resist1984 @resist1984@social.privacytools.io

@jubes when a small company outsources to CloudFlare, they're often over-estimating the threat of outsider attack while under-estimating the threat of CF compromise (cloudbleed or CF exploiting the data). And if the threat manifests into a DoS attack, admins usually aren't aware that CF is non-gratis for high traffic.

@jubes As someone worked in the trenches of several fortune 500 corps, I've been forced to interact with incompetent services & poorly designed tools to interface w/those svcs many times. The waste is stark yet hard to quantify mathematically (& if it were quantified there's not generally a path to present it to upper management - such trouble makers risk getting cut loose)

@jubes It's far easier for a manager to justify the choice to outsource than it is to take responsibility for an internal disaster where you had control over all the moving parts. Managers don't get sacked for the mere decision to outsource, so outsourcing is the /safest/ path.. the path of least risk for a manager's job security.

@jubes I think you are implying that #GDPR compliance is somehow the end of the story. It's an abuse of the spirit that drives the GDPR's data minimization clause. It would be too ambitious for the GDPR to restrict who can be a data processor, so it's important as users to refuse unreasonable data sharing, like that of CloudFlare.

@jubes Non-profit or not, if an org opts to use #CloudFlare amid its huge list of ethical issues (https://codeberg.org/swiso/website/issues/141), ethical users have a duty to condemn it. Users don't have a duty to the bottom line.

@jubes the business case for #Liberapay (as a non-profit) is not to maximise profits. An ethics-lacking profit-driven business may use CloudFlare if their bottom line justifies it, but that's not the economic model that #Liberapay users are expecting.

@jubes #CloudFlare actually directly and deliberately /reduces/ availability by blocking legitimate Tor users. Availability is the most important security factor and they arbitrarily marginalize users who take steps for their own security, forcing unreasonable exposure.

@jubes CF has taken over 10% of the web, which makes them a highly desirable target. And when attacked such as when #cloudbleed happened, the impact is unacceptably devestating. All users on the affected sites had to change their passwords.

@jubes When someone reported #Cloudflare-proxied child porn to CF, instead of taking corrective action CF doxxed the person who reported it to the admins running the site that hosted the porn, who then publically smeared the whistle blower to solicit attack on that person. This proves that CF cannot be trusted with sensitive information.

@jubes Management loves to outsource b/c when shit hits the fan, finger pointing is a form of job security. It's not good for users though.

@jubes #Liberapay uses #CloudFlare (a recipe for disaster in itself), so we're blocked from checking the hosting provider, but Liberapay bluntly states that #AMZN is their hosting provider. It's a given that a service must trust their own insiders, but making a tech giant an insider kills trust particularly given a history of breaches.

@jubes Is Capone, Amazon-Swiggy-Juspay, & Liberapay only using AWS for storage? AWS is also a hosting service, so I thought AWS was where these financial services ran their web server. The Capital One attack was executed by a contractor who worked for Amazon. Perhaps their insider access gave awareness of the malconfig.

@jubes Even if the containers are secure, the financial institutions are still exposing sensitive data to #Amazon. Amazon is big, with untrustworthy insiders, proven by the Capital One #dataleak.

#Bolsonaro supports the violent #Trump-supporting insurrectionists. I won't go to #Brazil until he's out. When will that be? 2023? BTW, is the "Social Liberal Party" much more right wing than it sounds?

@jubes @gerowen i'm assuming all hashes are designed to be fast and simple to compute.. at least, I've not heard of hashes that are deliberately computationally slow.

@gerowen @jubes i guess the critical question is how much of it was hashed. If just 4 digits were hashed, it would be trivial to hash and compare 10,000 combinations.

@abloo well if it's an #Amazon gift card, not using it ensures Amazon $30 in profits, while using it gives them profits on $30 in goods. Damage is done, so I'd say either give it back to the giver or sell it.

@Wetrix https://content.time.com/time/health/article/0,8599,1968042,00.html

@Wetrix https://westminsterresearch.westminster.ac.uk/item/8y84q/analytic-thinking-reduces-belief-in-conspiracy-theories https://digest.bps.org.uk/2017/04/05/why-more-highly-educated-people-are-less-into-conspiracy-theories http://edition.cnn.com/2010/HEALTH/02/26/liberals.atheists.sex.intelligence/index.html