Sounded more like concern over whether "special requests" where needed to access the data on S3.

thanks cb.

yeah the typo isn't in the code. the request is correct and requests permission for the custom header. the problem is that this line in the config:

is not actually generating the allow header in the response for "x-user-session". It's generating the other three headers, but ignoring that one.

wow that seems nuts. i got 1 TB of downloads on astraweb for $50. it was on discount but still, i would expect amazon to be way cheaper, not more expensive. not exactly analogous but why is it so different?

I don't know enough about Astraweb.

My guess is that AWS doesn't care to be competitive in downloading data from S3. It would be such a small amount of money compared to the money they make by locking people into the whole AWS suite of services.

And TBH, given their suite of services its probably a rare use case that you regularly want to remove that much data from S3. Of all the companies I know that are keeping ridiculously large amounts of data in S3 they're also doing all processing and storing of the processed data in AWS as well (either in something like dynamo or in a database hosted on EC2 machines). The data really only comes out when one of their 'users' makes a request of their app and they have to retrieve the data specific for that request.

Edit: And aside from price, the bigger reason you don't want to download that much data from S3 is performance. You can transfer data extremely fast when you're inside the AWS network. If you're transferring large amounts of data through the interwebz its going to be slow.

So, with complex requests, you're sending two requests, one OPTIONS request, then the actual GET/PUT/whatever requests. And it's the options response that has to have those headers to tell the browser it's okay to make the request. It looks like the OPTIONS request isn't getting through to the application where the above settings even apply.

Try this:

http://stackoverflow.com/questions/1...haring-on-iis7

Edit: it's possible you know all this and tried everything, but you may want to be explicit in the question itself and include all these details, actual request/response texts, and how you're generating the options response, etc, because otherwise there's not enough context.

Also, any particular reason why standard case isn't used for headers? They are supposed to be case-insensitive, but it kind of sticks out and there could be a bug somewhere along the way it's triggering.

Has everyone been following the MongoHQ breach (http://security.mongohq.com/notice#security-breach)? I have had emails from about 5 different providers (CircleCI, Ink File Picker, Buffer to name a few).

While I appreciate that MongoHQ has been very open about the breach, and done a good job revoking API keys and contacted affected parties, the fact that this happened in the first place is completely unacceptable.

Almost every day now I see sites post on Hacker News about how they have been hacked and are now putting in a load of security practices to make sure it doesnt happen again... but its too late!! Their customers personal data has already been stolen. Putting an article on Hacker News saying how they are going to 'do better next time' is simply not good enough.

/rant

Your rant feels slightly misguided.

Security breaches are going to happen. People **** up and there are smart people out there that want to do bad things and almost no company has the ability or resources to be 100% secure.

Given that, the best route forward seems to be to encourage a culture of openness about these incidents. In terms of what happened, what were the root causes of the vulnerability, and what did the company do to address what happened.

If in that discussion it becomes clear that the security breach was due to incompetence or poor decision making by the company then by all means we (as an industry or as consumers) should punish the company both with a loss of business or potentially with legal action. But if its something unexpected or unforseeable or even just a random one-off **** up the best thing seems to be to just deal with it, learn from it, and move on.

I agree with the first part of this. Security breaches happen, and if an attacker is determined enough, there is a high chance they will succeed in penetrating a system, but if you are a company providing cloud database hosting, then your system should be beyond bullet proof.

I have seen some smaller sites fall victims of attack and its clear there was little they could do about it, but for a company specialising in storing sensitive data, this should never happen.

But thats like saying that airlines responsible for flying millions of passengers/year should have safety systems that are beyond bullet proof. It's not possible - and we only get close by being really open about the problems that we do have.

Websites containing personal data and credit cards are being hacked at a much higher rate than aeroplanes....

Things like encrypting AWS tokens should be standard practice... those keys (in some cases) can provide unlimited access to amazon web services. If someone had stolen my AWS key and ran up several thousand dollars of bills on amazon, I am pretty sure MongoHQ wouldnt step up to cover the costs.

Sure. But the airline industry has had decades to review safety issues and address them. Regardless, my point is more that you can't just say that certain sites should be 100% secure. Its not realistic.



I 100% agree and its why I said I thought your rant was slightly misguided (and not wrong). This is a legitimate complaint. And finding out that they weren't doing this would make me wary of continuing to do business with them.

But this is separate from the original security breach.

I guess bullet proof was the wrong choice of phrase... agreed, nothing is going to be 100% secure, but I do think that a lot of startups dont put enough emphasis on security until its too late. Hopefully they will get better.

yeah, he knows all about preflighting. the problem here is that the server is ignoring the header directives he's configuring it to send. i'm pretty sure it's just an iis7 config thing that anyone who admins those servers could answer in a second. not sure why he used lowercase, but it seems to work fine on the get requests so i don't think that's the issue.

i'll tell him to add some more info and request / response examples though -- that's a good idea.

but they should

I don't want to pay $250,000 to fly across the Atlantic. So I'm cool with not actually having a 100% safe airline*.





* And there would still be accidents. Because 100% safety isn't possible.

When it worked for get requests, did he get a different options response with the correct headers or did the get request skip the preflighting? Or did the browser ignore the mismatch?

actually i think get requests skip the preflighting....

Actual rules are kind of complicated, but if you have a custom header, it should go through preflighting. But I'm not sure if browsers follow all these rules as spec'ed I've seen tons of inconsistent behavior.

yeah you may be right. in any case the GETs are working, maybe with preflighting maybe without. i'll have to check and get him to add the info to the post, but he doesn't work on weekends.

Does anyone own a Nexus phone here? I've never seen one in the wild.

I just bought an LG phone for $200. I use Virgin Mobile, so Nexus isn't possible to use.

A few of my friends have the Samsung S3 phone. I was shocked to see that my phone is superior to theirs in every way. I can multi-task, lock screens, the internet is way faster, everything is just snappier, and the battery lasts all day. Best of all, this phone has almost no bloatware, so there is no need to root the thing to get rid of all the terrible apps I don't want to use. It even let me remove the Virgin mobile apps.

Pretty happy with the purchase. The difference between Android 2 & 3 -vs- Jelly Bean is astounding. Just completely different. I had my last phone for 2 years. I was holding out for a Mozilla phone, but this one was starting to die out. Still wish I could get something besides Android or iPhone, but there doesn't seem to be any dumb phones I can use.

New phones better than old phones? Crazy.

Did they sell 9 million this weekend?

I worked for a healthcare company trying to write a gargantuan Ajax-based app in 2003, except we didn't know it was called Ajax. We are actually bringing back XML to a hidden frame, but the concepts are very similar. I had to basically write the "plumbing" on the fly for the app as we developed and requirements became clear. I kept thinking this is going to become a lot easier when someone writes a nice generic framework for it.

I'm happy with my s4 but kind of wish I could undo the buying. I kind of want a phone that is fully compatible with Replicant

If the Nexus 4 drops a lot in price due to the 5 being out I might buy an extra one just to play with Ubuntu Phone (only Nexus 4 and Galaxy Nexus officially supported right now)...or maybe the Nexus 5 is the official target for Ubuntu Phone? [release was supposed to be around October, right?]

Either way I kind of like the idea of developing in QML and having it work on all devices. Their "appstore" system also sounds interesting

What do Apple / Linux web-dev houses do in regards to making things work in IE. Is there basically one person working on the design on a windows machine and pushing the changes? Seems like a dependency nightmare.

It's a pain. If you customer is mostly big corporations they generally are using IE of some flavor in the office. Too many bugs are because we aren't doing enough testing in IE and wait for the customer to bring it our attention...