(no title)

Buckets are default deny, takes several steps to enable public access with warnings along the way, if you use web console.

>If this assumption is true, it begs the question. Why do people act like public cloud storage is more secure than "private", on prem storage?

#1 risk people are concerned about is dataloss where cloud wins.

That's where cloud is more secure comes from. I've not lost any data in GCS or S3.

But same cannot be said for local copies of data.

321 strategy is best for most cases.

IMO, "cloud" usually translates to web based development. I think a lot of HN readers are at a higher level than your average developer, making these types of issues seem crazy to have, and getting into web development seems to be easier than other types of development. This may just be perception, as the place to find web tutorials is already in the environment they will be used in. I know web developers get a lot of hate, and I'm not trying to perpetuate that (especially going on almost 20 years as one), but I do think the ease of getting into web development is a contributing factor to the surprise most of us have at issues like this. In general, I think most web developers don't really know what they are doing, as they try to just get up and running without even knowing to think about security. It seems like a fake it until you make it type of industry, compared to other types of development. I try to keep up in other areas of development, and understand that security isn't something to be bolted on at a later stage of development, but I also started my professional career learning network administration and security before I ever started web development. Lots of developers get their application working, are too afraid to start looking into what they could improve, and that includes looking into security. This has been my personal experience any time I've tried mentoring other developers, and by nature of being web based, security is a much bigger deal than in a private network.

It's because systems are highly complex and there are a thousand little things that you need to know to use them. Once you have experience working with it (or even reading enough docs), you know which of those thousand things should take up the most space in your mind.

But if you are new and are pressed for time, you only look at maybe a fraction of those thousand things, and inevitably you miss some important things.

AWS used to not have sane defaults for S3 buckets.

> The interesting thing is, most people wouldn't do the same things (say, chmod 777 all the things) on a public NAS.

I ran one of those for years in a place where the median user had a science Ph.D. This happened more than once.

People also made public FTP upload folders or had PHP accepting uploads to save time.

I’m skeptical that this is more common in S3 versus being a popularity contest, and reflecting the likelihood that some “temporary troubleshooting” mistake will be noticed in S3 is much greater than on a private server.

Reconsider your assumption. Why does ransomware work? It's because the same people who have habits and/or systems that make compromise of them possible and likely are also given full write and delete access as well as, of course, read access.

What would a ransomware attack look like if the same kind of employee who downloads bootleg versions of PDF editors was only given read access to the files they need and write access to only their own files? It'd look like a big nothing.

The fact that we see ransomware attacks that affect entire huge corporations and organizations gives an idea of how many "admins" (who don't deserve the title) give 777 permissions to everyone.

> most people wouldn't do the same things (say, chmod 777 all the things)

I wouldn't be so sure about that, it still happens a lot that this is the default reply in many help forums.

Cloud permissions are just more complicated, which means people make mistakes like this. No one is intentionally setting their buckets to be world readable.

The same reason people 777 on Linux, stuff does not work how I fix the problem quicky.

Sadly, clueless devs do chmod 777 all the times.

> Why do people act like public cloud storage is more secure than "private", on prem storage?

Because Microsoft, Google, Amazon told them that the "cloud is more secure".