Man, I love the rainforest. Why don't we hear about it as much? It's been a dream of mine to visit the Amazon. Now that I have the means I really need to get down there.
Cats, cows, turkeys, dogs, and horses, among many other animals, will always be around as long as humans are, simply because we'll ensure that they always have a healthy habitat. The same goes for trees, especially tropical trees.
Reforestation is a huge opportunity if we invest in plantations that have managed cutting, allowing tropical trees to grow up to 40 years before being turned into beautiful products like furniture.
In order to produce high quality lumber that's useful for furniture making, like mahogany for example, loggers have to be selective about the trees they fell. You can't just chop down every one of them, because not all of them will yield productive wood.
Maple is similar in that it's plantation grown right here in the U.S. What that actually means in terms of wood quality is that it suffers a bit from uniformity.
The reason I know this is because I'm running a Kickstarter for a remote control. It's made out of mahogany and maple, but its impact is offset a bit by the small size of the remote, which also makes small features much more distinguishable.
This is also one of the reasons why I'm a vegetarian, as much deforestation is caused by burning forests for raising livestock.
Turn Touch: https://www.kickstarter.com/projects/samuelclay/turn-touch-b...
It is not just the net loss of plant matter. The indigenous peoples are under constant duress, and we risk losing a unique part of our world: medicinal plants and esoterica, wildlife, and access to limited resources, to boot.
There are groups working with those impacted by this. I am contributing to an NGO called the Alianza Arkana which is doing some work to aid the indigenous and the rainforest.
Contextual plug: http://alianzaarkana.org .
I left a well-paying, comfortable tech job to try to make even a small difference. I hope this devastation is not a part of my generation's legacy.
The article doesn't get into it, but what is driving this growing appetite? Is it a natural effect of population growth?
...so really it did rise in 2014, from 1.2 to 1.5, so the first statement is false, isn't it?
There's this site, tree-nation.com that helps with reforestation projects. Any others out there?
I remember checking out Staffjoy last year sometime, out of curiosity. Seemed to be a nicely designed system that fitted a niche.
I too wonder why it never took off. Having consulted in the small business area for 3 decades now, I know that rostering and checking staff availability is a major pain point for business owners, especially those running cafes, security services, catering, etc.
Heck, even my wife is on an automated rostering SMS system for her part time job, and it works well and seems to alleviate a lot of stress for her boss. I am surprised that $9/mth wasn't an automatic "Shut up and take my money" for a lot of businesses. I know there is a lot of competition, but surely there is plenty of pie for a few players to be in the same market.
I hope to perhaps one day hear a more detailed post mortem about the business, rather than technical, challenges faced by the founders of Staffjoy.
Also, was this the Homejoy v2 attempt? Seems like contractor scheduling services don't provide enough value to the contractors and customers to keep them from dealing directly once the contact is made. Curious if there are any successful companies that provide the same services, with actual revenue, and what they did differently. It's gotta be something that makes the customer and contractor stick to the platform.
But within your own code, you would not want to represent "an unforeseen error occurred" with a value, no matter how much you like enums.
If you were parsing JSON and you got an unexpected error that isn't about parsing JSON, logging the error and continuing is not the right option. There is probably nothing reasonable your program can do. Raise the error so your broken code stops running.
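A minimal sketch of that idea in Python (the function and the fallback behavior here are made up for illustration):

    import json
    import logging

    def load_settings(raw: str) -> dict:
        try:
            return json.loads(raw)
        except json.JSONDecodeError:
            # Expected failure: the input wasn't valid JSON. Treating that as
            # a value (an empty dict here) and logging it is a reasonable choice.
            logging.warning("settings were not valid JSON; using defaults")
            return {}
        # Anything else (MemoryError, a typo'd name, a bug in our own code) is
        # NOT caught, so it propagates and stops the broken program.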
Yes, and if I wanted type annotations to stop my program from working I wouldn't be using Python.
Enforcing types is exactly what Python is NOT about, because of duck typing and everything else.
So this is not "postmodern error handling", this is "let's code Java in something else and pat ourselves on the back".
Do you want to check errors at "compile time"? Use Pylint. It does the right thing.
At first I was skeptical of the syntax, but after a while I got used to it. Function definitions look a lot like Rust ones and no longer require endless docstrings just to document the types of the expected parameters.
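For what it's worth, a tiny example of what that looks like (the function itself is made up; the annotations are standard typing syntax):

    from typing import Optional

    def find_user(user_id: int, active_only: bool = True) -> Optional[dict]:
        """Return the matching user record, or None if there is no match."""
        ...

    # Tools like mypy, Pylint, or an IDE read the annotations; CPython itself
    # ignores them at runtime, so nothing is enforced unless you ask for it.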
The actual statements are available here https://www.fcc.gov/document/fcc-addresses-unnecessary-accou...
The sad fact is, this is yet another grim attack on net neutrality by nefarious agents who see the web as something to be dominated and bent to their will exclusively for political and economic gain.
Like it or not, the work we do is going to become highly politicised. Are we ready for this? Do we have the moral fortitude to resist the influence that fuzzy, sloppy, and emotive politics seeks to have on our discussions?
I think back to how we handled the Brendan Eich debacle. I (regretfully) came down on the punitive side of that argument. And I participated in that debate with a level of anger and vitriol that embarrasses me now. But whichever side you took, there's no doubt that for a brief moment we were deeply divided. The Brendan Eich story was a flash in the pan compared to what is about to happen.
Should we engage in political debate, or should we avoid it? Can we buck the trend and participate in political debate in a way that doesn't tear us apart, or should we ignore it as it happens around us and impacts our lives and work? Or is there a path between the extremes, where we can be neither blind to our political leanings nor beholden to them?
I don't dare offer any advice on how we should prepare ourselves for what is about to come; I just hope we can all think about how we hope to respond before it happens.
One thing I will say, though: being someone prone to highly emotional reactions in all aspects of my life, developing software in teams has taught me the value of "strong opinions, weakly held".
In the tech community I see people rising up against any kind of movement against net neutrality. And I do not want to see it erode. But I worry that by becoming averse to any reversal, any compromise, the community's stance will eventually be so politicized that it is just another part of the unreasonable and ultra-biased political landscape that grinds progress to a halt.
ERROR: TechCrunch is not part of your Internet Service Basic Web pack. For an extra $29.99 a month you can upgrade to Internet Service Extreme, offering access to over 50 more web sites!
Isn't more competition among providers what we want? Shouldn't we be doing everything we can, even if it's saving 6.8 hours per year in regulatory compliance, to help these smaller guys take on horrible behemoths like AT&T and Comcast?
Deregulation of access to consumers will result in cheaper internet and most likely faster internet speeds. However, it will concentrate power to those who already have it. Large ISPs will charge heavy bandwidth companies and only the largest heavy bandwidth companies will be able to afford the fees.
Those heavy bandwidth companies paying the fees will recoup the money through advertising. Remember newspapers and large TV media companies make the majority of their money through advertising. When companies rely on advertising, the users are no longer the customers. They are the product.
Further protecting the companies which rely on advertising will allow those companies to focus less on the customers and more on the advertisers. Companies relying on the allegiance of advertising will naturally shape their political standing to views of the advertisers. Remember also that advertisers are not paying for just eyeballs, but they are all paying for control. If a company starts moving away from their advertisers' political ideology they will lose revenue. Net Neutrality will ultimately give more control to companies that already hold power.
Just my two cents...
Mine connects to yours which connects to his which connects to hers. Eventually we'll have formed a network.
I'm left hoping that's close enough to branch out wireless service in short order.
Otherwise, I'm left screwed, between an AT&T that refuses to upgrade its local network (and it's a dense, accessible, suburban neighborhood -- hardly the boonies), and a Comcast that has doubled its rates for basically the same service. Both with caps that will quickly look increasingly ridiculous in the face of the wider world of data transfer.
We'll be back to them insisting on big bucks for asymmetric streaming of big-brand content, with increasing pressure to make that their content (a la data-cap exemptions, etc.)
The caches other than Google were quick to clear and we've not been able to find active data on them any longer. ... I agree it's troubling that Google is taking so long.
The leaked information is hard to pinpoint in general, let alone amongst indexes containing billions of pages.
I can understand the frustration - this is a major issue for Cloudflare and it's in everyone's best interests for the cached data to disappear - but it's not easy, and they shouldn't claim that it is (or incorrectly state that "The leaked memory has been purged with the help of the search engines" on their blog post).
This is a burden that Cloudflare has placed on the internet community. Each of those indexes - Google, Microsoft Bing, Yahoo, DDG, Baidu, Yandex, ... - has to fix a complicated problem not of their creation. They don't really have a choice either, given that the leak contains personally identifiable information - it really is a special sort of hell they've unleashed.
Having previously been part of Common Crawl and knowing many people at Internet Archive, I'm personally slighted. I'm sure it's hellish for the commercial indexes above to properly handle this let alone for non-profits with limited resources.
Flushing everything from a domain isn't a solution - that'd mean deleting history. For Common Crawl or Internet Archive, that's directly against their fundamental purpose.
But their response here is embarrassingly bad. They're blaming Google? And totally downplaying the issue. I really didn't expect this from them. Zero self-awareness, or they believe they can just pretend it's not real and it'll go away.
I kind of understand what CF is doing here: they've screwed up, there's no way for them to clean it up, so all they can do now is deflect attention from the magnitude of their screw up by blaming others for not working fast enough in the hope that their fake paper multibillion dollar valuation doesn't take too big a hit.
Still a dick move though. Maybe next time don't use a language without memory safety to parse untrusted input.
At this point if you don't consider all data that was sent or received by CloudFlare during the "weaponized" window compromised, you're lying to yourself.
There is a bit of tension between cloudflare and taviso over the timing of notification, but that is vanishingly insignificant overall.
From their blog: https://blog.cloudflare.com/incident-report-on-memory-leak-c...
If they can't tell, someone may now be sitting on a lot of very juicy data, far beyond what may be left in these caches.
Also, if you take a closer look at the video, each room is artificially staged to look gender-equal and diversity-equal (watch the video, it's fun to notice the artificiality of it).
How fake can companies be these days?
Or maybe they were always socially fake, but it's just the current political climate that has them using the 'gender-equality' fakeness rather than the 'we are all a big family' fakeness that I remember from 5-10 years ago.
My main complaint here is that it seems so obvious that they USE the fact that people want to see more gender equality and inclusion (some want that regardless of the quality of the employees, i.e. quotas; some want it only if it really reflects reality, i.e. the gender distribution is determined just by who passes the company's hiring process, with no 'discounts' for anyone, regardless of their gender).
If I were a girl, I would really be suspicious of a company that does that. I would prefer to go somewhere else where I could say 'I got in because I was a good candidate, not because of a female quota the company had to fill so they could post a "gender-cool" video on their website'.
If you find some samples with domain names / unique identifiers of domains (e.g. X-Uber-...) you are welcome to contribute to the list: https://github.com/Dorian/doma/blob/master/_data/cloudbleed....
One causes swapping. The other causes a month of extra work.
Is there some sort of information extraction feature service or something they offer? I don't get it.
If I were Google I would hit back hard. They probably won't, but I would not even bother trying to clean up the data unless under legal pressure. It's out there; it's too late.
>Google, Microsoft Bing, Yahoo, DDG, Baidu, Yandex, and more. The caches other than Google were quick to clear and we've not been able to find active data on them any longer. We have a team that is continuing to search these and other potential caches online and our support team has been briefed to forward any reports immediately to this team.
>I agree it's troubling that Google is taking so long. We were working with them to coordinate disclosure after their caches were cleared. While I am thankful to the Project Zero team for informing us of the issue quickly, I'm troubled that they went ahead with disclosure before Google's crawl team could complete the refresh of their own cache. We have continued to escalate this within Google to get the crawl team to prioritize the clearing of their caches as that is the highest priority remaining remediation step.
taviso (Tavis Ormandy) replied:
>Matthew, with all due respect, you don't know what you're talking about.
>[Bunch of Bing Links]
>Not as simple as you thought?
If this is how 2017 is pacing, we've got a long year ahead. This is an insanely interesting time to be alive, let alone at the forefront of the INTERNET.
Fellow Hackers, I wish you all the best 2017 possible.
What happens for sites using Full SSL (a certificate between Cloudflare and the user and a certificate between Cloudflare and the server)? Could any information from SSL pages have been leaked?
- there is a smaller number of sites that used some of the special features of Cloudflare that allowed leakage for some months, according to what Cloudflare said.
- it seems the number of the sites was much bigger for some days, according to what Cloudflare said.
- the data leaked are the data passed through the Cloudflare TLS man-in-the-middle servers -- specifically not only the data from the companies, but the data from the users, and not only the data related to the sites through which the leak happened, but also other sites that just happened to pass through these servers. Again, also the visitor's data, both directions are leaked. From the visitors, their location data, their login data etc. As an example: if you imagine the bank which used Cloudflare TLS, in the caches could be both the reports of the money in the accounts (sent from the bank to the customers) and the login data of the customers (sent by the customers to the bank), even if the bank site hasn't had the "special features" turned on. That's what I was able to see myself in the caches (not for any bank, at least, but the equivalent traffic).
Either we can search for obvious strings like X-Uber-* and try to scrub them one by one, or we can just nuke the caches for all the domains that turned on the problematic features (Scrape Shield, etc.) anytime between last September and last weekend. Cloudflare should supply the full list to all the known search engines including the Internet Archive. Anything less than that is gross negligence.
If Cloudflare doesn't want to (or cannot) supply the full list of affected domains, an alternative would be to nuke the caches for all the domains that resolved to a Cloudflare IP  anytime between last September and last weekend. I'm pretty sure that Google and Bing can compile this information from their records. They might also be able to tell, even without Cloudflare's cooperation, which of those websites used the problematic features.
Not exactly breaking news. At some point, maybe people will realise that CF is actively making the internet worse and less secure, and that it should be treated as nothing more than a wart to be removed.
Is there someone among you HNers who has retained a positive outlook by believing that the universe is a bleak, chaotic place with no intrinsic meaning to the things happening in it?
The Penguin edition of fellow stoic Marcus Aurelius' Meditations is free on Amazon Kindle: https://www.amazon.com/Meditations-Marcus-Aurelius-Wisehouse...
It blows me away how that part about taking every problem as a chance to learn and become a better "wrestler" fits right in with my natural conclusions. The rest of it describes me adequately also.
I'm reading Epictetus now, thanks for sharing.
(Used by many journalists to analyze the data in PDFs)
Yes, (al)pine is my mailtool in 2017.
That has a --layout option that works really well sometimes and really terribly other times. It doesn't seem to be related to document complexity either.
Is this something that could be combined with those OCR engines? (e.g. TesseractOCR...)
The deja vu made me squint for a minute.
ps: pdfbox is nice
The OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_SHA1 OP_SWAP OP_SHA1 OP_EQUAL script was making sure that only a person who finds two SHA-1-colliding inputs and publishes them can claim the 2.5 BTC bounty.
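In stack terms: the script takes two inputs, requires that they differ, and then requires that their SHA-1 digests match. A rough Python rendering of that logic (just an illustration of the script's semantics, not real Bitcoin validation code):

    import hashlib

    def bounty_redeemable(preimage_a: bytes, preimage_b: bytes) -> bool:
        # OP_2DUP OP_EQUAL OP_NOT OP_VERIFY: the two inputs must be different
        if preimage_a == preimage_b:
            return False
        # OP_SHA1 OP_SWAP OP_SHA1 OP_EQUAL: ...but must share a SHA-1 digest
        return hashlib.sha1(preimage_a).digest() == hashlib.sha1(preimage_b).digest()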
The key is that essentially all of the data for both images are in both PDFs, so the PDFs are almost identical except for a ~128 byte block that "selects" the image and provides the necessary bytes to cause a collision.
Here's a diff of the 2 PDFs from when I tried it earlier: https://imgur.com/a/8O58Q
Not to say that there isn't still something exploitable here, but I don't think it means that you can just create collisions from arbitrary PDFs.
Edit: Here's a diff of shattered-1.pdf released by Google vs. one of the PDFs from this tool. The first ~550 bytes are identical.
My version is similar to this, but removes the 64kb JPEG limit and allows for colliding multi-page PDFs.
Installer.py and Installer-evil.py are both valid seed data for Installer.torrent ...
> identical-prefix collision attack, where a given prefix P is extended with two distinct near-collision block pairs such that they collide for any suffix S
They have already precomputed the prefix (the PDF header) and the blocks (which I'm guessing is the part that tells the PDF reader to show one image or the other), and all you have to do is to populate the rest of the suffix with identical data (both images)
Edit: yes, looks like it is.
As sp332 and JoachimSchipper mentioned, the novelty here is that it contains specially crafted code in order to conditionally display either picture based on previous data (the diff). I can't grok PDF so I still can't find the condition though. Can PDFs reference byte offsets? This is really clever.
Edit #2: I misunderstood the original Google attack. This is just an extension of it.
Does anyone have any idea about a broad risk-assessment of systems worldwide that might be vulnerable as SHA1 becomes easier and easier to beat?
> As you may be aware, Cloudflare incurred a security breach where user data from 3,400 websites was leaked and cached by search engines as a result of a bug. Sites affected included major ones like Uber, Fitbit, and OKCupid.
> Cloudflare has admitted that the breach occurred, but Ormandy and other security researchers believe the company is underplaying the severity of the incident
> This incident sheds light and underlines the vulnerability of Cloudflare's network. Right now you could be at continued risk for security and network problems. Here at Dyn, we would like to extend a helpful hand in the event that your network infrastructure has been impacted by today's security breach or if the latest news has you rethinking your relationship with Cloudflare.
> Let me know if you would be interested in having a conversation about Dyn's DNS & Internet performance solutions.
> I look forward to hearing back from you.
For example, https://coinbase.com is on that list! If they haven't immediately invalidated every single HTTP session after hearing this news this is going to be bad. Ditto for forcing password resets.
A hijacked account that can irrevocably send digital currency to an anonymous bad guy's account would be target number one for using data like this.
"I am not changing any of my passwords. I think the probability that somebody saw something is so low it's not something I am concerned about."
Original post: https://news.ycombinator.com/item?id=13720199
And the disclaimer right at the top:
This list contains all domains that use cloudflare DNS, not just the cloudflare SSL proxy (the affected service that leaked data). It's a broad sweeping list that includes everything. Just because a domain is on the list does not mean the site is compromised.
I question Pirate's (https://github.com/pirate) motives for even doing this. Karma? Reputation?
Were the two things running in the same process? If they were not, there's no way that the buffer overrun could read another process's memory, right? It would have failed with a segfault-type error.
If so, shouldn't Cloudflare consider running the sensitive stuff in a different process, so that no matter how buggy their caching engine is, it would never inadvertently read sensitive information?
At least change the cookie name so the token stops working. For example, in ASP.NET, change the "forms-auth" name in the web.config file.
There probably aren't many but with something this serious it could be important. I'm not sure how one would go about finding the sites that use the CNAME option. If it helps, they use a pattern like:
www.example.com --> www.example.com.cdn.cloudflare.net
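A rough way to check a single hostname for that pattern (assumes the dnspython package; dns.resolver.resolve is the dnspython 2.x name, older versions call it query, and the error handling here is deliberately minimal):

    import dns.resolver  # pip install dnspython

    def cnames_to_cloudflare(hostname: str) -> bool:
        """True if the hostname CNAMEs into something under cdn.cloudflare.net."""
        try:
            answers = dns.resolver.resolve(hostname, "CNAME")
        except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
            return False
        return any(str(rr.target).rstrip(".").endswith(".cdn.cloudflare.net")
                   for rr in answers)

    print(cnames_to_cloudflare("www.example.com"))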
> In our review of these third party caches, we discovered data that had been exposed from approximately 150 of Cloudflare's customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.
Does this jibe at all with the Google or Cloudflare disclosures? They are claiming that across all caches they only found and wiped data from ~150 domains; can that be true?
One interesting thing: the raw dump that's linked from the list's README doesn't seem to include a couple of notable domains from the README itself, like news.ycombinator.com or reddit.com. I may be mangling the dump or incorrectly downloading it in some way.
EDIT: disclaimer, be responsible, audit how the dump is generated, etc etc etc
Welp, time to change all my passwords.
> When the parser was used in combination with three Cloudflare features (e-mail obfuscation, server-side excludes, and Automatic HTTPS Rewrites) it caused Cloudflare edge servers to leak pseudo-random memory contents into certain HTTP responses. https://arstechnica.com/security/2017/02/serious-cloudflare-...
> Hi [Username],
> A bug was recently discovered with Cloudflare, which Glidera and many other websites use for DoS protection and other services. Due to the nature of the bug, we recommend as a precaution that you change your Glidera security credentials:
> Change your password
> Change your two-factor authentication
> You should similarly change your security credentials for other websites that use Cloudflare (see the link below for a list of possibly affected sites). If you are using the same password for multiple sites, you should change this immediately so that you have a unique password for each site. And you should enable two-factor authentication for every site that supports it.
> The Cloudflare bug has now been fixed, but it caused sensitive data like passwords to be leaked during a very small percentage of HTTP requests. The peak period of leakage is thought to have occurred between Feb 13 and Feb 18 when about 0.00003% of HTTP requests were affected. Although the rate of leakage was low, the information that might have been leaked could be very sensitive, so it's important that you take appropriate precautions to protect yourself.
> The actual leaks are thought to have only started about 6 months ago, so two-factor authentication secrets generated before that time are probably safe, but we recommend changing them anyway because the vulnerability potentially existed for years.
> Please note that this bug does NOT mean that Glidera itself has been hacked or breached, but since individual security credentials may have been leaked some individual accounts could be vulnerable and everyone should change their credentials as a safeguard.
> Here are some links for further reading on the Cloudflare bug:
> TechCrunch article: https://techcrunch.com/2017/02/23/major-cloudflare-bug-leake...> List of sites possibly affected by the bug: https://github.com/pirate/sites-using-cloudflare/blob/master...
> If you have any questions or concerns in response to this email, please contact support at: firstname.lastname@example.org
/* generated code */
if ( ++p == pe ) goto _test_eof;
"The root cause of the bug was that reaching the end of a buffer was checked using the equality operator and a pointer was able to step past the end of the buffer. This is known as a buffer overrun. Had the check been done using >= instead of == jumping over the buffer end would have been caught."
"2017-02-18 0011 Tweet from Tavis Ormandy asking for Cloudflare contact information
2017-02-18 0032 Cloudflare receives details of bug from Google
2017-02-18 0040 Cross functional team assembles in San Francisco
2017-02-18 0119 Email Obfuscation disabled worldwide
2017-02-18 0122 London team joins
2017-02-18 0424 Automatic HTTPS Rewrites disabled worldwide
2017-02-18 0722 Patch implementing kill switch for cf-html parser deployed worldwide
2017-02-20 2159 SAFE_CHAR fix deployed globally
2017-02-21 1803 Automatic HTTPS Rewrites, Server-Side Excludes and Email Obfuscation re-enabled worldwide"
Seems like a pretty good response by cloudflare to me.
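About the == vs >= check quoted above: the vulnerable code is generated C, but the difference between the two checks is easy to see in a simplified analogue (purely illustrative; where C silently reads whatever memory follows the buffer, Python just raises an IndexError):

    def scan(buf: bytes) -> list:
        out = []
        p, pe = 0, len(buf)
        while True:
            p += 2                # the state machine can advance by more than one
            if p == pe:           # buggy check: if p jumps from pe-1 to pe+1 it never fires
                break
            # The fix: 'if p >= pe: break' catches any step past the end.
            out.append(buf[p])
        return out

    scan(b"abcd")                 # even length: the == check happens to work
    try:
        scan(b"abcde")            # odd length: the cursor steps past the end
    except IndexError:
        print("overran the buffer")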
this is despite (or maybe because of) my best efforts to secure systems as a major part of my job.
Sites using Cloudflare, really. However, Cloudflare say that only sites using three page rules were affected - email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites. 
Is this over-estimating the impact, perhaps?
All that said, I'm glad to see this happen!
If you want to play Go, I highly recommend it!
I have tried Pandanet IGS, KGS, Tygem, WBaduk and even obscure ones such as Fly or Die and Go Chat (Facebook messenger bot).
I think OGS offers by far the most frictionless way to start and a more modern UI. It even offers really nice features such as the ability to draw on a board during a review.
There are so many cool things about bees.
In the paper "Detection and Learning of Floral Electric Fields by Bumblebees" they mention how bees can detect if other bees have harvested pollen from flowers, based on an electric field.
Along with the waggle dance, their functioning in a colony.
Apparently they might let out a little vibration to express surprise when another bee bumps into them https://www.newscientist.com/article/2121275-honeybees-let-o...
Also they can apparently sense the earth's magnetic field - http://web.gps.caltech.edu/~jkirschvink/pdfs/Bees.pdf
(and FWIW: I'm not being morally superior here: I believe that in reality, probably being vegan is the only morally defensible position, but the flesh being weak and all... And in actual fact, probably even that is a tricky position: by surviving one is probably making the calculated decision (conscious or not) to put one's own survival above the cost of some other's demise.)
I would much prefer to live in an environment of plants and animals than one of concrete and metal.
The bottleneck is in the training, and this is where technology could play a part. Robotics and machine learning algorithms could be employed to improve the training process (for example see here: http://thecrowbox.com/).
"No you stupid wasp, how many times have I told you, YOU DO NOT REBASE A SHARED BRANCH. Never, ever, ever. If I see you do that again I swear to God I am telling the queen."
I tried Ragic just now for 10-15 minutes and it is far from simple, despite what their landing page claims. It is nothing at all like a database and it also is nothing at all like a spreadsheet (and not in a good way).
Edit: Looking at previous discussions about it here on HN, the criticism in this 5-year-old comment still holds true: https://news.ycombinator.com/item?id=3960207
Due to piss poor project managers and lack of business requirements and/or realistic deadlines.
I switched to zsh + prezto with powerlevel9k ( https://github.com/bhilburn/powerlevel9k ) and within an hour, I had something awesome. Here's a guide on installing it: http://www.codeblocq.com/2016/09/Pimp-up-iTerm-with-Zsh-and-... and I'd really really recommend powerlevel9k. Nothing against fish, but after a few weeks, it was just too hard to unlearn all my bashfulness, whereas in zsh it just works as it used to + had the extra functionality I got with fish + now is even more awesome and useful thanks to powerlevel9k.
One nice thing about (good) GUI programs and websites is that 'results' are quickly navigable. In a terminal, I'd love to be able to drill down into results of ls; from grep output quickly open a file and jump to that match; etc.
(Shell output can be in any format, but even if it could grok the output of only specific programs/commands (and also their switches) that would be a starting point.)
Does anything like this exist, for any platform? It seems like PowerShell could be a good match, but I don't know anything about its ecosystem.
Sometimes I see good stuff in these lists, but this author looked like they didn't even really try.
Open source, so if you've got yourself an Apple Developer account you can build and run it yourself.
Yeah, absolutely this. They spin everything they do as some kind of heroic "for the people!" decision even when it's just about cutting costs or not having to solve "hard" problems. One example is DNS "any" queries. Cloudflare just decided to toss standards out because they aren't up to conforming to them. As far as I'm concerned, this Cloudbleed thing is karma, and nobody should believe anything Cloudflare says about itself.
A friend of mine was about to fall for a hoax/scam. And even though they changed the words and meaning of quite a few elements, I was able to pinpoint the exact scam using carefully crafted Google queries.
With Google there is just no way to bullshit people anymore. Someone would tell a strong story in the 90s during a birthday, and you'd have to go to the library the next day to verify or discard it. Not anymore.
Someone asked why those old modems made noise, and instead of giving an answer right away, it took all of 15 seconds to find the answer online, much better than I ever could answer it.
I remember my first job skill test. It was multiple choice and you were allowed to use the internet. I answered all questions by Googling keywords from the question, in combination with keywords from each answer, and looking which combination gave the most results. Answering this way I got a near perfect score. There were questions about programming languages I hadn't even written a "Hello World"-example for.
With all this goodness, comes of course the danger of relying on Google for all your answers. If it is not on the first page of the results it is not true. Especially younger people believe a lot of facts they find online. Another danger is using Google for confirming a bias: With so many pages online, there is bound to be a page in the results that agrees with your initial hunch, however incorrect it is.
I participated in the pilot for Google Answers. There were people there that, if the answer was to be found anywhere online, could answer it, no matter their expertise on the subject. Googling well is a valuable skill.
He regularly posts quirky challenges (What kind of cow is in this picture? Can you see the Farallon Islands from San Francisco, and where should you stand at what time of year to best see them?). Also contains lots of useful information about the state of the query and engine, such as which search operators have been deprecated, or which obscure search operators no one seems to know about.
"What do you learn the definition of on page 21 of the 2011/2012 Official Rules of the NBA" was "legal goal" really? It doesn't say that anywhere on the page. "legal field goal" didn't work, "Scoring and Timing" didn't work (the header of the page). None of the other definitions on Page 21 worked, there's a few. The only mention of "legal goal" is in the Index where it points to page 21.
Later the question was what musical period the definitions of symphony, sonata, etc. were standardized in. I copy-pasted "C period", it didn't work, so I tried some other ones. Well, apparently "C" was the correct answer all along.
I'd love to try asking the questions from this site to Google Home and see how it does.
You'd all start on one random page, and race to get to some completely unrelated target page, only by clicking through links to other pages.
It was always surprising how few degrees of separation there were between wildly unrelated topics.
An example of the very first one, from August 1992:
Google has definitely made these a lot easier, so the questions have had to get a lot harder!
Who is the intended audience?
Anyone remember this game? My recollection is hazy, but I think the questions were sent out periodically and teams would rush to get them all answered first.
Parent-child interaction goes a really long way in child development and if you ever get the chance, it's worth sitting in on a session (whether your child needs extra help or not). A large part of the work my wife does is around enabling parents to assist kids that need more input (through no fault of the parents themselves).
Seems like the data sample is too small to infer anything useful for Swedish... but comparing Danish and English is interesting. Seems like Danes outperform or English kids underperform. It would be interesting to understand the major driver of the effect.
Streisand Effect in 3... 2... 1...
It's 2017. Have we really not learned this lesson yet?
(You shouldn't use corporate wifi for a personal phone anyway)
(working at a startup so can't just sign up and see it myself...)
It should be assumed as a given that any company or hotel wifi network is monitored and HTTPS quite possibly is MITMed.
>unless we start hacking away them.
Latin, 1st century AD: Cerasus (AFAIK C is pronounced ch as in chain. Edit: thanks to danans for the correction: ch is the modern pronunciation and k as in king the traditional one, so it's even closer to the Greek one)
And even older, ancient Greek:
(pronounced probably like kera-sos):
" Of Anatolian origin. Compare Akkadian "karu""
Of course, Akkadian is the oldest Semitic language for which the records exist, at least 4000 years old, i.e. around 2000 BC. Their empire was in the part of today's Iraq -- in the area to which the people who later wrote the Torah (which even later became the part of the Old Testament) referred as "the garden of Eden."
The cherries are our direct connection to the mythical paradise.
(And, while I'm on Eden and fruits: the famous "forbidden fruit" wasn't an apple in the original text; that's a wrong, later interpretation: https://en.wikipedia.org/wiki/Forbidden_fruit#The_Apple )
Consider using an actual class or a closure perhaps?
[I think it does most of what yours does](https://github.com/Cheezmeister/kapok/blob/master/tst/kapok....) (EDIT: Nope, missing URL loading and XSS cleaning!)
The danger comes if you are not aware of the risks inherent in your own income. Sometimes it does make sense to let your income have some instability in it, and let someone else control it -- maybe it is a case like mine where it is small enough to not matter. Or maybe it is large enough that it is worth the risk. Just don't let yourself get in a situation where it is large enough that you are living on it, but not so large that the risks are acceptable. Because that is when changes like this will bite you.
It's a massive loss (~50%) for affiliates like Wirecutter that do mostly tech/electronics, and a huge boost for the luxury beauty category.
Current fees: https://web.archive.org/web/20170106214444im_/https://images...
They're there now. They have critical mass. They're the first place people search organically for new stuff.
There's no sense in throwing money after sales they'd already get. They're better off using it as a discount to get sales they wouldn't.
and not seeing what is cut in half.
(Also I notice that the new chart says musical instruments are 6%. For electronic musical instruments -- digital keyboards, for instance -- does this mean the fee has gone up from 4%?)
If they are going from a volume-based approach to a margin-based approach, that is rational, and good for everyone.
(i.e. why pay out more for 1000 rubber bands when that makes them uncompetitive to sell, and you should pay out more for that high-end TV).
But... if I'm being honest with myself, it also seems kind of reasonable. I think their original plan was pretty generous. I was kind of expecting this to happen at some point.
I have been running online shops before (not electronics though) and we happily spent all of the profit margin of an order on trackable advertising, because of a) the lifetime value of the customer, b) the word-of-mouth value of a customer, and c) the untracked sales generated by the advertising.
2.5% of revenue sounds unbelievably cheap to generate an actual trackable order.
I stopped by the local Microcenter (which, incidentally, has a nice assortment of hobby-oriented electronics items for sale) and they beat Amazon's price on a Samsung EVO SSD by over $20. Since they price match, I got a $3 discount on one of the other pieces of hardware I bought that day.
All in all, the time I spent driving there likely made the savings irrelevant, but I was surprised that they were so much more aggressive on the SSD pricing.
I could see a site like the WireCutter getting lots of clicks to Amazon and then the person not buying that product but remembering later, "hey, I forgot that I need dog food." Well, dog food happens to be a 10% commission now, so maybe it isn't as bad as it would seem.
Also, the WireCutter's sister site is the Sweet Home, and I think home goods are now up to a flat 8% rate, so they may not be any worse off.
My strategy is this: at these commissions in the Health niche, Amazon will no longer be in our "preferred" tier of stores. On March 1, their products will no longer show up on our blog (unless they are the only store with it in stock) -- and the blog gets the vast majority of our traffic.
They will still show up in our main site (where I need to decide whether or not to keep their exclusive buttons), and they'll still be involved in our hot deals and price drop alerts.
Stores need to earn our best visitors, and Amazon is no longer deserving. Surprisingly, they're most often not the best deal on our site anyway, so I don't think anyone will be too upset.
I may try to negotiate my own rates, but I don't think we're big enough for that (not yet, at least). Everything is negotiable when you have legit traffic and other options.
Meanwhile, we've been diversifying our revenue with various industry SAAS services that can be scaled globally. This has been a big focus of mine, knowing that these kinds of things can happen at the drop of a hat.
But at the end of the day, this is still a paycut, and it still hurts. Amazon will ultimately lose more of our traffic for it, and I really don't think they'll even notice this on their bottom line compared to the explosive profits they get from AWS.
Seems like bad PR more than anything.
Affiliate programs are a good way to get market quotas. If they're #1 in sales, then there's no need to spend marketing bucks on it.
Reading the Associates discussion forum is the definition of depression. People running sites for many years talking about earning $200 in a month. Please, enlighten us as to your thoughts on the new rate structure!
And related question, is there an affiliate scheme for Amazon India? I had checked a few times earlier for the US-based Amazon affiliate scheme, and IIRC, each time it said that it was only for the US, or not for India.
Basically, each PDF contains a single large (421,385-byte) JPG image, followed by a few PDF commands to display the JPG. The collision lives entirely in the JPG data - the PDF format is merely incidental here. Extracting out the two images shows two JPG files with different contents (but different SHA-1 hashes since the necessary prefix is missing). Each PDF consists of a common prefix (which contains the PDF header, JPG stream descriptor and some JPG headers), and a common suffix (containing image data and PDF display commands).
The header of each JPG contains a comment field, aligned such that the 16-bit length value of the field lies in the collision zone. Thus, when the collision is generated, one of the PDFs will have a longer comment field than the other. After that, they concatenate two complete JPG image streams with different image content - File 1 sees the first image stream and File 2 sees the second image stream. This is achieved by using misalignment of the comment fields to cause the first image stream to appear as a comment in File 2 (more specifically, as a sequence of comments, in order to avoid overflowing the 16-bit comment length field). Since JPGs terminate at the end-of-file (FFD9) marker, the second image stream isn't even examined in File 1 (whereas that marker is just inside a comment in File 2).
tl;dr: the two "PDFs" are just wrappers around JPGs, which each contain two independent image streams, switched by way of a variable-length comment field.
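If you want to poke at that structure yourself, here is a minimal segment walker for a JPEG stream (it only knows standard JPEG markers, nothing specific to the shattered files; run it on the JPG data extracted from each PDF):

    import struct

    def list_jpeg_segments(path: str) -> None:
        """Print each marker segment and its declared length, up to SOS.
        The colliding files differ in the 16-bit length of an early COM
        (0xFFFE comment) segment, which changes how the rest is parsed."""
        data = open(path, "rb").read()
        assert data[:2] == b"\xff\xd8", "no SOI marker; not a JPEG stream"
        i = 2
        while i + 4 <= len(data):
            assert data[i] == 0xFF, "lost sync with the marker stream"
            marker = data[i + 1]
            if marker == 0xDA:    # SOS: compressed image data follows, stop here
                print(f"offset {i}: SOS, image data follows")
                break
            (length,) = struct.unpack(">H", data[i + 2:i + 4])  # includes these 2 bytes
            name = "COM (comment)" if marker == 0xFE else f"0x{marker:02X}"
            print(f"offset {i}: marker {name}, length {length}")
            i += 2 + length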
B = 3,116,899,000,000,000,000
G = 9,223,372,036,854,775,808
Every three seconds the Bitcoin mining network brute-forces the same amount of hashes as Google did to perform this attack. Of course, the brute-force approach will always take longer than a strategic approach; this comment is only meant to put into perspective the sheer number of hashes calculated.
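The arithmetic behind that "every three seconds" figure, using the two numbers quoted above:

    bitcoin_hashes_per_second = 3_116_899_000_000_000_000  # B, as quoted above
    google_sha1_computations = 9_223_372_036_854_775_808   # G = 2**63, as quoted above

    print(google_sha1_computations / bitcoin_hashes_per_second)  # ~2.96 seconds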
Release the clean one and let it spread for a day or two. Then join the torrent, but spread the malware-hosting version. Checksums would all check out, other users would be reporting that it's the real thing, but now you've got 1000 people purposely downloading ransomware from you- and sharing it with others.
Apparently it costs around $100,000 to compute the collisions, but so what? If I've got 10,000 people installing my 1-BTC-to-unlock ransomware, I'll get a return on investment.
This will mess up torrent sharing websites in a hurry.
Edit: some people have pointed out some totally legitimate potential flaws in this idea. And they're probably right, those may sink the entire scheme. But keep in mind that this is one idea off the top of my head, and I'm not any security expert. There's plenty of actors out there who have more reasons and time to think up scarier ideas.
The reality is, we need to very quickly stop trusting SHA1 for anything. And a lot of software is not ready to make that change overnight.
We're at the "First collision found" stage, where the programmer reaction is "Gather around a co-worker's computer, comparing the colliding inputs and running the hash function on them", and the non-expert reaction is "Explain why a simple collision attack is still useless, it's really the second pre-image attack that counts".
Collision attack: find two documents with the same hash. That's what was done here.
Second-preimage attack: given a document, find a second document with the same hash.
First-preimage attack: given an arbitrary hash, find a document with that hash.
These are in order of increasing severity. A collision attack is the least severe, but it's still very serious. You can't use a collision to compromise existing certificates, but you can use them to compromise future certificates because you can get a signature on one document that is also valid for a different document. Collision attacks are also stepping stones to pre-image attacks.
UPDATE: some people are raising the possibility of hashes where some values have 1 or 0 preimages, which makes second and first preimage attacks formally impossible. Yes, such hashes are possible (in fact trivial) to construct, but they are not cryptographically secure. One of the requirements for a cryptographically secure hash is that all possible hash values are (more or less) equally likely.
No need to wait. The option to reject SHA-1 certificates on Firefox is `security.pki.sha1_enforcement_level` with value `1`.
Other configs worth doing:
`security.ssl.treat_unsafe_negotiation_as_broken` to `true` and `security.ssl.require_safe_negotiation` to `true` also. Refusing insecure algorithms (`security.ssl3.<alg>`) might also be smart.
and his Master's thesis, whose quality approaches that of a PhD thesis, is here:
Note that they also only mention MiniSat as a footnote, which is pretty bad. The relevant paper is at
All of these are great reads. Highly recommended.
    $ ls -l sha*.pdf
    -rw-r--r--@ 1 amichal staff 422435 Feb 23 10:01 shattered-1.pdf
    -rw-r--r--@ 1 amichal staff 422435 Feb 23 10:14 shattered-2.pdf
    $ shasum -a 1 sha*.pdf
    38762cf7f55934b34d179ae6a4c80cadccbb7f0a shattered-1.pdf
    38762cf7f55934b34d179ae6a4c80cadccbb7f0a shattered-2.pdf
    $ shasum -a 256 sha*.pdf
    2bb787a73e37352f92383abe7e2902936d1059ad9f1ba6daaa9c1e58ee6970d0 shattered-1.pdf
    d4488775d29bdef7993367d541064dbdda50d383f89f0aa13a6ff2e0894ba5ff shattered-2.pdf
    $ md5 sha*.pdf
    MD5 (shattered-1.pdf) = ee4aa52b139d925f8d8884402b0a750c
    MD5 (shattered-2.pdf) = 5bd9d8cabc46041579a311230539b8d1
* DHT/torrent hashes - A group of malicious peers could serve malware for a given hash.
* Git - A commit may be replaced by another without affecting the following commits.
* PGP/GPG -- Any old keys still in use. (New keys do not use SHA1.)
* Software distribution checksums. SHA1 is the most common digest provided (some even still provide only MD5).
Edit: Yes, I understand this is a collision attack. But yes, it's still an attack vector, as two colliding blocks can be generated now, with one published and widely deployed (torrent/git) and then replaced at a later date.
See https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2013... and https://bitcoinchain.com/block_explorer/address/37k7toV1Nv4D...
and it's super effective: The possibility of false positives can be neglected as the probability is smaller than 2^-90.
It's also interesting that this attack is from the same author that detected that Flame (the nation-state virus) was signed using an unknown collision algorithm on MD5 (cited in the shattered paper introduction).
Pretty close in his estimation.
It says "Upload any file to test if they are part of a collision attack."
When I upload either of their two sample collision documents, it says they are "Safe."
Is there a rough calculation in terms of today's $$$ cost to implement the attack?
I know the attack isn't practical today, but the writing is on the wall.
Actually a serious question. How do we communicate something like this to the general public?
And this, my friends, is why the big players (google, Amazon, etc) will win at the cloud offering game. When the instances are not purchased they can be used extensively internally.
In their example they've created two PDFs with the same SHA-1. Could I replace the blob in a git repo with the "bad" version of a file if it matches the SHA-1?
I don't expect one overnight. For one, as noted, this is a collision attack, one which took a large amount of computing power to achieve. In light of that, I don't think the integrity of git repos is in immediate danger, so I don't think it'd be an immediate concern of the Git devs.
Secondly, wouldn't moving to SHA-2 or SHA-3 be a compatibility-breaking change? I'd think that would be painful to deal with, especially the larger the code base, or the more activity it sees. Linux itself would be a worst-case scenario in that regard. But if it can be pulled off for Linux, then I'd think any other code base should be achievable.
As for what I think in general about it: I'm not concerned, worried, or even scared about the effects. If anything, inelegance of brute-force aside, I think there's something very beautiful and awe-inspiring in this discovery, like solving a puzzle or maths conjecture that has remained unsolved for many years.
I remember when I first heard about MD5 and hash functions in general, and thinking "it's completely deterministic. The operations don't look like they would be irreversible. There's just so many of them. It's only a matter of time before someone figures it out." Then, years later, it happened. It's an interesting feeling, especially since I used to crack software registration-key schemes, which often resembled hash functions, and "reversing" the algorithms (basically a preimage attack) was simply a matter of time and careful thought.
There's still no practical preimage for MD5, but given enough time and interest... although I will vaguely guess that finding SHA-256 collisions probably has a higher priority to those interested.
Is this correct?
Huh? It's been around a lot longer than 10 years.
Pretty impressive, though. And worrying, because if Google can do it, you know that state-level actors have probably been doing it for some time now (if only by throwing even more computing power at the problem).
That part from the original article seems to be missing something?
> A picture is worth a thousand words, so here it is.
This picture is meaningless to me. Can someone explain what's going on?
What this means for all of you [developers] is: start new projects without SHA1, and plan on migrating old ones (only if it's really necessary; normally you don't need to, unless you use SHA1 for passwords).
A great resource for those who still don't know how or what hash to use is Paragonie: https://paragonie.com/blog/2016/02/how-safely-store-password...
The biggest risk I see with this is how torrents are affected:
There's also a problem with git, but I don't see it being as susceptible as torrents:
My understanding of crypto concepts is very limited, but isn't this inaccurate? Hash functions do not compress anything.
They have an image too which says "<big number> SHA-1 compressions performed".
Seems weird to see basic mistakes in a research disclosure.
BTW quine relay is impressive: https://github.com/mame/quine-relay
Give me the sha1 and md5, rather than one or the other. Am I wrong in thinking even if one or both are broken individually, having both broken for the same data is an order of magnitude more complex?
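Publishing both is cheap; a quick hashlib sketch that computes several digests in a single pass over a file (point it at whatever file you like):

    import hashlib
    import sys

    def digests(path: str) -> dict:
        hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):  # 1 MiB at a time
                for h in hashes.values():
                    h.update(chunk)
        return {name: h.hexdigest() for name, h in hashes.items()}

    if __name__ == "__main__":
        for name, value in digests(sys.argv[1]).items():
            print(f"{name}: {value}")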
I wonder why they did not use the 2^52-operation attack that Schneier noted in 2009?
It looks like they did the same thing or something similar in 2^57.5 SHA1 calculations back then, versus 2^63 SHA1 calculations this time.
Wasn't SHA-1 introduced in the '90s?
Like a NURBS based sudoku multi-hash...
Why? Was it in anticipation of this attack specifically?
That is mathematically impossible when reducing an N bit string to an M bit string, where N > M.
All hashes have collisions; it's just a question of how hard they are to find.
I think Microsoft tried to do it too early on, but eventually agreed to a more aggressive timeline.
Since some GCP engineers are watching: presumably we'll see some new zones to provide these processors, or will it be a limited release within existing zones? And if so, will you be moving away from homogeneous zones in the future?
The cache is also a whopping 56 MB.
Disclosure: I work on Google Cloud (and helped a bit in our Skylake work).
Disclosure: I work on Google Cloud.
Great job GCP team!
It's something that I've wanted to play with for some time. It's cool that GCE has them available as a service.
Your calculator page is unusable on mobile due to fancy "material" form filling.
It hints that there are Individual Accounts, but I see no way to set it to that.
This post would have been interesting if they had included those tests.
Another commenter already brought that issue up, but thanks for pointing it out again. I still think that it's quite silly to claim that Ryzen Rev. A may end up being a paperweight based on a mistake that took place a decade ago. Whatever floats your boat, I guess.
And from what I read, it seems like it was an extreme edge case, so the TLB error was triggered only during specific workloads. Sucks to be AMD back then.
(It bears repeating: No email can be very secure.)
Also, if something goes wrong, is there a mitigation plan in place to recover data and restore the user's access?
That's another major concern - to lose access to the account and not be able to recover it - because Gmail has no support.
I'm not yet at a point where I need to lug my reading glasses everywhere - provided I can adjust font sizes on my phone.
The fastmail app is just a wrapper over the mobile site and you can't adjust the font size. The font as it is is tiny and unusable for me.
I contacted support and while they were courteous and prompt, they basically said too bad and refused to give me a refund, even though I had purchased the year subscription just a few days before.
Still have good things to say about them, just wish the app were more accessible.
- Happy customer since November.
Hope they can put the investment to good use. I'm definitely not opposed to paying them when the final version is released.
From my experience using the Oculus dev kit 2 there was too much of a "screen door" effect and it was hard to read text on a virtual monitor vs reading text on a real life monitor. It wasn't practical to use a virtual monitor to say, write code or surf the web.
But resolution will only get better! At that point things will get fun, and I can see people eschewing monitors for VR "monitors".
Here is a demo video: https://youtu.be/-CFOGDBFKrk
And are couches and living room environments a skeuomorphic ornament to help the transition to VR?
One huge obstacle to open-source anything in DoD is the attitudes of their information assurance professionals. I have been told by numerous DoD IA people that "Open Source is bad because anyone can put anything in it" and "We'd rather have someone to call." I understand the second point -- we honestly don't have the time to run every last issue to ground and it's probably better if we do have some professional support for some of our most important tools. But the first just boggles my mind.
But the IA pros are, as a group, schizophrenic, because somehow people are getting things by them anyway. The system I'm working on has Python as a build dependency. The devs are creating reports using Jupyter notebooks.
Basically the DoD needs to stop being so damn obstinate about open source.
* There is no copyright and plagiarism doesn't exist. Internally to the military everything is libre to the most maximum extreme. While people do get credit for their work they have no control over that work and anybody else in the military can use their work without permission.
* Service members and employees of the military are not allowed to sue the military. As a result software written by the military has no need to disclaim a warranty or protect itself from other civil actions.
* Information Assurance protections are draconian. This is halfway valid in that there are good monitoring capabilities, and military information operations are constantly under attack like you couldn't imagine. The military gets criminal and script-kiddie attacks just like everybody else, but they also get sophisticated multi-paradigm attacks from nation states. Everything is always locked down all the time. This makes using any open source software really hard unless you wrote it yourself or you work for some advanced cyber security organization.
Is there an explanation about why Unlicense is not appropriate? Or what it would take for an Unlicense derivative to meet the legal requirements? Could the laws be changed in small ways to allow US Government employees to more fully participate in open source?
"The Unlicense is a template for disclaiming copyright monopoly interest in software you've written; in other words, it is a template for dedicating your software to the public domain. It combines a copyright waiver patterned after the very successful public domain SQLite project with the no-warranty statement from the widely-used MIT/X11 license." http://unlicense.org/
I like how other commenters have included other successful US.gov and specifically DoD open source such as BRL-CAD and NSA's Apache Accumulo. And the DoD Open Source FAQ is interesting and something I haven't seen before: http://dodcio.defense.gov/Open-Source-Software-FAQ/
Open source and US.gov participation reminds me of what happened with NASA Nova. It was pretty sad that when OpenStack became relevant in the industry, it seemed to cause a panic at NASA and they pulled completely out of OpenStack development. Instead of NASA being able to help the project stay focused on being opinionated enough to be generally useful (out of the box), NASA was too afraid of the perception of competing with proprietary commercial interests. (It was nice to see last year, all these years later, that NASA's Jet Propulsion Laboratory is now a user again, having purchased Red Hat OpenStack.)
The DoD, though, is still trying to feel its way around. There seem to be some lawyers there who are very hard to convince. For years, they've been asking to have various licenses and CLAs modified and we've been telling them no.
Here's their latest request for the Apache License 2.1:
Hopefully this helps push things in the right direction, although I'm not optimistic.
Just think back to why you studied computer science or coding. I hope it wasn't to help build spy tools to use on your friends & families. I hope it wasn't to help engineer destructive weapons that are dropped on innocent civilians.
Fuck code.mil, fuck lockheed martin.
edit: I turned down VC money a while ago because I discovered they had previously sold a company to a Lockheed Martin affiliate. Downvote all you want, but I'm not some spineless piece of shit that will throw out principles and morals for it. I love making money but it's not worth losing your compass or soul over.
It highlights a unique aspect of Federal Government developed software: it's public domain rather than licensed based on copyright law. This facilitates reuse but complicates contribution by outside developers.
It's not clear to me why this is necessary/desired. Is it because of contribution to existing works protected by copyright or something else?
From the OSI's FAQ:
> What about software in the "public domain"? Is that Open Source?
> There are certain circumstances, such as with U.S. government works ... we think it is accurate to say that such software is effectively open source, or open source for most practical purposes
What problem does this license aim to solve?
EDIT: OK, this comment clears things up a bit. AFAICT it's specifically regarding a mechanism to permit foreign contributors while allowing them to disclaim liability.
> When You copy, contribute to, or use this Work, You are agreeing to the terms and conditions in this Agreement and the License.
I do not see how this is enforceable, or that it even makes sense, any more than it would make sense for me to take, say, a NASA photo and slap my own terms on it. If it's in the public domain, there's no ownership and no 'or else' to back a contract setting licensing terms.
The alternative is that I'm misunderstanding this license, of course. Where am I going wrong?
Is there any DoD code that is both interesting and suitable for public consumption?
You're doing 3k batches per second with 4 logical writes each, right? So that is at most 3-12k writes per second using the way that every other distributed database benchmark and paper counts.
Or otherwise - if you continue counting writes in this special/misleading way - you'd have to multiply every other distributed db benchmark's performance numbers by a factor of 3-15x to get an apples-to-apples comparison.
The 12k batched writes/sec through what I assume is a Paxos variant is still pretty impressive though! Good to get more competition/alternatives for ZooKeeper & friends!
I'm not trying to make a comparison between a system I used to work on and one that I frankly know little to nothing about; rather, I'd suggest that building a system like this just isn't enough to be compelling on its own.
120,000 writes per second is accurate, talking about actual durable storage (disk) writes. But it's only 3,330 transactions, which should be the number that a user cares about.
I don't have proper data and I'm a bit rusty, but I feel like Cassandra could blow that away if you set similar consistency requirements on the client side (QUORUM on read, same for write?). Am I understanding this correctly, or does Fauna/Calvin give you something functionally better than what C* can do?
How does this algorithm compare to whatever Google Spanner does?
Is this specifically for distributed SQL only? I think there are some scalable SQL systems that don't support sessions either.
Also a single SSD from 2015 is rated at 120K writes per second:
Even my Windows 2000 laptop is essentially bullet-proof. I don't need all that nonsense just to read my typical news sites, and as an additional bonus the router whitelist puts a stop to Windows Update ignoring the utterly useless core Windows HOSTS file and stops it from doing anything further to my Windows 7 install.