Hacker News | trapexit's comments

Yes. https://forums.aws.amazon.com/thread.jspa?threadID=149690


nicpottier 12 days ago | link

Note that until it gets patched, you can go to your ELB config and disable TLS support, which I believe (someone please correct me if not) will protect you from this particular attack. Whether the cure is better than the disease is up to you.


ccpost 12 days ago | link

Disabling TLS in the ELB config seemed to work for me until AWS finishes the patch rollout. (Looks like they're partway on the rollout.)


You can (and should) set up an AWS CloudWatch alert on your account that will send you an email or SMS notification when your monthly bill exceeds a set threshold.


zwass 125 days ago | link

I was surprised how incredibly difficult that is to set up. Eventually I dead-ended following the instructions when CloudWatch told me there were 0 metrics to choose from for monitoring...


sharpy 125 days ago | link


There are a couple of things that are easy to overlook when using billing metrics.

1. All billing metrics are stored in us-east-1 even for usages in other regions.

2. If you are using consolidated billing, billing metrics will be published under the linked account, and will only be visible to that account.

Hope that helps.


chimeracoder 125 days ago | link

> 1. All billing metrics are stored in us-east-1 even for usages in other regions.

...what? Is this true? If so, can someone explain the logic behind this?


ceejayoz 124 days ago | link

It's true, and probably means a set of instances in us-east-1 are the ones computing and storing billing costs for users.


sharpy 123 days ago | link

Doing so allows customers to easily view the total estimated spend, rather than having to go to each region and add it up.


vertis 125 days ago | link

Yeah, I've done that now, but it's 'after the horse has bolted'
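Added example (not from the thread): the billing alarm trapexit recommends, set up programmatically with boto3 rather than by clicking through the console. It bakes in the detail sharpy raises above, that the `AWS/Billing` metrics live only in `us-east-1`, and the other easy-to-miss parameters (the `EstimatedCharges` metric, its `Currency` dimension, and a six-hour period, since the metric is only published every few hours). The topic name, alarm name and threshold are placeholders; the builder is separated from the API call so it can be checked without credentials, and the account must have "Receive Billing Alerts" enabled in its billing preferences before any metric appears.

```python
"""Create a CloudWatch alarm that fires when month-to-date estimated charges cross a threshold."""

BILLING_REGION = "us-east-1"      # billing metrics exist only here, regardless of where the spend occurs
SIX_HOURS = 6 * 60 * 60           # EstimatedCharges is published every few hours; a 5-minute period would see no data


def build_billing_alarm(threshold_usd: float, topic_arn: str,
                        name: str = "monthly-bill-over-threshold") -> dict:
    """Return the keyword arguments for CloudWatch.put_metric_alarm.

    Kept separate from the API call so the parameters can be inspected or
    unit-tested offline, without AWS credentials.
    """
    if threshold_usd <= 0:
        raise ValueError("threshold must be positive")
    return {
        "AlarmName": name,
        "AlarmDescription": f"Estimated month-to-date charges reached ${threshold_usd:,.2f}",
        "Namespace": "AWS/Billing",
        "MetricName": "EstimatedCharges",
        "Dimensions": [{"Name": "Currency", "Value": "USD"}],
        "Statistic": "Maximum",
        "Period": SIX_HOURS,
        "EvaluationPeriods": 1,
        "Threshold": float(threshold_usd),
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        # EstimatedCharges resets at the start of each month; gaps are not a breach.
        "TreatMissingData": "notBreaching",
        "AlarmActions": [topic_arn],
    }


def create_billing_alarm(threshold_usd: float, email: str,
                         topic_name: str = "billing-alerts") -> str:
    """Create the SNS topic, subscribe an e-mail address, and put the alarm in us-east-1.

    Needs credentials allowing sns:CreateTopic, sns:Subscribe and
    cloudwatch:PutMetricAlarm. AWS sends a confirmation e-mail that must be
    accepted before notifications are delivered. Returns the topic ARN.
    """
    import boto3  # imported here so the pure builder above works without boto3 installed

    sns = boto3.client("sns", region_name=BILLING_REGION)
    topic_arn = sns.create_topic(Name=topic_name)["TopicArn"]
    sns.subscribe(TopicArn=topic_arn, Protocol="email", Endpoint=email)

    cloudwatch = boto3.client("cloudwatch", region_name=BILLING_REGION)
    cloudwatch.put_metric_alarm(**build_billing_alarm(threshold_usd, topic_arn))
    return topic_arn


if __name__ == "__main__":
    # Placeholder threshold and address; replace before running against a real account.
    print(create_billing_alarm(100.0, "ops@example.com"))
```

Run it once from the account whose bill you want to watch; the alarm then evaluates the aggregate estimate for the month, so there is no need to repeat it per region.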


With a razor blade and a photocopier.


unimpressive 285 days ago | link

So you cut out the parts you don't want seen and then put a sheet of black underneath?


nether 285 days ago | link

Or no sheet underneath at all.


Set up a t1.micro instance on AWS and run a VPN server on it. The VPN instance accepts connections on port 25, etc. and forwards them over the VPN to your home server.

Your ISP sees nothing but encrypted traffic between you and your VPN server.

Alternately, buy a rackmount server and colo it. Authorities would need a warrant to seize it, just the same as they would to seize the server that's running in your basement.


plg 290 days ago | link

yeah I've thought about that, both ssh tunnelling to/from home from some hosted machine (e.g. AWS, or Linode, etc). The problem (from my point of view) is that the hosted machine is in someone else's "house". Even if it is a co-lo.... it is still sitting in someone else's house.

Thanks for the suggestion though. It gets part-way there


The input space is too small for SHA1 to effectively anonymize. The NANP, for example, has less than 10^9 possible numbers; it would be a very simple task to create a rainbow table mapping every possible phone number to its corresponding SHA1 hash.

For the same reason, you can't just use a simple cryptographic hash to "anonymize" data such as birthdates, zip codes, SSNs, or PINs.

Using a key derivation function with a very high cost factor can mitigate this to some extent (e.g. making it take 5 seconds on an average CPU to generate the hash from a phone number), but it by no means makes for secure anonymization; eventually computing power will catch up.

Encrypting the number with a secret key (or using an HMAC), and destroying the key after the anonymization takes place might be a reasonably secure way of doing this, however.
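Added example (not part of the comment above): the brute-force argument carried out in Python's standard library. To keep it fast it works on one constructed NPA-NXX block (area code 212, exchange 555), where only the 4-digit line number varies and the search space is 10**4; the full NANP is the same computation with a table roughly 10**5 times larger. It shows that plain SHA-1 and an unkeyed KDF are both reversed by a precomputed table (the KDF only raises the cost per entry), while an HMAC under a random key has no entry in any table built without that key, which is why the key has to be destroyed once the data set has been pseudonymized. The sample number, key size and iteration counts are assumptions for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample block: NANP numbers sharing area code 212 and exchange 555.
# Only the 4-digit line number varies, so the input space is 10**4.
NPA_NXX = "212555"
SAMPLE_NUMBER = "2125550123"   # constructed for the demo, not a real subscriber


def sha1_hex(number: str) -> str:
    """The 'anonymization' the comment argues against: an unkeyed hash of the number."""
    return hashlib.sha1(number.encode()).hexdigest()


def enumerate_block(npa_nxx: str):
    """Yield every number in one NPA-NXX block (10**4 candidates)."""
    for line in range(10_000):
        yield f"{npa_nxx}{line:04d}"


def build_rainbow_table(npa_nxx: str, digest_fn=sha1_hex) -> dict:
    """Attacker's precomputation: digest -> number for the whole block.

    With an unkeyed function the attacker runs exactly what the anonymizer ran.
    """
    return {digest_fn(n): n for n in enumerate_block(npa_nxx)}


def deanonymize(digest: str, table: dict):
    """Look a leaked 'anonymized' value back up; None means not recoverable from this table."""
    return table.get(digest)


def slow_kdf_hex(number: str, iterations: int) -> str:
    """Unkeyed KDF (empty salt): multiplies the cost per guess but not the number of guesses."""
    return hashlib.pbkdf2_hmac("sha256", number.encode(), b"", iterations).hex()


def hmac_hex(key: bytes, number: str) -> str:
    """Keyed pseudonym: the mapping cannot be rebuilt without `key`."""
    return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()


def demo() -> dict:
    results = {}

    # 1. Plain SHA-1: one 10**4-entry table reverses every number in the block.
    sha1_table = build_rainbow_table(NPA_NXX)
    results["sha1_reversed"] = deanonymize(sha1_hex(SAMPLE_NUMBER), sha1_table)

    # 2. Slow KDF: still reversed; the attacker just pays the same per-entry cost the
    #    anonymizer did. 50 iterations keeps the demo quick; raise it and the table
    #    build slows proportionally, but it always finishes.
    kdf = lambda n: slow_kdf_hex(n, 50)
    kdf_table = build_rainbow_table(NPA_NXX, kdf)
    results["kdf_reversed"] = deanonymize(kdf(SAMPLE_NUMBER), kdf_table)

    # 3. HMAC with a random secret key: the attacker's unkeyed table has no entry for it.
    key = os.urandom(32)
    pseudonym = hmac_hex(key, SAMPLE_NUMBER)
    results["hmac_in_unkeyed_table"] = deanonymize(pseudonym, sha1_table)

    # Whoever still holds the key can rebuild the table, so the key must be destroyed
    # after the data set has been pseudonymized (here: dropped when the function returns).
    keyed_table = build_rainbow_table(NPA_NXX, lambda n: hmac_hex(key, n))
    results["hmac_with_key"] = deanonymize(pseudonym, keyed_table)
    del key
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same reasoning applies to any small, structured input space the comment lists (birthdates, ZIP codes, SSNs, PINs): the table just changes size, and only a secret the attacker does not hold keeps it from being built.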


anonymous 292 days ago | link

Maybe just salt each number with a random salt?


Yes. Definitely pre-sell. Not only does this fund your development efforts, it is the ultimate validation that you have actually come up with a product that people want to buy. There's a big difference between people saying they would buy something--and actually pulling out a credit card.

Offer your "charter members" 10% or 20% off for life in exchange for a 3 or 6 month prepay. Reverse the risk by guaranteeing their money back if they don't love it.

If you can't get clients to pre-pay, then your offer is not compelling enough.


poppysan 302 days ago | link

I think he means dev services, not necessarily a product. It's still a good idea, but you must be one hell of a salesman or have some folks who truly believe in you.


trapexit 302 days ago | link

Oh, yeah, I misunderstood. I thought he was taking a course on how to build web apps in Rails so he could create his own product, not work for other people.

Pre-selling a contract software development service when you haven't yet learned how to do it is going to be a lot more of a challenge.

Much easier (and much more lucrative) to pre-sell a product and then pay someone else to build it.


Welcome to contract work!

Customers paying late is a fact of life, and from time to time you'll need to be persistent and/or aggressive about collections.

Get in touch with your contact at the client company and let them know you haven't been paid for your work yet. Ask for a contact in their Accounts Payable department. Follow up with that person and make sure that your invoice got entered into their system. Make it clear to them that they're past due, and unless you receive payment on the next banking day that you will begin assessing the late fee you stipulated in your contract (you did stipulate a late fee, right?)

If you're dealing with quality clients, they'll almost never just try to stiff you on the payment; instead, it's because their accounting processes are completely disorganized (sometimes intentionally!). If your client isn't a large, trustworthy, stable company, always get your payment up-front. Even if they are a big company you trust, get an advance; it'll help tide you over while you're waiting for them to pay your net-15 invoice... net-90.

After consulting for more than four years, my past-due receivables balance (which at one point exceeded $200,000!) finally went down to $0 only last week. And that's because I stopped taking on new work.

I've had customers who were nearly 90 days behind on payment (I used to be really bad / lazy about collections) and required almost a dozen followup emails and calls to get things straightened out. As far as I can tell, it was never out of outright malice, just the general disorganization and reluctance to part with cash that you find at big companies.

Don't take any aggressive / adversarial actions until you've exhausted all the polite request options. Give them the benefit of the doubt (unless your contact is already the person who writes the checks, and has no excuse). Be polite, firm, and extremely persistent. Get a commitment that you will be paid before date X, and if you haven't been paid in full by then, assess your late fee and start calling / emailing on alternate days until you do get paid, or until your patience is exhausted. Get lawyers involved only as a last resort. And next time, get paid in advance. :)


Watch the 3rd video (Rob Walling) on this page: http://www.microconf.com/videos-2012.html

The whole video is well worth watching, but he covers channels specifically at around 37 minutes in.


Coincidentally, I just discovered today that you can also do a forward-delete on a Mac laptop keyboard by hitting Fn+Delete. Very useful for e.g. sending a ⌘⌦ (Ctrl-Alt-Del) to a VirtualBox VM.



Freelancers / consultants, I'm doing some research and would appreciate your input. Help a fellow entrepreneur out and maybe learn something valuable in the process.

If nothing else, you may get some referrals from me down the line. "Where can I find a good developer for X?" is a question I hear not infrequently.

I'd like to talk about your business goals and experiences with finding clients. This would be a short phone call / Skype call.

Email: bwb@holo.org


stcollective 374 days ago | link


add me skype: sergiomelotorres from Portugal



