All this talk about banks being safe yada yada and cloud hosting not safe for US50k. Real banking companies (with billions of dollars on hand) do use commodity cloud hosting including Linode, for even sensitive parts. Take for example Natwest online banking login. On initial login page they load a cookie via an image from www.advanced-web-analytics.com and then once you enter a customer number the next page loads a ...drum roll... javascript file from www.omni-traffic.com. Now who can tell me what one can do when you have control over the Javascript on a banking login page?

Ah crap. It looks like they have been moved to Amazon EC2; ~8 months ago they were hosted on conventional Linode VPSs. Point still stands though.


In my experience working on a US financial website, a bank would never consider using a VPS like Linode to store actual banking and customer data. It's not even close to Level 1 PCI compliant.


Not sure about this PCI compliance stuff, but perhaps this is why major banking companies jumped from Linode to EC2? Much improvement? Although I must say I have friends working on banking websites in the UK that don't know the whole picture, it's not unreasonable to assume that these things are fucked up.


From what I know, PCI compliance is firstly, just a guideline. It's not like OSHA, but IANAL.

I also know there are "levels" of PCI compliance. The highest one, which reputable banks should be following, is very strict AFAIK, and includes provisions for controlling who has access to the physical hardware, encryption levels, etc. The fact that a Linode VPS can be 'rooted' via their management software by a sysadmin working for Linode would, from what I can tell, make them unqualified to be used to store banking transaction & customer data, though perhaps I am wrong.


EC2 is now PCI DSS 2.0 compliant which is probably why: http://aws.amazon.com/security/pci-dss-level-1-compliance-fa...


Well tomg, when I researched this ~8 months ago there were at least 2 US financial websites that were using the same specialized analytic company that injected JS into banking login pages that were hosted on Linode VPSes.


Oh I don't doubt you. I'm not an expert on this, heck, I wasn't even allowed onto the actual servers (because of said compliance). I don't know the guidelines for login pages or what kind of security third party JS libs are supposed to have (also PCI is not a law, afaik).

What I'm asserting is that the servers that store the actual banking and customer data have very high security standards. It's one thing to store front end website code on a VPS, it's a totally other thing to store your database with customer & bank data on Linode.

The bitcoin breach seems analogous to Bank of America storing your account information on Linode and trusting it as the Real Data. Does that make sense?


> The bitcoin breach seems analogous to Bank of America storing your account information on Linode and trusting it as the Real Data. Does that make sense?

//reply to tomg, but it seems HN stops nested replies beyond a certain level

At the end of the day you can have millions of dollars of security, auditing, PCI compliance tests passing, developers that celebrate every Friday that everything is secure, data is hosted on premise etc... But if you leave the login page javascript to a third party hosted on Linode then you might as well be BoA storing your data on a MySQL Linode instance. So in a nutshell it kind of undermines the work you guys do.
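As an added illustration (not part of the thread), here is a small audit that lists every script or image a login page pulls from a host other than its own, which is the check the two comments above are implicitly describing; the page URL, vendor hostnames and HTML are constructed sample values.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ThirdPartyResourceAuditor(HTMLParser):
    """Collect <script src> and <img src> references whose host differs from the page's host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []  # (tag, host, absolute url)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img"):
            return
        src = dict(attrs).get("src")
        if not src:
            return  # inline script or image without a source: nothing external loaded
        url = urljoin(self.page_url, src)  # resolves relative and protocol-relative paths
        host = urlparse(url).hostname
        if host and host != self.page_host:
            self.findings.append((tag, host, url))


def audit_login_page(page_url, html):
    """Return the list of third-party (tag, host, url) resources found in the HTML."""
    auditor = ThirdPartyResourceAuditor(page_url)
    auditor.feed(html)
    return auditor.findings


# Constructed sample modelled on the pattern described above: a tracking pixel and a
# vendor script loaded into a first-party login page. Hostnames are placeholders.
SAMPLE_LOGIN_HTML = """
<html><body>
<img src="https://analytics-vendor.example/pixel.gif" alt="">
<script src="/static/login.js"></script>
<script src="//tags-vendor.example/tag.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for tag, host, url in audit_login_page("https://bank.example/login", SAMPLE_LOGIN_HTML):
        impact = "runs with full access to the login DOM" if tag == "script" else "can set/read cookies"
        print(f"{tag:<6} {host:<28} {impact}")
```

A script finding is the serious one: anything that can execute in the login page's origin sees whatever the user types, so each such host should be on an approved, version-pinned list.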


That's very true, and TBH I'm a bit surprised these banks are allowing that. IME doing frontend code for banks is that they're very strict on third party libs, even ones hosted by the bank itself, right down to only approving certain versions of the lib.


article doesn't open for me just a blank page with word 'deft'? is this some retard post with no content or is the server overwhelmed?


Why the downvote? Did the word retard offend you?


I wasn't the downvoter, but yes, the word retard does offend me. Why do you use it in this context?


What the fuck is it? Following the link /l it is immediately asking for my details without telling WTF it is - it is a grade A example of retarded marketing.


Choosing one "tool" gives you a description:

    Gemfury is a cloud server for your private [tool] packages. Once uploaded,
    your packages can be securely installed to any host. It's simple, reliable,
    and hassle-free.


This would be more helpful to see before you have to click anything.


As pointed out by another comment, this isn't the site's homepage. Perhaps an admin could update the link to point to http://gemfury.com?


Oh no... They forgot to add .svn to the .gitignore. A kitten has just died...


When did we go from standard measure of per second for these types of things, you know, requests per second, transactions per second, to per minute? Statistics eh?


For whatever reason, database people have been using transactions per minute for a long time.


I was thinking it might have been to prevent people using max queries per second even if it is unsustainable. Although an average should cover that.


tl;dr - giving the article a skim read it appears these devices won't allow facebook or youtube etc... so my point is probably moot..

Learning begins? Or we further Facebook's cause (along with other activities that are a complete waste of time, gaming and streaming poor comedy). In Thailand a lot of kids / teenagers / young adults have a netbook or laptop or a smartphone, if you are being a mr nosy you are guaranteed to see the little blue bar at the top of the screen and face palm, the wealth of information that is out there..


If complaining about the startup times of the JVM then I believe a solution already exists, i.e. ClojureScript running on top of Node.Js would be a better fit?


> i believe [...] ClojureScript running on top of Node.Js be a better fit?

Why? Python is likely to be installed in far more environments than Node, and for scripting, Clj on top of Python provides the faster startup of Python interpreters without the callback spaghetti inherent to Node. Because even if Clojure(Script) handles functions better than Javascript (both in verbosity — fns are no more verbose than lets — and in its scoping handling) it's still callback spaghetti.


Why ClojureScript? Because it is much closer to feature complete, tested, supported by the core team yada yada


> Why ClojureScript?

No, why is ClojureScript a better fit (than Clojure, running on Python)?


Python is preinstalled on a lot of platforms. That might be relevant.


1) Have you been using a shared computer? 2) Did you have a weak password? 3) Do you use the same password (or a small pool of passwords) for most sites and services?

Answering yes to any of the above and you really should not be posting on HN


1) No 2) No 3) No

I rarely check my email or sign onto my Google account on any other computer.


So that means I shouldn't be posting on HN because I use a shared computer.

Are you on drugs or some kind of prescribed medication ?

Dave


I should add "Have you been accessing sensitive sites such as your Google accounts on a shared computer?" The HN reference was to distinguish if the poster's complaint was worthy of a discussion or is it one of 100k+ people a day that get caught by keyloggers/phishing/social-engineering through their own stupidity (like accessing Google wallet on a shared computer)


Bad advice.

CoffeeScript isn't a framework, it is a language.

So for your DOM manipulation you say you understand the quirks and differences between WebKit and IE7, what about the host of other rendering engines, mobile/tablet/desktop and different OS editions. I bet there exist dozens of bugs in your implementation. But that's how startups waste money I guess. If jQuery isn't your style use another abstraction library or a lightweight version of jQuery, combined with minification, gzipping or a CDN, rolling your own (at your current level) is just STUPID, risky and a waste of money. Typical NIH.


Can you clarify non-profit, non-profit nowadays means very little, ICANN is non-profit and is about to fuck up top-top level domains so their CEO can buy a helicopter. Do you draw a salary and how much?


You're not wrong that this is sometimes the case, but definitely worth noting that plenty of the best charities in the world are non-profits with some salaried employees, it doesn't automatically make them evil.


For sure, I hope you don't object I've just registered adsbycappuccino, my idea is to make it a non-profit ad agency that does work for the benefit of charities, in my business plan I've decided to pay myself $120k pa (is yours the same? we can share a coffee and talk) presuming we get that via donations and running some commercial ads in the rotation. It should take off as those stupid HN readers will see non-profit and put some rockets behind my startup. Sweet.. :D


Yeah, that's an example of it being bad, what I'm saying is that a charity with paid staff isn't automatically evil, it's not so black and white.

For example, let's say this charity has a range of options for getting free advert spots on sites for charities. Option A is to have people who care but don't have the experience, and they get X monthly impressions. Option B is to pay someone a low full-time wage, say $30k, and they get Y monthly impressions. Option C is to pay a fantastic salesman $120k/year and he can pull in Z monthly impressions. Until you know the numbers, is option C guaranteed to be bad for the charity?

And of course that's just an example of a high salary - my first comment, that you replied to, was talking more about charities like Oxfam, where without any paid staff they just couldn't operate, they're far too big to be run on a 100% volunteer basis. But people they do employ are paid lower-than-typical salaries for their positions, and a large number of their work force are indeed volunteers.


Agreed. But with no transparency it pays to be cynical. In addition, bootstrapping it by asking HN to commit their time and web space whilst drawing a salary is a bit of a slap in the face from day 1. I'm sure a consortium of true HN readers could get this off the ground without salaried employees, maybe in six months then it would make sense to appoint salaried positions such as a treasurer and top-notch biz dev person.


Yes, both of you are right, but it would still be nice to understand exactly how much of a non-profit they are.


Red flag: you avoided answering the question.


Well that's because I have nothing to do with this charity and I work at a completely unrelated for-profit company...


I'd go so far as to argue that I have trouble trusting non-profits that do not pay their staff. If a not for profit wants to compete for good people, they need to pay them a living wage.


U.S. Nonprofit != charity


Indeed, but perception is a powerful thing, a non-profit for charities especially. Microsoft and [insert-evil-company-of-choice] could be non-profit if you soak up any remaining revenue by salary/bonuses. I mean ICANN is non-profit and the CEO already has put a down payment on a learjet from his new $185,000 tld registrar. My point is that they are soliciting free work from HN readers on some illusion of acting like a charity (it might turn out legit and verifiable, who knows) whilst being as transparent as a SOPA.


I was simply giving the short form version.

