The title makes it seem like this is a major or systemic issue, but the article content essentially says this was a one-off, potentially a mistaken omission that was fixed within 24 hours. The article itself even states that the Post routinely discloses its ties to Bezos in its reporting and this was an anomaly. I used to read the Post (I’m not a subscriber anymore) but I do distinctly remember seeing such a disclosure all over the place. Is this an attempt at outrage clicks?
Edit: people saying I didn’t read the article apparently didn’t read it themselves. From the article:
> The Post has resolutely revealed such entanglements to readers of news coverage or commentary in the past … since 2013, those of Bezos, who founded Amazon and Blue Origin. Even now, the newspaper's reporters do so as a matter of routine.
So at minimum the article disagrees with itself, but it seems the outrage bait is working hook, line and sinker.
Edit 2: To try and be a little clearer here: the article is trying to (but in my opinion doing a really poor job of) make a distinction between the disclosures that the non-editorial WaPo authors do, and the disclosures that the editorial authors do, with the assertion that the editorial authors are worse at it.
> On at least three occasions in the past two weeks
Bezos announced a relaunch of the Opinion section earlier in the year, I don't think it's unreasonable to wonder if there has been a policy change. Three times in two weeks is a lot.
> potentially a mistaken omission that was fixed within 24 hours
potentially, yes. Responsible news organizations post correction notices when they make an omission like this, but WaPo did not (despite having a history of doing so, again, a notable change in practice)
Do Editorial and Opinion sections of newspapers do "conflict of interest" disclosures as a matter of course? It seems like it should be assumed that an Opinion article is expressly a biased article, written by someone with an interest in the topic at hand. If the NY Times wrote an editorial on schools or on medicaid, I wouldn't really expect to see a line disclosing the number of editorial staff members with children in the school systems or with family members receiving medicaid.
And this is an honest question, I don't know what the WP standard for their Editorial and Opinion pages was prior to Bezos' ownership, nor what the broader industry standard was before say 2016.
> And this is an honest question, I don't know what the WP standard for their Editorial and Opinion pages was prior to Bezos' ownership, nor what the broader industry standard was before say 2016.
Fortunately, the NPR journalists do know, as the article states:
>> The Post has resolutely revealed such entanglements to readers of news coverage or commentary in the past[...]
Great, and that's followed by
> Even now, the newspaper's reporters do so as a matter of routine.
So, we know they "resolutely revealed" this in the past (but that is of course not the same word as "unfailingly" or even "always"), and we know that they continue to do so even to this day "as a matter of routine". But neither of those tells us anything about the current frequency compared to the past frequency. Likewise it tells us nothing about whether the "matter of routine" changed since before Bezos took ownership.
Similarly it says nothing about the wider industry. Oh sure, they tell us:
> Newspapers typically manage the perception with transparency.
And they tell us that viewing it as a conflict of interest is "conventional", but again no information about how the WP's frequency (either before or after Bezos took ownership) compares to the industry as a whole, nor whether that frequency has actually changed.
Again some numbers would be instructive here. The article says "at least 3 times in the last 2 weeks" this has occurred (and apparently been subsequently corrected). But how many times was it necessary in the last 2 weeks? If the WP published 4 articles in the last 2 weeks that would have normally had one of these disclosures, missing 3 out of 4 is a different thing than if the WP published 200 such articles in the last 2 weeks.
I know it's always been a lot to ask our news reporters to actually do some fact gathering, but it hardly seems unreasonable to ask for any sort of comparative information when asserting there is a change people should be concerned about.
> Great, and that's followed by
> > Even now, the newspaper's reporters do so as a matter of routine.
What's the issue with the follow up?
The headline says "WaPo no longer does B". I quoted the bit that says "in the past, WaPo used to resolutely do A and B" to answer your question about whether we should expect B at all, and your riposte is "the NPR article continues to say WaPo still does A". The NPR article is about WaPo stopping B, and now you have a historical baseline for B.
I'm not interested in the pivot to arguing about whether news articles ought to share raw data; the way it works now is via editors, editorial standards and fact-checkers that determine if the facts support the wording. Ultimately, news outfits like NPR and the Washington Post live and die by their reputations.
edit: more thoughts on quantification
"Resolutely" is a stout word, IMO, which to me is a word one might be talked down to using when they mean "always" but do not have the time to prove before the publishing deadline, or need to add linguistic error-bars. If it were an option in a survey, I'd place it higher than "almost always" and just below "always".
The issue is that the followup contradicts the idea that there has been a change of any note. If I tell you in one breath:
"Bernie Sanders has reduced his fighting for civil rights in worrying ways"
And in a second breath tell you that:
"Bernie Sanders has resolutely fought for civil rights in the past and even now does so as a matter of routine"
You would probably find those statements at odds with one another. You quite reasonably might want me to quantify what is different currently from recent and also prior past behavior. You might also reasonably want me to quantify his behavior in "fighting for civil rights" against his contemporaries, both past and current. What I would not expect is for you to take and hold those two statements at face value, finding that a satisfactory report on the state of things.
It's certainly possible that there is no contradiction. It might be true that he was resolute in the past, and routinely did so to date, but in the past month has missed 50 votes on civil rights legislation. But even then you'd probably want to know how many votes he misses as a regular course. You might want to know how many votes he did enter during that same time period. You might want to know whether or not he was sick or otherwise absent for health reasons.
And that's my issue at the moment. The article says "3 times in the last 2 weeks an event happened". It also tells you that the WP "resolutely" (but again notably not "always") does not allow the specific event to happen. It also tells you that the WP "routinely" (but again not "always" and without any relative comparison to "resolutely") does not allow the specific event to happen even to this very day. So why are we supposed to be worried that it happened 3 times in these last 2 weeks? By their own words, it must have happened at other times in the past, or they would have used words like "always" and "unfailingly" to describe both past and current behavior. So what makes these particular 3 times worrying? Have they never failed to do so 3 times in 2 weeks ever in their history? What about 2 times? They don't say, we have no numbers and without numbers or any sort of relative comparison we have no way to gauge whether the current behavior is or is not worrisome.
> Bernie Sanders has resolutely fought for civil rights in the past and even now does so as a matter of routine"
I see where the disconnect is. Please read the sibling thread about the differences between Opinion (responsible for editorials, and subject of the NPR article) and news department (does reporting on actual news journalism). Opinion & News have different org charts under the WaPo banner. In my prior comment, A = disclosures in journalism, B = disclosures in editorials. They are not the same thing in a way that can be applied to a singular Bernie.
> They don't say, we have no numbers and without numbers or any sort of relative comparison we have no way to gauge whether the current behavior is or is not worrisome.
The number of op-eds is a small part of this article about the vibe-shift at the Washington Post: NPR provided additional context with the words of people who used to work there, mentioned the waves of resignations and subscriber cancellations, noted WaPo declined to comment on this story. Make of that what you may.
> In my prior comment, A = disclosures in journalism, B = disclosures in editorials. They are not the same thing in a way that can be applied to a singular Bernie.
I can see that reading but even with that, comparative numbers are still useful. If we continue to assume that the words in this story were carefully chosen to be what they are (which I think we both are doing that, so I don't think I'm making an out of bounds assumption here), why the "3 times in the past 2 weeks" phrasing? Why not "has stopped" (or even "appears to have stopped" if you want to hedge)? Back to my original question of "is 3 times in the past 2 weeks" 100% of the time? Is it 50%? 1%?
If 3 times is 100% of the number of times it should have happened, how many times did it happen in the 2 weeks prior to that? Or the month prior? Is 3 "conflicted" op-eds in 2 weeks high? normal? low?
Have they missed disclosures in the past? Multiple in a short window? How frequently? How many?
The current incidents were apparently corrected without any specific call out (a practice becoming far too common in the news I agree), how does that compare to previous times when they have corrected a disclosure?
We have no facts to go on. We have information, as you put it:
> about the vibe-shift at the Washington Post ... words of people who used to work there ... [mention of] the waves of resignations and subscriber cancellations, noted WaPo declined to comment on this story.
So we have implications that this means something, and maybe it does, but again we have implications. What I "make of it" is that the Post continues to be in a state of disarray, as it has been for some time now. And that's about all I make of it. And I specifically decline to make anything about "declining to comment" on a story. Second only to the police, you should shut your mouth and say nothing to the press. Everything you say can and will be used against you.
> Even now, the newspaper's reporters do so as a matter of routine.
Reporting and editorial are separate units in newspapers; the point being made is that, while reporting continues to properly disclose potential ownership conflicts of interest, editorial and op-ed, following Bezos taking direct control of them, are not doing so.
Of course, the Post is Bezos' toy, and there's no law that says he can't use editorial as a megaphone for his personal interests without disclosing them (or, in fact, even use the reporting side for the same purpose!), but you can't do that and still claim that the paper has any of the Grahams' pedigree left in it, and this is very much a change from Bezos' earlier ownership, in which he largely stayed hands-off on editorial decisions.
Not only does gp seem to have a poor grasp on the differences between Opinion and news reporting, they also fail to correlate the problem with Bezos' ownership, so it seems to them like NPR's article is conflicting with itself when it isn't, in the slightest.
There are two additional recent ones mentioned in the article:
> On Oct. 15, the Post heralded the military's push for a new generation of smaller nuclear reactors. "No 'microreactor' currently operates in the United States, but it's a worthy gamble that could provide benefits far beyond its military applications," the Post wrote in its editorial.
> A year ago, Amazon bought a stake in X-energy to develop small nuclear reactors to power its data centers. And through his own private investment fund, Bezos has a stake in a Canadian venture seeking nuclear fusion technology.
and
> Three days after the nuclear power editorial, the Post weighed in on the need for local authorities in Washington, D.C., to speed the approval of the use of self-driving cars in the nation's capital. The editorial was headlined: "Why D.C. is stalling on self-driving cars: Safety is a phony excuse for slamming the brakes on autonomous vehicles."
> Fewer than three weeks before, the Amazon-owned autonomous car company Zoox had announced D.C. was to be its next market.
Edit to respond to your edit: these are the opinion pages, not reporting.
It doesn't appear that you read the article at all. It states the first disclosure was added later, and without comment. And there are two other mentions of conflict of interest. Nothing you wrote is true other than that you aren't a subscriber to the Post.
Respectfully, you either skimmed this article to support your point or didn't pay proper attention. I see no ambiguity in this article - none - whatsoever. This is about Bezos's changes to the WaPo opinion pages (including their opinion editorial board), a shift to topics that matter to Bezos, and a clear loss of discipline or intent in conflict of interest disclosures when discussing such topics.
> The Post has resolutely revealed such entanglements to readers of news coverage or commentary in the past … since 2013, those of Bezos, who founded Amazon and Blue Origin. Even now, the newspaper's reporters do so as a matter of routine.
What this is saying:
- Previously, WaPo disclosed conflicts of interest.
- They still disclose in their news articles (as opposed to in their editorials).
> So at minimum the article disagrees with itself
No.
> Edit 2: To try and be a little clearer here: the article is trying to (but in my opinion doing a really poor job of) make a distinction between the disclosures that the non-editorial WaPo authors do, and the disclosures that the editorial authors do, with the assertion that the editorial authors are worse at it.
Everyone else seems to understand but you. By the way, "non-editorial WaPo authors" are called reporters or journalists.
The very second sentence of the article disproves your first sentence.
"On at least three occasions in the past two weeks, an official Post editorial has taken on matters in which Bezos has a financial or corporate interest without noting his stake. In each case, the Post's official editorial line landed in sync with its owner's financial interests."
So, no, this isn't one-off. You need to re-read the article more closely.
It says the news section is more diligent and that the opinion pages/editorial are the ones omitting disclosures repeatedly.
And it wasn't fixed entirely - usually fixes to an article are declared in the article, and they didn't do that when they inserted the disclosure after the fact.
AWS doesn’t even have a “devops team” nor even any devops job roles. AWS also does not use Terraform (which is what the article says everyone was replaced with) at any significant scale, so this article is similar junk.
This one mentions terraform by name (though that doesn't necessarily imply it's in use, though having worked in large companies I would argue that sweeping statements about a popular technology not being used are likely to be wrong).
AWS does not have dedicated devops roles. All AWS SWEs are expected to take oncall shifts and respond to incidents, manage build pipelines, etc rather than having specific devops people to do it for them. The article you linked claiming 40% of them were fired is total junk. You can believe that or not, I don’t care.
The last one is a ProServe role, which is a consulting role that spends their time working in customer environments, which is where they may encounter terraform. It does not mean anything about internal use of terraform.
Again, I’d be wary of making sweeping generalisations like that.
I already showed you that AWS has (or hires) DevOps people with publicly available information, maybe the article is incorrect but you’re clearly not better informed, so maybe cut it with the rude commentary.
Within AWS this role falls under the Systems Engineer job family. It is not a devops role, and its involvement in events like today would be the same involvement as every other SWE at Amazon.
Just do a quick google search for that “40% of devops laid off” and you’ll see that it’s actually an old article from months ago that multiple people, including AWS employees, are saying is bullshit and unsourced.
edit: found another source that says this 40% number came from an AWS consultant that worked with customers to help them be better at DevOps, and it was 40% of their specific team that was laid off. Even if it were true, it has nothing to do with the internal operations of AWS services. This is why it’s important to understand the information you’re sharing before making judgements off of it.
Seems wild that you would promote job titles you don’t hire for, makes me think that it’s reasonable for news outlets to refer to those roles in the same way honestly.
You seem to be kind of annoyed that somebody on the internet hasn’t taken your assertion that you just sort of generally Know Better as strongly as you’d like. You could probably put this entire discussion to bed by clarifying your current position at AWS and how your job there gives you direct knowledge of their devops practices.
It makes a direct claim of hundreds of cloud staff being laid off.
You know what though? I’m not wasting my time with you, the fact was that this was all over social media. Then a huge outage - my original comment was factually accurate even if we contend that the article itself was bunk. And AWS clearly hires DevOps staff.
You’ve not even disproved anything you’re just making me play internet fetch. I’m not replying anymore.
> It makes a direct claim of hundreds of cloud staff being laid off.
I don't have any dog in this fight, but I don't see where this article makes your case. From your article:
> We understand around 100 jobs are at stake.
> Sources familiar with AWS operations who requested anonymity told The Register most of the layoffs affected people in marketing and outreach roles, although chatter on sites like Blind suggests folks in frontline support and in other positions may have been affected, too.
Source: Former AWS Professional Services employee.
Notice the job description:
As part of the AWS Managed Operations team, you will play a pivotal role in building and leading operations and development teams dedicated to delivering high-availability AWS services, including EC2, S3, Dynamo, Lambda, and Bedrock, exclusively for EU customers.
They aren’t looking for DevOps engineers to work alongside the “service teams” - the teams that build and support internal AWS services. They are working with AWS customers who may already be using Terraform. AWS has a large internal consulting division staffed with full time employees. When they work with customers they will use Terraform if needed.
I work for Amazon (AWS for 4 years then “the website” side of the house for the last 3).
The previous commenter is correct, there is no NOC or devops team and I’ve not encountered a Devops job family and I’ve never seen terraform internally.
Within AWS, the service teams that work these outages are the same ones that design the service, fix bugs, deploy the pipelines, are on call, etc. The roles that fill these teams are pretty much one of three types: nde, sde, sysde. They typically use cdk if they’re doing AWS things, else they’ll use internal tooling.
The job you posted is a customer facing consultant like role - customers use terraform so having a customer facing consultant type that knows how customer-y things work is a good decision.
You could both be right if they are trying to expand terraform use from a beachhead to the entire company. You need to hire people with prior experience for such things.
> One of the benefits of Litestream 0.5.0 is that there’s now an official litestream Docker image. All of my previous Docker containers required a lot of boilerplate to download the correct version of Litestream and make it available in my container, but now it reduces to a single Dockerfile line
There’s been an official Litestream container image for over 3 years at this point (since version 0.3.4, it’s at the same Docker Hub as 0.5.0).
Oh, thanks for the correction! I can't believe I never noticed that. I've updated the post.
After your comment, I thought, "Oh, I should contribute a PR to the repo to add the Docker badge so the Docker image is obvious to everyone," but it turns out the badge has been right there for four years.[0]
What I suspect happened is that I tried to use the Litestream Docker image once, discovered that image was amd64-only (until 0.3.9), so I didn't use it because I needed ARM, and then I just kept copy/pasting my workaround from project to project.
Homelabbing is a hobby for most people involved in it, and like other hobbies, some people dip their toes in it while others go diving in the deep end. But would you say it’s “overkill” for a hobbyist fisher to have multiple fishing poles? Or for a hobbyist painter to try multiple sets of paintbrushes? Or a hobbyist programmer to know multiple programming languages?
There’s a lot of overlap between “I run a server to store my photos” and “I run a bunch of servers for fun”, which has resulted in annoying gatekeeping (or reverse gatekeeping) where people tell each other they are “doing it wrong”, but on Reddit at least it’s somewhat being self-organized into r/selfhosted and r/homelab, respectively.
CloudTrail logs for the last 90 days are enabled by default, cannot be turned off, and are immutable, even by root. If you view this “event” as starting when Arko was supposed to have their access terminated, that’s within the 90 day window and you can indeed trust the logs from that period.
CloudTrail's 90-day immutable Event History only logs management events (IAM changes, instance launches, bucket creation). It does NOT log:
* S3 object reads/writes (GetObject, PutObject) - these are "data events" requiring explicit configuration[0]
* SSH/RDP to EC2 instances - CloudTrail only captures AWS API calls, not OS-level activity[1]
With root access for 11 days, someone could modify gem files in S3, backdoor packages, SSH into build servers - none of it would appear in the logs they reviewed. Correct?
SSH is totally irrelevant here. Having AWS root account access doesn’t give you any ability to SSH to or otherwise access running instances. You could access data on those instances by cloning the EBS volumes or modifying build pipelines or changing network access or similar, but these would all show up in CloudTrail even without data events enabled.
For S3 objects, you don’t necessarily need data events to identify if tampering happened. S3 objects are immutable as well, so if any changed you would see that reflected in the creation date and new hashes that S3 attaches as tags, which you can correlate with application logs to see if they match up or not. It’s not as simple as data logging, sure.
But you’re also missing the key component here that they did not say they only just enabled CloudTrail logs, they’re saying they just now enabled CloudTrail log alerting. We don’t have any idea if data events were enabled or not, or if things like flow logs were enabled or not, or what other investigation tools they have running at the application layer. However, even if none of those existed, there’s still a lot more audit-ability of events that happen in an AWS account than you’re implying, even for the root account.
Ahh you’re right, there are some that just initiate a connection via something like Session Manager, but those connections where AWS initiates the connection for you are logged in CloudTrail, even without data events, and root doesn’t give you any ability to directly SSH into an instance outside of those methods (you cannot, for example, use root to find out what the private keys are for logging into an instance) so we’re back to the fact that any such access would be auditable.
Even without data events, there are clues you could infer from management events that somebody is going through buckets. ListBuckets and GetBucketLocation are management events and are seen often by someone enumerating buckets to exfil data from. The fact that this actor was someone very familiar with the account might make this a moot point though as they would know exactly which bucket to go to and what region it's in.
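The review described in this sub-thread (root-identity calls after an access cutoff, bucket enumeration via management events, and whether S3 data events were being logged at all) as an added example; this is not code from the thread, and the trail file, account id 111122223333, ARNs and timestamps are constructed placeholders:

```python
"""Post-offboarding triage of CloudTrail management events.

Added example, not code from the thread. The trail below is a constructed
sample in CloudTrail's delivery format ({"Records": [...]}); the account id,
ARNs and timestamps are placeholders, not real events.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Placeholder for the moment the departed user's access should have been gone.
ACCESS_CUTOFF = "2024-01-01T00:00:00Z"

# S3 calls that are management events (logged by default) and that tend to
# appear when someone is enumerating buckets before pulling data.
ENUMERATION_CALLS = {"ListBuckets", "GetBucketLocation"}

ROOT = {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}
CI = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-runner"}

def _rec(t, name, source, ident, management=True):
    return {"eventTime": t, "eventName": name, "eventSource": source,
            "managementEvent": management, "userIdentity": ident}

# Constructed sample trail. The single GetObject record is a data event and
# would only be present if data-event logging was enabled for the bucket.
SAMPLE_TRAIL = json.dumps({"Records": [
    _rec("2023-12-20T08:00:00Z", "ListBuckets", "s3.amazonaws.com", ROOT),
    _rec("2024-01-02T09:00:00Z", "ConsoleLogin", "signin.amazonaws.com", ROOT),
    _rec("2024-01-05T10:12:00Z", "ListBuckets", "s3.amazonaws.com", ROOT),
    _rec("2024-01-05T10:12:30Z", "GetBucketLocation", "s3.amazonaws.com", ROOT),
    _rec("2024-01-05T10:12:40Z", "GetBucketLocation", "s3.amazonaws.com", ROOT),
    _rec("2024-01-05T10:12:50Z", "GetBucketLocation", "s3.amazonaws.com", ROOT),
    _rec("2024-01-05T10:30:00Z", "CreateSnapshot", "ec2.amazonaws.com", ROOT),
    _rec("2024-01-05T11:00:00Z", "GetObject", "s3.amazonaws.com", CI, management=False),
    _rec("2024-01-06T07:00:00Z", "DescribeInstances", "ec2.amazonaws.com", CI),
]})

def load_trail(text):
    """Parse a CloudTrail delivery file (JSON with a top-level 'Records' list)."""
    return json.loads(text)["Records"]

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def root_events_after(records, cutoff_iso=ACCESS_CUTOFF):
    """Every root-identity call after the cutoff; each one needs an explanation."""
    cutoff = parse_time(cutoff_iso)
    return [r for r in records
            if r["userIdentity"].get("type") == "Root"
            and parse_time(r["eventTime"]) > cutoff]

def bucket_enumeration(records, threshold=3):
    """Actors issuing at least `threshold` bucket-enumeration management calls."""
    counts = defaultdict(int)
    for r in records:
        if r["eventSource"] == "s3.amazonaws.com" and r["eventName"] in ENUMERATION_CALLS:
            counts[r["userIdentity"]["arn"]] += 1
    return {arn: n for arn, n in counts.items() if n >= threshold}

def data_event_coverage(records):
    """Count S3 data events in the trail. Zero means object-level reads and
    writes were not being logged, so their absence from the trail proves nothing."""
    data = [r for r in records
            if r["eventSource"] == "s3.amazonaws.com"
            and not r.get("managementEvent", True)]
    return {"data_events_seen": len(data),
            "object_calls": sorted({r["eventName"] for r in data})}

def triage(text, cutoff_iso=ACCESS_CUTOFF):
    """Run all three checks over a trail file and return the findings."""
    records = load_trail(text)
    return {
        "root_calls_after_cutoff": [(r["eventTime"], r["eventName"])
                                    for r in root_events_after(records, cutoff_iso)],
        "enumerating_actors": bucket_enumeration(records),
        "s3_data_event_coverage": data_event_coverage(records),
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_TRAIL), indent=2))
```

On the sample, the root CreateSnapshot (an EBS clone, a management event) and the enumeration burst both surface without any data-event logging, while the coverage check reports how much object-level visibility the trail actually had.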
You can still generate the QR code in the desktop and scan it with your phone camera. The device receiving the file does not have to be the device that scans the code.
Of the big three cloud providers, only GCP uses containers for customer isolation, and they do so with the supervision of gVisor. It’s certainly possible to do container isolation securely, but it takes extra steps and know-how, and I don’t think anyone is even considering using gVisor or similar for the type of developer workflows being discussed here.
AWS and Azure both use VM-level isolation. Cloudflare uses V8 isolates which are neither container nor VM. Fly uses firecracker, right?
This topic is kind of unnecessary for the type of developer workflows being discussed that the majority of readers of this article are doing, though. The primary concern here is "oops the agent tried to run `rm -rf /`", not the agent trying to exploit a container escape. And for anyone who is building something that requires a better security model, I'd hope they have better resources to guide them than the two sentences in this article about prompt injection.
What scares me most is what happens when some attacker attempts to deploy a "steal all environment variable credentials and crypto wallets" prompt injection attack in a way that is likely to affect thousands or millions of coding agent users.
The public land situation in the western US is vastly, vastly different from the situation in the east. Just like you’re saying comparing the US to the UK are two different situations, you also have to treat parts of the US separately.
Almost all of the US’s public lands are west of the Rockies. If you live in Colorado, California, Oregon, Washington then you can basically throw a rock and hit some public lands. East of the Rockies, you can go your entire life without ever even seeing public lands.
That's not quite true. There are huge in number, small in overall size, amounts of public land east of the Mississippi. They're mostly all state forests, nature preserves, etc, etc and 99.9% of them are wholly unremarkable and barely utilized because you can only hike in so many identical forests or walk to the top of comparable hills before you get bored.
50+yr ago they were far more utilized (per capita) because they weren't closed to motorized recreation and hunting and fishing hadn't yet been regulated with intent to discourage participation.
But yes, the vast BLM lands out west have no analogue in the east.
Ironically this makes the lands in the east more wild, because nobody goes into them, because they're so boring. There's also some quite large areas of Eastern state land that're really far from most people, and they're not tourists destinations, so they only get a few locals.
But the comparison between West and East gets crazier. In the West, people'll drive for an entire day just to get to one specific remote area. Whereas in the East, some untouched forest could be an hour and a half away and "that's too far." You could walk through a forest which is actually 3 different forests in a half hour, whereas out West it's just miles and miles of the same desert or mountain.
We don't really know how to appreciate nature unless it's a majestic overlook.
That’s because restic is not opinionated about where and how you store your backups. Restic provides a nice interface to create the backups, and then lets you choose where you want to store them (and how access to them is managed), be it locally or via SFTP or S3 or many other backends. Any security properties related to S3 are not in the scope of what restic is meant to do.
It’s pretty simple to enable versioning and object lock on your S3 bucket, but it is another step if you’re using restic. Sure, if you just want all of that taken care of for you, you can use tarsnap, but you’re paying a 5x+ premium for it.
The other nice thing about restic is that since it’s just the client-side interface, it allows others to provide managed storage. Borgbase.com is a storage backend that is supported by Restic that supports append-only backups, and is cheaper than tarsnap.
I would like to see an explicit discussion of what permissions are needed for what operation. I would also like to see a clearly specified model in which backups can be created in a bucket with less than full permissions and, even after active attack by an agent with those same permissions, one can enumerate all valid backups in the bucket and be guaranteed to be able to correctly restore any backup as long as one can figure out which backup one wants to restore.
Instead there are random guides on medium.com describing a configuration that may or may not have the desired effect.
Again, this isn’t at all in the scope of restic’s docs. If you’re using S3 as the storage, it’s on you to understand how S3 works and what permissions are needed, just like it’s on you to understand how your local file system works and file permissions work if you use the local file system as a backend.
If you don’t understand S3 or don’t want to learn, then that’s fine, and you can pay the premium to tarsnap for simplifying it for you. But that’s your choice, not an issue with restic.
If you think differently, have you submitted a PR to restic’s docs to add the information you think should be there?
Interesting play on the debate- but after the response to restic's original decision to upstream Object Store permissions and features... to the Object Store, along with my attempts to explain S3 to several otherwise reasonably technical people....
I think people are frequently trapped in some way of thinking (not sure exactly) that doesn't allow them to think of storage as anything other than block based. They repeatedly try to reduce S3 to LBAs, or POSIX permissions (not even modern ACL type permissions), or some other comparison that falls apart quickly.
Best I've come up with is "an object is a burned CD-R." Even that falls apart though
I still completely disagree. It’s on me to understand IAM. It should not be on me to understand the way that restic uses S3 such that I can determine whether I can credibly restore from an S3 bucket after a compromised client gets permission to create objects that didn’t previously exist. Or to create new corrupt versions of existing objects.
For that matter, suppose an attacker modifies an object and replaces it with corrupt or malicious contents, and I detect it, and the previous version still exists. Can the restic client, as written, actually manage the process of restoring it? I do not want to need to patch the client as part of my recovery plan.
(Compare to Tarsnap. By all accounts, if you back up, your data is there. But there are more than enough reports of people who are unable to usefully recover the data because the client is unbelievably slow. The restore tool needs to do what the user needs it to do in order for the backup to be genuinely useful.)
I think you two may be talking past each other a bit here. Bear in mind I am not a security expert, just a spirited hobbyist; I may be missing something. As stated in my digital resilience audit, I actually use both Tarsnap and restic for different use cases. That said:
Tarsnap's deduplication works on the archive level, not on the particular files etc within the archive. Someone can set up a write-only Tarsnap key and trust the deduplication to work. A compromised machine with a write-only Tarsnap key can't delete Tarsnap archive blobs, it can only keep writing new archive blobs to try to bleed your account dry (which, ironically, the low sync rate helps protect against - not a defense for it, just a funny coincidence).
restic by contrast does do its dedupe at the file level, and what's more it seems to handle its own locks within its own files. Upon starting a backup, I observe restic first creates a lock and uploads it to my S3 compatible backend - my general purpose backups actually use Backblaze B2, not AWS S3 proper, caveat emptor. Then restic later attempts to delete that lock and syncs that change too to my S3 backend. That would require a restic key to have both write access and some kind of delete access to the S3 backend, at a minimum, which is not ideal for ransomware protection.
Many S3 backends including B2 have some kind of bucket-level object lock which prevent the modification/deletion of objects within that bucket for, say, their first 30 days. But this doesn't save us from ransomware either, because restic's own synced lock gets that 30 day protection too.
I can see why one would think you can't get around this without restic itself having something to say about it. Gemini tells me that S3 proper does let you set delete permissions at a granular enough level that you can tell it to only allow delete on locks/, with something like
# possible hallucination.
# someone good at s3 please verify
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDeleteLocksOnly",
      "Effect": "Allow",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::backup-bucket/locks/*"
    }
  ]
}
But, I have not tested this myself, and this isn't necessarily true across S3 compatible providers. I don't know how to get this level of granularity in Backblaze, for example, and that's unfortunate because B2 is about a quarter the cost of S3 for hot storage.
The cleanest solution would probably be to have some way for restic to handle locks locally, so that locks never need to hit the S3 backend in the first place. I imagine restic's developers are already aware of that, so this seems likely to be a much harder problem to solve than it first appears. Another option may be to use a dedicated, restic-aware provider like BorgBase. It sounds like they handle their own disks, so they probably already have some kind of workaround in place for this. Of course, as others have mentioned, you may not get as many nines out of BB as you would out of one of the more established general-purpose providers.
P.S.: Thank you both immensely for this debate, it's helped me advance the state of my own understanding a little further.
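The permission question raised earlier in the thread (which operations a restic client key needs) and the locks-only delete idea from the comment above, worked through as an added example; this is not restic's code or the commenter's. It assumes restic's repository layout (config, data/, index/, keys/, locks/, snapshots/), a placeholder bucket name, and a deliberately simplified IAM evaluator that ignores Condition, NotAction, NotResource and principals, so it is a model of the policy's intent rather than a substitute for the real policy simulator:

```python
"""Least-privilege S3 policy for a restic client key, checked with a
simplified IAM evaluator. Added example; not restic's or the thread's code."""
import re

BUCKET = "backup-bucket"  # placeholder, the same name the thread's snippet uses
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"

# The client may list, read and add anything, but may delete only under locks/.
RESTIC_CLIENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListRepo", "Effect": "Allow",
         "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
        {"Sid": "ReadWriteObjects", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": f"{BUCKET_ARN}/*"},
        {"Sid": "AllowDeleteLocksOnly", "Effect": "Allow",
         "Action": "s3:DeleteObject", "Resource": f"{BUCKET_ARN}/locks/*"},
        # Versioning keeps overwritten objects around; make sure this key can
        # never purge old versions or the bucket itself.
        {"Sid": "NoVersionOrBucketDeletion", "Effect": "Deny",
         "Action": ["s3:DeleteObjectVersion", "s3:DeleteBucket"],
         "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"]},
    ],
}

def _glob(pattern, value):
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _listify(x):
    return x if isinstance(x, list) else [x]

def is_allowed(policy, action, resource):
    """Simplified IAM decision: an explicit Deny wins, else any matching Allow,
    else implicit deny. Conditions and principals are ignored (assumption)."""
    allowed = False
    for st in policy["Statement"]:
        if (any(_glob(a, action) for a in _listify(st["Action"]))
                and any(_glob(r, resource) for r in _listify(st["Resource"]))):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def obj(key):
    return f"{BUCKET_ARN}/{key}"

# Object ids below are constructed, not real restic ids.
def backup_run_calls():
    """Calls one backup run issues: the lock the commenter observed is written,
    data/index/snapshot objects are added, then the lock is removed."""
    return [
        ("s3:ListBucket", BUCKET_ARN),
        ("s3:GetObject", obj("config")),
        ("s3:PutObject", obj("locks/0a1b2c3d")),
        ("s3:PutObject", obj("data/3f/3f9e7a11")),
        ("s3:PutObject", obj("index/7c2d5e90")),
        ("s3:PutObject", obj("snapshots/b51a44f2")),
        ("s3:DeleteObject", obj("locks/0a1b2c3d")),
    ]

def compromised_client_calls():
    """What ransomware holding the same key would attempt."""
    return [
        ("s3:DeleteObject", obj("snapshots/b51a44f2")),
        ("s3:DeleteObject", obj("data/3f/3f9e7a11")),
        ("s3:DeleteObjectVersion", obj("data/3f/3f9e7a11")),
        ("s3:PutObject", obj("data/3f/3f9e7a11")),   # overwrite of an existing key
        ("s3:DeleteBucket", BUCKET_ARN),
    ]

def evaluate(policy, calls):
    """Map each 'action resource' string to the policy's decision."""
    return {f"{a} {r}": is_allowed(policy, a, r) for a, r in calls}

if __name__ == "__main__":
    for label, calls in (("backup run", backup_run_calls()),
                         ("compromised client", compromised_client_calls())):
        print(label)
        for call, ok in evaluate(RESTIC_CLIENT_POLICY, calls).items():
            print(f"  {'ALLOW' if ok else 'DENY ':5} {call}")
```

The overwrite line is allowed by design, which is why the bucket versioning or object lock mentioned above still matters: the policy only stops deletion, and a key scoped like this also cannot run restic's prune or forget, which is exactly what an append-only client key is meant to enforce.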