1. 3

    We’re a small shop (~15 folks, ~10 eng), but old (think early 2000s, using mod_perl at the time). Not really a startup but we match the description otherwise so:

    It’s a Python/Django app, https://actionk.it, which some lefty groups online use to collect donations, run their in-person event campaigns and mailing lists and petition sites, etc. We build AMIs using Ansible/Packer; they pull our latest code from git on startup and pip install deps from an internal pip repo. We have internal servers for tests, collecting errors, monitoring, etc.

    We have no staff focused on ops/tools. Many folks pitch in some, but we’d like to have a bit more capacity for that kind of internal-facing work. (Related: hiring! Jobs at wawd dot com. We work for neat organizations and we’re all remote!)

    We’ve got home-rolled scripts to manage restarting our frontend cluster by having the ASG start new webs and tear the old down. We’ve scripted hotfixes and semi-automated releases–semi-automated meaning someone like me still starts each major step of the release and watches that nothing fishy seems to be happening. We do still touch the AWS console sometimes.

    Curious what prompts the question; sounds like market research for potential product or something. FWIW, many of the things that would change our day-to-day with AWS don’t necessarily qualify as Solving Hard Problems at our scale (or 5x our scale); a lot of it is just little pain points and time-sucks it would be great to smooth out.

    1. 6

      FYI, I get a “Your connection is not private” when going to https://actionk.it. Error is NET::ERR_CERT_COMMON_NAME_INVALID, I got this on Chrome 66 and 65.

      1. 2

        Same here on Safari.

        1. 1

          Sorry, https://actionkit.com has a more boring domain but works :) . Should have checked before I posted, and we should get the marketing site a cert covering both domains.

        2. 1

          Firefox here as well.

          1. 1

            Sorry, I should have posted https://actionkit.com, reason noted by the other comments here.

          2. 1

            https://actionk.it

This happens because the served certificate is for https://actionkit.com/

            1. 1

              D’oh, thanks. Go to https://actionkit.com instead – I just blindly changed the http://actionk.it URL to https://, but our cert only covers the boring .com domain not the vanity .it. We ought to get a cert that covers both. (Our production sites for clients have an automated Let’s Encrypt setup without this problem, for the record :) )
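The mismatch above is the usual one: the name the browser was asked for is not among the certificate's subjectAltName dNSName entries. The following is an added example, not code from this thread or from ActionKit, showing the matching rules browsers apply (exact dNSName match, a `*.` wildcard covering exactly one label, IP literals only against iPAddress SANs, and no fallback to the subject CN, which Chrome 58+ ignores entirely and other browsers ignore whenever a SAN extension is present). `SAMPLE_SANS` is a constructed list standing in for the served certificate; to see a live server's names, run `openssl s_client -connect actionkit.com:443 -servername actionkit.com </dev/null | openssl x509 -noout -text` and look at the "Subject Alternative Name" line.

```python
import ipaddress

# Constructed sample standing in for the certificate the thread describes
# (covers the .com names only); not fetched from the real site.
SAMPLE_SANS = ["actionkit.com", "www.actionkit.com"]


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one dNSName SAN against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[2:]
    # Only the whole leftmost label may be a wildcard, and the suffix must
    # keep at least two labels, so "*.com" or "*.it" never match anything.
    if "*" in suffix or "." not in suffix:
        return False
    # The wildcard covers exactly one label: "*.example.com" matches
    # "www.example.com" but not "example.com" or "a.b.example.com".
    head, sep, tail = hostname.partition(".")
    return bool(head) and bool(sep) and tail == suffix


def hostname_covered(hostname, dns_names, ip_addrs=()):
    """True if the certificate's SAN entries cover `hostname`.

    IP literals are compared only against iPAddress SANs and DNS names only
    against dNSName SANs. The subject CN is deliberately not consulted.
    """
    try:
        ip = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(a) == ip for a in ip_addrs)
    return any(_dns_name_matches(p, hostname) for p in dns_names)


def missing_names(served_hostnames, dns_names, ip_addrs=()):
    """Return the hostnames you serve that the certificate does not cover,
    i.e. the names that still need adding to the SAN list."""
    return [h for h in served_hostnames
            if not hostname_covered(h, dns_names, ip_addrs)]


if __name__ == "__main__":
    for host in ("actionkit.com", "actionk.it"):
        status = "covered" if hostname_covered(host, SAMPLE_SANS) else "mismatch"
        print(f"{host}: {status}")
    print("add to cert:", missing_names(["actionkit.com", "actionk.it", "www.actionk.it"], SAMPLE_SANS))
```

Running `missing_names` over every hostname a marketing site answers on, including vanity domains that get rewritten to https://, is a cheap pre-deploy check that catches exactly the situation in this thread.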

            1. 13

              Even if the FTC and the DOJ don’t proactively do anything about this, I can’t imagine there not being lawsuits over it.

I don’t understand why people give Google so much leeway when it comes to being a crappy company. Their behavior is worse than anything Microsoft’s ever done, but they always get a free pass.

              1. 5

What are some examples of bad behavior that Google has done that is worse than Microsoft’s?

                1. 3

                  I don’t understand why people give Google so much leeway when it comes to being a crappy company.

                  It is also strange that so many good hackers, even prominent FLOSS hackers want to work for them. Building a big spy machine is apparently ok when you have cool perks and a big salary. Whatever happened to ethics?

                  1. 2

                    Most people there are not building a “big spy machine”.

                    1. 4

                      Most people at the NSA are not building a “big spy machine,” either.

                1. 16

                  Reading the review, it sounds like you can probably go through Google’s cache or an Internet Archive for the affected pages, and find random (private) HTTPS sessions in the public caches.

                  I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.

                  Unbelievable.

                  1. 1

                    I believe they waited until major search engines had purged this data from the cache, to make this public. So you could, but can’t anymore.

                    1. 13

                      Google is actively purging data, but at the time of publication there was still secret data readily discoverable. To say nothing of all the other “not major” search engines which can also have caches. Nobody knows who or where this data has been cached.

                      1. 4

                        Nope. Read Tavis’s summary in the Google report, also there have been reports on Twitter of data being found in search engine caches

                        1. 4

All search engines and other services that cache things, like Yandex, Baidu, the NSA and lots of others, are probably not so eager to purge their caches/loot.

                      1. 4

                        “Sites that only support Flash are exempted, as are the top 10 sites on the web for a year: YouTube.com, Facebook.com, Yahoo.com, VK.com, Live.com, Yandex.ru, OK.ru, Twitch.tv, Amazon.com, and Mail.ru”

Ok, so they didn’t really change anything for the majority of browsing. They really just “turned on the YouTube HTML5 beta but for all websites for all users”, i.e. it will prefer HTML5, but sites can still veto it and do whatever they feel like. I thought they could have done this step years ago, and at this point they should be treating Flash and Flash video as a “do you want to enable Flash for this site, just this once, always?” banner.

                        1. 20

                          According to Peter Kasting (a Chrome dev) all the news sites are getting it wrong: https://plus.google.com/+PeterKasting/posts/5ioK3cbucKz?sfc=true

                          1. 3

                            Exempting the top 10 websites seems pretty silly too; they’re allowed to have shitty security and the rest of us aren’t?

                            1. 3

                              Breaking the top sites is just going to drive users to another browser

                              1. 5

                                In my experience, it drives users to other websites. Bear in mind the fact that the ‘average’ user doesn’t know the difference between Google, Google Chrome and the Internet.

                                If over 50% of web users couldn’t use their sites, I’m sure the big websites would come up with an html5 player very quickly.

                                1. 3

For what it’s worth, Twitch took about a year to develop an HTML5 player. It’s in general availability now, but it took a long time to fully develop it.

                                  Relevant links: https://blog.twitch.tv/html5-player-turbo-beta-starts-today-135d1b7baa65#.95js7ln4u https://help.twitch.tv/customer/portal/articles/2477288

                                  1. 3

                                    Yeah, html5 playback wasn’t a massive priority at that time. I understand that development can take some time, but we’ve known about the demise of flash for a long time now. And users having to click a button to activate flash isn’t a huge deal, the site is still usable.

                                  2. 1

                                    I’m sure in reality it’s a mix, and Google are hedging their risks.

                                    1. 1

                                      Depends on the website.

                                      I’d use something else instead of youtube/amazon - there’s always somewhere else to get entertainment/shop, but there isn’t an alternative to facebook - it’s what too many social groups use, and if you want to keep being included in those groups you have to use it.

                                      1. 3

                                        I use facebook too, sans flash, and it works fine! :-)