Hacker News with inline top comments, 7 Mar 2012, Best
Six-Legged Giant Finds Secret Hideaway, Hides For 80 Years npr.org
1138 points by MaysonL  6 days ago   172 comments top 26
petenixey 6 days ago 1 reply      
Respect to the little feller for making it out of that egg. Any animal that starts life having to unglue their feet from the bottom of a vacuum-packed, delivery case is a winner.
tpatke 6 days ago 3 replies      
That's an amazing story. This insect was pretty lucky to live on the coolest rock climbing crag I have ever seen...which requires a special permit to climb [1]. I think I would have quite happily joined that "research" team.

[1] http://en.wikipedia.org/wiki/Balls_Pyramid

ars 6 days ago 3 replies      
That's an awesome story!

Initially I didn't like the genetic bottleneck created by just having one pair (i.e. that they should go back and get more now that they know how to care for them, perhaps as a swap) - but then I realized the original source on the island was probably a single individual, so they are all probably virtually clones anyway.

Once they have enough they should sell some - tons of people would be delighted to keep them as pets, and it would remove the risk of having them in just one location.

juliano_q 5 days ago 5 replies      
This story gave me a weird feeling and reminded me of the Dodo (http://en.wikipedia.org/wiki/Dodo). This animal was made extinct by man only 83 years after it was discovered. I am glad we have enough will/technology today to try to repair this kind of mistake.
xbryanx 5 days ago 2 replies      
Pics of Ball's Pyramid from Bryden Allen, one of the first people to summit this wicked place:
vl 5 days ago 0 replies      
Wouldn't it be wonderful if this article was titled "Giant insect, presumed extinct for 80 years, rediscovered, reproduces in the zoo"?
theon144 5 days ago 0 replies      
>"Eve became very, very sick. Patrick ... worked every night for a month desperately trying to cure her. ... Eventually, based on gut instinct, Patrick concocted a mixture that included calcium and nectar and fed it to his patient, drop by drop, as she lay curled up in his hand."

They look just about damn disgusting, but the mental image produced by that paragraph was just so... heart-warming.

derrida 5 days ago 2 replies      
Any HN'ers in Sydney with a spare Yacht want to go check out Ball's pyramid? I'll cook. :-)
kpanghmc 5 days ago 3 replies      
From the Wikipedia article on Dryococelus australis [1]

"The ultimate goal is to produce a large population for re-introduction to Lord Howe Island if the project to eradicate the invasive rats is successful."

I wonder what the 347 residents of Lord Howe Island think about this? It's an amazing story and all, but I sure wouldn't want a bunch of these insects introduced into my neighborhood.

[1] http://en.wikipedia.org/wiki/Dryococelus_australis

leke 6 days ago 2 replies      
The neighbouring Howe Island is pure island porn. Ideal, steady annual climate, no venomous or stinging life forms. There aren't even sharks in the daytime waters.
ramblerman 6 days ago  replies      
"Step one, therefore, would be to mount an intensive (and expensive) rat annihilation program. Residents would, no doubt, be happy to go rat-free, ..."

I despise rats. Yet I find it disconcerting that the author just brushes this off as a triviality. We are perfectly happy saving one species by wiping out another.

verelo 5 days ago 0 replies      
I love stories like this! I can understand how difficult these guys will be to introduce back into their original habitat...there will have to be extensive investigation into whether they will hurt the local economy (i.e. will they eat plants that people sell for profit or use for food). Australia hasn't had a good history of introducing or removing animals (take those rats as an example, and then consider the cane toad..not cool)

Just imagine how fulfilling it felt as the first insect escaped from its vacuum pack...serious wow moment I imagine. I wish I was that valuable to this world...

lionhearted 6 days ago 4 replies      
> The important thing, the scientists thought, was to get a few of these insects protected and into a breeding program. That wasn't so easy. The Australian government didn't know if the animals on Ball's Pyramid could or should be moved. There were meetings, studies, two years passed, and finally officials agreed to allow four animals to be retrieved. Just four.

> When the team went back to collect them, it turned out there had been a rock slide on the mountain, and at first they feared that the whole population had been wiped out.

This is why you just do things, bureaucrats be damned. Better to beg for forgiveness than ask for permission.

kayhi 6 days ago 2 replies      
Clickable wiki page for those that want to an image of the insect:


threepointone 6 days ago 10 replies      
This is a fascinating story, but I must ask - does this belong on hacker news? Please, I ask with no intended malice.
lysol 6 days ago 0 replies      
The beetle mentioned in that article is not the same insect as in this article.
yaix 4 days ago 0 replies      
1k+ points wow, looks like HN hackers really like bugs...
sitkack 5 days ago 0 replies      
Another option which they probably explored was creating more habitat for them on Ball's Pyramid. Maybe somewhere far away from the original area or increase the cricket supply?

I do not envy being in that situation, where a mistake seals the fate of a pretty awesome bug.

theklub 6 days ago 0 replies      
That is amazing. I'm glad they were found.
malandrew 6 days ago 0 replies      
How does the mobile version have a photo of the island but not a photo of the insect? Quite absurd. "Pics or it didn't happen"
tommypjr 5 days ago 0 replies      
holy cow batman, am I happy to get out of there!
afterburner 5 days ago 0 replies      
My takeaway: Ball's Pyramid is one cool looking island.
gcb 5 days ago 0 replies      
Start up idea #769

Something that annihilates both mice AND giant insects

thespace 6 days ago 0 replies      
WHOA!! Look at those HUGE eyebrows!!
haldean 6 days ago 0 replies      
Warning: large, up-close image of creepy-crawly.
jimrandomh 6 days ago 6 replies      
This seems to me like a case of empathy gone awry. All that work and effort to bring back a species of insects? There is no balance to preserve; they've been gone for almost a century. Those resources could be spent preserving human life.
There is no point to distributing music in 24-bit/192kHz format. xiph.org
694 points by nullc  1 day ago   315 comments top 43
sjwright 1 day ago  replies      
I must say I get rather irritated when people spend time worrying about dubious 'tweaker' methods to improve their audio, when the most under-performing component of most people's sound equipment also has the lowest-hanging fruit: The room itself.

When people ask me where they should spend money to improve the quality of their hi-fi or home theater system, in nearly every case my response will be something like "get a thicker rug" or "put something on this wall to absorb sound reflections, even if it's just a bookshelf."

Beyond that, I'd tend to say something like "stop being so paranoid about what you think you can't hear, and enjoy the damn music."

cmer 1 day ago  replies      
There's a lot of scientific-sounding content in this, but unfortunately most of it couldn't be further from the truth. I'm an ex-audio engineer and studied digital and analog audio engineering; this has been debated to death over the last 15 years.

Digitally recording a triangle is the best example of why 48kHz is very limiting. The distinct sound of the triangle consists of a high fundamental frequency, ballpark 5kHz, and of many very high-pitch harmonics. Most of these harmonics are above 20kHz. The harmonics are what makes it sound like a triangle, not the frequencies below 20kHz. This is why the triangle is one of the hardest instruments to digitally record. It always sounds like crap.

In theory, it's true that the human ear can't hear above ~18kHz, but it can hear the influence of the very high pitch harmonics on a lower frequency.

EDIT: here's more data backing what I said http://www.cco.caltech.edu/~boyk/spectra/spectra.htm

EDIT 2: typos, frequency mistake

Anechoic 1 day ago 0 replies      
For those of you who are interested in just how much of a golden ear you truly are: download Harman's "How to Listen" software for Windows or Mac OS X (http://harmanhowtolisten.blogspot.com/, scroll down).

Harman requires its trained listeners to pass tests based on this software before participating in juries to evaluate Harman products. It doesn't directly address the sample rate/bit depth issues discussed in the linked article, but it does address a lot of the issues brought up in the HN discussion, so you can have a chance to see how much those characteristics really matter.

You may be surprised.

Derbasti 1 day ago 3 replies      
He raises a lot of valid points. However...

192 kHz is clearly overkill for listening. Not so for further editing of the data.

Same goes for 16/24 bit, however, the difference between 16 and 24 bit is actually audible.

44100 is not a bad sampling rate, but it necessitates very sharp aliasing filters, which are audibly bad. A bit more headroom is well needed there.

That bit about intermodulation distortion is complete bogus. He talks about problems when resampling high-fs audio data. However, you would never do that. You would digitally process 192kHz all the way. Only your loudspeakers or ears would introduce a high-pass filter, and a rather benign (flat) one at that. There is certainly no aliasing going on there unless you resample (wrongly). Intermodulation distortion is not the fault of the sample rate.

I majored in hearing technology. Calling 192/24 worse than 44.1/16 is total BS. How useful it is is a different debate.

jdc0589 1 hour ago 0 replies      
There is no harm in releasing higher quality uncompressed or loss-less tracks. At the worst they will bring in some new customers, such as myself, that currently will not buy music online. Why would I pay $10 for an album as a highly compressed download when I can pay the same price for the CD and rip it to FLAC myself? I realize I am in the minority here, but as CDs phase out even more, there has to be some other way for consumers to obtain high quality versions of tracks.

Footnote, you don't have to have a >$10,000 setup to benefit from higher quality tracks (compared to the downloads that sometimes have 'questionable' quality). I have two systems, a full range stereo (front left and right) setup for nearfield listening at my desk that's +/- 1 dB from 50 Hz-20 kHz. The other is a stereo setup in my media room; 2 way quarter wave transmission line, +/- 3 dB 40 Hz-20 kHz. The point is, there are a lot of people with less than $1200 in audio gear that still want lossless tracks made available. Who cares if the human ear can't discern much of the extra information, we still want it.

JangoSteve 1 day ago 6 replies      
Even without debating the science and signal processing arguments raised...

In any test where a listener can tell two choices apart via any means apart from listening, the results will usually be what the listener expected in advance; this is called confirmation bias and it's similar to the placebo effect. It means people 'hear' differences because of subconscious cues and preferences that have nothing to do with the audio, like preferring a more expensive (or more attractive) amplifier over a cheaper option.

The human brain is designed to notice patterns and differences, even where none exist. This tendency can't just be turned off when a person is asked to make objective decisions; it's completely subconscious. Nor can a bias be defeated by mere skepticism. Controlled experimentation shows that awareness of confirmation bias actually increases rather than decreases the effect!

Doesn't that completely negate his conclusion, that there is no point to distributing 24/192 music? If people want to pay for 24/192, and even he just admitted that they will legitimately enjoy it more, how can you conclude there is no point?

Life is short. I want to enjoy things. Whether or not my enjoyment can be quantified or scientifically defended, I really don't give a shit. But that's okay, if you don't want to sell me 24/192 music, Amazon will. Between this and DRM-free content, it's no wonder I buy all my music from Amazon these days.

wickedchicken 1 day ago 7 replies      
For an article containing a lot of "well, if you knew signal processing..." there are two fairly major oversights:

1) Any well-designed system is going to have headroom. Period. Just because 48kHz can theoretically capture the frequencies the human ear hears, it's always good to have a little wiggle room. This comes into play even more with interactive situations: humans are particularly sensitive to jitter. Having an "overkill" sample rate lets you seamlessly sync things easier without anyone noticing.

2) 192kHz comes with an additional benefit besides higher frequencies: it also means more granular timing for the start and stop of transients. More accurate reverb would be the obvious example. I don't know if the human ear can discern the difference between 0.03ms and 0.005ms but it's something I don't see mentioned often.

blackhole 1 day ago 1 reply      
You always record stuff at 24-bit/192 kHz for many reasons usually involving minimizing analog artifacts and to give you a lot of information to work with. You use 32-bit float wavs to transport stuff around so you don't have to worry about normalizing levels and clipping. Lossless formats drastically improve the quality of transients by an enormous degree. But every single objection to this is either ignoring the points of the article, or talking about the benefits of recording at high fidelity, when this entire article is pointing out that once you have _finished a mix_, there is no reason to distribute things in 24-bit/192kHz. Most speakers can't even play above 20kHz anyway, which makes the entire point moot. I don't care if you have a bajillion kHz, the speakers can't play above 20 kHz, so you're screwed.
WalterBright 1 day ago 0 replies      
My hearing has declined over the years, to the point where audiophile gear is a complete waste of money. For example, I can no longer hear the difference between a cassette tape and an LP. I still listen to and enjoy music all day, but no longer worry at all about the sonic quality of it.

My advice to you younger guys is to keep the windows rolled up while driving. I have no other explanation why my left ear is much worse than my right.

jwatte 1 day ago 0 replies      
The sampling theorem is for static signals and perfect filters. Turns out, music isn't static. Once you have transients in the program, you need higher bandwidth or you will end up with phasing effects (time domain aliasing.) This is plain from the math!

Filters are also not perfect (but good oversampling filters are not the weakest link)

Further, even perfectly dithered 16 bit data can't go 20 dB below the quantization floor, unless you give up on frequency response on the high end. Again, this is plain math.

With a calibrated 105 dB low-distortion sound system, in a quiet room, I can hear imperfections from 16 bit, 44 kHz material, especially in soft flutes and triangle type percussion. Of course, D class amplifiers, and MP3 encoding, do worse things to the signal, so let's start there. But 20 bit, 96 kHz (or at least 64 kHz) are scientifically defensible, when analyzing the math and the physics involved. No snake oil needed!

nileshtrivedi 1 day ago 6 replies      
What I would love to have is: independent instrument/vocals tracks along with a default recommended "mix". The default mix would be used for normal playback and independent tracks would be great for custom mix / karaoke etc.

Is this too unrealistic to expect? Has something like this been tried before?

polshaw 1 day ago 0 replies      
I have to say that was probably the most comprehensive dealing with the issue of sample-rates I've ever come across. I'm not going to make the mistake others have of claiming falsehoods (all of which I've read so far have been debunked to my satisfaction by the HN users-- I'm impressed, guys).

As pointed out, mastering has vastly greater effect on the audio quality (and is often pretty poor[1]), and is the reason vinyl records often can sound better than their digital counterpart, despite being an inferior technology[2]. The DAC used also has a massive effect on the sound once you get into decent quality equipment.

Like the author, I'd also love to see some expansion of mixed-for-surround music.

[1] a lot because of loudness wars, as pointed out in the post, but also just due to a lack of time/care/love(/demand?).

[2] http://www.hydrogenaudio.org/forums/index.php?showtopic=6175... This thread explores the bit-depth of vinyl records, beginning with a claim of a maximum 11-bit resolution-- limited by the width of a PVC molecule the record is made from.

untangle 1 day ago 0 replies      
This article is one of the most lucid and accurate that I have read on this topic.

However, one thing that's missing here (and in nearly all other similar pieces) is a full discussion of the prerequisites of the sampling theorem. For example, the signal must be bandwidth-limited (and no finite-time signal can be).

But this is a minor concern, as there are many elements in the analog domain of the recording and playback chains that serve as low-pass filters - starting with the mics. So bandwidth-limiting is effectively achieved.

For a similar reason, the discussion of the "harmful" effect of high frequencies on playback electronics and loudspeakers seems to be a bit overdone IMO. Peruse the excellent lab results of modern audio gear on Stereophile's web site. You'll find that bandwidths exceeding 30kHz are rare.

One last thing. When doing subjective "testing," keep in mind that what some folks are hearing may be limitations of their gear. For example, most DACs derive their clocks for higher sampling rates (88/96/176/192) by clock-multiplier circuits. IOW, 44kHz and 48kHz are the only ones clocked directly by a crystal. These multiplier circuits are often noisy, contributing to jitter. The audible effect of this jitter is hard to predict.


PS As an avid audiophile, I find the clash of subjectivists and objectivists on this normally-buttoned-down forum to be a bit of a trip.

Andys 1 day ago 1 reply      
This is a really convincing article that makes me want to set up a double blind test for myself with my own equipment.

In my own tests I believed that I couldn't tell the difference between 16/44 and 24/96 on high quality loudspeakers, but I could with high quality headphones. The studies cited all seem to use loud speakers in testing.

Also worth noting, the article states that obtaining 24/96 source material sometimes means you get better mastered material, which still sounds better after down-sampling back to 16/44.
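The double-blind test Andys wants to run is only as good as the way it is scored: a listener who is just guessing will still get some trials right, so the score has to be compared with chance. This is an added example, not the article's or any commenter's code. It keeps the hidden A/B assignment away from the listener, scores the session, and computes the one-sided binomial probability of doing at least that well by coin-flipping. The 16-trial session and the listener's answers are constructed; `abx_p_value`, `score_abx` and the other names are mine.

```python
import math
import random


def abx_p_value(correct, trials):
    """One-sided binomial tail: P(at least `correct` right out of `trials`)
    when the listener is guessing with p = 0.5 on every trial."""
    if not 0 <= correct <= trials:
        raise ValueError("correct must be between 0 and trials")
    tail = sum(math.comb(trials, k) for k in range(correct, trials + 1))
    return tail / 2 ** trials


def make_trial_keys(trials, seed):
    """Hidden assignment of X := A or B for each trial. The script (or a
    proctor) keeps this; the listener and whoever presses play never see it."""
    rng = random.Random(seed)
    return [rng.choice("AB") for _ in range(trials)]


def score_abx(keys, answers):
    """Compare the listener's calls with the hidden keys.
    Returns (correct, trials, p_value)."""
    if len(keys) != len(answers):
        raise ValueError("exactly one answer per trial")
    correct = sum(1 for k, a in zip(keys, answers) if k == a)
    return correct, len(keys), abx_p_value(correct, len(keys))


def verdict(correct, trials, alpha=0.05):
    """Decide the session. The number of trials must be fixed before listening
    starts: stopping 'while ahead' would invalidate the p-value."""
    if abx_p_value(correct, trials) < alpha:
        return "difference detected"
    return "consistent with guessing"


def demo_session():
    """Constructed session: 16 trials, the listener calls 12 of them correctly."""
    keys = make_trial_keys(16, seed=2012)
    answers = keys[:]
    for i in (1, 5, 9, 13):  # four constructed wrong calls
        answers[i] = "B" if keys[i] == "A" else "A"
    return score_abx(keys, answers)


if __name__ == "__main__":
    correct, trials, p = demo_session()
    print(f"{correct}/{trials} correct, p = {p:.4f}: {verdict(correct, trials)}")
```

Twelve of sixteen gives p ≈ 0.038, which clears a 0.05 threshold but not by much; with only a handful of trials, a few lucky guesses look like hearing, which is why the trial count is decided up front and the session is repeated rather than stopped early.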

noonespecial 1 day ago 2 replies      
I was under the impression that two inaudible high frequency tones could interfere with each other to create an audible interference pattern. (I think known as a "beat frequency").

If this is the case, then all of the arguments in the world about the maximum audible single frequency are irrelevant. Imagine music composed entirely of these beat frequencies and performed with a pair of oscillators between 25kHz and 35kHz. Without higher resolution encoding, it would be audible IRL but the recording would be silence.
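The beat-frequency question raised above is the one the article's intermodulation section is about, and it can be checked numerically. This is an added example, not code from the article or any commenter: it synthesises a constructed 25 kHz + 35 kHz pair at 192 kHz and reads off single DFT bins. Summed linearly, the two tones put nothing at their 10 kHz difference; the "beat" is only an amplitude envelope, not a spectral component. Passing the same pair through a small second-order nonlinearity (the assumed model `y = x + k2 * x**2` of an imperfect amplifier or tweeter) creates a real 10 kHz difference tone, which is the intermodulation product the article says ultrasonic content can provoke in playback hardware. `FS`, `N`, the tone frequencies and `k2` are all my constructed choices.

```python
import cmath
import math

FS = 192_000              # sample rate of the constructed signal, Hz (Nyquist 96 kHz: nothing here aliases)
N = 1920                  # 10 ms window, so DFT bins fall exactly every 100 Hz
F1, F2 = 25_000, 35_000   # constructed ultrasonic pair; their difference is 10 kHz


def tone_pair(k2=0.0):
    """Two equal-amplitude sines, followed by an optional second-order
    nonlinearity y = x + k2 * x**2 standing in for a non-ideal amplifier/driver."""
    out = []
    for n in range(N):
        t = n / FS
        x = math.sin(2 * math.pi * F1 * t) + math.sin(2 * math.pi * F2 * t)
        out.append(x + k2 * x * x)
    return out


def amplitude_at(signal, freq_hz):
    """Amplitude of the sinusoid at freq_hz (which must sit on a bin centre),
    from one DFT bin: 2 * |X[k]| / N."""
    n_total = len(signal)
    k = round(freq_hz * n_total / FS)
    acc = sum(s * cmath.exp(-2j * math.pi * k * i / n_total)
              for i, s in enumerate(signal))
    return 2 * abs(acc) / n_total


# Difference (10k), the two inputs, second harmonics (50k, 70k) and sum (60k).
PROBE_FREQS = (10_000, 25_000, 35_000, 50_000, 60_000, 70_000)


def spectrum(k2=0.0):
    """Amplitudes at the probe frequencies for the linear (k2=0) or nonlinear mix."""
    sig = tone_pair(k2)
    return {f: round(amplitude_at(sig, f), 4) for f in PROBE_FREQS}


if __name__ == "__main__":
    print("linear mix     :", spectrum(0.0))   # 10 kHz bin stays at 0
    print("with 20% x^2   :", spectrum(0.2))   # 10 kHz bin appears at 0.2
```

With `k2 = 0.2` the difference tone comes out at amplitude 0.2 (the trigonometric identity `2 sin a sin b = cos(a-b) - cos(a+b)` predicts exactly `k2`), so a 20 % second-order term turns two inaudible tones into a 10 kHz tone only 14 dB below them. That is why the article argues that ultrasonic content should be filtered out of what reaches the amplifier rather than left in for the hardware to misbehave on.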

ChuckMcM 1 day ago 0 replies      
TL;DR - long and detailed information about why if you got music in 24/192 format you couldn't tell the difference between it and 16/48 music.

I chuckled because this is so true, and yet tell that to the people who buy oxygen free copper 'monster' cables for their speakers, being careful to align the arrows with the direction of the music from the amplifier to the speaker. People, even otherwise reasonable people, will swear up and down they can hear the difference.

blahblahblah 1 day ago 1 reply      
I mostly agree with the article in the context of distribution of a final mix. However, the article ignores one glaringly obvious reason to distribute in 24/192 format: to allow the listener to be a participant in the creative process, enabling better results for amateur musician listeners who want to sample or remix the audio or for DJs to get better results when altering the tempo for beat matching one track with another, etc. Of course, if you're going to do that, you might as well distribute in a multi-track format instead to maximize flexibility for the end user (Want to sing karaoke? Just turn off the lead vocal track for playback).
rbanffy 1 day ago 0 replies      
Minor nitpick

> The FLAC file is also smaller than the WAV, and so a random corruption would be less likely because there's less data that could be affected.

At the same time, if you flip a bit on a WAV file, you may hear a "pop" sound. On a FLAC file, the whole encoding block may be inaudible (or worse).
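The asymmetry rbanffy describes comes from predictive coding: FLAC stores a predictor plus residuals, so one damaged residual shifts every later sample the decoder rebuilds from it, whereas a flipped bit in raw PCM damages one sample. This added example (mine, not FLAC's code) uses a toy first-order (delta) predictor to count how many decoded samples a single bit flip damages under each storage scheme, and adds the per-block CRC a decoder uses to detect the damage and mute the block instead of playing it. FLAC frames carry a CRC-16 and STREAMINFO carries an MD5 of the decoded audio; the CRC-32 here is a stand-in. The 16 sample values are constructed.

```python
import zlib


def delta_encode(samples):
    """Toy order-1 predictor: residual = sample - previous sample."""
    prev, out = 0, []
    for s in samples:
        out.append(s - prev)
        prev = s
    return out


def delta_decode(residuals):
    """Inverse of delta_encode: each sample is rebuilt from the previous one,
    so an error in one residual is carried into every sample that follows."""
    prev, out = 0, []
    for r in residuals:
        prev += r
        out.append(prev)
    return out


def flip_bit(value, bit):
    return value ^ (1 << bit)


def block_crc(values):
    """Integrity check over the stored integers of one block (CRC-32 stand-in
    for the CRC-16 a FLAC frame carries)."""
    data = b"".join(v.to_bytes(4, "little", signed=True) for v in values)
    return zlib.crc32(data)


def samples_damaged(samples, index, bit, predictive):
    """Number of decoded samples that differ from the original after one bit
    flip in stored value `index`, for raw PCM (predictive=False) or
    delta-coded storage (predictive=True)."""
    stored = delta_encode(samples) if predictive else list(samples)
    stored[index] = flip_bit(stored[index], bit)
    decoded = delta_decode(stored) if predictive else stored
    return sum(1 for a, b in zip(samples, decoded) if a != b)


def crc_detects_flip(samples, index, bit):
    """True when the block CRC stored at encode time no longer matches."""
    stored = delta_encode(samples)
    expected = block_crc(stored)
    stored[index] = flip_bit(stored[index], bit)
    return block_crc(stored) != expected


# Constructed 16-sample block (one half-cycle of a low tone, signed PCM values).
SAMPLES = [0, 120, 250, 390, 510, 600, 640, 620,
           540, 400, 230, 40, -150, -320, -450, -520]

if __name__ == "__main__":
    print("PCM, 1 flipped bit:   ", samples_damaged(SAMPLES, 5, 3, False), "sample(s) wrong")
    print("delta, 1 flipped bit: ", samples_damaged(SAMPLES, 5, 3, True), "sample(s) wrong")
    print("CRC catches it:       ", crc_detects_flip(SAMPLES, 5, 3))
```

A flip in sample 5 of 16 damages one PCM sample but eleven delta-coded ones, every sample from the corrupted residual to the end of the block; a higher-order predictor behaves the same way. The CRC is what turns an audible artefact into a detected, skippable block, which is the practical answer to "or worse".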

jlft 1 day ago 1 reply      
In normal listening conditions and for most people the difference between 16/44 and 24/192 is inaudible.

Given a 5 minute song, if I have the choice to download an 11MB file (320kbps MP3) or a 330MB file (24/192) I would of course choose the 11MB file. The sound quality is perfectly acceptable and the file size much more convenient to manage (storage, backups, etc.).

In terms of the convenience of managing the file size and sound quality I think 320kbps MP3 is the best compromise.

Here's a file size comparison of a 5 minute stereo song:

MP3 128kbps: 5 MB
MP3 320kbps: 11 MB
Uncompressed 16/44: 50 MB
Uncompressed 24/192: 330 MB

When talking about sound quality there is a much more relevant issue: the amplitude compression (distortion) abuse used by mastering engineers and producers that totally destroys the dynamics and life of the sound. That is a real issue. When buying a song there should be two versions to choose from:

A) "Loud", dynamically destroyed / distorted version.

B) Normal, dynamic, non-distorted version.

Today only version A is available to buy.

sliverstorm 1 day ago 2 replies      
So, presuming we take this example:


The key to reproducing the original signal from the digital signal is a low-pass filter that rejects everything above the sampling rate, correct?

That is to say, what I am getting at is while the original signal can be reproduced, it requires properly tuned, and probably reasonably high performance, hardware to remove the higher frequency components of that square wave. Can you count on consumer grade hardware to do this well?

leouznw 1 day ago 1 reply      
I know a bit of sound engineering, waves and so..
I totally agree with the title and the first 60 lines of the article, and I add my POV:
1. Most people don't care,
2. What Apple did is just about marketing,
3. Most of the people who say they care are pretending,
4. Zeppelin still rock the shit in a poor quality mono mp3 recorded by a drunk guy in the audience of a concert in 73.
bryanlarsen 1 day ago 0 replies      
One of the strongest things that makes this article credible is that in it we have the author of Ogg Vorbis recommending that we stop using Ogg Vorbis (and all other lossy compression formats).
neilalbrock 1 day ago 0 replies      
A few years ago I became really interested in recording music. I had been writing a little with a friend, using whatever crap equipment we could afford, the results weren't amazing but we were having fun and staying focussed on the music itself.

Then we started recording other people. I became obsessed with gear, software and all the associated toys that go with any technical pursuit. I'm a programmer, so it's easy to understand how that happens, but I totally lost sight of the music, spent way too much money on equipment that was nowhere near being required and generally lost the plot. I was tracking everything 24-bit/96kHz and bemoaning the loss of quality when I mixed down for CD.

Anyway, the TL;DR version of what followed was that we recorded quite a bit, lost interest in making our own music and then the whole adventure came to an end. Now my gear is leaving via eBay and I'm finding my way back to just playing guitar and trying to write good music.

24-bit/192kHz - pointless. Give me a small venue and a guy with an acoustic guitar any day.

tcarnell 1 day ago 0 replies      
Has anyone had a look at their hi-fi amp recently? It probably doesn't handle much more than 80 kHz and your speakers probably don't respond to anything over 20 kHz. So yes, 192 kHz is pointless UNLESS you intend using it for studio quality editing/mixing - and I'm sure Steve Jobs would not have encouraged this!
tammer 1 day ago 0 replies      
I find mp3 and aac compression artifacts to be monstrously irritating. I have no idea how the majority of the world seemingly can ignore them.

Further, I can hear a difference between 44.1kHz and 96kHz. Whether you can hear that difference is up to you. (The word-length is a red herring - there's no new information contained in a 24-bit recording vs 16.)

IMO anything less than flac and you're missing something. Higher sampling frequencies do add to the sound, but in a way that is almost invisible to the untrained ear. Perhaps these should be distributed at a premium the way SACDs and similar "audiophile" formats were in the past?

agentgt 1 day ago 1 reply      
I know this is slightly tangential but are hi-end DACs really worth it? I have always been amazed how much audiophile DACs cost ($300-1000). The reality is I listen to 320kbps music that was most likely recorded at 44100. DAC technology is not exactly new. So why the price?

Another tangent: To me it seems audio engineering should fix the "woofer". That is it seems subwoofers have terrible distortion.

zzygan 1 day ago 0 replies      
This is a good article, however the guy who has been pushing this for years and years now is a man called Dan Lavry. In fact he wrote a very good, rigorous explanation a few years back, in very readable and well written form.


thewisedude 14 hours ago 0 replies      
I am told that a similar argument can be made between TVs that display at 120 Hz as opposed to 240 Hz, i.e. there is no discernible difference!
yzhou 1 day ago 1 reply      
The hearing of ears is a time-domain thing, not a frequency domain thing. It's the frequency response of all the frequency components added together. People might not be able to respond well to a single high frequency tone, but might respond well to a combination of tones.
jaekwon 1 day ago 1 reply      
The article AFAIK states little about distortions introduced in remixes & samples. I would expect certain high frequency samples, when mixed together to overlap in time, would introduce moire artifacts (beats).
tintin 1 day ago 1 reply      
I think this only applies to headphones. People also 'hear' sound with their body (skin). Maybe you could call it experiencing sound.
And then there are resonating sounds that cannot be heard but help to create other sounds. But maybe this won't apply to a recording because you will record the result and not the tones that make the result.

This is a great article but I'm still not convinced people cannot have a sensation of sound outside their hearing range.

jensnockert 1 day ago 2 replies      
I just want floating point, then this silly loudness war would end (to some extent, since you can make the mix almost infinitely loud).
yzhou 1 day ago 3 replies      
A person not being able to hear a 22kHz tone doesn't mean he cannot hear a sound that contains 22kHz components. For example, a square wave contains lots of high frequency harmonics; the more high-frequency harmonics it has, the "squarer" the square wave gets. An ideal square wave forms ideal "0" "1" states. A person's ear might not be able to hear a 22kHz sine wave tone, but he might be able to sense the steepness of the "0" "1" transition.
diminish 1 day ago 0 replies      
Would someone explain whether I should use 44.1 or 48kHz?
mistercow 1 day ago 2 replies      
> Can you see the LED flash when you press a button? No? Not even the tiniest amount?

I used to be able to see it when I was a kid (it looked very faintly red), but I just tried it and couldn't see it at all. That's actually a little bit disturbing.

naughtysriram 1 day ago 0 replies      
I think 192kHz is the sampling rate used by the A2D converter and vice versa. It is not the actual frequency of the sound (data).
rbreve 1 day ago 0 replies      
Unless you are a dj or producer and would like to sample or time stretch the tracks.
That's why Beatport offers a wav download option, which many djs/producers prefer.
hackinthebochs 1 day ago 2 replies      
One thing I don't see addressed is the experience of feeling frequencies that can't directly be heard. There was a study done with a particular piece of classical music, with and without a particular inaudible component to it. The presence of the inaudible component drastically changed the listeners' perception of the music. They described it as more dark or creepy (perhaps not the actual words used, but it matches the sentiment). The point is that there may be value in reproducing frequencies that we can't "hear", as inaudible notes can alter the experience of the music.

*not the study I was referring to but it's along the same lines: http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=5291...

hackermom 1 day ago 2 replies      
There is no point in going over 16 bits, but there is definitely a point in going over 44.1kHz, as it allows you to actually reproduce waveforms more accurately than 44.1kHz. Try reproducing e.g. a sinewave accurately over 4-5kHz with a sample rate of just 44.1kHz - it cannot be done, and at this point we haven't even taken into account the issue of varying slew-rate characteristics of the thousands or so different DAC output stages in use in personal audio equipment.

44.1kHz gives too much aliasing distortion, but 192kHz is quite the overkill. Ideally, digital audio could sit on 16 bits of depth sampled at 96kHz.
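What the sampling theorem actually promises, for the reconstruction step sliverstorm asks about and the 5 kHz sine in the comment above: an added example (not the article's or any commenter's code) that samples a sine at 44.1 kHz and rebuilds the waveform between the samples with a windowed-sinc low-pass interpolator, the operation an oversampling DAC's reconstruction filter performs. Frequencies below half the sample rate come back to within a fraction of a millivolt-scale error; a 30 kHz tone, above the 22.05 kHz Nyquist limit, is the case the anti-alias filter exists to remove, and the example shows it coming back as its alias instead. The test frequencies, sample count and the +/-64-tap Hann window are constructed choices; `interpolate` and `max_reconstruction_error` are my names.

```python
import math


def sinc(x):
    """Normalised sinc, the impulse response of an ideal low-pass at fs/2."""
    return 1.0 if x == 0.0 else math.sin(math.pi * x) / (math.pi * x)


def sample_sine(freq_hz, fs_hz, count):
    """Constructed input: `count` samples of a unit sine taken at fs_hz."""
    return [math.sin(2 * math.pi * freq_hz * n / fs_hz) for n in range(count)]


def interpolate(samples, pos, half_width=64):
    """Band-limited interpolation at fractional sample position `pos`:
    a sinc truncated by a Hann window spanning +/- half_width taps around pos."""
    n0 = math.floor(pos)
    total = 0.0
    for n in range(n0 - half_width + 1, n0 + half_width + 1):
        if 0 <= n < len(samples):
            d = pos - n                                   # distance in samples, |d| <= half_width
            window = 0.5 * (1.0 + math.cos(math.pi * d / half_width))
            total += samples[n] * sinc(d) * window
    return total


def max_reconstruction_error(freq_hz, fs_hz=44100, count=400, half_width=64):
    """Worst absolute error between the interpolated waveform and the true sine,
    probed at quarter-sample offsets over the interior of the block (edges
    excluded so every evaluation sees a full window)."""
    samples = sample_sine(freq_hz, fs_hz, count)
    worst = 0.0
    for n in range(half_width, count - half_width):
        for frac in (0.25, 0.5, 0.75):
            pos = n + frac
            truth = math.sin(2 * math.pi * freq_hz * pos / fs_hz)
            worst = max(worst, abs(interpolate(samples, pos, half_width) - truth))
    return worst


if __name__ == "__main__":
    for f in (5_000, 15_000, 30_000):
        print(f"{f:6d} Hz at 44.1 kHz: max error {max_reconstruction_error(f):.2e}")
```

The 5 kHz and 15 kHz cases reconstruct with errors below 1e-3 of full scale even with this short truncated filter; the 30 kHz case fails by design, because the samples of a 30 kHz sine at 44.1 kHz are identical to those of a 14.1 kHz sine. That failure, not the in-band sines, is what a 44.1 kHz anti-alias filter has to be sharp about, which is the headroom argument several comments make.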

citizenspaced 1 day ago 1 reply      
I don't understand why anyone gets down on 24-bit consumer audio.

Specifically because CD-quality 16/44 audio has midrange distortion present during complex passages that is completely eliminated and non-present in 24/96 sources.

Listen to "Us and Them" off a 16/44 CD version of the Pink Floyd album Dark Side of the Moon. When it kicks into the chorus, it becomes totally distorted and everything in the midrange bleeds into each other. It's a mess.

Then, try listening to the 24/96 Immersion box set copy or a vinyl-sourced 24/96 rip and you'll find it's gone. When the song gets complex and loud, everything remains totally clear, each instrument stands on its own, it doesn't become an awful distorted jumble.

You could argue that it's just the quality of the master that makes the difference; but if you take a copy of the original transcoded to 16/44 and compare it again with the 24/96 copy you can hear the same effect.

Why would anyone argue against high-resolution audio anyway? Sure, most everyone will probably just continue downloading 16/44 MP3s, but at least give us the option to have 24bit FLACs of the stuff we really like. Please and thank you.

coopersloan 1 day ago 3 replies      
Huh, I think people truly advocating 192 as a distribution format will be few and far between; a really good and cheaper sampling system can be put together at 96. Still, a lot of things in this article perplex me.

Human hearing is limited to 20k because frequencies higher than that are perceived as painful? Don't agree with that one.

24 bit doesn't offer any advantages to sound quality? Sheesh.

And the crux of the argument is intermodulation distortion increases when you try to represent more frequencies? Isn't that an argument for a faster power amp?

aiurtourist 1 day ago 3 replies      
Science be damned! Onwards with subjectivity!

• 24-bit audio is magical. When I recorded myself playing guitar in 24-bit and played it back through my amp, it sounded like I was still playing. 16-bit sounded like a CD.

• With MP3s, 192 kbps is a huge step up from 128 kbps. 192 doesn't exhibit any of the "swooshiness" heard in the upper range of 128 kbps MP3s for regular rock/pop/hiphop music.

joccam 1 day ago 1 reply      
Sometimes less is more. The debate goes on. Why not just let the music play? And by that I mean high resolution music. All you need is one person who can hear high frequencies, and all the technical mumbo-jumbo becomes hogwash.

People actually _believe_ the 20KHz argument that anything above is inaudible. That's hogwash. I know because I can hear (or sense) higher frequencies, and I do not have the absolute best ears I've ever "met."

For example, last week I attended an A/V equipment event with very high-end equipment. It was packed --- over 600 people for one evening, 6 rooms of equipment. I'm sure all six served the same fare according to the 20-20KHz argument of this piece, yet they all sounded quite (or even extremely) different.

The 20 KHz argument is a myth. For people who can't hear the difference, no problem. But please do refrain from ruining or hobbling music for the rest of us... who can hear a wider frequency range.

Yes, some people are color blind. Does that mean the rest of us shouldn't use color? I hope not.

Music is an important wholesome and potentially emotional part of human life. Please do not cap it with "false optimizations".

24-bit/192 KHz is not inferior to CD quality sound. If you don't believe me, try a Linn system sourced on a Klimax DS with some high bitrate Linn classical music (or the Beatles Masters USB release!). If you can't hear the difference compared to low bit-rate (including CD quality) material, I assure you someone can. The low bit-rate will sound flat, hollow, less lively, and/or more coarse. Any number of problems exhibit at inadequate bit levels.

Vinyl is analogue quality (no discrete digital distortion). CD quality is a large step down from vinyl. A/V is just trying to get vinyl like quality from digital. We don't need nay-sayers impeding progress. If you can't hear the difference, please let someone who can hear make the informed decisions.


Notch gives his $3,000,000 Minecraft dividend to his employees minecraftforum.net
679 points by citricsquid  5 days ago   209 comments top 23
lincolnq 5 days ago  replies      
I'm extremely interested to see how this plays out. Giving large cash bonuses seems like it could wreck morale just as easily as it could boost it. And now when they're hiring in the future, they have to wonder whether the candidate is more motivated by the money or the love. And will the employees expect a similar bonus next year?

I'm not saying he shouldn't've done it. I am, however, extremely curious. This is the sort of thing that I have wondered why more companies don't do.

GoodIntentions 5 days ago 2 replies      
I don't play minecraft.
I'm not a fan.
I wouldn't know Notch if I tripped on him.

I gotta say hats off to the man. Doing something good for others at your own ( great ) expense when not compelled to do so is unusual. Most people would have spent it on themselves somehow. wtg man.

staunch 5 days ago 1 reply      
Didn't he pretty much develop Minecraft single-handedly? If so, I don't think it's necessarily "right" to share the profits with employees who joined after the work was done.

It's his money of course, he's free to do what he wants and generosity is always nice to see. To my mind though, it would have made just as much sense to give it to charity or anyone else.

I'd be much more interested to hear that he's giving meaningful equity to new employees. That way they could actually make life-altering money if they help create another big hit like Minecraft.

I doubt his employees will appreciate getting another $3 million split across dozens of employees if they help create a new $100M game.

zotz 5 days ago 1 reply      
That's leadership. He just solidified a good team into a better one.
Chrono 5 days ago  replies      
Dividends are generally taxed at 30% in Sweden, so a fair bit of that will be paid in taxes. Depending on how Notch decides to pay out the money to the employees they may have to pay even more.

If it is paid out evenly and as wages it will be about 66k SEK/month per employee, which puts them well into the top tax bracket. Assuming the tax authority counts it as normal income they will be forced to pay ~56% income tax plus a fair bit of social security and employer tax. Assuming this they might get about (as a guesstimate) 20-25k SEK/month, or 240-300k SEK total, after taxes. Not shabby at all; that is close to what an average worker in Sweden earns per year. And that is the bonus alone.

Nonetheless, cheers Notch for thinking about your employees! : )

Edit: Gifts are no longer taxed in Sweden, luckily! But it is likely that the tax authority will regard it as income or a bonus rather than a gift.

jeremyarussell 5 days ago 2 replies      
Now if only more American bosses would take the money they earned with help from their employees and redistribute it to those employees, then maybe the economy (in America) wouldn't be as crazy as it is.
bond 5 days ago 2 replies      
Amazing how the sales keep going on... Last 24H: 8845 sales = 176,500€... http://www.minecraft.net/stats
therealarmen 5 days ago 1 reply      
For the lazy, that works out to $120,000 per employee if split equally. Anyone know what kind of taxes this is subject to?
Tycho 5 days ago 1 reply      
Notice how at the bottom of the article it says this move is very surprising 'in this day in age.' Is that just a cliche or was it that people really were more generous in these situations in years gone by?

I mean bankers are giving up their bonuses left right and centre these days ;)

keithvan 5 days ago 0 replies      
I think actions speak louder than words. Despite Notch getting some flak from the community for being out-of-touch with Minecraft, and some of it also going to his staff, I think this shows that Notch cares about his studio, his work, and his staff more than anything else. And it's certainly unprecedented among gaming studios and companies.
tdicola 5 days ago 0 replies      
I have so much respect for Notch and Minecraft. It's the dream that pretty much everyone who wanted to build games has had--turning your game into a massive success both financially and artistically. All without the help of publishers or really the entire professional game industry. Amazing.
justjimmy 5 days ago 2 replies      
It'd be more awesome and effective (in terms of morale and team) to pay those in shares. Nothing boosts productivity and care like owning a bit of a company. Even if it's just a tiny bit.

Now that would be interesting to see.

maxharris 5 days ago 2 replies      
Assuming that the money is deserved by the employees, this is a very shrewd, selfish^ move on his part. Giving people their just deserts is in everyone's interest, and Notch's long-term reward will be a robust, growing business.

^I use the term to mean what it should mean - "what's good for Notch, long term" - and disavow any connotation about harming others. It's not truly selfish to hurt others.

bicknergseng 4 days ago 0 replies      
I might be being naive since he seems to be rather bravado about splitting the money with everyone, but I like to think Notch is doing the absolute best thing for Mojang and probably for himself in the end. I personally would love to work at a company like Mojang for a boss like Notch who disperses the hard work of the company with the company.

It seems to me that executives like Gates, Page, Brin, or Jobs who take $1 salaries (discounting their travel subsidies and Jobs's Gulfstream) are better for their companies in a number of ways than someone taking a lavish salary. I'm not saying the latter is wrong, but it seems like the "selfless" executive at the very least demonstrates the need for the company to do well--a real connection between vision, company, and leadership.

I hope good things come for both Notch and Mojang as a result of his sharing the wealth, their focus on satisfying their customers, and their general attitudes of honesty and openness.

feralchimp 5 days ago 0 replies      
Giving $3M to employees is cool. But maybe next time, let them tweet it.
vic_nyc 5 days ago 0 replies      
I applaud these guys.
It's not about the money per se - it's about having a share of company profits. This, I find, is what a lot of companies get wrong. We go by the same old mentality that an "employee" should simply be compensated with a fixed amount. But why? People who work on the product should have a significant share of the profits as well. Allegedly a regular employee is "taking less risk" by having a fixed salary as opposed to the "risk takers" at the top - but in this day and age where there is no more guaranteed long-term job stability, that is not true anymore. And the continuing success of the company's products depends directly on the good work of its employees.
malkia 5 days ago 0 replies      
DarkMeld 5 days ago 0 replies      
Stay humble my friend.
tonfa 5 days ago 1 reply      
Who are the other shareholders of Mojang?
lyime 5 days ago 0 replies      
Huge respect. I hope this will encourage more founders to follow.
jebblue 5 days ago 0 replies      
That guy just totally rocks. I wish I could work with him.
erikb 5 days ago 0 replies      
He already got millions of $$ in his pocket. From his point of view $3M is not that much, I think. Nice move, but nothing impressive.
sukuriant 5 days ago 3 replies      
Forgive me, but... why should we care?

It's his money, he can do whatever he wants with it. It's not humble and awe-inspiring. He announced it to the world on twitter. I mean, it's nice of him, or whatever, but.. I don't care? Why should anyone care about this?

I could write a long tirade about how this could be useful if more companies did this, because yes, the employees would have a vested interest in this company; and la la la; but really, this is just Notch tooting his own horn about giving his money away. Congratulations.

Yes, what you've done with Minecraft is absolutely amazing, and I love the game, but... very nice of you. Moving on.

awaits the downvotes

[edit: in seriousness, could someone tell me why the public, even the programming public, should care that Notch gave away his dividends? We're not told why he did it. He's not encouraging others to follow his example, he just did it and told everyone.]

Hacked: commit to rails master on GitHub github.com
640 points by stwe  2 days ago   223 comments top 29
teej 2 days ago 5 replies      
Posting it as an issue on the Rails repo and then exploiting GitHub with it is a great way to get attention, but not necessarily the most responsible.

I disclosed a vulnerability to GitHub before. I dropped it into their Issues system marked private with the heading "URGENT". It was a Sunday and I got a response + a fix from Tom Preston-Werner himself within a few hours. That, in my mind, would have been a more responsible approach.

patrickaljord 2 days ago 4 replies      
Funnily, the first Diaspora release had the same issue and the devs were ridiculed and called noobs by a big part of the HN community and security "experts" wrote big posts about it. The different reaction here is interesting to say the least.
wycats 2 days ago 7 replies      
Here's my proposal for improving the situation: https://gist.github.com/1974187

Merb's approach was to have mass assignment protection in the controller, and I personally think it's self-evident that it belongs there. Moving it into the controller will also make it easier to solve the tension between reducing the friction of getting up and running quickly and having good security defaults.

In general, Rails' convention over configuration make a stock Rails app more secure by default (CSRF protections, XSS protection, timing attacks, session fixation, etc.). This is a case where there's a real tension, but I think that we can solve it by applying some brainpower to the question.

holman 2 days ago  replies      
We've patched and fixed this on GitHub.
bretthopper 2 days ago 2 replies      
Everyone might as well take this opportunity to add attr_accessible to your models.

Models:

    find app/models -type f -name \*.rb | wc -l

Models with attr_accessible:

    grep -r -m1 "attr_accessible" app/models | wc -l

If those numbers aren't the same, and the missing model files inherit from ActiveRecord::Base, then look into adding attr_accessible.

danmaz74 2 days ago 1 reply      
I would say that homakov's angry and not very mature reaction to his warning being ignored just did a very big favor to a lot of rails developers, who, reading about his exploit on HN (and other places), will rush to check their websites and will fix a LOT of serious vulnerabilities they didn't have any idea they had. But which somebody could have already been secretly exploiting.

Understandably, Github would have liked much more to be one of those companies that will be able to quietly fix this vulnerability without anybody knowing, but now that the damage to their image is done I really hope they'll not add to that damage by persisting in their banning of an 18 year old who acted irresponsibly, yes, but maliciously - definitely not.

From a PR perspective, I guess that having titles like "Silicon Valley company rewards Russian teenager who helps them eliminate a security risk" could even spin the episode in their favor.

mojombo 2 days ago 2 replies      
I have written a blog post outlining the exploit and our mitigation procedure: https://github.com/blog/1068-public-key-security-vulnerabili...
zyfo 2 days ago 1 reply      
Here's the guy's blog post about the hack: http://homakov.blogspot.com/2012/03/egor-stop-hacking-gh.htm...

"Today I can pull/commit/push in any repository on github. Jack pot."

shearn89 2 days ago 0 replies      
This is clearly a problem: with Rails' approach being 'right from the start', having no protection by default is not the right way to do it. This issue may be well known among the type of people that use github and read HN, but if someone had read about Rails being an awesome framework to make db-driven websites, they might not be aware of such a thing as a "mass assignment vulnerability."

If adding a line or 2 to the generator code can stop this, even if it includes a comment saying "Removing this line will do x y z", then I think the rails team could've treated the bug with a little more respect.

As @ericb said, if strong devs make this mistake, there's something wrong with the code.

I think it should also be noted that he didn't do anything malicious like trash repos, and even says on his blog:

    "Then I could wipe any post in any project. That wasn't that funny but pretty
dangereous[sic]. It got more curious."

All he did was add a 3 line file to the master repo of a project that he was frustrated with. It generated all this attention, and will probably make them rethink the approach...

Finally: big props to the GitHub team for patching their vulnerability in <1hr on a Sunday...

mvasilkov 2 days ago 0 replies      
IMO this attitude of GitHub is the best motivation to sell 0day exploits in private instead of ever trying to get dev's attention.

No, I mean really, "malicious attack". I can't help but laugh, he committed 3 lines of text grand total, this is what you call malicious? Seriously, WTF.

The guy is a proper white-hat hacker, even if somewhat childish, Y U ban him.

teyc 2 days ago 0 replies      
I love the delicious irony when all sorts of rails dev argue for status quo only to find their master hacked because the source control system has the same vulnerability.
sad_panda 2 days ago 0 replies      
This is a pretty huge security issue with wide-reaching implications. People everywhere pull and compile from master branches on Github without second thoughts. It's a big hole. But everybody's running defense for GitHub.

Contrast this with the enormous hue and cry against FB, MS, et al. when they have comparatively minor holes in their systems.

I'm not saying that we need to tar and feather GH, but we should at least be equal-opportunity in our condemnations and realize that everybody is capable of mistakes. So, if you're OUTRAGED about Apple making a minor boo-boo, you should be equally outraged about this.

hundredwatt 2 days ago 0 replies      
I threw together a quick 'n dirty Rails generator that will generate the code for white/black listing all model attributes with attr_accessible/attr_protected.

Here's the file: https://gist.github.com/1975167, just add to lib/generators in your Rails 3 app, then do rails g mass_assignment_security -h

Hopefully others find this helpful

arturadib 2 days ago  replies      
I'm confused. Is this a generic Github vulnerability or is this a vulnerability in tools outside of Github used by Rails? The 'hacker' seems to suggest it's the former ("Github pwned"), which would be pretty serious stuff.
javascriptlol 2 days ago 0 replies      
Even a genius eventually makes a mistake. Systems should be safe by default unless there's a good reason (e.g. performance). Why bother with high level tools if they're not even protecting you from mistakes?
Estragon 2 days ago 0 replies      
So, the vulnerability was public for at least days in homakov's bug report, and probably for years to anyone who wanted a crack at github badly enough to do a little research. Is it paranoid to worry about malicious commits in other important github repositories?
wandernotlost 2 days ago 0 replies      
This is basic security, folks: never drive your application from stuff that comes over the wire (or any untrusted channel). Passing a params array directly to update_attributes is a fundamentally flawed approach for this reason. Instead, inspect incoming data for exactly what you expect to be there. By doing this, malformed input will either fail or be ignored without exposing a security vulnerability.

It should be obvious that you can't anticipate every potential attack vector at design time. Therefore, a well-designed system is one for which, when expected or normal conditions are not met, the resulting action is nothing or error, not an unexpected action.

This principle is also known as fail-safe:

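The two patterns discussed in the thread above, bretthopper's attr_accessible whitelist and wandernotlost's "never pass params straight to update_attributes" rule, side by side in a plain-Ruby stand-in for ActiveRecord mass assignment. This is an added example, not code from the thread, from Rails, or from GitHub; it runs without Rails. The PublicKey class, its title/key/user_id attributes, and the attacker-supplied user_id of 1 are assumptions for illustration, chosen because a record with an owner foreign key is exactly where an unchecked params hash does the most damage.

```ruby
# Added example (not from the thread): a minimal stand-in for ActiveRecord's
# mass assignment. VulnerableModel#update_attributes copies every key in the
# submitted params onto the record, which is what lets an attacker overwrite
# a foreign key such as user_id. SafeModel adds an attr_accessible whitelist
# so only the listed attributes are writable from params; anything else is
# rejected, which is the fail-safe behaviour: unexpected input errors out
# instead of silently changing ownership of the record.

class VulnerableModel
  attr_reader :attributes

  def initialize(attributes = {})
    @attributes = attributes.dup
  end

  # Mirrors the unsafe pattern: every submitted key becomes an attribute.
  def update_attributes(params)
    params.each { |key, value| @attributes[key.to_sym] = value }
    self
  end
end

class SafeModel < VulnerableModel
  class MassAssignmentError < StandardError; end

  # Class-level whitelist, analogous to ActiveRecord's attr_accessible.
  def self.attr_accessible(*names)
    @accessible = names.map(&:to_sym)
  end

  def self.accessible
    @accessible || []
  end

  # Only whitelisted keys are applied. Unknown keys raise so the request
  # fails loudly rather than quietly rewriting fields the user never owned.
  def update_attributes(params)
    disallowed = params.keys.map(&:to_sym) - self.class.accessible
    unless disallowed.empty?
      raise MassAssignmentError, "rejected attributes: #{disallowed.sort.join(', ')}"
    end
    super
  end
end

# Hypothetical public SSH key record, as on a code host. The user may change
# the key material and its title; the owner (user_id) must never come from params.
class PublicKey < SafeModel
  attr_accessible :title, :key
end

# Constructed request body: a legitimate title and key plus an attacker-added
# user_id pointing at some other account (hypothetical id 1).
ATTACKER_PARAMS = { "title" => "laptop", "key" => "ssh-rsa AAAA...", "user_id" => 1 }.freeze

# Unprotected model: the foreign key is overwritten, so the key now belongs to user 1.
def exploit_vulnerable
  record = VulnerableModel.new(user_id: 42, title: "old")
  record.update_attributes(ATTACKER_PARAMS)
  record.attributes[:user_id]
end

# Whitelisted model: the same request is rejected and the record is untouched.
def exploit_hardened
  record = PublicKey.new(user_id: 42, title: "old")
  begin
    record.update_attributes(ATTACKER_PARAMS)
    :updated
  rescue SafeModel::MassAssignmentError => e
    e.message
  end
end

# A well-formed request still works through the whitelist.
def legitimate_update
  record = PublicKey.new(user_id: 42, title: "old")
  record.update_attributes("title" => "laptop", "key" => "ssh-rsa AAAA...")
  record.attributes
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: user_id after update = #{exploit_vulnerable}"
  puts "hardened:   #{exploit_hardened}"
  puts "legit:      #{legitimate_update.inspect}"
end
```

Run it with `ruby mass_assignment.rb`. In a real Rails 3 model the whitelist is the one line `attr_accessible :title, :key`; the point of raising rather than silently dropping the extra key is that a request carrying a foreign key it has no business setting is an attack indicator, and an exception is what you want in the logs.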
nate 2 days ago 1 reply      
Shouldn't rails by default protect belongs_to associations? There is probably a minute number of cases where someone wants mass assignment changes to include the parent's id of that record.
codesuela 2 days ago 0 replies      
I don't get how many of you seem to take this issue lightly. Imagine what would've happened if this guy was a black hat. I use github for private code hosting and this a definite breach of trust and if I don't trust github how can I pay them? Sure they fixed the issue within an hour but still this could have ended far worse.
tlogan 2 days ago 1 reply      
Can somebody explain why this is a Rails bug?

Meaning using mass assignment is very similar to SQL injection: you pass variables from user input directly to the model without even verifying them. Duh?

Now regarding GitHub: yes there is a security hole and they fixed it.

However, hacking a site after finding its vulnerability is definitely illegal and I hope there will be consequences. And he did not even report the problem to GitHub.

tvon 2 days ago 0 replies      
Nothing makes you look like more of a jackass than throwing gifs into rails commit comments.
orblivion 2 days ago 1 reply      
> "Since you can commit to master, you could just fix the vulnerability :) "

I like it, this would be a great way to be snarky and semi-responsible at the same time.

bbeausej 2 days ago 0 replies      
How can you be sure Homakov is the first person to notice GH was vulnerable if the vulnerability was present for many years in the codebase?
deanpcmad 2 days ago 2 replies      
How has he hacked Github? He's a contributor on rails/rails see here and search for homakov - https://github.com/rails/rails/contributors
shearn89 2 days ago 0 replies      
Also just noticed this at the bottom of his resume (http://homakov.blogspot.com/p/service.html):

    "<s>Discount for girls</s>"

apl 2 days ago 2 replies      
It's unfortunate that the guy stumbling upon this apparently noteworthy vulnerability happens to be so utterly immature. [EDIT: Unsurprisingly, the dude's 18. See http://homakov.blogspot.com/p/about-me.html for reference.]
klodolph 2 days ago 9 replies      
If this is a GitHub exploit, and I were GitHub, I would be talking to law enforcement. This is not how adults disclose software vulnerabilities.
A violently true depiction of what war really is mediumdifficulty.com
615 points by sberder  5 days ago   249 comments top 29
Cushman 4 days ago 3 replies      
Reminds me of my father (who was in the Airborne) looking over my shoulder playing the training in America's Army.

"That's pretty realistic. Do they have a level where you have to go knock on somebody's door and tell them their son was killed in a training exercise?"

That said, I feel like this article, like the censors, gives video games much too much credit. Glorification of violence is everywhere in our culture and fiction; I'd imagine at least 95% of gamers understand intuitively that the games they play bear very slight likeness at best to the reality of war (although probably more in the sense that they might be killed themselves rather than that they might kill others.)

After all, one of the things (multiplayer) video games do teach you is that combat is seriously dangerous. Pop out of cover for one second and you can get shot in the head, bam, you're dead. In a game, that means respawning; nobody seriously believes that's how it works in real life. In that sense, I have to think that these games, as unrealistic as they are, are still the most realistic fictional depiction of war you can experience-- and the lessons you learn are much more valuable than those of, say, comic books.

Which is not to say that we don't have a bit of a violence problem in our culture (though I'm on the side of Steven Pinker in thinking that our violence problem is probably better than it ever has been). But the problem is not the kids running around playing cops and robbers. The problem is the kids who never properly learn the distinction between playing and hitting-- and worst of all, those who learn it by the maxim that "If you hit your brother, I'll hit you even harder."

That's what we should be talking about.

roboneal 4 days ago 4 replies      
Being ex-military and not a sociopath -- he lost me when he said that the "vast majority of us are straight up sociopaths"

We constantly made decisions that increased the risk to ourselves while trying to minimize the risk to civilians. That is not a mindset of a sociopath.

unknsldr 4 days ago 2 replies      
I am an experienced soldier with combat experience in several corners of the world. I have a distinguished service record. The only units I've ever known are Special Forces units. I've operated in several tiers of the community. I was medically discharged following injuries sustained in combat operations. You deserve a better account than M provides. Please understand some detail must be left out.

I am not an academic any more than M or his psychologist. It's important to include the psychologist that asserts violent personality disorder outside of the DSM.

There are a lot of guys like M floating around special operations (the community) but perhaps many of you do not understand the community. The special operations umbrella is pretty large depending on how you classify. To simplify, there are several degrees (tiers) divided by purpose and specialization. The degrees might look like a pyramid if you represented them by the number of soldiers in each. M would be near the bottom of a special operations pyramid, meaning he's a highly proficient infantryman, probably supporting a higher unit. A good guess for M would be Ranger Battalion. He mentions Special Forces (Green Beret), which is at least branch consistent.

M wouldn't make it at a higher level of the community. The community would correct the matter if he did. In special operations, psych evaluations are routine. There are evaluations for aptitude and there are evaluations for disposition. If you are a sociopath by clinical standards, you will not climb the pyramid. You will be told that this is why you were denied ascension. At lower levels of the pyramid, a clever man can influence the evaluation but not considerably so. At higher levels, the evaluations are much harder to 'game' because they are conducted over time in a range of dynamic scenarios. The higher tiers need a pool of exceptional candidates to use as a baseline. In a class of elite SOF operators, the higher tiers are looking for standouts. Those standouts are further evaluated. M never made it that far, which is why he thinks there are no heroes. I'll only discuss the lower tier to address M's depiction. It differs considerably at higher tiers.

One of the many problems with M's depiction is the misrepresentation of the community. An FNG is much more common in a line unit than in a proper special operations element (furthering my suspicion that M came from a support element). There are no FNGs in the community. Each SOF operator, regardless the branch, spent 18-24 months in a pipeline training specifically for special operations costing the government more than $1 million per candidate. If they complete the training, they go to a team as a 'cherry'. They need real world experience as an operator and they need advanced training beyond their generalized training. This does not mean walking point in a mine field. This means developing the training plans for the rest of the team, coordinating cross training with the senior members, and accounting for equipment. The entire experience prepares the cherry for the demands of sustained operations far from the flag pole (built up bases) during a deployment. The cherry is one of maybe 15 men who are going to be fending for themselves throughout the deployment.

The sensation is nothing like sex but your first fire fight is a lot like losing your virginity. You'll always remember. The adrenaline dumps. Your senses heighten and you become acutely aware of your 'anchors'. Cheek, pad of your trigger finger, your shoulder pocket (where your long gun is firmly tucked) or maybe your elbows. Whatever your problem points were during exercises. Between engagements are lulls, mag changes. You move. You communicate. You decisively engage yet you hardly think. Hours go by before the engagement is over. You feel exhilaration. Consider the state you are in emotionally, chemically. And at this moment you have your first coherent thought in hours. What do you think about? Does it suggest anything about you?

I wish I felt something for the people we expired in my first fire fight. I didn't. This isn't sociopathy. This is pragmatism. We are all going to die. In that moment, the person most likely to die is my adversary. My training is superior. My firepower is superior. I have the strategic advantage. In order to achieve success in the objective that brought me to the patch of earth I meet my adversary, I must first know that one of us will expire - the one that is least present. You accept mortality so that you can control your emotions during the engagement. Why fear death when you can elude it? At the conclusion of the fire fight, you don't have time to think. The end of the fire fight is not the end of the day. Are there any casualties? Do you have all of your equipment? You have to establish communications with command. They may have guidance for follow on actions. They may have intel of a quick reactionary force descending upon your location. The avenues of approach and egress from your location may have been rigged to blow while you were engaged. Command might know a better route for exfil. There remains a tremendous amount of work before you'll be in a position to reflect. It could be hours. You'll probably sleep first. When you wake up, the feeling is gone. You remember the exhilaration. You remember the triumph. In my first deployment, this was the routine every other day for three weeks before we were pulled from the area to decompress. My thoughts were, "keep calm." My emotions would only ever cloud my judgment and performance. It was crystal clear to me that they were useless in a war zone, including malice.

The situations that I have encountered have been horrific. I would not propose that we expose the youth to these horrors. Help us all if we ever go down such a road. We should focus on effective management of a crisis. For me it is perspective. For others it might be something else. Nothing could have prepared me for my first fire fight. That, like losing your virginity, is something you must experience to ever really understand. The rest of the horrors of war are handled through live tissue training. If you understand basic medicine and tissue trauma, you'll be able to stomach what you'll see along the way. To suggest that video games should more realistically depict war is to suggest that we should practice applying a condom to a dildo rather than a cucumber. It doesn't prepare anyone to lose their virginity but it does increase the comfort with going down that road. Teach children stronger critical thinking skills and you'll prepare them to avert more conflict in the first place. Failing that, you'll prepare them to handle the horrors of the conflict.

mattdeboard 4 days ago 5 replies      
As a former Marine infantryman, and a former Marine PR idiot, I think his numbers are off but a lot of the concepts are right, with a caveat. It's not sociopathy of the organic sort. It's the kind of detachment from prolonged exposure to extreme, unmitigated stress. So don't take this article as justification to feel like there's something mentally wrong with people who join a combat arms unit.
DanielBMarkham 4 days ago  replies      
I am very tempted to flag this. the sociopath thing really rubs me the wrong way -- there are logical flaws with using that label. War is a part of society. If society tells you to go kill somebody and you do, you can't be a sociopath.

Having said that, it's a great first-person account of what real combat is like, at least for this one guy. I am concerned the effect on HN discussion will be negative. Hopefully I'm wrong.

The United States made a huge mistake in moving to an all-volunteer army in the 1970s. With a draft and mandatory conscription, everybody had the common experience of serving and perhaps doing really bad things in the line of duty. As it is now, the vast majority of civilians have absolutely no idea what military service is like, as the author points out.

In this lack of context everybody becomes really impressionable. Not only can the military manipulate public opinion through selective release of information, other soldiers like this one can also. When the majority of people don't have context, they'll believe anything.

This is why you couldn't get away with writing a really negative article about WWII right after the war. It wasn't that somehow the war wasn't terribly horrible, it was that the average Joe reading it would immediately say something like "yeah, but that's not the way it was for most people" or "you think that's bad? I remember when..."

We don't have that kind of audience now. Once again, as the author points out, most of the readers only know cartoon violence and have never even hunted an animal. So people are left substituting other experiences and trying to draw rough analogies. The one thing I know for sure is that different people in different units can have vastly different impressions of a conflict. In my mind, this article would have been better with less "I'm the sane one and the other soldiers are crazy" and more "Here's another view"

I would also note that it has become fashionable for authors to say they have all sorts of combat experience when they don't. I'm sure this author isn't one of those people, but I've learned over time to be suspicious of people who wear the grisly warrior mantle as a way to get around my critical thinking skills. This area is just really difficult to discuss, especially when it's about an ongoing operation.

jakeonthemove 4 days ago  replies      
Street fights and other violent encounters are the same.

There is no honor, no right way to fight and nothing good comes out of it except you surviving.

It's nothing like video games - martial arts won't help (well, beyond helping keep you in shape), a bullet will kill you in a horrible, slow way (dying instantly means you're lucky) or leave you with a disability for life, a simple knife slash will leave you in a hospital for a long time and a simple hit with fist can dislocate your jaw, which is really terrible (you can't eat, can't speak, your face is swollen, you drool all the time).

Sadly, kids don't seem to understand, and most people laugh when I tell them the best strategy is RRF - Reason (give them the wallet, try to solve it with words), Run (as fast as you can and don't look back), Fight (only if all else fails, and fight as if your life depends on it)...

lukifer 4 days ago 1 reply      
I have a cousin coming of age who's downright excited to join the military and become a sniper. I have little doubt that war video games are partly responsible for that.

Now, I don't think violent games are inherently bad, and relatively few people playing them will actually sign up to go blow up insurgents in the desert.

But there is a significant difference between Modern Warfare and Hitman, Doom, GTA, etc.: most other violent games are either clearly fictionalized, or you knowingly play a villain. While a few nutcases might emulate the game, no reasonable person, not even most children, will draw the conclusion that the game activity is normal, real or justified.

But wars really happen, and they are seldom sexy or heroic. Even if you accomplish the most kick-ass mission ever, you probably lost friends in the process. Any soldier anywhere would happily give up their medals and glory if it meant the fallen got to go home to their families.

War is hell. While I would never advocate any form of censorship, selling video games that hide this reality is socially irresponsible.

ObjectiveSub 4 days ago 1 reply      
On a similar note: I recently watched the movie "Act of Valor". I had no idea it was one big propaganda piece before I got in. As soon as the movie started I thought "Yep, here we go. 110 minutes of pure army PR".

What I thought was more interesting were the comments on the reviews on Rotten Tomatoes. You can check them out for yourself here: http://www.rottentomatoes.com/m/act_of_valor/
It is a shit movie; no doubt about it. What I find interesting are the comments on the reviews that the critics gave.

Critics of course correctly pointed out how this movie is basically an advertisement paid for by the Navy. However, any critic that dared to give a bad review or even mention the word "propaganda" was attacked by countless posters that were shouting how he is a "damned liberal" and how the soldiers "die for [him] everyday to protect [his] freedom".

I do not understand the glorification of soldiers and I probably never will. War is a horrible, horrible thing. Soldiers are professional killers. As Voltaire said: "All murderers are punished unless they kill in large numbers and to the sound of trumpets"

There is no glory or honor in war (more specifically the current situation in Afghanistan/Iraq). The soldier sure as hell did not die for you. He most likely died protecting his comrades that he has been living with for the last 4 years. The soldier probably doesn't even give a shit about you. The Army is not defending America's "way of life". Terrorists do not hate you because of your "freedoms".
As a Canadian, I really don't understand why my opinion is so frowned upon in the US.

JS_startup 4 days ago 1 reply      
I like one point in particular that he touched on. That is, the military's careful manipulation of the media and public perception and the lens through which we view military personnel.

I know I'm supposed to laud infantrymen as brave and patriotic (which is why I'd never voice this in public), but frankly... nearly every frontline veteran I've ever met seems like an uneducated, violent and scary thug. I know that's basically what you have to be to fight on the frontlines, but the disparity between public opinion and reality is shocking.

nonce43 4 days ago 2 replies      
The Onion has its own take on the difference between real war and video game war: an "ultra-realistic" war game featuring endless paperwork, awaiting orders, and repairing trucks: http://www.theonion.com/video/ultrarealistic-modern-warfare-... (I don't mean to trivialize war by this, and I should point out that The Onion is satirical.)
Sakes 4 days ago 2 replies      
Wow, awesome read. If this guy consulted on a video game I would never play it. Mowing down Russian civilians in the game MW2 was more than F'd up enough for me.
huhtenberg 4 days ago 1 reply      
I can't imagine how it is for a person like W to try and live a "normal life" after he leaves the war zone. And if he'd want to, to begin with.
philwelch 4 days ago 0 replies      
"Whereof one cannot speak, thereof one must be silent." --Wittgenstein

That's my reaction to most of these 182 comments. I grew up with a combat veteran, and between listening to his stories and reading those of many other vets, including the OP, the only thing that's clear to me is that there are as many ways of coping with combat as there are combat veterans. Instead of arguing about whether or not people are sociopaths, go listen to a few veterans sometime.

skeltoac 4 days ago 2 replies      
"the vast majority of us are straight up sociopaths"

Society can't function without socially acceptable outlets for this and other anti-social behaviors. That is the best justification I have found for a long list of things that don't seem to make sense in an enlightened society.

What would the world be like if we didn't have the Army and NFL? A lot of people would find new, more chaotic outlets for their aggression.

wallawe 4 days ago 0 replies      
I have a friend in the special forces who has changed as a person completely since his first deployment.

The last time we hung out, we went to a casual bar for a drink. He brought his pistol everywhere he went now out of paranoia. He spoke in jealousy of the British mercenaries who were allowed to kill anyone without permission. "I wish we could do that," he said. I was honestly baffled.

It truly is amazing how much war can change someone. He lives and loves to kill now. He says there is no better rush in the world.

a_a_r_o_n 3 days ago 0 replies      
I think we make too much of video games and movies.

They don't make us violent. We're already violent. That's why we buy them.

"We have met the enemy, and he is us."

Tossrock 4 days ago 1 reply      
Whoa, I know the guy who runs this website, along with several of the authors. He actually just launched it a few days ago, primarily for the Penny Arcade forum readers. Small internet.
toadi 4 days ago 0 replies      
I like playing these games. But it's a game... I also do Thai boxing and like it.

But I would never be a soldier in any army. Can't kill people or do any of this shit. Except if there was an immediate threat to my family....

itmag 4 days ago 2 replies      
As a personal development junkie, I find war to be very problematic (well duh). Killing people is just so... unenlightened.

Then again, I find the warrior ethos or what you might call the male Warrior archetype to be of great interest. It's pretty obvious that this is something that the modern world very much lacks, at least we don't have any formal initiation rites for it (going to Marine boot camp might qualify though).

For more reading, check out this book: http://www.masculinity-movies.com/articles/king-warrior-magi...

run4yourlives 4 days ago 0 replies      
I suggest anyone intrigued by this pick up a copy of LCol. Paul Grossman's work: On Killing.
atc 4 days ago 0 replies      
This is one of countless ways the military carefully shapes the public opinion of the troops. It's a shameless PR exercise. One of our guys got a Military Cross (a medal for bravery) awarded after he got shot in the bum and continued to fight. His platoon was isolated on a rooftop with no escape for hours, and there was literally nothing else he could do but fight. This does not make him a hero. It makes him a soldier with a sore bum.

Kinda sobering.

dfc 4 days ago 1 reply      
How common is it for someone in the UK to drop out of school at 16?
dasil003 4 days ago 0 replies      
He hasn't really convinced me he's a sociopath. More like he's suffering from PTSD and coping with it by acting out sociopathic tendencies. I mean obviously I don't have the first clue, but I ask myself would a real sociopath write something like this?
rhaphazard 4 days ago 0 replies      
I don't have first-hand, or even second-hand experience of war. I can only go by what I read in articles like this.

But logically, the author is making a lot of sense. Any apathy or desensitization to killing is either a result of social conditioning (sociopathy) or a psychological predisposition (psychopathy). There are of course other ways this could come about, and the author's 80% figure is probably an over-estimation, but I think the proliferation of military contractors really increases the chances that what the author says is true.

I wonder if there has ever been a study that tries to figure out how prevalent these kind of issues are.

Kids are going to have a hard time unlearning the fake reality presented to them by video games.

winter_blue 4 days ago 1 reply      
Violent video games & media must be banned. It should be treated like child pornography.

A federal law prohibiting the dissemination of such material and people who develop or make such games and movies should be given the same punishment those filming child pornography receive. I personally recommend a minimum of 10 years.

The social and psychological corruption of society must come to an end.

I know many of you will not agree with my opinion, but I think you don't understand how bad an impact blatant violence in games and media has on people.

MasterScrat 3 days ago 0 replies      
Off topic, but it's really annoying when the actual content of a page represents 1/5 of its length and the rest are comments. The scrollbar is made to give you a hint of how much of the article is left. This completely defeats this purpose.
facorreia 3 days ago 0 replies      
With all that said, games like "Brothers in Arms" helped me experience, to a degree, the sacrifices brave men made.
cpursley 4 days ago 6 replies      
I can't imagine how anyone enjoys games like these unless they really are sociopaths. War is when young men go die for the old men's mistakes and kill a lot of women and children in the process.
bootload 4 days ago 0 replies      
"... your lead guy gets blown up and you spend the next hour or so casevac'ing [ed note: casualty evacuating] him ..."

that's CASVAC. Correct pronunciation. A portmanteau or joining of "CASualty" and "EVACuation". The difference b/w MEDIVAC and CASEVAC? The former is by medical vehicle, the latter ad hoc.

Font Awesome, the pictographic font designed for use with Twitter Bootstrap fortaweso.me
610 points by fortawesome  20 hours ago   84 comments top 29
hornbaker 8 hours ago 3 replies      
Brilliant. I absolutely love this, and will absolutely use Font Awesome in my next project.

While the name Font Awesome is catchy, it doesn't say much about the product, and won't carry seo juice or meaning for your main selling point: better icons. A name like "fonticons" (pronounced like "emoticons") might be stronger, and you could own that term which may go generic (like "kleenex") if the technique is widely adopted.

In fact, you could literally own it. After making sure a google search was relatively clean, and a USPTO.gov trademark search was clear, I just registered the domain fonticons.com, and would be happy to give it to you if you want it as a token of appreciation for your project.

ccollins 18 hours ago 1 reply      
First, this is great. The Bootstrap Sprites definitely need some love and this is a solid forward step.

I am close to dropping in Font Awesome, but the small font sizes really need work. Here is a comparison screenshot of the standard bootstrap sprites vs font awesome sprites in Chrome on Mac: https://s3.amazonaws.com/gusta/sprites-less-vs-font-awesome-...

Again, awesome work. Font Awesome is on my short list to use once it's cleaned up a bit.

ot 4 hours ago 0 replies      
The icons look great! The font rendering engine is still the cheapest and most convenient way for having small scalable graphics.

Note that this trick is as old as Windows 3.1, as Raymond Chen points out in his blog:


(The blog name "Old New Thing" is spot-on as always :) )

tnorthcutt 51 minutes ago 0 replies      
I don't know if it would make sense for your plans, but have you considered looking into getting fontawesome added to Google's Webfonts collection? That could help drive mass adoption. Here's their submit form: https://services.google.com/fb/forms/submitafont/
jazzdev 9 hours ago 3 replies      
Yes, very awesome. Makes implementation much easier. But having just removed a font from our web app to improve performance (download time and rendering time) I can't help but wonder if sprites aren't lighter weight than using a whole font when you only need a few icons.
headbiznatch 17 hours ago 1 reply      
I love font icons and these are great. Thanks for sharing.

Two notes:

1) When I first started using font icons, I encountered an issue that might be worth sharing - you need to make sure your web server properly handles the more esoteric file types that are included in the @font-face declaration.

2) Paperclip icon!!!! I'm sad when these icon sets are missing this very useful metaphor for "attachment": not "my dog just died" sad, more like "I wish I could fly" sad. I am just throwing that out there.

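The server-side point in headbiznatch's first note, as an added example that is not part of this thread or of the Font Awesome project: an nginx fragment that serves the file formats a typical @font-face declaration references (EOT, TTF, OTF, WOFF, SVG) with explicit MIME types and a CORS header, since Firefox refuses cross-origin @font-face loads without one. The hostname, document root and allowed origin are placeholders.

```nginx
# Added example, not from the thread or the Font Awesome project.
# Hostname, root and the allowed origin are placeholders.
http {
    include mime.types;

    server {
        listen 80;
        server_name example.com;   # placeholder
        root /var/www/site;        # placeholder

        # Font files referenced from @font-face. A `types` block inside the
        # location overrides the inherited table for just these files, so an
        # older mime.types that lacks the font entries is no longer a problem.
        # RFC 8081 registered the font/* tree; older deployments used
        # application/x-font-ttf, application/x-font-opentype and
        # application/font-woff instead, which browsers also accept.
        location ~* \.(eot|ttf|otf|woff|woff2|svg)$ {
            types {
                application/vnd.ms-fontobject  eot;
                font/ttf                       ttf;
                font/otf                       otf;
                font/woff                      woff;
                font/woff2                     woff2;
                image/svg+xml                  svg;
            }

            # Firefox and IE9+ enforce same-origin on @font-face, so fonts
            # served from a separate static/CDN host need this header. Name
            # the embedding origin rather than "*" when the font licence is
            # per-site.
            add_header Access-Control-Allow-Origin "https://example.com";

            # Stop browsers second-guessing the declared type.
            add_header X-Content-Type-Options "nosniff";

            expires 30d;
        }
    }
}
```

Check the result with `curl -sI https://static.example.com/font/fontawesome.woff` and confirm the `Content-Type` and `Access-Control-Allow-Origin` headers come back as configured; a font that downloads but is never applied is almost always one of those two headers being wrong.
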
cobychapple 17 hours ago 1 reply      
You have licensed this under the CC-BY 3.0 license (which requires attribution 'in the manner specified by the author'), but I can't see anywhere that you've specified how it needs to be attributed if used.

Is this something you can elaborate on?

rplnt 5 hours ago 1 reply      
I have web fonts disabled (because of abuse by many developers) and this looks like rubbish. Perhaps there is a way to fall back to image icons if the font is not available?
logical42 5 hours ago 0 replies      
This is terrific! I've ported your fonts into my variant of the many twitter bootstrap rails gems out there (https://github.com/logical42/Bootstrapped-Rails). Thanks a bunch for this great work! This is going to make my life, and many others, much easier! :)
fortawesome 18 hours ago 0 replies      
It's been moved to a proper location:
remi 17 hours ago 1 reply      
It says "Wide @font-face support means Font Awesome even works in IE4" but not the way it is implemented on the demo page.

That technique is not compatible with browsers that do not support the :before pseudo-class (eg. IE7). The icons could be used though, but not that way.

ivobos 12 hours ago 1 reply      
Looks good. Having a set of geo-location icons would make it even better. In particular:

1) Request geo-location - this icon can be used on buttons that request the device/browser to activate geo-location.

2) Location on map - this icon can be used on buttons that display locations on map.

wiradikusuma 10 hours ago 1 reply      
Just wondering, is it possible to combine this with the font we use in the website so we don't need to download two separate fonts? Maybe some command line tool?
jogloran 13 hours ago 0 replies      
I wondered how these would look as iOS tab bar icons - I added a script to generate them using ImageMagick: https://github.com/jogloran/Font-Awesome
chrisacky 16 hours ago 1 reply      
What application did you use to make these fonts in the first instance?
I would quite like to have a go at making my own font icons. Could be quite useful in replacement of spritesheets.
thekungfuman 18 hours ago 1 reply      
Does using the <i> tag have any negative effect on the semantic markup of a page? I see that it doesn't impact screen-readers but what about if someone is trying to parse your HTML?
lostsock 14 hours ago 1 reply      
Looks great,

I've just tried to implement them into a Bootstrap site (without LESS) and I seem to get a double up of icons.

It looks like both the default bootstrap icons and the Font Awesome icons are being shown. The instructions don't mention the need to download a custom version of Bootstrap, am I doing something wrong?

ars 16 hours ago 0 replies      
So, are fonts the way to get scalable graphics on websites?
vailripper 18 hours ago 0 replies      
This looks excellent, nice work.
clarkmoody 19 hours ago 1 reply      
This is a great idea!

Wanting to use this font offline, I was trying to install the .ttf to my Windows fonts, but I was unable to do so. Windows claims that it is not a valid font file.

Any suggestions on why this is the case?

praxeologist 13 hours ago 1 reply      
Request: an empty/reverse/outline icon-tint or droplet

Nice stuff, going to try to use it sometime!

patman81 17 hours ago 0 replies      
Now if we just had a tablet computer with a super high resolution display, this would be perfect for it...
cwsaylor 17 hours ago 1 reply      
This is fantastic. I'm going to try to use this in a Phonegap iPhone app right now.
zshapiro 10 hours ago 0 replies      
This is seriously great. Thanks!
Void_ 19 hours ago 1 reply      
The website seems to be down.
TomatoTomato 16 hours ago 1 reply      
Font Awesome or Fort Awesome... I'm confused.
pagehub 16 hours ago 0 replies      
Wow, this is awesome... thanks for sharing!
RollAHardSix 17 hours ago 0 replies      
Maybe it's been a long day, but this actually hurt my eyes. Too Perfect!! O_O

Did anyone else have eyesore issues when they first saw it?

jasimq 19 hours ago 0 replies      
Looks really sharp.
Give it five minutes 37signals.com
607 points by sathishmanohar  5 days ago   71 comments top 29
analyst74 5 days ago 5 replies      
I come from the opposite direction, where I was thinking too much. In the sense that I am quiet in most conversations, because I need to think about what to say back, and most conversations flow quite quickly, and I end up with a response well past the point it's applicable.

This is bad for two reasons:
1, if you don't say anything, the default assumption is you don't know anything, unless you have well known achievement in the field. Now your peers will eventually learn what you know, maybe even more than they do, but it takes time, and modern life is fast;

2, you don't have to be wise/correct/knowledgeable in all conversations, especially casual ones where people are just shooting the stars and will forget what was talked the next day.

The real tricky thing, the thing that distinguishes a *wise* man, is to know when to speak like a fool, and when to dive into deep thinking, and when to shut up.

funkah 5 days ago 5 replies      
At the same time, the world is full of ideas, and a pretty tiny fraction of them are any good. The world feels especially full of ideas these days, since a lot of folks now fancy themselves "creatives" (that is, people who come up with ideas without having to get into the yucky business of actually executing on them).

Here's the real challenge: What deserves your five minutes in the first place? Many intellectually bankrupt ideas benefit from the notion that both sides of an argument should be considered. This is partially why we have dumb ideas like "intelligent design" floating around -- they get their oxygen from the mistaken notion that both sides should be considered, when in truth the issue is much more one-sided, or should be. Because ideas have power, there is an incentive to pitch such ideas and to persuade others with them, however hollow they may be on examination. There is value in talking about "clean coal", even though no such thing actually exists in the world.

You can't waste five minutes of your life every time someone says their ideas at you. So, what do you do? I suppose my approach is to try to develop a filter, to try to focus on things that are actually worth thinking about. But honing that filter is a challenge in itself, trying to keep oneself intellectually honest, trying not to indulge in parochialism. This is a tough subject, there are no easy answers.

leftnode 5 days ago 0 replies      
I frequently fall victim to this and I've gone through considerable effort not to.

One example: at my previous job, our ecommerce site had individual templates for each product. We only had around 20 products, but I came from a job where you might have thousands of products, so a single template was used. I just couldn't wrap my head around why you would have individual templates for each product.

The pages were mostly static (aside from a header and footer, and the pricing), and they took quite a while to make.

Then I realized that because we had so few products, we could really customize and market each page to highlight the features of each product. I went on to build a personal site with only a handful of products the same way as well.

Like Jason said, spending that extra time (even if it isn't literally 5 minutes) can really change your perception of something.

sray 5 days ago 1 reply      
This reminds me of And the Rock Cried Out, a short story by Ray Bradbury. The story revolves around two American tourists who are in South America when the US and much of Europe is wiped out by nuclear attacks during the Cold War. With the US in rubble, everyone is out to get the tourists as payback for all of the terrible things America has done in the past.

Anyway, they eventually meet a man named Garcia who offers them help. They're shocked, since everyone else wants them dead. Garcia explains:

Do you read the papers? Of course, you do. But do you read them as I read them? I rather doubt that you have come upon my system. No, it was not exactly myself that came upon it; the system was forced upon me. But now I know what a clever thing it has turned out to be. I always get the newspapers a week late, from the Capital. And this circumstance makes for a man being a clear-thinking man. You are very careful with your thinking when you pick up a week-old paper.

That always stuck with me for some reason.

rumblestrut 5 days ago 3 replies      
I have found this approach to be quite useful with my co-workers, friends and even my spouse.

Sometimes I hear an idea and my initial reaction is "No," when what is really going on inside me is "Let me mull it over." The trick for me is to not open my mouth too soon before I've truly given the idea a chance to breathe a little.

youlost_thegame 5 days ago 0 replies      
Oh man, I'm like having a déjà vu.

This realization occurred to me about a year ago, and when it came to me, everything was so clear. I had been an asshole in too many meetings because of wanting to speak first. My manager, on the other hand, was a very quiet, enigmatic guy, and he seemed wise.

While the engineers discussed some ideas, he listened. By listening, he was able to detect who was full of B.S. and who had the best ideas. In the end, when he finally broke his silence, he was usually right.

Silence is very, very powerful, and it's never too late to learn to shut up.

RyanMcGreal 5 days ago 0 replies      
> Asking questions means you want to know. Ask more questions.

Just make sure they're real, good-faith questions, not booby traps.

draggnar 5 days ago 0 replies      
This relates quite closely to the idea of thinking "fast" and "slow" as proposed by Daniel Kahneman. Here is an interview from the other night: http://www.charlierose.com/view/interview/12185

The basic idea is that our brains have two methods of thinking, first on intuition, like when we are driving a car. Natural reactions based on intuition are very powerful, but the flip side is that they are often wrong and we won't realize we are making a mistake. That takes going into the second mode of thought, thinking "slow". It is important to realize when to step back from the intuition of fast thinking to the rationality of slow thinking.

MattJ100 5 days ago 0 replies      
> Learning to think first rather than react quick is a life long pursuit. It's tough.

I must admit I stopped reading about here. I don't think I'm among the intended audience for this post. It personally takes quite something for me to stand up and criticize someone's work. I certainly couldn't do it within five minutes - I need to soak an idea up first.

I often explain to people that I'm a slow thinker. I actually don't know if it's that, or that I just have a higher threshold of thought before I have confidence to speak about something. That usually means I'll be the last to speak on a subject, but I'd hope that my contributions when I do speak are then at least a little more considered than those who spoke first. That's what I'd like to think, anyhow.

jilebedev 5 days ago 0 replies      
>I came into the discussion looking to prove something, not learn something.

I'm just future-fantasizing here but ...
Wouldn't it be a ripe topic of neurochemical study to find out what happens in a brain that decides that ego stroking is more important than learning through constructive conversation?
I suspect that "deciding to learn" requires a significantly higher activation energy than simply choosing to prove "I'm right".

joelhaus 5 days ago 0 replies      
"Seek first to understand, then to be understood." - Habit 5 of Stephen Covey's 7 Habits of Highly Effective People[1].

Trusted, influential and successful communicators are trained to engage with people this way. It's less about "thinking" before you speak, than what the intentions are behind your interactions with others... are you seeking first to understand or to be understood? Everyone wants to be understood, and when you consistently give them that, you get much more in return.

Another case of common sense being not all that common. If you're like me, then you too need to make this a conscious pursuit.

[1] https://www.stephencovey.com/7habits/7habits-habit5.php

smountcastle 5 days ago 0 replies      
This is really difficult sometimes. I wholeheartedly agree with Jason about giving new ideas some time (and thought). Most people are resistant to change and their immediate reaction is to reject new and/or novel ideas. Some ideas take days of rumination before you fully grasp the implications so you just have to take the time to let them sink in.
pazimzadeh 5 days ago 2 replies      
There is a French expression for this:
"Tourner sept fois sa langue dans sa bouche" or "Turn your tongue in your mouth seven times before speaking."


tikhon 5 days ago 0 replies      
As recounted in Carnegie's classic book: When General Meade squandered a great opportunity to capture General Lee and his army after the Battle of Gettysburg, Lincoln wrote a harsh letter to Meade. The letter was found after Lincoln's death, still in his desk drawer, never sent.


Toenex 5 days ago 0 replies      
Interesting. I read this as saying "have some respect for those brave enough to present a novel idea for consideration" which I think we would all agree with. How we do that is always a function of our personalities and consequently of our personality disorders of which we should be mindful. However, good ideas need to be tested and must therefore survive robust discussion.

I'm an ENTP/ENFP on Myers-Briggs personality tests and thus I do tend to get very enthusiastic about ideas, bombard people with questions and point out any issues I observe. This is just how I learn but can be annoying for people unless they know me, so I try to temper my behaviour. I'm from England where the workplace can still be a little more reserved.

emehrkay 5 days ago 0 replies      
Great stuff. I don't blog, but I want to. I recently came to the conclusion that I don't think about things enough, I don't form an opinion.

I read a lot of stuff and wonder how the author came up with what they wrote or how they managed to piece two points together that otherwise would have seemed unrelated. The answer is as simple as they gave it five minutes.

bostonvaulter2 5 days ago 0 replies      
This advice reminds me of "The Soak". Here's an excerpt:

Back to the original flame mail from your friend. You've received these before and you know the absolute wrong thing to do is immediately respond. Of course, your animal brain is dying to do so because IT FEELS SO GOOD TO PUNCH BACK, but it's never the right move because your animal brain is defending itself, it's not resolving anything other than proving BOY CAN I PUNCH BACK OR WHAT? My advice regarding flame-o-grams and hard decisions is the same. Sleep on it.


techiferous 5 days ago 0 replies      
jinhwang 5 days ago 0 replies      
That's solid advice. AND it JUST happened to me. Another entrepreneur with ZERO credibility in the space that I'm operating in flat out told me that another company is ALWAYS going to deliver a feature better than we are. My knee-jerk thought was "Who do you think you are? Jeff Bezos?" I disagreed and later said I would think about options.

I should get into the habit of stepping back and absorbing what just happened or what was just said. Although I still disagree with the delivery of the message, I do see some insightful gems from the casual conversation. And you always have to have thick skin in the startup game. Nay-sayers are everywhere but there is wisdom all around you. You always need to listen for it.

ronnoles 5 days ago 2 replies      
Am I the only one who's really tired of the 37signals people tossing their dime-store philosophy on us?
stretchwithme 5 days ago 0 replies      
Very true.

Commit your grievance to whatever system you use for reminders and take a walk around the block, comforted in the knowledge that it is in the queue.

fourmii 5 days ago 0 replies      
I think this is a pretty simple but important little piece of advice. I am certainly guilty of speaking before thinking a lot of times.
In the day of 140 characters, blogs and a steady stream of self-anointed 'expert' bloggers and media pundits, you don't get too many examples of the eloquent thinker.
I'm glad I came across this post, as it applies to my actions, in professional and certainly in private life. Thanks again Jason!
robinjfisher 5 days ago 0 replies      
It's great advice. When somebody is talking, people are very rarely listening. They're waiting to speak or preparing their next argument. By doing that, you don't hear what the other person is saying and more often than not misinterpret what they are saying.

It's a skill I'm still learning and it's a combination of patience, humility (I'm not always right) and a desire to learn (other people will know more and have better ideas than me).

Chirag 5 days ago 2 replies      
If I get a negative remark, I usually take a step back, kind of like an out-of-body view, and see if there is any validity. If there is truth in the remark, I thank the person and ask questions; else I just smile.

Some people mistake a smile for agreement, and I use a smile to put a full stop to the argument. In my limited experience I have seen there is no point winning a pointless argument :)

sankalpk 5 days ago 0 replies      
Imagine an environment where you did TWO things:
1) You gave your opinion immediately without fear for others thinking of you as an asshole.
2) You thought about it for more than 5 minutes later. You might even think about it for hours later that night.

It's not one or the other. Both are very important. I've seen more annoying and bureaucratic things happen because people are too afraid to say what they think, not because people think too little.

duncancarroll 5 days ago 0 replies      
To see a post like this is both satisfying and depressing.

Satisfying because it's always good to see someone learn an important life lesson.

Depressing because I know far too many smart people with zero humility. It's such. a. shame.

vlokshin 5 days ago 0 replies      
If you give this article 5 minutes AFTER you read this article, it's like... extremely honest and... awesome.
yepreally 5 days ago 0 replies      
I think 5 minutes is too little time when you've taken offense to something. A day is usually the right amount. For idea consideration, I think 5 minutes may not be enough for some and may be too much for others.
drats 5 days ago 1 reply      
Six days ago, during the last HN cycle of 37signals blog/marketing, I said that I thought they were desperate to prove that their path was so awesome because there was tension about not getting acquired and not really working on anything world-changing (http://news.ycombinator.com/item?id=3629729). I think this post of introspection from 37S supports my point. It confirms that all the other 37 Signals stuff was part of their program of constantly churning out contrarian pablum because it's good marketing, because people (young men usually) like to do that and because they have this uncertainty about them which needs to be masked with an aggressive stance.

Whatever the past reasons for posting, I welcome this blog, if it's genuine, because it might be the first signal of a change from the usual blogspam from 37signals that magically makes its way to the HN front page on a regular basis.

GitHub and Rails: You have let us all down. chrisacky.posterous.com
577 points by chrisacky  2 days ago   185 comments top 26
trotsky 2 days ago  replies      
Jesus, HN goes from zero to lynch mob faster than reddit these days.

Guy drops a zero day on a major service provider, guy gets his account suspended (temporarily, it turns out). In what possible world is disabling an account that has recently exploited your live product in a very visible way not ok? Remember, you don't have a chance to call a meeting with the C level guys and your community manager - you're one or two guys responding on a weekend.

The rest of the "oh my god the sky is falling" drivel about how terrible a bug it could have been and how they should never have had such a vulnerable bug in the first place is even worse. Security bugs are fuckups by nature - nobody sat and said well shit I was going to code this wrong but since it might allow a lot of access I won't. In terms of OH SHIT bugs this is actually rather small - I'm sure github's live infrastructure has been open to lower level remote execution vulnerabilities over the years - newsflash: we all have been. Getting user or superuser or db admin is going to almost certainly be a lot worse than an application authentication level vulnerability.

You say none of that matters because it's such an obvious bug and people have known not to do that kind of thing for years? Say hello to our old friends "buffer overflow" & "use after free" - still grabbing msft aapl & goog after all these years.

TL;DR - stop acting like children.

epistasis 2 days ago  replies      
I have lost all trust in GitHub, and not because of the vulnerability, but because of their response. With their suspension of homakov's account and deceptive blog post about the extent of the hole, GitHub has guaranteed that they won't be the first to know about the next vulnerability (and there's always another).

I've downgraded my paid account to a free account, and won't keep any non-public data on GitHub in the future. I had a similar response with my (non-paid) DropBox account. I guess I didn't rationally evaluate cloud resources, and have trusted far too many people.

dkrich 2 days ago 3 replies      
Give me an F'in break. I understand security is not something to take lightly, but no system is infallible. There was an oversight, plain and simple. It is debatable whether the Github/Rails Core Team was too lax, but I for one am tired of hearing developers whine and make a witch trial out of groups of developers that have moved the development community forward several huge steps just to make themselves sound smart or feel fulfilled. If you're such a hero, why didn't you discover this loophole? Please stop writing provocative statements and behaving as if the sky is falling on top of your head and the very fiber of our being is at stake. An open source language and a website written in that language were shown to have a flaw. Which has since been fixed. I hate developers who like to sound smart at the expense of somebody else. Get over yourself.

I also don't see how you can blast Github for its oversight of this issue but then defend the "hundreds of thousands" of sites that use Rails. Aren't they as culpable? Oh, I suppose Github is held to a higher standard than the rest of the dependent apps. If this is Github's fault, then it is also every other developer's fault who doesn't by default disable mass-assignment of attributes.

elithrar 2 days ago 4 replies      
> When the large portion of the technical world all depends on a single service, and that service is vulnerable to a variety of attacks, that makes anyone who consumes these services also vulnerable.

I don't mean to diminish the severity of this exploit, and the impact it has/could have had if left unchecked.

BUT, isn't one of the biggest perks of Git the fact that it's a distributed SCM? It's not a service where you must trust all of your data with the one provider, who might go belly up at any point and take it with them.

Yes, GitHub provides some fantastic social features and helps with community involvement through these features, but if you are dependent on a "single service" and you're using a DSCM/DVCS, you should probably look at a few alternatives to reduce that dependency.

raganwald 2 days ago 1 reply      
As Zed Shaw pointed out, someone appearing to be Homakov has posted a comment dating back eight years. Is Posterous vulnerable as well? If so, that may not be Homakov, of course, but his twitter comments are consistent with him posting it.


ericflo 2 days ago 2 replies      
I fail to see what GitHub did wrong here. They were attacked, they suspended the account doing the hacking, and they fixed the problem. Then, they blogged about it, explaining in detail what happened. Apparently they weren't quite reverent enough for the person who wrote this article.
aneth 2 days ago 2 replies      
The response to this makes me feel that HackerNews is now populated by a bunch of pretenders. This "bug" has been in Rails since Day 1, and any remotely experienced Rails developer is aware of this functionality. You can argue for a different default, but it's not a bug.

Github did have a bug and no one knowledgeable about Rails appears to have made even a cursory inspection of the security of their controllers - which is where attribute protection actually belongs, since different controllers and different users change different attributes. Protected attributes is a blunt tool for simple situations, which is why it's not enabled by default. Github had a pretty terrible bug, discovered, and fixed it. They may not have handled it perfectly, but they certainly don't deserve this sort of mob hatred - any competitor you go to is likely to have security flaws as well, perhaps more severe and subtle.

@homakov didn't just expose the bug in github, he exploited it to make an unauthorized commit to Rails master. His account most certainly should have been at least temporarily suspended as GitHub had no idea what else he might do to prove his point.

So basically, most of the comments here are glaringly wrong or ignorant bandwagoning, and it makes me wonder about the accuracy of information here about topics I'm less familiar with. A sad day when you realize all this intelligent discussion you thought you'd been reading about new topics was probably just grandstanding by eloquent fools.

jtchang 2 days ago 0 replies      
The one "good" thing that comes out of this public exploit is that github was the target.

Github is obscure enough to non-developers but quite well known in the development circle.

This means if you are using github you probably have a damn good idea what the vulnerability is. I'm not a rails developer (mostly python/django) but I get it immediately. This is mostly an issue with the framework helping me shoot myself in the foot.

Sure it's in the documentation. But realistically a good framework gives me sensible defaults so I don't have to refer to the documentation. I trust the framework does the "right thing".

collypops 2 days ago 1 reply      
> Beyond any shadow of a doubt, a shit storm of epic proportions has just gone down...

> ...this episode has been handled is a face-palm fail of epic proportions.

I'm all for, like, the evolution of language, but can we please all, like, agree that 'fail' isn't, like, a noun, and 'epic' is, like, totally overused.

Kiro 2 days ago 4 replies      
"If you are one of those strange coders that don't use GitHub".

Never used and never will. What's strange with that?

endlessvoid94 2 days ago 1 reply      
> Beyond any shadow of a doubt, a shit storm of epic proportions has just gone down.


mkramlich 2 days ago 0 replies      
I'm not too worried about the ability of an attack to push a commit, or cause a commit/object deletion in a repo's history, on GH, because most smart folks (if not everybody, by default) will have multiple copies of a repo across multiple machines, with backups, so anything can be undone or restored. (And trust me, I have the imagination to understand how an unauthorized commit/push could lead to a situation enabling remote execution on client machines who've pulled down tainted commits. Think build scripts that have "install rootkit/malware/keylogger" commands added to them in the mal commits.)

What would be worse is if this vulnerability allowed an attacker to get unauthorized read access or pull/clone access to a private GH repo.

Can anyone clarify for me whether this was possible?

tlianza 2 days ago 2 replies      
I'm not sure if everyone noticed the last comment on this article: http://screencast.com/t/Nobted7zv5z

Posted "almost 8 years ago", i.e. posterous would appear to have the same vulnerability.

ktizo 2 days ago 0 replies      
I'm starting to like homakov more after reading this article.
alinajaf 2 days ago 0 replies      
Though I will say that mass assignment is about as rookie a rails mistake as you can make, I won't be leaving github.

They've delivered so much value over the past four years for me that I can forgive them this and I'd still have (a little) goodwill towards them left over.

n8agrin 2 days ago 0 replies      
There is so much bombastic talk in this post. This has to be a troll.
tmcdonald 2 days ago 2 replies      
I'm not sure all the things you list as being possible are true.

> - Every GitHub Repository could be accessed by anyone as if they had full administrator privileges.
> - This means that anyone could commit to master.
> - This means that anyone could reopen and close issues in issue tracker.
> - Even the *entire* history of a project could be wiped out. Gone forever.

As I understand it from his explanation[1] he added his public key to the Rails user, which has permissions to push/pull to the repository. This doesn't mean he had web administrative access, just Git access, since you cannot log in to the web service using your private key. I hope that's the case, at least.

[1]: http://homakov.blogspot.com/2012/03/how-to.html

meow 2 days ago 0 replies      
For me the sad part is that there is an almost even split between people arguing the right way to bring this issue to everyone's notice. I think this is the perfect way to show how serious the issue is and to get more sites to adopt the fix.

Exploits like this are worth a lot on the black market. They are worth even more if you provide a precious and vulnerable target to go along (github).

tlowrimore 1 day ago 0 replies      
I'm sorry, but this feels to me like an over-dramatized heap of bullshit.

First, the statement, "Rails. You clearly messed up." is self-righteous bullshit at its finest. Rails didn't mess up; the programmer(s) at Github messed up. No conscientious developer lets the end user mass-assign variables carte blanche. But with that said, _every_ developer messes up every now and then despite their best efforts; sometimes they mess up in a big way.

Secondly, if a user discovered a vulnerability in something I wrote, and they handled it like homakov did, I'd ban the shit out of them until I knew for sure that they weren't a threat.

Finally, Github handled this exactly the way many companies would handle it: it's called damage control. These guys are really good at what they do, they provide a great service and they offer-up a lot of their tools to the FOSS community.

knodi 2 days ago 1 reply      
This is the first thing a developer learns about securing a Rails app: how to properly handle mass-assignment. I don't blame Rails, I blame Github.
telent 2 days ago 0 replies      
AFFECT, grrr. Not effect. To effect every coder would be to bring them all into existence, which is clearly not what happened here.
eli_gottlieb 2 days ago 0 replies      
Oh, they've let you all down? Then stop using other people's web applications and just run your own git/hg server. With blackjack, and hookers.

You are vulnerable to someone else's fuck-ups as long as you insist on giving up control over your data and code in exchange for the convenience of someone else doing the "hard work" of development and administration for you.

Hell, restore the network to being peer-to-peer rather than hierarchical, and hosting your own whatever will no longer be such a damn problem.

edu 2 days ago 0 replies      
Posterous is down?
colinmarc 2 days ago 0 replies      
+1 for the usage of "github-gate."
latetothepatty 2 days ago 0 replies      
I used GitHub and I'm not moving my stuff off. If an app gets hacked, then not long after, that app will likely be the most secure place. GitHub at least keeps it up most of the time. Who you really should be mad at are the Rails maintainers and the RoR community. I switched from Java to Ruby a few years back, and since day one, everyone using Rails has been slack on security. The reason is that they make things too easy to leave wide open. Don't believe me? Read the Rails official documentation for starting off. It is all about ease of use, not security. If you are new, you have no idea what you've really left open even when you just generate a scaffold as they show you to do. The main thing that Rails security has going for it is that the adoption of Rails is still relatively low, and because a newbie isn't likely to scale their app well, odds are you won't have an extremely popular, extremely performant Rails app that is just asking to be hacked that easily.
ggwicz 2 days ago 0 replies      
Shut the fuck up.

How many companies get hacked regularly like this but keep it under the rug? You think FaceBook's never been exploited? TurboTax? Mint? Stripe? PayPal? Shopify? Tumblr? Pick your app that "so so so so many businesses" use regularly, and I guarantee something like this has happened with all of them.

But were they open about it?

GitHub's been open the whole time.

Your post is like saying "All criminals are stupid". This is ridiculous, as the only sample you know of and can work with are the criminals who have been caught. You don't know how many other criminals are out there getting away with their crimes, because...they haven't been caught yet.

Who knows how many other companies have had hacks like this in the past two months alone, for example? I don't, and neither do you.

But GitHub, as an open, honest company that so so so many of us use regularly (which means we know right away when there's a problem, especially with a hugely popular repo like Rails/rails) has been in the spotlight since the second this happened.

GitHub, in my opinion, has acted really cool about this. They addressed the issue, explained what the issue is, patched the hole, and even reinstated the hacker's account. DHH addressed the issue in twitter, other people in the community have admitted they fucked up, and now we as a community can work on fixing this.

That doesn't sound like "Letting us all down".

Someone who expects everything to work perfectly all the time and have no vulnerabilities is someone who will be let down by anything, a pessimist, and stupid. And certainly not worthy of the front page of Hacker News.

"Egor, stop hacking Github" homakov.blogspot.com
436 points by llambda  2 days ago   110 comments top 12
JangoSteve 2 days ago  replies      
Given the recent story on HN about how a former YouSendIt founder had taken their servers down to prove their vulnerability [1] [2], I'm surprised how little reverence these "lol-hackers" (that's going to be my term for them) give to showcasing these vulnerabilities by exploiting them in the real world and messing with people's real things.

I know as hackers, we feel a duty to show people how serious these things are and that we get impatient and annoyed when ignored. And I also know that it's hard for us to reconcile the idea that when we show the owners rather than tell, it's suddenly considered a crime. But it is.

Let's try an analogy. Door locks on houses are ineffective. Think about it. Your house is covered with windows, which are made of glass. Glass is really easy to break. I mean really easy. If you found out your neighbor didn't have a house alarm, you might talk to them and tell them they should get one. If they didn't get one, would you then break into their house one night and walk into their bedroom to show them how dangerous it is?

OK, who knows, maybe you have a weird relationship with your neighbor. Furthermore, this is an imperfect analogy, because here, Rails and Github are both responsible for other people's property.

But now imagine it's a business across town and that you don't actually know the business owner. If you broke into their business to show them their building's security vulnerabilities, you bet your ass they would press charges and I don't think anyone would blame them. Even if you're doing it with the best intentions, it's still vandalism at best.

All of that being said, this is a very effective way of making your point and getting people to fix the problem. That doesn't make it right. But if you're willing to put yourself in harm's way and essentially become a martyr to get these security vulnerabilities fixed, more power to you.

[1] http://news.ycombinator.com/item?id=3643102

[2] http://www.inc.com/magazine/201203/burt-helm/a-silicon-valle...

wycats 2 days ago 5 replies      
For what it's worth, we'd like it if security vulnerabilities in Rails were disclosed to http://rubyonrails.org/security.

Obviously this situation is a bit more complicated, as a ticket was opened up, and a lot of community discussion occurred. In general, emails to the security list are taken extremely seriously.

lnanek 2 days ago 2 replies      
This reminds me of how PHP used to turn HTTP request variables directly into global programming variables by default. Now it only happens when you enable the register_globals option. I don't think I've ever met anyone who didn't consider it a huge security issue.

This rails behavior is actually even more powerful than the old PHP one for hackers because with this you get directly into the model and then the DB when everything is still left as generated, not just the temporary variables. It's actually pretty surprising how much resistance there is to fixing the issue.

It could be that the proposed whitelisting isn't the only solution. It does require annoying configuration. With PHP, nowadays, most people just access a particular array when they want their request variables. Similarly, maybe Rails could have a request model object and a DB model object with simple methods for copying state between the two. Maybe combine it into some sort of validation logic with user-friendly error messages being specified. I guess it is still more work than default overwriting of the DB with request variables, though.

waffle_ss 2 days ago 0 replies      
If this vulnerability is really due to attr_accessible, then that's got to sting for GitHub as this is a well-known "insecure by default" issue in Rails, and GitHub is probably the most (or one of the most) public Rails app out there.

Would be kind of scary if he had injected some nastiness into the rvm repo master branch, for instance, because I know some people do ride on the master version (`rvm get head`). Or, some gems that are built from Gemfiles pointing at the git repo on GitHub.

Luckily, git itself is quite resilient to attacks on the repo integrity so I don't think there could be much long-term harm done (no rewriting repo history would go unnoticed, for example).

jclem 2 days ago 2 replies      
Are people misunderstanding this?

It is not a bug. It's an acknowledged part of the framework (http://guides.rubyonrails.org/security.html#mass-assignment), although one that could get a developer into trouble without knowing to protect attributes where necessary.

If he'd known that there was something the GH team missed, he should have just brought the issue to them directly. If I realize my neighbor's house is in danger of collapsing because the contractor used the wrong type of wood, I don't bring the issue up with a lumber yard and then knock over my neighbor's house to prove a point when they ignore me.

I agree that it's a problem that many developers aren't aware that they need to protect against mass assignment, but it seems like this dude is totally misunderstanding the entire ecosystem here, and now people are calling him a "hero" because he took advantage of something that everyone already knows.

Big whoop.

gaius 2 days ago 1 reply      
'Bout time someone took the Rails "rockstar ninjas" down a peg or two.
nchuhoai 2 days ago 5 replies      
Can't decide whether to love or hate this guy. For his young age, he seems to have an impressive skill set, but you can totally tell the douche growing inside
rmoriz 2 days ago 0 replies      
Sometimes it's better to do bold moves when some nasty thing needs attention and no one is really hurt.
javajosh 2 days ago 2 replies      
This is not a rails bug, but a github bug. The discoverer reported it in the wrong place, the rails people (correctly) told him to report it to github, he ignored them, and this hilarity ensued.

While this is a legit bug on github, and Egor deserves credit for finding it, he also deserves a scolding for the classic noob mistake of not reporting it to the right place.

BenjaminCoe 2 days ago 1 reply      
Alright, this did a pretty good job of winning me over to Egor:


That tattoo is legit.

joelhaasnoot 2 days ago 3 replies      
Don't quite think this is what I'd call "responsible disclosure", and not exactly sure this is "disclosure" either.
Volpe 2 days ago 0 replies      
tl;dr; - Learn about: attr_protected[1]

[1] http://guides.rubyonrails.org/security.html#mass-assignment
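As an added example, not code from this thread or from Rails itself, here is a plain-Ruby stand-in for an ActiveRecord model that mimics the three mass-assignment modes the comments above (lnanek's and Volpe's) refer to: the open default, an attr_protected-style blacklist, and an attr_accessible-style whitelist, run against one constructed tampered request. The class, method and attribute names and the params hash are all constructed for this illustration.

```ruby
# Added example, not code from the thread or from Rails: a plain-Ruby stand-in
# for an ActiveRecord model that mimics Rails 3 mass assignment, so the three
# protection modes discussed above can be compared offline.

# Constructed params as a controller would receive them from a tampered form:
# "admin" and "public_key" were never fields on the page, but a client can
# simply add them to the POST body. The key value is a placeholder.
TAMPERED_PARAMS = {
  "name"       => "alice",
  "email"      => "alice@example.com",
  "admin"      => true,
  "public_key" => "ssh-rsa PLACEHOLDER-KEY",
}.freeze

class MassAssignableModel
  # Columns of the constructed table; Rails would read these from the schema.
  ATTRIBUTES = %w[name email admin public_key].freeze

  attr_reader :attributes, :dropped

  # mode is one of:
  #   :open      - nothing declared: every known column in params is written
  #                (the Rails 3.x default the incident was about)
  #   :blacklist - attr_protected style: the listed columns are dropped
  #   :whitelist - attr_accessible style: only the listed columns are written
  def initialize(mode, list = [])
    raise ArgumentError, "unknown mode #{mode}" unless %i[open blacklist whitelist].include?(mode)
    @mode = mode
    @list = list.map(&:to_s)
    @attributes = ATTRIBUTES.each_with_object({}) { |a, h| h[a] = nil }
    @attributes["admin"] = false
    @dropped = []          # keys that were refused (Rails logs these)
  end

  # Stand-in for Model.new(params[:user]) / update_attributes(params[:user]).
  def assign(params)
    params.each do |key, value|
      key = key.to_s
      next unless ATTRIBUTES.include?(key) # unknown columns are ignored here
      if allowed?(key)
        @attributes[key] = value
      else
        @dropped << key
      end
    end
    self
  end

  def admin?
    @attributes["admin"] == true
  end

  private

  def allowed?(key)
    case @mode
    when :open      then true
    when :blacklist then !@list.include?(key)
    when :whitelist then @list.include?(key)
    end
  end
end

# The vulnerable shape: no attribute protection declared at all.
def open_model(params)
  MassAssignableModel.new(:open).assign(params)
end

# attr_protected :admin style, but public_key was forgotten: a blacklist only
# covers the columns someone remembered to list.
def blacklisted_model(params, protected_keys = %w[admin])
  MassAssignableModel.new(:blacklist, protected_keys).assign(params)
end

# attr_accessible :name, :email style: anything not listed is refused,
# including columns added to the table later on.
def whitelisted_model(params, accessible_keys = %w[name email])
  MassAssignableModel.new(:whitelist, accessible_keys).assign(params)
end

if __FILE__ == $PROGRAM_NAME
  [[:open, open_model(TAMPERED_PARAMS)],
   [:blacklist, blacklisted_model(TAMPERED_PARAMS)],
   [:whitelist, whitelisted_model(TAMPERED_PARAMS)]].each do |mode, m|
    puts "#{mode}: admin=#{m.admin?} public_key=#{m.attributes['public_key'].inspect} dropped=#{m.dropped.inspect}"
  end
end
```

The blacklist run still writes the forgotten public_key column, which is why the whitelist form is the one the Rails guide linked above recommends.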

Mercedes uses LEDs and a Camera to make "invisible car" for marketing youtu.be
440 points by got2surf  3 days ago   93 comments top 21
encoderer 3 days ago  replies      
Mercedes really has a fantastic heritage of "hacking" the driving experience.

While other manufacturers have their own versions of modern safety tech, I've never seen it used as thoroughly across the lineup of cars as I do with Mercedes.

I bought a Mercedes for only one specific reason: It's very credibly the safest car I can put my family in that is also fun to drive. The safety tech on a commonly equipped Mercedes today is what you'll see on all cars in 5-10 years. Things like active blind spot assist -- If there's a car in my blindspot and I try to change lanes into it, the car will use the brakes on the leading side of the car to nudge me back into my lane. And active lane keeping assist -- it applies that same tech to prevent me going left of center if it thinks I'm drifting and not doing it intentionally. Attention assist -- it tracks my driving style and engagement and alerts me if I'm drifting off. Not to mention, just a lot of smart tech: Apply the brakes ever so slightly when it's raining to keep them dry. Seatbelt pretensioners. And structural things -- an extra firewall in the engine compartment. More, stronger clasps on the hood. Many of these features are found on other makes. But as a package, combined with a fantastic 7 speed automatic and turbocharged 8cl engine, Mercedes sells a wonderful car.

Please excuse me for being such a fanboy!!!

geoffschmidt 3 days ago 4 replies      
Of course, it doesn't actually look invisible unless you're standing in exactly the right place. That is why the stationary shots at the beginning of the video look so much more "invisible" than the moving shots later in the video. If you pause on those later shots, you'll see that there are big discontinuities around the boundary of the car.

Thought experiment: imagine the car as a sheet of glass. Think of yourself standing at position A and looking at a point X on the glass. You see a position A' behind the glass. Now imagine moving to a position B and looking at the same point X on the glass. You see a different position B'. The LEDs don't know if you are at position A or B, so they can't know whether to show the light from A' or B'.

randlet 3 days ago 4 replies      
Only tangentially related, but it really bugs me how these vehicles are being marketed as "zero-emissions" and being "invisible to the environment". Clearly the energy is being generated, and hence negatively impacting the environment, somewhere. It's just outright dishonest.
dazbradbury 3 days ago 1 reply      
Looks like a primitive version of the invisibility cloak from several years back [1].

Am sure someone made a more advanced version of this after the James Bond film came out though. Lots of tiny cameras interleaved with LEDs covering the surface of the vehicle...

[1] http://science.howstuffworks.com/invisibility-cloak-news.htm

david_shaw 3 days ago 2 replies      
If a car manufacturer can create this technology as a marketing stunt, I'd be really interested to understand the (existing) military applications of "active cloaking."

It doesn't really make things completely invisible, but it sure does seem like excellent camouflage.

rochoa 3 days ago 0 replies      
Top Gear guys did something similar in their Top Gear at the Movies special a few months ago: http://youtu.be/cZBqq-UaK98?t=34s
driverdan 3 days ago 1 reply      
Notice how the video is only 480 and not HD? I'm guessing it looks more impressive at low res since it's harder to see how low the "display" resolution is. Very cool but probably doesn't look as good in person.
hinathan 3 days ago 1 reply      
This is a much more sophisticated version of something that's been tried off and on since 1943: http://en.wikipedia.org/wiki/Diffused_lighting_camouflage
gyom 3 days ago 0 replies      
Note also that only one side of the vehicle has the cloaking. The other side is just ugly cameras and we can see that at the very end of the video (1:15).

It's not quite the invisibility cloak yet.

pohl 3 days ago 2 replies      
When I first saw that phrase while watching the video, I thought to myself: "I bet the top-voted comment is a pedantic reaction to that."
jakeonthemove 2 days ago 0 replies      
Oh man, I had this idea ever since I saw "Die Another Day". Always wondered if it would work in real life - apparently, it does!
pkulak 2 days ago 0 replies      
Did they figure out how to make one without putting a half a million dollars worth of platinum in it yet?
rewind 3 days ago 0 replies      
This is only bad if your real goal is pushing the specific car. If you're more concerned with brand awareness, or being remembered as innovative or creative or doing something unexpected, this type of commercial can be very effective. I'll definitely remember that it's Mercedes. I'll bet a lot of people on HN remember the Darth Vader kid was in a VW commercial, even though they may not remember which car it was an ad for or what the car looked like. They probably know that the talking baby is in an eTrade commercial, even though they might not remember what he was talking about.

But I'll agree with you that it is really easy to waste your marketing dollars on these commercials if the message isn't somehow making the viewer remember the brand. The ones that just celebrate the creativity of the ad firm ARE terrible; I just don't think this was an example of that.

rosstafarian 3 days ago 0 replies      
This is the same concept as the guy that made a Halloween costume out of 2 iPads[1]

Yes, it's nothing new but it's still damn cool and gets people talking.

[1] http://www.youtube.com/watch?v=V6p5mbp_M98

barcoder 3 days ago 0 replies      
This is nice, but it looks as if the team making the video hasn't used "real" footage, instead adding a layer of video over the LEDs to make the image cleaner. Some of the shots clearly show the LEDs though.
caycep 3 days ago 0 replies      
This is the camo built into Major Kusanagi in Ghost in the Shell!
cww 3 days ago 1 reply      
The technology seems pretty crude, but it's cool, nonetheless.
inghoff 2 days ago 0 replies      
What's the song?
hindsightbias 3 days ago 0 replies      
Panther Modern Wheels
gregatragenet 3 days ago 0 replies      
OMG I hope they bring it to burning man.
l33tbro 3 days ago 3 replies      
I don't want to sling mud at Ycombinator here .. but something is a bit fishy. This is currently the top voted article on HN, but it has only 300 views on Youtube (and 1100 likes - wtf).

Please tell me this isn't a paid spot - Mercedes trying to infiltrate an early adopter set. I don't want to jump to conclusions, but that would compromise everything about HN that we love.

What HN users don't mean to be hnsearch.com
428 points by pg  4 days ago   128 comments top 44
thaumaturgy 4 days ago 2 replies      
Well, "rude" is the clear winner, with 54 occurrences (and one "intentionally rude"). Runners-up:

    harsh                    21 ("overly harsh": 2; "too harsh": 1)
    negative                 13 ("unduly negative": 1; "completely negative": 1; "overly negative": 2; "negative Nancy": 2; "too negative": 2; "totally negative": 2; "intentionally negative": 1)
    snarky                   12
    overly critical          11 ("too critical": 3; "critical": 3)

Other common phrases:

    an ass                    8
    pedantic                  8
    argumentative             8
    insulting                 6
    a downer                  6 ("(a) Debbie Downer": 2; "down": 1)
    dismissive                6
    flippant                  6 ("flip": 3)
    offensive                 7 ("blatantly offensive": 1)
    cynical                   5 ("overly cynical": 1)
    condescending             5
    glib                      5
    a jerk                    5
    mean                      4
    pessimistic               4 ("overly pessimistic": 1)
    that guy                  4
    crass                     3
    curt                      3
    a hater                   3
    disrespectful             3
    patronizing               3
    presumptuous              3
    nit-picky / nitpicky      3

Terms that were only used twice: obnoxious, picky, insensitive ("culturally insensitive": 1), discouraging, crude, impolite, preachy, a tease, adversarial, coy.

HN has quite the vocabulary. There's a long tail of single occurrences: meta (ed: ha-ha), naive, cheeky, shortsighted, dumb, hasty, racist (ed: surprising!), stuffy, demeaning, snide, dense, nasty, personal, unhelpful, contrary, contentious, fanboyish, cold, doom-and-gloom, frivolous, facile, accusatory, callous, lame, inflammatory, hating, ironic, skeptical, trolling, trollish, patronizing, spiteful, sexist, disagreeable, controversial, simple, overly reductionist, hard on Aussies (ed: chuckle), antagonistic, off-topic, crabby, crude, derogative (ed: think they meant derogatory), passing absolute judgement, an idiot, an alarmist, an insensitive dick, a curmudgeon, an HN curmudgeon, a troll, a jackass, a tweak, a word Nazi (ed: surely not), a grumpy gus, a dick, a total dick, a stickler, a hardass, a killjoy, a huge downer, a turd, a burden, the grumpy skeptic ...

...and my personal favorite:

"the next snarky Lisp guy in the room".

There were about 7 other things roughly fitting the pattern here, but not quite within the spirit of the rest: e.g., "trashing Ballmer", or "overly favorable towards Google".

Quoted text was ignored where possible; instances of "or", as in, "insensitive or rude", counted as a point for each, except for "or anything", which was ignored. Terms were very lightly massaged, for example, "so callous" would have counted simply as "callous".

DarkShikari 4 days ago  replies      
It's an old rule that whenever someone says "I'm not racist, but", they are practically always about to say something incredibly racist. I think this can be generalized to all forms of "I'm not X, but" or, "I don't mean to be X, but", and so forth. "No offense, but, <offensive thing>" seems to also be a common variation.

Is there a word for this kind of linguistic construct?

(Possibly related: http://www.notracistbut.com/)

pg 4 days ago 4 replies      
This one produces an interesting list of offenses: http://www.hnsearch.com/search#request/all&q=%22far+be+i...
DanielBMarkham 4 days ago 2 replies      
"I don't mean to be" easily translates into "There's a hell of a long conversation here, with a lot of qualifiers, but frankly I don't have the time for it. Instead I'm just going to offer some generalization that you can easily throw rocks at. I know that you will, and now I'm telling you to have fun with it."

So if I say "I don't mean to be old grumpy guy" that means that what comes out of my mouth next will be a generalization and summary of my feelings that I fully know for all intents and purposes sounds like old grumpy guy. Sorry, can't be helped. That's the way the summary looks.

Most of the time people do not use such linguistic qualifiers out of some desire for self-protection or having some mechanism to inoculate them from some horrible thing that follows. It's simply a shortcut. I always thought this was pretty obvious.

I know pg posted this, and it's his site, but is there really something here worthy of this being on the front page? Is this some kind of clever editorial about the quality of the commenting? If so, I don't get it. People are trying to be nice about their criticisms?

endtwist 4 days ago 3 replies      
From a cursory look, it seems like the most common (in order of frequency) are:

1. Rude

2. Pedantic

3. Snarky

4. Negative

5. An ass

6. A downer

7. A jerk

I'd love for someone to actually analyze the results and get the numbers, though.

tokenadult 4 days ago 0 replies      
Comments asking for sources may be catching on.


After edit: I recall the brilliant use of "can be shortened to" in this example from the HN Guidelines:

"When disagreeing, please reply to the argument instead of calling names. E.g. 'That is an idiotic thing to say; 1 + 1 is 2, not 3' can be shortened to '1 + 1 is 2, not 3.'"


Similarly, a comment that begins with "I don't mean to be [X]" can be shortened to making the statement that follows the "but" in that sentence, probably for better rhetorical effect and persuasive power, especially if the statement is actually based on a reliable source mentioned in the comment.

petercooper 4 days ago 1 reply      
A couple of years ago, we discussed pg's use of "it turns out" here on HN. It turns out a lot of people enjoy the phrase still :-) http://www.hnsearch.com/search#request/comments&q=%22it+...

And the old discussion for context: http://news.ycombinator.com/item?id=1162965

scottkrager 4 days ago 4 replies      
"to be honest"

One of my pet peeves...are you usually not honest with me?


ck2 4 days ago 0 replies      
So this is data mining in that the poster clearly defines what they are about to actually do.

In fact you don't even need the "be" part, though it gets more complicated; you could even just analyze "I don't mean to" - whatever follows immediately afterwards characterizes the post?


thekungfuman 4 days ago 1 reply      
I don't mean to be meta, but this comment now appears in this article.
primigenus 4 days ago 0 replies      
I used to start sentences with "No offense, but..." when I felt I was going to say something controversial until a coworker pointed out that the only reason what I was saying was controversial was because I prefaced it with "No offense, but...".

So now I don't say that anymore. I just say what I mean and people aren't as likely to be offended.

davyjones 4 days ago 0 replies      
Has happened to me more than once when my comments online have been construed as hostile when I never had the intent. Especially on this medium, where one's face and vocal tone cannot be communicated, I think such disclaimers are necessary (evil?). Also, there is the "Be civil" HN doctrine. So there.
Herring 4 days ago 5 replies      
When someone says "but", it usually means "Ignore everything I said before the but." It's like "No offense".
rfrey 3 days ago 0 replies      
Looking through this was interesting and fun.

I'm surprised at some of the comments that posit intent doesn't matter in communication. Intent matters a great deal: a question can be sarcastically rhetorical or earnest, a comment can be blunt-but-helpful or simply meant to hurt, a reply can be a defensive knee-jerk or a clarification of position. It's possible for the same string of words to be either of those alternatives, the choice made only by intent of the writer.

In physical communication there are many cues to indicate the intent of the speaker. Writers must provide those cues intentionally.

"I don't mean to be" is often (not always) lazy and meaningless, of course, but that doesn't imply intent doesn't matter.

benwerd 4 days ago 0 replies      
Related: questions that have been begged: http://www.hnsearch.com/search#request/all&q=%22begs+the...

(Features pedantry and inexplicably purple microbes.)

ChuckMcM 4 days ago 0 replies      
And the other one: http://www.hnsearch.com/search#request/all&q=%22that+bei...

Interesting take on linguistic analysis.

overcyn 4 days ago 0 replies      
I don't see anything wrong with this. There are a lot of posts on HN that are looking for feedback, and criticism can very easily be mistaken for aggressiveness. Sure, rudeness is rudeness, but prepending "I don't mean to be..." in front of your sentences doesn't make it so.
thought_alarm 4 days ago 2 replies      
The earliest use of "sheeple" was from user "stcredzero" almost 4 1/2 years ago, in a comment that, unsurprisingly, mentions John C. Dvorak.


Gosh, this is a terrific resource. It's almost as much fun as Google's Usenet archive, back when it actually used to work.

bicknergseng 4 days ago 0 replies      
Amazing how this thread took over the whole first page of results from that search.

There's a few things that are interesting about this whole thing though.

First, that HN's users are this good. Many other communities across the web eventually degrade into news entertainment troll parties, sometimes needing to be removed in order to preserve some kind of dignity on the mother site. I'm sure there are worse things said here, but they are very much the exception.

The phrase itself also got me thinking about how people express things on the web. I imagine the majority of comments with that phrase have some malicious intent, but there is also the possibility that whatever idea the user is trying to convey is something not easily expressed in text through the internet impersonally. For example, a conversation on racial stereotypes will inherently have racist undertones, but it is entirely possible that people want to discuss it genuinely without meaning to offend people. Part of the problem is that it's very difficult to communicate things like sincerity, empathy, etc. via plaintext. Another part of the problem is that people are very...willing...to be offended... though I haven't decided how much of a role the internet plays from this angle.

One takeaway: if you aren't meaning to offend people, choose better words on the internet. It's likely the easiest way of saying something is offensive and will offend.

ElbertF 4 days ago 0 replies      
ricardobeat 4 days ago 0 replies      
Related: what HN users don't want to sound like


shingen 4 days ago 0 replies      
I don't mean to be speculative, but I think it's always the "but" in the opening sentence that is really interesting.
staunch 4 days ago 1 reply      
I assume this is related to PG's disappointment with HN'ers ragging on companies when they first launch.
waitwhat 4 days ago 0 replies      
I am reminded of the classic "not here to make friends" http://www.youtube.com/watch?v=w536Alnon24
molecule 4 days ago 1 reply      
kevinpacheco 4 days ago 0 replies      
Similar results here: http://www.hnsearch.com/search#request/all&q=%22I+hate+t...

The proper response to most of these statements is, of course, "So don't."

TeMPOraL 4 days ago 0 replies      
What HN users hate to say, but still do:
stevenspasbo 4 days ago 2 replies      
"I don't mean to be curt, but what's the point of this?"


mwerty 4 days ago 0 replies      
"Don't get me wrong."

I have to suppress "Then why don't you say it right?"

ktizo 4 days ago 0 replies      
..first, let me point out, I do mean to be cynical. ;p
mattdeboard 4 days ago 1 reply      
Surprisingly there are more results for "viagra" than "autodidact"
anxrn 4 days ago 0 replies      
Sorting descending by time makes this a meta post:

It also makes this comment a meta^2 post.

hc12 4 days ago 1 reply      
Here's an interesting one
Why you should blog posts

I'm sure there are as many how-to's posts.

josiahq 4 days ago 1 reply      
HN goes self-referentially meta, and the slow transition to becoming reddit begins...
chrisacky 4 days ago 1 reply      
This is pretty awesome. Is this going to be included in the main HN pages?
andrewhillman 4 days ago 0 replies      
I think this shows that HN users are careful w/ words because they don't want to come off negative and be down voted.
donohoe 4 days ago 0 replies      
I don't mean to be in the first page of results, but I couldn't help it
MortenK 4 days ago 0 replies      
Try also "strawman", "ad hominem" and "to be fair".
balsam 4 days ago 0 replies      
looks like pg's stumbled upon a way to find smart comments
evanlong 4 days ago 0 replies      
I don't mean to be rude but was this really necessary :P
J3L2404 4 days ago 0 replies      
The eloquent being so obtuse.
silentscope 3 days ago 0 replies      
clever. and I mean it.
Sad, Tired, and Alone: My Ongoing Battle With Startup Depression zakhomuth.com
357 points by liamk  5 days ago   96 comments top 43
cwilson 5 days ago 3 replies      
I mean this in the nicest way possible, but this is one of the most frustrating things I've ever read, as well as many of the comments echoing the author. I do commend you for posting this publicly, that takes guts, but you have to do something about it. If I were your CEO, I'd insist you take a very long break, right now.

You realize you're going to die, in the best case, 70 to 80 years from now, yeah? Likely much sooner with the mental state you just described. This is all very blunt, and probably harsh, but my point is life is short and you only get one shot. I can't believe you'd subject yourself to this, all for a startup, or for the startup lifestyle. I do not mean to belittle what you are passionate about, or the time and effort you've clearly put into your company, but there is more to life than this.

Take a break. Take a very long break (I'm talking a year at least). Go travel, go home, go somewhere, but stop slaving away and sitting in your room for days at a time. Go be around other people, be it family or friends. Find love, and love yourself. You can always pursue your entrepreneurial dreams after you're happy (and your company will benefit from your happiness).

The startup lifestyle is an incredible journey, I'm on a third myself, but if I felt even remotely close to what you just described, I'd quit in an instant. It's not worth that to me, not even close. I'd prefer to be happy, love, be loved, and work in a coffee shop for the rest of my days before I'd trade it for being depressed in the way you describe.

You owe it to yourself to be happy, so quit wasting time.

j45 5 days ago 4 replies      

Thanks for writing this, it's a brave and open and honest thing to do where people are afraid of doing those things. At a certain point, we have to get over what others think and get to figuring out what we think, and how it should be.

I believe a person does whatever they do to find a certain amount of peace in themselves and their lives.

I'd like to share some scraps I've scraped together on finding, and keeping a positive and healthy inner-dialogue and energy. This discipline has helped me more than any education, talent, skill that I have. It fuels them all. The below is not perfect, no one is perfect, there is no perfection to attain, only better discipline.

I put the pursuit of a better-self like taking a shower, I have to remind myself daily, in my words that have meaning to me, or my energy will stink.

Every action, every choice we take is ultimately geared at getting to a peaceful flow, focused and purposeful.

Whether the actions are dietary, physical, sensory, emotional, mental input, all aim at getting a neurological hit of the great peace that comes from great understanding / accomplishment.

Deep, meaningful, fulfilling, satisfying, lasting peace and contentment that fuels us forward. Soak that idea up.

The thing is, the things we pursue to find this peace / flow / focus / presence in the present / attention don't provide it. The things that we need to do (build healthy habits and discipline to over-ride and reset us when we're in a rut), we don't build enough muscles of.

Strengthening weaknesses and weakening what we need our strengths to be doesn't work, and ends up feeding the monster of ineffectualness. Sounds easy enough to understand, but pay attention to what you say, do, and say you do and increase the discipline of consistency between those three.

Whenever I look around me and say this sucks, it's usually because everything around me is moving, and I'm not.

My most favorite reminder; Keep moving. Inward, onward, upward.

A lot of folks take logical thinking to the extreme of building so many doubts that they seem so insurmountable that they lose the spark of possibility in themselves. They then turn to spreading their belief in the insurmountability of their doubts by helping others doubt themselves, partially to validate the fact that their own doubts were insurmountable. I call this spreading confusion and doubt. Everyone does it, some worse than others.

Filters and finding doubts in something are really important. Having it be the only way you see life fuels imbalance.

I like living in possibility and creativity, more than doubt and elimination of possibility. So I try to stay there more, than doubt.

Consider if a lack of peace comes from trying to understand something with our mind when we should be trying to understand it with our heart, or our gut, or vice versa. A lot of pain happens here and wears anyone down.

If something is becoming a zombie like experience, throw a wrench into it. Change your perspective. Get out, Get away, change it up. Instead of fuelling doubts in a negative downward spiral, learn, and then remember to hit the reset button to start fuelling possibility and forever spiral upward.

What if, instead of why not. How can, instead of how can't. The mind is amazing. It will see what you want, connection, or disconnection, relation, or unrelatedness and deliver time and time again.

I'm a big fan of logic. I'm a bigger fan of awareness and understanding, which isn't black and white, but a lot of colours that make up the picture.

If we don't like what we see, change how we see it. It's all there.

Our dominant world viewpoint is the true religion through which we see and process the world inside, and outside of us.

A threatened person lives in a threatening world.
A scared person lives in a scary world.
An untrustworthy person lives in an untrusting world.
A trusting person lives in a trusting world.

Prolonged visits in one ups or downs aren't productive, or fun. I pick centered, serene, calm, focus over ups or downs any day and try to saturate my life with it. Reminders all around me.

Why peace? It's the closest to the flow. We keep getting what we've been getting, when we keep what we've been doing. If we don't want what we have, we have to change what we're doing. It's important to work on your awareness of your awareness, and your awareness of your thinking to catch it.

The main culprit; thinking. We aren't supposed to figure things out before we do them all the time, or where would the journey and discovery of ourselves be? All we can work on is developing the best mindset for the journey and head in the best direction we know how.

It's too easy to get into a cycle of analysis paralysis. Of trying to understand everything to the end, before doing anything.

For me, I tend to notice thinking rarely solves problems worth solving. Problems worth solving come from going on the path of experiencing them, not staying in them, and going through them.

Let me know what you like, or don't.


alaskamiller 5 days ago 1 reply      
He wants it. He wants it so bad. But even when he puts in the work, has the drive, and tries so much success isn't there.

This is the flip side to every multi-million-dollar exit of some social widget or TechCrunch rah rah bullshit or the stock buyouts of a collapsed firm.

This is the reality in the tech game. Not everyone wins. I know this, I felt this, I felt the highs and lows.

But something isn't working. Many point out to trying too much, too hard, psychological, depression, so on so forth. These comments here ring a bit hollow because they dismiss what Zak already wrote. He is a smart cookie, he knows the sickness, he knows the cure. The only remedy is change. Not only change but be brave enough to also accept change. The metaphorical come-to-Jesus moment is nigh.

Then take five minutes and really think about this and see this for what it is. This post has been read over 9000 times--almost a third of all tech workers in the city of San Francisco--and rallied over 80 comments with people even arguing whether suggestions are mean spirited. Meaning: you are not alone.

Others get this, others empathize. Because we are the community that wakes up every morning and want it bad too. That in itself is pretty amazing.

What's the real solution? No one can give you that. It's going to be personal. You're a startup vet. Deep down you know what to do. Success is not a straight line, it's meandering, it's failures, it just is.


subwindow 5 days ago 6 replies      
I don't want to be pedantic, but this is not depression. Depression is 6 months without a single high point. Depression is not a roller coaster- there are no ups. Just down. For a long fucking time. I've been depressed off and on for the past 10 years- about 5 depressive periods, each 6-18 months.

I don't want to minimize the OP's struggles- he most certainly has some kind of mood disorder (possibly rapid-cycling bipolar disorder or RBD). There may be depressive episodes involved, but I don't think the word "depression" should be used unless it's referring to Major Depressive Disorder or one of its close siblings.

Again, I'm trying hard to not be pedantic. It just frustrates me when people think that depression is something you can get over, or that will get better in a day or a week. That's just not the case.

sachingulaya 5 days ago 1 reply      
Some thoughts:

Mood stabilizers are not an appropriate first (SSRI), second (tricyclic), or even third line (MAOI) treatment for depression.

Your idea that you need to be sad to be happy is common among people who suffer from depression. But being depressed isn't 'part of the roller coaster'. You most certainly can have the highs without the lows...except if you're on mood stabilizers which work wonders at taking away both.

What's most concerning to me is that you credit your depression with so much of your accomplishments and motivation. There is absolutely no honor in suffering. That's just you buying in to a narrative. I feel happy when I've accomplished something. Other days I feel moderately happy and driven to accomplish something. No depression necessary.

And yes, I suffered from severe depression for years but would prefer not to discuss it publicly ;).

mmaunder 5 days ago 2 replies      
Stop drinking and any recreational drugs immediately.

You need to be having fun doing your startup or you won't be able to succeed and should do something else. So if you're spending most of your time writing code, try to make it fun again. If you can't then I recommend the following:

Go and get a physical job for a few months, preferably somewhere rural. It will remind you what real hard work is like, get you physically fit and give you the satisfaction of having achieved something tangible at the end of your day. Come back when you're ready.

redthrowaway 5 days ago 0 replies      
I really respect you for taking the leap and talking about it. This is not an easy decision to make, particularly for folks like me who trend towards stoicism, even at the best of times.

It can be excruciatingly painful to talk about that which everyone knows, but keeps quiet. In doing so, you not only help yourself resolve your issues, but also allow those who come after you to get a more honest lay of the land, and more ably deal with the challenges that await them.

For that, I salute you.


chegra 5 days ago 1 reply      
1. Eat slow burning carbs. This has the double effect of forcing you to eat slower [i.e. you will eat less] and giving you longer lasting energy.

2. Eat foods that will enhance dopamine: banana, avocado, almond nuts, ginseng, tangerine, red clover.

3. Keep away from food you are allergic to.

4. 10 minutes of exercise can get endorphins pumping but for a good kick, look for like 20mins. [You might struggle to get your first 10mins in but push through]

5. Give friends a call [maybe even by cam], better yet visit them.

6. Go get three massages [consecutive days] or ask a friend to give you a hand massage.

7. Cinnamon and Honey Tea. Mix a teaspoon of cinnamon and honey in hot water[about a cup]. Cinnamon and Honey both have anti-bacterial properties and strengthen the immune system.

lukifer 5 days ago 0 replies      
I've often read that there is a correlation between bipolar and starting up a company: "the highs are higher, the lows are lower." (Which tends to cause which is academic.)

Here's what I've discovered: the highs are far more dangerous than the lows. The highs are good, whether they're based on real-world success, or your invisible fuel, the die-hard belief in what you're pursuing. You need those highs: milk them for all they're worth.

But what goes up, must come down. Whether based on a real setback, or a stray negative thought, it doesn't take much to send you back down to earth, or straight through to hell. When the confidence evaporates, suddenly those unpleasant realities you were dismissing all hit you at once, and it's too much to deal with.

Everything you mentioned is great for riding out depression: sleep, a good meal, exercise, relaxation. You've got the treatment covered quite well. But after you bounce back, pay attention to that "winning" feeling, and work on moderating it to just the level you want, so that it can burn for longer, and you have less far to fall. Keep spending time on basic human needs, even when you're on top and you feel capable of 18-hour days.

Ideally, you want a steady engine, not bursts of up and down. But those will still happen sometimes; roll with it, forgive yourself, ride it out, and keep moving. Good luck!

(This is just a bit of awareness I picked up about myself; your mileage may vary.)

dchuk 5 days ago 0 replies      
Dude, I deal with this shit literally every day. I've spent a ton of time studying what can be done, and lately I've decided to use my skills as a web developer/startup guy to build a tool that can (hopefully) really help people like you and me.

Please email me (if OP is reading this, or anyone else who wants to discuss this) at admin@serpiq.com and I'll share what I'm planning. If you're a rails guy, we can even collaborate on the project (even if you're not, we can figure something out).

EDIT: To add some more to this, don't give up on drugs just yet. I've been taking Prozac for the last few months and it's made a HUGE difference for me. Not saying it's the right drug for you necessarily, but definitely experiment with different options (legally experiment). For instance, I was on Lexapro a few years ago and it royally screwed up my stomach and didn't fix anything.

paraschopra 5 days ago 2 replies      
What I have found is that you need to separate your personal worth from your startup/professional worth. Do not derive your personal identity from your startup. Although it is easier said than done, you don't have a choice.

Are you doing anything outside of your startup? Like learning a new language, getting into Art/Movie clubs or travelling?

alecco 5 days ago 1 reply      
The state of HN: a lot of unqualified people giving idiotic advice to someone who needs professional help.
depressedalot 5 days ago 1 reply      
I'm in the same boat, and honestly it is comforting to see things like this. I feel like seeing that others are in the same place and struggle with the same things makes me feel like I can get over it too.

I do almost the exact same things as well - massive weight gain, HUGE sleep problems (to the point where I end up going to sleep at sunrise, sleeping all day), lack of exercise, avoiding friends/gatherings, etc. I haven't left my apartment in 4 days now.

All of this while running a semi-successful (to the point where it pays my bills) consumer facing service company. It is difficult. It's difficult when I can't bring myself to answer the phone, call someone back, or give them an update on an order.

I have history of severe mental illness in my family, and it is actually a bit of a motivator to think of them. The family member in particular literally has spent 10-12 years trying to have a normal life while sleeping 12-18 hours a day, heavily medicated, in and out of hospitals (easily half the year in the hospital, for the past 15+ years), and 100+ ECT treatments. I don't want to be that. I don't want to get that far, and it pushes me to pick up that damn phone or send that email. I know that is a bit twisted, but it works for me. I don't want to hit that low. Oddly enough, any time I've ever seriously contemplated suicide, I've stopped precisely because I know what it would do to this person - I can't imagine bringing that much pain to my family and making them go through that. I don't know if they could handle it. I've had the unfortunate experience of walking in on a suicide attempt and driving their blood covered body to the hospital, and I know the way I felt there is nothing I would ever put someone through, no matter how much I wanted to.

I also have literally zero interest in talking about it - which is tough, but I know the first reaction from my family would be medication, and I absolutely refuse.

I'm rambling now, but that's probably good. Interesting what you'll say on a throwaway that you'd never dare with your name attached.

jyu 4 days ago 0 replies      
You are viewing life through gloom filled lenses. It doesn't have to be this way.

I have been working alone/on startups for about 3 years, since I quit my last job. I was majorly depressed for over 3 years without realizing it, because on the surface it seemed like I had "the good life" (vacationing every 2-3 months, a bunch of friends, great income, etc) but everything I tried was sluggish, I felt demotivated and alone. Only when I checked myself into cognitive therapy did I realize how bad things were upstairs.

Over the years I built up all these inaccurate beliefs in myself and others without correcting them, letting them run rampant. I dedicated 2 hours a day to reading and practicing exercises + 1 hr / week cognitive behavioral therapy sessions for about 6 months, and it is by far the best investment I have made. While they can't fix your problems so that you will never be depressed again, it definitely helps you realize when you are thinking inaccurately, showing warning signs of depression, and things to help you cope.

If you cannot afford therapy, then I suggest reading the book recommended by my therapist, "Feeling Good" by David Burns. It helped me a lot more than any advice from parents, friends, strangers on the internet ever did.

You're welcome to reach out to me if you have any questions.

Shenglong 5 days ago 4 replies      
Speaking as a straight male:

Surround yourself with beautiful women; it's hard to get sad around beautiful women. I'm no stranger to the darkness, and I know that in some environments, I feel every day just as you do.

Force a change, go somewhere else. I found SV to be beautiful, but how long can you really stay in a male-dominated atmosphere, and still stay sane/happy? I know this sounds really shallow, but pause for a moment and think about it. Regardless of what's logical, sometimes you need to surrender to your base instincts - especially when you're dealing with illogical, irrational emotions.

noonespecial 5 days ago 0 replies      
A bit OT but I just have to say that I'm ridiculously impressed with Upverter.
mindcrime 4 days ago 0 replies      
Wow, there's so much one could say on this subject. I'd post a lengthier response, but I don't have time right now, so I'll just say this:

Startup depression (hell, depression in general) is a serious problem. And while I'm no doctor or psychiatrist or anything, to the extent that just a "friendly ear to bend" can be useful, I offer myself up as such, to anybody dealing with depression. I've struggled with it myself to some extent, so I know what it's like. By all means, feel free to email me, call me, whatever, if you're ever feeling down and need somebody to talk to. If you happen to be in or near the RTP, NC area, we can meet in person over a coffee/beer/dinner whatever.

Also, if you're looking for other startup minded folks in this area to socialize with, definitely ping the RTP Hackers and Founders mailing list.

jaf12duke 5 days ago 1 reply      
Yep...know how you feel bud. Thanks for sharing out loud.

I want to add one additional suggestion. I think lack of light and Seasonal Affective Disorder get mixed into the normal startup depression quite frequently. It's never surprising to me when people feel depressed during winter months. The lack of light, lack of vitamin D: it contributes heavily.

Now, the OP mentioned this is a once-a-quarter pattern, so S.A.D is clearly not the only thing at play. But I would be willing to bet that it contributes.

For those that know me, I'm a huge evangelist of light products to solve insomnia. In the winter, these same light products solve for S.A.D. My old post on insomnia has lots of good links: http://www.humbledmba.com/become-a-morning-person-how-to-end...

My new favorite light product is the NatureBright Per 3 (http://www.amazon.com/NatureBright-PER3-Deluxe-Light-Therapy...). It's well worth a try.

Whatever you buy, make sure it provides minimum 5000 lux and that you use it at least 30 minutes a day.

And finally:
Regardless of all this, props to you for writing a wonderfully authentic post. And it's already quite obvious with the comments here that you are not alone. Keep at it.

niels 5 days ago 1 reply      
If you have a depression you need help. Talk to your doctor, and don't dismiss the assistance of drugs. Also exercising is known to help against depression.
DanBC 5 days ago 0 replies      
OP - I'm sad that you had such a bad experience with meds, and I'm sad that experience makes you not trust doctors. You should be in control of any medication you take, and if it has bad side-effects your doctor should be willing to change meds.

Please may I make some suggestions? I have no medical training, and it's a good idea to talk to doctors.

1) Make a "rainy day action plan" and give it to someone you trust. This would have a list of signs that things are not going well (either too high or too low) and that you might need some help. It would include a list of things to do, and people to contact, when you do need help. It would also include any "Advance Directives" (written instructions for clinicians about your future treatment). I don't know if they exist in your country, but they're a strong and useful tool in the UK.

2) Consider regular vigorous exercise. There's plenty of evidence that good exercise helps lift moods. Be careful when you're feeling up that you do not over-exercise.

3) Consider being very careful with the amount of alcohol you drink. Alcohol depresses mood. Sometimes people feel the effect for a day or so after drinking even a small amount. This is especially important if you're drinking alone. (The UK has the concept of "units" for public health about drinking. If you're drinking more than 21 units a week, without 48 hour breaks after a heavy drink session, you may be at risk of physical harm.)

4) Consider being careful with caffeine. Some people feel the effect more strongly than others.

5) Consider "sleep hygiene". Sleep is often disturbed with mood disorders. Sleep hygiene is the first line treatment. Then you could try CBT for sleep disorders if you can find it. Otherwise a short course of a z drug may help kick you back into a sleep rhythm.

mattiask 5 days ago 1 reply      
I can only sympathize, I'm on the end of a 3-year product development cycle myself and it hasn't always been easy.

Some tips from my own experience:

1. Focus more on all the positive things that will happen when you succeed than thinking of all the bad things that will happen if you don't. It's easy to imagine all kinds of worst case scenarios, especially when you're plagued by a little doubt. Try to have faith and power through.

2. Exercise! Trite as it might sound, exercise is really important for mental well being and can lift your spirits if you're feeling down.

3. Surround yourself with people that give you energy. Now I'm not saying you should only socialize with sycophants and yay-sayers, but some people can be a real drain on a person's motivation.

4. Embrace "the fear". So things are hard, you're not sure you're going to succeed. On the other hand, you can probably look back at similar times in your life which now seem like exciting learning experiences. Realize that you're in the middle of one of those and choose to be excited about it.

5. Don't let other people bring you down. Those who say it can't be done should get out of the way of those who are doing it. Some good ideas are only evident in hindsight, so don't listen too much to the naysayers.

6. Get some perspective. Even if things can seem bad and insurmountable, I'm sure we all can imagine people who would do everything for the same opportunity, or people with far worse problems.

7. Adopt an attitude of every mistake being a learning opportunity. Don't be angry at yourself for making them. Be glad that it didn't take you longer to find out your mistake, and glad that you're wiser for it.

_k 5 days ago 0 replies      
Can we give him some feedback and advice on Upverter so he can take it to the next level?

I think it's an interesting site.
But I'm not sure a subscription model is the way to go.
I do know R&D teams are gonna have a hard time getting permission to use it.
They have all the tools they need, their projects are secret, it's not going to fly with upper management.

I do like the fact that you can search for components and buy them.
I'm sure there's some affiliate revenue in there.
Although I have to say, it's probably not that easy, because companies usually have long-term agreements in place with suppliers, there's a lot of bureaucracy, you have to get a purchase order before you're allowed to buy something.
I'm not saying that's good or bad, but that's usually the way it is. And it's a problem for Upverter.

Getting PCBs manufactured is a good idea as well, especially for people who use Kickstarter and want to build a prototype.
The companies I know might be hesitant to use it. Especially for R&D projects, they will use their own equipment or outsource it to a local supplier they know they can trust. And this guy is going to say it's gonna cost you x, but I can do it cheaper if you let me manufacture the first 10,000 units.
And it gets really tricky when you're working on a cutting edge product, because you can't always buy every component off the shelf. The manufacturer is gonna say ok, I'm gonna help you but I can't buy component x cheap enough, or I'm gonna help you but you have to ship me component a,b,c before day x.

The design of your site looks really good, but you need photographs of products that have been built. You may not care about that, but if you're going after the Kickstarter market, then you're in the business of making dreams come true. You need to appeal to the senses.

crewtide 5 days ago 0 replies      
Glad to see people suggesting exercise (spacefood, chaostheory, juliano_q, others), as well as other tools to change the underlying depression. I think the important takeaway is that this is not "startup depression" -- it's depression. You'll be happier/more successful if you find a way to get rid of it.

Sure, running a startup is going to have ups and downs. Sure, you'll sometimes fail at what you're trying to do, and you'll sometimes feel that failure deeply. Failing comes from trying to do something really difficult; taking that failure personally comes from being human.

But as a general rule, the founders I know from the (pretty hoppin') Boston scene are born optimists. More than any other group of people I know, they believe despite the odds, they bounce back quickly, and they have pretty tough skins.

Depression is hard to sort out, but totally worth it. It's worth it for anybody, but necessary for founders because of the up & down nature of running a startup. I spent much of my adult life beating my head against a wall, occasionally being depressed, and not understanding why I couldn't make sh*t happen. Then a few years ago I figured myself out (combination of exercise, gratitude, & therapy), and since then everything has been different. Externally, my life took a major turn for the better in every arena from relationships to finances. Internally, I just don't have the resistance I used to really suffer from, and my downs are pretty short. It rocks.

So I guess I feel your pain, but don't glorify it. Do the work to get over it. You'll be much happier.

nutanc 5 days ago 0 replies      
I have always found that the fastest way to get out of a funk is to talk. Guess you have already started by sharing on HN. If possible, do the same thing in real life. Just get a friend and tell him/her all these things and maybe you will get a hug. A hug always helps :)
juliano_q 5 days ago 0 replies      
I wholeheartedly suggest a combination of diet and exercises (many can be done at home). I recently discovered Nerd Fitness, a blog directed at nerds that is getting some attention (Steve Kamb, the man behind it, gave talks at Google and FB), and it is pretty much changing my life.

I am not saying that this is the cure, but from my experience with depression I think that much of it is related to physical activity and general welfare. And a good diet (paleo works very well for me) and fitness can help a lot.


spacefood 5 days ago 1 reply      
Zak. Please listen to me. I suffer depression, but you know what has helped me immensely? Lifting HEAVY weights.

Give it a try. Lift HEAVY weights for at least 4-5 days a week, and make it the absolute NUMBER ONE PRIORITY in your life for that month.

Closely monitor how you feel, and how your mind thinks during that month.

Try this ASAP Zak. It will IMPROVE YOUR LIFE.

P.S. Sorry if I come off as a spazz. I just really believe in what I'm saying.

ForrestN 5 days ago 0 replies      
Your psychological position is negatively affecting your ability to function. This is by definition a psychological disorder.

Let me state it clearly: it is extremely unlikely that your depression has anything to do with "startups" or your work life.

Quitting your job might be a good idea, but only insofar as it will free up time for you to focus on getting treatment. In and of itself, quitting your job won't solve your problem.

Paradoxically, the reason you're so miserable is likely tied to the fact that you love what you're doing so much, or put another way, that you're doing just what you want to be doing.

Get help. If you don't, you're never going to feel better even if everything goes perfectly in your professional life.

gotrythis 5 days ago 0 replies      
I've been in the same situation for years. Skimmed the article, but I get it.

Here's what I do:

1) I have a social life even if I "should" be working. I have people over for dinner several times a week and have regular friend dates, often with other entrepreneurial folk who don't have day jobs.

2) I rock climb several times a week and do yoga and a short workout daily so I keep fit. I also eat well, drink lots of water and avoid sugar. (Drinking water and avoiding sugar is THE KEY to avoiding depression. So easy to spot the cause and effect when I fall off the wagon.)

3) I consult part time, now primarily with another startup, working out of their office. Gives me the cash to pay someone to help me with my startup so I'm not working alone, reminds me of how useful I am instead of feeling like a failure for making the mistakes I made with my own startup, and keeps me socialized and energized.

4) I take mini-vacations. Mostly local music festivals and short camping trips to get me out and connected to nature. Hell, that reminds me, I'm going to go buy some winter gear and go!

rooshdi 5 days ago 0 replies      
There seems to be a lot of people here going through some of the same feelings, I know I have. Sometimes you just lose yourself when you're working on something you want to win. I know I've needed to take a step back and get myself back together at times. A lot of people have suggested eating right, exercising, and taking a break, which I find helps quite a bit to restart the mind and body. We're sort of like engines and if we don't get a proper oil change once in a while, we'll have trouble starting up. So keep an eye on your mileage and if a refill doesn't work, you might need to see a mechanic.
mmonihan 5 days ago 0 replies      
I see startup depression as a sort of cost of the lifestyle. If your existence depends on the success of your own project, this can be an enormous weight to bear. If you have a bad day, it can easily turn into a bad week if you're not careful.

For me, when things aren't going my way, I just say, "Fuck it" and move on to the next problem. You are going to lose sometimes, but who cares? You're going to win.

If sheer willpower doesn't work, I usually exercise and clean my apartment. The point is to secure little victories here and there to get you motivated. I can definitely say that doing the dishes and pumping out some push-ups have been the catalysts for some great ideas in the past.

At the end of the day everyone is experiencing some sort of depression every once in a while. At least you're doing something awesome. Most people aren't. Remember that.

lisper 5 days ago 0 replies      
You may be sad and tired, but you're not alone.


monsterix 5 days ago 1 reply      
That pretty much nails it: "You quite simply can't change the world in a couple of years without doing more than most people do in a lifetime."

Don't be depressed, boss. Cheer up, and fly out to the Himalayas for a small break. You'll get all the peace of mind here and be ready to flip back again with full swing!

loceng 5 days ago 0 replies      
Tip #1:
Start yoga immediately (hot yoga preferably).

Find a 30 or 40-day challenge, and start going every damn day. Even if it's the only thing you do in the day.

I'd suggest Bikram to kick your ass into forcing you to let go. The routine + regular space you create for yourself + endorphins and healing it will allow your body to do will change your mindset within 1 month's time.

This will create the space for you too, to do all of the little things that you felt like you couldn't get done.

Maybe I should connect with people by bringing other founders to yoga classes. I'd actually love connecting with people that way. I'm living in Kingston (Ontario) right now, though planning to travel the next 3-4 months looking for technical + other people who we have a good rapport with to join me.

Let me know if you're open for a visitor and to be dragged to some yoga. :)

Tip #2:
Therapy can help a lot, not medication-based, but talk based. In my opinion medications poison your mind and lessen your overall potential (not forgetting the hit and miss with finding one that 'works' for you, and realizing newer studies show they're not really any better than placebo for most people). And you can reach the same level of flow in life with proper support and doing things every day to take care of yourself.

I've been seeing someone for over a year now, who's an Innerchild/Regression therapist - really just looking at how you react and feel in different situations and helping you release past things that you are suppressing and are holding you in a certain pattern. I'm unimaginably farther ahead in my self-awareness and balance than I was a year ago.

Tip #3:
Upverter looks fantastic. I'm jealous at how far along you are with it. I'm at least a year away from reaching the same place you're at with your company, with having a team, and product at the same place (and that's with some luck!).

If you want some unsolicited design tips.. let me know. The tour I think would work better if you just put it all in a scrolly. I think you'd find you'll expose more people to all of the information (continuing to scroll is much easier than having to click around).

Happy to see a fellow Canadian sharing on HN!

I have a few more little design thoughts if you're interested.

Otherwise, you're on track - just start yoga - and let me know if you want me to visit and drag you the first few times. It's nice to have expectations set by someone who's been doing it 4 1/2+ years, and I also did a 200-hour Hatha yoga teacher training in the summer.. so I'm a little qualified to offer yogic advice. :)

crag 5 days ago 1 reply      
No you are not alone. But that might be part of the problem. Get a dog. I know I know. You don't have the time to care for a dog. But you do. Cause you'll make time. And hire a dog walker. I do. She comes in every day and walks my 95lbs lab/dane mix. Most dog walkers will feed your dog too, if needed.

Coming home to an empty house gets old fast.

danso 4 days ago 0 replies      
I don't have much to add to the excellent advice and discussion already given, but this is the first I heard of Upverter, and it looks awesome. Wish I had this when I was studying engineering in college.
chaostheory 5 days ago 0 replies      
I didn't see this in the post, but I can't help but stress the importance of exercise to help fight depression; I think it's better than any drug.
kappaknight 5 days ago 0 replies      
If you're an introvert and charge your batteries by being alone, then find a way to do that without worrying about your day-to-day stresses. For me if I'm getting too zonked out, I end up in StarCraft II pissing myself off by playing with newbs - but it's different enough that it gets my mind off of work.

If you're an extrovert and charge your battery by interacting with others, make sure you do enough of that by going out to events, networking, listening to other founders' stories. Personally I'm a little of both and I find that when I'm out meeting with other startups and listening to their issues, throwing out ideas to help them makes me happier and charges my battery. In a way, it's my version of charity work but getting inspired by solving different problems for others work for me.

As a founder of a few startups myself, I do go through similar cycles where I'd work myself to death for about 3 months and then have 3 months of absolute laziness/depression where I want to do nothing but space out. I'm okay with it cause I know if something motivates me, I usually snap out of my funk. You mentioned you've been in this cycle for awhile, maybe try thinking of something completely different, something inspiring, or maybe go see someone about it.

Good luck!

cr4zy 4 days ago 0 replies      
I find getting something done, _anything_, gets me out of a slump the best. Try to make it the most important thing possible, but don't get stuck in analysis paralysis. Forcing yourself to do something will often help your mind work out any ambiguities along the way.
richardlblair 4 days ago 0 replies      
Hey Man,
Thanks for writing this. Depression is tough, and putting it out there for the world to see makes it even tougher. Hang in there. You have been through this, so you know things will get better. It just takes time. Keep pushin, keep fighting.

The best advice I had ever heard is to not make happiness a goal. Happiness is a state of mind. If you make happiness a goal you will spend so much effort looking for it that you will never actually find it.

Best of luck.

rokhayakebe 4 days ago 1 reply      
Get laid more often. More often.
onedewd 5 days ago 0 replies      
No reason to be depressed, your project looks great. There are people out there with real reasons to be - no family, no loved ones, bad health, no realization.
People who have cool projects (should) have a meaningful life.
supervillain 4 days ago 0 replies      
I think Upverter might be one of the most important apps that exist today.

Try pitching them internationally in schools, colleges, universities... You will gain overwhelming momentum.

weixiyen 5 days ago 0 replies      
Give p90x a try
How github was hacked homakov.blogspot.com
333 points by bluemoon  2 days ago   70 comments top 19
jtchang 2 days ago 6 replies      
Is anyone else laughing at how ridiculous this vulnerability is?

I just spent a few hours last week hacking through the Stripe CTF game. Environment variables, string formatting injections, and a timing/side channel attack to top it off.

This is just POSTing a value to an endpoint. And it gets written?! To the database?! That's awesome and scary at the same time.

rdl 2 days ago 0 replies      
I wonder if they pay their security firms for code audits, vs. just system configuration level stuff. It's reasonable to think they're about as expert on their codebase and its security as anyone else would be, so just having different people within the same company look at it would probably be effective, and could be done more frequently than an external audit. (I generally advise AGAINST external code audit for a lot of early stage companies, since it can be a lot of wasted money when the codebase is changing; it's better to have some guiding principles internally and then try to reduce the scope of security critical code as much as possible, and eventually audit that. Stick to securing the infrastructure, which is pretty standard across companies and thus cheap, and can be handled through outsourcing to gmail/heroku/etc., at least in the beginning.)

Looks like they have two companies for audit/pentest (nGenuity and Matasano Security), plus a consultant. Somehow I doubt tptacek is going to comment on any of this.

kalleboo 2 days ago 1 reply      
To be honest, mass assignment sounds like Rails' own "register_globals". The default should be conservative and disallow setting any fields, instead of allowing anything to be changed.
sjtgraham 2 days ago 1 reply      
I just threw together a quick gem that will ensure active_record model attributes are protected from mass-assignment unless explicitly declared as mass-assignable.

Granted, this as default will break an app that does not have the correct attributes declared as mass-assignable, but the alternative is a vulnerable app.


ortatherox 2 days ago 5 replies      
I'm not a fan of some of the comments about the man posting; you'd think the developer community would be above "you look like Frankenstein" and "your English sucks."
aneth 2 days ago 3 replies      
This has been Rails behavior from day 1. Rails seems to assume that people will make some level of effort to secure their application before deploying to production. There are many ways and places to protect models, and mass assignment protection is a blunt tool that would not have worked for github, so the default behavior is not the issue.

This bug could occur in any framework where someone assumed all attributes submitted are writable by the current user. Rails has no internal concept of users or roles, so building that by default into a model makes no sense.

This is a github bug, not a Rails issue. One could argue it's a questionable, but defensible, decision in the Rails framework, to have such an easy way to take every submitted field and apply it to a model. I'd argue that using such a feature in a production app is a fault of the developer for failing to read their own code, because it's rather obvious and clear what the code does:


Does exactly what you'd expect it to do.

mattlong 2 days ago 1 reply      
I'm not too familiar with RoR, but does the mass assignment vulnerability basically boil down to not doing any input validation for the convenience of updating several model fields in one line of code?
gphil 2 days ago 0 replies      
Here's the relevant section of the Rails manual describing this exploit, along with some ways to prevent it.


homakov 2 days ago 1 reply      
just wonder why you all discuss that kind of shit: 'who's in charge', 'who should be punished', 'funny bug' etc in other topics.
This topic is better because it is about reality. protect your attrs blah blah
peregrine 2 days ago 2 replies      
Seems strange that Active Record doesn't have an "update_fields" method with sig array of updateable fields, hash of field=>val. Similar to Sequel.
coreyspitzer 2 days ago 0 replies      
Regarding the argument between whether this is a Rails framework concern or a Rails developer's concern, the fact that many tutorials and screencasts don't bring this vulnerability up has left the impression to a whole slew of developers that scaffolding and other step-by-step out-of-the-box ways to build things that Rails affords you are complete solutions that don't require any other modifications besides what's needed for your own business logic, etc. I think this is how we all missed something so simple. I think it's partly because of this convention/idiom groupthink.
kellenfujimoto 2 days ago 0 replies      
The comments are rather classy too. Glad to see xenophobia is alive and well.
jayferd 2 days ago 1 reply      
Totally avoidable via `Hash#slice`. Come on guys, this is common knowledge now.

    def update

niclupien 1 day ago 0 replies      
It's definitely the responsibility of the developer to know the security vulnerabilities and the guidelines of the tools he uses. Every serious framework has documentation on them, and it is generally easy to find.

If the developer chooses to ignore it, is the framework responsible for his actions? I don't think so. Like other commenters have said, this is a beginner's mistake and they happen all the time. I don't understand how Rails can be blamed for this. They have done their duty by documenting the issue and it's easy to find (tell me who develops in Rails and is unaware of these guides?).

By the way, this feature is also known in Spring MVC (http://www.springsource.com/security/spring-mvc) and affects frameworks based on it too (e.g. Grails). They state this is a "usage issue" and not a bug in the framework.

barumrho 2 days ago 2 replies      
I am not familiar with Rails, so I am a bit confused about what caused this. What does it have to do with mass-assignment?
minikomi 2 days ago 0 replies      
Quickly formatted in a gist (only slightly tongue in cheek): https://gist.github.com/1975850
mofey 2 days ago 0 replies      
Love the comment by dbounds: "Nice work. FULL DISCLOSURE"
instakill 2 days ago 0 replies      
The ad hominem attacks are despicable.
omgsean 2 days ago 2 replies      
I find it really surprising that Rails is taking heat for this. "Protect your attributes" is something you learn really early on, and most of my models will have a spec along the lines of "as a user, I can't steal another user's _____"

On top of that, public facing code should be written like

  def update
    @pk = current_user.public_keys.find(params[:id])
    # do the update if you find the key
  end

Simple stuff.
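As an added example that is not part of the thread (and not GitHub's or Rails' code), here is a plain-Ruby stand-in for an ActiveRecord model that runs jayferd's `Hash#slice` allow-list and omgsean's scoped lookup side by side with the unprotected pattern. `PublicKey`, `KeyStore`, the user ids and the tampered params hash are all constructed for illustration; the point is that the extra `user_id` field in the request changes whose account the key authenticates unless either the lookup is scoped or the assignment is allow-listed.

```ruby
# Added example, not code from the thread, GitHub or Rails: a plain-Ruby
# stand-in for an ActiveRecord model so the two update styles discussed
# above can be run side by side. PublicKey, KeyStore, the user ids and the
# params hashes are all constructed for illustration.

class PublicKey
  attr_accessor :id, :user_id, :title, :key

  def initialize(id:, user_id:, title:, key:)
    @id, @user_id, @title, @key = id, user_id, title, key
  end

  # Mimics unprotected mass assignment: every submitted field is written,
  # including user_id, which decides whose account this key authenticates.
  def update_attributes_unsafe(attrs)
    attrs.each { |name, value| public_send("#{name}=", value) }
    self
  end

  # Allow-list: only the fields the form is meant to edit are written.
  # Hash#slice drops everything else (user_id, id, any unknown key).
  PERMITTED = %i[title key].freeze

  def update_attributes_safe(attrs)
    attrs.slice(*PERMITTED).each { |name, value| public_send("#{name}=", value) }
    self
  end
end

# In-memory table standing in for the public_keys table.
class KeyStore
  def initialize(keys)
    @keys = keys.each_with_object({}) { |k, h| h[k.id] = k }
  end

  # Unscoped lookup: whatever key id the client names.
  def find(id)
    @keys.fetch(id)
  end

  # Scoped lookup, the equivalent of current_user.public_keys.find(id):
  # a key is only reachable if it already belongs to the caller.
  def find_for_user(user_id, id)
    key = @keys[id]
    key if key && key.user_id == user_id
  end
end

VICTIM_ID   = 1   # constructed: the account the attacker wants to act as
ATTACKER_ID = 2   # constructed: the account sending the request

def fresh_store
  KeyStore.new([
    PublicKey.new(id: 7, user_id: VICTIM_ID,   title: 'victim laptop',   key: 'ssh-rsa VICTIM...'),
    PublicKey.new(id: 8, user_id: ATTACKER_ID, title: 'attacker laptop', key: 'ssh-rsa ATTACKER...')
  ])
end

# Constructed form body: the attacker edits their own key (id 8) but adds a
# user_id field that the edit form never exposed.
TAMPERED_PARAMS = { id: 8, title: 'renamed', key: 'ssh-rsa ATTACKER...', user_id: VICTIM_ID }.freeze

# Vulnerable action: unscoped find, then write everything that was posted.
def update_unsafe(store, _current_user_id, params)
  store.find(params[:id]).update_attributes_unsafe(params)
end

# Hardened action: scoped find, then allow-listed assignment. Returns nil
# when the key is not the caller's, so the controller can render a 404.
def update_safe(store, current_user_id, params)
  key = store.find_for_user(current_user_id, params[:id])
  key && key.update_attributes_safe(params)
end

if __FILE__ == $PROGRAM_NAME
  hijacked = update_unsafe(fresh_store, ATTACKER_ID, TAMPERED_PARAMS)
  puts "unsafe: key 8 now belongs to user #{hijacked.user_id}"   # 1, the victim
  kept = update_safe(fresh_store, ATTACKER_ID, TAMPERED_PARAMS)
  puts "safe:   key 8 still belongs to user #{kept.user_id}"     # 2, the attacker
end
```

Either defence alone stops the ownership change here; the two together also cover the case the thread does not discuss, a key the attacker never owned, which the scoped lookup refuses to find at all. `Hash#slice` is core Ruby from 2.5 on (ActiveSupport provided it earlier), and dropping unknown keys silently rather than raising is the permissive variant; a stricter app would log or reject a request that carries fields the form never had.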

Did GitHub Suspend Egor Homakov account? homakov.blogspot.com
322 points by VuongN  2 days ago   120 comments top 18
vasco 2 days ago 4 replies      
Suspending him only shows that if a vulnerability exists (and they always do) in the future people won't go about it so openly because what they'll get for their troubles will be an account suspension. The guy could have done real harm if he kept silent and used it maliciously, chose not to, and got suspended. Github should pay him for finding the vulnerability instead!
ricardobeat 2 days ago 5 replies      
Well, this is not exactly what I expected to find in the ToS:

GitHub, in its sole discretion, has the right to suspend
or terminate your account and refuse any and all current or
future use of the Service, or any other GitHub service, for
any reason at any time. Such termination of the Service will
result in the deactivation or deletion of your Account or
your access to your Account, and the forfeiture and
relinquishment of all Content in your Account. GitHub
reserves the right to refuse service to anyone for any
reason at any time

That means my company's code can be wiped out by GH at any time, for any reason. Please don't hurt me :(

ricardobeat 2 days ago 1 reply      
Remember when Zed Shaw took down GitHub for purely personal reasons, disturbing service for millions? I don't remember him getting suspended, his account is live and well at http://github.com/zedshaw


T-Winsnes 2 days ago 1 reply      
So if I got this right, this is the order of how things happened.

1. Egor finds a vulnerability and reports it. https://github.com/rails/rails/issues/5228

2. It gets ignored and he is being called a troll.

3. He proves that he was right by doing a harmless commit to the rails master repo.

4. The vulnerability gets fixed quickly as it got the focus of the community.

5. His account gets suspended

Not sure I agree with the suspension.

sriramk 2 days ago 0 replies      
I'm sorry but I have to defend Egor here. Here's how you actually report a vulnerability, demonstrated by dfranke here on HN -> http://news.ycombinator.com/item?id=639976

What Egor did was to violate sensible disclosure rules. He should have contacted GitHub in private, created a test repo and demonstrated his exploit there, rather than impersonate users and compromise multiple accounts.

If I was in Github's shoes and I was trying to figure out what damage was done, the first step would be to suspend the account doing the damage to make sure no further surprises were headed my way.

abalone 2 days ago 1 reply      
kpanghmc 2 days ago 4 replies      
What's to prevent Egor from setting up a new account and using it to exploit the vulnerability he's found?
heimidal 2 days ago 2 replies      
His account has been reinstated, Github has patched their service, and the Rails team has committed a patch with new defaults. All in less than eight hours. Let's move on.
mtkd 2 days ago 0 replies      
They should be hiring him.
eli 2 days ago 2 replies      
Not sure that's the call I would have made, but hacking into other users' accounts does seem like a pretty valid reason for account termination.
xpaulbettsx 2 days ago 3 replies      
In the future, if folks find vulnerabilities in GitHub, please report them via an Email to security@github.com or support@github.com.
chbrown 2 days ago 1 reply      
Why is someone who can hack Github working for $30/hr on oDesk? @Egor, quit selling yourself short!
VuongN 2 days ago 2 replies      
Is this supposed to prevent him from doing further damage? I hope this isn't the beginning of something ugly with GH.
narsil 2 days ago 1 reply      
What I would like to know is if this is permanent or just till github completes their security audit. It doesn't seem like homakov intended or caused any real harm, although it was a bit immature to draw attention to the vulnerability that way.
rurounijones 2 days ago 0 replies      
espeed 2 days ago 0 replies      
Don't suspend him -- hire him.
aquarin 2 days ago 1 reply      
This is a really childish attitude. Egor, grow up.
krobertson 2 days ago 0 replies      
He clearly violated their Terms Of Service. If you like and enjoy a service, exploiting it to prove a point is not the way to do it. It takes no time to spot the clause about exploiting the service.

Legally, it wouldn't be good to have a TOS and then not enforce it. You never know how that could bite you later on if you get dragged into a dispute.

All this "they should give it back when they're done" is pointless. You can't reward stupid behavior.

Square Register squareup.com
323 points by robbiet480  2 days ago   121 comments top 31
rythie 2 days ago 3 replies      
I can't actually remember the last time I swiped my card and signed for anything, because we in the U.K., like most of Europe, use Chip and Pin (EMV is the official name). I wonder if Square will still function when this gets pushed into the U.S. market.

Surely this is due soon in the U.S.?

staunch 2 days ago 0 replies      
First time a URL like:


Hasn't been about signing up for the web site.

tricolon 2 days ago 9 replies      
One piece is missing: a much more robust card reader that doesn't swivel or threaten to snap in two after a day of swiping.
sriramk 2 days ago 2 replies      
Slightly tangential note - Square has the most gorgeous product videos I've seen from a startup. Their jobs section even lists an open position for doing these so I guess they do them in house. Very impressive.
fufulabs 2 days ago 4 replies      
No other startup has ever been so primed for an Apple acquisition. Everything from execution, design sensibility, culture and even CEO is heavily Apple inspired but in a different but still complementary industry.
kefs 2 days ago 4 replies      
I don't like how, as the customer, I have no way of seeing what exactly is being charged to my card. For all I know, anything could be running on that iPad (foreground or background) and I could be charged any amount without knowing. Sure, I can ask for a receipt, but even the legacy till they replace in the video has a customer-facing display, not a shiny piece of aluminum with some fruit. It's interesting that the video never switches to the customer view either.
JoshTriplett 2 days ago 0 replies      
Scanning through the page, I noticed one oddity in the screenshots: the "Add an Optional Tip" page showed various fixed-size tips, but no way to enter an arbitrary amount. In previous versions of the interface, I thought the UI had an option to enter an arbitrary tip amount.
geuis 2 days ago 1 reply      
I would love to see a slight modification to the design of their reader hardware. Keep the audio interface, obviously. But design a small plastic frame that the reader can fit into that fits flush against the edge of the top of the iPad/iPhone. Make it a bit longer with slightly sloped internal edges so that it's easier to guide a credit card to the scanner. This will also have the benefit of keeping the reader from swiveling around while in use. Actually sounds like a Kickstarter project if Square doesn't come out with it themselves soon.
savrajsingh 1 day ago 0 replies      
This looks awesome! It's important they get this kind of product right on the first release -- because small business owners can't tolerate 'beta' for something so critical as their cash register.

Case in point: One of my favorite restaurants in Seattle was using iPads for registers (not using Square's product). I came back a few months later and they had switched to a 'normal' POS system. "What happened to the iPads?" I asked. "There were too many issues and they crashed way too often." It was a case of a restaurant that wanted to be on the cutting edge -- but in the end it didn't work out, so they went with a standard solution that worked well.

I don't doubt that square can execute -- they have already shipped some great products. I just want to point out that it's not as simple as some people might imagine.

etfb 2 days ago 8 replies      
Must be an American thing, I guess. Is EFTPOS (ie debit card) less common in the US than in Australia? Seems odd to provide a credit card service by itself. People don't pay for coffee and things on credit, do they?
craigmccaskill 2 days ago 1 reply      
The Application looks amazing. Well done.

What I do wonder though, is why they're shipping this with such a terrible stand/card reader attachment? I can't see those lasting 6 months in a busy shop environment. I'd like to see a swivel stand that's locked to the counter which you can slide the iPad into, then bolt secure and lock with a key. While you're at it, build a robust card reader into the side of the case. Basically something similar in form factor to this: http://www.directindustry.com/prod/elo-touchsystems/touch-sc...

I could probably put something like that together in a weekend with a trip to Fry's/Home Depot, but why should I have to?

Also, a question I'd have before using this - what happens in the event of a software crash? Where is my data, how quickly does stuff get backed up online?

kwamenum86 2 days ago 0 replies      
This could be a game changer. Restaurant management software is a space that needs innovation as well - I'd be surprised if they don't roll something out that incorporates both payments and reservations.
dguido 1 day ago 0 replies      
FWIW my local coffee shop uses ShopKeep and Perka and they work great!

disappearance 2 days ago 1 reply      
I'm not sure if I'm missing something, but desensitising the general public to devices that their card is being scanned through (and occasions where that might be appropriate) will surely lead to an increase in card fraud.

What's to stop someone jailbreaking an iPad, writing a custom fake UI, clipping in a Square scanner, and writing off a day's worth of cheap merchandise down at the park for a haul of card details?

If this becomes common, will credit card companies still offer the same guarantees on transactions?

bostonvaulter2 2 days ago 1 reply      
The text is all garbled in my stock Android browser. But this seems like quite a nice idea.
hansy 2 days ago 3 replies      
Did anybody go through the verification process when ordering the device? After I input some basic info (like my birthday and last 4 digits of my SSN), I was asked to answer questions I have no idea how they even came up with.

One example is, "What hospital did you live near when you were on RandomName St.?"

How did they immediately know what street I lived on some years back, and also that it was near a major hospital?

The authentication was all pretty impressive, but kind of creepy too.

Thomaschaaf 2 days ago 1 reply      
I don't understand where the actual cash came from in the video. Would this mean I still have to have a register to store the cash in? Wouldn't this make the whole process borked again?
unicron 2 days ago 1 reply      
This is a gimmick or a hack. Not much better than what you will see on hackaday.com

I did a LOT of POS work a few years ago for small businesses. An iPad/iPhone would be dead and broken in less than a month for most retailers. You need pretty hard wearing industrial grade kit if you don't want to throw it away 3 times a year. That flimsy card reader is almost comedic - you'll break it and your device.

If it's your revenue collection equipment, it makes sense to buy something that will last i.e. was designed for the job rather than sit there not being able to take cards.

theneb 2 days ago 0 replies      
There's lots of talk about the survival of the Square reader under heavy demand; certainly another, more durable reader needs to be produced.

However, is the market for Square at this price point really for anything above one or maybe two points of sale?

Using this setup in some bar environments would require some hardware to protect the iPad; I've worked looking after hardware in busy student union bars where the staff just destroy the tills with spillages.

My impression of the earlier Square products for POS was that they're intended for giving the small business something, not for running your local branch of Starbucks.

Valid 2 days ago 0 replies      
I wonder if they plan to open a web store interface, so users can purchase things without an iPad... I've been looking for a sexy place to set up shop, but my business doesn't have walk-in customers. I know that's not really Square's game though.
taitems 2 days ago 1 reply      
I love Square's work to date. The way they've changed the retail and hospitality industry for the better, and looking damn good while doing so. That being said, I can't say I'm a huge fan of the Register icon. Even the Card Case icon is strobing a bit on this monitor.
andyfleming 2 days ago 1 reply      
Awesome to see Square continuing to progress forward on a regular basis! The register app looks great!

Does anyone know if it works well (or at all) with multiple iPads? Can you view/manage the inventory online?

callumjones 2 days ago 0 replies      
It's great to see a company taking an existing product (iPad) and building on top of its powerful software and hardware.

Instead of stores having to buy some expensive & clunky cash register or crazy expensive PoS solution; they can pop down to their local Apple or electronics store & buy a future PoS device.

It's very powerful when anyone can start accepting payments by just popping down to their local electronics store.

learc83 2 days ago 0 replies      
I really wish they would work on pushing a final version of their API.
albahk 2 days ago 2 replies      
The app is downloaded via the App Store - according to the terms of the app store, aren't Apple entitled to claim 30% of transactions through the app?

edit: Or, at the very least, entitled to 30% of the fees charged by Square to the merchant?

felixchan 2 days ago 1 reply      
That's a horrible logo. I had no idea that was "Square" at all when just looking at the logo.
BCounsell 2 days ago 1 reply      
I'm drawing up a design to make them a better stand. What they have just looks like it's waiting to get pushed off a counter.
They are only a few blocks away, I could just drop it off.
ssn 2 days ago 1 reply      
Any update on when this will be available in european countries?
kirillzubovsky 2 days ago 1 reply      
I wonder what Jack Dorsey is thinking while reading all of this. I seriously doubt he worries about "...one retailer and they weren't using the device because the Square was too wonky ..." It just sounds like a problem too easy to fix, and I am sure they've got bigger fish to fry.
xianshou 2 days ago 0 replies      
I just stopped in at a coffee shop in the middle of Philly the other day using Register. Guess they got access to the beta testing.
mycodebreaks 2 days ago 0 replies      
We need such innovation (at any level - design, engineering, technology). Keep it up, guys!
Compromised Linode, thousands of BitCoins stolen bitcoinmedia.com
316 points by tillda  5 days ago   240 comments top 35
larrys 5 days ago  replies      
"As a respected hosting provider, I hope they do the correct thing and refund me for this liability due to their error. Many people trust Linode, and they have proven themselves as a serious contender for hosting critical sensitive operations on the internet. I would hate to not see them live up to that reputation."

"hosting critical sensitive operations" in particular. If you are doing "critical sensitive operations" you need a more secure solution and process which will cost you more money.

Under no circumstances can a hosting provider assume the liability for something like this.

The tradeoff you make for the low cost you pay is that you might have an issue like this because someone screws up.

You pay more for a safe to store your money (and for a safe deposit box to store your valuables) because it's important and you understand the risk involved in not doing that. If you have valuable jewelry many times the insurance company will only insure if you keep it in the safe when you are not wearing it and even the amount of days is specified when it can be out of the safe.

It's unreasonable to expect (and Linode's contract clearly states, as others have mentioned) a hosting provider to have a liability over what you are paying them. Edit Add: Unless you specifically have an agreement in advance or that is what they promised or charged you for.

Before anyone reacts to this with any harsh criticism please think for a second what liability you would want for any mistakes that you make with your web startup or idea. You could either be charging zero or charging a small $5 to $20 per month charge. You might make a mistake. Are you willing to accept and even be able to insure for thousands or even millions in liability for those mistakes?

nbpoole 5 days ago 3 replies      
So, a customer service interface was compromised via stolen credentials and used to access various Linode instances. A couple questions that immediately come to mind:

1. Can this interface be accessed from anywhere on the Internet? If so, why? If not, does that mean other systems owned by Linode were compromised as well?

2. Why can customer service representatives access and update servers without the client being notified and with minimal logging?

luser001 5 days ago 4 replies      
Hmm, for a customer of a cloud provider, this sort of thing will be very hard to defend against.

Maybe if the customer service system had had two-factor security, this might have been avoided (i.e., customer service can access your account only if you read them your hardware token's code).

Requiring SSL/SSH client certificates even for intranet accesses might have deterred this attack.

I hope other cloud providers take note of this incident. This is a very interesting incident.

cookiecaper 5 days ago 3 replies      
How many times does something like this have to happen before people learn to encrypt? Any serious business or financial data should be encrypted, period. Almost all of the major hacks we read about could have been minimized if not entirely avoided if the data was encrypted.

I just read the release from Bitcoinica where they explained that the server accessed contained _only_ Bitcoinica's "hot wallet", and that no code, services, customer data, or other wallets were stored on the server.

If this was the case, why couldn't every access to that wallet, which, assuming the above is true, necessarily occurs on other servers, run a decryption on the file first? Even if you keep the passphrase and/or secret key in plaintext on the machines that run the code, the separation should prevent this kind of rogue access as long as the intrusion is isolated as these people claim.

There is really no excuse just to have a plaintext wallet sitting around anywhere anymore (the official bitcoin client now supports symmetrical encryption). Like credit card numbers, when a wallet is accessed it should be decrypted in ethereal storage like RAM and promptly discarded; it should never hit disk as plaintext. At least the same practices used for PCI compliance and credit card data should be used for btc wallets; preferably better since there is no recourse if your btc wallet is compromised.

mindstab 5 days ago 3 replies      
How did the attackers know what they were looking for? I'm going to assume that it's a small minority of Linode users who have bitcoins on their machines. How were just these users targeted so accurately? What tied together knowledge that they used bitcoins to those VMs and their Linode accounts?

Also, was the nature of the attack just that they were able to log in to your Linode admin panel and from there root the machines and then loot your wallets?

klodolph 5 days ago 5 replies      
I'm not really sure why people are trying to store bitcoins on a VPS in the first place. You can't process credit cards on a VPS and be PCI compliant (it's against the rules), but any moron can do what they want with bitcoins.
ben0x539 5 days ago 3 replies      
> Although passwords are stored using SHA1 with a salt,

Where's the bcrypt/scrypt/whatever police in this comments thread?

liquidsnake 5 days ago 6 replies      
The OP's tone clearly indicates that he expects some compensation; Linode's TOS are pretty clear:
Therefore, subscriber agrees that Linode.com shall not be liable for any damages arising from such causes beyond the direct and exclusive control of Linode.com. Subscriber further acknowledges that Linode.com's liability for its own negligence may not in any event exceed an amount equivalent to charges payable by subscriber for services during the period damages occurred. In no event shall Linode.com be liable for any special or consequential damages, loss or injury.

This also provides an interesting dilemma when it comes to such events. In this case the damage is relatively easily quantifiable, he got X bitcoins stolen so the damage is X times the bitcoin value at that time. Still, it could have easily been user personal data or credit card information, which would have made an evaluation harder to make.

One of the risks of using such a platform I guess and something that anyone who does it should consider.

RLG_RLG 5 days ago 2 replies      
Please people (not corporations w/ staffs), do not run critical systems in the cloud.

Get a dedicated server (not the cheapest you can find) and secure it with:

(install in this order)

APF - http://www.rfxn.com/projects/advanced-policy-firewall/

BFD - http://www.rfxn.com/projects/brute-force-detection/


Ideally, install rkhunter on a fresh system, right after updates, APF, & BFD. Then update the binary checksums with this command, if you know the server is secure:

Update file properties:
# rkhunter --propupd --sk

Run a system check to make sure it is known clean:
# rkhunter --check --sk

Lastly, sign up for the security alert mailing list for your version of linux on your server.

If you want maximum security, be sure to password protect your boot loader and use an encrypted file system. This will make it very difficult for the ISP to work on your server, however!

kylebrown 5 days ago 0 replies      
Update: the Linode compromise first reported was that of the "slush" mining pool (mining.bitcoin.cz), reporting a loss of 3094 BTC. Second report was the donation-funded bitcoin faucet, reporting a loss of all of its 5 BTC.

Third report is the biggest, Bitcoinica.com which is arguably the second-largest exchange. Their main site is hosted at rackspace, but their 'hot wallet' was hosted at Linode, and contained 10,000 BTC which were stolen.[1]

1: https://www.bitcoinica.com/posts/warning-please-do-not-re-us...

EDIT: Those not following this incident on the bitcoin forums might be amused that the attacker used the stolen bitcoins to form a transaction with a size of 1337 bytes. That's probably not a coincidence, since bitcoin transactions are usually under 1kb in size.


sgornick 5 days ago 1 reply      
Bitcoinica just reported losing 10K BTC (worth $50K USD) in this same incident.
- http://bitcointalk.org/index.php?topic=66961.msg778254#msg77...
javascriptlol 5 days ago 0 replies      
The attitude that Linode should refund the loss is a fragilising attitude. The more trust you keep pushing onto the provider the bigger everything is going to blow up when something goes wrong.
plasma 5 days ago 0 replies      
It's quite possible that the attacker has been using the support admin login details for much longer against Linode, without being noticed, until now.

What sort of defenses can developers put in place to protect against admin panels?

I've used these sorts of techniques in the past:

1) Separate username/password system compared to the regular website
2) IP whitelist of who may even access the admin panel
3) Failed login attempts send an e-mail alert with a log entry

Any other recommendations or suggestions?

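The three defenses listed above (a separate admin credential store, a source-IP allowlist, and a logged alert on every failed login), as an added illustration in Python; this is not Linode's or the commenter's code, and the network ranges, admin user and alert transport are constructed placeholders.

```python
"""Admin-panel gate: separate credentials, source-IP allowlist, alert on failure.
Added illustration; not Linode's code. Networks, users and the alert
callable are constructed placeholders."""
import hashlib
import hmac
import ipaddress
import logging
import os
from collections import defaultdict

log = logging.getLogger("admin-panel")


def hash_password(password, salt=None):
    """PBKDF2-SHA256 with a per-user random salt (stdlib only)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class AdminGate:
    """Sits in front of the admin panel, independent of the customer login."""

    def __init__(self, allowed_networks, admin_users, alert, max_failures=3):
        # CIDR ranges the admin panel may be reached from (hypothetical values)
        self.networks = [ipaddress.ip_network(n) for n in allowed_networks]
        # Separate admin credential store: username -> (salt, pbkdf2 digest)
        self.users = {u: hash_password(p) for u, p in admin_users.items()}
        self.alert = alert                # callable(message): pages or e-mails staff
        self.max_failures = max_failures
        self.failures = defaultdict(int)  # failed attempts per (ip, user)

    def ip_allowed(self, src_ip):
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.networks)

    def login(self, src_ip, username, password):
        # 1) allowlist first: requests from elsewhere never reach the password check
        if not self.ip_allowed(src_ip):
            self._fail(src_ip, username, "source ip not in allowlist")
            return False
        # 2) separate admin store, constant-time digest comparison
        record = self.users.get(username)
        if record is None:
            self._fail(src_ip, username, "unknown admin user")
            return False
        salt, expected = record
        _, actual = hash_password(password, salt)
        if not hmac.compare_digest(expected, actual):
            self._fail(src_ip, username, "bad password")
            return False
        log.info("admin login ok user=%s ip=%s", username, src_ip)
        self.failures.pop((src_ip, username), None)
        return True

    def _fail(self, src_ip, username, reason):
        # 3) every failure is logged and alerted; repeated failures escalate
        key = (src_ip, username)
        self.failures[key] += 1
        entry = (f"admin login FAILED user={username} ip={src_ip} "
                 f"reason={reason} count={self.failures[key]}")
        log.warning(entry)
        self.alert(entry)
        if self.failures[key] >= self.max_failures:
            self.alert(f"LOCKOUT candidate: {self.failures[key]} failures "
                       f"for {username} from {src_ip}")


def demo():
    """Constructed scenario: one office network, one admin, four attempts."""
    alerts = []
    gate = AdminGate(["203.0.113.0/24"],
                     {"ops-admin": "correct horse battery staple"},
                     alerts.append)
    results = [
        # right password but from outside the allowlist: denied, alerted
        gate.login("198.51.100.7", "ops-admin", "correct horse battery staple"),
        gate.login("203.0.113.10", "ops-admin", "guess1"),
        gate.login("203.0.113.10", "ops-admin", "guess2"),
        gate.login("203.0.113.10", "ops-admin", "correct horse battery staple"),
    ]
    return results, alerts, gate  # results == [False, False, False, True]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(demo()[:2])
```
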
sdrinf 5 days ago 0 replies      
As a Linode customer, I'm really looking forward to hearing out their side on this issue.
brandoncordell 5 days ago 0 replies      
It sucks that money was lost but I can't help but to shake my head at someone keeping something like that on a cheap VPS. It's just stupid to think that was at all safe. That's something you should do on your personal computer where you can assure your security.

I'm not really sure if the author of the article expects to be compensated but if so, he's dreaming. Just read through their terms.

Next time he won't be so ignorant as to put something so sensitive on a server like this.

sgornick 5 days ago 1 reply      
mootothemax 5 days ago 0 replies      
This is obviously an unacceptable incident. I don't understand how the author can write:

Especially upsetting is that I went to great pains to keep everything as secure as possible.

When that's plainly not true. Surely having a wallet stored on a VPS is a really bad idea, what with admins potentially having full access to hard drive contents? Wouldn't a PGP'd local copy be a better solution, or am I missing a trick?

rubypay 5 days ago 0 replies      
Could this have been a vulnerability in Lish, which can be run from a browser using Linode's AJAX console?


I've completely ruined networking and disabled root logins on a Linode VPS, but could still access that same VPS as root using Lish.

thisduck 5 days ago 0 replies      
The title reads like a title one would expect from the future.
Pent 5 days ago 0 replies      
This reminds me of a situation when I first signed up for Linode... my password on my account inexplicably changed one day (I use LastPass so no I did not type the randomly generated password wrong). I contacted support and they fixed it, but I still remember questioning why or how...
nazgulnarsil 5 days ago 0 replies      
Not having your wallet separately encrypted means you're asking to be robbed.
jaredstenquist 5 days ago 2 replies      
Since my $1,000 worth of bitcoins dropped in value to $150 over a period of weeks, I've become significantly less interested in using it as a currency.
dedward 5 days ago 0 replies      
Without passing too much judgement........ it's common sense that as your revenue goes up, the time and effort put into ensuring you are on an appropriate platform should go up as well.

Because sh*t happens...... whether we like it or not. Even if the technical requirements are light and it runs fine on a tiny linode, that might not be the right place from a security or integrity point of view, depending on the value of the app.

(for me, a digital wallet worth that much, I'd want at my home..... where I can control it)

dale-ssc 5 days ago 0 replies      
We install a little script that runs at boot up to page us if /.expected-reboot isn't present (or removes it if it is). Then, to reboot systems, we run expected-reboot, which is a tiny script that touches /.expected-reboot before calling shutdown.

Wouldn't have prevented this but would likely have paged this unfortunate soul when his machine rebooted unexpectedly.

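The expected-reboot marker described above, as an added example in Python; it is not dale-ssc's script, and the marker path, pager and shutdown command are placeholders.

```python
"""Unexpected-reboot pager: at boot, page unless the reboot was announced
beforehand by touching a marker file. Added illustration of the technique
in the comment above; marker path, pager and shutdown command are placeholders."""
import os
import subprocess

MARKER = "/.expected-reboot"  # as in the comment; any root-owned path works


def mark_expected_reboot(marker=MARKER, shutdown_cmd=("shutdown", "-r", "now"),
                         run=subprocess.run):
    """The 'expected-reboot' wrapper: record intent, then hand off to shutdown.
    `run` is injectable so the function can be exercised without rebooting."""
    with open(marker, "w") as fh:
        fh.write("planned\n")
    run(list(shutdown_cmd), check=True)


def check_boot(marker=MARKER, page=print, hostname="host"):
    """Run from an init/rc script at boot. Returns True if the reboot was expected.
    Expected: consume the marker so the next boot is judged afresh.
    Unexpected: page, since nobody with access asked for this reboot."""
    if os.path.exists(marker):
        os.remove(marker)
        return True
    page(f"{hostname}: rebooted without an expected-reboot marker; investigate")
    return False


if __name__ == "__main__":
    check_boot(hostname=os.uname().nodename)
```
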
shirro 5 days ago 0 replies      
I am off to store some cash in my car and put all my important docs in a bus locker. BRB.
motters 5 days ago 0 replies      
The lesson repeatedly not being learned seems to be that it's not a good idea to keep wallet files on other people's servers, where you have no control over their security process.
opendomain 5 days ago 1 reply      
I know that bitcoin is supposed to be anonymous but is there any way to get these back? I mean are there some logs or were they signed by his account or anything?
cpt1138 5 days ago 0 replies      
Update from linode: http://status.linode.com/
shirro 5 days ago 1 reply      
Linode compromised! That is important news that concerns me. If the headline didn't mention the BitCoin scam that HN is always pumping would it have made it to the front page? Certainly haven't heard anything from Linode :-(
ropable 5 days ago 3 replies      
For those of us late to the Bitcoin idea, how does one "steal" Bitcoins? Is it the equivalent of copying someone's private key and then deleting all their copies of the key?
jaequery 5 days ago 2 replies      
I think bitcoin could use another layer of authentication to verify the person is indeed the owner of bitcoins.
ianloic 5 days ago 0 replies      
Why the fuck are people putting their bitcoins on servers that they don't control? That's just stupid.
beedogs 5 days ago 0 replies      
LOL, bitcoin.
tantalor 5 days ago 1 reply      
If this was sensitive data why was it not encrypted?

Replace "bitcoin wallet" with "medical history" or "credit card numbers".

DiabloD3 5 days ago 4 replies      
The writeup of this is rather suspect. What happened is someone guessed slush's Linode account password, and used the root password reset feature from there.

What I don't understand is why does such a feature exist, why doesn't Linode require >16 character length passwords that are sufficiently random (or eschew password auth altogether), and why does slush (apparently from what I can tell) allow password auth for ssh AND allow root to login on ssh.

Responsible Disclosure Policy github.com
311 points by mnilsson  2 days ago   78 comments top 15
georgemcbay 2 days ago 4 replies      
Speaking as someone who isn't a Rails developer (but does use GitHub Enterprise for work projects), when this first broke I was on the side of github and thought homakov was acting irresponsibly.

Now that more background is coming out, I think he probably did the Rails community at large a huge favor here. Had this just been fixed quietly on GitHub, that would certainly be better for GitHub's PR but the wider community might never have realized the lurking horror that the Rails team appears to have been unlikely to do anything about other than point people to the existing docs.

This situation shows that pointing people to those docs was clearly an inadequate solution. If GitHub (arguably the poster child for Rails apps outside of 37signals' own apps) could fuck this up, anyone using Rails could. All of this exposure to the problem is net positive for everyone using Rails other than GitHub and the core Rails team, IMO.

JumpCrisscross 2 days ago 10 replies      
Given that:

(1) the nature of the suspension was not communicated to Egor at the onset of the situation, nor,

(2) noted in the blog post [1] describing how Github "detected the attack",

I am inclined to believe that this is a response to the furious reaction to their suspension decision and was not, as this post implies, the game plan from the beginning.

It's healthy that they've reversed their suspension but the lack of transparency (not to mention potential dissembling) on the decision process regarding the revocation is still troubling.

[1] https://github.com/blog/1068-public-key-security-vulnerabili...

kragen 2 days ago 1 reply      
The problem I see with this blog post is something I haven't seen mentioned in the comments. It's not GitHub's place to set policy on what kind of disclosure is or isn't "responsible". Egor Homakov's responsibility is not to GitHub; his responsibility is to other users. His moral duty upon finding a security vulnerability is to act in such a way that other users will be minimally hurt. It appears that he has fulfilled that responsibility spectacularly in this case.

GitHub has no business demanding his, or your, agreement to a legal contract that prohibits you from exercising your best judgment in such a case.

Furthermore, "responsible disclosure" is a propaganda euphemism for "allowing irresponsible vendors to cover their asses, possibly at the expense of their users". Terms like "responsible disclosure" have no place in a serious discussion. Please see the blog post by the Google security team at http://googleonlinesecurity.blogspot.com/2010/07/rebooting-r... for further details.

gbrindisi 2 days ago 1 reply      
I hate to be the one pointing this out, but it's a shame that a company like GitHub will reward responsible disclosures just with a thank you and the promise to not pursue legal action.


"white hat researchers are always appreciated"

joedev 2 days ago 0 replies      
Another in the long line of Silicon Valley companies screwing up and then getting kudos from the community for handling the screw up. It's getting tiresome to see people get accolades for basically doing their job, after failing to do their job.
dthunt 2 days ago 1 reply      
Honestly, I am less likely to want to use github in light of this announcement. You handled this incident badly, and then didn't acknowledge it, nor offer the much-needed props to Egor for exposing an issue you guys didn't think was serious.

If this is how you react to someone who WANTS to tell you about a serious problem, what percentage of the people who don't love you enough to put a tattoo on themselves are likely to report an issue versus sell it to one of the many buyers of 'sploits who exist out there?

The reality is that these folks generally don't want to hurt you, they just want you to understand the thing you won't admit. When it happens, and you've got egg on your face, grow a pair and cop up to the fact that you/the system failed, and GIVE PROPS. Fix the issue, move on, and award the guy who did you a solid by finding an issue his 15 minutes of fame.

sneak 2 days ago 0 replies      
Their claim that his exploiting the vulnerability (in a completely benevolent fashion) was not "responsible disclosure" is bogus.

They need to stop trying to cover their ass and just apologize for suspending the guy.

ashamedlion 2 days ago 0 replies      
Impressed by how Github handled this. It's easy to get red-faced and smack down with a hammer, and it's hard to remain level-headed and come to the best decision. This seems like it was, in fact, the best decision.

For those of you who didn't see, they were quick to update people and be on the ball: https://github.com/blog/1068-public-key-security-vulnerabili...

dhconnelly 2 days ago 0 replies      
This is a great response to this clusterfuck. These guys have a responsibility to react slowly and deliberately. I'm impressed they got the problem solved and two public statements out on a Sunday. This is why I'm happy to be a paying customer.
skeletonjelly 2 days ago 2 replies      
"and we worked with him to fix it in a timely fashion"

Did this take place in private? I can't see any evidence of this from his issue on the rails repo.

spullara 2 days ago 1 reply      
The thing I haven't heard a straight answer on is 1) how long has the bug existed, 2) have they proved that it wasn't previously exploited.
ktizo 2 days ago 0 replies      
At least, after this, there should be a few people picking through github with a pin to look for other vulnerabilities.
gnu8 2 days ago 1 reply      
(Ir)responsible disclosure always does more harm than good. Making these issues public is the only reasonable thing to do.
ig1 2 days ago 2 replies      
What the guy did was not only morally irresponsible but also criminal.

The security community has long had an accepted standard of responsible disclosure, which involves informing the vulnerable party beforehand and allowing them time to fix the problem before publicly disclosing it.

Publishing a vulnerability before giving those vulnerable a chance to fix it is irresponsible, using it to compromise a system is criminal. He was getting off light from getting his account suspended, GitHub could push for a criminal prosecution resulting in deportation and serious jail-time for his actions.

It doesn't matter what he did after the compromise (whether it was benevolent or not), the compromise of an account not held by him puts him clearly into the "black-hat" category.

JulianMorrison 2 days ago 2 replies      
Honestly I have no idea why they didn't just ban him and say "don't hack us". It really should be that simple.
Nobody Wants to Learn How to Program inventwithpython.com
310 points by jemeshsu  3 days ago   106 comments top 29
nhashem 3 days ago 4 replies      
When I was in high school (late 90s), they had kind of a weird curriculum for teaching programming. We had AP classes for Computer Science A/AB, which you had to be at least a sophomore to take. There was also a class called 'Computer Programming' that anyone could take, which I did as a freshman, although the students in the class were actually pretty evenly distributed between all four grades.

Basically we were taught QBASIC and given assignments. The first few weeks seemed pretty mundane as the OP describes, getting into conditionals and loops, etc, but after we learned those, my teacher told us to make something like a 'Choose Your Own Adventure' text-based game. I remember loving that assignment and even compiling it as an EXE and sending it to my other friends. This pretty much followed through the whole year, learning some new programming concept (arrays, functions, etc) and then making some sort of game as an assignment. We had the usual "write a program to display all the factors of a number" assignments too, but I just remember loving the game projects. I didn't know anything about Big-O or AVL trees or whatever, just that I could create cool stuff on a computer.

In 10th grade I took Computer Science A, and about half the class hadn't taken Computer Programming already. The material was a lot drier, obviously, and I remember a lot of those students switched out. I witnessed the same thing my freshman year of college -- no 'Choose Your Own Adventure' games as assignments, just grueling midterms on polymorphism and inheritance.

So this post really resonated with me, because my thoughts have basically echoed this for awhile -- why isn't software engineering taught as a discipline that can let you implement and create, since that's exactly what it is?

edtechdev 3 days ago 2 replies      
This is stuff educational researchers have known for over 20 years, and theorists have known for 100 years (John Dewey). It's called situated cognition. Learning happens in context. You have to give students a reason to learn, not just learn something for its own sake. It explains why for example a Brazilian street kid may be a whiz at math, and a 6 year old may have hundreds of Pokemons memorized. See for example the work by James Paul Gee or Jean Lave. John Dewey said 100 years ago that we shouldn't educate just to prepare kids for a future they know and care little about, we should educate them for today, teach them stuff that is useful and interesting to them today.

An example of my own - at 9 my father attempted teaching me programming with basic - I thought it was pretty boring all that work just to draw a US flag on the screen, especially compared to the videogames I was playing. I was similarly bored with a basic programming class in high school and a survey of programming languages (lisp, C++) class in college (worst class I ever took in my life, actually).

It wasn't until early college when I started making CGI web applications, games, and educational software that I learned real programming and saw the value of it (along with the value of similarly boring calculus/linear algebra stuff).

I disagree with the author of this article's put down of GameMaker and similar tools. Python was not designed for beginners, and neither was Javascript, of course. Right now Scratch may be the best tool for teaching kids how to program, although it is very limited and not so great for creating games as other tools.

zedshaw 3 days ago 4 replies      
I have about 200k+ unique visitors a day reading my books, and over a million since I started tracking in May last year. I have comments on nearly every exercise on my books, which means people are actually going through them. I have 2200 people taking my udemy course which is the most popular paid class on the site (last time I checked). My books are used in workshops all over the world, have readers from all over the world, and have taught people from nearly every age group that can read English.

And my books do exactly what this article says you shouldn't do.

I'd say if nobody wants to learn basic programming concepts from you, then it's not the concepts, it's you.

karpathy 3 days ago 2 replies      
This post very eloquently expresses what I've believed for a long time as well.

It really hurts me to see newbie programmers in first year classes going through Java, writing getter and setter methods for a monster Object Oriented cash register or something. The code is spread across 40 different functions in 10 files, each function containing at most 5 or so lines of code. I'm sure it is a nice starter code for an amazing cash register application that can potentially scale to thousands of lines of code correctly, but it is not the way to teach programming. What a disaster.

I've made my own set of tutorials in the past on programming (see the set at http://karpathy.ca/phyces/tutorial4.php, though this set is for intermediate students who are already familiar with coding). I've always felt that coding should be taught in context of doing something concrete, not just by itself. Snippets of code without the whole don't mean anything. I also take a somewhat extreme view in that I think that game programming specifically is the best way to teach, because making games is engaging and students learn all the programming only as a by-product. Once they are comfortable with the basics, they should be introduced to progressively larger code bases, and at some point it becomes obvious why Object Oriented paradigms, for example, are a good idea.

As a last point, I think Udacity recognizes this as well and shares a similar philosophy. Notice their first two classes: "How to build a Search Engine" and "How to build a Self-driving car", not "101: Computer Programming", with Chapters 1. Variables, 2. Control flow, etc.

trjordan 3 days ago 2 replies      
As I sit here, past 3 in the morning, playing with an Arduino for the first time, I find myself thinking...


The Arduino folks have this whole thing nailed. The install process (especially for something that involves, you know, buying resistors) was super-easy. The examples seem endless (they have a UDP implementation? Nifty!). The troubleshooting page is relevant and specific. The default environment is so stripped down it hurts, but you know what? I don't care.

This _feels_ like I'm just getting started again, and I'm totally jazzed about it. This whole system is approachable, understandable, and _fun_.

jdietrich 3 days ago 1 reply      
To quote eight-time champion bodybuilder Ronnie Coleman:

"Everybody wants to be a bodybuilder, but don't nobody wanna lift no heavy ass weight."

georgieporgie 3 days ago 9 replies      
Can anyone with kids comment on whether or not computers are even exciting and empowering anymore?

When I was eight, we got a Commodore VIC-20. It plugged into the TV and booted into BASIC. Just running PRINT statements and simple loops was unbelievably cool. I learned key positions (and how easily mistakes are made) by spending hours typing in bytecodes printed in magazines. With any luck, at the end of it, a completely unforeseen game would appear.

Getting to play with Logo on the Apple ][e was awesome, too. Shapes and angles and horribly flickering animations were exciting.

Now, it seems to me that the difference between Dive Into Python (or whatever) and Call of Duty are so immense, that even running Hello World would be a disheartening experience. But maybe I'm just too nostalgic.

Incidentally, I distinctly remember from my first proper high school programming course (Pascal) that the instructor asked why we wanted to learn programming. Every single student responded, "to make games."

endlessvoid94 3 days ago 0 replies      
"If you want to build a ship, don't drum up the men to gather wood, divide the work and give orders. Instead, teach them to yearn for the vast and endless sea." - Antoine de Saint-Exupery
AlexeyMK 3 days ago 1 reply      
The cleanest comparison I can think of is, nobody wants to work out. They want to look good, feel good about themselves and be admired and have their pick of their opposite sex.

This makes sense, as does the fact that working out can get you there. They don't want to work out, they want to _want to_ work out.

At the University of Pennsylvania, we (CS club) held a Codecademy-style event (hackertrails.com) targeted mainly at business folk. We had 150 folks, mostly MBAs, show up to the first event and maybe 15 to the second.

They want to start companies, and get that programming gets them there. But they don't actually want to learn to program, they _want to_ want to.

kiba 3 days ago 0 replies      
The more material you give your students to plagiarize, the wider the range of derisive works they'll make from them.

Derisive should be derivative?

mrich 3 days ago 0 replies      
Nobody wants to work hard (learn to program), everybody wants to show off a coding masterpiece, say Quake or Future Crew's Second Reality, to their friends. A good teacher leverages the latter to motivate students to do the former.
j_baker 3 days ago 1 reply      
I agree with the general principle behind this. But I don't agree with it in practice. It's a bit like saying "Nobody wants to learn how to drive, they want to learn to get to the store.". And strictly speaking, that's true. I mean, nobody wants to know about how to use the steering wheel or blinkers. Now, the first time I got behind the wheel, did I get to drive to the store? No. I got to drive around the parking lot after taking a class about how the steering wheel and blinker work.

Now clearly this example is different from programming because it's much more difficult to hurt or kill someone learning to program than it is when learning to drive, but I'm not convinced that the general principle is any different. With programming, you've simply gotta learn about variables and loops, just like you've gotta learn how the steering wheel and blinkers work.

What I'm concerned about with this approach is that it might give newbies a premature sense of accomplishment that might hide just how difficult programming really is. In other words, it's like trying to convince someone that they've driven to the store when all they've done is driven around the parking lot.

john2x 3 days ago 0 replies      
I think part of the problem why some aspiring programmers give up is because the bar is too damn high. They get fed a constant stream of beautiful 3D games and iPhone apps, and when they start to make one (from following a book/tutorial, for example), it looks like shit compared to what they/others are expecting and they lose their initial enthusiasm.

Compared to a few years ago where a simple 2D/text-based game is already considered pretty cool.

capkutay 3 days ago 1 reply      
While learning piano, no one wants to sit in a room playing scales over and over. They want to play Claire De Lune. Programming is similar in that it can be an art but it is first and foremost a skill. You need to struggle with boring parts until you figure out that you can actually make very cool things...but first you need to learn about loops and variables.
hnwh 3 days ago 1 reply      
This is one thing that Logo got right. You didn't learn to program, you learned to draw cool pictures and animations with the turtle
nazgulnarsil 3 days ago 2 replies      
plenty of people are fine with learning how to program. It's Learning How To Program that people don't want to do. I blame hiring practices TBH. If anything programming should be the ONE field that leaves the bullshit signaling aside and just hires people who can make things work.
geon 3 days ago 2 replies      
I taught a high school level intro class in C++ programming. Sadly, it was very short, only 1.5 weeks of 2 hours per day, so we didn't even have time to cover classes.

What I would like is to walk the class through implementing a naïve Brainfuck interpreter, optimizing it, then implementing a Brainfuck-to-C compiler and optimize that.

It would bring a whole lot of understanding I didn't gain until much, much later.

After that, a simple text based adventure game engine to illustrate data driven programming.

That would show the difference between hard coding behaviour in assignments and creating actual useful applications. It would also show that doing it properly isn't necessarily more difficult, and is definitely less code.

jiggy2011 3 days ago 0 replies      
Perhaps a good way to teach people beginning programming would be to show them how to use a simple web framework.

It would have to be something purpose built to be easy though probably with a dedicated language.

A bit like this:

No libraries or APIs , everything required is built into the standard library.

Database is a simple key/value store that can be used transparently within the language. Something like "Store X = 3" and "Get X" where X is the key name.

Of course you would need some form of lists too, not sure what a friendly syntax for that would be.

Very simple looping syntax, in my experience beginning programmers struggle with this more than anything else.

Something like, "do X 3 times" where of course X would be a subroutine, this would make functional programming seem quite natural later.

A WYSIWYG HTML editor that can integrate seamlessly with the language itself. Save teaching HTML/CSS until later.

Very friendly error messages that provide links to simple documentation that explains where they have most likely made the mistake.

Documentation should include many videos as well as text.

Graphical debugging should also be taught through a super simple debugger that just dumps the values of every variable at a breakpoint and allows users to browse the DB.

One click "deploy to web"

danso 3 days ago 0 replies      
I disagree that regular expressions should be deferred to later. For professionals who are trying to figure out what value programming has for them, regexes have more use than game concepts
hsshah 2 days ago 0 replies      
I believe (and teach) programming the way I learn a new language ('Human' language not a computer language).

It should be segmented in a way that at the end of each segment there is a 'reward' (an application of the learning that is considered beneficial/cool by the student) and a 'desire' to learn more to achieve the bigger reward.

So typical segments for a new language could be:
- bragging/showcasing to your family and friends that you know how to count some numbers and words
- being able to order food in a restaurant in the new language
- communicating with someone who speaks only the new
- being able to enjoy a TV show/movie in the new language etc

That's why I really like Scratch tool. I can gradually introduce new capabilities (and implicitly new programming concepts).

AznHisoka 3 days ago 3 replies      
Is this the same with foreign languages as well? No one really wants to know the rules of a grammar. They just want to impress others, understand anime or foreign TV shows, or curse in another language.
crewtide 3 days ago 0 replies      
As someone who learned to program in my 30s (spent my 20s as a professional musician) I can't agree more. The book that was recommended to me was K&R, which I found so dry as to be impossible to read through. The first book I really used was C++ in 21 Days, which has you writing working programs from...well, from day 1.

I always thought the reason for this problem in teaching programming is that what you need to know when switching to a new language is totally different from what you need to know when you don't know how to program. If you already know how to program, the first thing you need to know is the syntax: data types, iterators, etc. It's like being a carpenter and going to a new shop -- what are the tools? But if you don't know how to use the tools, being told the torque on an impact wrench is completely useless information. Not only is it useless, it's easy to look up, and therefore a waste of time to teach.

I now help teach the Boston Python Workshop, a weekend workshop for non-developer women and their friends. We do cover loops and data types on Saturday morning, but then all afternoon is projects -- building programs that cheat at scrabble, access twitter, and draw colored grids.

I totally understand why experienced programmers teach the way they do -- it's what they'd want to know. But the focus should not be on the language, it should be on the skill of how to program regardless of language. And yes, that's really hard to teach.

leouznw 3 days ago 0 replies      
That reminded me of how I learned programming. At the beginning of the course I wasn't at all into it, learning Pascal, printing words into a black window, but when I started my project, I got a goal and it became very fun and I was very enthusiastic about it...

I think sometimes the common sense of the right way of doing things isn't the best way. Another thing that comes to my head about that is when you end up in big projects with very complex design patterns applied, but since nobody besides the creator fully understands the pattern, and the turnover of people in the project is very high, the thing becomes a mess.

Teaching is about making your students enthusiastic, and programming is about making programs with readable code...

But what I really see today is teaching about being difficult with a ton of unused things, and programming about being as complex as you can...

Craiggybear 3 days ago 0 replies      
I agree that involving beginners with OOP is a distraction -- albeit a very important principle. But they must be able to write their own modules, functions and classes first then be comfortable with exporting those then OOP can come naturally from that. Most software is still highly procedural in nature (while it may consume and refer to objects) and even in languages like Python where everything is an object you can still write software that has a clearly defined beginning, middle and end. Once you have a handle on all that, you can then start utilising the objects and their properties and that is huge fun in Python and Ruby.
projct 2 days ago 0 replies      
Randy Pausch helped create Alice, which is a bit like a modern Logo or Mindstorms - helps you create 3d animations and various other cool stuff, while teaching Java syntax.

http://alice.org/ (and if you haven't seen it yet, Randy's last lecture is amazing... http://www.cmu.edu/randyslecture/ )

JVIDEL 2 days ago 0 replies      
I think the biggest fallacy these days is that "programming is easy". I bet pilots think flying is easy, and surgeons will repeatedly tell you cutting someone open and removing this vestigial part of the cecum is routine, but if you did that the patient will bleed to death from the first incision.

My point is that coding might be easy for you, easy for me, and it must be easy for most people here, but the rest of the world?

I'm going to sound like Spock here but most individuals out there aren't logical. People out there don't think in terms of ¬P->Q, so for them even the basics of programming are very hard, if not impossible to understand.

And even if you work around your limitations and learn how to program there's a long way between "hello world" and the engineering behind the kind of stuff that motivates most people to learn how to code, like building the next Google.

Tycho 3 days ago 1 reply      
On a related note, I put an advert on Gumtree a while back offering to teach/tutor people in programming for free, but didn't get any responses.
altrego99 3 days ago 0 replies      
Well, I do. And I also did, in 1990's, when I was 10 years old.
loveitbaby 2 days ago 0 replies      
There are two ways to teach programming:

2. Everything else

If you think there is a method in (2) that is superior to the method in (1), then please reply to this comment.

How Homakov hacked GitHub & the line of code that could have prevented it github.com
302 points by petenixey  2 days ago   84 comments top 23
danso 2 days ago 2 replies      
I hope those who ripped into Homakov initially are feeling more mellow towards him. They certainly were justified in thinking him rash, but his action raised far more awareness about this issue than the typical proper channel.

Rails devs (some, not all of them) had dismissed his complaint because "Every Rails developer hears about attr_accessible." Well, I'll be the first to say that I can't remember the last time that this update_attributes vulnerability had been pointed out to me. I certainly can remember all the times that the Rails docs remind me to use their sanitizing helpers when making ActiveRecord queries.

To be fair, I haven't developed apps that required the use of user-facing access to update_attributes, and maybe when I got around to using that, I would've wisely consulted the dev guides to make sure I was following best practice. But knowing me, I probably would've likely thought, "Well, that seems simple enough, here goes."

It's not that the logic behind this vulnerability is hard to understand...in retrospect, it's as clear and blatant as the processes that lead to SQL injection.

But surgical patients die because elite surgeons sometimes forget to wash their hands (Google "Atul Gawande checklist"). It's not an impossibility that a skilled dev team would overlook the update_attributes issue.

The Rails team was right in arguing that this wasn't a security risk given a half-competent dev. But they were looking at the problem from the wrong perspective and assumed that everyone is as familiar with Rails best practices as they were. So how else could Homakov convince them otherwise other than pricking a high-profile dev group?

What if Homakov managed to alert the Github team, and they managed to fix it quietly? Github would be safe but thousands of Rails sites would still be operating in ignorance. It truly stinks for the Github group that they had to respond to a five-alarm emergency on a Sunday...on the other hand, I think there are going to be a lot of Rails devs who are thankful that they (involuntarily) took one for the team. Thanks to Homakov, it was a small hit.

jarrett 1 day ago 4 replies      
Homakov kind of gave the impression he had discovered a previously unknown vulnerability in Rails. This is not the case. Rather, he discovered an instance in which one very prominent Rails app (Github) failed to implement a standard Rails security practice.

For those not familiar with Rails, it boils down to this: You as the programmer need to use a security feature built into Rails called mass assignment security. If you fail to use this feature, you have a vulnerability. In other words, the default is insecure by design. The alternative would be to make Rails secure by default, but that would mean pretty much nothing would work until you explicitly granted access where necessary. I guess the core team figured "not working by default" was worse than "insecure by default."

Homakov obviously disagreed with this design decision. I can understand why, and I mostly feel the same way.

So Homakov posted an issue to the Rails repo Github (https://github.com/rails/rails/issues/5228) suggesting the default be changed. He made a good case and was initially polite. A few days passed, and nobody else had posted to his thread.

So, presumably to draw attention to this issue, he exploited the fact that Github had failed to use mass assignment protection. Specifically, he posted a comment with a far-future timestamp, which obviously should be impossible. (I think that's what he did, although Github seems to have fixed the timestamp now.) He then said this should be proof enough that the Rails defaults need to be changed.

The problem with Homakov's argument, as pointed out in subsequent comments in the thread, is that Homakov's hack only demonstrated a mistake on Github's part, not a bug in Rails. It didn't prove anything about Rails that we didn't already know. The only thing surprising he demonstrated was that Github had left open a rather serious vulnerability.

TL;DR: Rails has some less-than-secure defaults which all Rails developers are expected to understand and deal with. Homakov found out that Github failed to do so in at least one instance, and he wanted to use that as proof the Rails defaults should be changed.

jgrahamc 2 days ago 1 reply      
It's surprising to me (not a very experienced Rails developer) that the default behavior should be so open to abuse.

Why isn't the default the opposite?

jazzychad 1 day ago 1 reply      
Is it really frowned upon to do:

    user.name = params[:user]['name']

?? Call me old fashioned, but this is called 'defensive coding' and should (in my opinion) be the norm when dealing with client-generated input. It might be more verbose and not 'The Rails Way', but update_attributes seems like too much magic for my paranoid taste.

adriand 2 days ago 3 replies      
I agree that the default for Rails should be more secure, but this was a really basic mistake by the GitHub team. Yes, mistakes do happen, but there's a very simple way to avoid the exploit that is postulated in this article.

The 'schematic' of what the public key update looks like from the original post:

    class PublicKeyController < ApplicationController
      before_filter :authorize_user
      def update
        @current_key = PublicKey.find_by_id params[:key]['id']
        # ...
      end
    end

The correct way to code this is as follows:

    class PublicKeyController < ApplicationController
      before_filter :authorize_user
      def update
        @current_key = current_user.public_keys.find params[:key]['id']
        # ...
      end
    end

This has two updates to it that protect against this exploit:

1. Rather than calling "find_by_id" on the PublicKey model, which searches all public keys, you call it on the current user's list of public keys. This scopes the search down to the public keys that they own. Thus, if you pass in the id of a key they do not own, it will not be found, leading us to:

2. Using "find" instead of "find_by_id" will trigger an ActiveRecord::RecordNotFound error (404) if the resource is not found. Of course, find_by_id will just return nil in this instance, so the update_attributes part would still fail, but triggering a 404 is an easier, cleaner way of dealing with this, I think.

It's really very simple: you don't let people access stuff they don't own.

Now, this does not protect you against faked timestamps, or against privilege escalation by passing in a faked "role" parameter, and so on. You still need to use attr_accessible to protect yourself from that stuff, but scoping resources down to the user who owns them is a simple technique that should be standard practice for applications with authentication.
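Added example, not code from the GitHub post or from any commenter: a plain-Ruby stand-in for a Rails model and its update action that contrasts unfiltered mass assignment with an attr_accessible-style whitelist and an owner-scoped lookup, the two separate controls this comment and the thread describe. The PublicKey class, the in-memory key table, the user ids and the update_key helper are all constructed for illustration; nothing here calls Rails.

```ruby
# Added example (not code from the GitHub post or from any commenter).
# A plain-Ruby stand-in for a Rails model and its update action, showing
# why an unfiltered update_attributes lets a request body rewrite
# `user_id`, and how an attr_accessible-style whitelist plus owner-scoped
# lookup close two different gaps. Names and sample data are constructed.

# Stand-in for ActiveRecord::RecordNotFound (Rails answers it with a 404).
class RecordNotFound < StandardError; end

class PublicKey
  ATTRIBUTES = [:id, :user_id, :title, :key].freeze
  attr_accessor(*ATTRIBUTES)

  # Per-class whitelist, mirroring Rails' attr_accessible.
  def self.attr_accessible(*names)
    @accessible = names.map(&:to_sym)
  end

  def self.accessible_attributes
    @accessible || []
  end

  def initialize(attrs = {})
    attrs.each { |name, value| public_send("#{name}=", value) }
  end

  # Insecure-by-default behaviour the thread discusses: every key in the
  # request hash is written to the record, `user_id` included.
  def update_attributes_unprotected(params)
    params.each do |name, value|
      name = name.to_sym
      raise ArgumentError, "unknown attribute #{name}" unless ATTRIBUTES.include?(name)
      public_send("#{name}=", value)
    end
    []
  end

  # Whitelisted behaviour: keys outside attr_accessible are dropped;
  # the rejected names are returned so the caller can log them.
  def update_attributes(params)
    rejected = []
    params.each do |name, value|
      name = name.to_sym
      if self.class.accessible_attributes.include?(name)
        public_send("#{name}=", value)
      else
        rejected << name
      end
    end
    rejected
  end

  # Only the fields a user may legitimately edit on their own key.
  attr_accessible :title, :key
end

# Constructed in-memory "table": user 10 owns key 1, user 20 owns key 2.
# Built fresh on each call so scenarios do not bleed into one another.
def fresh_keys
  [
    PublicKey.new(id: 1, user_id: 10, title: "alice-laptop", key: "ssh-rsa AAAA...alice"),
    PublicKey.new(id: 2, user_id: 20, title: "bob-desktop", key: "ssh-rsa AAAA...bob")
  ]
end

# Owner scoping, like current_user.public_keys.find(id): the lookup is
# restricted to the caller's own keys, so a foreign id is simply not found.
def find_owned_key(keys, current_user_id, id)
  keys.find { |k| k.user_id == current_user_id && k.id == id.to_i } or
    raise RecordNotFound, "key #{id} not found for user #{current_user_id}"
end

# Simulated update action. `params` stands in for params[:key] from a PUT.
# Returns [http_status, key_or_nil, rejected_attribute_names].
def update_key(keys, current_user_id, id, params, protected: true)
  key = find_owned_key(keys, current_user_id, id)
  rejected = protected ? key.update_attributes(params) : key.update_attributes_unprotected(params)
  [200, key, rejected]
rescue RecordNotFound
  [404, nil, []]
end

if __FILE__ == $PROGRAM_NAME
  # User 20 updates their own key, but the body also carries another user's id.
  body = { "title" => "renamed", "user_id" => 10 }
  _status, key, _rejected = update_key(fresh_keys, 20, 2, body, protected: false)
  puts "unprotected: key 2 now owned by user #{key.user_id}"   # 10: ownership rewritten
  _status, key, rejected = update_key(fresh_keys, 20, 2, body)
  puts "whitelisted: key 2 owned by user #{key.user_id}, rejected #{rejected.inspect}"
  # User 20 aims at key 1, which belongs to user 10: owner scoping yields a 404.
  status, _key, _rejected = update_key(fresh_keys, 20, 1, body)
  puts "foreign id: HTTP #{status}"
end
```

Owner scoping alone would not have stopped an update to one's own key, and the whitelist alone would not stop edits to someone else's key; the two checks cover different requests.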

LargeWu 2 days ago 1 reply      
Just a heads up for those who only read the TL;DR: Please be aware that if you just put that single line of code in your initializers for your existing app, your app will break anywhere you are using update_attributes(). They do call it out later in the article, but you have to set attr_accessible on all your models.
yumraj 2 days ago 1 reply      
I must say that this episode is the best example of how to handle such cases.
Homakov found the issue and made his point without any sign of maliciousness.
Github also handled it extremely professionally by accepting it and fixing the problem and then publishing a full report on it, rather than getting into a pissing match with Homakov and getting law enforcement and lawyers involved.

BigCo's should take a note.

feralchimp 2 days ago 0 replies      
I'm not a Ruby or Rails guy, so I can't comment on how likely a typical (or atypically good) Rails dev might be to code this sort of bug into their app.

But as a security guy, given the power of Public Key assignment in the context of a system for managing access to Git repositories, I can't help but be a little surprised that model objects that touch Public Keys weren't more thoroughly reviewed.

If nothing else, folks everywhere will be thinking a little harder about authorization logic this week.

gphil 2 days ago 1 reply      
I posted a link to the relevant part of it (http://news.ycombinator.com/item?id=3665429) on another thread regarding this exploit already, but the official Rails Security Guide covers this and other common security pitfalls really well. It is worth reading over thoughtfully if you are building a Rails app:


SpoonMeiser 2 days ago 3 replies      
Is it just me, or doesn't this sound very similar to SQL injection, only as applied to an ORM instead?

That is, if my understanding is correct, they're taking user posted data and trivially turning it into a command to update data.

This doesn't sound like a problem with Rails, in the same way that if I turn data I receive from the user straight into an SQL statement, the fact that people can abuse it isn't a problem with SQL.

kristofferR 2 days ago 1 reply      
I wonder how many Rails apps there are out there that are still vulnerable to this sort of flaw. Both GitHub and Posterous have fixed it, but there are probably thousands of smaller, less known Rails sites/apps that still haven't been patched.
rmc 2 days ago 3 replies      
I'm a Python/Django developer and don't really know much Ruby or Ruby on Rails. Does anyone have an outsider's/non-rubyist explanation of how this hack was carried out? Did he modify HTTP headers? POST parameters?
InclinedPlane 1 day ago 0 replies      
I find it hilarious that just in the last few days they've removed register_globals from PHP for good. It seems every language/framework ends up retracing the same set of security/convenience tradeoffs over and over again.
Estragon 2 days ago 2 replies      
Since this vulnerability has been known about for years and experienced crackers have presumably checked for it before, is there any reason to be concerned about more malicious corruption of other repositories on github?
o1iver 2 days ago 2 replies      
"Homakov PUT an update to his own existing public key which included a new user_id. The user_id he used was that of a member of the Rails repository members."

But wouldn't that mean, that the commit would display the username of the user with the `user_id' that he used?

forza 2 days ago 2 replies      
GitHub really needs to clarify if access to private repos was compromised, for how long and if such access would be traceable.
jimworm 1 day ago 1 reply      
DHH does it in half a line: https://gist.github.com/1975644

`attr_accessible` should only be used to protect the attributes that are NEVER modified by users. Access to the rest of the attributes may differ by user role, and should be handled by the controller. Trying to use `attr_accessible` to protect everything leads to enough frustration to make one eventually give up on security.

madarco 2 days ago 0 replies      
It's sad that this same bug was resolved in CakePHP 7 years* ago:
pdufour 1 day ago 1 reply      
I don't find this a good solution. A much better solution is to generate a list of form inputs that are present on a page, then when the form is submitted, check if any of the form inputs were changed / any were added.
Shanewho 1 day ago 1 reply      
Is the solution given in the article any different than using this?

config.active_record.whitelist_attributes = true

Also, this isn't the first time someone's been bit by this:

lattepiu 1 day ago 1 reply      
The real culprit here is HashWithIndifferentAccess, a crutch that throws away a difference that Ruby has for a reason.

The sensible way to do updates, in my opinion, is

    User.update(:name => params['user']['name'])

But there's no way in Rails to keep that syntax while disabling


unclegene 1 day ago 0 replies      
Am I the only one who does not understand what is this about? Oh, no, looks like rails team does neither.
Stupid code can be written in any framework/language. How much experience does one need to understand a simple rule - _never_ use user input directly.
If you have an urge to trust your users - I'd suggest better way:
Show HN: Streak.com - Do sales, support and bug tracking all inside Gmail streak.com
298 points by alooPotato  5 days ago   94 comments top 46
andrewljohnson 5 days ago 2 replies      
This is great timing! We just hired a customer support person this week, and we started using HelpScout.net, but we aren't finding that it's very polished.

We're going to give Streak a shot, and hopefully give you some good feedback.

P.S. You are missing a question mark on your home page: "Want to know where the customer is in the sales pipeline."

donpark 5 days ago 0 replies      
Nicely done. Two concerns: 1) exposure to breakage when Gmail changes, 2) potential introduction of protection against invasive integration.

Google has three options: 1) turn a blind eye, 2) block deep integration (same game AOL played with AIM), or 3) introduce client-side integration API. #1 is temporary. #2 is nightmare for Streak. #3 requires strategy change by Google.

[update] Rapport doesn't have this problem because they are using Outlook PIA to work directly with Outlook object model.

smilliken 5 days ago 0 replies      
We've been using Streak to help with hiring, fundraising, and business development at MixRank. It works really well. I'd highly recommend it to anyone that needs to stay on top of their email.
yurisagalov 5 days ago 0 replies      
Just started using it for our hiring funnel at AeroFS and I already love it. Well done!
toblender 5 days ago 1 reply      
I've been trying to manage customers with emails for a while. What a nightmare. This looks like a great product. But, I'm not sure I'm willing to share all my emails.

I think a good work around would be to create a gmail account specifically for handling client stuff. Or you guys could offer email addresses which are already Gmail-integrated.

Just some notes. Great product, props from Canada :D

petenixey 5 days ago 2 replies      
I was literally thinking earlier today that I wish someone would write this app.

Unfortunately it doesn't play well with Rapportive profiles for me (HD Beach theme, comfortable sizing) - seems to be some jumping over each other.

I realise it must be very hard making bootstrap GMail addons play with each other but it would be great to use the two together

rokhayakebe 5 days ago 0 replies      
Finally, it looks like someone nailed it, or at least has a great start. We want to work inside email, not launch a separate app.
temphn 5 days ago 0 replies      
Any plans for Salesforce integration? Can you use SF.com as a backend?
Jun8 5 days ago 2 replies      
Can you provide some insight as to how this is implemented? Do you use contextual gadgets?
PaulYoder 5 days ago 3 replies      
Exactly what I was looking for!

But please, please start charging for your product. I don't want this product to disappear in a year when you run out of funding and still don't have a sustainable business model.

revorad 5 days ago 5 replies      
Looks nice! But I can't watch any of the videos because clicking on the play button (in the lightbox) closes the lightbox :-) I'm on Safari 5.1.3 on OS X.
latifnanji 5 days ago 0 replies      
Already got my support and deployments team using Streak and it's been an amazing experience! Constantly adding new features and making our lives easier.
firefoxman1 5 days ago 3 replies      
What a beautiful homepage. Professional and...just beautiful!

Would this be compatible with Fluent.io?

asifjamil 5 days ago 0 replies      
nice product. Just out of curiosity, how exactly do you attach your app to Gmail? The way I imagine it: basically, this is just a big javascript application which inserts itself inside the gmail view using DOM manipulation?
aschobel 5 days ago 1 reply      
Login screen is showing an odd domain name, apps.googleusercontent.com, requesting authorization to my account.

  The site XXXXX.apps.googleusercontent.com is requesting access to your Google Account for the product(s) listed below

TomAnthony 5 days ago 1 reply      
This looks extremely cool, and I'm really tempted!

In light of recent things like Path etc. (and without insinuating anything!) - could you clarify what information is sent via Streak's servers, if any?

jayzee 5 days ago 0 replies      
Amazing work guys. Played with it a bit and looks really intuitive and easy to use!
gee_totes 4 days ago 0 replies      
This looks very promising... I've been looking for a CRM solution for my company for awhile. Question: is there a way to set up a gmail filter to add existing client e-mails and contacts into a box?
tomblomfield 5 days ago 1 reply      
This looks awesome - I'd love more information about how it works in a multi-user environment.

For example, if 3 guys in my company do sales, how do we prevent everyone contacting the same leads?

Lambent_Cactus 5 days ago 0 replies      
Really really cool.

Minor copy edit on your splash page - there's a 't' on the end of 'messages' in this section:

Streak Plays Nice
Streak never alters any data in your Gmail. No extra labels, and no moving around your messagest. Streak adds a layer of organization on top of your email and stores this separately and securely in our own cloud.

jpdoctor 5 days ago 3 replies      
Given that Google might acquire your company, why would you want to provide it with 100% of your sales, support and bug tracking information?
grok2 5 days ago 0 replies      
Something I've been thinking I should do, but never got round to. Good idea, will give it a spin. BTW, I was thinking about working on this because a number of Mortgage Brokers I have interacted with in the past have all been using gmail and they all seem to be in desperate need of a CRM solution that integrates with gmail. So, there, a segment for you to target.

BTW, found a typo on the main page -- "messagest".

bkruse 5 days ago 0 replies      
I've used google apps/gmail for years, in my large previous organization and currently in our 100+ organization. Obviously you know this, but this type of "glue" is great - I'm glad you guys took advantage of this. I am in the market place daily, there is NOTHING that compares to this so far. I am excited to see where you take this!
tathagatadg 5 days ago 0 replies      
Some dreams come true. Even when you are not hacking on them.
zerop 5 days ago 1 reply      
Good work, but I think good for Google apps users (only?)....
ajju 5 days ago 0 replies      
I use Streak as a "Personal Salesforce". It has been incredibly useful because it helps me stay on top of 30 different conversations in 5 different contexts.
brettpaden 5 days ago 0 replies      
You need Chrome 15 or better for the extension to install. If you go there and click on the install button without Chrome 15, it generates a JavaScript exception with no visual or textual clues to the user as to what is going on. Person on chat was responsive.
troels 5 days ago 0 replies      
Wow. This is really great. We are just at a point where we consider switching away from Lighthouse for bug tracking. Do you provide - or plan to provide - an api, so it's possible to integrate with other systems?
chrisfarms 5 days ago 0 replies      
This looks really useful, but some parts of a pipeline I might need external people (who are probably not using gmail) to action/move items along a pipeline.

It might be cool if you could generate a URL for a pipeline for someone so they can collaborate (change statuses/comment) without needing to use gmail. Although I haven't really thought of all the consequences of this.

code_pockets 5 days ago 0 replies      
Congratulations to the streak.com team. This is a great product.


This brings another point: There is a need for a better business email application that is as easy to use as Gmail, but is not owned by any of the big 4 (MS, G, APPL, Y!).

harshaw 5 days ago 1 reply      
Looks cool - although my cynical assumption is that this product a) would work great in demos with a simple number of folders, etc. and b) will be a bitch to maintain when Google changes the UI or generated code / structure.

Having looked at the gmail generated source there isn't a human generated component so something trivial like $('#button_bar').appendChild(..) doesn't work requiring more clever approaches (and perhaps the streak guys are insanely clever). If I had the time I'd pick apart the extension source to see how streak works.

zabeth24 5 days ago 0 replies      
I've used the Beta for a multi-user sales pipeline. Worked wonders!
pencilcode 5 days ago 1 reply      
Signed up, and been loving it! For now no slowdowns of Gmail. Is there any way to group boxes together? I created one box per client for some of my clients thinking I would put each issue in there and then figured out that I would have to create a box for each issue. So how do I group boxes, e.g. those belonging to the same project?
halayli 5 days ago 0 replies      
Great product. But I personally prefer to use my inbox for handling mail only and not get it in the mix of other processes like hiring, bug tracking etc...
dataisfun 5 days ago 0 replies      
This is fantastic. Glad you guys came along. I was wondering why it took so freaking long for something like this to show up.
pastaking 5 days ago 0 replies      
This is awesome! Thanks for the great work.
OoTheNigerian 5 days ago 1 reply      
I am having login problems. I am stuck on step 2.
hartcw 5 days ago 0 replies      
Looks impressive so far, I've basically been doing this kind of thing manually in gmail using labels, for supporting Smart Shooter.

So it's free for now whilst in beta, I just might be hooked by the time they start to charge for it..

auston 5 days ago 0 replies      
My question is: Are you guys a YC company? Because you should be!
joshuareeves 5 days ago 0 replies      
Congrats on the launch! I love the UI and set-up process, it's very smooth.
xanadohnt 5 days ago 0 replies      
This looks incredibly useful and well designed. I've shown my CEO; perhaps we'll be incorporating Streak soon. Two copy niggles:

"Streak is great for sales, but did you know you can also use it for: hiring candidates, handling email support, organizing dealflow, fundraising and organizing your personal projects."

This is a question - add a question mark to the end (bonus, invented by Dr. Evil)

"We put indicators right in your inbox to show you which emails have to do with which deals you are working on."

Awkward / run-on. Try - We added email indicators showing you the association to the deals on which you are working. (remove the wordy noun modifiers and prepositional phrases)

instakill 5 days ago 0 replies      
Looks great, but no FF 10 support?
pagehub 5 days ago 0 replies      
Looks cool, is it just for a single user or does it sync with everyone in your organisation?
ramoq 5 days ago 0 replies      
Omar, this is fantastic. You rock
FreshCode 5 days ago 0 replies      
What is the Streak.com stack?
bretr 5 days ago 1 reply      
This looks awesome, is it a Chrome plugin? Is there only Chrome support?
Rich Hickey's new project: datomic.com datomic.com
302 points by indy  1 day ago   102 comments top 28
breckinloggins 1 day ago 5 replies      
It looks like a very cool product/service, but there's something... off... about this landing page. I can't quite put my finger on it. Two things I can think of right off the bat:

1. The use of the term "whitepaper". It's very "enterprisey"

2. It took me a bit of perusing to figure out what the product IS. I think the lead paragraph may need some tweaking

In all, the landing page makes the product feel intimidating. Contrast to Parse's landing page (https://www.parse.com/) where it feels like I'm free to jump right in and tinker with it, but I also get the impression that it will scale up if I need it to. (Yes, I know the two services aren't offering the same thing).

jamii 1 day ago 1 reply      
"Datomic is not an update-in-place system. All data is retained by default."

I'm becoming more and more convinced that your canonical data store should be append-only whenever possible (see eg [1][2] for detailed arguments). It's nice to see first class support for this.

[1] http://nathanmarz.com/blog/how-to-beat-the-cap-theorem.html

[2] http://martinfowler.com/articles/lmax.html

EDIT: Just read through the whitepaper. Looks like the indexes / storage engine form an MVCC (http://en.wikipedia.org/wiki/Multiversion_concurrency_contro...) key-value store, similar to Clojure's STM. Peers cache data and run datalog queries locally.

This could be either an available or consistent system, depending on how cache invalidation in peers works. In the available, eventually-consistent case you have the added benefit that all queries see a consistent snapshot of the system, even if that snapshot is not totally current.

Like most of Hickey's work, the whole thing seems really obvious in hindsight. It also bears a lot of similarity to Nathan Marz' recommendations for data processing and schema design.

gfodor 1 day ago 0 replies      
One question I have is the cold start problem. How can I ensure dropping in a new peer is not going to have a large negative effect on response times? With memcache, you can just prewarm a new node or have clients only round-robin it a few times per request to warm it up. It seems like pre-warming here is going to be more cumbersome since it's not a simple k-v store but will require you to pre-emptively run queries to get there. (Similar to Lucene.)

Edit: Rich's response here:


Seems to imply that non-cached performance won't be so bad anyway. Looking forward to seeing some benchmarks.

fogus 1 day ago 1 reply      
Stuart Halloway provides more information in his Datalog querying in Datomic screencast: http://www.youtube.com/watch?feature=player_embedded&v=b...
puredanger 1 day ago 0 replies      
Rich will be discussing Datomic in his keynote at Clojure/West next week in San Jose (Friday March 16th). Schedule: http://clojurewest.org/schedule

Tickets for the conference are available, including Friday-only tickets for $250. Friday will include Rich's keynote and a keynote by Richard Gabriel as well as lots of other Clojure-y goodness. http://regonline.com/clojurewest2012

jasonkolb 1 day ago 4 replies      
I have to admit I'm a little confused about what this is. I'm taking a coffee break and not really into reading a whitepaper, so take that with a grain of salt, but I'd call that a landing page failure.

That said, it sounds like a database-as-a-service? If so, is the primary benefit the reduced database management load? Or is there some special sauce in here that makes it more capable than other RDBMS or NoSQL databases?

Confusion 1 day ago 0 replies      
Won't this just be another leaky abstraction[1] in which the remoteness of the data will be impossible to ignore[2]? I like the idea of a transparent local LRU 'query'-cache for a remote database[3], but I fear Hibernate-like (or Haskell-like) problems in locating performance bottlenecks.

[1] http://www.joelonsoftware.com/articles/LeakyAbstractions.htm...

[2] "A Note on Distributed Computing" (http://labs.oracle.com/techrep/1994/smli_tr-94-29.pdf)

[3] Please correct me if that synopsis is wrong

brianm 1 day ago 2 replies      
If I read correctly, it is pretty expensive. $0.10 / connection (peer) / hour, plus dynamodb and transactor instance charges. For 100 clients, and not including the dynamodb or transactor instance(s), this makes it a hair more per year than a quad core oracle instance.
politician 1 day ago 0 replies      
The product seems to share characteristics with triplestores and the Sparql query language and append-only persistence mechanism from the Linked Data sphere/movement. Could someone more knowledgeable comment on this similarity?

Some differences:
1. No concept of inference/reasoning
2. No mention of a graph
3. Interesting use of clientside caching / data-peering
4. Clojure serialization vs N3/Turtle/RDF

Some similarities:
1. Quadstores are parameterized by graph, Datomic by time
2. subject-predicate-object model
3. query-anything ( including [ ?s ?p ?o] ??)
4. query anywhere (sending an rdf to a client for local query seems similar)

edit- I give up trying to get HN to render an ordered list. Any help would be... helpful.

DanWaterworth 1 day ago 1 reply      
This is pretty cool, it's very similar to a project I'm working on: Siege, a DBMS written in Haskell [1]. Siege uses roughly the same approach; I didn't know anyone else was working on a distributed immutable DBMS, so this is really exciting.

[1] https://github.com/DanielWaterworth/siege

dpritchett 1 day ago 0 replies      
Neat to see that there's a VM appliance available on launch day. Downloading that now, gonna give it a spin!
rbarooah 1 day ago 1 reply      
I'd like to know how its model of transaction isolation works given that reads and writes are claimed to be independent.

It seems as though a 'transaction' is defined as an atomic set of updates, but doesn't involve reads.

JulianMorrison 1 day ago 1 reply      
This strikes me as yet another NoSQL with a niche in which it will be great. In this case, it's good for a read heavy application with minimal writing, where its working set is a small subset of the total data set and you care a lot about write consistency. It would fail in a smoking heap under heavy write load (single global lock, and the need to push every write to every client cache). It would blow the cache if you tried to do a range scan.
spitfire 1 day ago 1 reply      
Okay, I don't quite get this. The processing gets moved to the client. But what if the dataset involved is too large for the client to hold?
nickik 1 day ago 0 replies      
Nice little find in the comments of a blog. Rich Hickey himself speaks about some of the things people probably care about http://blog.fogus.me/2012/03/05/datomic/.
mark_l_watson 1 day ago 1 reply      
Reading through the site reminds me of append-only CouchDB (or even better, BigCouch); both Datomic datoms and CouchDB documents have time stamps so the state of data is available for different times.

This looks new: local query peers that cache enough data to perform queries (I don't understand how that works, but it looks like indices might be local, with some data also cached locally).

Also interesting that it seems to use DynamoDB under the hood.

locopati 1 day ago 1 reply      
The idea seems very interesting, but the non-free aspect of this seems likely to limit its uptake. I cannot install a version of this for small-scale, personal, or not-for-profit needs other than using a non-durable VM that saves state only when suspended. Even if I buy into the Datomic pricing model and that pricing is not prohibitive, I am still bound to Amazon's pricing model (though hopefully that will expand over time to other cloud services to prevent vendor lock-in).
nuttendorfer 1 day ago 2 replies      
Can't see content on any of the pages in Opera.
bilalhusain 1 day ago 0 replies      
As a developer, I find datomic easy to use. The getting started, running examples, tutorial, reference, the in-memory environment, the downloadable appliance - everything is so smooth. Last time I had a similar feeling was when I tried CloudFoundry.

Things should be like this - intuitive, some seed data and kickstart code w/ just enough documentation for when you get stuck.

swalsh 1 day ago 4 replies      
Clojure is an amazing language, so I'm willing to go the extra mile to attempt to understand this work. However there's one thing that I can't get over. From my understanding, the big idea is the query engine is brought local, and the storage would eventually come local too. It seems like for smallish db's this is fine. What happens though if you're working with a rather large database?

Additionally, If local means the users client, how is security of the data ensured?

danieljomphe 1 day ago 1 reply      
Thus Datomic would be very great for centrally-operated systems, but not so much with highly distributed systems where many peers are often partitioned out because, for example, they have no Internet connectivity for a few days, and they still need to operate within their limited universe.

So if such a highly distributed system was to use Datomic, it would be harder to guarantee that each peer can work both for reads & (local) writes while being partitioned from the transactor. One would need to program the software to log those new facts (writes) locally before submitting (syncing) them to the transactor. And make that durable. Also, one might also need to make the query/read cache durable, since there's no network to fetch it back in case of a reboot of the peer. So it seems there's a missing local middleman/proxy that needs to be implemented to support such scenarios. At least, thanks to Datalog, the local cache would still be able to be used with this log, using db.with(log).

What do you think, is this use case quite simply implementable over/with Datomic, without asking it to do something out of its league?
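
The append-only, snapshot-read model that jamii, politician, rbarooah and danieljomphe discuss above, worked through as an added example in Python. This is not Datomic's own code, and DatomStore, Snapshot, with_ and the (e, a, v) pattern syntax are this example's names, not Datomic's API; the account data in demo() is constructed for the example. It shows the four points the comments raise: facts are entity/attribute/value datoms tagged with the transaction that asserted or retracted them and are never updated in place; a snapshot taken as_of a transaction keeps answering the same way no matter what is transacted later; a transaction is an atomic batch of writes with no reads in it; and with_ layers a local, uncommitted log on a snapshot so a peer partitioned from the transactor can keep working without touching the shared store.

```python
"""Append-only, time-indexed fact store in the Datomic style (an added
example, not Datomic's code; the names here are this example's own)."""
from collections import namedtuple
from typing import Any, Iterable, List, Tuple

# e = entity, a = attribute, v = value, tx = transaction id,
# added = True for an assertion, False for a retraction of that fact.
# transact() and with_() take (added, e, a, v) tuples.
Datom = namedtuple("Datom", "e a v tx added")


class Snapshot:
    """Immutable view of the facts visible at one point in time. Queries
    against it give the same answer no matter what is transacted later."""

    def __init__(self, datoms: Tuple[Datom, ...]) -> None:
        self._datoms = datoms

    def _live(self) -> List[tuple]:
        """Facts still asserted at this snapshot, in log (= time) order."""
        live: List[tuple] = []
        for d in self._datoms:
            key = (d.e, d.a, d.v)
            if d.added:
                live.append(key)
            elif key in live:
                live.remove(key)
        return live

    def values(self, e: Any, a: str) -> List[Any]:
        """Current value(s) of attribute `a` on entity `e`."""
        return [v for (fe, fa, v) in self._live() if fe == e and fa == a]

    def query(self, pattern: Tuple[Any, Any, Any]) -> List[dict]:
        """Match an (e, a, v) pattern; "?name" entries are variables."""
        results = []
        for fact in self._live():
            binding: dict = {}
            for want, have in zip(pattern, fact):
                if isinstance(want, str) and want.startswith("?"):
                    if binding.setdefault(want, have) != have:
                        break  # one variable, two different values
                elif want != have:
                    break
            else:
                results.append(binding)
        return results

    def with_(self, ops: Iterable[tuple]) -> "Snapshot":
        """Speculative snapshot: `ops` applied locally, nothing committed.
        tx = -1 marks the facts as uncommitted; the shared log is untouched."""
        extra = tuple(Datom(e, a, v, -1, added) for (added, e, a, v) in ops)
        return Snapshot(self._datoms + extra)


class DatomStore:
    """Single-writer log; `transact` is the only way facts get in."""

    def __init__(self) -> None:
        self._log: List[Datom] = []
        self._tx = 0

    def transact(self, ops: Iterable[tuple]) -> int:
        """Atomically append assertions/retractions; returns the new tx id.
        Nothing is overwritten: an "update" is a retraction of the old value
        plus an assertion of the new one in the same transaction."""
        self._tx += 1
        self._log.extend(Datom(e, a, v, self._tx, added) for (added, e, a, v) in ops)
        return self._tx

    def db(self) -> Snapshot:
        return Snapshot(tuple(self._log))  # latest committed state

    def as_of(self, tx: int) -> Snapshot:
        """Snapshot as it stood right after transaction `tx`."""
        return Snapshot(tuple(d for d in self._log if d.tx <= tx))

    def history(self, e: Any, a: str) -> List[Tuple[int, bool, Any]]:
        """Complete audit trail of `a` on `e` as (tx, added, value)."""
        return [(d.tx, d.added, d.v) for d in self._log if d.e == e and d.a == a]


def demo() -> dict:
    """Constructed walk-through: an account balance changing over time."""
    store = DatomStore()
    t1 = store.transact([(True, "acct:1", "owner", "alice"),
                         (True, "acct:1", "balance", 100)])
    store.transact([(False, "acct:1", "balance", 100),  # retract old value
                    (True, "acct:1", "balance", 40)])   # assert new value
    past, now = store.as_of(t1), store.db()
    # A peer cut off from the transactor keeps working on a local log layered
    # over its cached snapshot; nothing reaches the shared store until synced.
    local = now.with_([(False, "acct:1", "balance", 40),
                       (True, "acct:1", "balance", 0)])
    return {
        "balance_as_of_t1": past.values("acct:1", "balance"),
        "balance_now": now.values("acct:1", "balance"),
        "balance_local": local.values("acct:1", "balance"),
        "balance_committed": store.db().values("acct:1", "balance"),
        "owners": now.query(("?e", "owner", "?who")),
        "history": store.history("acct:1", "balance"),
    }
```

Because every retraction is itself a datom, history() is a complete record of what changed and in which transaction, which is the property that makes an append-only store attractive from a security standpoint: the store cannot be quietly edited, only appended to. The trade-offs the thread raises follow from the same design: every write goes through one transactor, and retention is unbounded unless something outside the model prunes it.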

yvdriess 1 day ago 0 replies      
Datomic reminds me a lot of the tagged-token dataflow architectures of the day. Really cool.
vdm 1 day ago 2 replies      
Webdevs will be all over this when the Peer runs on Javascript runtimes. Who's taking bets that it's written in Clojurescript?
justindocanto 1 day ago 0 replies      
From a UX point of view, I didn't realize there was a menu until I scrolled down and your JS menu popped in on the top. Once that happened I scrolled back up to see where the menu initially was, because why would they do a pop-in menu if there wasn't one initially. Ah ha! I see it. My eyes completely looked over it. Yes, I realize it's giant but it's also about the same size as an ad banner (which my eyes typically just ignore). Also, the colors are quite bland and do not set any type of priority. Just some constructive criticism for ya. Good luck!
makepanic 1 day ago 0 replies      
Somehow the page is broken in Opera.
Disabling the content: " ."; in #main resolves the problem.
gtani 1 day ago 0 replies      
Very interesting. It occurs to me that clojure will be widely adopted without a killer app, but a few near killers (I thought incanter and a web app framework around ring and enlive would be the first).
twodayslate 1 day ago 0 replies      
Can someone explain what I can do with this thing? Can I use it to backup all my files and make a dropbox sorta thing? I don't understand.
jfarmer 1 day ago 1 reply      
Why is this interesting? It sounds like yet-another data store.
How I built a Hacker News mobile web app cheeaun.com
297 points by bearwithclaws  3 days ago   55 comments top 30
dmvaldman 3 days ago 1 reply      
Thank you for taking the time to share this so carefully. I think many people getting started in developing UI heavy applications fail to understand that it is all about solving many orthogonal problems, and to do each one carefully is what the job is all about.

People that lack this expectation replace it with the naive thought that there is a single library out there that can do it all for them, and they spend countless time finding it as opposed to breaking up a problem into smaller pieces and attacking each one.

You've consolidated many interesting techniques here, and it's a valuable resource not only in philosophy, but in general hackery.

Are you planning to flesh out the app more, say to allow users to login, comment, upvote?

cageface 3 days ago 2 replies      
This is impressive but it must be less work to just use Cocoa. Isn't the point of mobile web apps that they're cross platform?
xinsight 2 days ago 0 replies      
Great work and a fantastic writeup. One crucial interaction missing for the native scrollview feel is tapping the time in the status bar to quickly scroll back to the top. Does mobile safari expose that event?

Edit: it scrolls to top if you tap the navbar. The anim is a bit wonky, but it works.

nodemaker 3 days ago 3 replies      
On a shameless plug note, check out HackerNode. A free iPhone/iPad/iPod app for all iOS (4.0+) devices.


I pushed an update today which greys out visited links and fixes some bugs for the iPad interface. It should be approved in a day or two.

pg 2 days ago 0 replies      
the -> a
J3L2404 3 days ago 1 reply      
Does anyone have a reasonable explanation as to why HN does not have a mobile stylesheet?
Derbasti 2 days ago 0 replies      
Awesome! This is so far the most beautiful and readable HN App I have seen on the iPhone and iPad.

Except: There does not seem to be a way to post comments or to vote. Is there something I am overlooking?

dybber 2 days ago 1 reply      
Impressive, but I can't see why people strive for native look and feel. Take a look at the Readability web app, it really doesn't feel like a website at all (somehow they remove the Safari chrome on the iPad, anyone know how?). When you go for native theming, you will have to do it for each platform. It just feels weird to get an iOS menu on your Android.
bearwithclaws 3 days ago 0 replies      
Direct link to the web app: http://cheeaun.github.com/hnmobile/#/
rkudeshi 3 days ago 0 replies      
This is fantastic! Very well-designed and it is the best "fake" iPhone app I've used in terms of responsiveness.
guidefreitas 2 days ago 1 reply      
Hey, I built a Mac OS X menu tab app "wrapper" with @cheeaun code, check it out! http://guidefreitas.wordpress.com/2012/03/04/hacker-news-men...
BillPosters 2 days ago 0 replies      
Mobile web apps should work in more places than safari on the iPhone. Otherwise call it a "mobile safari app".

I tried the app in mobile Firefox, no luck. I tried it in mobile Opera, no go. Also, I don't understand why anyone would use Apple's native interface graphics on purpose for a web app. I get why in native dev it makes things easier to build than custom icons etc, but on the web, you are not on Apple's leash any more, be free!

KTamas 3 days ago 1 reply      
Looks awesome. That being said, it doesn't load at all under Android Gingerbread.
lovskogen 3 days ago 0 replies      
Nice work. On my iPhone 4 it doesn't seem to stop loading..
newman314 3 days ago 0 replies      
Tried it on a webOS phone. No dice =( Bummer.
gavingmiller 3 days ago 0 replies      
I've just finished using the tappable library the article references and found that it does work very well.
TazeTSchnitzel 3 days ago 0 replies      
I think he might have saved himself a lot of work if he just read the official Apple guides on developing web apps for Mobile Safari:
mmuro 3 days ago 0 replies      
I understand wanting to use CSS b/c I've had to do similar things for mobile web sites.

However, if he's just developing for iOS, why not create a new web app in Dashcode?

dybber 2 days ago 1 reply      
You should set the apple-mobile-web-app-capable meta tag:


tar 2 days ago 1 reply      
This is a bit unrelated but anyone know which font is used in the website logo?
ChrisSteel 2 days ago 0 replies      
If you add commenting this would be a complete replacement for desktop viewing of HN for me!
methoddk 2 days ago 0 replies      
I learned some new stuff about CSS! Motivated to create my own mobile web app now. Thanks for the in-depth explanations.
jmslau 3 days ago 0 replies      
Great stuff! Thank you for the detailed writeup as well!
joering2 3 days ago 1 reply      
since we are on the subject -- what are the features you're missing on HN the most?
brianjolney 3 days ago 0 replies      
The details are fantastic. Great work!
soulofpeace 3 days ago 0 replies      
Congrats! :D
sidcool 2 days ago 0 replies      
Thanks for sharing this.
ronkkk 3 days ago 0 replies      
so complicated
JVIDEL 2 days ago 0 replies      
This reminds me of the Spartan project and all the money FB is burning to get around APPL policies. I think in the medium and long term this overly restrictive appstore strategy and the limitations of mobile webapps are going to backfire, similarly to how Nintendo's 3rd party policies of the '80s backfired soon after the NES. Initially it made a ton of money, but then it lost the market to the likes of Sega, Sony and MSFT.
toyg 3 days ago 0 replies      
Am I reading it wrong, or is he admitting that he's ripped off the images for his application right from Apple? That's not exactly legal, in my book...
Sometimes the bug isn't in your code, it's in the CPU dragonflybsd.org
289 points by there  1 day ago   96 comments top 14
jaylevitt 1 day ago 5 replies      
As someone who found four compiler bugs in three weeks - in a five-nines fault-tolerant OS, yet! - and who found a PostgreSQL optimizer bug within weeks of learning SQL, I think the key to being "that guy" is playing five-whys with every single bug you encounter.

I work with some very talented developers who, when they try something and it doesn't work, try something else. I am fundamentally incapable of that. If it doesn't work, I MUST KNOW WHY. Even if that requires building a debug version of my entire stack, adding all sorts of traces, and wolf-fence debugging until I have a minimal fail case.

It's a real limitation; if I hit an undebuggable brick wall, I have no ability to attack the problem from a different angle. Luckily, there are few things that are fundamentally undebuggable.

16s 1 day ago 2 replies      
Please stop referring to him as "this guy", he's well known in the BSD and Linux worlds. He had commit access to FreeBSD before many things we take for granted today even existed. His name is Matt Dillon and he's one hell of a hardware/OS hacker. http://en.wikipedia.org/wiki/Matt_Dillon_%28computer_scienti...
jdfreefly 1 day ago  replies      
First off, I would say that is some pretty awesome work by this guy to chase this down. Including his work with the manufacturer to help them reliably recreate the issue.

Second, I would say that over the course of my 10 year career in managing developers, I've heard many, many times that the bug was in the kernel, or in the hardware, or in the complier, or in the other lower level thing the developer had no control over. This has been the correct diagnosis exactly once. If I had to guess, I would say about 5%.

gue5t 1 day ago 1 reply      
Here are some more details about this particular bug: http://leaf.dragonflybsd.org/mailarchive/commits/2011-12/msg...
etrain 1 day ago 4 replies      
My hat's off to this guy for the work he did, and indeed, finding a CPU bug is quite the accomplishment.

That said - what is it about the hardware manufacturers that makes them relatively immune to this sort of thing? Is it formal verification and rigid engineering process? Is it that they spend so much money developing these things that they better do them right, god dammit?

Sometimes I think that the whole industry would be much better off if everyone up the stack was held to these kinds of standards. If that were the case though, where would we be? We'd have rock solid systems, but how sophisticated would they be? Would UNIX exist? What about (a more bulletproof and less feature complete) Java?

bebop 1 day ago 1 reply      
Great job tracking down a hardware bug! That must be really exciting, and you get your name in the AMD errata I assume?

One of my comp sci professors found a bug in an Intel chip and got his name in the errata. I think that gives you +100 to nerd credibility :)

ot 1 day ago 0 replies      
Original thread with all the analysis performed before the bug was attributed to the CPU:


(Check out in particular the section "EFFORTS AT FINDING A KERNEL BUG THAT WASN'T A KERNEL BUG")

augustl 1 day ago 0 replies      
In order to reliably reproduce the bug, he wrote his own operating system. A small one, but still, an operating system. That's pretty badass..
bgrainger 1 day ago 2 replies      
If you're interested in the types of bugs that are present in modern CPUs, AMD makes their errata documentation publicly available. (As far as I know, Intel's errata are not public. Edit: See tedunangst's comment below for a correction.)

The errata documentation for AMD Family 10h Processors (Athlon, Opteron, Phenom, etc.) is here: http://support.amd.com/us/Processor_TechDocs/41322_10h_Rev_G...

The errata for AMD Family 12h Processors (A-Series APU, etc.): http://support.amd.com/us/Processor_TechDocs/44739_12h_Rev_G...

I found this out when an AMD engineer confirmed an AMD CPU bug for me: http://stackoverflow.com/questions/7004728/is-this-should-no...

sjwright 1 day ago 1 reply      
When a CPU bug is discovered, what options are available for remedying the situation?
throwawayderp 1 day ago 0 replies      
Nice catch.

It would be interesting if he has accidentally triggered a backdoor, such as mentioned in this post.


daenz 1 day ago 0 replies      
Amazing. I'm happy his sanity survived!
dhruvbird 1 day ago 0 replies      
wow! this is quite a rare thing...
comice 1 day ago 0 replies      
Next time my code isn't working as expected, I'm going to shout "cpu bug!" and cite this article.
A single tweet page is 2.0 MB teczno.com
285 points by skimbrel  2 days ago   109 comments top 22
ahoyhere 1 day ago 1 reply      
In Q1 2007, my husband and I were invited to Twitter HQ for a meeting -- I was pitching a visualization project, my husband (renowned JS developer Thomas Fuchs) was proposing that we fix their horrible front-end performance issues (both page load & laggy JS code). We met with ev, some of the team, and the new CTO at the time. They nodded and agreed it was important. It would only take about 2 days of consulting. They later said "We can't get it together to hire you." Not due to the money (only a few grand, really), but about what you might call "political will."

Their front-end performance situation has sadly never gotten better… and has definitely gotten worse.

We started to build the visualization project anyway, and it got us a little bit of fame and a lot of consulting work: http://twistori.com

And just under a year later, we published a book on front-end performance: http://jsrocks.com

But I still wish we could have fixed their damn front end. Every time somebody tweets a link to a tweet and it opens up as a web page on my iPhone and I have to watch a blank screen for 10 freaking seconds before the tweet actually shows up, I die a little inside.

This story amuses & horrifies people who believe that startups are more flexible, responsive, & sane than big companies. At this time, Twitter the company was definitely smaller than 30 people… around 15 if memory serves, but I'm not sure. It was definitely small, either way. Meanwhile Twitter the site was growing in popularity by leaps & bounds every second. I'm sure the bandwidth saved alone would have paid back our consulting fees in a matter of a few weeks, or less.

poutine 2 days ago  replies      
His rant doesn't seem too informed: "aggressive anti-performance and apparent contempt for the web by Twitter's designers"

According to his charts most of Twitter's page is JS/CSS and presumably set to heavily cache. Very little is data. Once you've done the first page load Twitter's pages will load quite fast and efficiently. While quite a lot of JS, this is good design, not bad.

mfringel 1 day ago 2 replies      
Several people in this thread state "It's cached, so why does it matter?"

So, even ignoring the issue with cold caches, how about the two megabytes of code that the browser may need to go through to render the page?

What on earth is twitter doing on a given page that needs two megabytes of code?*

* As of March 2012, for I'm sure this will look silly when there are 2 gigabyte pages, 20 years from now.

untog 2 days ago 3 replies      
File this under "annoying to developers and no-one else".

Twitter obviously caches 99% of this stuff. I absolutely agree that 2.2MB on one page seems absolutely insane, but that doesn't match up with the experience every time you load the page. And I imagine it's pre-caching code that runs on other pages as well, so you most likely only ever take that download hit once.

Yes, they should bring that amount down. No, it probably isn't going to be a priority.

johncoltrane 1 day ago 1 reply      
All of the comments here could be shortened to "It's cached so it doesn't matter" as if the main problem was "2 MB is too large hence loading is too slow".

But the problem here (according to the author and I tend to agree with him) is that one needs to load too much junk for too little actual content; whether the junk in question is cached or not.

Now, ideally, a tweet's 140 characters shouldn't weigh 2 MB, but Twitter users need tools to act upon those tweets: re-tweet, follow a link, etc., and those tools come with a cost.

A relatively high cost but one we can afford, with the help of caching.

rowanseymour 1 day ago 2 replies      
I live in Rwanda and, like a sizeable portion of Twitter's userbase, have very slow internet. When Twitter switched to their new design it got a lot harder to open their site... I kept using the old version until they removed it. I don't understand why: it's not pulling down a lot of data, it's not even making that many requests (~50), but this site and other AJAX-rich sites just don't seem to work as well as the old, less AJAX-y versions on a really slow internet connection with a bit of packet loss.
noonespecial 2 days ago 0 replies      
The first tweet is 2 MB. How much is the second?
keeperofdakeys 1 day ago 0 replies      
It takes 3-5 seconds for my rather powerful laptop to 'build' a twitter page after it has loaded (since it is doing AJAX etc), and this is warm. This is also on a rather fast internet connection, in the latest firefox and chrome. Compare this to Facebook - which has enough javascript to make it slow on my netbook - it loads almost instantaneously under the same circumstances, even when performing AJAX requests.
tzury 1 day ago 0 replies      
Well, I measured that with Chrome and it wasn't 2 MB but rather ~450 KB.

Talking about 140 chars is irrelevant; a tweet is a 140 (Unicode) character handler for a (mini social) graph, and this is how we should look at it.

In that particular page he's talking about [1] there is info for 10 profiles (status owner + 9 retweeters) embedded within the page, so when you click on a profile thumbnail you get the profile modal with some basic info and a "Follow" button etc.

381 KB out of those 450 belong to his own background image [2].

In other words, twitter does a very good job at making their service fast and speedy.

1. https://twitter.com/#!/bos31337/status/172156922491969536

2. https://twimg0-a.akamaihd.net/profile_background_images/9706...

tripzilch 1 day ago 0 replies      
Try http://m.twitter.com , it's the dressed-down mobile version of Twitter.

It doesn't have all the features, but easily makes up for that by the fact that you can actually click around as much as you like without your browser getting all slumpy from loading huge pages or doing javascript.

You'd expect caching to help, but there's a lot of truth in the jQuery tax article[1]: even if you got the code cached, executing it all takes a significant amount of time, and the sluggishness is made worse by the fact that during this time your CPU is busy, unlike with data transfers which at most cost some memory.

I don't use the m.twitter.com site all the time, but I switch often enough whenever I get too annoyed by default Twitter's slowness.

The only real downside (for me) is that you can't click through to a full resolution version of a profile picture. Otherwise all the basic features are in there.

[1] http://samsaffron.com/archive/2012/02/17/stop-paying-your-jq...

hpaavola 1 day ago 1 reply      
One tweet is 2 MB? More like 670 KB for first load and 18 KB cached. http://imgur.com/QFIjU
zacman85 2 days ago 1 reply      
Does anyone know how to get those graphs to show up in the current version of WebKit? They seem to have disappeared or are hidden.
swang 1 day ago 0 replies      
Can anyone tell which page he loaded specifically? I just loaded the latest status update on my timeline in incognito mode and all it downloaded was ~578kb+ of data.
rajpaul 1 day ago 0 replies      
I tried to use the twitter mobile site. I'll never do it again because it takes too long to load.

This is why people use the twitter app instead of the site.

tpurves 2 days ago 0 replies      
How does this work, is he reporting compressed or uncompressed sizes of data? text/css/js compresses really well for transmission, images do not.

User-defined image backgrounds can also be up to 800k-ish for twitter too right?
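The compressed-versus-uncompressed question above is easy to answer empirically. The following is an added example, not code from the article or from Twitter: it gzips a constructed, repetitive JavaScript-like blob and a constructed pseudo-random byte string (standing in for an already-compressed image such as a JPEG) and compares what the browser would actually receive with `Content-Encoding: gzip` against the raw size. Resource names and sizes are assumptions for illustration.

```python
import gzip
import random

# Constructed sample resources (not Twitter's real assets).
# A script chunk repeated many times: text compresses extremely well.
_JS_CHUNK = (
    "function render(tweet){var el=document.createElement('div');"
    "el.className='tweet';el.textContent=tweet.text;return el;}\n"
)
SAMPLE_JS = (_JS_CHUNK * 2000).encode("utf-8")  # roughly 250 KB of "JavaScript"

# Pseudo-random bytes with a fixed seed stand in for a JPEG/PNG payload,
# which is already entropy-coded and therefore nearly incompressible.
_rng = random.Random(1234)
SAMPLE_IMAGE = bytes(_rng.getrandbits(8) for _ in range(200_000))


def wire_size(payload: bytes, level: int = 6) -> int:
    """Bytes actually transferred when the server gzips the response body."""
    return len(gzip.compress(payload, compresslevel=level))


def compression_ratio(payload: bytes) -> float:
    """wire size / raw size; 1.0 (or above) means gzip bought nothing."""
    return wire_size(payload) / len(payload)


def page_weight(resources: dict) -> dict:
    """Sum raw and on-the-wire bytes for a page's resources.

    Each value is (payload, compressible): compressible resources (HTML, CSS,
    JS) are counted gzipped, images are counted at their raw size because
    gzipping them saves nothing.
    """
    raw = sum(len(payload) for payload, _ in resources.values())
    wire = sum(
        wire_size(payload) if compressible else len(payload)
        for payload, compressible in resources.values()
    )
    return {"raw": raw, "wire": wire}


if __name__ == "__main__":
    page = {"app.js": (SAMPLE_JS, True), "background.jpg": (SAMPLE_IMAGE, False)}
    print(f"js ratio    {compression_ratio(SAMPLE_JS):.3f}")
    print(f"image ratio {compression_ratio(SAMPLE_IMAGE):.3f}")
    print(page_weight(page))
```

Whether a tool reports raw or transferred sizes therefore changes the picture a lot for text-heavy pages, and hardly at all for pages dominated by images.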

OneBytePerGreen 1 day ago 0 replies      
Funny: Every user comment on reddit has about 3.4 KB of HTML overhead (<div>, in-line javascript, etc), including multiple <!--IE6sux--> comments.

It really adds up for a large thread.

AdamTReineke 2 days ago 1 reply      
Maybe so, but how much of that 1.65MB of Javascript is cached by the browser?
webwanderings 2 days ago 1 reply      
No wonder it takes long for Twitter pages to load. Such things show up only when you're on slower speeds.
mrcalzone 1 day ago 0 replies      
This might be one of the best reasons to have native (mobile) clients. As a web-developer I like the model of writing one web-application to fit all clients, and being able to link to pages etc. But on a slow connection it certainly makes sense not to have to download the GUI before viewing the content. As the author points out, the content from the API is just some hundred bytes.
neilmiddleton 2 days ago 0 replies      
Ah, but how big is the (downloaded) size of the next page on each of those sites?
funkah 2 days ago 0 replies      
shimon_e 1 day ago 4 replies      
The web will be a better place once everyone has 100mbps and servers have 10gbps. Sites like the verge can load in one second without caching.
Google's Web Search Quality. A picture is worth a 1000 words jakenbake.com
272 points by staunch  3 days ago   94 comments top 28
aresant 3 days ago 6 replies      
The article shows BING & GOOG'S search results for "the film where no new babies are born"

BING returns gibberish results, GOOG returns an IMDB link to "Children of Men", the perfect answer.

But one search out of billions is easy to gimmick; what are the results with a slightly different search string:

"the movie where no babies can be born anymore"

Bing's search is more accurate in the above example.

Not "knock it out of the park" accurate, but GOOG returns the completely wrong answer.

How many of these could you find if you had the time in your day?

That said, as a guy with a bunch of MSFT stock, I can't remember the last time I used BING.

ajays 3 days ago 6 replies      
One of my pain points with Google is that the page is now bloated beyond belief. At one time, I'd hit the "home" button (G was my home page), the page would pop up instantly and I'd start typing my search.

Now, with "instant search", "google plus" and all that bloat, the page pops up, but when I start typing, nothing happens (as it's still loading the gobs of JavaScript); and then it'll miss the first few characters and then start pulling in random search results based on the last few characters I typed, while trying to load previews of pages. In all this confusion, the time taken for me to enter a search term and get results has gone from, say, 3-4 seconds earlier, to 7-10 seconds now. I know it doesn't sound much, but this is a company where Marissa used to count the individual characters of the homepage. Now that she's not in charge, the page has ballooned like Kirstie Alley.

hackinthebochs 3 days ago 4 replies      
Google has many cute gimmicks built in, no doubt. But honestly I've been frustrated at Google's results as of late. Google simply has been SEO'd to death. Plus, uncommon phrases are completely swamped by more common similar ones. Search is just waiting to be blown wide open again, at least in some specific cases.
leh 3 days ago 4 replies      
I just tried this with a different movie in mind. The results are pretty interesting, but see for yourself:

If you get the same results as I do, you should find the correct answer as DuckDuck's first answer and Bing's 4th one. Google's first page of search results has no reference to the correct answer (though in the picture search the first picture is from the movie).

I use google day in day out. Maybe I should overcome that habit :-)

zalew 3 days ago 0 replies      
About a year ago this came up:

The keywords in the description were added after this search got popular!

tambourine_man 3 days ago 1 reply      
The problem is when the cleverness doesn't work. Then it's clippy time.

I desperately want a “don't be smart” button. Searching for code is pointless, even with quotes and verbatim.

Tobu 3 days ago 1 reply      
[the film where no new babies are born] → [no babies movie]. The rest of the query is superfluous or implied.

http://google.com/#q=no%20babies%20movie finds it.

"no babies" does not appear on the IMDb page itself, but I expect it appears near many links to the IMDb page.

Edit: rewriting queries is a necessary step to do question-answering with a search engine. Query rewriting + some sort of knowledge graph is a large part of the Watson recipe; the graph is comparatively sparse but simplified queries can be entry points into that graph.

lrobb 3 days ago 0 replies      
I'd be interested in how those results were obtained, because when I search google with that exact same query, the results look pretty much like bing's results.
wavephorm 3 days ago 1 reply      
Microsoft's entire business is based around the idea that inferior products don't matter as long as you have the monopoly position, backed by business and sales channels that enable them to shove half-baked products and poor support down customers throats.

Microsoft is long past the point where they will continue to get away with shipping turds. I think they've lost the entire mobile computing market forever. It doesn't matter how much they polish Windows 8 because consumers and business alike are finally starting to see the light from the permanent hangover that Microsoft has cast upon the entire IT industry since the mid-1990's.

mathattack 3 days ago 1 reply      
Looks like Google finds ways to keep getting better. It's an arms race... Google wants to be so much better than everyone else that people won't mind ads thrown in. That's ambitious. They also have to stay ahead of SEOs who compete with their ads.
kenjackson 3 days ago 1 reply      
This says nothing about search quality. No single query can. The fact that I've completely stopped using Google search for about 3 months now and don't miss it at all is probably more telling. Five years ago that wouldn't have been possible, but today Bing is as good (sometimes worse, sometimes better).
drivebyacct2 3 days ago 0 replies      
This thread is quickly filling up with anecdotes and such which is fine, but I thought I'd throw out a tip. Do not be afraid to play with the date range for limiting or further specifying your search. I probably use it 2-3 times a week, it's very nice.
alinspired 3 days ago 0 replies      
great example!
another improvement from google - recognize search queries typed in wrong keyboard layout, ie:
tazzy531 3 days ago 0 replies      
This thread is filled with great anecdotes. If you do encounter something where Google is not returning the best result for your query, fill out the Search Quality Feedback form: http://www.google.com/quality_form

This will help the team improve the search engine.

ivan_ah 3 days ago 0 replies      
Counter example query that returns the same first hit:
"movie where they use math to find patterns in the torah"
Kurtz79 3 days ago 0 replies      
Similar queries give incredibly accurate results ("movie with Brad Pitt and Edward Norton", "movie where james stewart is afraid of heights"), but it seems to work just with movies...

I got spottier results trying with music- and game-related queries. Google probably picks up the words "movie" or "film", and then searches the rest of the query, restricting the first few results to movie-related websites.

Still, it's clearly not a "Number of French military victories" kind of gimmick, search is definitely going in that direction in the following years.

anonymoushn 3 days ago 3 replies      
If you search for chrome, Google thinks you probably want to do the following things more than you want to download Chrome from Google: buy a Chromebook, use the Google Chrome Beta, buy a Google Chrome messenger bag, read about Google Chrome on Wikipedia, download Google Chrome from download.com, download ad block for Chrome, read news about Chrome, download Angry Birds for Chrome

If you search Bing for chrome, the first result will allow you to download Chrome from Google. :)

yabai 2 days ago 0 replies      
This post illustrates the reason I can't seem to shake my Google addiction.
sofifonfek 3 days ago 0 replies      
Google web search's secret: it's not searching what you tell it to search.

- suggest spelling corrections and alternative spellings
- personalize your search by using information such as sites you've visited before
- include synonyms of your search terms to find related results
- find results that match similar terms to those in your query
- search for words with the same stem, like "running" when you search for [ run ]
Also https://en.wikipedia.org/wiki/Google_bomb
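The list above describes query rewriting in the abstract. As an added example (not Google's code, and not part of the original comment), here is a toy pipeline over a constructed three-document "index" that applies the same kinds of steps: stopword removal, spelling correction against the index vocabulary (using `difflib.get_close_matches` from the standard library), synonym substitution, and crude suffix stemming, then ranks documents by term overlap. The documents, synonym table and stopword list are assumptions chosen for illustration; a real engine's versions of each step are far larger and learned from data.

```python
import re
from difflib import get_close_matches

# Constructed toy corpus standing in for a web index (not real search data).
DOCS = {
    "children-of-men": "movie where humanity has become infertile and no babies are born for eighteen years",
    "the-boss-baby": "animated movie about a baby who wears a suit and runs a business",
    "the-running-man": "movie about a man running in a deadly game show",
}

# Function words that carry little ranking signal; note that "no" is kept
# because negation changes the meaning of a query.
STOPWORDS = {"the", "a", "an", "and", "are", "is", "of", "in", "for", "about",
             "who", "has", "can", "be", "with", "where", "anymore"}

# Synonym rewriting: map query words onto the vocabulary the index actually uses.
SYNONYMS = {"film": "movie", "flick": "movie"}


def tokenize(text):
    """Lowercase alphabetic tokens with stopwords removed."""
    return [w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOPWORDS]


def stem(word):
    """Crude suffix stripping: 'babies' -> 'baby', 'running' -> 'run', 'years' -> 'year'."""
    if word.endswith("ies") and len(word) > 4:
        return word[:-3] + "y"
    if word.endswith("ing") and len(word) > 5:
        word = word[:-3]
        if len(word) > 2 and word[-1] == word[-2]:  # runn -> run
            word = word[:-1]
        return word
    if word.endswith("s") and not word.endswith("ss") and len(word) > 3:
        return word[:-1]
    return word


# Each document becomes a set of stemmed terms; their union plus the synonym
# keys is the vocabulary used for spelling correction.
INDEX = {doc_id: {stem(w) for w in tokenize(text)} for doc_id, text in DOCS.items()}
VOCAB = sorted(set().union(*INDEX.values()) | set(SYNONYMS))


def correct_spelling(word):
    """Replace an unknown word with the closest vocabulary word, if one is close enough."""
    if word in VOCAB:
        return word
    match = get_close_matches(word, VOCAB, n=1, cutoff=0.75)
    return match[0] if match else word


def rewrite_query(query):
    """Apply the rewriting steps in order: stopwords, spelling, synonyms, stemming."""
    terms = set()
    for w in tokenize(query):
        w = correct_spelling(w)
        w = SYNONYMS.get(w, w)
        terms.add(stem(w))
    return terms


def search(query):
    """Rank documents by how many rewritten query terms they contain (ties by id)."""
    terms = rewrite_query(query)
    scored = [(doc_id, len(terms & doc_terms)) for doc_id, doc_terms in INDEX.items()]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: (-s[1], s[0]))


if __name__ == "__main__":
    q = "the moive where no new babies are born"
    print(sorted(rewrite_query(q)))
    print(search(q))
```

Rewriting is what lets a misspelled, wordy query still land on the right document, and also why "verbatim" results can look so different: each step here silently replaces what the user typed.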

why-el 3 days ago 0 replies      
No one is interested in why Bing is suggesting the word "baby" instead of "babies"? I submitted the same query and it does not suggest that anymore.
gghootch 3 days ago 0 replies      
Adding some very popular words to a query really messes up the results of all three.

I tried combinations of the movie with (four) guys in white clothing/suits. It wasn't until I searched for 'the movie with guys dressed in white' that any relevant results were returned.
Arguably it's Google > Duck > Bing

threepipeproblm 3 days ago 0 replies      
The success with negation-based queries displayed in the example is thoroughly explained in The Structured Search Engine -- http://www.youtube.com/watch?v=5lCSDOuqv1A

TL;DR - Google has added phrase chunking, weights positive/negative words in phrases, and allows negative phrases to modify the search impact of the affected phrases.

sofifonfek 3 days ago 0 replies      
Paradoxically this is also the reason why the biggest advertiser's search engine sucks more and more. This fuzzy search where he looks for all kind of synonyms instead of what he's asked means it often returns no useful results and misses the target by a solar system or two.

Looking for a film on the web = imdb
no babies are born = no procreation

So let's search for "imdb no procreation": http://lmgtfy.com/?q=imdb+no+procreation and http://www.bing.com/search?q=imdb+no+procreation

Now let's turn off this fuzzy synonymous search, go on the results page for "the film where no more babies are born", click on "more search tools" in the sidebar and click "verbatim".
Not only do the actual results not show up anymore, but we now see this very story referenced several times, further skewing the results towards confirmation bias: https://en.wikipedia.org/wiki/Google_bomb

I switched from MetaCrawler to Google for my web searching in 1998. I can testify that it has been getting worse and worse at providing relevant results for a while now, and at the same time it gets better at tracking users and raising privacy concerns, censoring results, adding clutter, spam and ads, and silently removing useful features.
I switched to DuckDuckGo in 2010 and rarely go back to Google anymore.

user2634 3 days ago 2 replies      
There is no point in linking to Google search results because they are personalized. Everyone sees different pages.
stretchwithme 3 days ago 0 replies      
you mean baby born with two heads isn't it?
scriptproof 3 days ago 1 reply      
Very bad example, because Google tends to favor large and authoritative websites. Try a query where the answer is on a small (but very well informed) site.
rplst8 3 days ago 0 replies      
Whatev. So one search result (or even 100) is better on Google. Bing could be better at other things. The problem is no one uses Bing, so it's hard to know.
       cached 7 March 2012 16:11:01 GMT