This is part of doing business for the cloud provider.
The cost of running compute to deal with unauthorized requests for an arbitrary extant S3 bucket is the same as the cost of running compute to deal with unauthorized requests for nonexistent S3 buckets.
If I generated a billion requests to an S3 bucket that did not exist, Amazon would have to decline that traffic in the same way. Since the recipient did not exist, there would be no one to bill.
I, as the attacker, should not be able to add on a sticky note saying "btw you can charge X user for this malicious traffic" and have Amazon actually honor that.
EDIT: Here's an analogy. Say a business in a city has a front lawn that they must pay to maintain. Sometimes people walk on the grass as a shortcut to the business. Some subset of those people also enter the business as a customer. Would it be fair for the business to charge those people more to account for the extra landscaping bill they cause?
But the answer doesn't matter, because that's not what happened. What happened here is more like, someone left a note on the front door of the business saying "My name is X, and I walked on your grass last night", and so that day the business charges more to any customer whose credit card says their name is X.