by maximilianroos 376 days ago
> One of the challenges faced by our Java service was its inability to quickly provision and decommission instances due to the overhead of the JVM. ... To efficiently manage this, we aim to scale down when demand is low and scale up as demand peaks in different regions.

but this seems to be a totally asynchronous service with extremely liberal latency requirements:

> On a regular interval, Password Monitoring checks a user’s passwords against a continuously updated and curated list of passwords that are known to have been exposed in a leak.

why not just run the checks at the backend's discretion?


> "why not just run the checks at the backend's discretion?"

Because the other side may not be listening when the compute is done, and you don't want to cache the result of the computation because of privacy.

The sequence of events is:

1. Phone fires off a request to the backend.
2. Phone waits for a response from the backend.

The gap between 1 and 2 cannot be long because the phone is burning battery the entire time while it's waiting, so there are limits to how long you can reasonably expect the device to wait before it hangs up.

In a less privacy-sensitive architecture you could:

1. Phone fires off a request to the backend. Gets a token for response lookup later.
2. Phone checks for a response later with the token.

But that requires the backend to hold onto the response, which for privacy-sensitive applications you don't want!

Especially since the request contains the user's (hashed) passwords. You definitely don't want to be holding that on the server for longer than necessary.

Is it really a problem? The client can pass an encryption key with the request and then collect the encrypted result later. As long as the computation is done and the result is encrypted, the server can forget the key, so the cache is no longer a privacy concern.

You can, and in situations where the computation is unavoidably long that's what you'd do. But if you can do a bit of work to guarantee the computation is fast, then it removes a potential failure mode from the system, and a particularly nasty one at that.

If you forget to dump the key (or if the deletion is not clean) then you've got an absolute whopper of a privacy breach.

Also worth noting that you can't dump the key until the computation is complete, so you'd need to persist the key in some way, which opens up another failure surface. Again, if it can't be avoided that's one thing, but if it can, you'd rather not have the key persist at all.


"UPDATE checks SET result=?, key=null"

Is it that hard?

Also I don’t think persisting a key generated per task is a big privacy issue.

thanks!
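The encrypt-then-forget variant argued over above, written out as an added example (not code from this thread or from the service it discusses): the server seals the result under a client-supplied AES-GCM key, wipes the key, and keeps only the ciphertext for later pickup by token; KeyRetained is the check for the "forgot to dump the key" failure mode raised in the reply. The type and function names, the in-memory job store and the sample result are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)
// job is one pending check: the client key lives only until the result is sealed.
// Server maps opaque pickup tokens to jobs (an in-memory stand-in for a DB row).
type job struct{ key, ciphertext []byte }
type Server struct{ jobs map[string]*job }
func NewServer() *Server { return &Server{jobs: map[string]*job{}} }
// gcmFor builds an AES-GCM AEAD from a 16/24/32-byte key; used by both sides.
func gcmFor(key []byte) (cipher.AEAD, error) {
	b, err := aes.NewCipher(key); if err != nil { return nil, err }; return cipher.NewGCM(b)
}
// Submit validates and copies the client key, then returns a token for later pickup.
func (s *Server) Submit(key []byte) (string, error) {
	if l := len(key); l != 16 && l != 24 && l != 32 { return "", fmt.Errorf("bad key length %d", l) }
	tok := make([]byte, 16)
	if _, err := rand.Read(tok); err != nil { return "", err }
	token := fmt.Sprintf("%x", tok)
	s.jobs[token] = &job{key: append([]byte(nil), key...)}
	return token, nil
}
// Complete seals the result under the client key, then zeroes and drops the key,
// so the stored record can no longer be opened on the server side.
func (s *Server) Complete(token string, result []byte) error {
	j, ok := s.jobs[token]
	if !ok || j.key == nil { return fmt.Errorf("unknown or already completed job") }
	gcm, err := gcmFor(j.key); if err != nil { return err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return err }
	j.ciphertext = gcm.Seal(nonce, nonce, result, nil) // stored as nonce || ct || tag
	for i := range j.key { j.key[i] = 0 } // best-effort wipe, then drop the reference
	j.key = nil
	return nil
}
// Collect returns the sealed result (nil until Complete has run). KeyRetained is
// the audit check: true means the "forgot to dump the key" failure has happened.
func (s *Server) Collect(token string) []byte { if j, ok := s.jobs[token]; ok { return j.ciphertext }; return nil }
func (s *Server) KeyRetained(token string) bool { j, ok := s.jobs[token]; return ok && j.key != nil }
// Open is the client-side pickup: decrypt with the key the client kept locally.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key); if err != nil { return nil, err }
	if n := gcm.NonceSize(); len(sealed) >= n { return gcm.Open(nil, sealed[:n], sealed[n:], nil) }
	return nil, fmt.Errorf("short ciphertext")
}
```

The wipe is best effort only: Go's runtime may have copied the key bytes, so the real guarantee comes from never persisting the key outside this record and from the KeyRetained check in tests.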

> why not just run the checks at the backend's discretion?

Presumably it's a combination of needing to do it while the computer is awake and online, and also the Passwords app probably refreshes the data on launch if it hasn't updated recently.