Internet Archive certainly made creative arguments, all of which were soundly rejected under Summary Judgment. This had the opposite effect on the future we both want.
Under discovery in the case, it turned out that Internet Archive didn't keep accurate records of what they loaned out either. Another example of sloppy engineering that directly impacts their core mission.
The fate of the organization now rests on the outcome of other lawsuits. In one, Internet Archive argues that they are allowed to digitize and publish Frank Sinatra records because the pops and crackles on them makes it Fair Use.
If they did all this cleanly under a different LLC, I'd sit back and enjoy the show. But they didn't.
Don't forget the time Brewster tried to run a bank -- Internet Archive Federal Credit Union. Or that the physical archives are stored on an active fault line and unlikely to receive prompt support during an emergency. Or that, when someone told him that archives are often stored in salt mines he replied, "cool, where can I buy one?"
Restating my love for Internet Archive and my plea to put a grownup in charge of the thing.
Washington Post: The organization has “industry standard” security systems, Kahle said, but he added that, until this year, the group had largely stayed out of the crosshairs of cybercriminals. Kahle said he’d opted not to prioritize additional investments in cybersecurity out of the Internet Archive’s limited budget of around $20 million to $30 million a year.
Military grade has different meanings. I’ve worked in the electronics industry a long time and will say with confidence that the pcbs and chips we sent to the military were our best. Higher temperature ranges, much more thorough environmental testing, many more thermal and humidity cycles, lots more vibration testing. However we also sell them for 5-10x our regular prices but in much lower quantities. It’s a failed meme in many instances as the internet uses it though.
Hot take, this is the way it should be. If you want better security then you update the requirements to get your certification.
Security by its very nature has a problem of knowing when to stop. There's always better security for an ever increasing amount of money and companies don't sign off on budgets of infinity dollars and projects of indefinite length. If you want security at all you have bound the cost and have well-defined stopping points.
And since 5 security experts in a room will have 10 different opinions on what those stopping points should be— what constitutes "good-enough" they only become meaningful when there's industry wide agreement on them.
There never will be an adequate industry-wide certification. There is no universal “good enough” or “when to stop” for security. What constitutes “good enough” is entirely dependent on what you are protecting and who you are protecting it from, which changes from system to system and changes from day to day.
The budget that it takes to protect against a script kiddy is a tiny fraction of the budget it takes to protect from a professional hacker group, which is a fraction of what it takes to protect from nation state-funded trolls. You can correctly decide that your security is “good enough” one day, but all it takes is a single random news story or internet comment to put a target on your back from someone more powerful, and suddenly that “good enough” isn’t good enough anymore.
The Internet Archive might have been making the correct decision all this time to invest in things that further its mission rather than burning extra money on security, and it seems their security for a long time was “good enough”… until it wasn’t.
We can’t all have the latest EPYC processors with the latest bug fixes using Secure Enclaves and homomorphic encryption for processing user data while using remote attestation of code running within multiple layers of virtualization. With, of course, that code also being written in Rust, running on a certified microkernel, and only updatable when at least 4 of 6 programmers, 1 from each continent, unite their signing keys stored on HSMs to sign the next release. All of that code is open source, by the way, and has a ratio of 10 auditors per programmer with 100% code coverage and 0 external dependencies.
Then watch as a kid fakes a subpoena using a hacked police account and your lawyers, who receive dozens every day, fall for it.
No, it’s your demeanor that is unbecoming and not worth engaging with. Villianizing your poor behavior not successfully baiting people into replying as you want is childish too. Take a breather.
A non-grownup analysis is to criticize a decision in hindsight. If Internet Archive shifted funds to security, it would mean cutting something from its mission. Given their history, it makes sense IMHO to spend on the mission and take the risk. As long as they have backups, a little downtime won't hurt them - it's not a bank or a hospital.
Downtime aside, best practices for running a library generally include not leaking usernames, email addresses, and eight years of front desk correspondence.
They sell paid services to universities and governments, so downtime isn't a great look either.
> best practices for running a library generally include not leaking usernames, email addresses, and eight years of front desk correspondence
That's incorrect IMHO: You are describing outcomes; practices are about procedures. In particular, necessary to the understanding and use of best practices is that do not guarantee outcomes.
Any serious management balances risks, which includes the inevitability, though unpredictable, of negative outcomes. It's impossible to prevent them - not NASA, airlines, surgeons, etc, can prevent them all, and they accept that.
It's a waste of resources to spend more preventing them than you lose overall. Best practices do not provide perfect outcomes; they provide the most reduced trade-offs in risk and cost.
Thank you for showing up here and being open to feedback. But I have to ask: shouldn't Cloudflare be running and reviewing reports to catch this before it became such a problem? It's three clicks in Tableau for anyone who cares, and clearly nobody does. And this isn't the first time something like this has slipped through the cracks.
I tried reaching out to Cloudflare with issues like this in the past. The response is dozens of employees hitting my LinkedIn page yet no responses to basic, reproduceable technical issues.
You need to fix this internally as it's a reputational problem now. Less screwing around using Salesforce as your private Twitter, more leadership in triage. Your devs obviously aren't motivated to fix this stuff independently and for whatever reason they keep breaking the web.
The reality that HackerNews denizens need to accept, in this case and in a more general form, is: RSS feeds are not popular. They aren't just unpopular in the way that, say, Peacock is unpopular relative to Netflix; they're truly unpopular, used regularly by a number of people that could fit in an american football stadium. There are younger software engineers at Cloudflare that have never heard the term "RSS" before, and have no notion of what it is. It will probably be dead technology in ten years.
I'm not saying this to say its a good thing; it isn't.
Here's something to consider though: Why are we going after Cloudflare for this? Isn't the website operator far, far more at-fault? They chose Cloudflare. They configure Cloudflare. They, in theory, publish an RSS feed, which is broken because of infrastructure decisions they made. You're going after Ryobi because you've got a leaky pipe. But beyond that: isn't this tool Cloudflare publishes doing exactly what the website operators intended it to do? It blocks non-human traffic. RSS clients are non-human traffic. Maybe the reason you don't want to go after the website operators is because you know you're in the wrong? Why can't these RSS clients detect when they encounter this situation, and prompt the user with a captive portal to get past it?
I'm old enough to remember Dave Winer taking Feedburner to task for inserting crap into RSS feeds that broke his code.
There will always be niche technologies and nascent standards and we're taking Cloudflare to task today because if they continue to stomp on them, we get nowhere.
"Don't use Cloudflare" is an option, but we can demand both.
"Old man yells at cloud about how the young'ns don't appreciate RSS."
I mean that somewhat sarcastically; but there does come a point where the demands are unreasonable, the technology is dead. There are probably more people browsing with JavaScript disabled than using RSS feeds. There are probably more people browsing on Windows XP than using RSS feeds. Do I yell at you because your personal blog doesn't support IE6 anymore?
Spotify and Apple Podcasts use RSS feeds to update what they show in their apps. And even if millions of people weren't dependent on it, suggesting that an infrastructure provider not fix a bug only makes the web worse.
I'm not backing down on this one: This is straight up an "old man yelling at the kids to get off his lawn" situation, and the fact that JGC from Cloudflare is in here saying "we'll take a look at this" is so far and beyond what anyone reasonable would expect of them that they deserve praise and nothing else.
This is a matter between You and the Website Operators, period. Cloudflare has nothing to do with this. This article puts "Cloudflare" in the title because its fun to hate on Cloudflare and it gets upvotes. Cloudflare is a tool. These website operators are using Cloudflare The Tool to block inhuman access to their websites. RSS CLIENTS ARE NOT HUMAN. Let me repeat that: Cloudflare's bot detection is working fully appropriately here, because RSS Clients are Bots. Everything here is working as expected. The part where change should be asked is: Website operators should allow inhuman actors past the Cloudflare bot detection firewall specifically for RSS feeds. They can FULLY DO THIS. Cloudflare has many, many knobs and buttons that Website Operators can tweak; one of those is e.g. a page rule to turn off bot detection for specific routes, such as `/feed.xml`.
If your favorite website is not doing this, its NOT CLOUDFLARE'S FAULT.
Take it up with the Website Operators, Not Cloudflare. Or, build an RSS Client which supports a captive portal to do human authorization. God this is so boring, y'all just love shaking your first and yelling at big tech for LITERALLY no reason. I suspect its actually because half of y'all are concerningly uneducated on what we're talking about.
As part of proxying what may be as much as 20% of the web, Cloudflare injects code and modifies content that passes between clients and servers. It is in their core business interests to receive and act upon feedback regarding this functionality.
Sure: Let's begin by not starting the conversation with "Don't use Cloudflare", as you did. That's obviously not only unhelpful, but it clearly points the finger at the wrong party.
I get what you're saying, and on a philosophical level you're probably right. If a website owner misconfigures their CDN to the point of impeding legitimate traffic then they can fail like businesses do everyday. Survival of the fittest. But with the majority of web users apparently running stock Chrome, on a practical level the web still has to work. I went looking for car parts a number of months ago and was blocked/accosted by firewalls over 50% of the time. Not all Cloudflare-powered sites. There isn't enough time in the day to take every misconfigured site to task (unless you're Bowerick Wowbagger [1]), so I believe the solution will eventually have to be either an altruistic effort from Cloudflare or from government regulation.
My mother has a WordPress site talking about hedgehogs and at this point it seems like it's only a matter of time before Matt's vendetta shows up in her site footer.
There’s a ‘sport’ where contestants see who can kick a rolled up hedgehog over the most garden fences. Maybe that one? Or it was a Sean Lock joke. I forget.
Pretty sure that today's PDFs are infinitely more secure that EXE's in the 1990's. There is a sandbox and no native code execution in PDFs.
(That is, unless you use Adobe's PDF reader, which seems to support JS for some weird reason and has an RCE almost every month. But given there are tons of alternatives, you must really not care about security to use it for personal purposes)
Time to plug SumatraPDF[0] which I love! It's super lightweight and fast. It isn't able to edit the files though. What do you use to edit them? At this point I just use the reader included in Firefox
He's been in ego preservation mode since at least February and he really, really needs to get the hell off the internet for six months and possibly heal. It's a spiral and it's painful to watch.
"In 2005, Harvard University and Suffolk University researchers worked with local police to identify 34 "crime hot spots" in Lowell, Massachusetts. In half of the spots, authorities cleared trash, fixed streetlights, enforced building codes, discouraged loiterers, made more misdemeanor arrests, and expanded mental health services and aid for the homeless. In the other half of the identified locations, there was no change to routine police service.
The areas that received additional attention experienced a 20% reduction in calls to the police. The study concluded that cleaning up the physical environment was more effective than misdemeanor arrests."
They probably read your comment as three things instead of two (I did at first and had to take a second look). Tighter binding between the paired items might make it read better, instead of the awkwardly placed comma:
> There is zero relation between filth/crime and living in the city centre.
Under discovery in the case, it turned out that Internet Archive didn't keep accurate records of what they loaned out either. Another example of sloppy engineering that directly impacts their core mission.
The fate of the organization now rests on the outcome of other lawsuits. In one, Internet Archive argues that they are allowed to digitize and publish Frank Sinatra records because the pops and crackles on them makes it Fair Use.
If they did all this cleanly under a different LLC, I'd sit back and enjoy the show. But they didn't.
reply