back to article Video-editing upstart bares users' raunchy flicks to world+dog via leaky AWS bucket

A British video-editing startup exposed what is claimed to be "thousands" of user-uploaded videos, including family films and home-made pornography, in an unsecured Amazon AWS bucket. Research by Noam Rotem and Ran Locar, for security biz vpnMentor, revealed that VEED.io left an AWS bucket completely unsecured and hosting what …

  1. Sgt_Oddball Silver badge
    Paris Hilton

    I wonder if....

    Amazon could just warn owners that they have poor or no security when any kind of datasets get created. From databases, to image/videos etc.

    Maybe look for certain metadata and close off public access instead of leaving it to the clueless admins to leave the barn door wide open?

    Afterall, which is more frustrating, not being able to access data or having everyone and their dog have access?

    Paris because I'm probably oversimplifing things...

    1. robert_swift

      Re: I wonder if....

      AWS provides a number of tools for this, and other monitoring approaches… But this seems to be such a basic failing that mo amount of tooling is likely to help them… It’s situations like this that fuel the “uurgh! cloud!” negativity in relation to security, yet AWS (as the cloud host) have done nothing wrong here… Look up their “shared responsibility model”, they don’t shy away from this topic at all…

      1. Doctor Syntax Silver badge

        Re: I wonder if....

        But why do we see so many examples of this? Is AWS insecure by default so users are failing to secure it or is it secure but inconveniently so that users are deliberately turning security off?

        Amazon need to make it more difficult to use insecurely than securely so that nobody would jumpt through the hoops to do that.

        1. Alister Silver badge

          Re: I wonder if....

          The former. S3 buckets have no public access by default.

          The trouble is that the people who set these up cannot be arsed to spend the time correctly allowing secure connections to them, and instead just turn off all the default security.

          1. hakuli

            Re: I wonder if....

            I'm curious about whether Amazon's intervention to shore up the access had any unintended consequences... like, say, knocking the video editing service in question offline temporarily...

          2. Alister Silver badge
            Facepalm

            Re: I wonder if....

            Note that when I said "the former" I actually meant "the latter"

          3. Locky Silver badge
            Childcatcher

            Re: I wonder if....

            The former. S3 buckets have no public access by default.

            Google Cloud on the other hand....

          4. Doctor Syntax Silver badge

            Re: I wonder if....

            "and instead just turn off all the default security."

            Which I suspected. It should be made more difficult to do this than to work with appropriate security, for instance, keep annoyingly turning security back on.

          5. sjback

            Re: I wonder if....

            AWS has done a lot to the S3 interface to warn users every step of the way when they are making buckets public - even putting a gigantic yellow "Public" by the bucket name. And yes, their default policy is to block all access except to bucket creator. What is really difficult/convoluted is granting limited access to S3 - I remember my first time trying to use roles to get our CI/CD server access to a particular bucket...

            Since the AWS interface is fairly easy to use, I can see giving the 1st year intern the task of configuring a bucket. Lack of experience and getting frustrated probably leads to just clicking the "allow world +dog" button frequently. "I'll fix it later" never happens and the bucket is ignored...until it's not.

        2. sabroni Silver badge

          Re: Amazon need to make it more difficult to use insecurely than securely

          That's a great idea!

          How do you achieve it?

          1. Doctor Syntax Silver badge

            Re: Amazon need to make it more difficult to use insecurely than securely

            A couple of things. One, ensure it can only be done by a confusing user interface where anything wrong in the process leaves it secure. The other, which I've suggested above, is to ignore what the user sets and periodically just going back to default. Perhaps send out an email "We've noticed that you must have accidentally left your AWS system insecure so we've repaired that for you."

            After a few cycles update the email to explain why it's really bad. Or maybe do that first and then switch to the "We've fixed it" non-explanatory version.

            1. sbivol

              Re: Amazon need to make it more difficult to use insecurely than securely

              > a confusing user interface where anything wrong in the process...

              ...ends with the user now having a Prime subscription.

              They could use the same approach when attempting to disable security.

              1. NeilPost Bronze badge

                Re: Amazon need to make it more difficult to use insecurely than securely

                “Alexa, is there a hole in my bucket”??

                1. Michael Wojcik Silver badge

                  Re: Amazon need to make it more difficult to use insecurely than securely

                  In the case of S3 buckets, I can think of a better use for the sharpened stick.

        3. prinz

          Re: I wonder if....

          >> But why do we see so many examples of this?

          1. Because the whole purpose of the "Cloud" is to get rid of icky -- and expensive -- tech people.

          If an organization has to hire someone who actually knows what they are doing, the huge cost savings for going to the Cloud get blasted out of the water.

          2. Amazon, et al, do not want to be responsible for the security of millions of hosted software instances. Read the fine print in the contract - the customer is responsible, NOT the "Cloud" provider. Thus, they provide the tools for the customer, but no more, as any more may imply that they are responsible in some way.

      2. FlamingDeath

        Re: I wonder if....

        "AWS (as the cloud host) have done nothing wrong here… Look up their “shared responsibility model"

        I have to disagree, the words 'Amazon' and 'Responsibility' placed into the same sentence is an oxymoron. Has anyone ever thought how much computer crime is committed through AWS servers?

        These are paying customers of course and that's as far as Amazons responsibility goes, taking their money and not asking questions or probing what their infrastructure is doing. The same goes with Cloudflare. These people think they can solve every problem with an algorithm while ignoring the harm their lack of responsibilty brings

    2. Cynic_999 Silver badge

      Re: I wonder if....

      "

      Afterall, which is more frustrating, not being able to access data or having everyone and their dog have access?

      "

      Depends what you are using it for. Many people deliberately *want* everyone to have access to whatever they have uploaded. Similar to most people who upload videos to "Youtube"

      1. Doctor Syntax Silver badge

        Re: I wonder if....

        Not really. I'd have thought most people would want to provide controlled access. They might, for instance, want people to see their YT videos but not be able to edit them or just upload something else in their place. Or if the material is commercial in confidence they might not want anyone to see it.

    3. Donn Bly

      Re: Ooooh...

      Awhile back I set up an S3 bucket and intentionally left it open to the public, with the only contents some marketing videos to be embedded on a website.

      Amazon repeatedly emailed me to warn me that it was insecure, and eventually said that if I didn't log in and re-reverify that the settings were intentional that they would shut off the insecure access.

      So in other words, they ALREADY do what you suggest, and if insecure buckets are out there it is because the owners did it to themselves against multiple warnings from Amazon.

      1. Michael Wojcik Silver badge

        Re: Ooooh...

        And in this case, the VEEDiots repeatedly ignored messages from the researchers, and from the Register. They're clearly not competent.

        Personally, I'm still (despite the continual deluge of evidence) a bit amazed that people use services like this. Really, folks. You're trusting a startup with no reputation or record with your sensitive data. Even their name is stupid. Would you buy medications from a startup named PILZ.io? (Yes, I suppose many of these people would.)

      2. MachDiamond Silver badge

        Re: Ooooh...

        "So in other words, they ALREADY do what you suggest, and if insecure buckets are out there it is because the owners did it to themselves against multiple warnings from Amazon.

        You received the notices because you were the sole person running that bucket. Try to imagine a company with nobody in charge. One of those new orgs were nobody gets their own desk and you can skateboard down the halls with your smelly dog in tow. The person with the contact email account decides one day that a real job that pays in money rather than stock options is what they really need and all of the those notices go to an email account that's no longer active after that person re-reverified that wide open is what they wanted. Maybe that was due to a coworker having it off with their significant other. Nobody is in charge so nobody knows who should have been responsible so there is no place to put any blame.

        Is there any reason why an account being used by a for-profit company should be set to "public"?

    4. Aodhhan

      Re: I wonder if....

      Securing data in the cloud, isn't the responsibility of the cloud provider (believe it or not)... even if they provide a database and leave it open to everyone. This is cloud security 101 stuff.

      Just like: if you purchase an application and use it at home (especially cloud connected devices/software), it's your responsibility to ensure it's secure.

      In the cloud, it's YOUR responsibility to ensure any CLOUD APPLICATION you are using meets security best practices/standards.

      Common sense should tell you, if something is free or low cost, then chances are, they aren't taking a lot of security precautions.

  2. Roopee
    Gimp

    What sort of idiot...

    ...would upload their home-made pornography to an online video-editing website, least of all a free, unknown one?

    1. Charlie Clark Silver badge
      Coat

      Re: What sort of idiot...

      Doesn't Cartman's law state that all porn will at some point be available on a free website?

      1. Aussie Doc
        Paris Hilton

        Re: What sort of idiot...

        Been a long time since people have watched porn in 240p, I'd imagine.

        From what I'm told.

        By other people.

        Not me.

    2. Anonymous Coward
      Anonymous Coward

      Re: What sort of idiot...

      The same ones that store it on their phones and grant media access to any app that requests it.

    3. Anonymous Coward
      Anonymous Coward

      Re: What sort of idiot...

      Ones that needed to edit things that weren't......ummmmm....impressive without a touch up?

      Maybe VEED.io has the best enlargement algorithms in the "free" video editting world?

    4. Ima Ballsy
      Coat

      Re: What sort of idiot...

      Did they publish a list of users yet, Just asking for a friend .....

      1. Yet Another Anonymous coward Silver badge

        Re: What sort of idiot...

        >Did they publish a list of users yet

        Yes but only their porn name

        1. Ima Ballsy
          Facepalm

          Re: What sort of idiot...

          Well, If you happen to see Jon Hung Lo, will you let me know ?

    5. Anonymous Coward
      Anonymous Coward

      Re: What sort of idiot...

      the same sort of idiot that lets speakers with mikes and internet connections into their home, because blue light and cool, etc.

    6. Tikimon Silver badge
      FAIL

      Re: What sort of idiot...

      "...would upload their home-made pornography to an online video-editing website, least of all a free, unknown one?"

      Oh, just a normal person, unfamiliar with the dystopic nightmare that is technology. Only some ignorant snowflake with an expectation that their stuff is safe, not "shared" or left open to the whole world.

      Don't blame the user when a system is hard to correctly use. Remember, it's SUPPOSED to do what it says on the box. Users should not have to know lots of background about tech companies and anticipate what might go wrong. That's a sign of a badly done product.

      1. Michael Wojcik Silver badge

        Re: What sort of idiot...

        I'm usually on board with the "don't blame the user" argument, as my past posts will show. In this case, though, there are quite a few red flags, significant user action was required (it's not the same as recording a potentially-embarrassing scene with your phone and failing to secure that device), and people were uploading particularly sensitive data.

        While it's clear that the people behind this service should be banned from creating software until they've passed some remedial courses in basic thinking, in this case I feel at least some of the users share a significant portion of the blame.

    7. jelabarre59 Silver badge

      Re: What sort of idiot...

      Not that I have any, but I expect if I *did*, and some hacker got hold of it, watching it could be punishment in itself. Unless they were looking for comedy pr0n (in which case it wouldn't be very good for that either, just sad).

      1. Anonymous Coward
        Anonymous Coward

        At Jelabarre59...

        To quote Old Man Henderson, "Dude, I fucked a Shoggoth and *you're* freaking me out."

  3. steviebuk Silver badge

    Because hipsters know best

    "According to VPN Mentor, VEED ignored attempts in mid-October to alert them to the breach"

    Probably why they ignored it. Why listen to sense when we're hipster and unless you agree to our startup plan, we don't want to listen to you.

    That's the general way I see hipsters. I've seen a few over the years that were just like that, follow their "plan" and never question their "plan" or be made redundant.

    1. LDS Silver badge

      Re: Because hipsters know best

      If they are a British company, they still fall under GDPR. And if they allowed to upload contents that contain sensitive data like sexual preferences without the proper legal permissions they are even in hotter water - especially if not all parties involved in the video were aware of it.

      Ignoring attempts to be notified and ignoring the leak and the GDPR requirements about it looks utterly stupid to me. Unless they were very busy shifting money to places where the upcoming fee won't be able to find them.

      1. Mike 16 Silver badge

        Re: Because hipsters know best

        -- If they are a British company, they still fall under GDPR. --

        For a while. But the Big Johnson is going to fix all that, soon-ish.

        1. Doctor Syntax Silver badge

          Re: Because hipsters know best

          He'd still need to rescind/replace the current DPA which implements it.

    2. Nunyabiznes Silver badge

      Re: Because hipsters know best

      VEED probably typed the reply to address for their AWS bucket wrong and are blissfully ignorant.

  4. GreggS

    Still

    It's one way to get your search rankings up

    1. chivo243 Silver badge

      Re: Still

      I see what you did...

  5. STOP_FORTH
    WTF?

    Honest question

    I have never used Amazon AWS. Could their default set-up not be made secure rather than "open to world plus dog"?

    1. Anonymous Coward
      Anonymous Coward

      Re: Honest question

      The default is secure. This changed ages ago. You have to actively open up buckets now.

      I suspect there might be another angle here, which is that they might be using GUIDs on filenames to make URLs hard to guess, which means your only "security" against the whole lot being breached is the bucket list permission.

      "Bucket list", see what I did there? I hope this company dies horribly.

    2. Anonymous Coward
      Anonymous Coward

      Re: Honest question

      It is - you need to alter your storage buckets from the default of "private" to "public".

      And no, this isn't a new policy - https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html

      However...if you want to give access to buckets or objects, you need to either make them public OR manage access via your application. Guess what people choose?

      1. Fading
        Holmes

        Re: Honest question

        That does sound the most likely explanation - especially for the "free" user upload section (why build in a secure application access layer for the "free accounts") .

    3. GruntyMcPugh Silver badge

      Re: Honest question

      We still have am AWS bucket from a 'Cloud' project that failed to deliver. It was secure when we got it, and I have a tool 'CloudBerry Explorer' which allows me to check the permissions etc. The really odd thing I find about this though, is that when I authenticate to AWS, I don't get delivered directly to our bucket, but a couple of levels above, so I have to drill down. But that means I can see lots of other buckets, and I always found that odd, I know obscurity is no security, but being able to see the the bucket makes it easier to exploit from the outset.

  6. NanoMeter

    The rule is

    Don't do anything online, you should or could do offline.

  7. Anonymous Coward
    Anonymous Coward

    If something is free...

    ... you are the product being sold. This also applies if you are paying for it.

    The cloud - other peoples computers you have no control over.

    1. Anonymous Coward
      Anonymous Coward

      Re: If something is free...

      It won't get better if you pick it...

      The Pope poos in the woods.

      Bears are Catholic.

      1. phuzz Silver badge

        Re: If something is free...

        "Bears are Catholic."

        Yes, but only Americans are allowed to arm them.

        1. Alister Silver badge

          Re: If something is free...

          Indeed.

          "the right of the people to keep and arm Bears, shall not be infringed."

          1. WolfFan Silver badge
            Coat

            Re: If something is free...

            Ahem.

            https://www.gettrumpybear.com/

            No, this is not a joke site. It's for real. It's armed, it's dangerous, it's a grizzly, it's got a red tie. Certain people have bought one just to attach it to a rope.

            Now exiting Texas, pursued by a bear.

            1. Grooke

              Re: If something is free...

              That bear looks more like Alec Baldwin's impersonation of Trump than Trump XD

            2. TomG

              Re: If something is free...

              Don't mess with Texas.

          2. phuzz Silver badge

            Re: If something is free...

            Thanks for explaining my joke ;)

      2. Phil O'Sophical Silver badge
        Stop

        Re: If something is free...

        The Pope poos in the woods.

        Well, he should stop! Doesn't he know that today is World Toilet Day?

        1. Michael Wojcik Silver badge

          Re: If something is free...

          So what? The woods are part of the world, and thus part of the World Toilet.

  8. Rich 11 Silver badge

    Rule 34

    All you can do is hope that nobody's downloaded your self-starring grumble flicks and recognised you.

    This is why I always wrap a plastic bag tightly around my head when starring in a porn film.

    1. WolfFan Silver badge

      Re: Rule 34

      So... that would be a very short film before you pass out from lack of oxygen?

    2. jelabarre59 Silver badge

      Re: Rule 34

      This is why I always wrap a plastic bag tightly around my head when starring in a porn film.

      Go for the Guy Fawkes mask and "Yakkety Sax" for the theme music.

  9. IGotOut

    The stupid thing..

    Is there are a stack of quality, easy to use, free editing tool avaibke on most platforms.

    1. Anonymous Coward
      Anonymous Coward

      Re: The stupid thing..

      Everything is better in the Cloud, and preferably with Internet of Things too.

      Don't Believe The Hype

    2. baud Bronze badge

      Re: The stupid thing..

      Sometime, for a 5-min job, finding, downloading and installing an editing tool is a bit much, instead of just finding the appropriate online tool. Of course when I did this I didn't upload anything that I wanted to keep private (it was a Youtube video and it ended up as another Youtube video).

      But for anything longer, I'll use a local tool of course (last time I used shotcut, which crashed on average once per hour, so it didn't stayed on my machine once the project was done)

  10. Mark 85 Silver badge

    Why?

    Why are they even storing the flicks? It should be upload, convert, tweek, download, and then the server erases it. Unless the company has ulterior motives (blackmail?) there's no reason to keep them. It would also save cash on storage costs.

    1. MachDiamond Silver badge

      Re: Why?

      " It would also save cash on storage costs."

      Storage is so cheap. With the right ToS/privacy policy, you don't have any legal problems except for kiddie flicks. Today's amateur pr0n star is tomorrow's statesman or perhaps, failed candidate, depending on if they have enough money for you to "accidentally delete" that bit of video.

  11. Aussie Doc
    Pint

    I don't know.

    "All you can do is hope that nobody's downloaded your self-starring grumble flicks and recognised you."

    I don't know. Would be a great way to stop people from talking to me.

    "Hey, do I know you from somewhere?"

    Yeah, I used to do really kinky porn.

    <Awkward silence ensues>

  12. MachDiamond Silver badge
    Big Brother

    Buckets of profit

    Get yourself a FB account under a false name that you only access while at the San Francisco public library. Hmmm, ok, maybe that's not a good place with all of those windows.

    Download all of the self-made pr0n, find some good frames to screen grab, post the images to FB and see if they can suggest some names to go with the faces. (just the faces you slime, Only Mr. Clinton's privates are super well known to the average punter. Maybe Jennifer Lawarence's lady bits too, but we digress). FB will likely give you an FB user name as well. Just to be helpful. With the FB user name, Spokeo may be able to sell you a full bio on the person including a home address, wife's name, kids, etc. Forget the phishing emails saying they've been spying on you through your web cam while you watch dirty movies (yeah right, I don't have a cam on my desktop), you can actually send a clip. Should be worth a few bob.

    1. Anonymous Coward
      Anonymous Coward

      Re: Buckets of profit

      Seems you've given this a lot of thought...

      1. MachDiamond Silver badge

        Re: Buckets of profit

        Naw, what I posted was easy to figure out based on other exploits I've seen described.

        Miscreants are already using photos to stalk people by looking them up on FB to see if FB will identify them. There are data aggregators that charge a one time fee that is a pittance for a bio based on no more than an FB user name. Some of the info may even be mostly accurate. Extend that to somebody in a home made pr0n production that may not be too happy about their performance being made public and Shekels can be made.

        It's another argument against self-inflicted surveillance and posting anything personal online. The divider between "The Cloud" and completely public is vanishingly thin.

  13. Speeednet

    Maybe Epstein did kill himself after all

    1. MachDiamond Silver badge

      I would expect that if he wasn't given direct assistance to leave this world, he may have been talked into going DIY by a kindly person that smoked heavily showing him surveillance photos/vids and some examples of the more extreme methods of torture employed around the world.

      If there is anything to the conspiracy that the "body" claimed to be Mr Epstein was a stand-in, he may still be someplace being encouraged to spill names, dates, record locations until the examiners are satisfied that they know the scope of any potential fallout.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019