
Bucketsquatting is (finally) dead

https://onecloudplease.com/blog/bucketsquatting-is-finally-dead
71•boyter•2h ago

Comments

lijok•1h ago
Huh? Hash your bucket names
Maxion•1h ago
I don't think that'd prevent this attack vector.
alemwjsl•28m ago
Ok; salt, and then hash your bucket names
why_only_15•1h ago
if your bucket name is ever exposed and you later delete it, then this doesn't help you.
calmworm•1h ago
That took a decade to resolve? Surprising, but hindsight is 20/20 I guess.
thih9•1h ago
> If you wish to protect your existing buckets, you’ll need to create new buckets with the namespace pattern and migrate your data to those buckets.

My pet conspiracy theory: this article was written by bucket squatters who want to claim old bucket names after AI agents read this and blindly follow.

vhab•1h ago
> For Azure Blob Storage, storage accounts are scoped with an account name and container name, so this is far less of a concern.

The author probably misunderstood what "account name" is in Azure Storage's context, as it's pretty much the equivalent of S3's bucket name, and is definitely still a large concern.

A single pool of unique names for storage accounts across all customers has been a very large source of frustration, especially with the really short name limit of only 24 characters.

I hope Microsoft follows suit and introduces a unique namespace per customer as well.

ryanjshaw•1h ago
I recall being shocked the first time I used Azure and realizing so many resources aren’t namespaced to account level. Bizarre to me this wasn’t a v1 concern.
iann0036•46m ago
Author here. Thanks for the call out! I've updated the article with attribution.
Aardwolf•1h ago
Why all that stuff with namespaces when they could just not allow name reuse?
CodesInChaos•57m ago
I'd allow re-use, but only by the original account. Not being able to re-create a bucket after deleting it would be annoying.

I think that's an important defense that AWS should implement for existing buckets, to complement account scoped bucket.

iknownothow•41m ago
Potential reasons I can think of for why they don't disallow name reuse:

a) AWS will need to maintain a database of all historical bucket names to know what to disallow. This is hard per region and even harder globally. It's easier to know what is currently in use rather than to know what has been used historically.

b) Even if they maintained a database of all historically used bucket names, then the latency to query if something exists in it may be large enough to be annoying during bucket creation process. Knowing AWS, they'll charge you for every 1000 requests for "checking if bucket name exists" :p

c) AWS builds many of its own services on S3 (as indicated in the article) and I can imagine there may be many of their internal services that just rely on existing behaviour i.e. allowing for re-creating the same bucket name.

dwedge•15m ago
I can't accept a) or b). They already need to keep a database of all existing bucket names globally, and they already need to check this on bucket creation. Adding a flag on deleted doesn't seem like a big loss.

As for c), I assume it's not just AWS relying on this behaviour. https://xkcd.com/1172/

orf•5m ago
That would be a huge breaking change. Any workload that relies on re-using a bucket name would be broken, and at the scale of S3 that would have a non-trivial customer impact.

Not to mention the ergonomics would suck - suddenly your terraform destroy/apply loop breaks if there’s a bucket involved

INTPenis•1h ago
I started treating long random bucket names as secrets years ago. Ever since I noticed hackers were discovering buckets online with secrets and healthcare info.

This is where IaC shines.

XorNot•52m ago
I just started using hashes for names. The deployment tooling knows the "real" name. The actual deployment hash registers a salt+hash of that name to produce a pseudo-random string name.
Galanwe•44m ago
This is all good and well on the IaC side, yes. But at the end of the day, buckets are also user facing resources, and nobody likes random directory / bucket names.
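As an added illustration of the salt+hash naming scheme XorNot describes (and of the readable-prefix compromise Galanwe's reply asks for), here is example code that is not from the thread, the article, or any deployment tool mentioned above. It assumes the deployment tooling holds a secret salt (e.g. fetched from a secrets manager; here a constructed byte string) and keys an HMAC with it, so that knowing the logical name alone is not enough to compute the physical bucket name. The function and variable names are the example's own. The validator encodes the general S3 bucket naming rules (3 to 63 characters, lowercase letters, digits, dots and hyphens, starting and ending with a letter or digit, not shaped like an IPv4 address).

```python
import hashlib
import hmac
import re

# General-purpose S3 bucket naming rules, expressed as one regex:
# 3-63 chars, [a-z0-9.-], first and last char alphanumeric,
# and not formatted like an IPv4 address (negative lookahead).
_BUCKET_RE = re.compile(r"^(?!\d+\.\d+\.\d+\.\d+$)[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def is_valid_bucket_name(name: str) -> bool:
    """Return True if `name` satisfies the S3 bucket naming rules above."""
    return bool(_BUCKET_RE.match(name))


def derive_bucket_name(logical_name: str, salt: bytes, prefix: str = "",
                       digest_chars: int = 32) -> str:
    """Map a human-readable logical name (known to the tooling) to a
    pseudo-random physical bucket name.

    HMAC-SHA256 keyed with the secret salt is used instead of a plain hash:
    anyone can guess logical names like "uploads" or "backups", but without
    the salt they cannot reproduce the physical name. `digest_chars` hex
    characters of the MAC are kept (32 hex chars = 128 bits by default).
    An optional human-readable prefix keeps the name recognisable in
    consoles and URLs while the suffix stays unguessable.
    """
    mac = hmac.new(salt, logical_name.encode("utf-8"), hashlib.sha256).hexdigest()
    suffix = mac[:digest_chars]
    physical = f"{prefix}-{suffix}" if prefix else suffix
    physical = physical.lower()
    # Fail closed: a prefix that is too long or contains illegal characters
    # must not silently produce a name S3 would reject (or a different name).
    if not is_valid_bucket_name(physical):
        raise ValueError(f"derived name {physical!r} violates S3 naming rules")
    return physical


def build_name_registry(logical_names: list[str], salt: bytes,
                        prefix: str = "") -> dict[str, str]:
    """Build the logical -> physical mapping the deployment tooling keeps.
    Treat the values as secrets: do not log them or commit them to source."""
    return {name: derive_bucket_name(name, salt, prefix) for name in logical_names}


if __name__ == "__main__":
    # Constructed sample input; a real deployment would load the salt from a
    # secrets manager and never hard-code it.
    SAMPLE_SALT = b"example-salt-do-not-use"
    registry = build_name_registry(["uploads", "backups", "logs"], SAMPLE_SALT, prefix="acme")
    for logical, physical in registry.items():
        print(f"{logical:8s} -> {physical}  valid={is_valid_bucket_name(physical)}")
```

Rotating the salt changes every physical name, so the salt needs the same lifecycle care as any other long-lived secret; deleting a bucket and later recreating it under the same physical name still hands the old name to whoever claims it first, which is exactly the squatting window the article is about, so the scheme reduces discoverability but does not replace account-scoped namespaces.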
amluto•5m ago
It would be nice if the other end of this could be addressed: a configurable policy to limit resolution of bucket names within an account namespace. Ideally, if someone doesn’t have permission to resolve a bucket name, they shouldn’t even be able to detect whether it exists.
iknownothow•31m ago
Thank you author Ian Mckay! This is one of those good hygiene conventions that save time by not having to think/worry each time buckets are named. As pointed out in the article, AWS seems to have made this part of their official naming conventions [1].

I'm excited for IaC code libraries like Terraform to incorporate this as their default behavior soon! The default behavior of Terraform and co is already to add a random hash suffix to the end of the bucket name to prevent such errors. This becoming standard practice in itself has saved me days in not having to convince others to use such strategies prior to automation.

[1] https://aws.amazon.com/blogs/aws/introducing-account-regiona...

alemwjsl•26m ago
I take it advertising your account id isn't a security risk?
aduwah•22m ago
It is not hygienic, but with only the account-id you are fine. In the IAM rules the attacker can always just use a * on their end, so it does not make a difference. You have to be conscious to set proper rules for your (owner) end tho.
josephg•11m ago
Sometimes I wonder if package names, bucket names, github account names and so on should use a naming scheme like discord. Eg, @sometag-xxxx where xxxx is a random 4 digit code. It's sort of a middleground between UUID account names and completely human generated names.

This approach goes a long way toward democratizing the name space, since nobody can "own" the tag prefix. (10000 people can all share it). This can also be used to prevent squatting and reuse attacks - just burn the full account name if the corresponding user account is ever shut down. And it prevents early users from being able to snap up all the good names.

donmcronald•6m ago
I just want to be able to use a verified domain; @example.com everywhere.
Cthulhu_•3m ago
That still has "squatting" risks as described in the original article though, domains expire and / or can be taken over.
rithdmc•4m ago
I like it for buckets, but adding a four digit code won't help with the package hijacking side of things - in fact might just introduce more typo/hijack potential. It'll just be four more characters for people to typo.
