by smeagol 4998 days ago
we're incredibly sorry about all of this.

honestly, this was all accidental. it was a pet project we started to toy with Glacier and a week later i accidentally hit the Like button sending a ping to my friends on FB. bless my friends for being so influential i guess. shame on us for using Rails carelessly.

if you have any experience with startups, you'll know that 99% of the things you launch go nowhere--this project was no different. we honestly thought our site was of absolutely no consequence. we're truly thankful so many people found it useful, but trust me we're sorry there was a hole.

however, just to be clear:

- about 20 accounts were exposed, including me and my buddy
- i emailed all of them, and wiped out the credentials
- they quickly responded (i saw the updates come in)

thankfully, AWS is designed for such situations. with a few clicks, people deactivated their credentials (both IAM and main account) and regenerated new credentials. the fact that all the early signups were techies who know their way around AWS really saved us.

one more thing: the correct quote is:

"Glacier is built for durability of 99.999999999%"

also: i agree with ryan--don't trust 10-minute old startups :-)
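
The credential response described in the post above (deactivate every exposed key, then issue fresh ones), as an added example that is not code from the original post or from the project it describes. It uses the real boto3 IAM client method names (list_access_keys, update_access_key, create_access_key, delete_access_key); the FakeIAM class is a constructed in-memory stand-in so the procedure runs offline, and the user name and key IDs in the usage are made up. Pass boto3.client("iam") in place of FakeIAM() to run it against a real account.

```python
"""Emergency rotation of leaked IAM access keys (added example, not the post's code)."""
import secrets

MAX_KEYS_PER_USER = 2  # AWS hard limit on access keys per IAM user


class FakeIAM:
    """Constructed in-memory stand-in for the subset of the IAM API used below."""

    def __init__(self, existing):
        # existing: {user_name: [(access_key_id, status), ...]} -- constructed sample data
        self.keys = {u: [{"AccessKeyId": k, "Status": s} for k, s in ks]
                     for u, ks in existing.items()}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k, UserName=UserName) for k in self.keys[UserName]]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self.keys[UserName]:
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status
                return {}
        raise KeyError(AccessKeyId)

    def delete_access_key(self, UserName, AccessKeyId):
        self.keys[UserName] = [k for k in self.keys[UserName] if k["AccessKeyId"] != AccessKeyId]
        return {}

    def create_access_key(self, UserName):
        # Mirrors the LimitExceeded error the real API raises at two keys.
        if len(self.keys[UserName]) >= MAX_KEYS_PER_USER:
            raise RuntimeError("LimitExceeded: user already has two access keys")
        new = {"AccessKeyId": "AKIA" + secrets.token_hex(8).upper(), "Status": "Active"}
        self.keys[UserName].append(new)
        return {"AccessKey": dict(new, UserName=UserName, SecretAccessKey=secrets.token_urlsafe(30))}


def revoke_and_rotate(iam, user):
    """Deactivate every existing key for `user` first, then issue one new key.

    Returns (revoked_key_ids, new_key_id). On a leak the order matters: revoke
    before you issue, so the window in which the exposed key still works is as
    short as possible. Deletion is deferred (keys stay Inactive) so a mistaken
    revocation can be undone once you know nothing legitimate depended on it.
    """
    existing = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    revoked = []
    for meta in existing:
        if meta["Status"] == "Active":
            iam.update_access_key(UserName=user, AccessKeyId=meta["AccessKeyId"], Status="Inactive")
        revoked.append(meta["AccessKeyId"])
    # AWS allows at most two keys per user: if both slots are used, one of the
    # (now inactive) keys has to go before a replacement can be created.
    if len(existing) >= MAX_KEYS_PER_USER:
        iam.delete_access_key(UserName=user, AccessKeyId=existing[0]["AccessKeyId"])
    new_key = iam.create_access_key(UserName=user)["AccessKey"]
    return revoked, new_key["AccessKeyId"]


def active_key_ids(iam, user):
    """Post-rotation check: only the freshly issued key should be Active."""
    return sorted(k["AccessKeyId"]
                  for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
                  if k["Status"] == "Active")


if __name__ == "__main__":
    # Constructed sample: a user whose two keys were both exposed.
    iam = FakeIAM({"alice": [("AKIAOLDKEY000000001", "Active"), ("AKIAOLDKEY000000002", "Active")]})
    revoked, new_id = revoke_and_rotate(iam, "alice")
    print("revoked:", revoked, "new:", new_id, "active now:", active_key_ids(iam, "alice"))
```

This only covers IAM user keys; the "main account" (root) credentials the post mentions are managed from the account's security credentials page, not through the IAM user API. A real run should also verify in CloudTrail that the revoked keys see no further successful calls.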


Classy response. Now here's your chance to take lemons and make lemonade. Clearly your pet project is something that people find really interesting and useful. So it went public before you intended and had some security flaws: oh well, that's in the past now. Write your mea culpa about how much you learned from this experience, hit the front page of HN again, sign up a bunch of users, and go get some venture capital. Good luck!
Couldn't agree more. The silver lining here is thick. Leverage it and win.
Somebody fund this guy's 'how to make lemonade' book right now. Best advice on here.
Contacted a PR person in between the last thread and this one, I'm guessing? That's a rapid 180.

You have a long way to go in my mind, in terms of fixing the initial response. You probably have help now, which is great, but your initial kneejerk demonstrates underlying trouble to me which you need to fix.

You're in a tough spot, too, because you can't delete those godawful comments without looking suspicious.

huh? you realize this was a pet project right? we're two dudes with no jobs.
You repeatedly write some form of that assertion (we're two nerds) as if it is supposed to excuse something. I honestly couldn't give a rat's ass regarding who you are. I care about your actions and your actions alone. Stop making excuses!

I'd like you to apologize not only for the disclosure, but also to the reporter for how you treated him in the other thread. The entire other thread of your responses is disgusting, and you don't get to write it off because of your gender, quantity, or employment status. Own your comments and stop excusing them with that bullshit line.

I have to admit that I would also be pleased if your service disappeared until you're working with somebody who has a little more experience with secure Web applications; this mistake betrays your experience. Since we all started somewhere, though, I can only hope you fix this on your own.

Why did you share Ryan's email address in a previous comment and why haven't you deleted it yet?
On Hacker News, you cannot delete or edit a comment except during the first 2 hours of the comment's existence.
Which answers part two of my question but not part one ...
Right. We're still waiting for an answer to why he published his critic's email address.
Knee-jerk reaction?
To be honest this is a much better response than the previous one in the other thread.

Also, can you explain what "Glacier is built for durability of 99.999999999%" actually means, if not uptime?

Think of durability like the bank telling you that your money is 99.99999999% secure in their vault, but you can only access it from 9 to 5, Monday to Friday. The bank's "uptime" is really low (40 hours / 168 hours * 100%) but your money's "durability" is quite high.
Thanks, I would find it helpful if you could also explain that on your homepage. The statement "Amazon Glacier is designed to provide average annual durability of 99.999999999% for an archive" is quite clear and meaningful, but "Glacier is built for durability of 99.999999999%" just seems like a non-sensical marketing blurb.

If I got my math right, this means that they expect to lose on average about 10 bytes per stored terabyte per year. (Of course these losses, should they occur, would probably not be uniformly distributed.)

Yeah, it is more like 1 file in a 100 billion gets lost.