> > it's the difference between a $200m raise with a bunch of untested API endpoints and a $10m raise with them.
> I'm tired of companies with API endpoints that leak data like a sieve. This is why companies need some skin in the privacy game.
There is a world of difference between “untested” and “insecure” API endpoints. What seems to have been cut in the example isn’t a permissions model, but some form of automated integration testing.
I’ve seen horribly insecure APIs with 100% code coverage, and I’ve personally burned myself on untested API endpoints where the privacy implementation was _too_ restrictive for what my customers were trying to do.
I've worked with Firebase Hosting for around three years, using Firebase Functions instead of Cloud Run, but in your particular example, you can configure your Firebase Hosting to rewrite requests against your Cloud Run instances as documented in https://firebase.google.com/docs/hosting/full-config#rewrite....
This doesn't require handling an OPTIONS request for every endpoint, which I agree could be fairly simple, but Firebase Hosting configuration could very well be less invasive than this change in the rest of the codebase.
Meta might not be legally able to buy “the next big thing” in international markets. Neither the EU nor the US are particularly “friendly” to them right now, and pretty much anything Meta does in the social media category is going to run up against anti-trust regulation.
Instagram was probably the last time Facebook could have gotten away with that sort of thing in the North American and European markets. I’m being cautious to only include those markets because I’m not familiar with the regulatory environment elsewhere.
> No deadlocks, races, etc to worry about because lock graph concurrency is complicated.
I’ve spent the last two and a half years mainly programming in single-threaded NodeJS environments with a focus on heavy same-task concurrency, and I’ve still run into deadlocks and races, despite the lack of OS threads involved.
However, your point that context switching is expensive, and is why thread-per-core architectures are so common, still holds.
> Even simpler: do not upload copyrighted materials to Dropbox, Google Drive, etc.
As the article illustrates, it’s not actually that simple. Cloud services that terminate accounts (and probably instantly delete everything, to comply with GDPR, CCPA, etc.) for perceived copyright infringements will always and necessarily suffer from a false positive rate.
We’ll likely never truly learn what this false positive rate is, but that it will always exist is reason enough to give pause to the thought that services should “just terminate their account” if they think it’s infringing on intellectual property laws.
The only good answer here is an unqualified “Use a local backup”. The terms of use for non-business cloud storage absolve the providers of all responsibility for data loss, even when they have incorrectly taken punitive action against you.
Though their timing is incorrect. We noticed this at 9:26 AM EST and their posting says it "started" at 10:11 AM EST.