Threads for montolio

  1. 5
    rjpcasalino avatar rjpcasalino 5 years ago | link | on: NHS hit by ransomware attack, hospitals across country shutting down

    This is what happens when people don’t update Windows!

    1. 1
      jm avatar jm 5 years ago | link

      How can you determine that? Are you joking?

    1. 27
      friendlysock avatar friendlysock 6 years ago | link | on: Amazon's AWS S3 cloud storage evaporates: Top websites, Docker stung

      Remember folks, The Cloud is just somebody else’s computer. :)

      1. 37
        soulcutter avatar soulcutter 6 years ago | link

        They’re still better at managing it than me.

        1. 2
          ianloic avatar ianloic 6 years ago | link

          Sure, but what if you don’t need something as complex as s3? If I just want to serve static files I can probably manage that just fine - probably better than AWS can manage something as complex as s3.

          1. 3
            danielrheath avatar danielrheath 6 years ago | link

            Internally I’m sure S3 is super complex, but none of that is exposed to me.

            If you were using the AWS-recommended setup for a static site on s3 (that is, putting a CDN in front of it) then you likely didn’t notice the outage at all (for a few hours you couldn’t post new stuff but existing content is served out of your CDN).

            1. 1
              montolio avatar montolio 6 years ago | link

              Had a static site setup exactly this way on us-east-1 and it went down.

              Was able to get a back up working on Firebase is about 30 minutes.

        2. 6
          inactive-user avatar inactive-user 6 years ago | link

          If you’re doing it right it’s several people’s computers.

          1. 1
            LibertarianLlama avatar LibertarianLlama 6 years ago | link

            Possession is an obsolete concept. If you can ssh into it it might as well be yours.

            1. 3
              ralish avatar ralish 6 years ago | link

              I’m just going to assume you don’t run multi-user systems.

              1. 1
                ssl avatar ssl 6 years ago | link

                Let’s be honest - is anyone running them outside of shell services and webhosting?

                1. 2
                  1amzave avatar 1amzave 6 years ago | link

                  Uh…yes? Think universities, engineering companies (real ones, not YCStartupprgonnabegoneintwomonths.ly), research labs…

          1. 2
            montolio avatar montolio 6 years ago | link | on: F5Bot - Get an email when you're mentioned on Lobste.rs, Hacker News, or Reddit!

            Could use a forgot password function.

            1. 1
              code avatar code 6 years ago | link

              Yeah. I’m working on that. I’ve had a couple users email me, and I’ve manually reset their passwords. If you need me to manually reset yours, just let me know.

            1. 7
              Sietsebb avatar Sietsebb 6 years ago | link | on: Now sites can fingerprint you online even when you use multiple browsers

              “From the negative perspective, people can use our cross-browser tracking to violate users' privacy by providing customized ads,” Yinzhi Cao, the lead researcher who is an assistant professor in the Computer Science and Engineering Department at Lehigh University, told Ars. “Our work makes the scenario even worse, because after the user switches browsers, the ads company can still recognize the user. […]”

              The value of work like this is evident: certainly there are advertisers looking for privacy vulnerabilities like this one, and if they find a hole they’ll keep it secret and exploit it. It’s good to have people finding these holes on behalf of the advertised-to, and publishing them so they can be fixed.

              A question: is it usual to publish immediately when one discovers a privacy vulnerability? Would it be good to treat privacy vulnerabilities like (other) security vulnerabilities, and give browser vendors a head start to fix the vulnerability before it is published?

              1. 9
                chadski avatar chadski 6 years ago | link

                I’m not sure what could be done to fix this vulnerability. Scanning for WebGL capabilities isn’t exactly a bug, nor is checking the system font list.

                As usual, the best defense is turning off javascript.

                1. 3
                  LibertarianLlama avatar LibertarianLlama 6 years ago | link

                  If you did you wouldn’t even be able to post that.

                  1. 6
                    chadski avatar chadski 6 years ago | link

                    True, I use a selective whitelist. You could also disable just WebGL.

                    1. 1
                      montolio avatar montolio 6 years ago | link

                      Selectively enabling WebGL for sorted that request it would be nice as a privacy option. Sort of how browsers treat Java and Flash.

                      1. 1
                        chadski avatar chadski 6 years ago | link

                        Hmm, I did find CanvasBlocker for Firefox:

                        Users can choose to block the <canvas> API entirely on some or all websites

                2. 7
                  mjn avatar mjn 6 years ago | link

                  If it was a really specific bug with a clear fix, I’d treat it like a security vulnerability and give the vendor a chance to fix it first. But this is more like a design flaw than a specific exploit, and I think it’s unlikely those can be fixed without substantial public discussion, because you need to build consensus around a design change and argue about the tradeoffs. For example, that’s how the privacy leak through the CSS :visited selector was eventually fixed.

                1. 1
                  montolio avatar montolio 6 years ago | link | on: Top mentioned books on stackoverflow.com

                  Filtering to the Javascript tag still contains the “Effective C++” book? Typing in tags also gives unusual or unexpected results. Maybe it has a set list of books.