1. 5

    This is what happens when people don’t update Windows!

    1. 1

      How can you determine that? Are you joking?

    1. 27

      Remember folks, The Cloud is just somebody else’s computer. :)

      1. 37

        They’re still better at managing it than me.

        1. 2

          Sure, but what if you don’t need something as complex as s3? If I just want to serve static files I can probably manage that just fine - probably better than AWS can manage something as complex as s3.

          1. 3

            Internally I’m sure S3 is super complex, but none of that is exposed to me.

            If you were using the AWS-recommended setup for a static site on s3 (that is, putting a CDN in front of it) then you likely didn’t notice the outage at all (for a few hours you couldn’t post new stuff but existing content is served out of your CDN).

            1. 1

              Had a static site setup exactly this way on us-east-1 and it went down.

              Was able to get a backup working on Firebase in about 30 minutes.

        2. 6

          If you’re doing it right it’s several people’s computers.

          1. 1

            Possession is an obsolete concept. If you can ssh into it it might as well be yours.

            1. 3

              I’m just going to assume you don’t run multi-user systems.

              1. 1

                Let’s be honest - is anyone running them outside of shell services and webhosting?

                1. 2

                  Uh…yes? Think universities, engineering companies (real ones, not YCStartupprgonnabegoneintwomonths.ly), research labs…

          1. 2
            1. 1

              Yeah. I’m working on that. I’ve had a couple users email me, and I’ve manually reset their passwords. If you need me to manually reset yours, just let me know.

            1. 7

              “From the negative perspective, people can use our cross-browser tracking to violate users' privacy by providing customized ads,” Yinzhi Cao, the lead researcher who is an assistant professor in the Computer Science and Engineering Department at Lehigh University, told Ars. “Our work makes the scenario even worse, because after the user switches browsers, the ads company can still recognize the user. […]”

              The value of work like this is evident: certainly there are advertisers looking for privacy vulnerabilities like this one, and if they find a hole they’ll keep it secret and exploit it. It’s good to have people finding these holes on behalf of the advertised-to, and publishing them so they can be fixed.

              A question: is it usual to publish immediately when one discovers a privacy vulnerability? Would it be good to treat privacy vulnerabilities like (other) security vulnerabilities, and give browser vendors a head start to fix the vulnerability before it is published?

              1. 9

                I’m not sure what could be done to fix this vulnerability. Scanning for WebGL capabilities isn’t exactly a bug, nor is checking the system font list.

                As usual, the best defense is turning off javascript.

                1. 3

                  If you did you wouldn’t even be able to post that.

                  1. 6

                    True, I use a selective whitelist. You could also disable just WebGL.

                    1. 1

                      Selectively enabling WebGL for sites that request it would be nice as a privacy option. Sort of how browsers treat Java and Flash.

                      1. 1

                        Hmm, I did find CanvasBlocker for Firefox:

                        Users can choose to block the <canvas> API entirely on some or all websites

                2. 7

                  If it was a really specific bug with a clear fix, I’d treat it like a security vulnerability and give the vendor a chance to fix it first. But this is more like a design flaw than a specific exploit, and I think it’s unlikely those can be fixed without substantial public discussion, because you need to build consensus around a design change and argue about the tradeoffs. For example, that’s how the privacy leak through the CSS :visited selector was eventually fixed.

                1. 1

                  Filtering to the Javascript tag still contains the “Effective C++” book? Typing in tags also gives unusual or unexpected results. Maybe it has a set list of books.