset. Start turning on the right lights and the roaches will scatter.