I've always felt that the business model is nickel & diming for things like storage/bandwidth and locking in customers with value-add black box services that you can't easily replace with open source solutions.
Just took a random server: https://instances.vantage.sh/aws/ec2/m5d.8xlarge?duration=mo... - to get a decent price on it you need to commit to three years at $570 per month (no storage or bandwidth included). Over the course of 3 years that's $20520 for a server that's ~10K to buy outright, and even with colo costs over the same time frame you'll spend a lot less, so not exactly crushing those margins to dust.
They're deployed on Azure and have a deep partnership with Microsoft, so they can't "simply" use a different cloud.
Also, recommending a black box managed solution isn't an option for some large companies that have their own hardware & datacenters and which may want to use open source solutions they can easily deploy, fork and support themselves to keep costs under control.
They are one of the most well-capitalized companies/startups/foundations/non-profits on the planet and just spent 6.5 billion to hire a designer.
They should be using the best technical and cheapest solution, and they owe it to their investors. At their scale they will never be able to use anything other than a cloud solution.
They could solve these issues at the number of users they report, for a monthly bill below 25 million dollars.
"6,311 database instances running the PostgreSQL-compatible and MySQL-compatible editions of Amazon Aurora processed more than 376 billion transactions, stored 2,978 terabytes of data, and transferred 913 terabytes of data" - https://aws.amazon.com/blogs/aws/how-aws-powered-prime-day-2...
> At their scale they will never be able to use anything else than a cloud solution.
That's definitely not true, and there are many companies doing higher volumes at a fraction of the cost-per-query.
Although scale doesn't force companies into public-cloud database systems, considerations like capital, time-to-market, and business strategy often do. In this case, OpenAI is trading a significantly higher per-query cost for benefits like improved agility, turnkey compliance, etc.
Well, I have a brain with neural pathways and chemicals running around its various parts influencing how I experience and process my emotions.
Without text written by humans to construct its knowledge base, an LLM would not be able to conjure up any sort of response or "feeling", as it isn't AI by any stretch of the imagination.
Not sure why this is being downvoted, but it's absolutely true.
If you're using these models to generate code daily, the costs add up.
Sure, I'll give a really tough problem to o3 (and probably over ChatGPT, not the API), but on general code tasks, there really isn't meaningful enough difference to justify 4x the cost.
In some countries whenever you print a receipt, a copy is also sent to the IRS equivalent of that country. Obviously there are events where that can't happen due to technical reasons outside of the store's control.
Which countries? And, again, I doubt that this is the full picture because there are many cases where people simply don't "print a receipt" perfectly legally...
Germany for example mandates printing a receipt. The receipt must be stored in a certified storage inside the cash register and is signed cryptographically, including the hash of the previous receipt such that there is a hash-chain of printed receipts. Therefore each printed receipt that the customer takes home (and maybe at some point hands in to the tax office for some reason) can be used to check the integrity of the cash register storage and all prior receipts in the chain.
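A minimal model of the hash-chained, signed receipt store described above, as an added example (not from the comment or from any real fiscal device): each receipt commits to the previous receipt's hash, the store signs it, and a copy the customer kept can later be checked against the store. The HMAC key, field names and amounts are constructed; a real device signs inside certified hardware rather than with a key held in software.

```python
import hashlib
import hmac
import json

# Constructed demo key: a real fiscal device keeps its key in certified hardware.
DEVICE_KEY = b"demo-key-not-a-real-fiscal-key"
GENESIS = "0" * 64

def _payload(rec):
    # Canonical bytes of everything except hash/sig, so signer and verifier hash the same data.
    body = {k: v for k, v in rec.items() if k not in ("hash", "sig")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def append_receipt(chain, fields):
    """Append a receipt that commits to the previous receipt's hash; return the printed copy."""
    rec = dict(fields, seq=len(chain) + 1,
               prev_hash=chain[-1]["hash"] if chain else GENESIS)
    p = _payload(rec)
    rec["hash"] = hashlib.sha256(p).hexdigest()
    rec["sig"] = hmac.new(DEVICE_KEY, p, hashlib.sha256).hexdigest()
    chain.append(rec)
    return dict(rec)  # the customer's copy, independent of the store

def verify_chain(chain):
    """Return (ok, first_bad_seq): every link, hash and signature must check out."""
    prev = GENESIS
    for rec in chain:
        p = _payload(rec)
        want_sig = hmac.new(DEVICE_KEY, p, hashlib.sha256).hexdigest()
        if (rec["prev_hash"] != prev
                or hashlib.sha256(p).hexdigest() != rec["hash"]
                or not hmac.compare_digest(want_sig, rec["sig"])):
            return False, rec["seq"]
        prev = rec["hash"]
    return True, None

def customer_copy_matches(printed, chain):
    """A receipt the customer kept must equal the stored receipt with the same seq."""
    return any(r == printed for r in chain if r["seq"] == printed["seq"])

def demo_tamper():
    """Three sales; the second is edited afterwards to under-report revenue."""
    chain, printed = [], []
    for amt in ("12.50", "7.99", "3.20"):
        printed.append(append_receipt(chain, {"amount_eur": amt, "vat": "19%"}))
    ok_before = verify_chain(chain)
    chain[1]["amount_eur"] = "0.99"  # retroactive edit in the register's storage
    return ok_before, verify_chain(chain), customer_copy_matches(printed[1], chain)
```

Editing receipt 2 breaks its own hash (and the link from receipt 3), and the customer's printed copy no longer matches the store, which is the audit check the comment describes.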
Same in Portugal. Sync with the tax authority can be immediate or deferred (every x days). Obviously, you can still invoice manually using a receipt book, in case of failure or unavailability of software systems.
Thanks! European red tape madness strikes again... At least in France cash registers are not mandatory (for now...) so there is a way around this madness.
This is a bit more than just red tape madness, it's a strategy to make businesses more transparent.
This is about trying to reduce non-reported transactions and too many people dodging their reporting. Even if the rules for cash registers and reporting are detailed,
a) that's not really expensive for businesses - it's easy to automate and there are quite a number of competitors;
b) compared to accounting and tax rules, they are dead simple.
Receipts or invoices are the basis for a firm's whole economic activity, including the underpinning of their financial reporting, their tax burdens etc. And businesses failing to provide receipts erodes not only the tax base, but also any rights a consumer may have.
It's actually less red tape. Getting a second copy of a given invoice is trivial, processing of invoices for tax rebates is also mostly automatic (such as health and education expenses); tax invoicing uses well-defined formats, so it's trivial to migrate between systems, and perform all kinds of analysis. Also, it increases transparency - you know that e.g. the VAT you're paying is not ending in the vendor's pockets.
> ... the new reality also includes the fact that many other states are seeking to draw closer to us. 13% of global trade is with the United States. That's a lot. 87% of the world's trade is with other countries. And they all want predictability and reliable rules. Europe can deliver that. We must now use this momentum to open up new markets for our companies and establish as close a relationship as possible with many countries that have the same interests as us.
Emphasis mine. While everyone is certainly a fan of bringing back local manufacturing (and I think we should be looking to do more of this in Europe as well), the speed and lack of planning with which team Trump decided to start putting tariffs into action, as well as reducing their military support, has made the US a very unreliable partner in the eyes of the world.
Instead of bowing down to Trump's whims, the world is forging new trade partnerships which may very well be to the detriment of the US, which has thrown a lot of soft power out the window within a matter of weeks.
Nixon and Reagan also tried to bring back manufacturing; we all know now that it didn't work. And I'm sure their plan wasn't as chaotic as Trump's, in case he has one.
What attacks? Fwiw: "he's likely to be right about a lot of things". Perhaps I should have been more specific: I think his analyses are mostly correct, his predictions are not.
Subscribe to Ground News so that you know what a news source's biases historically are.
For example: "you can't imagine the cheap Chinese robots coming online"... Then what's stopping an American manufacturer from buying a Chinese robot, taking the tariff hit once, then manufacturing domestically with no tariff?
The hacker posted a screenshot of the shell on the 4chan server. It was running FreeBSD 10.1, which came out in 2014 and stopped getting patches in 2016. It seems like there was basically nobody doing maintenance after moot sold the site. I wonder how long it'll take for them to get the site back up if they don't have anyone who can do server administration.
Sure, if you slap Basic Auth with "admin:admin" on phpMyAdmin in 2025, you're asking for it. But a Basic Auth password with 256 bits of entropy is just as resistant to brute force as AES-256 (assuming the implementation is sound and TLS is used). It's not the protocol that's insecure, it's usually how it's deployed.
As long as "a lot of attempts" take longer than the time it'll take the sun to expand and envelop the earth, that's not really a problem.
Every form of authentication is either subject to "a lot of attempts" or trivial DoS (for when you rate limit the login API so now admins can't log in either). The principles behind modern authentication are mostly "how do we make verification require even more attempts if the attacker doesn't know the password".
What is "a lot of attempts"? I'm no expert in cryptography, but there are many orders of magnitude of difference between a distributed bruteforce of a known hash and bruteforcing over the web.
"a lot of attempts" is doing a LOT of heavy lifting here.
If your password was a set of random letters (both upper and lower case) and numbers and 20 characters long, then even if you could attempt 1,000 logins/second (a very high number for an online attack), it would take a whopping 2,232,000,000,000,000,000,000,000 years.
If you could do 1,000,000 logins/second, an absolutely absurd number for an online attack, that only takes 3 zeros off that number.
Can you please elaborate how it is "asking for it" if we assume the basic auth password is reasonably complex and kept as safe as, say, the SSH login credentials of the same server?
You shouldn't be logging in to a server via SSH using a user+password combo, instead use a public/private key combo which is considerably more complex and can't effectively be bruteforced like a user+password.
Most web servers don't really come with any built in defense against brute force attempts vs Basic Auth gates, so unless you've set something up to protect it, someone with enough time will eventually get in.
Genuine question that I haven't found a good solution to yet: if I want to just go to any old computer and ssh into my server, do I have to carry around a USB stick with the ssh key on it or something? Because I sure as hell won't be able to just remember it.
In that case I'd normally recommend a bastion host with SSH MFA and fail2ban. It'd be publicly available and have SSH keys for other machines. Or you could look at setting up a VPN solution with MFA, but never have a password only admin login exposed to the public Internet.
That's my point - if you have a reasonably secure password (let's say 50-100 characters, fully random), it's extremely unlikely that anyone is ever going to even get beyond the basic auth prompt.
Then you should also be worried about bugs that let you log into an SSH session without providing your SSH certificate, passkey or whatever. Authentication bypass can happen with pretty much any buggy authentication method. None of this is inherently a problem of passwords or basic auth.
Again, the premise was that phpMyAdmin is secured behind basic auth. It doesn't matter how secure or insecure phpMyAdmin is, it only matters how secure whatever webserver it is served through is. phpMyAdmin code isn't even touched until the basic auth login has succeeded. Only after that does it become relevant, in that you either find a hole in phpMyAdmin itself, or you have to break another (hopefully strong) password for the MySQL login itself.
You can easily put phpMyAdmin behind basic auth as an additional security layer, completely bypassing any PHP execution and letting the web server completely handle the authentication. It's exactly what I have done multiple times in the past. Arguably phpMyAdmin's direct integration is a less secure way of doing it, but do we even know if it's the basic auth itself that was bypassed, or was it just the case of a weak password?
A password is just plain text, which apart from being bruteforced, can easily be phished. There are so many things wrong with using a password even if it's fairly complex. Instead, stick to passkeys and SSH keys.
I was kinda surprised to see that phpMyAdmin is still maintained, albeit only barely. The last release was in January but before that it hadn't been touched for over two years.
Nearly every website developer servicing small business builds a WordPress site and sets it up on a hosting company's cPanel install with phpmyadmin running by default.
Which are far far outnumbered by people setting up squarespace sites, or shopify sites or facebook pages or twitter profiles these days.
It was definitely true at one point that small scale indie web devs and small business contractors outnumbered big tech in both headcount and servers. I don't think that's been true for a while now.
- nih.gov - It's using Drupal, per a meta generator tag
- forbes.com - No real for or against evidence, though the lack of any wp- paths leans a little more against it being wordpress
- archive.org - It's some type of react app, not wordpress. Probably home grown
- nginx.org - Just... no.
- ebay.com - Would it surprise you, no.
I have serious questions about their methodology.
Similarly, just because sites like Techcrunch use Wordpress, doesn't mean they're doing it by having someone upload files over FTP to some cPanel managed Godaddy account.
Most of those do in fact seem to use WordPress for part of their site:
* microsoft.com – uses WP at devblogs.microsoft.com
* digicert.com – may be a false positive, they link to files at /wp-content/ URLs, maybe they used WP in the past and kept the URLs?
* mozilla.org – uses WP at blog.mozilla.org
* nih.gov – uses WP at directorsblog.nih.gov
* forbes.com – can’t tell, my ad blocker breaks their cookie consent screen
* archive.org – uses WP at blog.archive.org
* nginx.org – uses WP at blog.nginx.org
* ebay.com – may be false positive?
We end up with 2/10 potential false positives, and one unknown (and even then, those are huge sites, who knows if they’ve got WP hiding under some deeply-buried subdomain).
I agree with you that Microsoft and TechCrunch probably aren’t FTPing their files in, but even if we assume that only 50% of WordPress sites are doing so, that’s still more websites than the next 10 competitors, combined!
If you think about it, this makes sense: do you reckon your local small businesses have a TechCrunch-level web presence, or are they using GoDaddy? Now consider that there exist many more local businesses than TechCrunches.
I serve a cPanel hosting, some people just want something up and running now which cPanel provides.
With Softaculous for automatic installation of scripts it's still widely popular for Wordpress installations. Web hosting is however a very dead market to startup in.