Hacker News with inline top comments - 16 Sep 2013 - Best
World aem1k.com
762 points by bpierre  18 hours ago   81 comments top 30
nikcub 16 hours ago 10 replies      
It's spinning in the wrong direction!
scarmig 13 hours ago 1 reply      

What I'd love to see is a step by step description of how this was constructed. If I have an end goal in mind, it's simple enough to hammer some characters into something a machine can use to do that end goal while still being readable by a human. But this? It floors me, and I can't even imagine where to start. I can understand the code with a bit of thought, but getting from an empty text editor to that seems beyond me.

zwegner 16 hours ago 1 reply      
Reminds me of the old 1992 winner of the IOCCC by Brian Westley (who consistently entered some of the most impressive programs in that contest). It doesn't spin, but it prints a map of the provided lat/long.


  /* K&R C: compile with cc -std=gnu89 -w; run as ./a.out LAT LON */
               main(l
             ,a,n,d)char**a;{
           for(d=atoi(a[1])/10*80-
       atoi(a[2])/5-596;n="@NKA\
     CLCCGZAAQBEAADAFaISADJABBA^\
   SNLGAQABDAXIMBAACTBATAHDBAN\
   ZcEMMCCCCAAhEIJFAEAAABAfHJE\
   TBdFLDAANEfDNBPHdBcBBBEA_AL\
     H E L L O,    W O R L D! "
       [l++-3];)for(;n-->64;)
           putchar(!d+++33^
                 l&1);}

mistercow 14 hours ago 0 replies      
That was a wonderful experience of multiple moments of realization. "Oh, it's an ascii globe; it looks like it just scrolls a map through the circle. No wait, it's warping as it shifts across. Wait, is it using asterisks for antialiasing? What is all of this stuff around the outsi- ... oh. Oh."
mathrawka 17 hours ago 2 replies      
Inspired by "The Qlobe", written in Ruby http://mamememo.blogspot.de/2010/09/qlobe.html
parasj 16 hours ago 2 replies      
Here this is, formatted so it is more readable.

  p = "<" + "pre>";
  for (y in n = "zw24l6k\
  4e3t4jn`t4qj24xh2 x42kty24wrt413n243n\
  9h243pdxt41csb yz43iyb6k43pk7243nm\
  r24".split(4)) {
    for (a in t = parseInt(n[y], 36) + (e = x = r = []))
      for (r = !r, i = 0; t[a] > i; i += .05)
        with(Math) x -= .05, 0 > cos(o = new Date / 1e3 + x / PI) && (e[~~(32 * sin(o) * sin(.5 + y / 7)) + 60] = -~r);
    for (x = 0; 122 > x;)
      p += "   *#" [e[x++] + e[x++]] || (S = ("eval" + "(z=\'" + z.split(B = "\\\\").join(B + B).split(Q = "\'").join(B + Q) + Q + ")//m1k")[x / 2 + 61 * y - 1]).fontcolor(/\\w/.test(S) && "#03B");
    document.body.innerHTML = p += B + "\\n"
  }
  setTimeout(z)
* Edited for formatting

josephagoss 10 hours ago 1 reply      
Can someone explain this really simply for me?

I understand that the whole thing is actual source and its manipulating the center commented area. But I am having trouble following the code.

sylvinus 17 hours ago 1 reply      
Saw the talk by Martin at JSConf.eu today explaining how he did it. Just brilliant! http://2013.jsconf.eu/speakers/martin-kleppe-1024-seconds-of...
nine_k 14 hours ago 0 replies      
I see Perl's fashion of poetic source code is being replaced by JS's fashion of animated source code! 8-)
RBerenguel 17 hours ago 0 replies      
My jaw literally dropped, I had to check the source to make sure this was just it... Really impressive. I love these kind of works of art
morgante 12 hours ago 0 replies      
My first thought was that's kinda cool.

Then I viewed the source. Amazing.

kunai 16 hours ago 0 replies      
If you look closely you'll see that there's a parallax effect, where the lines near the equator move faster than the lines at the top, giving it a sense of depth and motion that you wouldn't expect from any ASCII art animation.

This was brilliant, just absolutely fantastic.

scrrr 5 hours ago 0 replies      
There's a bunch of these globe animations already. But always nice. ;)
cstigler 14 hours ago 0 replies      
A heavily refactored version of this code, for those curious how it works:


(note that it will not work like the original and make a pretty globe, because it's dependent on the exact character positioning)

sparist 11 hours ago 0 replies      
This is the first animated quine I've ever seen. It may be a first.

More on quines: http://en.wikipedia.org/wiki/Quine_(computing)

electic 16 hours ago 0 replies      
Kudos, this is amazing.
billforsternz 13 hours ago 0 replies      
Amazing stuff. One quibble; There's a XXXXX in the middle of the South Pacific, midway between Australia and Chile. Whatever it is supposed to be, it's way too big.
pdenya 11 hours ago 1 reply      
That's adorable but I wouldn't have bothered clicking if I had known what it was from the title.
sidcool 7 hours ago 0 replies      
Making the code look like the output!! Super cool.
icpmacdo 16 hours ago 1 reply      
Inspecting the elements in chrome wont let me open the any of the code. Once you get past the body tags the <pre> tags just keep on flashing.
patrikr 10 hours ago 0 replies      
Wow, it even works in Opera Mini!
cburgmer 5 hours ago 0 replies      
aemkei delivered an awesome presentation yesterday at JSConf EU.

This was his final slide.

Techasura 6 hours ago 1 reply      
Can someone explain this?
cyberscrawler 7 hours ago 0 replies      
You chopped off the Indian subcontinent
frozenport 12 hours ago 0 replies      
Is the UK on the map?
salimane 9 hours ago 0 replies      
it's not an accurate map, showing north america as the same size as Africa :)
diericx 13 hours ago 1 reply      
Someone should make a version that spins in real time :O
kul_ 11 hours ago 0 replies      
it hypnotized me to upvote!
The Feynman Lectures on Physics, Volume I caltech.edu
745 points by trevyn  3 days ago   110 comments top 34
trevyn 3 days ago 3 replies      
Original email from this morning to give some color:

Dear Feynman Lectures Forum Members,

Have you ever wished there was a high-quality up-to-date version of The Feynman Lectures on Physics available online? One that could be read with a browser so you could study FLP on your smartphone, tablet, notebook or desktop computer, whenever you felt like it? For free? Well, now there is, and you are among the first to hear about it!

A few words about the free HTML edition of FLP (New Millennium Edition)

It was an idea conceived many years ago, when through FL website correspondence I became aware of the many eager young minds who could benefit from reading FLP, who want to read it, but for economic or other reasons have no access to it, while at the same time I was becoming aware of the growing popularity of horrid scanned copies of old editions of FLP circulating on file-sharing and torrent websites. A free high-quality online edition was my proposed solution to both problems. All concerned agreed on the potential pedagogical benefits, but also had to be convinced that book sales would not be harmed. The conversion from LaTeX to HTML was expensive: we raised considerable funds, but ran out before finishing Volumes II and III, so we are only posting Volume I initially. (I am working on finishing Volumes II and III myself, as time permits, and will start posting chapters in the not-too-distant future, if all goes as planned.)

When you read our HTML edition you will notice a floating menu in the top right corner with Twitter, Facebook, and email buttons (to tell your friends about it!), navigation buttons ('last chapter,' 'table of contents', and 'next chapter'), a "contact us" button (that sends email to me), and a "Buy" button that links to a page of advertising for our books and ebooks, with links to retailers' web pages. To support our effort in producing and maintaining the HTML edition, and to help us keep it free, I would appreciate it very much if you would take some time to explore the retailer's pages through the links on our "Buy" page.

Enough said!

You can access the free HTML edition of FLP either by going to the home page of www.feynmanlectures.info and clicking on "Read," or you can go directly to it at either of two servers:


(So what's the difference between the servers? I maintain the site at feynmanlectures.info, so changes are reflected there immediately. On the other hand, feynmanlectures.caltech.edu is generally faster and more responsive. The entire edition is mirrored from feynmanlectures.info to feynmanlectures.caltech.edu every day, so the latter is current within 24 hours.)

- hope you enjoy the new edition! If you like it, please tell your friends.

Best regards,

Mike Gottlieb
Editor, The Feynman Lectures on Physics, New Millennium Edition

P.S. If you've received this email more than once, I apologize. We're having some problems with our mail servers this morning!

mhartl 2 days ago 11 replies      
I was the project lead on this, which involved converting the Feynman Lectures from LaTeX to HTML. I'd be happy to answer any questions.

Update: Most of the questions center on cost. I've answered in more detail below, but the short version is simple: no off-the-shelf converter was remotely sufficient for our needs, so we had to write lots of custom software, and writing custom software is hard.

doctorwho 3 days ago 4 replies      

Microsoft Research announced on Wednesday that Mr. Gates, who purchased the rights to the videos privately from the Feynman estate, BBC and from Cornell University, in cooperation with Curtis Wong, a Microsoft researcher, has created a Web site that is intended to enhance the videos by annotating them with related digital content.

Project Tuva http://research.microsoft.com/apps/tools/tuva/index.html

Jun8 2 days ago 1 reply      
You can read the first answer to this Physics SO question (http://physics.stackexchange.com/questions/29355/reading-the...) to see how these lectures fare in light of later findings.
dylanz 2 days ago 2 replies      
I'm in the middle of reading "Surely you're joking, Mr. Feynman!", and so far, it is a FANTASTIC read. He has so many interesting stories about fiddling with stuff as a kid, working on the Manhattan Project, picking locks, interactions with Oppenheimer, Einstein, etc.

Even if you aren't at all interested in physics, math, or anything science related, I would still recommend this book.

That said, I now have a lot more reading to do. I know almost nothing about physics, and this collection looks like the perfect introduction. I'm going to read it in Mr. Feynman's voice, and try to have the same curiosity as he did as a kid. Very excited to see this post.

nilkn 2 days ago 1 reply      
By far my favorite piece of writing from Feynman is QED:


Out of all his writings, this is the one that has always stuck with me.

Feynman long held that one does not understand something if one cannot explain it to someone who is not deeply steeped in the subject already. I regard this lecture as probably the culmination of that philosophy for Feynman. Anybody with a deep mathematical background will be stunned on reading this book to realize that, oh, he was actually just talking about complex numbers and the path integral formulation all along.

Taken from one of those reviews, I don't need to say much more than this: "He does close to the impossible by explaining the rudimentary ideas of Quantum Electro Dynamics (QED) in a manner that is reasonably accessible to those with some physics background"

loudmax 3 days ago 1 reply      
There are Feynman videos online as well, but unfortunately, they require Silverlight. Reading the headline, I was hoping that they'd finally made them available in an open format.
ivan_ah 3 days ago 0 replies      
This is awesome!

You can read the Feynman lectures either as a first-year UGRAD, a last-year UGRAD, or even as a graduate student and you will always find lots of things to learn.

The thing that I appreciate the most about Feynman's teaching is he shows you how to derive things from first principles. That is what learning should be like---just stating results is not enough: the teacher's job is to show (intuitively or formally) how the result is derived from other things the student knows.

mbucc 3 days ago 3 replies      
I found it interesting how radically different his teaching premise is from the current U.S. public school approach. From the preface:

I thought to address them to the most intelligent in the class and to make sure, if possible, that even the most intelligent student was unable to completely encompass everything that was in the lectures.

plg 2 days ago 1 reply      
ChuckMcM 2 days ago 0 replies      
So freakin' awesome. These lectures are on my list of 'must have' volumes in any personal library. Generally very easy to read, I found them invaluable when I was going through the physics curriculum at USC.
thufry 2 days ago 0 replies      
I shoplifted the 3-volume hardcover set of Feynman Lectures from the Borders bookstore in Cambridge in 2003. I would be happy to make partial amends for this by donating the full retail cost to any efforts to digitize volumes 2 and 3.
pge 3 days ago 0 replies      
I first read these as an undergraduate physics major. They are fascinating if you already understand the physics, because his approach is always unconventional and a little brain-bending. For an introductory text for those not familiar with the physics, they are often very confusing. I would not recommend them to someone trying to learn physics. Go learn physics elsewhere, but then absolutely come back to Feynman and look at the things you have already learned in a very different light.
solarmist 2 days ago 0 replies      
Audible has the audio of the lectures available (not for free) in good quality as well.


educating 1 day ago 0 replies      
I hope this is continued. I would have loved to have been a student in Feynman's physics classes. Unfortunately, I did not realize this until I had already taken a different path and now my mind has gone enough that it is probably good that I didn't try to attain even 1/10 of what Richard knew because I would have lost it all.
Zarathust 3 days ago 0 replies      
I just quickly browsed through the lectures and this seems very consistent with Feynman style where there is a lot of text and very little math. From his book "surely you must be joking Mr. Feynman", he mentioned that fundamental understanding is largely lacking in modern education. Instead, students go on and on about memorizing complex formulas that made no sense to them.

Maybe we're not all smart enough for this, but it does make sense that if we understand the problem well, then the calculation for it will be obvious.

megaframe 2 days ago 0 replies      
I tried watching his lectures as an undergrad and found them a bit confusing. I can follow them now but still find them to be all over the place. I always learn better from reading so hopefully these will work out better.
jackfoxy 2 days ago 0 replies      
I think Vol. 1 is really masterful. I read somewhere Feynman was most pleased with Vol. 1, and less so with Vol. 2. The material in the second volume is certainly more difficult, and I did not quite finish it myself. I've been busy with other things, and the relatively thin Vol. 3 still sits on the shelf.
fedvasu 2 days ago 0 replies      
I wish Prof Landau had given some lectures (at least audio, in English?). I think it is logical for the "eternal physics enthusiast(student)" to move from FLP to Landau & Lifschitz's books.
3327 3 days ago 1 reply      
Gates is the man seriously for doing this. Feynman is such a great person I am so sad I missed seeing and learning from him. And Carl Sagan of course.
zokier 3 days ago 1 reply      
Is the material going to be available in some format suitable for Kindle? Or do I need to convert the HTML myself?
bliker 2 days ago 0 replies      
If I make it into .mobi or .epub. Can I publish it? (with proper licence of course)
rexreed 3 days ago 2 replies      
Are the audio files available as well? I know there's the Silverlight version, but looking for audio I can play while I drive.
ekm2 2 days ago 0 replies      
Thank you!

I have been trying to get this book online, but apparently only Microsoft's Project Tuva had a right to them. So one had to watch them on a Windows platform requiring software that can't seem to run on my machine.

Jugurtha 2 days ago 0 replies      
The courses are absolutely great! There is also an audio version of these lectures, you could hear his students laugh when he'd give one of those witty Feynmanian remarks.
mrbrowning 2 days ago 0 replies      
Thanks, this is wonderful. The foreword mentions a set of exercises that are only loosely coupled with the lectures themselves -- are these freely available anywhere?
picardo 2 days ago 0 replies      
Is there a similar project to make Feynman Lecture on Computation easily available? I've been trying to find a decent digital copy for the longest time.
shire 2 days ago 0 replies      
I love Feynman this is much appreciated. I wish there were HD videos of him lecturing.
FlailFast 2 days ago 0 replies      
Was anyone else really happy to see the images seem to be predominantly SVGs? Open-standards-based vector graphics make me super happy.
pvarangot 2 days ago 1 reply      
Except they maybe... will learn some physics?
Datsundere 3 days ago 0 replies      
Thank you for this, I got all the 3 volumes over the summer to read, but couldn't finish them but had to return them.
garrettheaver 3 days ago 0 replies      
Is it just me or does everyone else naturally read this in Feynman's voice?
andimai 2 days ago 2 replies      
Have they finally updated the lectures to use SI units?
jcburns 3 days ago 1 reply      
The whole universe is a hot, dense place.
FBI Admits It Controlled Tor Servers Behind Mass Malware Attack wired.com
641 points by floodcow  2 days ago   259 comments top 30
smtddr 2 days ago 11 replies      
I don't even know anymore. We're gonna have to raise the bar on what it means to be a "tinfoil hatter"; the original definition has become reality.

"Trust no one! Suspect EVERYTHING!", I can say today without sounding crazy.

Also, remember this? http://www.linuxfoundation.org/news-media/blogs/browse/2011/... ....hmm, I wonder if....

belorn 2 days ago 7 replies      
The use of malware in police enforcement is truly a unique event in society. At what other point in history has police distributed a completely illegal tool onto unsuspecting and non-targeted civilians? It feels like a total unexplored area of liability laws, so I look with excitement to when the first lawsuit starts.

Some people have compared malware with guns. This is to me a very bad comparison, since guns actually have legal usage like hunting or self defense.

A better example would be an undercover cop, selling real drugs to real people with the intent to impress a local drug cartel. It has to my knowledge never happened, but it would be interesting to know if the cop could be held liable if someone dies from an overdose from those drugs.

Let's say that a police virus spreads out of control, and infects millions of computers. What if this specific Firefox exploit gets copied by a botnet, and is used to execute credit card stealing software on unsuspecting users. How liable can the police become when millions of people are affected? I really have no clue.

tokenadult 2 days ago 2 replies      
"Freedom Hosting has long been notorious for allowing child porn to live on its servers. In 2011, the hactivist collective Anonymous singled out the service for denial-of-service attacks after allegedly finding the firm hosted 95 percent of the child porn hidden services on the Tor network. In the hearing yesterday, Donahue said the service hosted at least 100 child porn sites with thousands of users, and claimed Marques had visited some of the sites himself."

So this paragraph of the news report suggests that sometimes Anonymous and the FBI can be united in the goal of stopping child pornography, although not united in how they try to deal with it.

skwirl 2 days ago 1 reply      
The FBI was never going to ignore huge stockpiles of easily accessible child pornography on the deep web, and Hacker News was never going to believe that this wasn't about more than child pornography. Just another day.
DanBC 2 days ago 1 reply      
So, uh, that's a criminal offence in many jurisdictions.

Are we going to see international arrest warrants and extradition and trials?

tete 2 days ago 1 reply      
From my point of view there appears to be a huge campaign to discredit Tor or short FUD going on.

Okay, lately there appears the be a huge campaign to discredit Tor going on. The botnet, the Freedom Hosting thing.

We should fight back on that. Tor is still the best tool we have and maybe these attacks are the best sign of it.

If you consider switching to a VPN like many do..

That's a bad idea. VPNs are no technology for anonymity. There are various reasons. They don't defend against various attacks, but more importantly they are owned by private entities. Did you hear of this PRISM thing? [rhetorical question] Well, guess what a private company.. even outside of the US would do if any government would ask for a backdoor, maybe even offering money.

A reason why there are these great releases about attacks on Tor is the fact that it is the best tool we have. There are attacks on it, but way less than on any comparable technology. Numerous institutions, universities, etc. work on both finding attacks and improving Tor. The Tor community is attracting the smartest people in the world, just like the NSA is. There is no other anonymity software with so many scientific papers written about it. There are attacks, none of them reaching beyond what can be done to VPNs, etc. and there are tons of improvements that are outlined, that only need a tiny bit more research or only the actual implementation. If you want to work on a real quality product for the greater good there probably is no better place than the Tor Project.

If you wanna help right now (meaning in seconds to minutes) here are some places to go.

If you want to host a Tor Bridge on the cloud for free or really cheaply: https://cloud.torproject.org/

If you are using Firefox: https://addons.mozilla.org/en-US/firefox/

If you are using Chrome/Chromium: https://chrome.google.com/webstore/detail/cupcake/dajjbehmbn...

If you have a website/blog: http://crypto.stanford.edu/flashproxy/

If you have more than just a few minutes: https://www.torproject.org/getinvolved/volunteer.html.en

jrockway 2 days ago 3 replies      
This is actually a pretty good attack. The only problem I see is the usefulness of the evidence that the attack gathers. Visiting an FBI warning over Tor isn't illegal, so appearing in some child-porn-user database because you were curious about how the exploit worked is a little disturbing, given the stigma child porn has.

I'd also like to see the legal theory they used to seize control of someone's computer. Did a judge sign off on this attack strategy?

But ultimately, I think they used some pretty good software engineering to solve a problem they wanted to solve.

powertower 2 days ago 2 replies      
> The apparent FBI-malware attack was first noticed on August 4, when all of the hidden service sites hosted by Freedom Hosting began displaying a Down for Maintenance message.

The underlying reason for this has been the notion that the FBI was attempting to catch people engaged in CP related activities...

This may be a little tin-foil here, but...

If you deliver a 404-type of a page on all requests, no website is traversed, no CP is viewed, transferred, replicated, or distributed. Meaning there is nothing here to charge the person with.

Does this article get the facts wrong, or was the purpose of this exploit something entirely different. Because if the article is true (this exploit was only in "Down for Maintenance" pages, which were the only pages served), all they did was get a bunch of useless IP to MAC to host-name correlation/mapping data for that moment in time.

There is also the 'Fruit of a poisonous tree' argument here. Would this untargeted hacking even stand up in court if this data is used to prosecute someone?

This sounds more like flexing of the muscles - the FBI saying we can get you if we want to. Or something else was going on. It also seems like a waste of a good exploit that they would probably use towards terrorist or national security related issues (ex: if they knew the MAC or host-name of a bad guy using TOR that day, but did not know his IP / so they put this out).

bsullivan01 2 days ago 2 replies      
WTF? Can we even trust the water we get from the government? Maybe they put some meds in there to make us dumb and compliant. Is that too far fetched now after what we've been reading?

>> Donahue also said Marque had been researching the possibility of moving his hosting, and his residence, to Russia.

Nice try FBI, but I have a feeling that Putin's Russia will have him in a gulag after a 5 minute "trial," appeal included.

yapcguy 2 days ago 3 replies      
> "Mozilla confirmed the code exploited a critical memory management vulnerability in Firefox that was publicly reported on June 25, and is fixed in the latest version of the browser."

Will Rust help eliminate the problem of buffer overflows and other memory related hacks?

Tloewald 2 days ago 2 replies      
This would make the FBI guilty of a whole bunch of felonies, would it not? (Independent of whether what they were doing is morally right or wrong, isn't this exactly what they imprison hackers for?)
sillysaurus2 2 days ago 2 replies      
What's worrisome is that if they were willing to burn this Firefox JavaScript exploit, then that probably means they know of at least one more.
dthunt 2 days ago 1 reply      
Why are MACs persistent?

They're totally insecure, so you can't make sensible security decisions off of them. Why aren't they randomly assigned on power-up?

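An added example (not from the thread) of what "randomly assigned on power-up" looks like in practice on Linux: a POSIX shell function that draws six random bytes, sets the locally-administered bit and clears the multicast bit in the first octet (so the address is valid unicast and cannot collide with a vendor-assigned OUI), a checker for that bit pattern, and a helper that applies the address with iproute2. The `--apply` flag and the interface argument are assumptions of the example; only the generation and the check run without root.

```shell
#!/bin/sh
# Added example: random locally-administered unicast MAC on Linux.
# Assumes /dev/urandom, od/cut/sed from coreutils, and iproute2 for --apply.

# Print a random MAC such as 0a:1f:3c:9e:44:b1.
# First octet: set bit 1 (locally administered), clear bit 0 (multicast),
# so its second hex digit is always one of 2, 6, a, e.
random_mac() {
  raw=$(od -An -N6 -tx1 /dev/urandom | tr -d ' \n')
  first=$(printf '%s' "$raw" | cut -c1-2)
  first=$(( (0x$first | 0x02) & 0xfe ))
  rest=$(printf '%s' "$raw" | cut -c3-)
  printf '%02x%s\n' "$first" "$rest" | sed 's/../&:/g; s/:$//'
}

# Return 0 if $1 is a well-formed MAC with the locally-administered bit set
# and the multicast bit clear; 1 otherwise (vendor-assigned or multicast).
is_local_unicast_mac() {
  h='[0-9a-fA-F]'
  case "$1" in
    $h[26aeAE]:$h$h:$h$h:$h$h:$h$h:$h$h) return 0 ;;
    *) return 1 ;;
  esac
}

# Re-address an interface (needs root); the link must be down to change it.
set_random_mac() {
  iface=$1
  mac=$(random_mac)
  ip link set dev "$iface" down
  ip link set dev "$iface" address "$mac"
  ip link set dev "$iface" up
  printf '%s %s\n' "$iface" "$mac"
}

case "${1:-}" in
  --apply) set_random_mac "${2:?interface name required}" ;;
esac
```

Run as `sh randmac.sh --apply wlan0` (assumed file and interface names) before bringing the link up; the new address is printed so it can be logged for later correlation with your own records. Note that this only changes what the host reports about itself; a wireless driver may still leak the burned-in address in probe requests unless it supports randomisation itself.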
DigitalSea 2 days ago 2 replies      
What is happening to this world? The Government and its so-called agencies vested with protecting America and its allies are treating everyone like criminals, privately harvesting our information via any means possible.

They don't even have to hide it any more. They can admit things like this and nobody can do anything about it. We've passed the point of being able to defend ourselves against actions like this. Every step we take to protect our privacy, the Government is presumably two-steps ahead.

We just can't win...

smutticus 2 days ago 0 replies      
It's like the government isn't even pretending anymore that they don't constantly break the law.
aspensmonster 2 days ago 4 replies      
If this is the only manner that the FBI --or any law enforcement for that matter-- has for identifying TOR users, then wouldn't the best operational security just be to firewall yourself off completely except for Tor connections? Better yet, you could monitor what applications are trying to broadcast out even if they are designed or intended not to leak. Isn't this what the TAILS live-CD does? For this case, even if your software was out of date and vulnerable to the initial attack on the browser, the attempt to broadcast out would hit a firewall and fail (and ideally be logged and alerted).
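
What "firewall yourself off completely except for Tor connections" looks like as a host policy, as an added example that is not part of the thread (it is the same idea Tails implements with iptables, written here as an nftables ruleset): every process except the tor daemon is denied direct network access, plain TCP and DNS from other users are redirected into Tor's TransPort and DNSPort, and anything else, including a callback from an exploited browser, is logged and dropped. The Tor user name (`debian-tor`, the Debian package default) and the TransPort/DNSPort numbers are assumptions and must match torrc. The function only generates the ruleset; applying it (`--apply`) needs root and nft.

```shell
#!/bin/sh
# Added example: Tor-only egress policy for a Linux host, as an nftables ruleset.
# Assumptions: tor runs as user "debian-tor" (Debian default) and torrc contains
#   TransPort 127.0.0.1:9040
#   DNSPort   127.0.0.1:5353
TOR_USER="${TOR_USER:-debian-tor}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-5353}"

# Emit the ruleset on stdout; nothing is applied until it is fed to nft.
tor_only_ruleset() {
  cat <<EOF
flush ruleset
table inet toronly {
  chain output {
    type filter hook output priority 0; policy drop;
    # loopback carries the redirected traffic to tor's local ports
    oif "lo" accept
    # only the tor daemon may talk to the network directly
    meta skuid "$TOR_USER" accept
    # everything else is logged and dropped: a post-exploit callback from a
    # browser ends up here, and the log line is the alert
    log prefix "toronly-drop " counter drop
  }
  chain redirect_out {
    type nat hook output priority -100; policy accept;
    meta skuid "$TOR_USER" return
    oif "lo" return
    # DNS from other users goes to DNSPort, plain TCP to TransPort;
    # UDP other than DNS and ICMP fall through to the drop above
    udp dport 53 redirect to :$DNS_PORT
    meta l4proto tcp redirect to :$TRANS_PORT
  }
}
EOF
}

# Count the rule lines so a caller can check the policy has all of its parts
# (2 accepts, 2 returns, 1 drop, 2 redirects = 7).
tor_only_rule_count() {
  tor_only_ruleset | grep -c -E 'accept$|return$|drop$|redirect to'
}

case "${1:-}" in
  --show)  tor_only_ruleset ;;
  --apply) tor_only_ruleset | nft -f - ;;
esac
```

After `--apply`, `nft list ruleset` shows the policy and `journalctl -k | grep toronly-drop` (kernel log) shows every connection attempt that bypassed Tor, which is the "logged and alerted" part of the comment above. The policy stops an exploit payload from phoning home directly, but not one that talks through Tor itself, so it is a containment measure, not a substitute for patching the browser.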
jacquesm 2 days ago 0 replies      
In a proper judicial system any evidence gained resulting from infecting computers with malware by law enforcement would automatically be inadmissible because the owners of those computers were no longer the only ones with access.
jpmonette 2 days ago 3 replies      
This is crazy, but really interesting at the same time. I always thought that this was the way to break anonymity on the Tor network.

FBI basically generated a shit-load of Tor nodes (https://blog.torproject.org/blog/how-to-handle-millions-new-...) for some while to increase their chances of intercepting traffic. Following the data collection and using statistic, they were able to pin-point the origin of most Freedom-hosting request/response, and then raided the place.

Think about it: if you own 9/10 of the nodes of the Tor network (and they did for a while) and simply analyze all the traffic, it's just a matter of time before you can find what you are looking for.

The second interesting thing is how they planned everything using the Firefox exploit to find out who was going on each Website. I'm pretty sure they got what they were looking for.

Even though this is highly scary in terms of government control, I think we can all learn a lot about it. Also, I'm wondering how much this attack cost.

aclevernickname 2 days ago 0 replies      
this is fantastic. now I know who I can sue for destroying the tormail accounts I was using for (legal) business purposes. Probably the best news I've had since Tormail went down.
anonymous 2 days ago 1 reply      
Oh, the malware!

What do they do about users who do not turn on Javascript?

Or users who do not use the popular browsers?

It seems like the malware authors here, government employees or contractors, are just like all the others that form the underbelly of the internet... they only focus on the least sophisticated users or the users who always follow the herd (not the Hurd): Windows and OSX/iOS users.

Assumptions, assumptions, ...

sidcool 2 days ago 0 replies      
This is about child pornography. I support this action by FBI for a change. The deep web is rotten in some respects. Child pornography cannot be allowed anywhere. If I were in the FBI, I would do anything to stop child abuse.
jumby 2 days ago 3 replies      
It's sad everyone on here is amazed the good guys have good tools. Sure it probably cost them $1M USD to have some server record an incoming ip from an http request, but still.

"Oh noes, we aren't 3 steps ahead of them, they are 3 steps ahead of us." Fuckin-a they are and I'm glad.

Getting rid of scumbag terrorists, child porn shitbirds and spying on foreign adversaries is fine by me.

And yes, I already know the comments will be "what if they designate you a terrorist some day". I suppose I will cross that bridge when that happens.

mariuolo 2 days ago 0 replies      
I don't understand why he isn't being prosecuted in Ireland.
eulerphi 2 days ago 2 replies      
Let the dark wars begin.
mindcrime 2 days ago 0 replies      
Looks like it's all out war between the government and people who value their privacy...

Really, it always was, but it was a sort of "undeclared war". Now there's really no question about what's going on, so it's time for the gloves to come off.

pekk 2 days ago 1 reply      
Misleading title - the FBI did not conduct a 'mass malware attack'
d4n3ws 2 days ago 0 replies      
My two cents about the "french hosting provider": On the 22nd of July, the French hosting provider OVH suffered an APT attack from intruders looking for the database of European clients. On the 29th of July, OVH announced new rules about using Tor on their network... In August, Marques was arrested.


hubble87 2 days ago 0 replies      
So the more you try to hide your ass, the more you get targeted
tinalumfoil 1 day ago 0 replies      
So, don't trust spy agencies?
molsongolden 2 days ago 0 replies      
Margaret come on now, that would be 233 hours of work if she was paid on a 1099. She still needs to pay tax and self-employment tax on all of that money. That said, I don't think 233 hours really counts as "just a few hours".
Fucking Sue Me (2011) pud.com
635 points by dsr12  5 days ago   194 comments top 61
grellas 4 days ago 2 replies      
Lawyering in general, and business lawyering in particular, is an art in which good judgment counts a lot more than mere technical precision.

From a lawyer perspective, a written contract may have all sorts of areas in which it falls short of an ideal in capturing all key issues potentially affecting a client. There are recitals (defining factual context), covenants (setting forth promises), conditions (defining when an obligation kicks in), and (often) representations and warranties (defining the extent to which parties stand behind what is purporting to be sold, etc.). In any of these areas, a lawyer can potentially find things that are inconsistent with what a client says the deal is supposed to be. Sometimes this happens because of unequal bargaining power, where a big company essentially presents a host of oppressive boilerplate terms and conditions as "take-it-or-leave-it" items. Other times, it happens because of what I call "slicko" tactics by the other party, where something that appears to say "x" in fact has a legal meaning of "not x" owing to the use of weasel wording and the like. Still other times, it happens because entrepreneurs are trying to cobble together their own contract by picking and choosing what sounds good from others they have seen and, in the process, failing to ensure that things don't conflict with each other or perhaps just omitting to address key legal issues by having put an exclusive focus on the business issues. Finally, it can come about simply because of either poor drafting by a lawyer on the other side or simple attempts by a party to overreach.

When you see this as a lawyer, what do you do about it?

First, the final say on such issues belongs to the client and not to the lawyer. So, after a high-level assessment, you talk with your client, explain the general range of issues and problems, and get direction on the desired level of response. Is the deal such as even to warrant legal review? Is it to be a high-level review only, just enough to let the client know what key risks exist and to address only egregious things that go to the heart of the deal? Is it to be comprehensive to try to catch and fix everything that is even potentially material, even if it deals only with issues that are highly unlikely to arise? Or is it to be something in between? This need not be an elaborate discussion and often takes only a few minutes. But it is vital to the process because it lets the client make an informed choice about how to proceed with the legal review.

Having gotten client direction, it is still important in all but mega-deals to keep a sharp practical focus in doing a review. What good is it to do a scorched-earth review and markup if the result will be overkill that is likely to alienate the other side (some lawyers who do this do deserve to be called deal-killers)? It really is poor business lawyering simply to proceed unthinkingly and one-dimensionally in every case to review and mark up everything no matter how remote the risk or how likely it is to be material. There is a dynamic to negotiations and nothing galls the parties more than to have to sort through a lot of lawyer comments over what they see as non-essential points for their deal.

On the other hand, it never pays arbitrarily to cut corners in doing a review. Just because a client says "spend no more than an hour on this" doesn't mean a proper review can be done with such bounds. If a lot is at stake, and a client is just being penny-wise and pound-foolish, it is better not to do the review at all than to gloss over all sorts of serious problems in the name of economy.

The lesson from this piece, to me, is that entrepreneurs can do well in keeping a sharp eye on the practicalities of managing their business opportunities and they should not let lawyers get in the way of that. A related lesson, in case a lawsuit ever did result on signing any complex contract blindly, is that entrepreneurs can act foolishly in casually inviting lawsuits by failing to manage the legal review process at all and simply signing complex contracts as is. The net of this is: use your lawyers in proper cases but make sure to use lawyers who have a good practical focus in addition to legal skill and then manage that relationship to get what you need from the services for your deal. In any deal that really matters, it is usually a mistake to proceed without lawyers and it is an equally big mistake to give the lawyers sole discretion in how to do the project. Be proactive and smart in this, just as you would be in making any other business decision.

jballanc 5 days ago 5 replies      
The lesson, or at least the lesson I've learned from dealing with lawyers at companies big and small, is that lawyering is a practice in making sure nothing can possibly go wrong.

In a way, lawyers are the QA team for the legal world. They know that the shit hitting the fan can potentially be very expensive, so they will go to extreme lengths to prevent any possibility of that happening. But just like you cannot rely on your QA team to prioritize features and bug fixes (because, really, who's going to click those 15 buttons in that precise order with that precise timing to trigger that bug), you cannot rely on a lawyer to determine your business plan.

Lawyers fill the role that lawyers fill. If you're an engineer, then you have to fill the engineer role.

What is that role? My father is a mechanical engineer, and he explained to me very early on just what it means to be an engineer. You see, an engineer could design a bridge that doesn't collapse and lasts for thousands of years, but that's not the engineer's job. The job of an engineer is to take the cost of materials, the budget, the expected longevity of the bridge, the project schedule, the prevailing environmental and geological conditions of the siting, etc. and balance all of these different variables against each other to arrive at a solution.

If we're programmers, then we're saying that we can write down instructions in such a way that a computer can execute them and produce some output. If we're software engineers, then we're saying that we can balance features, schedule, bug fixes, test coverage, etc. and eventually ship it!

jasonkester 5 days ago 8 replies      
There's a simple reason why this works for small businesses: nobody sues a guy with no money.

So if you're a sole proprietor scraping by and you piss off a giant company with lawyers enough that they want to file a lawsuit against you, well, what's the upside for them if they win? Tens of thousands of dollars in expenses on their side, and roughly zero dollars in recovered costs from the business they destroyed or the guy they sent into bankruptcy.

Unless their goal is simply revenge, there's really no reason for them to follow through with such a course of action.

jonnathanson 5 days ago 2 replies      
"I'm not sure what the lesson is here."

I'm not sure, and furthermore, I'm not sure I agree with being overly 'fuck-it' about legal matters. But I can tell you what it's like having been where you were with the "endless lawyering," and why it sucked so badly.

I worked for a startup once in which our CEO was a really smart guy, but the kind of smart guy that got overly worked up over tiny details and edge cases. We'd spend months working through "what-ifs" in Powerpoint, Excel, or Visio, instead of building and testing features. Anytime we wanted to make a strategic decision, we'd need to run it by our extremely expensive law firm. Picking the name (!) for our company took over $50,000 in legal bills and at least 3 weeks of everyone's time. In retrospect, I'm amazed anything got built at all.

The lesson I personally took from that experience was that entrepreneurs need to make decisions, and often, they need to make them more quickly than they feel comfortable doing. They might fuck up here or there. And one day, when they're successful enough actually to need to run everything by lawyers, they can afford to do so. The ROI on legal fees and time is much more positive when the nature of the threat is being measured in the millions or billions of dollars. In the beginning, though, the biggest threat isn't a lawsuit; it's running out of time and cash.

Lawyers still have their place, though. You need them in certain situations. But they can't wear your balls for you. When you feel the need to run every key decision through a third party, you're basically stripping the "E" out of your "CEO" title.

Here's where I'll risk sounding contradictory: contracts are a crazy beast. Given your circumstances, the "fucking sue me" approach probably made sense. But you also got really lucky.

It's not a terrible idea to consult a lawyer if you're entering into an agreement of a nature you've never taken on before (i.e., with a Fortune 500, with a scope of work you're not used to handling, etc.). I say "consult with," though, not "tie up." Most Fortune 500s have a take-it-or-leave-it policy w/r/t their contractors and their RFPs. They know they've got the bigger guns, so you're kind of playing on their terms. No amount of lawyering on your end is ever truly going to overcome that home-court advantage of theirs. So it's often a wasted and self-defeating effort to fight too hard on any terms -- with the possible exceptions of payment structure and timing (the ones that affect your ability to keep the lights on), provided they seem overly wonky as written. Fight to get paid on time, to get paid fairly, and so forth. Don't fight over nice-to-haves, because you won't get them.

calinet6 5 days ago 1 reply      
Well this just makes you sound reckless and ignorant. I don't think you are. The conclusion might be valuable; that taking risks is a necessary part of business. But the way you get there is not by ignoring the risks, but by fully understanding them and being prepared and willing to deal with the consequences.

This is why you read the contract, understood it, and decided to sign it. It was because you understood all the bad stuff that could happen, but you decided to make it not happen or deal with the consequences. It was sort of a dare in your agreement, a recognition that the agreement you were signing was important but also impossibly complex (they always are), and that the larger picture was more important.

Understanding that and making your decision is not the same as being lazy and irresponsible, and I really don't think that's what you are if you've made it any distance in business. Maybe some people are, I don't know. Cool story though.

jacobparker 5 days ago 1 reply      
crusso 5 days ago 1 reply      
Like with a lot of advice on HN, take this article with a grain of salt and pursue a balance while trying to understand the competing forces at work.

My experience with entrepreneurial legal paperwork was that I ignored it too much in my early days and it bit me in the ass. When the money starts coming in and egos grow large, people reach for their lawyers when there's too much ambiguity in business relationships.

You don't want to kill opportunities with too much negotiation, but then again you don't want to leave yourself too open to misunderstandings that could have been avoided with a line or two in a contract.

mikro2nd 5 days ago 1 reply      
Had to laugh... in my one-man business (20 years and still going) I have almost no "Standard Policies". Almost.

But one ironclad rule I do have is, "If the CEO is a lawyer, run away. Away is where you must run." Every time I've dealt with client companies run by a lawyer it has been horrible. They seem incapable of signing a reasonable deal and getting on with the business at hand, but insist on crossing every t and dotting every i to the death. All the juice is sucked out of the deal before it even begins.

Oh, and the only client I have ever had to see a lawyer over (to collect outstanding invoices) was a law firm that had hired me to help them design a software system for... Debt Collection. (I kid you not.)

raheemm 5 days ago 1 reply      
My risk-averse nature has been the #1 challenge in my startup life of the last 11 months.

I was worried about taking on a partner for 3 months. Finally I just decided to skip that - it meant I'll grow slower.

I was worried about sending sales and marketing emails for 4 months. Finally, I decided to announce my beta launch and offer discounts for anyone who signs up. One customer signed up and paid for a year's subscription.

Because I had a customer, it forced me to stop dreaming about the perfect product launch and just do my beta launch. Which happened 3 weeks ago.

Now I worry about losing that one customer because my beta product is not perfect. I'm also struggling with getting more customers. Why? Because I want to create the most perfect email marketing funnel. I've been procrastinating on this for a month now.

If I worried a lot less, things would happen so much faster.

JonFish85 5 days ago 3 replies      
As much as I admire the candor & spirit of this, at the same time, I'd hate to have the chance of being completely destroyed by the lawyers. Dodged a bullet in this case, but to me, the downside is not even close to worth the upside. $400k contract, but if things go horribly awry, their lawyers are coming after you for millions, and drag you through the mud. Not worth it, in my opinion.
skore 5 days ago 0 replies      
Maybe some more in-depth advice while not missing out on the profanity:

Fuck You Pay Me by Mike Monteiro[0]

(for the few who haven't seen it yet)

[0] http://vimeo.com/22053820

tqi 5 days ago 1 reply      
Isn't this a classic example of Survivorship Bias? i.e. you know who probably doesn't write a lot of popular blog posts? Unsuccessful entrepreneurs whose companies failed because of something in their contract that they didn't read.

But as with many things, the smart path is probably somewhere in between the two extremes...

Spooky23 5 days ago 0 replies      
End of the day, this is risk management. The risk of getting sued over a deal that doesn't happen is zero. The risk of getting sued for a deal that goes through is non-zero.

Here's a great example. If you want to do business with the State of New York, there's a list of non-negotiable clauses that you need to agree to. ( http://www.ogs.ny.gov/about/Docs/AppendixA.pdf ) Several are onerous... you need to provide periodic reports about whether you discriminate against your employees in Northern Ireland (whether you have them or not).

As a smallish enterprise, you do not have the ability to negotiate with a big org. So you need to decide: Do you want risk and a bag of money? Or no risk and no money?

crazygringo 4 days ago 0 replies      
> This lesson in total disregard for risk served me well. They say entrepreneurs are risk takers. I think of myself as too lazy and irresponsible to fully understand the risk.

I recall a study somewhere (can't find it now, unfortunately) that concluded: it's not actually that entrepreneurs are people who intentionally take bigger risks than others. It's that they have so much self-confidence that they believe things are less risky than they really are -- somewhat self-delusional, perhaps? But hey, that's how things get done.

alan_cx 4 days ago 0 replies      
Forget the legal stuff, the lesson here is to just get on with stuff and gather up any loose ends later. That's it.
unclebucknasty 4 days ago 0 replies      
Years ago, I participated in a mutually beneficial potential partnership being lawyered to death, and missed out on a great win. As a small business that was approached by a large organization with potential to drive us a ton of new customers, I had a great opportunity. But, I also saw some risk, due to the sheer size. So, I let my lawyer review it, which initiated a death spiral.

In retrospect, there was nothing onerous in the initial proposal. My attorney just wanted to cover all bases. That's how they envision their jobs: If a client ends up in a bad situation that could have remotely been avoided, then they have failed (in their eyes). But, there is sometimes no scale brought to bear. Any degree of risk--no matter how small--becomes a point of contention.

The funny part is that I and the biz dev guy on the other side just wanted to get it done. But, we became unwilling conduits for lawyers who tried to eliminate all risk from their respective sides and we just wound up passing marked-up agreements back and forth until we (and the deal) were exhausted.

So, I learned that all of this legal "protection" must be taken with a grain of salt for the small business owner in particular. The upside is generally so much greater than the risk for us, and in the off chance that the risk becomes a reality, it can generally be mitigated then.

There is risk to simply being in business, especially in this litigious society. So, you cannot deny yourself an opportunity simply because your lawyer couldn't wrangle every last bit of risk out for you. And, when you assume that posture of trying to eliminate risk completely from your side, then you have to know that the legal folks on the other side will follow suit. That's when the show stops.

The advice given to the author by his dad is exactly what I'd give to my kids, minus the expletives.

vladimirralev 4 days ago 0 replies      
Bad idea. Anyone who is offering hostile contract terms is very likely to use them. Many of these terms are extremely expensive - such as non-compete or excessive confidentiality, forcing you to put your name and reputation on the line for shady business practices or excessive liability.

Even if they don't sue you, they may publicly call you unethical for signing terms and then breaking them, turning the tables on you to sue them. It is considered excusable if you are a very small guy who simply doesn't have any other choice, but if you are a bigger company building on reputation you will suffer from it.

petercooper 5 days ago 1 reply      
I've been trying to find a post by either Derek Sivers or Tim Ferriss along these lines. It was about basically ignoring annoying rules and regulations if the potential penalty was either small or unlikely to be incurred. Anyone remember it?
eli 5 days ago 0 replies      
I think the larger (and IMHO better) lesson is that it's really important to trust your clients and for them to trust you. That understanding is often more important than the legally-binding fine print that you two have signed.

For example, if the client doesn't agree with the bill you presented them, you're gonna have a problem regardless of what the contract says.

jwb119 4 days ago 0 replies      
The lesson from this isn't that you shouldn't get a lawyer to review your 400k business critical contracts, it's that you should pick a lawyer who knows what's important to fight about and what's not, and understands the objectives of the business. The "Sue me!" attitude is pretty shortsighted thinking.

Disclaimer: lawyer here.

adammil 4 days ago 0 replies      
After handling lots of contracts back and forth, my experience is that you avoid adding new conditions to a contract for a large company if you can, but you had better remove anything that you don't intend to actually comply with. As an independent contractor, I've had companies remove the insurance requirement, non-solicitation, any unusual IP ownership clauses, etc. and never lost a contract yet. I especially watch for clauses that affect my ability to do my normal business with other companies after this work is complete and anything that puts a weird reporting burden on myself. You'd be surprised what's hidden in the company's contract boilerplate text that even the company lawyers forgot about.

My overall goal when doing this is to ensure that when the work is done, the customer signs off and the checks stop coming, that I don't owe them anything more.

rrhyne 5 days ago 0 replies      
While I definitely believe in taking risks, be sure to protect yourself. If you are doing anything unique for a client protect your IP and have a non-compete.
dctoedt 4 days ago 0 replies      
Relevant: The funniest lawyer cartoon ever, at http://dilbert.com/strips/comic/2008-08-28/
PhantomGremlin 4 days ago 0 replies      
The 20-something young hipsters in startups now, reading HN during compiles, mostly think the sky is the limit. Salad days, nothing but good times ahead. But we've seen this movie before, and it didn't end well the last time. The whole frenetic startup scene will eventually blow up again. IMO.

Archive.org has quite a few captures of fuckedcompany.com, Pud's great site chronicling the (previous) dot com bust. I don't know if they archived everything; companies were blowing up on a daily basis, laying off people, missing payroll, closing doors without notice. https://en.wikipedia.org/wiki/Fucked_Company

bananashake 5 days ago 0 replies      
There are a few lessons

1) redlining a contract too much can destroy deals. Some lawyers do this instinctively but you should talk to your lawyer and review the changes and make sure all are important to you.

2) when you are starting off in business you can take more risks. But, I think that when you are established, it pays to be more cautious.

mildtrepidation 5 days ago 1 reply      
I'm not sure what the lesson is here.

If a lesson would be considered an informative or useful conclusion based on the circumstances and results described, I'd say the only lesson here is that the author was very lucky despite what seems -- at least as described -- like very risky behavior.

This definitely is not the way to run a business, particularly when there are people depending on you. It's great that it went well, but "just sign it" is very reckless, and "fucking sue me" is, quite literally, asking for it. If you're not prepared for the eventuality of being sued this is just an unconscionable stance to take.

Yes, business almost always involves risk, but it's almost always possible to take calculated risks rather than throwing up your hands, signing whatever's put in front of you, and hoping for the best.

ianstallings 5 days ago 0 replies      
Although I think you should always have a lawyer around to highlight and explain the risks, business is not always cut and dry and contract disputes sometimes require you to go to court. After all, you just need an impartial party to make a determination. It's part of business and entrepreneurs should get used to it. Especially in our field where people throw around Intellectual Property wants/demands so easily.
krmmalik 4 days ago 0 replies      
So I've skimmed maybe the top 10 comments on this thread and it seems everyone has gone off on a complete tangent. I'm seeing this more and more on HN. Maybe someone further down has covered the point but I'll say it anyway. The lesson has nothing to do with a lawyer or hiring people. It's to do with embracing uncertainty. That's the key take away here.
zefi 4 days ago 0 replies      
The lesson here is the same drawn from pg's essay on doing things that don't scale - http://paulgraham.com/ds.html.

If you were a multibillion dollar company acting at scale, it would make sense to spend time perfecting the contract. But because you could assess the risk of failure for all elements of the project and felt comfortable with them, there's little need to do the extra due diligence required by a company acting on a larger scale.

The majority of a founder's job is making decisions. But the point at which a decision needs to be made to be effective is the point where the founder often has only 10% of the information needed to feel comfortable making it.

josephjrobison 4 days ago 1 reply      
The fact that he closed with

"It works for me.

I'm not sure what the lesson is here."

Takes it from another 'oh this entrepreneur has a few specific experiences and thinks he has business wisdom' to just funny and awesome.

Jugurtha 4 days ago 0 replies      
I think that there is inherently some risk taken in any endeavour. I think the biggest risk is not doing anything. I agree on that.

Signing contracts without legal counsel might turn out okay, but legal counsel is like insurance or a seat belt: You don't need it until you have an accident.

It is dissuasive, and it is mitigating. i.e.: Those who want to screw you will think twice when you have an attorney, and if they wish to screw you, you have a better chance to get screwed less if you have an attorney than if you haven't.

On the other hand, it depends. Just as some seat belts and air-bags were actually the cause of death of the car driver, it depends on your lawyers. It's not a generic term. One needs to find people who are well versed in the matters, and the body of law is large, so one needs specialists in a field. You can't get the best advice on start-ups from a lawyer who specializes in divorces.

Again, on the other hand, Elon Musk once affirmed that they didn't have lawyers because things were too complicated and it wouldn't make any sense to them. That was back in 2003, I doubt things stayed the same. The stakes are high, and a company like SpaceX? I don't think they don't have lawyers.

eplanit 4 days ago 0 replies      
You should not engage in contracts as an individual person. Form a corporation (a sub-chapter S if you're a very small team or an individual). As owner of the corporation, you can legally indemnify yourself. The company acts as a shield to protect the assets of the owners/stakeholders.
DanBC 5 days ago 0 replies      
Just signing anything is great until they do sue you and you're fucking screwed.

Tenancy agreements are one thing where it pays to look through and say "come on, you didn't get a lawyer to draft this, let's cross these bits out."

keithrl 4 days ago 0 replies      
As a lawyer, that is a stupid attitude to have.

Having legal shit done correctly for start-up businesses is a lot like having insurance. You'd prefer not to have to pay for insurance and you'll likely never need it. But when you need insurance, you're glad you have it.

Same thing is true for having your legal ducks in a row. You hope you never get sued or embroiled in a lawsuit, but if you do, you'll be glad you had lawyers involved at the beginning.

snorkel 5 days ago 0 replies      
It is a truth of business that contracts are mostly for defining expectations and escape routes, but as long as the client is satisfied none of those clauses will be enacted, especially because most businesses have more important things to do than go to court.
kaa2102 4 days ago 0 replies      
I don't think entrepreneurs should be lazy or blind to risk; rather, they should use strategy, options and flexible arrangements to eliminate, minimize, or transfer risk. Big companies didn't want to handle fraud for online payments - Paypal founders figured it out. The OP could have brought the employee on as an independent contractor. Moreover, forming a corporation would help to limit the risk of non-delivery with the $400k contract.
Knight4 4 days ago 1 reply      
"Worry about that in 2 months,"

I can't help but cringe. I quit my former job at a startup because they owed me 7 months salary. I really believed in the projects and in the CEO but, in the end, he couldn't walk the talk.

It's a real shame because the company had - and still has - TONS of potential, but management is appalling.

mverwijs 5 days ago 1 reply      
Reminded me of "Screw you. Pay me.", a video that advises you to get a lawyer before you sign anything.


teeja 2 days ago 0 replies      
I never heard Robert Young say "fucking sue me" in Father Knows Best. But then fathers don't wear fucking fedoras these days either.
OhHeyItsE 5 days ago 0 replies      
Good read. I get the message: done is better than perfect. However, in this specific example, it's pretty terrible advice to sign a contract that leaves you in a compromising position just to get a job. You'd probably be better off signing no contract at all.
workhere-io 4 days ago 1 reply      
This lesson in total disregard for risk served me well. They say entrepreneurs are risk takers. I think of myself as too lazy and irresponsible to fully understand the risk.

This attitude works very well - right until everything goes horribly wrong and you wished you had tried to minimize risks.

grandalf 4 days ago 0 replies      
Not getting a good contractual arrangement is all fun and games until you're the Winklevoss twins.
probablyfiction 5 days ago 0 replies      
> I'm not sure what the lesson is here.

Me either, but it was a good read.

Yuioup 5 days ago 0 replies      
The lesson here is that you couldn't resist bragging about the fact that you briefly made an exorbitant amount of cash during the DotCom bubble ... and that your dad is a bad-ass.
bcoughlan 5 days ago 0 replies      
Perhaps the lesson is that getting sued is an occupational hazard.
marincounty 4 days ago 0 replies      
Take the risk, but try to protect yourself--become judgement-proof if you can? I sometimes think if you're doing something risky, with the real possibility of getting sued, it's not unreasonable to hide money in a tin can. Ha--Ha. Yes, it's not conventional advice, but it might keep you from being homeless, or despising all lawyers.
lnanek2 4 days ago 0 replies      
I have seen many deals die with the lawyering back and forth, even if both parties agreed on the essentials.
vph 4 days ago 0 replies      
The obvious lesson here is: listen to dad. If you are starting out, have a mentor.
mydpy 4 days ago 0 replies      
By following the advice in this blog, aren't we letting the big corporations hold all the legal cards and potentially put smaller operations in very uncomfortable positions? That isn't right.
thebandrews 4 days ago 0 replies      
How did this make it to the front page of hacker news for a second time?


acidx 5 days ago 0 replies      
The title reminds me of the Sosumi sound that came with Mac System 7 onwards: https://en.wikipedia.org/wiki/Sosumi
ktran03 4 days ago 0 replies      
As a newish freelance/contractor, what stood out to me is that's a shit tonne of money made there. I wonder if there's contracts close to that floating around still.
call 4 days ago 0 replies      
Previous discussion, posted by the OP.


aceperry 4 days ago 0 replies      
"It works for me.

I'm not sure what the lesson is here."

The lesson is: he needs to get sued. :-)

FrankenPC 5 days ago 0 replies      
The only downside to this article is the URL with profanity in it...apparently it can't make it through my corporate firewall!
jesusthatsgreat 5 days ago 0 replies      
This is an attitude that you need to earn, not the kind of attitude that you should start out with...

The reality is bad things happen sooner or later and this attitude banks entirely on linear growth. The bigger you are the harder you fall, so if you're hiring employees without knowing whether you can afford them or not, then that's just reckless and shouldn't be praised or encouraged.

It's almost an 'all or nothing' approach where you reinvest everything you earn indefinitely because you want the snowball to keep growing. Sooner or later, the snowball will start melting or you'll have to push it uphill and this philosophy will have to be 'put right' by sensible people who only spend what they know they can afford.

It's a bit like playing the lottery and the guy that wins is giving advice to those who want to win - "play every week, buy as much as you can, that was my secret"... yeah, well that will work for some people, but for most people it won't work.

skidoo 4 days ago 0 replies      
This ideology works wonders within the United States government's war on terror especially.
Silent_Wolf 4 days ago 0 replies      
In this case you should have gone to a lawyer who knows this type of biz, not some random or general lawyer lol
6d0debc071 5 days ago 0 replies      
Lawyers can either be your best friend or your worst enemy in getting a contract worked out. If they're just posting letters back and forth at each other, I'd try and find a different lawyer fast.

A conversation needs to take place with the interested parties so that people know what they can compromise on and what they can't - see how much leeway they're prepared to give each other. Marked up contracts, after the initial exchange arguing about things that the client perhaps doesn't even care that much about, is not such a conversation.

presspot 3 days ago 0 replies      
Well put.
suyash 4 days ago 0 replies      
$400,000 for an e-commerce site? Can't believe that happened. Can anyone point me to tips as to how to get those six-figure-plus contracts nowadays?
NSA shares raw intelligence including Americans' data with Israel theguardian.com
634 points by dombili  5 days ago   172 comments top 23
ferdo 4 days ago 2 replies      
The worst part is here:

> Notably, a much stricter rule was set for US government communications found in the raw intelligence. The Israelis were required to "destroy upon recognition" any communication "that is either to or from an official of the US government". Such communications included those of "officials of the executive branch (including the White House, cabinet departments, and independent agencies), the US House of Representatives and Senate (member and staff) and the US federal court system (including, but not limited to, the supreme court)".

The NSA is giving intel about officials in the US government to another country, on the honor system.

Snowden and Manning are considered traitors for doing even less.

btilly 4 days ago 7 replies      
The shoe I'm still waiting for is whether the FBI is willing to use the sworn affidavit of foreign intelligence people with access to American intelligence as grounds for warrants issued under the 4th amendment.

In plain English, if another country tells us which Americans to go after, do we issue warrants and actually go after them? I'd be willing to bet money that we do, but nobody will want to admit to it.

ferdo 4 days ago 3 replies      
BTW, thus far it seems that the Washington Post and USA Today are the only American mainstream sources touching this story:


rickhanlonii 4 days ago 1 reply      
The most troubling truth of this for me is:

>Destroy upon recognition any communication contained in raw SIGINT provided by NSA that is either to or from an official of the U.S. Government. "Government officials" include officials of the Executive Branch (including the White House, Cabinet Departments, and independent agencies); the House of Representatives and Senate (members and staff); and the U.S. Federal Court system (including, but not limited to, the Supreme Court). "Officials" include civilian and military members and employees performing the official business of these branches of government, and is independent of seniority or position.

>Process only for purposes unrelated to intelligence against the U.S. any communications contained in raw SIGINT provided by NSA that include references to activities, policies, and views of U.S. officials.

It's not that Israel is supposed to destroy any data they get that is either to or from a U.S. Government official that troubles me. It's both that they collect that data and that they pass it out blindly to other nations.

That is absolutely irresponsible.

venomsnake 5 days ago 1 reply      
I really like the way Glenn is moving the story. Every new punch is unexpected. And gives enough rope to the Administration to hang themselves.

Can by these deals the NSA whitewash intelligence? If something has come from outside sources they can use it.

lifeisstillgood 4 days ago 2 replies      
Can I try to get this straight - Five Eyes countries all co-operate in grabbing as much traffic and metadata globally as they possibly can. This raw data is also shared with at least one favoured nation.

Analysed, filtered data can then be accessed in BigData style to gather a digital picture of almost anyone globally, covering financial transactions, phone, email and medical.

Out of this comes (unsurprisingly) actionable information that covers not terrorism but more common international and domestic crime (drug smuggling, other organised crime).

However, due to legal and political issues the information cannot be given directly to law enforcement, so it is provided via cut-outs - departments in FBI / DEA who get tip-offs from "anonymous sources" and pass it on.

A similar legal nicety is performed by, say, having Canada process raw data about US officials and then passing on useful data to the NSA (thus no country ever actually spies on its own people).

On top of this Israeli intelligence get raw data and probably join in the game of deniable whispers.

I think that's about it so two things

1. is there a wiki where we can all update / view what is known and provable? if not who wants to help?

2. is there any evidence they have gotten into VISA ? that might tip the balance against this program publicly

3. WTF !?

forgotAgain 4 days ago 2 replies      
So what happens in the situations where Israel intelligence uses US supplied information as a basis for killing an American citizen?
narrator 4 days ago 3 replies      
Oh good! We finally have a candidate for someone that the NSA considers to not be "the enemy".
chebucto 4 days ago 3 replies      
I may have missed it, but I'm still waiting to hear whether the assumption about the 'five eyes' is true: whether the signals intelligence agencies of the US, UK, Canada, Australia & NZ spy on each others' citizens, and share that data with one another, in order to circumvent domestic spying restrictions. That is, whether the NSA spies on Canadians and gives that information to the Canadian government, while at the same time the CSE spies on Americans and gives that information to the American government.
ianstallings 4 days ago 1 reply      
My main concern is that they will use this data to target people who are pro-Palestine, or just plain anti-Israel, in America and subject them to scrutiny or worse. It makes you wonder what they give us in return.
richardlblair 4 days ago 0 replies      
Just when you think this shit is bad, it gets worse. I don't even know what to say anymore.
ArtDev 4 days ago 2 replies      
>In 2009, however, the New York Times reported on "the agency's attempt to wiretap a member of Congress, without court approval, on an overseas trip".

This is shocking. If I were a member of Congress I would be pissed! Where is the outrage!!

devx 4 days ago 1 reply      
If you can assume the worst about dragnet surveillance - NSA has already done it. That would be a pretty safe bet at this point.
codex 4 days ago 1 reply      
This makes sense. If they had the technical capability to filter out inadvertent collection of data on US citizens, they would already have filtered it. Therefore, any data shared with Israel may contain data they were unable to filter out. QED.
yetanotherphd 4 days ago 0 replies      
If this turns out to be true, then it's no big deal since we shouldn't be surprised that agencies share intelligence.

If it turns out to be false, then it's anti-semitic to even think that Israel would engage in such a heinous act.

cincinnatus 4 days ago 1 reply      
frank_boyd 4 days ago 0 replies      
Another day, another WTF.
chj 4 days ago 1 reply      
Is Israel also sharing its raw intelligence with US? If so, it's a DEAL between two countries. What's the big deal?
aspensmonster 4 days ago 4 replies      
50 points, 3 hours ago, not on front page. Definitely nothing screwy going on here. Regardless, here's the link to the memorandum:


My favorite part:

>1.d) This agreement is not intended to create any legally enforceable rights and shall not be construed to be either an international agreement or a legally binding instrument according to international law.

Hey Israel, we're totally against you violating the constitutional rights of American citizens --to say nothing of the human rights of all people-- but it's not like this is a "legally binding instrument" or anything. Just don't be bad, m'kay?


sinak 4 days ago 5 replies      
I don't understand why stories like this are being flagged down.

This story has 55 points and is 3 hours ago and is on the second page, but a story with 45 points from 7 hours ago is on the homepage.

ddevelop 4 days ago 1 reply      
How come this story is being buried below older ones with less comments and less points? There seems to be a concerted effort to suppress this.
tsotha 4 days ago 3 replies      
Why single out Israel? Why would anyone think there aren't dozens of countries with the same agreement?
SODaniel 4 days ago 1 reply      
I'm so tired of this crap I'm not even engaging in the debate anymore.
New NSA Leak Shows MITM Attacks Against Major Internet Services schneier.com
630 points by chopin  3 days ago   139 comments top 31
moxie 2 days ago 8 replies      
Trevor Perrin and I have been working on a dynamic certificate pinning proposal called TACK to help mitigate these types of attacks: http://tack.io

In the current state of the world, we're all dependent on CA signatures for each connection we make to a website. TACK is a layer of indirection away from CA certificates, such that we'd only be dependent on CA signatures the very first time we contacted a website. It doesn't introduce any new authorities or change the default UX at all.

After the Comodo breaches a few years ago, I put together a talk about these types of attacks, where the fundamental problems lie, and why approaches like DANE are similarly ineffective:


josteink 3 days ago 6 replies      
If this is true, and that NSA has been MITMing providers like Google, they are undermining the already shabby trust the US cloud-industry has attempted to build. I doubt Google and friends are very happy about that, since that's their one big basket where all the money comes in.

NSA in their eagerness to do rampant spying on everyone have had quite some collateral. They have decided to compromise the one thing which allows us to communicate securely on the internet: trust.

Right now we need to find out which (root?) CAs are compromised by the NSA. Long term it would probably be a very wise decision to revoke any US-based CA from the default trusted-list of browsers and OSes.

We cannot have untrustworthy CAs in a system based on trust. That's simply not an option.

Edit: As I've been pondering for a while (and which was also pointed out on reddit) we now have a situation where self-signed certs are more secure than CA-issued ones. They are the only ones you know can't be faked. How backwards is that?

The NSA is ruining the internet one piece at a time. The NSA needs to be dismantled.

ReidZB 3 days ago 1 reply      
If I had to design a system to break TLS (and I had the authority of a secretive government agency), selected MITM attacks would be exactly what I would use.

Large-scale MITM attacks, i.e. ones against a huge section of the population, really have a lot of disadvantages. First, there are always cautious people who check certs religiously, sometimes with browser addons to help (in fact I see that peterwwillis linked to some below). So, if you execute a large-scale MITM effort, you run the risk of being discovered. Note that if the NSA can compel Google to turn over its secret key(s), this isn't an issue, but I am operating under the assumption that we don't want to give away our MITMing easily.

Second, broad MITMs require a lot of resources to be effective. To MITM all of Google's traffic requires network capacity equivalent to Google's, no small thing (though I suspect very much within the power of the NSA if it were deemed necessary). There's a lot of data on the internet at any one time.

Third, the fact that you must have physical servers on physical networks sitting between Google and the target means that the MITM server's IP address will be the one that targeted clients appear under. That is, if you have a single server MITMing thousands of requests, all of them will appear from the same IP address. That's another risk of being discovered if the MITM is too broad and the servers are too beefy. Although, this assumes that people on the other end are doing some sort of analytics --- maybe not true. But intel agencies are pretty paranoid, so whatever.

Fourth, it still pretty much gets the job done anyway, with less cost: passively sniff traffic for, say, DNS requests to resolve suspicious domains, or plaintext connections that have suspicious contents. Passive sniffing requires less computational power than actual MITMs, and it can be done without raising any red flags. Plus, even if you miss someone suspicious, just get a NSL for Google to hand over all the data anyway in the worst case.

Fourth, if an investigation ever were launched about my breaking of TLS, targeted attacks look great. See, we don't target the American people --- only specific connections that are "suspicious" are targeted. Broad-scale MITMs seem very illegal-wiretap-y, but the targeted connections look very legitimate, at least in comparison.

So, these reasons are why I've always held the belief that the government is not executing large-scale MITM/dragnet collection of encrypted communications ... and hence TLS is effective, so long as you're not the one being targeted.

diego_moita 2 days ago 1 reply      
Funny. I tried to submit the original Globo/Fantastico story to HN 4 days ago (http://g1.globo.com/fantastico/noticia/2013/09/nsa-documents...) but was blocked as spam.

Schneier's credibility makes a lot of difference.

gregschlom 2 days ago 0 replies      
> One document [1] published by Fantastico, apparently taken from an NSA presentation [...]

> Another screenshot [2] implies is that the 2011 DigiNotar hack was either the work of the NSA, or exploited by the NSA.

I doubt that those 2 documents are original slides or screenshots from NSA material. They both are written with the familiar rounded font that Globo uses for all its text [3].

[1] http://www.scribd.com/doc/166819124

[2] http://imgur.com/a/g3UGP#1

[3] http://www.fonts.com/font/urw/vag-rundschrift?siteId=2c670c8...)

dpeck 2 days ago 1 reply      
A bit surprised at the shock here, CAs are, for the most part, in the lawful intercept business and have been as long as they've existed.

Moxie Marlinspike and others have been talking about this for years. It's a recognized problem, and that's why apps that are serious about protecting communications have been moving to a pinning model.

Obviously this sucks at the browser level, though Chrome protect does this with Google properties (and others?) at the CA level now, but at the app level it's very doable and should be something you're implementing.

SchizoDuckie 3 days ago 3 replies      
Holy shit.

This means that The Netherlands was a high-level target with Diginotar, and they hit the frickin' jackpot.

Just for reference, read this: http://nl.wikipedia.org/wiki/Hack_bij_DigiNotar

The Diginotar hack basically exposed all of the information about the Dutch that NSA could ever want to dig through: information about license plates (RDW), tax info (DigiD), phone records (OPTA) and the complete Dutch encrypted government infrastructure (PKI Overheid).

Let's see what traction this new info will get now in The Netherlands...

wmeredith 2 days ago 3 replies      
At what point does the NSA become considered a terrorist organization in and of itself? It seems to me that they have stared too long into the abyss.
peterwwillis 3 days ago 5 replies      
Some firefox add-ons to help defend against mitm:

Certificate Patrol (notifies you when certs change) https://addons.mozilla.org/en-us/firefox/addon/certificate-p...

Force-TLS (force websites to always use HTTPS) https://addons.mozilla.org/en-us/firefox/addon/force-tls/

Perspectives (compare certs with peers to verify authenticity) https://addons.mozilla.org/en-us/firefox/addon/perspectives/
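
The pinning model moxie describes (depending on CA signatures only on first contact) and the Certificate Patrol add-on in peterwwillis's list both come down to the same trust-on-first-use check. The following is an added example, not code from TACK, Certificate Patrol or any commenter: a minimal pin store that records a host's public-key fingerprint on first contact and flags a later key change while the pin is still active. The names (`PinStore`, `Pin`, `spki_fingerprint`, `simulate_session`, `MAX_PIN_AGE`), the 30-day cap and the activation rule are assumptions and simplifications, not TACK's actual specification; the keys and host name are constructed stand-ins.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

DAY = 24 * 3600
# Assumed cap on how long an unrefreshed pin stays active (TACK uses a 30-day
# maximum; the activation rule below is a simplification, not TACK's own).
MAX_PIN_AGE = 30 * DAY


@dataclass
class Pin:
    spki_sha256: str   # hex SHA-256 of the server's SubjectPublicKeyInfo (DER)
    first_seen: float  # epoch seconds of the first observation
    last_seen: float   # epoch seconds of the latest matching observation

    def active_until(self) -> float:
        """A pin stays active for as long as it has been consistently observed,
        counted from the last observation and capped at MAX_PIN_AGE."""
        observed = min(self.last_seen - self.first_seen, MAX_PIN_AGE)
        return self.last_seen + observed


def spki_fingerprint(spki_der: bytes) -> str:
    """Fingerprint the key itself, so a re-issued certificate for the same key
    (different CA, different validity dates) still matches the pin."""
    return hashlib.sha256(spki_der).hexdigest()


class PinStore:
    """Trust-on-first-use pin store: one pin per host name."""

    def __init__(self) -> None:
        self.pins: Dict[str, Pin] = {}

    def check(self, host: str, spki_der: bytes, now: Optional[float] = None) -> str:
        """Return 'first-use', 'match', 'expired-repinned' or 'mismatch'.

        'mismatch' means a different key was presented for a host whose pin is
        still active: exactly the case a CA-validated rogue certificate would
        slip past an ordinary browser check."""
        if now is None:
            now = time.time()
        fp = spki_fingerprint(spki_der)
        pin = self.pins.get(host)
        if pin is None:
            # First contact: CA validation is the only assurance available,
            # so record what was seen and trust that key from here on.
            self.pins[host] = Pin(fp, now, now)
            return "first-use"
        if pin.spki_sha256 == fp:
            pin.last_seen = now
            return "match"
        if now > pin.active_until():
            # The old pin lapsed (e.g. key rotation after a long absence):
            # re-pin rather than alarm, but this is still worth logging.
            self.pins[host] = Pin(fp, now, now)
            return "expired-repinned"
        return "mismatch"


def simulate_session() -> List[str]:
    """Constructed walk-through: a host is seen with key A for ten days, then a
    different key B appears while the pin is still active, then again after
    the pin has lapsed."""
    key_a = b"constructed-spki-der-for-key-A"  # constructed stand-in, not real DER
    key_b = b"constructed-spki-der-for-key-B"
    store = PinStore()
    t0 = 1_700_000_000.0  # arbitrary constructed epoch time
    return [
        store.check("mail.example.com", key_a, t0),             # first-use
        store.check("mail.example.com", key_a, t0 + 10 * DAY),  # match
        store.check("mail.example.com", key_b, t0 + 15 * DAY),  # mismatch (active until t0+20d)
        store.check("mail.example.com", key_b, t0 + 25 * DAY),  # expired-repinned
    ]


if __name__ == "__main__":
    for step, verdict in enumerate(simulate_session(), 1):
        print(f"step {step}: {verdict}")
```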

bostik 3 days ago 1 reply      
The simplified view given in the documentcloud link begs a question: just which CA certificate(s) is/are controlled by NSA?

Because in order to pull that MITM off, they either need to have the target service's CA - or they have the ability to fake any certificate. My guess is on the latter.

And that means at least one commonly accepted CA certificate is effectively compromised.

coldcode 2 days ago 1 reply      
Eventually we will find out enough about what the NSA can do that the entire internet is as good as screwed. If they can get away with MITM against just about any secure site then how does the internet economy function any more?
newgre 3 days ago 5 replies      
If it is true that the NSA MITMed Google connections, then one could draw the conclusion that the NSA doesn't actually have a direct connection to Google data centers (as claimed by Google). If they had such a connection, then why would they use MITM attacks against people?
anologwintermut 3 days ago 5 replies      
I'd say this is likely bullshit, at least that it was done against a Brazilian company. Why take the risk of getting caught and burning your ability to do this when you can get the information from Google?

1) Chrome (and some plugins) pins certificates and would notice a man in the middle attack (unless it was done with Google's key). Sure, most corporate targets probably use IE, but if anyone uses Chrome or one of these plugins on the network, you've both alerted your target and exposed a presumably tightly guarded ability. Hell, if it gets reported, you've probably burned the ability. Of course, you might be able to filter out both the plugins and Chrome, but it's a risk.

2) NSA could legitimately just ask for the company's emails from Google. Petrobras is a Brazilian company in Brazil staffed by Brazilians and as such a legally allowed target for Foreign Surveillance without either the NSA's twisted definitions of search and who is a US national. Google is legally required to hand over the information by the Foreign Intelligence Surveillance Amendment Act of 2008. Why authorize an operation that could reveal both the CAs you have in your pocket and your network penetration exploits?

As a side note, the cited slide looks nothing like anything else we have seen and lacks security/handling information (e.g. the prominent TS/SCI/ORCON/NOFORN on the top of the PRISM slides).

chopin 3 days ago 1 reply      
The documents mention the DigiNotar hack explicitly. What I do not understand is that the hack was detected when (afair) Iranian authorities tried to MITM Google connections, so the hack was claimed to come from an Iranian hacker. This begs the question whether this is wrong and the NSA hacked DigiNotar genuinely or they just used the breach (perhaps then only known to them) to fake certificates themselves. One may also take into account that DigiNotar was responsible for Netherlands public key infrastructure. This made DigiNotar possibly an even more valuable target.
cromwellian 2 days ago 0 replies      
It's worth noting that Chrome's use of TLS Channel ID makes it unlikely this attack can be pulled off if the end user has a Channel ID capable browser.
rurounijones 2 days ago 0 replies      
"Google directly by performing a man-in-the-middle attack to impersonate Google security certificates."

Which CA did they use to get those certs, they should be obliterated from trust networks.

einaros 3 days ago 0 replies      
And here I was thinking I was being an all paranoid nutter when I expressed privacy concerns with US hosted CDNs and analytics services ..


venomsnake 2 days ago 0 replies      
Flying Pig - I wonder if it has something to do with the "With sufficient trust pigs fly just fine". Seems to summarize very well the NSA approach towards its mandates.
danbruc 2 days ago 2 replies      
This might also be an indication that their advances in attacking commonly used ciphers are not that major - it does not make that much sense to perform a relatively complex MITM attack if you are able to just break the used cipher.
leef 3 days ago 1 reply      
Applied Cryptography mentions the 'Interlock Protocol' [1]. Why is something like this not used in today's protocols to try and detect MITM attacks?

1 - http://en.wikipedia.org/wiki/Interlock_protocol

coenhyde 2 days ago 1 reply      
Cut the cables. The USA should be kicked off the internet. They've proven they can't be trusted.

It is irresponsible on behalf of the rest of the world to allow this behavior to continue. Maybe after US businesses have experienced enormous economic damages they will change their way.

state 2 days ago 0 replies      
Relevant (and just posted on the Cryptome list): http://www.freelists.org/post/cryptome/MITM-Manipulation-of-...
educating 1 day ago 0 replies      
Some security solutions actually rely on doing MITM to read secure packets to identify malware, etc. Really stupid.
leef 3 days ago 2 replies      
The ephemeral session keys should protect against the MITM attacker getting anything but another encrypted stream of data, right?
txutxu 2 days ago 1 reply      
Wait. They access Google directly... without depending on routing your traffic and tramping your SSL to get a lot of compressed js and ajax traffic.

So... maybe this was only needed or relevant before having direct access?

louwrentius 2 days ago 0 replies      
If you worry about the NSA spying on your company, DUMP MPLS WAN networking ASAP, it's unencrypted and basically just VLANS at layer 3.

The easiest way to snoop on all internal company data is to sniff those MPLS links at ISPs.

brennenHN 2 days ago 0 replies      
Bucket Brigade is a better term for this kind of attack. Non-gendered speech and all.
frank_boyd 3 days ago 3 replies      
One more reason to not use any of the giant email providers like Yahoo, Google, and Hotmail.
fejr 3 days ago 1 reply      
Weird. This has been submitted in less than two hours, has 90 points, but it is at the bottom of the front page. Other stories from 6+ hours ago with less points are at the top.
First Mechanical Gear Found in a Living Creature popularmechanics.com
624 points by zdean  3 days ago   183 comments top 24
ihsw 3 days ago 1 reply      
This article was posted to reddit, and incidentally the author is a redditor.


They're taking questions.

m-photonic 3 days ago 4 replies      
"They're rather specialized, and there are lots of other jumpers that don't have them, so there must be some kind of advantage."

Not necessarily. Evolution has a lot to do with path dependence and in no way guarantees the best of all possible adaptations.

dekhn 3 days ago 2 replies      
I'm pretty sure that the bacterial flagellum is effectively a mechanical gear: http://en.wikipedia.org/wiki/Rotating_locomotion_in_living_s...
alan_cx 3 days ago 3 replies      
I wonder how it prevents wear? Could be something quite revolutionary there for the finding. Some sort of new organic lubricant, or something in the gears that self-lubricates.
stcredzero 3 days ago 2 replies      
> In 2 milliseconds it has bulleted skyward, accelerating at nearly 400 g's, a rate more than 20 times what a human body can withstand.

This is entirely incorrect. 9 g is the limit at which someone can stay conscious, but the body can withstand a lot more.

Experimental subject John Stapp withstood 46.2 g.


mrb 3 days ago 2 replies      
Why do they say the gears "look nothing like what you'd find in your car"? They look very similar to me.
ruethewhirled 3 days ago 0 replies      
I found it amusing that to view the 1 second video at the end I had to watch a 30 second advert first
jere 3 days ago 1 reply      
>Even stranger is that the issus doesn't keep these gears throughout its life cycle. As the adolescent insect grows, it molts half a dozen times, upgrading its exoskeleton (gears included) for larger and larger versions.

Gotta catch em all.

drakaal 3 days ago 0 replies      
The Transformers evolved from naturally occurring gears. It says so in Issue 1 of the comic series.
jasonkolb 3 days ago 0 replies      
So assuming we can one day mimic this feat of engineering, can I look forward to my car literally dying on me in traffic?
kriro 3 days ago 1 reply      
Maybe a little cruel but I'd be interested in some sort of study where a large number of issus' are placed in an environment with a couple of predators.

Repeat this with young and adult versions and see if/how much the gear system (adults don't have it) improves the odds of surviving attacks.

jberryman 3 days ago 2 replies      
Can someone explain what this means? I don't get it:

> Most other bugs synchronize the quick jolt of their leaping legs through friction, using bumpy or grippy surfaces to press the top of their legs together

ffrryuu 3 days ago 1 reply      
Does that mean the patent for the gear is now invalid?
lifeisstillgood 3 days ago 0 replies      
OMG - that electron microscope picture, as long as it is genuine, just blows you away. it's a picture of a gear - cogs and teeth and - wow ...
educating 3 days ago 1 reply      
This is misleading. It looks like a gear, but they are just evolved nodules that caused friction that helped the bug escape predators better. We call it a gear but it is just a mix of physics, life, and death.
rocky1138 3 days ago 3 replies      
Hmm.. the text wouldn't load for me. Anyone have a copy of the article?
fosap 3 days ago 0 replies      
I can swear I saw pictures of this years ago. In a series of lectures by different speakers. This can't be a new finding.
mschmo 2 days ago 0 replies      
Some proteins like ATP synthase kind of act like gears as well: http://www.mrc-mbu.cam.ac.uk/sites/default/files/images/imag...
yohann305 3 days ago 0 replies      
In other words, we, human beings, are just reinventing naturally occurring (or may have been extinct) mechanics and are putting patents on it.

Okay if you own a patent and sued someone for it, it's time to hand back the money!

ThomPete 3 days ago 0 replies      
I would like to see the patent trolls trump that.
electronous 3 days ago 1 reply      
God is real.
swamp40 3 days ago 6 replies      
It is for beauty like this that I believe all living things were originally designed by some intelligence, somewhere.

Perhaps designed to mutate and evolve, or perhaps that was a limitation in the source materials, but there are some beautifully engineered living systems on our planet.

swamp40 3 days ago 0 replies      
I agree with you 100%.

Don't know why you got downvoted.

teddyh 3 days ago 13 replies      
This gives us four possibilities:

1. This geared creature must be considered part mechanical. A cyborg, if you will.

2. A "gear" is no longer (and was never) a "mechanical" device, but instead an organic one. Using gears is no longer (and was maybe never) doing mechanics.

3. Whether something is mechanical or organic depends on the process which created it. This is the "colored bits" or "patent" view. (If I build something using intuition instead of reason, am I no longer doing mechanics?)

4. A gear is no longer (and was never) either mechanic or organic, and is simply a physical process. The whole "mechanical" and "organic" division is a false dichotomy.

Civet coffee: why it's time to cut the crap theguardian.com
562 points by ValentineC  1 day ago   192 comments top 33
peterwwillis 1 day ago 5 replies      
This is one of those moments where I learn something I had no idea about, and am very glad someone wrote the Guardian story, and that someone posted it here.

I bought the civet coffee off ThinkGeek for a coffee snob friend of mine years ago. She said it tasted watery and bland, but thanked me for the thoughtful novelty anyway. Now I realize I not only gave her crappy coffee, it was crappy coffee created through abusing animals for a stupid gimmick. I feel like an asshole.

audreyt 1 day ago 4 replies      
A viable alternative may be in-vitro fermentation: http://www.chinapost.com.tw/taiwan/national/national-news/20...

There was a marketing campaign earlier this year in Taiwan around the animal-cruelty-free process.

gfodor 1 day ago 3 replies      
I just got back from Bali and tried this stuff. The place I went to of course said little about the surely terrible environment the animals are in -- they had a few at the place but they were probably just there for the tourists to see.

Anyway, the coffee isn't anything great. Yet invariably many of the tourists around me were raving about it, I'm sure not in small part due to the focus on it and the high price it demands. It reminds me a lot of the phenomenon of shark fin soup in Asia -- the soup is mediocre at best, but because of its high price people (in my view) pretend to think it tastes incredible.

manarth 1 day ago 3 replies      
One hypothesis: what if (genuine) civet coffee is so good, because the civets' nose smells out the very best coffee cherries, and only eats the best? Therefore, if it's crapped out the arse of a civet, it was a very good bean.

Given that many animals have a superior sense of smell to humans, this hypothesis seems reasonable - civets could smell out the best coffee, and given the choice, who wouldn't want to eat the best?

If this is the case, then the whole mass-production/feeding-civets-in-cages is absolutely pointless, because it does away with the civets' selection process. Which might explain why some people describe their purchase as watery and bland.

sigil 1 day ago 1 reply      
I tried Luwak coffee last summer in Munduk, a mountain village in north Bali. Honestly: it's nothing special. My girlfriend (a former barista) vetoed it after she saw a caged Luwak, and the huge piles of drying coffee-bean-laden turds that were clearly not the result of gathering. And, obviously, pretty gross.



rotskoff 1 day ago 1 reply      
This probably isn't any different from consuming anything that contains animal products from a country with flexible regulation on farming conditions. The description doesn't strike me as being any different from the conditions described for chickens in the U.S.

Markets that suddenly emerge often have strange consequences. The demand for quinoa and acai berries, for example, have had serious economic and environment effects in South America.

There's not too much that's unique about this case, other than product. Poor conditions for animals and exploitation appear to be the norm.

Nate75Sanders 1 day ago 0 replies      
First I ever heard of this stuff was from Olin Shivers' page:


his general page:


I don't think it's changed much in about 15 years

aaron695 1 day ago 1 reply      
Reminds me of the South Park 'Whale Whores' episode.

A lot of people who probably are happily eating chicken getting incensed by another culture doing something the same to a slightly different creature.

ghshephard 1 day ago 0 replies      
If it makes any of you feel better (from an ethical perspective), I've heard that a large portion of the "Civet" coffee that is marketed has never seen the digestive tract of that nocturnal animal, and is simply regional coffee beans branded at a much higher price.

It's the coffee equivalent of Kobe Beef (which, if you've purchased in the United States, probably wasn't actually from the Tajima breed of Hyogo wagyu cattle in the Hyogo Prefecture)

fatjokes 1 day ago 1 reply      
Copy and pasted from the article:

" I was the one who started it all ... I first read a description of kopi luwak buried in a short paragraph in a 1981 copy of National Geographic Magazine."

So... he didn't exactly start it. He just popularized it to the affluent western audience.

jsilence 9 hours ago 0 replies      
The leading Vietnamese coffee company Trung Nguyen analysed the natural process and was able to reproduce it without animals. I tasted both and was not able to tell the difference. Great coffee, lower cost, no animals harmed. http://www.trung-nguyen-online.com/about-legendee-coffee.php
wanderr 13 hours ago 0 replies      
There's a local startup here that produces coffee supposedly with the same enzymes produced by the cats. I think this might be them: http://coffeeprimero.com/ I've tried it before and I have to say, it's not bad... but not really for coffee lovers either. At least if the bitterness is at all part of what you enjoy about coffee, this stuff is pretty bland and boring. The fact that they only sell it ground is another hint that it's not really meant for coffee lovers.
cfontes 14 hours ago 0 replies      
I've been to one of those farms when I was in Indonesia. They only showed me a single one of those animals in a big cage, but I can be sure there were more from the amount of coffee available to sell in their "Rural store".

I've bought one cup of it for U$5,00 and it's stupid. The coffee tastes weird and seeing that animal in that cage was enough to make me leave the place with a feeling that I was doing something really wrong paying for that coffee.

I try hard to never buy this or any other kind of super cool variants of cheap things. Especially if they are from a 3rd world country because (I am from one) I know that there is nothing in those countries with power enough to stop any wrongdoing. In those places government and agencies just don't care about animal safety, public health and so on.

codeulike 1 day ago 2 replies      
They need a free-range or wild standard I guess
larsbot 1 day ago 0 replies      
Instead of buying civet coffee, roast your own beans. I have never tasted coffee as good as the stuff I have roasted myself. All you need is an old popcorn maker. Buy green beans from Sweet Maria's or somewhere else online. It's cheap, easy to do, and the results are amazing.
rdl 1 day ago 0 replies      
It is interesting how luxury goods are very amenable to this kind of campaign -- the "conflict diamond" thing from a few years ago seemed a lot more effective than any number of regular anti-animal-cruelty or sweatshop labor campaigns. Anti-fur and anti-foie gras have also been much more effective than anti-meat.
mfieldhouse 1 day ago 0 replies      
Disgusting how there's scumbags out there who jump at the chance to make some quick money, even if it means destroying the lives of others.
raintrees 1 day ago 0 replies      
This is a bit thematic, but maybe we could get Jellyfish to eat the coffee bean cherries? Two problems, one answer?


JacobAldridge 1 day ago 0 replies      
"Wild Crap Coffee" - as a descriptor of the Civet industry's marketing, the broader fecal caffeine industry instigated by the author (Tony Wild), and the brand name for his suggested loop-closing product in the final sentence - has a ring to it.
anigbrowl 1 day ago 1 reply      
Talk is cheap. I kept expecting to read how he was donating some % of his consulting fees/shared profit from the promotion of this luxury into alleviating the problem, but apparently that's not on the cards.
nicholassmith 1 day ago 0 replies      
I had civet coffee many, many years ago (nearing a decade) and it was a lovely cup of coffee, but not enough to justify the ridiculous price. Now that it's become industrialised it's even more awful to consider having a cup; I do hope this helps remove it from the market.
gcb0 1 day ago 0 replies      
I sense someone just got a deal with a farm that can actually ship a ton per year of the real stuff and is now working his way into a certification program.

Certified civet coffee anyone?

mrleinad 1 day ago 0 replies      
Aren't we ingenious little fuckers? Always finding new ways to give the finger to other species..
benatkin 1 day ago 1 reply      
In the short term I think this article is going to have the opposite effect of what's intended. It seems inevitable that everyone must know about Civet Coffee before resources can be gathered to protect the animals regardless of the demand. Better sooner rather than later.
siliconc0w 1 day ago 1 reply      
Someone should start a consumer protection type business which offers certification with varying degrees of statistical significance to slap on your products to prove it isn't bullshit. Then we legally mandate you either get the seal or have to put "THIS PRODUCT MAY BE LYING ABOUT ITS CLAIMS" on the packaging. Then it'll be interesting to see how long until the process is corrupted and the certification becomes meaningless.
ballard 16 hours ago 0 replies      
A proper luxury product should debase the consumer, i.e.,

"LoJack for luxury handbags" that would adapt radio tags for monitoring wild animals to the task. (Sans Civets.)

wtvanhest 1 day ago 0 replies      
I know this is the wrong reaction, but now I want to try it.
ianstallings 1 day ago 1 reply      
What on earth..
frogpelt 1 day ago 0 replies      
It's time for free-range, coffee-eating kopi luwak farms!
guiomie 1 day ago 0 replies      
We humans are really twisted.
njharman 1 day ago 0 replies      
Viva la free market!
malkia 1 day ago 0 replies      
Kopi 2014
talles 1 day ago 0 replies      
"cut the crap" :)
Google knows nearly every Wi-Fi password in the world computerworld.com
483 points by brennannovak  3 days ago   298 comments top 52
tytso 3 days ago 6 replies      
The author is worried about WiFi passwords? If you trust that your WiFi is secure in general, you're in trouble. WPS is horribly insecure, for example, and that's what most home users use. Most user-chosen passwords are incredibly easy to guess for another. The better thing to do is to assume that your network traffic is always under surveillance (since the NSA is tapping Tier1 network providers), and to encrypt everything, or use network protocols which encrypt everything.

The only thing WiFi passwords are good for is to prevent your neighbors from using your network and using up all of your bandwidth (which would slow down your network access) and preventing drive-by spammers/hackers from doing things which you might then get blamed for.

guelo 3 days ago 10 replies      
Your WiFi password is only useful for someone who is within 100 feet of your house. If you have federal agents surveilling you from 100 feet away you have way bigger problems than your WiFi password.
crb 3 days ago 8 replies      
Google also knows all the secrets of General David Petraeus, or anyone else that uses Gmail. And everything you've (secretly) searched for.

Google's business model is based on aggregating that information and gaining value out of the data, mostly in the form of advertising. As soon as it lets a major secret out, even just once, it's game over, and no-one will ever trust a secret to Google again. This is why they publish videos saying that no-one can ever walk out of a Google data centre with a hard drive.

I continue to use the services I use because I find the benefit I gain from them, more useful than the potential risk of exposure.

Should these secrets be encrypted? If they were, it would be possible for Google to steal your key if they wanted to. This is the same kind of perception problem that led to the Chrome team being hauled over the coals in public for not encrypting saved passwords. They have to be available to be useful, but people would rather perceive they weren't available.

jfasi 3 days ago 4 replies      
This very same point could be made against Apple, for instance, but there hasn't been a single comment to that effect in any discussion of this article.

I wonder if all of this recent Google-bashing is really just a symptom of something larger. People are suddenly waking up to the obvious-in-hindsight realization that simply giving their data to a third party involves a certain amount of trust.

The reason people don't seem to be ganging up on Facebook, Apple, etc. in a similar way is because they never really earned that faith. Take Facebook: from the very start their founder was known to consider their users "dumb fucks" for entrusting him with their privacy.

In my opinion, the fact that Google went out of their way to, and generally succeeded at, earning that trust is a good sign. It shows they take the matter seriously.

All American companies operate under the same rules. If you've taken the position that all American companies are not to be trusted, fine. But if you haven't, wouldn't Google's history make them one of the more trustworthy ones?

cbr 3 days ago 1 reply      
Security is about tradeoffs. How bad would it be if someone else got this information? How helpful is it to me to give it to this third party? Wireless passwords are a huge pain: visit someone's house, ask them for their password, and then feel guilty while they look through various papers to find a long string of hex digits which are so annoying to enter on the phone. This pain makes the tradeoff well worth it for me (and I suspect for nearly everyone) when balanced against the low risk of Google doing something nasty with the saved passwords.

(Disclaimer: I work for Google, but if I had an iPhone I'd want the same functionality.)

PeterisP 3 days ago 1 reply      
Are wifi passwords considered a security issue? I treat it the same way as a flimsy lock on a garden shed - I'd prefer both the shed and wifi to be open, but there's a formal "lock" to keep out teenage pranksters and drunks.
thomasahle 2 days ago 0 replies      
Funny story:

I was once visiting my friends house in the English midlands. I had been there once before, but this time I had to find the way there myself.

I managed to get the entire way to his street, but then I realized that I had forgotten his house number. He didn't pick up his phone, and I didn't want to knock on every door on the road. I was lost.

Then I realized that the previous time I had visited, I had logged on his wifi. It was from a different phone, but with Google's sync all my old wifi passwords had been synced. I didn't remember the name he had given it, but I could walk along the road until I suddenly connected.

Saved the night.

tiernano 3 days ago 1 reply      
When I read the title, I thought "really?! how?" Then I read the article and realized any time I have restored my Android phone, then entered my Google account, it automagically connects to all access points I usually use (home, work, other office, etc)...
DanBC 3 days ago 0 replies      
> And, although they have never said so directly, it is obvious that Google can read the passwords.

Frustrating then that it's so hard for users to reveal the password being used by their phone to connect to a WIFI hotspot.

0x006A 3 days ago 2 replies      
And in addition to that they have the audacity to not make them accessible to the user! No way to look up your own wireless password in your phone, i.e. to tell a guest; that's just ridiculous.
cowls 3 days ago 0 replies      
"On an HTC device, the option that gives Google your Wi-Fi password is "Back up my settings""

Evil Google, disguising the 'Can we steal your password button'

wglb 3 days ago 1 reply      
Or, in other words, Google remembers the things that we agree to have it remember.
nly 3 days ago 0 replies      
Google can also install anything on my phone remotely.
njharman 2 days ago 0 replies      
> backing up Wi-Fi passwords along with other assorted settings. And, although they have never said so directly, it is obvious that Google can read the passwords.

That's not obvious. It's possible, common, and dare I say a "best practice" to store stuff like this encrypted. To be decrypted only on the device.

Also, wifi passwords, Oh my!!! Security wise you should treat your wifi network as open whether it is or not. I.e. isolate it, firewall it, do not trust it.

joosters 2 days ago 0 replies      
Why all the NSA crap in this thread? You don't need to add in a government agency to make this treasure trove of passwords valuable or dangerous. One day, this data will leak out, and then there will be trouble.

Just having a reliable set of millions of real world passwords is invaluable - they'd be useful for brute-forcing other hashed password files.

prab97 3 days ago 3 replies      
For convenience, most people won't opt out of it. Most people won't bother at all. Google employees (or even the NSA, if you don't do anything illegal) coming to your home/office to use your WiFi is a joke! Only the paranoid ones are perturbed by these kinds of revelations, and they are ready to face the inconvenience caused.

I didn't use LastPass until recently, when keeping a difficult password on every site became a major pain given that countless numbers of password-enforcing rules are there on the web, some requiring at least one capital, some enforcing using at least one symbol but not using a ~ or a #, yada yada. I gave up on it. Every damn time I had to reset the password on services I use less frequently. But now I don't. LastPass claims that they keep the passwords encrypted and they themselves can not read them. But I don't believe them. Log in to lastpass.com. Click your vault on the top right corner. Click the pencil against any site in the list. Click the 'show' link in front of the password field. And your password is staring at you in plain text. And it has been accessed at lastpass.com. Once they start storing master passwords, or once someone cracks their hash, you are done with. But there is no simple and easy alternative. To get the job done we need to make these sacrifices.

diminoten 2 days ago 0 replies      
What does that mean? "Google knows"? That data exists in a database owned by Google, or that Google actively farms that data and makes use of it?

Are you saying Google's using this for gain, or for any reason? Is there any evidence whatsoever to suggest that this data has ever been accessed by a Google employee ever, for any purpose whatsoever?

Slight tangent, but the difference between "can" and "does" is a vast one I don't think people are getting, with all these privacy issues coming about these days. Here's a scary thought: any person who owns a gun/car/knife/taser/baseball bat can kill someone else with it. They could do it.

Unless it "does" happen, and there's evidence that it happened, they don't get in trouble.

What Google can do is almost endless. What it does do is what matters.

demallien 3 days ago 0 replies      
That's not the problem - choosing to give up your own secrets is fine, but giving up the wifi password of your friend's router because they kindly let you use the network whilst visiting is not cool at all. I personally refuse to allow access by friends with Android devices, and they are shocked to learn what Google does when I explain why...
anigbrowl 2 days ago 0 replies      
> And, anyone who does run across the setting can not hope to understand the privacy implication. I certainly did not.

Why not? I see 'back up my settings' and I assume it means everything. For a computer security reporter to clutch his pearls and say 'I certainly did not' makes me wonder why he thinks he's qualified to write a column on this subject. Strictly outrage bait.

sspiff 3 days ago 1 reply      
> And, although they have never said so directly, it is obvious that Google can read the passwords.

This is not necessarily true - they could encrypt this data so that it requires a user password to read, and transmit these settings for client-side decryption. They probably don't though, and in all likeliness can read your WiFi password.

shmerl 2 days ago 1 reply      
It's completely ridiculous that Google "backs up" passwords in clear text without encrypting them. Mozilla does that properly in their Sync service. So why can't Google do that?
donniezazen 2 days ago 0 replies      
I do not agree with the statement that users aren't aware of if their settings are being backed up. It is one of the options that users get when setting up Google account on any Android phone.
runn1ng 3 days ago 2 replies      
I am not sure why is this such a problem.

OK, when NSA goes physically near my home, they can connect to my WiFi and secretly use my internet connection.

That's not really what I am concerned about.

bobzibub 1 day ago 0 replies      
IM(Paranoid)O, it puts the "inadvertent" collection of SSIDs while driving down every street taking pictures for Google View into a new context. They gave a simply implausible explanation that this data was recorded "inadvertently". (No, fitting all those vehicles with the equipment and software would cost serious money!)

Marry the Geo-location, SSID, phone owner and passwords and you've got real information for the authorities. On Everyone.

chinpokomon 2 days ago 1 reply      
Does MAC filtering at the router level help at all? If the backup option is turned on, does Google also save your MAC addresses? If not, that seems like a good start to prevent someone from connecting to your network, even if they know the password. Obviously this won't help for public hot spots, but I always assume that public hot spots are already open to anyone. What if you are connecting to a Wi-Fi network using MSCHAP or MSCHAPv2? Does Google now know my domain login and password? That seems like a huge gaffe.
ChrisAntaki 2 days ago 0 replies      
When you buy a new Android phone, during the first setup it asks you if you'd like to enable this feature. I've always clicked "no".

Not sure why the author assumes most Android users would enable this feature... unless he didn't realize it was an option on the initial setup.

ovoxo 2 days ago 0 replies      
While the idea of Google knowing every wi-fi password is bad, they already know everything you search for and they also have a very good idea about all the websites you visit. So ...
aestra 3 days ago 3 replies      
Google is going to have thousands of different passwords mapped to the SSID "linksys."
Havoc 2 days ago 0 replies      
If you're running an actual corporate network then a wifi password had better not be the sum total of the protection.

For home use - who cares? It would be a sizable mission to make use of the password...and that would get them what? A couple of lolcats and my skyrim saved games? Nice.

Zoomla 2 days ago 0 replies      
Google don't need your Wi-Fi passwords, they have admin rights to a computer inside your network (your phone).
dinkumthinkum 2 days ago 0 replies      
The author must not realize that Google's "customers" are advertisers, not Web searchers or Android users. Why is the government having the data more scary than just Google having it, if we're going to be upset about it ...
d0m 3 days ago 0 replies      
That's how they can give internet for free, now I get it.
anxiousest 3 days ago 1 reply      
Not sure what the author is after here. I mean he's not breaking any news, he admits as much, he also links to some of the articles that were published weeks ago that do a better job of discussing the security/convenience trade-offs. Seems like he missed the furore at the time and decided to compensate with a woefully inaccurate and baiting headline.
NanoWar 3 days ago 1 reply      
Ehem, and later this year Apple gets your finger print!
holri 3 days ago 1 reply      
This means that I will never allow a phone with a proprietary system into my WIFI.
16s 3 days ago 0 replies      
It's only been in the last few years that home wifi routers came with passwords by default. Before that, they defaulted to open access with no password.
nodata 3 days ago 0 replies      
Oh god not this again.
Fando 2 days ago 0 replies      
Just forget about any internet privacy altogether. A new era has arrived.
progx 3 days ago 0 replies      
That means that the NSA knows all passwords too?

Google must work with the NSA and must give them access to everything, but all is secret because of FISA laws.

darkr 3 days ago 0 replies      
802.11x/EAP-TLS have been around for ages and are well supported on most hardware... As long as Google aren't collecting private keys _and_ usernames/passwords.
gdamjan1 2 days ago 0 replies      
I hope the owncloud android app will one day have 'backup service' support, so that I can backup my android to a service I own/manage.
thrillgore 3 days ago 2 replies      
It's troubling to see this, but I've always used MAC Filtering on my home network on top of WPA2 to limit what devices can connect to my network.
frank_boyd 3 days ago 1 reply      
Another reason to (really) go open-source/independent.
creatrixcordis 2 days ago 0 replies      
Great! Now the NSA knows every Wi-Fi password in the world!

Which I am sure they are willing to share if just pushed a little.

ffrryuu 2 days ago 0 replies      
So does the NSA, and not just your Wi-Fi passwords either. With the new iPhone, soon your fingerprint and movement data too.
jheriko 3 days ago 0 replies      
When did settings and data become vague terms, precisely? Sure, people might not make the connection that their WiFi password is both a setting and some data... do we really need to be alerted to this? Although maybe a little info box or something with details of exactly what is sent might be appreciated by the power user...
gjbondgaurav322 2 days ago 0 replies      
Absolutely, man. Chrome is the best browser in the world and through that he can know everybody's password...
ddalex 3 days ago 0 replies      
Don't worry, Google already knows EVERYTHING.
niix 3 days ago 0 replies      
Qantourisc 3 days ago 0 replies      
Kiro 3 days ago 0 replies      
I don't mind.
kedar5 3 days ago 1 reply      
What's wrong in it? It's not a bank account, right.
Twitter Files For IPO allthingsd.com
424 points by coloneltcb  3 days ago   222 comments top 32
sheri 3 days ago 16 replies      

Three of the largest, most influential and defining technology companies of our lifetime (Google, Facebook, Twitter) make money pretty much solely through advertising. Is there no other way companies can use this data to generate revenue other than to sell ads? I don't have anything against ads, but I'm just trying to understand how (if at all) this could change in the near future. What is the future of advertising? Will it continue to remain relevant 10 or 20 years down the line in its current form, allowing so many massive companies to be built on its back?

austenallred 3 days ago 8 replies      
So much pessimism in the comments about the viability of Twitter as a business model. I've heard multiple sources (Chris Sacca, Ron Conway) not only say that Twitter has perhaps the best monetization opportunity of any web 2.0 company but dump as much money as they can into the stock. I've advertised on Twitter for quite a while, and the returns destroy Facebook and Adsense.

Advertising makes a lot of money if the audience is big enough. Twitter's audience is huge, connected, well sorted, and interested.

wpietri 3 days ago 2 replies      
My guess is that profits will be low. And they should be. Declared profits are basically a way of saying, "We can't figure anything more useful to do with this money than put it in the bank or give it back to our investors."

That's fine for a large company in a stable market. But Twitter is a young company battling to establish market share with products they hope will last for decades or centuries. [1] If the management really can't think of anything useful to do with cash, they should step down and help hire somebody who can.

[1] Yes, centuries. The New York Times started publishing in 1851. It's reasonable to think that the World Wide Web will have a historical place similar to print periodicals. And network-effect businesses are notoriously hard to dislodge once widely adopted.

ebiester 3 days ago 1 reply      
Ironically, I think this is both the sign to buy twitter and stop using it at the same time.

I no longer trust American companies to do right by the user the moment that their stock becomes public. When wall street is banging on the door for a quarterly result, most CEOs end up listening.

I'm not deleting my account just yet, but I'm wary from everything I've seen in the last decade.

dev_jim 3 days ago 1 reply      
This is awesome. I use Twitter every day in a way that can't be replicated by any other service out there - there's zero competition. Once they really figure out monetization, as Facebook eventually did, it will be a home run for investors.
jmduke 3 days ago 3 replies      
I'm curious if Hacker News would have brought such pessimism to the AAPL and MSFT IPOs as they have with Facebook and Twitter.

Around 500 million users, around 750 million tweets per day. That data might not be worth everything, but it's definitely worth something.

debt 3 days ago 2 replies      
They have a lot of really sharp talent over there. I'm confident they can make a killer ad platform. Sign me up.
unknownian 3 days ago 3 replies      
Maybe this will get buried, but as a huge fan of Twitter and the team I can't help but think they can try making more cool stuff? This huge benevolent profitable business with amazing developers has a shot at making more than a web application, I suppose. Others may say it's unfair for the big guy to cannibalize business ideas though.
joe5150 3 days ago 0 replies      
"Confidentially" meaning they submitted all the paperwork via Snapchat, of course.
dm8 3 days ago 1 reply      
Congrats, Twitter. Another product that was mocked as a "toy" becomes revolutionary and is finally going to raise money on the public market. I use Twitter every day and it is my primary information network. I'm sure they will be successful!
swalsh 3 days ago 1 reply      
Nice! Another shorting opportunity.
6thSigma 3 days ago 0 replies      
I'm bullish on Twitter for a few reasons.

I think Twitter has a unique opportunity in advertising. I'd be interested in seeing how many businesses are on Twitter and what percentage of Twitter users follow a business. I'm assuming both of those numbers are fairly high. If so, that means that a large number of users expect to see information about businesses they follow in their feed (and thus are ok with receiving marketing/business information/etc.) That in turn means ads are not viewed by a large percentage of the user base as intrusive. I think psychologically that is very important for an advertising company.

In terms of the rumored market cap, all I have to say is there is no way Twitter is worth only 1/10 of Facebook. I'm not sure what Facebook is worth, but I'm sure the gap between those two companies is much closer than that.

I really like the Twitter platform, and while I know they messed up by restricting their API, I think their leadership generally make good decisions.

crapshoot101 3 days ago 0 replies      
http://gigaom.com/2013/09/12/twitter-files-papers-to-go-publ... - interesting; secondary valuations are in the $14-15B range per GigaOM. I'm a believer at some level.
tinbad 3 days ago 2 replies      
Great, did they find a way to monetize their service yet?
dweekly 3 days ago 0 replies      
What a Dick move.
aganek 3 days ago 0 replies      
I love that Twitter announced it via a tweet. Good work dogfooding their own product :)
nichodges 3 days ago 0 replies      
As one of the people who decides where and how brand marketing budgets are spent - I would say Twitter's advertising product and approach is far more viable and attractive than Facebook's is (or ever has been).

On top of that, the work Twitter is doing with TV networks, producers, and sporting organisations is unique and has a high chance of success because it provides value to those organisations.

While some have tried, nobody else has come as close as Twitter to accessing and disrupting the $180B (annual) TV advertising market.

I wish them luck. I think they're going to nail it.

rplnt 3 days ago 0 replies      
Another bubble appearing I see. Their user base to revenue ratio is pretty average. Their revenue by itself is not that impressive and I'm pretty sure they will be priced in tens of billions. Solely because they are visible and known.
jlebron2 3 days ago 3 replies      
I'm skeptical about Tech IPOs. I wonder if as many people are going to buy into the hype as they did with the Facebook IPO.
pdevr 3 days ago 4 replies      
Any idea about their valuation? Facebook is now worth more or less what they claimed at the time of their IPO. Is it safe to assume this is will be around the same range (i.e., $100b)?
chris_wot 3 days ago 0 replies      
I hope they keep the prospectus to 140 characters or less.
mrgleeco 3 days ago 0 replies      
Delivering ads could be the lesser half. Realtime sentiment analysis on Twitter's scale will explode and hyper-accelerate advertising in ways advertisers cannot yet foresee -but will surely be willing to pay for. They're just getting started.
RexRollman 3 days ago 1 reply      
Brace for monetization.
tn13 3 days ago 0 replies      
Well, hope that does not shoot up housing prices in SF area again.
anmalhot 3 days ago 0 replies      
twitter presents a unique opportunity to choose the 'people' you want to follow & tailor your own feed. It's like handmade versus machine made feed. The former worth much more than the latter nowadays. I imagine if they could establish a business where people build/manage personalized feeds for others & in turn get paid - that would be fun!
wehadfun 3 days ago 0 replies      
I hope they make cool stock certificates. People were upset that Facebook didn't do this.
kaonashi 3 days ago 0 replies      
Well, there goes that.
aflam 3 days ago 0 replies      
Entertaining. Now will the blue bird fare better than the blue chips ?
modarts 3 days ago 1 reply      
joering2 3 days ago 3 replies      
1.16B in funding, any ideas on profits and how much they ask to get via IPO?


bnuighr 3 days ago 0 replies      
Sorry for my ignorance, but what's the general timeline for the IPO process? When could I start buying shares on the open market?
ulfw 3 days ago 2 replies      
Do people still actively use twitter?
Dropbox opening my docs? wncinfosec.com
391 points by johns  3 days ago   124 comments top 34
madaxe 3 days ago 3 replies      
I would wager that they're opening it in order to generate a thumb or preview, or maybe for search indexing, and libreoffice is a good way to achieve this on linux - particularly if they're only opening it once, as they probably use the hash of the file.

We do exactly this on our eCommerce platform, before wanging stuff into s3 or glacier and just keeping a reference kicking around.

On the other hand, you have just discovered an information disclosure (host IPs) vulnerability in dropbox.

milkshakes 3 days ago 4 replies      

you've already determined that it's running on an ec2 instance, but it's somehow "suspicious" that the user-agent is libreoffice? and you're a "security researcher" but "curious if this is an automated process"? please.

sure, dropbox might owe an explanation (even though you certainly gave them permission to do this in their TOS), and you can call me cynical and jaded, but this seems like pretty shameless FUD that appears to be tied to an effort to shill a new product.

EDIT: first i thought this was written by the HoneyDocs founder. now i'm actually unsure who the author is.

yesbabyyes 3 days ago 4 replies      
LibreOffice has a pretty powerful document conversion, which you can run headless. I'm guessing they are converting to HTML and perhaps other formats -- do they offer anything like that?

Edit: You can invoke it something like this:

    soffice --headless --convert-to html file.doc
I'm just speculating, but it seems reasonable that it would open the document just like the regular LibreOffice, fetch external resources and so on.

sspiff 3 days ago 0 replies      
> Further digging into the HoneyDocs data reveals a suspicious User Agent, LibreOffice. Now I'm curious if this is still an automated process or one that involves human interaction?

Yes, because humans use LibreOffice over SSH/X11 from an EC2 instance. Probably LibreOffice is being used for the parsing/rendering on a server. Probably for something innocent like generating thumbnails or text-only previews.

dweekly 3 days ago 1 reply      
Dropbox uses (used?) Crocodoc to do its document previews, which would be interesting now that Crocodoc has been acquired by Box (a Dropbox competitor). Crocodoc actually ran full Windows VMs to have Word interpret Word, unlike what was speculated elsewhere here (using LibreOffice) - it turns out pretty much everything else sucks pretty badly at rendering Word docs, largely because the format is a bloody nightmare of binary encoded blobs including OLE embeds, etc. My understanding was that these VMs were run on AWS Windows instances, which explains why the document was seen opened on an AWS cluster. I know they had a fun nightmare of a time getting the right licenses from Microsoft to do this.
pwg 3 days ago 2 replies      
Much ado about nothing.

If you don't want your cloud storage provider reading the data you give them, then _encrypt_ that data _before_ you upload it.

nigma 3 days ago 0 replies      
They are generating PDF for online viewing. Go to your files on dropbox site and click on a .doc file. A preview popup will appear.

Open/LibreOffice with Python bridge is quite handy in converting documents to PDF format and can be run in headless mode (using virtual frame buffer like xvfb) on a server.

eli 3 days ago 2 replies      
Did you bother asking Dropbox what's going on?

This kinda reads like an ad for HoneyDocs...

amvp 3 days ago 0 replies      
LibreOffice is commonly used as part of a system to convert and generate previews for MS Office files. I would assume it has something to do with thumbnail generation or preview generation. However I don't seem to see thumbnails or previews of .doc files (I do for images, for example) on the Dropbox webapp - so maybe it's something they're testing?
VBprogrammer 3 days ago 0 replies      
I hope that the servers running LibraOffice only have that job. LibraOffice has a pretty massive attack surface and its not the kind of thing I'd like to leave running on a server with another purpose while accepting documents from pretty much anyone.

The only thing to see here is that Dropbox is potentially opening themselves up to a vulnerability, would be interesting to see if GET file://etc/passwd worked...

steven777400 3 days ago 5 replies      
On the one hand, it seems unlikely that an automated process would trigger external resource retrieval. In the same way, most processes that scan webpages for content or similarities don't run JavaScript, unless they are very sophisticated (this used to be a good way to protect against spam bots, for instance).

On the other hand, given how many files are uploaded to dropbox every hour, it's inconceivable that a human, whether through deliberate management direction or mischief, is opening all these documents. I would be more concerned about human intervention if occasionally, a document triggered a buzz some days after it had been uploaded.

If all documents are showing as opened within 10 minutes, then surely it is just an anti-duplication automated agent at work.

Guillaume86 3 days ago 2 replies      
Isn't that a thumbnail generation from dropbox? I remember a thumbnail entry in their API.
dotmanish 3 days ago 0 replies      
ryanackley 3 days ago 0 replies      
Dropbox uses crocodoc for MS Office file previews in the browser as html and my guess is crocodoc's tech is based on a custom print driver for LibreOffice that converts it into html.
nonchalance 3 days ago 0 replies      
If someone from honeydocs is reading this ...

The tracking behavior depends on a tracking pixel which may not always be processed by the client.

For example, with the credit_cards sample, the xls file is actually an HTML file with an img at the end (url linking to https://honeydocs.herokuapp.com/img/xls/...) and a client that only reads the plaintext (there are a boatload of command line utilities that fit the bill) won't fetch the image.
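
The point above (a beacon only fires if the consumer actually renders the reference) is easy to check for yourself before a file ever reaches an office suite. The following is an added example, not code from HoneyDocs, Dropbox or any commenter here. It classifies a file by its leading bytes rather than its extension, then pulls out off-host references from the two container types where a beacon can sit: an HTML table masquerading as .xls (the credit_cards case described above) and an OOXML zip whose .rels parts carry TargetMode="External" relationships. The sample inputs and the beacon.example host are constructed for the demonstration.

```python
"""Find outbound "beacon" references in a document without rendering it.

Added example; it is not HoneyDocs', Dropbox's or any commenter's code.
Formats recognised by magic bytes, not extension:
  * HTML saved with an .xls/.doc name  -> look for <img>/<link>/<script>/<iframe>
  * OOXML zip (.docx/.xlsx/.pptx)      -> look for external relationships in *.rels
  * legacy OLE2 binary (.doc/.xls)     -> identified only (not parsed here)
All inputs below are constructed; beacon.example is a placeholder host.
"""
import io
import re
import zipfile
from urllib.parse import urlparse

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# src/href on elements a renderer would fetch; either quote style, any case.
_HTML_REF = re.compile(
    rb"<(?:img|link|script|iframe)\b[^>]*?\b(?:src|href)\s*=\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE,
)
# One <Relationship .../> element, then its attributes (order varies in the wild).
_RELS_TAG = re.compile(rb"<Relationship\b[^>]*>", re.IGNORECASE)
_ATTR_TARGET = re.compile(rb'\bTarget="([^"]+)"')
_ATTR_EXTERNAL = re.compile(rb'\bTargetMode="External"', re.IGNORECASE)


def sniff_format(data: bytes) -> str:
    """Classify by content, because the extension is exactly what a decoy lies about."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    head = data.lstrip()[:512].lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html") or b"<table" in head:
        return "html"
    return "unknown"


def _is_remote(url: str) -> bool:
    return urlparse(url).scheme.lower() in ("http", "https", "ftp")


def find_beacons(data: bytes) -> list[str]:
    """Return sorted, de-duplicated off-host URLs a renderer would fetch."""
    fmt = sniff_format(data)
    urls: list[str] = []
    if fmt == "html":
        urls = [m.decode("utf-8", "replace") for m in _HTML_REF.findall(data)]
    elif fmt == "ooxml-zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if not name.endswith(".rels"):
                    continue
                for tag in _RELS_TAG.findall(zf.read(name)):
                    if _ATTR_EXTERNAL.search(tag):
                        target = _ATTR_TARGET.search(tag)
                        if target:
                            urls.append(target.group(1).decode("utf-8", "replace"))
    return sorted({u for u in urls if _is_remote(u)})


def _sample_html_xls() -> bytes:
    # Constructed: an HTML table with a .xls name and a 1x1 beacon image at the end.
    return (
        b"<html><body><table><tr><td>4111111111111111</td></tr></table>"
        b'<img src="https://beacon.example/img/xls/deadbeef" width="1" height="1">'
        b"</body></html>"
    )


def _sample_docx() -> bytes:
    # Constructed: minimal OOXML package with one local and one external image relationship.
    rel_type = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(
            "word/_rels/document.xml.rels",
            "<Relationships>"
            f'<Relationship Id="rId1" Type="{rel_type}" Target="media/image1.png"/>'
            f'<Relationship Id="rId2" TargetMode="External" Type="{rel_type}" '
            'Target="http://beacon.example/img/docx/cafebabe"/>'
            "</Relationships>",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("credit_cards.xls", _sample_html_xls()), ("report.docx", _sample_docx())):
        print(label, sniff_format(blob), find_beacons(blob))
```

Run the module directly to see both constructed samples classified and their beacon URLs listed. A plaintext-only consumer (strings, a text extractor, a dedupe pass over blocks) never touches these URLs, which is why a silent honeydoc proves nothing; a fetch from them proves a real renderer ran.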

phaer 3 days ago 0 replies      
LibreOffice is not necessarily a sign of human involvement in the process, as it comes with a commandline interface to convert documents between various formats. So it could be thumbnail generation as Guillaume86 suggested.
sdfjkl 3 days ago 0 replies      
When you click on a .doc file in the Dropbox web interface, you get a preview of the file in PDF format. To do this, Dropbox must open and convert the file. LibreOffice is popular for this, as it can be run in a headless API mode, reads a wide range of files and can output PDF format. So this is what happens here.

The wisdom of executing "active" content embedded in such files is of course doubtful and something Dropbox should investigate. But if you want your files to be safe, you should instead use a service that encrypts them client side, which has the downside of losing the web interface that Dropbox offers (as this requires it to be able to access the decrypted files in order to serve them to you).
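
The concern raised in the comments above (LibreOffice's attack surface, and what a document with active or linked content can reach from inside the converter) is mostly a matter of how the headless process is launched. The following is an added example of a contained launcher; it is not Dropbox's, Crocodoc's or any commenter's code. It assumes a Linux host with `soffice` on PATH and util-linux `unshare` usable by an unprivileged user for a user plus network namespace; every conversion gets a throwaway profile directory, a minimal environment, a hard timeout that kills the whole process group, and a check that the output really starts with a PDF header.

```python
"""Convert an untrusted office file to PDF with headless LibreOffice, contained.

Added example; not the pipeline of Dropbox, Crocodoc or any commenter above.
Assumptions: Linux, `soffice` on PATH, and `unshare -r -n` (user + network
namespace) available to an unprivileged user. If `unshare` is missing the
converter refuses to run rather than quietly giving the document a network.
"""
import os
import shutil
import signal
import subprocess
import tempfile
from pathlib import Path

PDF_MAGIC = b"%PDF-"


def looks_like_pdf(head: bytes) -> bool:
    """Cheap post-check: the converter must hand back a PDF, not an error page or the input."""
    return head.startswith(PDF_MAGIC)


def build_soffice_argv(src: Path, outdir: Path, profile: Path, isolate_network: bool = True) -> list[str]:
    """Command line for one conversion.

    -env:UserInstallation points LibreOffice at a fresh profile, so no macro trust,
    recent-documents list or lock files survive from a previous (hostile) input.
    """
    argv = [
        "soffice",
        f"-env:UserInstallation={profile.as_uri()}",
        "--headless", "--invisible", "--nologo", "--norestore", "--nolockcheck",
        "--convert-to", "pdf:writer_pdf_Export",
        "--outdir", str(outdir),
        str(src),
    ]
    if isolate_network:
        # New user + network namespace: only loopback exists inside, so linked
        # images, OLE links or any beacon in the document cannot phone home.
        argv = ["unshare", "-r", "-n"] + argv
    return argv


def convert_to_pdf(src: Path, outdir: Path, timeout_s: int = 60, isolate_network: bool = True) -> Path:
    if isolate_network and shutil.which("unshare") is None:
        raise RuntimeError("unshare not available; refusing to run LibreOffice with network access")
    if shutil.which("soffice") is None:
        raise RuntimeError("soffice not found on PATH")
    outdir.mkdir(parents=True, exist_ok=True)

    with tempfile.TemporaryDirectory(prefix="lo-profile-") as profile:
        argv = build_soffice_argv(src, outdir, Path(profile), isolate_network)
        # Minimal environment: no inherited proxies, credentials or display.
        env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), "HOME": profile, "LANG": "C"}
        proc = subprocess.Popen(
            argv, env=env, cwd=profile, stdin=subprocess.DEVNULL,
            stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
            start_new_session=True,  # own process group, so a timeout kills soffice.bin too
        )
        try:
            output, _ = proc.communicate(timeout=timeout_s)
        except subprocess.TimeoutExpired:
            os.killpg(proc.pid, signal.SIGKILL)
            proc.wait()
            raise RuntimeError(f"conversion of {src.name} timed out after {timeout_s}s")

    if proc.returncode != 0:
        raise RuntimeError(f"soffice exited {proc.returncode}: {output.decode('utf-8', 'replace')[-500:]}")

    pdf = outdir / (src.stem + ".pdf")
    with open(pdf, "rb") as fh:
        if not looks_like_pdf(fh.read(len(PDF_MAGIC))):
            raise RuntimeError("converter produced something that is not a PDF")
    return pdf


if __name__ == "__main__":
    import sys
    print(convert_to_pdf(Path(sys.argv[1]), Path(sys.argv[2])))
```

This does not shrink LibreOffice's parser attack surface; it limits what a successful exploit of that parser gets (no network, a scratch home, a bounded lifetime). Running the converter under a dedicated unprivileged account on a host with no other duties, as VBprogrammer suggests, is the other half.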

guiambros 3 days ago 0 replies      
Coincidentally (or not), I just received the invite to beta test Sync.com [1] today. Seems a Dropbox-clone, for the privacy conscious user. They claim that all files are encrypted, and they don't have access to the keys. The encryption algorithm is still private, but they say they'll open source it soon.

While I like the approach a lot more than Dropbox (that fights to obfuscate its own algorithm), I still don't feel safe. Anyone with access to the server could intercept your keys, and thus have access to your data.

TrueCrypt over some cloud-based solution is still the ideal option, but the lack of support for sparse images makes me hesitant.

EDIT: no affiliation with Sync.com (or Dropbox, for the matter). Just trying to find a decent cloud-based storage solution that fixes the exact problem exposed by the OP.

[1] http://www.sync.com/your-privacy

yk 3 days ago 0 replies      
For further analysis, I would suggest embedding something nasty into a .doc. [1] Seriously, why would Dropbox execute code in arbitrary files; the only reason I can see is some virus scanner heuristic. So then they could spin up a new vm, load the file and diff the vm with a clean one. Or as others suggested, generate thumbnails; that, together with the 10 minute delay, would imply that they are running remote code on some batch processing machine. (Where a lot of other files are up for grabs.) Either way, it does smell somewhat.

[1] I am not sure how LibreOffice does handle active content and furthermore I am not sure if there is a way to generate a ping back from LibreOffice without some kind of active content embedded. But to me at least, it somewhat implies that Dropbox, or whoever, runs LibreOffice in a not maximally locked down configuration.

mrbill 3 days ago 0 replies      
Dedupe (at least for NetApp systems) only cares about data blocks; it wouldn't "open" a document or parse contents.


rexreed 3 days ago 0 replies      
Posted this reply elsewhere, but SafeMonk encrypts your files before they hit your harddrive and keeps them encrypted in the Dropbox cloud. It's free for personal use: http://www.safemonk.com. Note: this is not my product, just using it after I saw it demo'd at a TechBreakfast.
hoopism 3 days ago 0 replies      
In retrospect this was a very well done ad for HoneyDocs... I checked out the service and thought it was novel... wouldn't have looked if not for this.

The article is written in such a way that they are saying a lot by playing dumb... so hard to say it's misleading... but I know few security people who'd write something up with this tone.

ck2 3 days ago 0 replies      
It's probably just a MITM review by the NSA Flying Pig


VuongN 3 days ago 0 replies      
I think this is a great example of why we should ask questions about cloud security & privacy. I've written down some thoughts about this: http://vuongnguyen.com/personal-business-cloud-security.html


ValG 3 days ago 0 replies      
four12 3 days ago 0 replies      
Yay Little Snitch...


jayd16 3 days ago 0 replies      
To me, the interesting part isn't that the file was read. What has me interested is that this is a clear attack vector.

Want some free EC2 time? Wrap your workload in a .doc and have Dropbox foot the bill.

Michael_Murray 3 days ago 0 replies      
What was that article the other day about "Stealing Traction" from an established player in an adjunct space?

Well played, HoneyDocs... Well played.

gocard 3 days ago 0 replies      
In case you were wondering, I descrambled the blanked out "png" files and the filenames were "jennymccarthy[01-04].png"
jlkinsel 3 days ago 1 reply      
Time to write a little VBScript to port scan me some Dropbox servers...
whywhywhy5 3 days ago 0 replies      
I'm sure it's just the perfectly legal NSA browsing through your files. No need to worry.
jasonj79 3 days ago 0 replies      

Crocodoc is likely generating web previews of your documents.

devx 3 days ago 0 replies      
It's so annoying when Google completely opens up archive files in Drive, too. Why would they do that?!
Putin: A Plea for Caution From Russia nytimes.com
373 points by electic  4 days ago   250 comments top 36
akiselev 4 days ago 15 replies      
"The law is still the law, and we must follow it whether we like it or not."

The irony of Putin saying this cannot be understated. This entire editorial is dripping with it.

For those of you buying into his rhetoric, remember that Putin is the head of a "virtual mafia state" [1] and a government of thugs who are too busy stealing the wealth generated by Russia's natural resources to pursue the eternal dream of Russia as a global hegemon on par with the United States. The Russian state has assassinated journalists [2] and jailed political opponents with impunity while the bureaucracy (now intertwined with organized crime) steals money at an alarming rate [3]. They don't even bother to hide it anymore (Egregious examples: Magnitsky [4] and Litvinenko [5]).

I hate the idea of the US getting involved with a civil war on the other side of the world and Putin is right in his logic, but as an immigrant from Russia I can't help but feel I'm reading the same propaganda but with a translator. If at this point, Putin sounds reasonable and is starting to look like the better of two devils, we're in deep shit.

[1] http://www.theguardian.com/world/2010/dec/01/wikileaks-cable...

[2] There's a whole damn wikipedia article dedicated to this: http://en.wikipedia.org/wiki/List_of_journalists_killed_in_R...

[3] http://www.huffingtonpost.com/2011/05/24/russia-fifth-of-def...

[4] http://en.wikipedia.org/wiki/Sergei_Magnitsky

[5] http://en.wikipedia.org/wiki/Andrey_Lugovoy

Edit: To clarify, yes this is emotional and ad hominem. But come on, how many of you thought bombing Syria was a good idea to begin with? How many were entirely unaware of the US government's terrible record of following international law? This article is only on the front page of HN because of its author and it bears remembering how Putin's actions have spoken far louder than his words.

beloch 4 days ago 1 reply      
Putin is certainly playing to his audience and is guilty of more than a little hypocrisy in this piece, but I tend to agree with his central argument. If the world has any duty to those inside Syria, it is to safeguard the lives of the innocent. How will rocket attacks accomplish this?

The second U.S.-Iraq war and the subsequent occupation proved that state-of-the-art precision air and rocket strikes are still a very blunt instrument that cause a lot of civilian casualties when used. More innocent people died during the U.S. occupation than under Hussein! A big reason for this was the U.S.'s over-reliance on technology. Instead of using foot-patrols and talking to the locals, who might have been inclined to point out that they'd seen rebels planting IED's, U.S. SOP was to ride over the locals (and anything else) in tanks and hummers and call in air-strikes if they felt threatened. Forces from other nations, such as the UK, proved the effectiveness of foot-patrols, but the U.S. still largely ignores this. Technology has transformed the face of war, but the fundamental fact that boots on the ground are what let you hold territory has not changed one bit. The U.S. ignored this in Vietnam, ignored this in the first Iraq war, ignored it in the second Iraq war, and continues to ignore it in Afghanistan. You can't cower in a fort, blowing things up with rockets and drones and expect to actually provide security!

What the U.S. proposes to do is to keep their soldiers safe in remote locations while raining robotic death down on Syrian government positions that, if they weren't already hardened, probably started preparing for air strikes after the 2006 war with Israel (Note: Israel was attacking Hezbollah, but did far more damage to civilian infrastructure). Will air strikes have much of an impact on Syrian government forces? What security will Syrian civilians gain as a result?

There are ways to provide security for Syrian civilians, but they all require boots on the ground. A force could be sent to get in between the rebels and government forces, but they'd get the holy hell pounded out of them from both sides! Peace-making forces do not exist for a reason. If a cease-fire could be negotiated, perhaps peace-keeping forces could be sent in. This carries a lot of risk if negotiations break down. A third option is to occupy a portion of Syria or territory bordering with Syria, establish refugee camps, and try to provide ways for civilians to relocate safely.

It's great that the U.S. wants to do something to help Syrian civilians, but blowing stuff up like retarded cowboys isn't the answer.

muerdeme 4 days ago 4 replies      
Putin (or his representatives) knows his audience. This piece eschews the normal alpha bravado that I would expect from Putin in favor of a coherent argument in favor of restraint. I found myself not merely nodding along, but inspired, and I hope that we can at least agree with him on this.

It is alarming that military intervention in internal conflicts in foreign countries has become commonplace for the United States. Is it in America's long-term interest? I doubt it. Millions around the world increasingly see America not as a model of democracy but as relying solely on brute force, cobbling coalitions together under the slogan "you're either with us or against us."

welder 4 days ago 4 replies      
Great closing paragraph:

My working and personal relationship with President Obama is marked by growing trust. I appreciate this. I carefully studied his address to the nation on Tuesday. And I would rather disagree with a case he made on American exceptionalism, stating that the United States' policy is "what makes America different. It's what makes us exceptional." It is extremely dangerous to encourage people to see themselves as exceptional, whatever the motivation. There are big countries and small countries, rich and poor, those with long democratic traditions and those still finding their way to democracy. Their policies differ, too. We are all different, but when we ask for the Lord's blessings, we must not forget that God created us equal.

And yes, it's hypocritical and carefully crafted.

gph 4 days ago 2 replies      
I can't say I disagree with a lot of what he says.

But I doubt he honestly believes in all of this. This rationalization just happens to coincide with his (and Russia's) interests.

I think he'd do better to stay silent and let me come to this conclusion on my own instead of feeling dirty for having him agree with me.

PhasmaFelis 4 days ago 4 replies      
How much evidence do we in fact have that the rebels gassed their own people in a false-flag operation? I had heard it was a possibility, Putin seems to think it's all but certain, but I haven't studied the issue in depth.
iamshs 4 days ago 0 replies      
This piece hits the right spot for a very wide demographic. He evokes trust through previous collaboration during WW2, mentions cold war, pope and increasing trust between nations and then goes on to evoke empathy from the people using "we are one" kind of deal, and even manages to sneak in a reference to League of Nations tangentially hinting/threatening irrelevance of UN. I am fairly impressed. I wish I could write such an elegant Cover letter. Opening paragraph sets the tone, and finishing one solidifies it. A good piece, nevertheless, wherever individual opinions lie.
alexhomer1 4 days ago 6 replies      
"There is every reason to believe [sarin gas] was used not by the Syrian Army, but by opposition forces, to provoke intervention by their powerful foreign patrons, who would be siding with the fundamentalists."

Obama asserted something quite different in last night's address. He stated that the Syrian army distributed gas masks to their soldiers before the attacks, that documents show Syrian generals reviewing the results after the attack, and that they planned to continue and expand the attack after the initial wave of gas was used. I would tend to believe Obama because he is much more credible than Putin, and has much more to lose if he can't produce evidence to support his claims.

Despite Putin's call for transparency, the fact remains that he is unwilling to tell the truth about what happened. Syria broke one of the most important international laws that we have, which is the ban of chemical weapons. If they aren't punished, then we are telling the world that it is OK to use chemical weapons.

Putin claims that the United States' position with Iran will be weakened if we intervene. The opposite is clearly true; our prior negotiations with Syria over their acquisition of chemical weapons in many ways mirrors our ongoing negotiations with Iran. We told Syria there was a red line and they crossed it. If we don't intervene in Syria, we are effectively telling Iran that our word is meaningless.

Putin's claims that an intervention will cause an escalation of the conflict and more terrorism are simply not true. The goal would not be to upset the balance of power or to cripple the Syrian army in any way.

Our objective would be to prevent the Syrian army from using chemical weapons again, and show the world that chemical weapons are unacceptable. Intervention would lower the risk of chemical weapons being used in the future, help discourage nuclear proliferation, and prevent the U.S.'s credibility in the region from being destroyed.

cremnob 4 days ago 2 replies      
This is actually a great piece of propaganda that serves Russia's strategic interests. Judging by the comments here and on the NYT, it seems to be working.

Putin says war should only happen by consensus from the UN, I wonder why he didn't abide by this principle when Russia intervened against Georgia in South Ossetia in 2008.

graeme 4 days ago 1 reply      
There are many comments here about Putin's character and policies.

That shouldn't be relevant to judging the quality of Putin's argument. I think it's a very reasonable one.

Shivetya 4 days ago 1 reply      
People need to understand Putin's motives here.

First and foremost is Putin needs to keep Syria in place to prevent Europe from having access to another natural gas pipeline that he or his allies do not have influence over. Qatar wants to sell natural gas to Europe, they want to build a pipeline to do it. Well they need/want to go through Syria to get there.

Second, Syria is home to a Russian naval base, their only one in the region.

Third, Syria buys a lot of weapons from Russia, they buy quite a bit of other materials as well.

Fourth, outside of Syria Russia's only real ally in the area is Iran but they are a bit more off the leash than Syria is.

Top it off with one of the weakest in international affairs US administrations and you give Putin the means to control the world's opinion. Let's be honest, the amount of dithering on how to act by this Administration is really depressing. It almost seems they were convinced the Middle East would love them and do what they (the Administration) wanted just because they weren't GW Bush. Yet, we have Benghazi, we have the indecision regarding Egypt, Iran is off and running catching drones or faking it all the while mocking the US, and now Syria has shown this Administration is clueless. It's almost as if there are a dozen cooks all trying to do stuff and they either don't make a decision or one does something forcing the others.


Putin's concerns are economic (natural gas), military (base/arms sales), and prestige. With a weak US Presidency he saw an opportunity and took it. Sadly he is/might pull it off

andrewljohnson 4 days ago 4 replies      
A lot of this is rhetoric that we expect from Realpolitik, but overall, I think Putin burnishes his and Russia's reputation with this sort of dialog.

I also wonder how common place it is for major heads of state to write essays in the Times.

dill_day 4 days ago 4 replies      
If there's "every reason to believe" it's the opposition forces and not the Syrian government in control of and using chemical weapons, what good does it do for the Syrian government to "place its chemical arsenal under international control"? How can these two statements be reconciled?

Putin says:

No one doubts that poison gas was used in Syria. But there is every reason to believe it was used not by the Syrian Army, but by opposition forces, to provoke intervention by their powerful foreign patrons, who would be siding with the fundamentalists.

Then later:

A new opportunity to avoid military action has emerged in the past few days. The United States, Russia and all members of the international community must take advantage of the Syrian government's willingness to place its chemical arsenal under international control for subsequent destruction.

raquo 4 days ago 1 reply      
I agree with what he says here but I wonder what his true motivation is. You can see that he wants a strong and stable power in Syria. Easier to deal with and less risk than all these rebels, who in all likelihood will turn out to be either pro-US or fundamentalists, neither of which is good for Russia.
gexla 4 days ago 0 replies      
This article seems a bit naive.

... and I just saw that it's written by Putin. Wow.

Does he think we are stupid?

Nobody could give a rat's ass about Syria other than those who are part of the Iran vs just about everyone else game of regional influence.

International law is like the Pirate's code. It is more what you'd call "guidelines" than actual rules. It's convenient to use it to validate kicking some ass. And it's ignored when you need to kick ass regardless of the circumstances.

Yes, Putin, this new turn of events is great for making Russia look like a big power, but the only reason the U.S. is even looking at this is because we really, really don't want to bother with Syria. In fact, we kind of like that Assad is weakened by the civil war but still strong enough to stay in power. That means he is well occupied, but we still know who it is that we are dealing with.

Unfortunately, Obama screwed up with that red line thing. He didn't have to say that. He could have made his case regardless if he really wanted to. But chemical weapons are certainly a problem. We don't want those things coming back at us. And even if the Assad regime were to go down, we would probably need boots on the ground to secure those stocks. So, giving the chemical weapons over to international control is a slice of pie handed to us on a silver platter.

We doubt that you can really pull this off, Putin, but we thank you for trying. At best, this would help ease one of our biggest worries, and at worst it allows us to kick the can down the road a bit farther.


jnardiello 4 days ago 1 reply      
One general and universally true law:

To comprehend responsibilities and "who did what" you just have to look at the situation with a critical eye, ignore all the politics (and propaganda that comes with it, the US are masters. Just calling it with a different name: PR and Marketing) and just look for the side which is actually gaining anything from ongoing events.

I bet that 99% of the people reading this know absolutely nothing about Syria. And you all probably know nothing about Russia too. Everything you know is from news (which honestly, aren't a good source for understanding a culture) and - maybe - from a bit of literature.

That said, my very personal opinion is that Assad is an extremely cultured person with very close western connections. He has a degree in medicine, studied abroad, has chosen a wife which lived almost all her life in England, etc.. Surely he isn't an idiot and knows perfectly that the only thing he needs to do to stay alive and (maybe) win the war is to NOT provoke the UN and Western countries. An outside intervention is the only actual real chance of victory for the rebels, therefore they are very very likely the people behind the gas attack.

One very last thought:

Let's talk about Fallujah, as a general example. Iraq War 2003 [1] where the US Army used White phosphorus on unarmed civilians to "regain" the control of the city after a few tens of insurgents killed 4 US contractors. Bitch please.

[1] http://en.wikipedia.org/wiki/Fallujah

foxhedgehog 4 days ago 0 replies      
Garry Kasparov @Kasparov63 I hope Putin has taken adequate protections. Now that he is a Russian journalist his life may be in grave danger!
cousin_it 4 days ago 0 replies      
As a Russian person currently living in Europe and sympathizing with the Russian opposition, this was my first reaction to the article:

Wow, if Putin communicated with Russian voters in the same manner, he would totally have me as a voter!

venomsnake 4 days ago 0 replies      
My take on the whole situation. It was a mess and Obama made it worse by playing with Putin. While the back patting in Washington punditry is in full swing how the US threats have worked the reality is Obama is making things worse.

He called a vote and a debate for the Congress and now called it off. So on top of the whole mess now there are hurt feelings and egos. What comes now are talks. Which take time and can you know - fail. So in 3 months when Bashar tells Yuck Fou with the silent support of China and Russia, Obama will stand all alone, the chemical attack faded from the memory, the president not dared to respond to the red line and with no friends whatsoever.

If going to Congress was a gambit this is Russian roulette. With semi-automatic pistol.

skylan_q 4 days ago 0 replies      
And I would rather disagree with a case he made on American exceptionalism, stating that the United States' policy is "what makes America different. It's what makes us exceptional." It is extremely dangerous to encourage people to see themselves as exceptional, whatever the motivation.

This will go over just as well as the malaise speech. It's a nice attempt at trying to make a great nation humble, but that's not going to happen. :(

pcrooks 4 days ago 0 replies      
Very, very circular argument Mr Putin. He strongly defends the UN security council as being the custodian of international law. Yet, he seems to say that he is using his veto to disallow action - because action without full consent would be in contravention of that law.

On the other hand - I do agree with many of his other views expressed here. It certainly is a tough situation, and I have no idea how I would react if I had the power to do so.

snowwrestler 4 days ago 2 replies      
The block in the UN is Russia. If Putin wanted action in Syria to carry the UN imprimatur, he could make that happen tomorrow.
InclinedPlane 4 days ago 1 reply      
Putin is a stone cold dictator, but he is very sophisticated about it. And here you see how deftly he manipulates public sentiment and perception. Who wouldn't want peace and cooperation?

Using tomahawk diplomacy against Syria was never a good idea. And "unbelievably small" strikes against Assad's regime was just a stupid threat to make. Chemical weapons are only a tiny part of the many very serious and relevant (even to Americans) geopolitical issues at stake in the Syrian civil war right now. A handful of bombing runs would be unlikely to improve the situation, even in regards to preventing the use of chemical weapons.

But I can guarantee you that Putin cares not the slightest about the citizens of Syria. His interests are with maintaining the Assad regime, as a geopolitical ally, and extracting money from Syria through arms trade. But now he has an opening to rub America's nose in a very public foreign policy failure. The president doesn't want to get involved in Syria but he set a "red line", which has been crossed repeatedly, and now he's forced into an enormously uncomfortable spot. And while the US wriggles out of this snare Putin will take as much geopolitical advantage out of the situation as he possibly can. Which will be a lot. Because he is very skilled at this game and everyone else (the US, France, even the UNSC) has already put their cards out on the table for everyone to see.

drill_sarge 4 days ago 0 replies      
I am not really a fan of Putin but I agree to the point that the USA are more and more seen as warmongers in the public. Our politicians may never admit/say this, but a lot of people only see the aggression which the US govt is bringing towards their so called enemies. Even a lot of people like the USA and their way of life but almost everyone doesn't like their government.
sologoub 4 days ago 1 reply      
Well, the biggest surprise in the article for me is Putin invoking God. Never figured him for a religious man.
dariusm5 4 days ago 1 reply      
Here's a good read regarding the Syria conflict and how Russia and other world powers are involved:


dcc1 4 days ago 0 replies      
Why get involved?

Let them kill each other in the Middle East and show the world what "the religion of peace" is all about.

joshfraser 3 days ago 0 replies      
Pretend Putin wasn't the author. Do you disagree with any of this?
enupten 4 days ago 0 replies      
This a very well laid out essay; kudos to whoever actually wrote it.
ethanazir 4 days ago 1 reply      
"The law is still the law, and we must follow it whether we like it or not." ... unless you are a rogue regime that wants to use chemical weapons?
codex 4 days ago 1 reply      
The prism by which this editorial should be viewed is the age old question: what does Putin stand to gain here? And Obama?
contingencies 4 days ago 2 replies      
That's an extremely well written piece. Clearly Putin has good speechwriters, and the Russian literary tradition is famous! Do you think a US speechwriter could produce such a thing in a foreign language? I doubt it.
frank_boyd 4 days ago 0 replies      
The CIA certainly should learn a thing or two about caution:

They're starting another proxy war right now:


andyl 4 days ago 7 replies      
How is this relevant to HN?
Grovara123 4 days ago 1 reply      
We are all equal... Except for the gay.
USB Condoms usbcondoms.com
369 points by lukashed  3 days ago   137 comments top 34
c-oreills 3 days ago 1 reply      
The sales page [1] has a bit more info on what these actually do.

[1] http://int3.cc/collections/frontpage/products/usbcondoms

ChuckMcM 2 days ago 0 replies      
I heartily approve! The 'juice jacking' discussion (https://news.ycombinator.com/item?id=4951712) was calling out for something like this. I hope they sell a zillion of them.
peterwwillis 3 days ago 6 replies      
Two things:

1. The data lines can be very important in regulating power output for different devices, and there are different maximums for different versions of USB. Some devices require data communication to charge. Some require proprietary protocols. Implementing Apple product charging is somewhat convoluted, for example, and has changed over time.

2. A friend of mine is a computer engineer, and tells me that correctly implementing USB in hardware is incredibly difficult. It's possible that devices like these might be skimping on parts of the spec to more easily get a working product out the door.

Piskvorrr 3 days ago 3 replies      
Even easier, although not as nice-looking: get a common off-the shelf USB Y-cable, plug the power-only male into computer, plug phone into female outlet; done. See e.g. http://easyshop.kiev.ua/images/shnuri/shnuri/Usb-y-power-cab... for an illustration what the cable looks like.

(I have been doing this to charge my phone, as even the USB mount dialog confuses some apps)

rabble 2 days ago 0 replies      
How much do they cost? They're sold out now so they don't list the price. Does anybody know how much they run? Seems like a really good idea to me, there are lots of known USB hacks for phones and somebody smart could probably find away to get the trojan back up on to the person's primary computer.
hwh 3 days ago 2 replies      
For those who didn't click through everything: This device is an adapter that cuts the data lines for a USB connection.

Such a device will most probably restrict the device (if it properly implements charging) to a maximum charging current of 100mA. The data lines are used for identifying the maximum current allowed.

benjamincburns 3 days ago 2 replies      
Nifty idea. If you want to make it even better, have it simulate the iPhone/iPad charger ID circuitry so that I can charge my iPad off any old USB charger (provided it's rated high enough).

Edit: Actually, scratch that. Leave the data lines connected, but "short" them to the V- line (or shroud, should hopefully be the same thing) with a small capacitor to act as a low-pass filter. I don't have the specs in front of me, but it should be easy enough to filter > 1Mhz down by 3dB and still keep the DC "slew rate" enough to properly ID a charger.

StavrosK 3 days ago 4 replies      
Can't you achieve the same thing with a cable whose data lines just aren't connected to the jack? Why do you need a whole circuit?
willvarfar 3 days ago 7 replies      
Recently, it came to light that those handling the Snowden files are using air-gapped computers and passing encrypted data to the outside world via ... USB sticks.

Can't USB sticks execute arbitrary code? Couldn't an attacker infiltrate the publicly accessible computers that these people use and put a data-stealing trojan onto USB sticks used to bridge the air-gap?

Do other media that most computers accept these days, e.g. SD cards, support arbitrary code execution too? How can you get around this?

EDIT: it was DMA attacks that I was thinking of, and USB seems free of them at least. I guess, if you trust the robustness of your USB stack against exploits, that USB is a fairly safe bet. As these very people are reading the NSA secrets, one wonders what'd happen if they discovered some hint that the NSA could do precisely that - exploit via USB plugging in.

the_mitsuhiko 3 days ago 1 reply      
Does anyone know how the voltage negotiation works for those?
smoyer 3 days ago 0 replies      
It might be a bit smaller, but the concept has been around a long time (I use my external hard-drive's cable):


Too 2 days ago 0 replies      
If you have enough space to lug one of these around you might as well carry with you a complete wall-charger all the time.
auggierose 3 days ago 0 replies      
"If you're going to run around plugging your phone into strange USB ports, at least be safe about it. ;-)"

Exactly. Better safe than sorry.

fosap 3 days ago 2 replies      
Interesting. But I'm looking for the opposite. I often have to access my phone, kindle, whatever data, but do not want to charge it. But I guess the USB controller will not accept a data-only connection.
nicky0 2 days ago 0 replies      
This $3 "power only USB charging cable" is another option: http://www.ebay.co.uk/itm/POWER-ONLY-USB-Charging-Cable-Exte...
jablan 3 days ago 0 replies      
At first I thought it was a device which would prevent an infected computer from writing malware to the inserted flash drive, as a hardware antivirus.
bitwize 2 days ago 0 replies      
This reminds me of when vendors at tradeshows used to sell "floppy disk condoms" as novelty items. I think there was also at least one transparent keyboard cover billed as a "keyboard condom".
lechevalierd3on 3 days ago 0 replies      
The whole NSA scandal is quite a sad revelation, but there are so many business ideas to build off it.
oemera 3 days ago 3 replies      
It could be way more popular if these weren't called 'condoms'. Some people can get offended and won't buy it even if it would be useful.

Just my 2 cents.

speedyrev 3 days ago 1 reply      
Well to continue the metaphor, I guess I practice abstinence.
umsm 2 days ago 0 replies      
This doesn't really protect you from a more subtle attack: setting up a femtocell access point for your phone to connect to.
gametheoretic 3 days ago 0 replies      
>"Any port in a storm." as the saying goes.

Love the humor, usbcondoms crew! Another one I hope you find a place for in the future: "In the dark, all cats are gray" -- Benjamin Franklin. Yes, really.

NSAID 3 days ago 0 replies      
Oh, this is fantastic. I've been wanting to build something like this into a few cables, but this is even better.
aglosson 2 days ago 0 replies      
I guess I'll just have to wait until they release this in magnum size to accommodate my monster dongle.
650REDHAIR 3 days ago 0 replies      
Great idea and cute name, but why would you market this on Friday when you won't be taking orders until at least Monday? Seems to me you just lost out on a bunch of sales by showing it off early because it likely won't make the front page again on Monday.
Egregore 3 days ago 1 reply      
There are external batteries for phones, when you charge through them I think no data will be lost.
teekert 3 days ago 0 replies      
I would like the reverse, block the power lines, so my raspberry pi does not use the backpower of my USB hub through its front USB ports:)
Jugurtha 3 days ago 2 replies      
Well, like everything else .. Marketers are betting on the laziness of people.

Why tell someone he can lose weight by working out and eating less, when you can sell them a pill that makes them lose weight while they sleep and get abs in 7 minutes?

Why learn programming in several years, when you can "learn programming in three days".

Why tell people to be cautious with their data, not to click on everything, when you can sell them a "condom" that enables them to remain reckless and careless and lazy ?

contingencies 3 days ago 0 replies      
When I feel my batteries are low, I like to get my juice flowing by plugging in to the nearest socket available. Sometimes, I even get a surface to sleep on, and when that happens, often I get to load up on media. Sometimes when the media's done there's some funny business. Occasionally, I even get a special powerup for breakfast. There's nothing like waking up in the morning after a new encounter, wealthier for the memories, fully charged and ready to go. - Anonymous mobile device, 50 Bitstreams of "Hey!"
Fuxy 3 days ago 0 replies      
Yay! I don't have to build this anymore.
nraynaud 3 days ago 0 replies      
Is it me or is this thing huge?
89vision 2 days ago 0 replies      
I can't believe nobody has made any "pull-out" quips
talles 3 days ago 0 replies      
Great idea. Awesome name.
Eloquent JavaScript, Second Edition eloquentjavascript.net
354 points by fyskij  5 days ago   103 comments top 21
kibwen 5 days ago 3 replies      
In terms of credentials, just wanted to point out that Marijn is also the author of CodeMirror,[1] which is a wonderful in-browser code editor used by Light Table, Bitbucket, and lots of others.[2]

[1] http://codemirror.net/

[2] http://codemirror.net/doc/realworld.html

austenallred 5 days ago 1 reply      
I just came here to say thank you. I tried dozens of methods to learn how to program (I'm a marketer) and all of them start with "ok just type this and see what happens." I love the approach of breaking everything down to the essentials and helping me understand the fundamentals. I don't have much cash, but I'll contribute what I can.
pavs 5 days ago 6 replies      
I want to start learning JavaScript (total beginner with a few months of experience with PHP). Can you guys recommend me some good book suggestions, and what frameworks I should get into?
hmottestad 5 days ago 3 replies      
The bugs in the background are fun to watch. They actually eat each other from time to time. Though it does seem to require some CPU power and got my fans to spin up a bit.
tjbiddle 4 days ago 0 replies      
"Consider the final product to be your perk."

That's how crowd-funding needs to be done, in my opinion. I don't care about little knick knacks - I want my monetary support to actually better the product, not be spent on useless items.

scottmagdalein 5 days ago 7 replies      
To those who've read both, I wonder how [the first edition of] Eloquent JavaScript compares with JavaScript: The Good Parts.
Kiro 5 days ago 2 replies      
Is it worth reading the first edition or should I wait until this is finished? I'm quite experienced in JS but glancing at the first edition it seems like it explains some abstract things I still can't wrap my head around in a good way.
taude 5 days ago 1 reply      
I do have to say that I think perks for donations would be better than nothing, even if it's as simple as drop-shipping a copy of the book to each person who pre-buys it (or something)...

something like donate $25, get one of the first copies of the books.

Or even have it be a digital version, or something...

k_kelly 5 days ago 1 reply      
I really liked this book the first time around and I'm glad to see it's (possibly) getting a second edition.

But I had to remove the background to finish the page, it really creeped me out.

billpollock 4 days ago 2 replies      
This will be a very interesting experiment. We're certainly keen to release the second edition of Eloquent JavaScript and excited to see Marijn hard at work.

Who knows. Perhaps this will become some sort of interesting blended model for other authors.

-- Bill Pollock, No Starch Press

budu3 4 days ago 1 reply      
I like the layout of the book. For a self-published book, how did you get the layout and typesetting to look that good?
cenhyperion 4 days ago 0 replies      
"they will help with professional editing (which is sorely needed when a non-native speaker like me tries to write an English book"

Wow, I had absolutely no idea that Marijn wasn't a native speaker. I've always considered Eloquent Javascript one of the best written technical books I've read.

JoshGlazebrook 5 days ago 1 reply      
Are there any plans for a chapter on the new major stuff in ECMAScript 6? I believe the target date for the finalization of the spec is still around December? Which is not that far away... time to start shopping for xmas gifts :S
taude 5 days ago 0 replies      
I bought the first edition six months ago and thought it was still quite useful.

I look forward to the new version, especially for onboarding experienced devs that don't have all the nuances of Javascript mastered.

talles 5 days ago 2 replies      
"from Kashmir to Louisiana to Minas Gerais"

Minas Gerais is the Brazilian state where I live, what a coincidence. I wonder if the author chose it randomly...

victorhooi 5 days ago 0 replies      
I've just donated 20 euros to this =).

Hopefully he'll reach his target.

dmarusic16 5 days ago 0 replies      
I absolutely loved the first edition, and I will be chipping in. Great work Marijn.
mkhalil 5 days ago 2 replies      
JavaScript isn't the best language to "learn to program". Syntax-wise it's decent, but for at least us web developers, we shouldn't preach that to newly interested folk. You see how bad websites are today, and it's mostly due to abusing JavaScript. When people learn something they want to use it, and if they know JavaScript better than a good back end server language, they create...a mess. Stop abusing my CPU!
shire 4 days ago 0 replies      
Cool thanks for this. Is there something similar to this for python 2.7?
cliveowen 5 days ago 3 replies      
That's a lot of money to ask. Chuck Palahniuk's Fight Club got bought for $6000. Just sayin'.
mkhalil 5 days ago 0 replies      
This website is in the top 5 list of the worst website designs I have ever seen.
Short film set entirely on a teen's computer screen fastcocreate.com
336 points by packetbeats  2 days ago   107 comments top 27
billybob255 1 day ago 6 replies      
Am I the only one that doesn't really like it? I see all these websites talking about how amazing it is, but it's just, eh. Everything pre-chatroulette was alright and realistic but then a third of the movie is wasted time jumping around dick shots until he magically hits upon a girl who has a quick speech talking about how fake Facebook is.

The bond between those two parts doesn't really work for me. And it seems like he just ran out of ideas for concluding the Facebook paranoia/break up scene so he cheated with the speech.

It's like a bunch of people see this movie is completely on a screen and it's this hard hitting revelation that relationships are now on screen and so this movie perfectly encapsulates a young person's relationship.

cclogg 1 day ago 6 replies      
Is this how people actually use their computers? I only watched the first couple of minutes, but it seems kind of odd. I did grow up with internet (25 now) but I don't use Facebook, so maybe I'm out of touch... but seriously do people just open tabs or flash games and porn while talking to someone via video chat? What's the point of video chatting then?

I will say though, the way he didn't really pay attention to her in Skype is similar to what I experience in person... with regards to people texting. I make a conscious effort myself to not text while with another person, and if I do text, I make sure to pause if they talk to me.

awjr 1 day ago 1 reply      
Well I really didn't expect to end up watching this all the way through. Worth every second. Be aware this is NSFW but I'm not sure if the film would have lost anything if the NSFW clips had been left out.
jka 1 day ago 2 replies      
For anyone who enjoyed this and might like to look at similarly themed pieces (impact of social media / internet communication on relationships) - the following might be of interest:

* Catfish [movie, USA] - http://www.imdb.com/title/tt1584016/

* Black Mirror [series, UK] - http://www.imdb.com/title/tt2085059/

Both a little on the bleak/dark side, forewarning!

kawsper 1 day ago 1 reply      
Seems a bit like "Welcome To The Scene" but less interesting. http://www.welcometothescene.com/

Notice that there are two seasons, you can access the first one here: http://www.welcometothescene.com/download.php

aroman 1 day ago 1 reply      
As a 17-year-old, this hit disturbingly close to home. Absolutely brilliantly executed, and definitely worth the 17 minutes.
greenyoda 1 day ago 1 reply      
The early part of the video gives some insight into why his girlfriend broke up with him: she's trying to have a conversation with him on Skype, but he's barely paying attention to her while playing with that game. It's almost like he lost interest in what she had to say a long time ago, and she finally got tired of it.
MattyRad 23 hours ago 0 replies      
Things I liked: Excessive porn may decrease a man's desire to engage women, exposure to sexual situations may be occurring at younger ages, the attention span of younger generations may be decreasing. (I use the term "may" because I don't actually know the extent to which these things could be harmful.)

Things I didn't like: Noah was a scummy person for whom I had no sympathy (not paying attention to his gf, lying, breaking into her account, having no sense of subterfuge at that, using chatroulette), the girl's obnoxious and clichéd speech at the end, and the numerous exaggerated aspects. And I would argue a lot of this video is exaggerated, like the ridiculous music - "cuddle jams" played immediately when Noah starts feeling down.

Overall, I'm not a fan of the video.

josefit 1 day ago 0 replies      
What surprised me most is not the movie but the realization of how much communication overload has changed over time.

I am old enough to have lived the same situation depicted here on two different communication media: IRC chats and BBS + CB radio before that.

The difference is that I experienced communication overload in a time (1990->2000) when such experience marked you irrevocably as a geek.

Today this is open to the masses.

novalis 1 day ago 0 replies      
That was surprisingly good, 'weak' start but tied it well in the end. If you are reading the comments to check if it's worth the time, it slides well through the time it takes. And it will speak to you, because it does what a good short should do. It makes you think.
hawkharris 1 day ago 0 replies      
Brings this to mind:

The More You Multitask, the Worse You Get at It


aleksandrm 1 day ago 0 replies      
There's a similar short-film that I thought was more thought-provoking -- http://vimeo.com/channels/staffpicks/42857970
litmus 1 day ago 1 reply      
Made me want to rewatch Antonio Campos's Afterschool, the first feature-length film I came across that tackled the youtube generation. That film is slow-paced to the point of irony given its subject (this video is Crank by comparison), but it's basically similar to what you would imagine if this kid was a couple years younger and at boarding school, and if the camera followed him beyond the screen.
electic 1 day ago 0 replies      
Genius, loved it.
cratib 1 day ago 3 replies      
Reminds me of "The Scene" http://www.welcometothescene.com/
thrush 1 day ago 3 replies      
This is a pretty negative portrayal (obviously) of the dark side of social media. I think that it should be taken that people should be careful about getting too sucked in rather than thinking that social media is "evil". A lot of good and amazing things have come from Facebook (maybe chat-roulette not so much). For example, the Soccer Goalie story is pretty moving (http://www.youtube.com/watch?v=rpOvYWd4KW4). Granted this came directly from Facebook, there are other similar stories out there if you look.
joyeuse6701 22 hours ago 0 replies      
I enjoyed it, I think if this film was out when I was a teen several years back it would have been enlightening to parents about typical teenage computer use and how much it differs from their own.
jafaku 1 day ago 0 replies      
What's so crazy about it? I don't get it.
shocks 1 day ago 0 replies      
psbp 1 day ago 2 replies      
Why would you bookmark chatroulette?
chrislipa 1 day ago 1 reply      
rooofl, you're hell-banned. Looking through your comment history, I don't see why.
jspark 1 day ago 0 replies      
Good demonstration of what sensory overload looks like.
fluxon 1 day ago 0 replies      
welcometothescene.com - web series starting in 2004. So much for "entirely on a computer screen" being unique.
swang 1 day ago 0 replies      
What the hell was that line about not wanting an Asian roommate?
brianobush 1 day ago 0 replies      
interesting to view into a new generation's issues from a gen-Xer POV.
MrBra 20 hours ago 0 replies      
I love the clicks and keypress sounds.

Oh and I liked the film itself.

pimpl 1 day ago 3 replies      
Does Facebook really work so fast in the USA? :D
Why you should not trust emails sent from Google vagosec.org
336 points by tomvangoethem  5 days ago   94 comments top 14
zmmmmm 5 days ago 3 replies      
No matter what he tried to explain they just kept replying that he didn't qualify for the reward. It sounds like they have become super defensive about acknowledging bugs because the reporter will immediately try to claim a reward. If so, it's the exact opposite of the intent of the program.

I once reported Chrome because it crashed when I tried to load a 65536x65536 bitmap image. Since it was a crash I, of course, claimed it was a security issue, in the hope that was enough to get a reward. Of course, they didn't accept that, but it does make me think the other side of this issue may be that Google is now receiving so many of these they are unable to properly evaluate them all and applying the "HR" solution (employ someone underqualified explicitly to fob off as many people as possible so that only super-qualified candidates get through).

kevingadd 5 days ago 1 reply      
Arbitrary content injection into signed emails from Google, and it's not a security risk??? Incredibly poor response from them. Props to the author for being patient and trying multiple times to convince them to actually fix it.
iamshs 5 days ago 2 replies      
Now compare this with the attitude of their security researcher, Tavis Ormandy, who bashed Microsoft's lackadaisical approach towards fixing bugs and has publicly published 0-days twice [1, 2, 3, 4]. Google only moved upon fear of public disclosure, and that too in spite of the researcher being meticulous and patient.

Also, thank you Tom for your patience and being responsible. Also, I could not find your name in Hall of Fame list.

[1] - http://www.computerworld.com/s/article/9239477/Google_engine...

[2] - http://www.zdnet.com/google-researcher-publishes-windows-zer...

[3] - http://nakedsecurity.sophos.com/2010/06/15/tavis-ormandy-ple...

[4] - http://www.computerworld.com/s/article/9177948/Google_resear...?

roel_v 5 days ago 3 replies      
Here's an honest question: why do people still bother with the 'responsible disclosure' nonsense? What's in it for them? Days of work, weeks of waiting and frustration, for a 'mention' in some imaginary 'hall of fame'? $1mm over 1500 bugs, that's $666 / bug. That's about a day worth of work if your rates are low and you are in a low CoL area, or half a day or less if you work for Google.

I take it that people who find these vulns do it for fun, even if it's their job - if you don't have a contract to start looking for issues, there is no reason to do so other than fun. So the only reason people bother with 'responsible disclosure' is, as far as I can tell, because not doing so would damage their public persona. But it only got to that point because big vendors pushed the moral superiority of 'responsible disclosure' on us over the last decade. Back in the 1990's (when I was last sort of active in the scene), nobody would think of giving vendors weeks or months of time to fix their own damned bugs - if your PoC exploit worked at 3am (with real, working shell code, none of that 'call ::MessageBox(NULL, "U got 0wned") nonsense), you'd post it to bugtraq at 3:15 so that you could see the responses when you got out of bed in the morning.

f- 5 days ago 3 replies      
Hey folks,

I am one of the co-founders of the Vulnerability Reward Program at Google. It's one of the longest-running and most generous programs of this kind: since 2010, we have paid out around $1M in rewards for more than 1,500 qualifying bug reports in web applications alone. We take great pride in keeping the process responsive, friendly, and hassle-free.

Of course, it takes just one bad experience to undo much of that. Tom's report is a valid issue. The reward panel - of which I am a member - decided that it did not meet the bar for a financial reward. I stand by this decision, but I think we should have been more forthcoming, precise, and responsive when communicating that. In other words, I think we messed up.

PS. If you ever run into any problems of this type - or just want a friendly soul to chat - please do not hesitate to poke me at lcamtuf@google.com :-)

jrochkind1 5 days ago 1 reply      
Maybe they can justify thinking it wasn't really a security vulnerability, or maybe they can say, hey, everyone makes mistakes, we didn't realize it was a security vulnerability.

But what the heck is the justification for deciding it's a security vulnerability that needs to be fixed only when the guy says he's going to advertise it publicly? What the hell is that?

If he had sold it privately, without telling Google, instead of letting them know he'd be advertising it publicly -- then it still wouldn't be worth fixing?

turing 5 days ago 1 reply      
I definitely commend the author for his work, but I think that there might have been a slight misunderstanding here. In his last email, the author talks about how public disclosure would "force" Google to fix the vulnerability. But I read Google's response as simply saying that they did not think the bug qualified for the program, not that they didn't intend to fix it. Then again, my reading is definitely influenced by my time at Google and how seriously my team took this sort of thing.
kintamanimatt 5 days ago 0 replies      
I don't understand this pervasive mentality among companies that run such a cash-for-bugs scheme. Isn't the idea to encourage people to properly report bugs by rewarding them financially, thereby discouraging them from selling the details to the highest unrelated bidder?

All Google is doing is damaging its reputation.

r0bbbo 5 days ago 2 replies      
I think I might be missing something - as a Google service user, I'd have to update my own name to be Mr Test<!--BAD STUFF HERE in order to perform a phishing attack on myself?
thrownaway2424 5 days ago 1 reply      
It looks like your options for formatting the content are pretty limited and you can't change the subject line nor the preamble about Google Scholar, so you wouldn't be able to, say, masquerade as a password recovery email or anything like that. Still, I personally feel like any content injection should be treated seriously.
benatkin 5 days ago 1 reply      
I don't see the author's name in the linked Honorable Mentions page. Did someone from Google pull it because they didn't like this blog post? Searched for "tom", "Mathias", and "vago". No recent results for any of these search terms.
wahsd 5 days ago 0 replies      
Re. current discussions of security and code review because of NSA and other government entities corrupting standards. If Google and Facebook cannot find such simple errors and then even balk at implementing a fix, which turns out to reveal an even larger flaw, what hope is there.
cryptbe 5 days ago 2 replies      
Wow. Give me a break, please. What the OP reported was a super minor issue, and he's already got what he deserves.

His bug allowed him to inject links into verification emails sent by Google Scholar. He claimed that he could inject CSS links too, but that didn't make this problem any worse. Why? Because it's up to mail clients to load the linked CSS stylesheets or not. Gmail, for example, would never load those remote CSS files. If your webmail client does that, it's time to switch to a better one.

So he could inject links, which is annoying, but still a very minor issue. It may make phishing a bit easier, but you know what phishing has always worked against average Joe if you try hard enough. That means that this problem doesn't really give an attacker any advantages that he couldn't do by himself.

Disclaimer: I'm a member of the team that handles VRP.
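
The injection the thread is discussing (a user-controlled display name dropped unescaped into an HTML mail, the "Mr Test<!--..." shape quoted above), as an added example that is not part of any post here nor of Google's code: the vulnerable render beside the escaped one, plus a small pre-send check that approximates what a mail client would show. The template, URLs and the sample name are constructed stand-ins.

```python
import html
import re
from string import Template

# Constructed stand-in for a verification mail; the real Google Scholar
# template is not on the page. $name is the user-controlled field.
TEMPLATE = Template(
    "<p>Hello $name,</p>\n"
    '<p>Please confirm this address by clicking '
    '<a href="$verify_url">this link</a>.</p>'
)

VERIFY_URL = "https://scholar.example/verify?token=abc123"  # constructed sample

# Constructed sample of a display name carrying markup: the tag in the
# middle adds a foreign link, and the trailing "<!--" opens a comment that
# swallows the rest of the mail (the legitimate link included).
INJECTED_NAME = ('Mr Test<!-- --><a href="https://attacker.invalid/">'
                 'injected link</a><!--')


def render_unescaped(name, verify_url=VERIFY_URL):
    """Vulnerable variant: the name goes into the HTML body verbatim."""
    return TEMPLATE.substitute(name=name, verify_url=verify_url)


def render_escaped(name, verify_url=VERIFY_URL):
    """Hardened variant: every user-controlled value is HTML-escaped."""
    return TEMPLATE.substitute(name=html.escape(name, quote=True),
                               verify_url=html.escape(verify_url, quote=True))


def visible_links(rendered):
    """Approximate what a mail client shows: drop HTML comments (an
    unterminated one hides everything after it), then list link targets."""
    shown = re.sub(r"<!--.*?(?:-->|$)", "", rendered, flags=re.S)
    return re.findall(r'href="([^"]*)"', shown)


def is_safe(rendered):
    """Pre-send guard: the only link target allowed in the rendered mail
    is the legitimate verification URL."""
    return visible_links(rendered) == [VERIFY_URL]


if __name__ == "__main__":
    for label, render in (("unescaped", render_unescaped),
                          ("escaped", render_escaped)):
        out = render(INJECTED_NAME)
        print(f"{label}: links shown = {visible_links(out)}, "
              f"safe = {is_safe(out)}")
```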

moloch 5 days ago 1 reply      
You should not trust emails.
Black Perl wikipedia.org
316 points by diego  4 days ago   67 comments top 18
roberto 4 days ago 2 replies      
I wrote a (valid) Python poem a long time ago:

    import calendar as usual
    StandardError is usual \
    or not usual. month is long

    try: not coerce
    finally: quit

    (help for me in range
    (usual. MONDAY))

haberman 4 days ago 0 replies      
This C program not only reads as a series of letters, it also does something (slightly) interesting:


(HN discussion: https://news.ycombinator.com/item?id=375945)

btilly 4 days ago 1 reply      
Perl has always had a playful nature. For a surprisingly long time, my top rated post on Perlmonks was http://www.perlmonks.org/?node_id=29977. Since it is short, here it is in full:

The job I want:

    $dollars++ while sleep(1);
The job I get:

    {
        work();
        redo;
        get_rich();
    }

kbenson 4 days ago 2 replies      
Having had a chance to experience Larry up close at a YAPC, I firmly believe he's one of the most quirkily brilliant people in the industry (for whatever industry means in this case).
nathell 4 days ago 1 reply      
How about a simple meta-sonnet game in Natural Inform?

From http://forums.penny-arcade.com/discussion/39142/inform-7-pro...:

    Will's Study is a room. The desk is here.
    A hastily handwritten note is on it.
    Description is "It's from your friend Shakespeare:
    'I've gone to lunch. You'll have to write the sonnet.'"
    Composing is an action applying to nothing.
    The quill is a thing that is in the study.
    Understand "write sonnet" as composing.
    Description of the quill is "Old and cruddy".
    Instead of composing when the player
    has no quill, say "You have not got the quill."
    Instead of composing, say "And... done. 'Heya',
    says Will, returning. You say, 'Hello, Will!'
    Says Shakespeare, 'Thank you for the time you've taken!
    You really are a pal, Sir Francis Bacon.'"

biggfoot 4 days ago 3 replies      
So Larry Wall is a black metal artist in his spare time?

    kill them, dump qualms, shift moralities,
    values aside, each one;
    die sheep! die to reverse the system
    you accept (reject, respect);

gall 4 days ago 2 replies      
Here's a little something in Python that I spent the last few hours writing:

  def unfalse_poem():
      (None is True) and False
      for subject in [complex(True,False)]:
          subject is not object
          for certainty in [complex(False,True)]:
              certainty is not Exception
              certainty is not license
              subject and certainty
              reduce and coerce
              coerce and reduce
              while certainty.real: unexamined
      for certainty in [complex(False,True)]:
          return certainty is not certainty.real is not certainty

ricardobeat 4 days ago 2 replies      
Can anyone explain what happens to all the undefined vars to someone unfamiliar with Perl?
shadeless 4 days ago 0 replies      
Reminded of haikus written in Ruby: http://timelessrepo.com/haiku
hhenn 4 days ago 0 replies      
It never occurred to me how perfect programming languages are for poetry. You have all these extra characters and whitespace to change how a piece of text feels or reads, and it becomes a visual experience too, like looking at art. Are there other program-poems people should look at?

The only thing I'd seen like this before was "Sunrise, Sunset" written in PHP. I know these things aren't new for many of you but I keep being surprised by the creativity I find.

bmmayer1 4 days ago 3 replies      
I want to run it, but do I have anything to fear? "Black Perl" suggests it's going to do some bad stuff to my box.
nvader 4 days ago 0 replies      
My favorite poem is Sharon Hopkins' Listen https://groups.google.com/forum/m/#!topic/comp.lang.perl/V2R...
HillRat 4 days ago 0 replies      
The Perl Poetry contest used to be a thing -- I don't think anyone ever measured up to "Black Perl" in awful audacity, but the parser can take a hell of a lot of abuse before it cries uncle.
motoboi 4 days ago 4 replies      
Not literally a poem, but beautiful code written in Perl: http://www.perlmonks.org/?node_id=45213 (Camel Code)
jacquesm 4 days ago 0 replies      
Now I have Margriet Eshuijs in my head.
jonah 4 days ago 0 replies      
That's pretty dark. :(
dandare 4 days ago 0 replies      
If "any sufficiently advanced technology is indistinguishable from magic" [Arthur C. Clarke] then incantation is really just programming through voice interface done smart.
winkerVSbecks 3 days ago 0 replies      
Am I the only one who thought this was about Pel?
Voyager 1 has been traveling for about a year through plasma between stars nasa.gov
313 points by ComputerGuru  3 days ago   79 comments top 22
hypersoar 3 days ago 4 replies      
From "The West Wing", around one of the last times Voyager left the solar system:

"Voyager, in case it's ever encountered by extra-terrestrials, is carrying photos of life on Earth, greetings in 55 languages and a collection of music from Gregorian chants to Chuck Berry. Including "Dark Was The Night, Cold Was The Ground" by '20s bluesman Blind Willie Johnson, whose stepmother blinded him when he was seven by throwing lye in his eyes after his father had beat her for being with another man. He died, penniless, of pneumonia after sleeping bundled in wet newspapers in the ruins of his house that burned down. But his music just left the solar system."

It's pretty amazing how far we've extended our reach, if not our grasp.

kens 3 days ago 0 replies      
I agree with everyone who is tired of the "Voyager has left the solar system" PR game, but I'll point out that the latest announcement is data confirming last year's Aug. 25, 2012 exit date, not a new exit. That is, they have new data showing that the previous departure was "real".
stephenhuey 3 days ago 1 reply      
Several commenters are joking about how many times they've heard this before, but NASA goes into great detail about why it was so difficult to measure and what new information helped them decide for sure. Here's a small excerpt:

"The particular oscillations meant the spacecraft was bathed in plasma more than 40 times denser than what they had encountered in the outer layer of the heliosphere. Density of this sort is to be expected in interstellar space."

Read their account of how an "unexpected gift from the sun" helped them. It's not long and quite fascinating, and some little tidbits like this are pretty intriguing to me:

"By the time the signals get to Earth, they are a fraction of a billion-billionth of a watt."

WestCoastJustin 3 days ago 5 replies      
If the universe is continually expanding, does that mean we are trying to hit a moving target? Probably sounds like a stupid question, but I honestly want to know.

There was a xkcd comic about this @ http://xkcd.com/1189/

Miyamoto 3 days ago 0 replies      
> Stone discussed with the Voyager science group whether they thought Voyager 1 had crossed the heliopause. What should they call the region where Voyager 1 is?

> "In the end, there was general agreement that Voyager 1 was indeed outside in interstellar space," Stone said. "But that location comes with some disclaimers - we're in a mixed, transitional region of interstellar space. We don't know when we'll reach interstellar space free from the influence of our solar bubble."

> So, would the team say Voyager 1 has left the solar system? Not exactly - and that's part of the confusion. Since the 1960s, most scientists have defined our solar system as going out to the Oort Cloud, where the comets that swing by our sun on long timescales originate. That area is where the gravity of other stars begins to dominate that of the sun. It will take about 300 years for Voyager 1 to reach the inner edge of the Oort Cloud and possibly about 30,000 years to fly beyond it. Informally, of course, "solar system" typically means the planetary neighborhood around our sun. Because of this ambiguity, the Voyager team has lately favored talking about interstellar space, which is specifically the space between each star's realm of plasma influence.


I tend to agree with their rationale, but they may just be pressed for time (remaining power on Voyager 1) and want a conclusion. They can't wait 300 - 30,000 years.

chacham15 3 days ago 1 reply      
Is it just me, or is anyone else fascinated by the idea that we receive data from a device that is 12 billion miles away at a rate of 20 bytes a second? How do they deal with the problem that there is most likely a lot of interference in the form of other planets, magnetic waves, solar flares, random gamma rays, etc?
jessaustin 3 days ago 2 replies      
A more interesting event will be when crewed spacecraft "pass" the Voyagers. Betting this won't happen is basically betting that humanity will destroy itself.
achairapart 3 days ago 0 replies      
For the series something went wrong: The CPUs inside this spacecraft run at just 0.25 MHz.

"The Voyager spacecraft computers are interrupt driven computer, similar to processors used in general purpose computers with a few special instructions for increased efficiency. The programming is a form of assembly language."

"The master clock runs at 4 MHz but the CPUs clock runs at only 250 KHz. A typical instruction takes 80 microseconds, that is about 8,000 instructions per second. To put this in perspective, a 2013 top-of-the-line smartphone runs at 1.5 GHz with four or more processors yielding over 14 billion instructions per second."

Source: http://voyager.jpl.nasa.gov/faq.html

Abundnce10 3 days ago 1 reply      
"After the data are transmitted to JPL and processed by the science teams, Voyager data are made publicly available."

Where can I find Voyager data?

martinkallstrom 3 days ago 0 replies      
Third time's a charm
noselasd 3 days ago 0 replies      
Be sure to check out the Reddit AMA yesterday; http://www.reddit.com/r/IAmA/comments/1m9wke/were_scientists...
farresito 3 days ago 1 reply      
A question for the physicists or people that know about the subject: does plasma affect circuits? I read somewhere that alpha particles do affect them. I'm just curious. It might well be a stupid question. Pardon my ignorance.
dombili 3 days ago 0 replies      
auton1 3 days ago 1 reply      
sgustard 3 days ago 0 replies      
"These younger engineers can write a lot of sloppy code, and it doesn't matter, but here, with very limited capacity, you have to be extremely precise and have a real strategy," she said.


Coincoin 3 days ago 0 replies      
Nice! This time it's real because we have an artist's depiction of voyager going from non-ionized almost void to ionized almost void.
apierre 3 days ago 0 replies      
What kind of software has Voyager inside? I am amazed it has been running for 36 years. Updates at 20 bytes a second must be fun :-)
Pxtl 3 days ago 1 reply      
skidoo 3 days ago 1 reply      
And the techie who lost his car-keys 36 years ago is still really kicking himself.
repdetec 3 days ago 0 replies      
Pics or it didn't happen.
speeder 3 days ago 2 replies      
They say that so much that I will consider it news when they say Voyager 1 is in another star (or in another... whatever it finds along the way!)

THEN I will consider it news...

Even because some scientists consider even the Oort cloud (that is hell far) still part of the solar system anyway.

sami36 3 days ago 6 replies      
No kidding, that's about the 6th time I've read about it these last two years. WHY doesn't NASA begin by establishing WHAT it is exactly that makes a solar system's official "boundary" before producing press releases every time they find something interesting in the readings sent to them by Voyager?

ADDENDUM : Ahem, Thanks for the downvotes, but the inner workings of space discovery are not the subject of my comment. As an engineer, I'm more than mindful of the back & forth & general messiness of discovery, peer-reviews, control groups, & the like. I'm talking about press releases & headlines targeted towards the GENERAL PUBLIC. A public that has a lot less of an appetite, patience or time to follow NASA's inner deliberations or the intricacies of the scientific method. The fact that this is the 5th or sixth time that they've heard that "Voyager has left the solar system" might leave them a little bit confused.

Show HN: Wit Natural language for your app wit.ai
306 points by ar7hur  4 days ago   94 comments top 27
npalli 4 days ago 3 replies      
It was so confusing figuring out what this service is supposed to do. Had to look up the documentation. In summary, from what I can gather:

1. It doesn't do any speech recognition (speech -> text), so not sure why they put Siri in the title. It is also not clear how they can hijack the text from Siri to do this analysis. The ASR engines they talk about (CMU, OpenEars) have pretty horrible accuracy (compared to Siri or Google Voice).

2. Looks like they do some form of text normalization/correction, again not clear how they do it.

3. The actual service they provide is a form of named entity recognition (confusing named intent which clashes with the android intent mechanism in their examples).

4. Also they let you define your own entities to match. You can train them using a drop down menu. Not sure how you can train hundreds of examples using point and click.

This is different from alchemy (or many others) because this is open source (?) http://www.alchemyapi.com/products/features/entity-extractio...

Given this service was for developers with an interest in NLP, it would have been good if they didn't hide behind a snow job title like "Siri as a service".

jasonkester 4 days ago 2 replies      
Is there any way to view this page with the effects turned off? With all the text constantly appearing and disappearing, I haven't yet made it to the end of a sentence, and therefore can't form an opinion about it.

I think there was a picture of a robot on the screen for a few seconds, but that's all I remember.

Would disabling javascript do the trick?

MasterScrat 4 days ago 1 reply      
That looks really interesting.

You should make it clearer that you don't actually handle voice recognition. When I read: "Developers use Wit to easily build a voice interface for their app." I expect you to handle things from start to finish.

Also, let me try it! It's frustrating because the UI looks like you can experiment but it's only an animated demo (or am I missing something??) In particular the mic logo is used to record on Google and here it doesn't seem to do anything?

lutusp 3 days ago 1 reply      
The word "Siri" doesn't belong in the title or the article, unless a Trabant advertisement has the right to mention Mercedes-Benz in its promotional text. The project does a primitive kind of voice recognition, but it doesn't use Siri.

On this topic, I invite people to try out my non-prototype, non-project toy that uses Google's support for HTML5 speech recognition. It's pretty funny how wrong things go when you try to say something even a bit out of the ordinary:


If I say, "Now is the time for all good men to come to the aid of their country," an old teletype test sentence, the Google recognizer always nails it. If I say, "I hit an uncharted rock and my boat is being repaired," things go hilariously wrong, and every time differently.

xauronx 4 days ago 1 reply      
I like the concept a lot. I'm going to have to read more about it. One thing that I'm unclear about is if this does voice->text, or if the developer does that and Wit handles translation of that into actions.

Just a heads up, but Get Started on the pricing page does nothing. It's natural progression for me to go home page->pricing->OK, looks good, let's get started.

endlessvoid94 4 days ago 1 reply      
This is amazingly timely for me, I've been building my own version of jarvis using speakeasy-nlp (a node NLP library) and Chrome's built-in support for HTML5 webkitSpeechRecognition:

https://github.com/dpaola2/jarvis (work in progress)

I absolutely would love a better NLP api. Please let me in!

chrislomax 4 days ago 1 reply      
Nice concept, I just came back on here to let you know that I don't know what is happening on that page but I left it open about 45 minutes ago and noticed my fan kicked in a lot. It was that page I left open. Ended up taking 25% CPU, you didn't work on the iTunes software did you??

Only messing, it was taking a lot of CPU though.

MasterScrat 4 days ago 0 replies      
The .ai extension is cute :-)

I don't know if people will remember it and be receptive to this touch but I like it.

drakaal 3 days ago 1 reply      
Sounds like they are trying to be this, http://www.youtube.com/watch?v=Ko-r4gpM3Rc

Except Stremor has a Query Language so you don't have to do anywhere near as much heavy lifting.

ar7hur 4 days ago 1 reply      
Hey everyone. Wit guy here. We've been working on Wit the past few months and we think it's time to get your feedback. I'm happy to answer any questions you have.

Bringing Natural Language Understanding to the masses of developers is hard and we still have a lot of work ahead of us. Please don't hesitate to reach out to us!

radley 3 days ago 1 reply      
The pricing model doesn't scale realistically and would require a subscription service for users. An app with 1M+ installs could do 1M+ calls per day making this service $24k / month.
ragebol 4 days ago 2 replies      
Interesting! Nothing happened after I registered with my Github account though using Opera. I also wonder how this compares to http://www.maluuba.com/ ?
rch 4 days ago 0 replies      
This would be great for open source projects, but I feel like I would trip over a very large pile of patents if I tried to build a product around it. I don't have any relevant experience myself though, so it's just a feeling.
fjabre 4 days ago 1 reply      
Your message isn't clear. AFAIK there is no official way to interact with Siri or Google voice rec.

It seems like WIT will take the text that has already been translated from a user's voice to text and make it easily accessible to my application but how does WIT access the text generated from a Siri request in the first place for example? Does WIT have some other way of getting at this data that has already been converted from voice to text by Siri or Google or some other speech-to-text engine?

sinzone 3 days ago 0 replies      
Hi guys, here you can find the full API Documentation: https://www.mashape.com/lxbrun/nlp-and-voice-interface-for-a...
dhucerbin 4 days ago 0 replies      
You could read witai as "witaj" in Polish, which means "hello" in slightly official manner.
sally888 4 days ago 1 reply      
Great job on this. Are there any plans for Ruby or javascript tutorials, or am I being too optimistic?
MasterScrat 4 days ago 1 reply      
This "fade-in as you scroll" thing is annoying. Get-rid-of-it-right-now kind of annoying.
tonydiv 4 days ago 2 replies      
This looks neat, I will definitely keep it in mind.

I would be wary of using the Github Octocat mascot though. I believe Octocat is protected under copyright.

skram 3 days ago 1 reply      
How does this compare and contrast to http://www.ask-ziggy.com/ ?
BrandiATMuhkuh 3 days ago 0 replies      
I'm interested to use it in combination with a robot (NAO). Could you provide a tutorial for it. Not sure if ROS on NAO will be necessary or not.
hipaulshi 3 days ago 1 reply      
hah! My startup is doing a similar platform in a little bigger scale. I realized I did pretty bad on the hackathon :( http://on.aol.com/video/jarvis-2-0-demo-at-hackathon-sf-2013...
veg 4 days ago 0 replies      
This looks really promising - can't wait to see where it is in a year with community additions.
sally888 4 days ago 2 replies      
Looks great. Will this work with web apps too, or only mobile apps?
cookiedough 3 days ago 1 reply      
How do you compare to Ask Ziggy? It seems you have created an interface similar to theirs
illyism 4 days ago 3 replies      
As a Service? Why not go open source?
GuriK 4 days ago 1 reply      
What about languages other than English?
Why two spaces after a period isn't wrong: lies typographers tell about history heracliteanriver.com
298 points by eru  2 days ago   221 comments top 46
harshreality 1 day ago 3 replies      
Why is it that rarely does anyone distinguish output format from source format in these discussions?

Two spaces are used to semantically separate sentences in source format. They can be collapsed or modified for typeset output (like HTML rendering), but nobody should be telling an author to use single space in source format if the author wants to add the additional semantic separation between sentences.

Particularly at fault are sanitizers like tidy (not just stand-alone, but sometimes used as a component in document editors) which will collapse multiple spaces by default. They're not doing any other html rendering, and they're not minifying the html either, so why do they insist on removing a common form of semantic content information in the source document? Collapse >2 spaces to 2 in some cases, perhaps, but not 2 to 1, particularly not after punctuation.

The two spaces vs one space argument for how text should be typeset is a completely different issue and unrelated to the question of how many spaces human typists should use between sentences. Using two spaces between sentences happens to make it easier for typesetting software to automatically apply whatever magical 1+epsilon or 1-epsilon inter-sentence spacing it deems best, assuming the typesetting software can deduce that the author is using the two-space sentence convention (otherwise it has to fall back on heuristics, which are not perfect).

Any author is free to choose how many spaces to use between sentences, but collapsing 2 spaces when editing others' documents is wrong, and so is preventing an author from using two spaces. Doing so removes information content from the document, which can only be restored perfectly by humans (or other things with human-level natural language processing ability).

jere 2 days ago 9 replies      
I hate double spacing. And you can dismiss that as a personal preference, but there's a problem with it, objectively speaking. Normally, whitespace is collapsed in HTML and it's a moot point. But not in WordPress.

Now, let me pick on patio11. He uses double spacing in his articles. Not a big deal, right? But the extra spaces cause unintended indentations in paragraphs. I know it shouldn't bother me, but it drives me bonkers. For example, I see it in the second paragraph here: http://www.kalzumeus.com/2011/10/28/dont-call-yourself-a-pro...

habitue 2 days ago 3 replies      
If typesetting aesthetics are actually important to the document you're creating, you should be using software like LaTeX that figures out all the spacing for you. If you're typing up a Word document for functional usage, it doesn't matter how many spaces you put in there.

(Yes, I am giving you permission to go all e.e. cummings in your emails)

MaxGabriel 2 days ago 4 replies      
I thought the book Practical Typography made the best case by just showing an example. Two spaces creates rivers in the text that make it look bad. The author's proposed solution to custom-typeset to avoid this is not sustainable (because it's sensitive to reformatting) or practical.

Judge for yourself: http://practicaltypography.com/one-space-between-sentences.h...

keithpeter 1 day ago 1 reply      
To my considerable surprise, a convenient sample of older books on my bookshelf tend to confirm the author's contention (year of publication order, all London, see file names for specifics).

Oxford University Press was using single-space-like spacing around 1950, but I have a travel book about Greece published in 1947 (George Allen Unwin) that still uses a very large space after a full stop.

joosters 2 days ago 1 reply      
In every discipline, there are those who care too much about such pointless trivialities. I just hope that the author leaves the correct pause at the end of every spoken sentence, too. But I pray that I am not caught up in that conversation!
overgard 1 day ago 2 replies      
I didn't even know this was a thing, but caring passionately how many spaces people put after their sentences is borderline OCD. I'm going to start using double spaces so I know who the crazy people are.
kefka 1 day ago 2 replies      

And frankly, be glad we don't use the traditional caps-only run-everything-together style of yore.

ronaldx 2 days ago 1 reply      
I eventually noticed that this article practices what it preaches, after reading a few sections. The sentence-spacing is wider than the word-spacing.

I found it easy to read fluently all the way down (this is moderately unusual for me) - with good typographic choices in line length and colour contrast helping.

At the least, I find the author to have some credibility on this subject.

rmrfrmrf 1 day ago 1 reply      
It doesn't really help the author's case that the only examples of extra space after a period they have are with justified text. ALL computer software will add extra space after periods in justified text. In flush-left text, 2 spaces after a sentence just looks bad, period.

I also like how the author manually went in and added &nbsp;&nbsp; after every period just to make a statement.

For the record, these contrarian articles bother me because I'm a creative director and I have to put up with my underlings showing me HN articles saying that design dogmas like "serif text is easier to read in body copy" and "2 spaces after a period is bad" are WRONG and that I'm not listening to the "facts". The problem? They try to prove me wrong and the results look like shit. The author here tried to prove me wrong, but the result is his typography looks like shit. I hope they're happy!

rz2k 1 day ago 2 replies      
> The standard of one space is maybe 60 years old at the most, with some publishers retaining wider spaces as a house style well into the 1950s and even a few in the 1960s.

This article starts off sounding like it is making an argument against prescriptivists, then claims that older standards are more authoritative?

Why not choose scriptio continua as an even more authoritative style? Or, take a look at the quality of writing in something like Reader's Digest from the 1950s, and judge whether the conversational tone is worth emulating.

Regardless, most opinions are probably influenced either by such books as The Mac is not a Typewriter or alternately by a high school typing class that was based on a curriculum for professional secretaries. There were still high schools into the 1990s that taught students about carbon paper.

Even if there is a lot of unmerited arrogance about using a single space after a period, there's a lot of officiousness around a claim that two spaces after a period is "correct". If it is a generational thing between people who went to high school in the 70s and 80s vs 90s and 2000s, then it is also a difference between people who were learning business correspondence compared to people who were learning desktop publishing and web design.

rayiner 1 day ago 0 replies      
Double sentence spaces are still entrenched in the legal community, and I think they have a major advantage there: they make it easier to read text with inline citation sentences.
gregors 24 minutes ago 0 replies      
Two spaces is wrong.
Tloewald 1 day ago 0 replies      
The convention of a 1/3 em space between words, 2/3 after most punctuation, and a full em space after a sentence seems great to me. And I do appreciate a serious piece of pedantry.
Glyptodon 1 day ago 0 replies      
I guess my question is this: Are word processing/page layout programs failing to translate a space after a period to the modern 'em quad' equivalent?

I was under the impression that one single spaced between things because 'smart' features in text software and with variable width fonts knew how to make spacing variable automatically.

I always understood the "don't use two spaces" exhortation as a standard aimed at getting people to let their software take care of things instead of treating Word or InDesign like a typewriter.

raldi 1 day ago 1 reply      
What I want to know is why style guides recommend no space around a slash. To my eye, "either / or" is much more readable than "either/or".
lutusp 1 day ago 0 replies      
An alien craft slips into orbit around the earth. They intend to invade earth, but they first want to know whether there's a point to conquering us.

One of the aliens picks up an Internet exchange on his superpowerful galactic cyber-terminal. He turns to his companion and says, "I don't know how to tell you this, but they're posting thousands of words discussing whether to use one or two spaces after a period."

The ammonia drains from the other alien's face and he says, "Let's get out of here!"

dgesang 1 day ago 0 replies      
The whole discussion is pointless because as soon as you start thinking in spaces, linebreaks and tabs to generate whitespace between objects you're doing it wrong! Change the font, size, weight, line height, etc. and your layout is gone.

Just use LaTeX. Problem solved.

VBprogrammer 1 day ago 1 reply      
My main objection to double space fonts is that if we wanted more space we could easily do it with the kerning tables. To physically have to type two spaces is stupid.
pradocchia 1 day ago 1 reply      
Nice article and nice use of primary sources.

The convention was: put wider spaces than word spaces after punctuation, and put an extra-wide space after a period.

I will try this for two weeks: three spaces after the period; two after the comma, semi-colon and friends. Already, I note a difference. Already do I seek alternate syntax to regulate spacing.

danellis 2 days ago 2 replies      
Apparently the author is so serious about this that the HTML is full of things like "lazy standard?&nbsp; Wow.&nbsp; Just wow."
glaugh 1 day ago 0 replies      
It'd be interesting to get data on this. Thoughts on how that would work? Something like "Take a paragraph, A|B test it on CrowdFlower/Turk with both types of spacing, with the outcome being [?]" Speed? Being able to answer some question at the bottom about some detail in the text? Not sure.

I guess the likely outcome would be that there's no difference. And we'd be stuck in the same place. We'd be better off if everyone used one convention (if multiple people edit a doc, more consistency), but there's not much of a good way to decide on what the convention should be. I suppose that's why these things get so religious in the first place...

dpkendal 1 day ago 1 reply      
It may not be wrong, but it still looks wrong, or antiquated at the very least. Reading a book that still uses extra space after a full stop feels like reading something from the time when it was fashionable to put a space before an exclamation mark or a question mark.

The period alone is enough to indicate a full stop; an extra space is redundant. Like needless words, one should seek to omit needless punctuation wherever possible.

catenate 1 day ago 0 replies      
Unix fmt double-spaces after periods, except periods after single letters. Of course, that's only useful to you if you compose text in a text editor, and pipe it through fmt (or par, if you are that picky), before publishing it.

Thanks to HTML, however, you wouldn't know this text, for example, had lines about 72 characters, was carefully hand-justified after fmt(1) to leave no dangling words alone on a line before or after punctuation, and had double spaces after all periods inside paragraphs, except T and S in T. S. Eliot.

Except the first paragraph, better broken at letters, editor, and it, and this footnote, also broken after editor.

Though I would rather do that than visit violence upon decent sentences, like this one, broke at sentences. Obviously it's preferable to expand and contract margins a bit to suit the text. Nobody does this any more though, because auto-sizing to columns destroys manual formatting.

Incidentally, these footnotes had to be separate paragraphs, to keep them from merging with the previous one, and with the body paragraphs. What a piece of work is HTML it delights not me.

Here is this comment before the autoformatter got to it. https://gist.github.com/catenate/6567903

stuartjmoore 1 day ago 1 reply      
A larger space (em-quad) is not the same as two spaces.
nn3 1 day ago 0 replies      
`sententious' is a great word. I need to start using it.

Other than that it sounds like a tale from Jonathan Swift. Big or little endian anyone?

EGreg 1 day ago 0 replies      
Oh boy, I just wasted 10 mins on reading sides in a debate about typesetting sentences.

The original author's purpose is to set the record straight about history and counter false claims about history to back up one's points in a debate. Period. Full stop. Space. The guy even says that repeatedly in his comments. Get it right :)

robot_ 1 day ago 2 replies      
This article is very bitter and inflammatory. In my experience, people only use two spaces after a period because that's what they were taught and are too stubborn to change.

The main typographic case against two spaces after a period is that it breaks up the flow of text and creates rivers inside the text block. Counter space is the most important aspect of a typeface, and by adding two spaces after a period you are breaking the rhythm of the text.

nkuttler 1 day ago 0 replies      
lnanek2 1 day ago 0 replies      
I vote whatever is faster to read. Wikipedia claims one study said one space barely, other studies showed no difference. So one space it is, I guess. Don't really care about the history whatsoever.
mgsouth 1 day ago 0 replies      
I want Jasper Fforde to write a book about this... gangs of 14th century typographers rove the Italian cities, always ready to whip out finely-honed copies of LaTeX to impale hated rivals and defend family honour. Meanwhile, hermit monks of the order of St. Lancaster toil away at hand-illuminated Postscript documents...
arnorhs 1 day ago 0 replies      
Arguing with a Slate article is probably the wrong place to start for this discussion. The Wikipedia entry on sentence spacing is probably a tiny bit better.

As much as I'd love to see a properly executed experiment where reading speed, enjoyment and comprehension were evaluated between groups of people reading the same material using single or double spacing after a period, I'm guessing it ultimately comes down to preference.

dnautics 1 day ago 0 replies      
If you read the original constitution, there is definitely a longer space after periods (not too many of them not at the end of a line) than between words. http://upload.wikimedia.org/wikipedia/commons/6/6c/Constitut...
peterkelly 2 days ago 1 reply      
Wow, that's some passion there!

I find it ironic that this is the first article I've seen in a long time for which I've had to bring up Safari's reader in order to read comfortably. Black text on a dark-grey background? really?

stretchwithme 22 hours ago 1 reply      
&nbsp; has been my friend for years. It's the only way to make the browser give you two spaces between sentences.

Or is there some better way to do it, a setting for an entire paragraph or page? It'd be great to have that.

vuldin 1 day ago 0 replies      
Double spaces are a pet peeve of mine. I remove all of them in any document I must edit and I'm quite thorough.
huma 1 day ago 1 reply      
If you see two spaces, you can almost bet that the author is an American and over 40 years old :
girzel 1 day ago 0 replies      
It seems there are three different use cases. 1) Typing and storing words as plain text. Two spaces seem unnecessary. 2) Writing a file for pretty printing. LaTeX is an excellent choice, and will probably make a pretty PDF. 3) Display as an HTML webpage. Currently there aren't any good solutions for this, and generally we're trying to make something that either just defaults to 1, or else creates a poor emulation of 2.
meangeme 20 hours ago 0 replies      
My main issue with double spacing after periods is that people rarely do it consistently. This author, who is in favour of the double space, uses a triple space after a question mark at one point. I always see this happen when I read anything from "double spacers."
eagsalazar2 1 day ago 0 replies      
This is a hilarious debate to read on hn, a veritable shitpile of busy text. Not complaining, I like hn, just saying it's funny. (btw, I'm firmly in the 2 space camp).
bowerbird 15 hours ago 0 replies      
i really love that this is one of those topics that draws scads of comments no matter where it appears.

as if it is important, and everybody's behavior must be rigidly enforced so we'll have complete conformity.

derefr 1 day ago 1 reply      
One space after periods, then give the period-space pair nice-looking kerning in your typeface. Done.
FkZ 1 day ago 0 replies      
The author keeps mentioning that "most people", but I can't find where that conclusion comes from.

And arguing that we should use two spaces to replicate a standard of longer spaces is at best a crude approximation.

CharlesW 2 days ago 1 reply      
Not sure if serious?
city41 2 days ago 1 reply      
Can you elaborate?
ddebernardy 1 day ago 0 replies      
Sigh... Methinks the author should get a life.

Here's what should really happen: my OS should adjust tracking after periods based on preferred locale. And the same for other typography rules.

Instead, we have broken software that can't get anyone to agree on typography, and anal bloggers who are debating over how we should adapt to our broken software in an age where white space is collapsed anyway courtesy of html.

How is Docker.io different from a normal virtual machine? stackoverflow.com
288 points by jaynate  3 days ago   106 comments top 13
bobf 3 days ago 4 replies      
Docker doesn't add a whole lot over what basic Linux containers (lxc and vserver) have offered for years. Having said that, the main benefit to Docker is a change in viewpoint from "virtual machine" to "application". Docker aims to make applications portably deployable to any Docker-machine. Since Docker uses lxc (aka Linux containers), it helps to understand a little how containers are different from other virtualization.

Conceptually, they are similar to Linux's chroots or FreeBSD's jails, which offer process isolation. Basically, they work with a lightweight virtual machine instead of a single process. Containers have lower overhead - they are virtualizing on the operating system level. Other virtualization technologies like Xen and KVM work on the CPU level, and provide a fully virtualized hardware setup to the virtual machine[s].

dhaivatpandya 3 days ago 1 reply      
I recently wrote an article that covers some of this ground: http://www.sitepoint.com/docker-for-rubyists/

The basic idea behind Docker is that you don't have to create another operating system in order to just separate your processes from each other. This leads to containers being much more lightweight than virtual machines but also significantly less powerful (i.e. powerful as in ability to do something, not in terms of performance) in some areas.

csense 3 days ago 5 replies      
I've been having trouble figuring out the value-add of using Docker over Ubuntu's built-in LXC functionality [1].

[1] https://help.ubuntu.com/12.04/serverguide/lxc.html

rdl 3 days ago 3 replies      
I really don't like giving up the isolation of modern hypervisors, particularly those with Intel virtualization extensions. Docker (and LXC) seems like a huge step backwards for security. I'm sure there are use cases, but I'd never multi-tenant with it.
est 3 days ago 3 replies      
I've always wanted to ask a question about docker: if the local devel machine is ubuntu 12.04, I cannot deploy my docker image build to a 10.04 ubuntu server, right? (Unless you run a 12.04 virtual machine or something.)
ailox 3 days ago 1 reply      
I would love to migrate 50+ KVM VMs to LXC containers, but there seem to be some problems left with security[1][2]. I can't wait to get my hands on Docker, but I lack the SELinux knowledge to secure everything the 'proper' way.

Is LXC (and therefore Docker) really ready for Production yet?

Edit: Formatting.


[1] http://mattoncloud.org/2012/07/16/are-lxc-containers-enough/

[2] https://blog.flameeyes.eu/2010/06/lxc-and-why-it-s-not-prime...

yalogin 3 days ago 2 replies      
I thought docker just makes creating, deploying and managing LXC "enabled" applications easier. Do they add anything to the LXC ecosystem other than the online sharing of containers?
portmanteaufu 3 days ago 1 reply      
Ha! Crazy to see a question I asked 5 months ago pop up on Hacker News.

The docker.io team has said that they don't consider it to be production ready [0]. Has anyone experienced any major problems? Anyone using it in production?

[0] http://blog.docker.io/2013/08/getting-to-docker-1-0/

general_failure 3 days ago 3 replies      
Compare this with vagrant
theatraine 3 days ago 0 replies      
I wonder how Microsoft's Drawbridge OS (http://research.microsoft.com/en-us/projects/drawbridge/) will compare to LXC, and the Docker APIs? Currently Drawbridge looks like it's lacking adoption, and doesn't seem to be widely available. Regardless, the container model looks like it solves a lot of PaaS security issues without the overhead of VMs (Iaas).
anoopelias 3 days ago 1 reply      
One of the issues I found with contributing to open source is the time it takes to get a build environment up and running. Since different people face different kinds of issues and projects usually lack exhaustive documentation, I've always felt adding a lightweight image of the build environment could help. I hope in future Docker or similar projects pave the way for it.
rralian 3 days ago 2 replies      
Holy cow, the unit test case is fantastic.
somberinad 2 days ago 0 replies      
How is this different from HPUX or Solaris Package managers? Asking to learn.
Securing a Linux Server spenserj.com
286 points by shawndumas  2 days ago   138 comments top 36
spindritf 2 days ago 3 replies      
This falls a bit short.

You shouldn't just update, you should update regularly or better yet set up unattended upgrades[1]. Especially for your hobby projects or personal server because odds are that you won't always have the time to act on every security advisory. (Subscribe here[2] to at least hear about them.) Also, if something breaks once in a blue moon, it's not that big a deal.

Fail2ban is fairly heavy and only very recently supports IPv6 (which means the version from your repo may not). You can achieve similar results with something like

    -A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 180 --hitcount 4 --rttl --name SSH --rsource -j LOG --log-prefix "ssh brute force: "
    -A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 180 --hitcount 4 --rttl --name SSH --rsource -j DROP
    -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource -j ACCEPT
but if you disable password logins, no one's going to brute force their way in.

[1] https://help.ubuntu.com/community/AutomaticSecurityUpdates

[2] http://www.ubuntu.com/usn/

nl 2 days ago 4 replies      
I find https://wiki.ubuntu.com/UncomplicatedFirewall to be much friendlier to use when setting up firewalls.

The big problem I have is securing my private keys. I use multiple devices, and haven't found a secure and convenient way to share the keys across devices securely. I'd love ideas..

makomk 1 day ago 0 replies      
It's usually also worth checking whether you need to generate new SSH host keys - a lot of VPS providers use the same host keys on all their deployed instances, which isn't secure, and the longer you leave it the more of a pain it'll be to change. If "ls -lh /etc/ssh/" shows that the host keys predate when your system was provisioned, change them:

    rm /etc/ssh/ssh_host_*
    dpkg-reconfigure openssh-server
Also, on some VPS solutions I've come across you can't use passwd to change the root password permanently; management software outside of the VM changes it back on the next restart.

sturadnidge 2 days ago 7 replies      
I've never understood the compulsion to restrict outbound traffic on an internet facing server that you do not intend to be used by other (untrusted) people.

If someone is good enough to own you with everything else locked down, they can change any firewall rules completely if they need to, or just tunnel out over an allowed port.

Creating a non-root user then giving them carte blanche sudo rights is similarly odd to me. I'd rather just use root and /etc/nologin (assuming no one else needed a login shell to run).

EDIT: Added paragraph about non-root users.

ChuckMcM 2 days ago 3 replies      
This is a good start. Use netstat -an to see what ports are open, and shut down the things that open ports. Turn off xinetd if it is on, etc. There was a much more complete best practices document that came through here earlier.
jlkinsel 2 days ago 2 replies      
sudo, ssh certs, egress firewalling. Congrats - you've covered about 4 pages from the NSA's 200 page hardening benchmark. Off to a good start!


bdg 1 day ago 0 replies      
Guides like this are tricky. They secure one facet of lots of things, and not always the things you actually want.

If securing a server were as straightforward as changing ssh settings and firewall rules, distro providers would do this sort of thing out-of-the-box, or at the least there would be a script circulating on github for doing this specific setup.

chrsstrm 2 days ago 0 replies      
The first time I locked down a server I found iptables to be a little intimidating. If you're on Ubuntu then ufw is extremely easy to use - it's just a front end for iptables.


sherr 2 days ago 0 replies      
I used to think that the Redhat security guides were good [1], but would also go through the NSA guide to securing Redhat [2]. Seems a little ironic nowadays.

Recently, we had Bryan Kennedy's "first 5 minutes" [3], linked from Drew Crawford's guide to "NSA proofing" email [4] (pretty good guide to securing a mail server).

[1] https://access.redhat.com/site/documentation/Red_Hat_Enterpr...

[2] http://www.nsa.gov/ia/mitigation_guidance/security_configura...

[3] http://plusbryan.com/my-first-5-minutes-on-a-server-or-essen...

[4] http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-ho...

txutxu 2 days ago 1 reply      
This article leaves IPv6 without a firewall.

Some feedback:

1) Start at the "lower layer"

If it's a physical server, start by reviewing all BIOS options; if it's a virtual one you control, start by reviewing the host environment for the guest.

2) Work from the bottom to the top

Continue by reviewing and securing the boot process (GRUB password, kernel modules loaded, kernel module options, kernel sysctl options).

Continue by reviewing the services that are started "even before anything else starts".

Review what is accessible in the system to "anybody".

Review what is accessible in the system to each "user". Many times a "user" is going to be listening on a port on the hostile network.

Review what the system is going to do over time: what is scheduled, which resources are assigned to which users (and their processes), what is going to be logged.

4) It does not limit or scrub any traffic

It's not that we forget about IPv6.

It's that such an iptables setup, on any 1-core VPS, is vulnerable to DoS from a single IP (you don't need any distributed attack to take that down). A SYN attack on port 22 could be enough.

In summary:

When giving general security advice, let's try to make sure people build a secure system if they follow our tips, and not leave things open like ping broadcast from our host, or IPv6.

np422 2 days ago 1 reply      
I've never been a fan of shunning/blocking ip-addresses based on number of wrong passwords. It's too easy to exploit as a denial-of-service attack and can be used to lock out legitimate users.

Possibly use a non-standard ssh port, make sure you disable ssh v1 and apply a password policy, allow password logins only for white listed users. Now you should be reasonably safe against brute force attacks and still have a system that is accessible.

If/when you disable root logins through ssh, try to have another way to login as root - maybe a console/kvm switch, preferably with remote access through a secure network.

muppetman 2 days ago 4 replies      
Amazed that "Install grsecurity" isn't one of the key things listed here. Sure, you have to compile your own kernel, but the enhanced memory protections and many other hardening features make it an excellent addition to your security arsenal.


ruttiger 2 days ago 3 replies      
I made the mistake of accidentally setting the firewall too strict on a remote server, killing my ability to SSH. A neat little trick I found was to setup a scheduled task to kill the firewall in 5 minutes, and then restart it. If it's too restrictive and locks you out, wait 5 minutes. If you did it right, then kill the scheduled task.
atmosx 2 days ago 1 reply      
This article is okay, nothing against the author but the topic of securing a host depends on many factors and it's so extensive at so many levels that this post doesn't even scratch the surface.

Why is it in frontpage?

lloeki 2 days ago 1 reply      
Important caveat: fail2ban does not work for IPv6 connections yet (there are patches floating around though)
chmike 2 days ago 2 replies      
What's wrong with passwords? The info is in your head and in a physical booklet secured at home for backup. Its only weakness is a keylogger. A secret key protected by password doesn't provide you more security. You can only connect from the computers having a copy of the key. If that computer is inaccessible or dead, or the private key is erased, you can't log in. It also is exposed to keyloggers. So I stay with passwords for now. It should be a secure password of course. Maybe use private keys and a password for backup recovery only.
modoc 1 day ago 1 reply      
I've found CSF is a great tool for securing a server if you aren't an IPTables expert: http://configserver.com/cp/csf.html
asdfs 2 days ago 1 reply      
Would automated security updates be an appropriate item to include in this?
Geee 2 days ago 1 reply      
Where can I buy this as a service?
mapleoin 1 day ago 1 reply      
Is creating a new group really necessary? Doesn't ubuntu have the 'sudo' group for exactly that purpose? And others have 'wheel'.
belgianguy 1 day ago 2 replies      
Hmm, no mention of SELinux? It's a pain to get into though. Many just turn it off to make its errors go away, while they should actually configure their machine. But it is very convoluted and hard to get really into. IRC helped a lot here.

Another suggestion I miss is just setting the SSH port to something different than 22, while many will correctly notice that this comes close to security through obscurity, it does throw off some more mainstream attempts.

A third one is more web-server specific, if you have the option, make it hide its version number in its responses.

A fourth one would be to mask all errors to a 404 on a production server, the less an attacker knows, the better.

A fifth actually links to the person operating the server: 'know what permissions are, and what they allow/deny'. Too many people "solve" issues by doing a "chmod 777" on a folder, which might have solved one problem (in a very bad way) but probably set him up for a few nasty surprises down the road.

froyke 1 day ago 0 replies      
Please do yourself a favor and instead of fail2ban install dome9.com. You'll have your ssh closed as well as all other non-public ports, and will not rely on funky failed-login logic. As a bonus you will have clean logs. Also saw here a recommendation to change the ssh port. Man, even kids today use nmap. It takes nothing to find your 'hidden' ssh.

Consider pimping this setup with an external WAF such as incapsula.com or CloudFlare.com. Combined with dome9 - there will be no entity connecting directly to your server (or even knowing its ip).

dpweb 2 days ago 1 reply      
What is the purpose of creating a new user and not using root, assuming ssh password auth is disabled, and only I have the key? If you make a new user that has sudo, an attacker getting that user as opposed to root just has to sudo anyway?
blameless 2 days ago 1 reply      
I also always change the SSH port to 9922. I haven't seen any failed login attempts so far.
Nikkau 2 days ago 1 reply      
Can I haz an Ansible playbook with good things?
contingencies 2 days ago 0 replies      
This is very lightweight.

There are many more steps used in more serious situations... chiefly, these come to mind: Validating installation media. Validating/upgrading firmware. Installing a minimalist kernel. Securing BIOS and IPMI. Taking an inventory of part numbers and identities to detect tampering at later stages. Locking down network access on the switch to the appropriate MAC address. Determining administrative access methodology and distributing appropriate keys or credentials. Testing.

Probably most servers today are automatically set up, and live in large scale server farms. They probably boot via PXE, using custom auto-provisioning code. Other than physically taking delivery of the unit and inspecting it and logging its presence in inventory, such machines are literally just plugged in and boot up. Probably most of them are preconfigured to PXE boot by the vendor. A strong setup will also override BIOS settings automatically upon boot, ensuring further boots have 100% pretested/tuned configurations.

itry 2 days ago 3 replies      

  you'll want to lock down SSH access entirely, and make sure that only you can get in
This sounds like Ubuntu is by default open to everybody via ssh. I find this hard to believe.

The whole article sounds like a lot of fud to me. For example, what benefit is there in creating a new user with sudo privileges instead of using root directly?

zerop 2 days ago 0 replies      
Very useful for any Linode user. Compared to AWS, I find it hard to manage security on Linode boxes. Need a concept of security groups like AWS, configurable and manageable from the UI.
chmike 2 days ago 0 replies      
Change the default ssh port and use .ssh/config to predefine connection parameters. This way you can write ssh mybox
louwrentius 2 days ago 0 replies      
LIFS (Linux Iptables Firewall Script) is aimed at what UFW does but it also provides NAT, port forwarding and allows you to work with groups of hosts and services.


tgeek 2 days ago 1 reply      
There seems to be a lot of wasted breath in these comments about IPv6. Given that it's unlikely that your provider even supports IPv6 on their networks, and that globally the traffic via IPv6 is nearly non-existent, I wouldn't spend too much time caring about it.

Less than 2% of traffic to Google is IPv6: http://www.google.com/ipv6/statistics.html

Even the attacks CloudFlare sees are mostly DDOS: http://blog.cloudflare.com/ipv6-day-usage-attacks-rise

Traffic through Akamai is minimal: http://www.akamai.com/ipv6

Maybe someday it makes sense to spend a lot of time around IPv6 defenses, but today is not that day.

xtc 1 day ago 0 replies      
Changing the default SSH port should be mentioned right away.
synchronise 1 day ago 0 replies      
Is there any chance of getting a guide of this for FreeBSD?
sepbot 1 day ago 1 reply      
The .ssh folder and the files inside it should be given the lowest permissions possible.
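An added example (not part of the comment above) of checking those permissions in practice: a Python audit that walks a `.ssh` directory and reports anything looser than a policy of 0700 for the directory, 0600 for private keys and 0644 for everything else. Those target modes, the list of private-key filenames, and the throwaway demo directory it builds are this example's own assumptions, chosen to match what sshd's StrictModes check and most hardening guides expect.

```python
"""Audit permission bits under a .ssh directory (added example, not from the thread).

Policy encoded here (an assumption of this example):
  the .ssh directory itself   0700
  private keys                0600
  everything else             0644 or tighter
A file is reported if any permission bit is set that the policy does not allow.
"""
import os
import stat
import tempfile
from pathlib import Path

# Filenames treated as private keys (assumed, not exhaustive).
PRIVATE_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519"}


def expected_mode(path: Path) -> int:
    """Most permissive mode the policy allows for this path."""
    if path.is_dir():
        return 0o700
    if path.name in PRIVATE_NAMES or path.suffix == ".pem":
        return 0o600
    return 0o644


def audit_ssh_dir(ssh_dir):
    """Return [(relative_path, actual_mode, allowed_mode)] for every entry
    whose permission bits exceed the policy. An empty list means clean."""
    ssh_dir = Path(ssh_dir)
    findings = []
    for p in [ssh_dir, *ssh_dir.rglob("*")]:
        actual = stat.S_IMODE(os.lstat(p).st_mode)
        allowed = expected_mode(p)
        # Bits present in `actual` but absent from `allowed` are the excess.
        if actual & ~allowed:
            findings.append((str(p.relative_to(ssh_dir.parent)), actual, allowed))
    return findings


def make_demo_dir():
    """Build a throwaway .ssh directory with constructed placeholder contents,
    one file deliberately group-writable, so the audit runs offline."""
    ssh = Path(tempfile.mkdtemp()) / ".ssh"
    ssh.mkdir()
    ssh.chmod(0o700)
    (ssh / "id_ed25519").write_text("constructed private key placeholder\n")
    (ssh / "id_ed25519").chmod(0o600)
    (ssh / "id_ed25519.pub").write_text("constructed public key placeholder\n")
    (ssh / "id_ed25519.pub").chmod(0o644)
    (ssh / "authorized_keys").write_text("constructed authorized_keys placeholder\n")
    (ssh / "authorized_keys").chmod(0o664)  # too loose: group-writable
    return ssh


if __name__ == "__main__":
    for rel, actual, allowed in audit_ssh_dir(make_demo_dir()):
        print(f"{rel}: mode {actual:04o} exceeds allowed {allowed:04o}")
```

Run against a real account with `audit_ssh_dir(Path.home() / ".ssh")`. The bitwise test (`actual & ~allowed`) is what makes the check useful: a 0600 `authorized_keys` passes a 0644 policy, while a 0664 one is reported because of the single extra group-write bit, which is exactly the bit sshd rejects.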
relaxitup 1 day ago 0 replies      
port knocking to open ssh can come in handy in certain setups as well...
Poll: Are there too many NSA stories on HN, or not enough?
282 points by sinak  4 days ago   200 comments top 88
deveac 4 days ago 9 replies      
The subject is vast. The subject is technical. The subject is on-topic.

Beyond all that, the subject rises to a level of fundamental importance to a degree few others do. Certainly more than 99% of topics that find their way to the front page of HN (feel free to quibble with that percentage).

I've said it before on here. I don't think the conversation on this issue has gotten loud enough, or lasted long enough, and HN is one of the few communities on the net where it is not only happening, but happening with a greater degree of insight, acumen, and creativity with regards to solutions and future actions.

I say carry on, upvote, comment, and ignore those unconcerned people with short attention spans.

Edit: And most importantly for the Americans here, call your representatives and tell them, in your own voice, exactly what you think. This has to happen at a minimum.

crazygringo 4 days ago 2 replies      
The stories are fine, because I don't have to click on them. And it's one of the most pressing technological-communications issues, so it belongs here.

BUT, it's getting really tiring people making NSA-related comments in other stories, and expanding into huge threads, like the iPhone article yesterday. Please, let's just keep the NSA discussions within the articles themselves, and stick to facts instead of conspiracy theorizing. Otherwise it just seems like trolling.

unethical_ban 4 days ago 4 replies      
So much of what the NSA does is enabled by high technology, and their continued disregard of the US Constitution will continue via digital channels. We as technical experts of the younger generation (mostly) have a civic obligation to be informed, and as long as the conversations stay in-depth and not one-liner potshots, it's useful to have it everywhere.
fusiongyro 4 days ago 1 reply      
Since I am apparently in the minority on this one here's my two cents.

First, there's a finite amount of actual news here. When there's a new revelation, I want to see it. "More NSA news" sounds to me like exactly what I don't want: every programmer's personal outrage, every major news outlet's take on the latest revelation, and so forth. I don't want to see every story's comments degenerate into NSA discussion. Having a story about the NSA on the front page in perpetuity puts it in the back of everyone's mind.

The level of discourse has, mostly, been high and valuable, but I worry that we're inviting in people who only want to talk about politics, and that's going to drive me and every other technically-minded person with limited energy away.

epoxyhockey 4 days ago 0 replies      
I wouldn't mind if NSA-related articles are restricted to those published by theguardian.com or sometimes nytimes.com & washingtonpost.com. Essentially, the primary source for newly leaked information.

What I hate seeing are articles from blogspam institutions like forbes and businessinsider, or others, that digest the primary source with a snazzier headline.

As far as frequency of NSA stories, this is obviously the strategy of the sources: leak bits and pieces over a long period of time. And, I don't mind that as long as there is just one copy of the information being voted up.

jonnathanson 4 days ago 0 replies      
To me, your poll choices don't seem totally binary. I'd take the hidden third option: "I wish there were fewer NSA-related stories, but I'll accept that they should be allowed to rank naturally."

Generally speaking, NSA-related topics tend to do well here. This is a free market, more or less (presuming, as seems reasonable, that any gaming or rigging of votes is an inconsequential factor in this case). If the market seems to want NSA-related topics, then that's what it upvotes, and that's what it gets.

I'm fine with that dynamic, even if I'm a little tired of the topic myself. I'm not apathetic to the topic; quite the contrary. But I feel as though it's been crowding out other topics on HN, and I wish that weren't the case. But I wouldn't go so far as to actively limit the topic through some sort of filtering mechanism.

In general, I find this community's concern with the topic healthy and commendable. It's a serious fucking issue, and it's not being made a serious enough issue by the court of public opinion. But I get tired of the endless rehash and remixing of the same coverage. I'd gladly cast a million upvotes, if I had them, to any HN submission that proposes to do something about the NSA surveillance.

gecko 4 days ago 1 reply      
I'll be honest and say that I'm a bit mentally exhausted from the NSA stories, but I think it's really healthy that they stay in the news so that people don't forget about the issues, and that we remain motivated to get those issues resolved. Flagging is the wrong solution, in my opinion.
ferdo 4 days ago 0 replies      
Keep 'em coming. The more educated the tech community is, the greater chance we have of finding viable technical defenses to mass surveillance.
dylandrop 4 days ago 0 replies      
My problem with NSA stories (from what I've seen) is that any NSA story will get voted up ad nauseam, and so people just try to post as many as possible, regardless of quality. Again, this is just from what I've personally seen, it may be different on a case-per-case basis, and I've definitely noticed the amount of this has decreased since the initial explosion of NSA topics after the initial Snowden leak.


I also want to just express that this poll is kind of biased, because it seems to be implying that every NSA article that doesn't make it to the front page must have been flagged. While I don't like the sheer quantity of NSA articles, this doesn't mean I want to flag all of them.

I'd prefer a system in which articles were ranked naturally without flags, but less low-quality NSA articles were posted in general.

windexh8er 4 days ago 0 replies      
This is highly subjective per user - keep that in mind. We could do polls like this that are Apple, Android, Node, Ruby, etc.

I think, if HN is actually filtering content based on NSA tagging - then that is censorship regardless in my book. I don't care about the iPhone news, but I acknowledge the fact that on a release it's going to bubble up. If there's real and relevant NSA content - then let it, if you don't like it I say ignore it. While I don't agree that I want "more or less" NSA related content the reality is I want to know when good and interesting content is out that I may have otherwise missed.

For those who have the ideal and perspective that the NSA related stories are getting "annoying" keep in mind that's your opinion and perspective. Mine would be that that particular view of this topic suits those who don't care how much control the government has over the industry that we all seem to live and play in. I, personally, care and would like to see these articles, if worthy, given the same level of treatment as a product release.

misnome 4 days ago 3 replies      
I think it should rank naturally - even if some people would rather it didn't - if it's ranking, then people must want to see it.

IMO, if people are flagging articles to get rid of them, just because they don't like them - rather than just downvoting, then this seems like an abuse of the flagging system and there should be some sort of repercussion (flags/day? lower?)

tikhonj 4 days ago 0 replies      
The two options aren't really fair--I want less NSA news, but I still want them ranked naturally.

I think it would be best for everyone to concentrate any given topic (not just NSA stuff) to at most a couple of threads at a time. This way discussions are a bit less disjoint and there's more room for other topics. In fact, this is exactly what's happening right now, but we have certainly been oversaturated with NSA topics in the past.

Also, I think artificially changing the algorithm to deal with any particular topic is probably not a good idea. I believe it's better to let the community implicitly choose what to talk about. Trying to work around a specific topic is going to obscure useful signals from HN readers and will only help until the next hot topic arrives.

DanBC 4 days ago 0 replies      
I don't care so much about the articles.

I do get bored with the number of comments about NSA that are shoe-horned into comments on submissions that have zero connection to NSA / GCHQ spying. And it's frustrating to see those comments with upvotes or no downvotes.

jquery 4 days ago 2 replies      
I would just be happy if NSA coverage wasn't brought up in the comment section of unrelated articles. Most of the conversation about the new iPhone 5 revolved around the NSA and I found that very disappointing.
ibejoeb 4 days ago 0 replies      
Keep in mind that a lot of the NSA coverage is highly correlated to topics that would naturally rank high here, and many of our colleagues are involved in one way or another. I'm as happy to read about applied cryptography, law & policy, cyberwar, data mining, and other IC goings-on, as much as I am about how they pertain to any other industry.
jemka 4 days ago 0 replies      
"It will eventually blow over." -NSA
smtddr 4 days ago 0 replies      
++++Keep 'em coming!!!++++

The validation of all those tinfoil-hats out there is big news and it should be continually covered as long as there are leaks & snowden isn't dead & the NSA hasn't changed their ways... even though I don't see how I'd believe them anyway, so...

kapitalx 4 days ago 0 replies      
3. The content to date has been good and informative. I'm satisfied with the current amount.
wahsd 4 days ago 0 replies      
I am thinking that this whole narrative, this whole development needs thorough and detailed documenting. Humans in general have a hard time recalling all the facts and future humans, aka, kids are not going to be told about these events or that the compromised technologies exist or even if they are told about it it will be a story that is molded and dressed as to not make the good ol' USA look too bad.

I don't think people, even here maybe, have yet fully internalized what these developments mean to all of humanity. We are entering a post-national age and the enemy is that which poses a risk to the system that is barricading itself behind financial, legal, and political walls.

grecy 4 days ago 0 replies      
We need more NSA stories.

If anyone is going to "fix" this in the next 1-5-10 years, it will be the kinds of tech people that read sites like HN.

elorant 4 days ago 0 replies      
NSA broke the Internet. Our jobs are heavily Internet related. So there's no way this will go away until we find a way to make the web safe again.
rdl 4 days ago 0 replies      
I'd rather see some kind of clustering -- I don't like seeing a NYT, Guardian, etc. article all on exactly the same document with separate comments, as none of the journalists are actually adding any value to the raw documents. It'd be nice to see one meta-story about each new revelation, with subsidiary URLs for each article about it. Ultimately I'd be happy with 3-5 stories on the front page at any given time being about NSA/spying/privacy, until it is resolved (probably not this decade).
hannibal5 4 days ago 0 replies      
The Internet is still in its very early stages.

Whatever laws, policies and culture we create now can have effects that are felt hundreds of years from now.

Now is the defining moment. This issue should be pushed more and more and not just with more articles.

ISL 4 days ago 1 reply      
Some public visibility of the number of flags, with tunable viewing parameters, might be interesting.

Flagging has its place, and HN isn't Reddit; reactionary stories aren't the same as reasoned discussion. Algorithmically preventing activist flags while effectively suppressing true garbage from reaching the front page is hard.

I'd love to be able to tune the decay time constant for articles on HN. All scales, minutes, hours, days, weeks, months, and years would offer new insights.

rfnslyr 4 days ago 1 reply      
I think we should keep them coming. Don't like them? Scroll down. Don't like them SO MUCH? Write a script to filter anything NSA out.

C'mon people, this is HUGE. One of the biggest scandals in the history of ever.

Poor you, are your rights getting in the way of browsing HN?

greenyoda 4 days ago 0 replies      
I think the NSA stories are mostly interesting. I'd only flag the obviously duplicated ones (there's not much need for five different newspapers' stories on the same news item, based on the same sources). However, I can understand why people might flag stories like the ones you cited about Israel: important as they are, these are mostly political issues, and have no obvious technical angle. People who are interested in that kind of news probably read about it in other news sources. HN readers are probably more likely to want to see stories about how the NSA broke TLS, how internet companies cooperate with (or resist) the NSA and what the ramifications of NSA spying might be on the ability of U.S. tech companies to compete.

When in doubt, read the HN guidelines:


CompelTechnic 4 days ago 0 replies      
What I would like to see would be a comprehensive list of confirmed NSA practices that have been revealed since the start of the Snowden leaks. One of the problems that I have (and I feel that the majority of people have) is "crisis fatigue"- that is, an inability to appropriately judge the severity of an ongoing problem in the context of its continued development (and also within the context of the noise of other news that it has to compete with).

So, the best thing that could be provided, IMHO, would be a list describing CONFIRMED NSA practices that have been revealed. This would aid by filtering out the noise of continued speculation (will the NSA have info from iphone fingerprint scanners, etc. etc.) such that readers may be sure that what they are reading is relevant and factual, and may make better informed decisions based on it.

warnick 4 days ago 0 replies      
I really enjoy the more technical NSA commentary and discussion found here and not on many other sites.
steven777400 4 days ago 0 replies      
It's interesting to me that every time another company is discussed, we usually get posts by a few people who work there, and often even have relevant information about the subject at hand. I don't know that I've ever seen a post here start with "I work at the NSA..." even though we know that the NSA must have a substantial staff of experienced technologists.

So, do they just not wish to identify themselves, or is it an agency-wide prohibition against revealing employment? (I realize they couldn't reveal any details about the issues that concern us here, but they could comment in general)

kposehn 4 days ago 1 reply      
Third option:

I want HN'ers to submit less NSA stories that are just conjecture/opinion and more about concrete information as it is released.

Information is what we need right now - and is what we so desperately lack.

RougeFemme 4 days ago 0 replies      
This is not my primary news source; I've been reading about the NSA elsewhere - yes, directly on the websites of the Guardian, NYT, etc. I've read very few of the blog entries, though I've sampled a few. Having said all that, I believe that the NSA stories should be allowed to rank naturally. And I do enjoy the more technical comments found here.

In response to some of the comments. . .the tech community is not the only community (within the general public) with a high level of interest in the stories. Even if you leave out "conspiracy theorists", there are privacy advocates, advocates of limited government in general, advocates of limited government at the federal level, . . .

habosa 4 days ago 0 replies      
This is not a good poll. The answers are too weighted. I want less NSA news, but I don't want any topic singled out by the ranking algorithm. I just wish people would talk about the NSA elsewhere, by choice. My opinion is not represented in either option because you're forcing me to choose between "Less NSA news and a change to filtering algo." or "More NSA news". I want neither.
cracell 4 days ago 0 replies      
I think this issue is of a huge importance, not only to mankind but specifically to those of us working in the tech industry.

The technology they are using to create a massive dragnet for our data has only become possible relatively recently. As a culture we haven't widely thought about and discussed the potential for abuse of this technology at this scale and how to prevent it.

We've talked about it a lot at the small level but nothing like what the NSA has been doing. And the fact is those of us in technology are the ones that are actually implementing these systems so as a community it's important to figure out where we stand on it and then as individuals to do what we can in our daily jobs to prevent and expose these abuses.

What happens as a result of the Snowden leaks could very well define our attitude towards privacy and security for decades to come. We should realize how important this is and talk about it for the next several years forming a vision for what sort of privacy and security we want for the future and how we will use technology and politics to get there.

Void_ 4 days ago 0 replies      
What the deuce is it to me? You say that we go around the sun. If we went around the moon it would not make a pennyworth of difference to me or my work. -- Sherlock Holmes, "A Study in Scarlet"

That's just how I feel about NSA. Don't wanna waste time even thinking about something I can't change.

So, less stories, I ignore them all, anyway.

mgipson 4 days ago 0 replies      
The NSA stories have to do with some of the most important changes in the world since the last world war.
rexreed 4 days ago 0 replies      
There are many stories about what we know but not enough about what we don't. Put me in the camp of more disclosure, even repetitive, is better than none.
dreen 4 days ago 0 replies      
I voted on both because I want to see less NSA stories which don't bring anything new (vast majority), but I would like increased visibility of those which contain new information.
windexh8er 4 days ago 1 reply      
Considering the number of votes to see the content I find it odd that people wouldn't be willing to show the distaste within the poll and not flag down.

Pretty lame and trivial to pick off a hot topic - there's also no public way to showcase that this is in fact real people or artificial flags that slowly sink it. Unfortunate drawback in transparency by design.

metaphorm 4 days ago 0 replies      
Too many from linkbait websites peddling clickthroughs and eyeballs on a controversial subject.

Not enough stories with real journalism, real technology discussion, and real political philosophy.

creativityland 4 days ago 0 replies      
More and less filtering. NSA is directly related to the future of tech and not just US startups.
zokier 4 days ago 0 replies      
I would be very happy if we could get over the things exposed by Snowden et al. and get back to our normal lives. Sadly that doesn't happen by sticking our heads in the sand, so I guess the NSA stories must be allowed to continue plaguing our front pages even if the stories are repetitive and chip away at my faith in modern society. There just aren't good solutions.
untog 4 days ago 0 replies      
Flagging on Hacker News is too powerful - I've long thought that. Anything discussing the forbidden G word is flagged from the front page in seconds - it looks like NSA articles are receiving the same treatment.

That said, I don't want all NSA, all the time. When Snowden was on his way to Russia the front page was literally over 60% stories repeating the same information. If we can settle on one article for each major news story and flag the rest, I'll be happy.

timr 4 days ago 0 replies      
The NSA subject, when there's actual news, is on-topic and relevant. But most of what makes it to the front page of HN is gossip and speculation and tinfoil-hat conspiracy.

And the results to this poll aren't going to indicate anything useful, because there's an asymmetry of interest -- it's like setting up a poll to ask if there should be more Libertarian stories. The few people who really, really care will find a way to make their obsession "win" the popularity contest. Everyone else yawns and walks away, knowing that Eternal September is already a few months in the rear-view mirror.

not_that_noob 4 days ago 0 replies      
This is a pointless poll - it's like asking if there are too many Ruby stories on HN.

It's not the keyword that matters - it's the content and importance of the story itself. Let the story live or die on its own merits, not on the matching keyword.

crucini 4 days ago 0 replies      
I'm deeply interested in the NSA stories, although I'm becoming fatigued by the continuous stream.

Mostly I want to see meaty technical discussion of these stories, not political opinions. The fact that someone likes/dislikes NSA surveillance is uninteresting.

What fascinates me, for instance:

Which chips are backdoored? How is it done technically so that normal function isn't compromised? What protections are in place to stop a "fourth party" from exploiting the back door?

Isn't it amazing that none of these back doors came to light via the "geek community"? Maybe it's because the chips involved are relatively rare, only used in specialized crypto hardware.

jdalgetty 4 days ago 0 replies      
I feel like the types of people more likely to do something about this are those who read hacker news. If we decide to stop talking about it, who is left?
forgotAgain 4 days ago 0 replies      
It's a long running story and it's natural to develop a sense of fatigue about it. On the other hand the ramifications of the story could be immense to all of us who make a living directly or indirectly from the internet.
blah32497 4 days ago 0 replies      
I think the conversation has turned into an echo chamber where everyone rehashes the same old arguments and complaints as before. I don't get anything new out of the newer NSA stories. No one seems to be really ready for a real debate about privacy.
Apocryphon 4 days ago 1 reply      
The problem is, like almost any other issue of our times, we are rapidly getting desensitized to it. Our society has been jaded to suffering and injustice for decades, even as our awareness has gone up. It's like in Hotel Rwanda where Joaquin Phoenix's reporter goes, "I think if people see this footage, they'll say 'Oh, my God, that's horrible.' And then they'll go on eating their dinners."

So when do we stop being outraged yet complacent? We should try to promote stories that focus on some sort of activism, even meager ones, to try to address the problem. That doesn't just apply to NSA surveillance, but any challenge.

SideburnsOfDoom 4 days ago 0 replies      
There was a story over the last few days about widespread successful man-in-the-middle attacks on SSL. This absolutely should be top of HN. It's on topic and very serious.

But it wasn't even on the front page. Yes, it was an NSA story - maybe that's why. Imagine if it was about Mafia black-hat hackers, to pick some other random group.

For links to the story, google "flying pig ssl"

twelvechairs 4 days ago 0 replies      
The big problem for me is that 'flag' is the new downvote (only with more power).

It shouldn't work like this. If people are upvoting a story it's relevant and flags shouldn't drag it down.

mhartl 4 days ago 0 replies      
It would be interesting to know the poll results if we weighted the votes by karma or time-since-created. (Come to think of it, it would be interesting to know what the front page would look like if we weighted the votes by karma or time-since-created.)
rietta 4 days ago 0 replies      
The revelations about abusive, prima facie unconstitutional behavior by the United States government are massively important. The more information that we as the public have on the irreparable harm that has been done to us, the more effective we can be in pressuring Congress to change misguided policies.

And more directly, the business and technical work we can all do to mitigate the risks. This is too important to let slide.

To put it another way, deprivation of rights under the color of authority is a really, really big deal. We should not let it slip away into obscurity!

snowwrestler 4 days ago 0 replies      
This is sort of a push poll, in that it implies a point of view--that "ranking naturally" means "less filtering/flagging."

But flagging is a standard and valid component of the way HN ranks all stories. So in what way would its use on NSA stories be "unnatural?"

If the point is to measure sentiment, the poll would have worked better worded simply "I want more" vs. "I want less."

davidrudder 4 days ago 0 replies      
If it's on a technical topic, then I say post it. But, we've seen a lot of repetition and hand-wringing on the subject. If it doesn't add anything new to the conversation, whether that conversation is about the NSA or any other topic, then I say to ditch it. With the NSA stories, the signal is unusually important, but the noise is also unusually high.
eli 4 days ago 0 replies      
lots of stories are flagged off after hitting the front page. That's not unusual.

I'd personally prefer less on the NSA, especially if it's news I can readily find in a national newspaper. But I definitely could do with less meta discussion about it.

regis 4 days ago 0 replies      
Many people here work for (or even own) companies that are enabling this sort of data collection to happen whether or not they take responsibility for it. We as a community are burdened with this issue and it is our responsibility to be knowledgeable about what is going on in an attempt to understand/deal with it.
bougiefever 4 days ago 0 replies      
I think there is just the right amount.

It seems like NSA stories kind of take over when a lot of interesting things are happening, and then they kind of taper off when nothing new is happening. There is a crisis happening now with all the spying, and this crisis is very relevant to this community. I would therefore expect to see lots of articles here when something new is revealed.

miguelrochefort 4 days ago 0 replies      
Privacy is overrated.

People like to feel persecuted, and they enjoy drama. I can't blame them, but I won't be part of it. All these stories simply confirm things we already knew. Acting like any of this is surprising only makes you look foolish.

Not only is privacy an extremely unsustainable model, but it's rapidly becoming obsolete. The future is public and transparent, and you probably should adapt to it.

You have been warned.

jonheller 4 days ago 0 replies      
So much that I considered learning how to write Chrome extensions just to hide anything that contained the words NSA or Snowden
TapocoL 4 days ago 0 replies      
Where is the "I am fine with the status quo of NSA stories on HN"? I'm sure there are others like me that do not sit on one side of this imaginary fence.

I personally have enjoyed the continual information on NSA through HN, and there are still plenty of other topics being discussed on the front page when the NSA stories do not interest me.

Cbasedlifeform 4 days ago 0 replies      
Essential news that affects us all in our jobs and in our lives. They should be as visible or more so than just about any other topic for the time being.
Jacqued 4 days ago 0 replies      
Ironically, it seems that this precise submission is getting flagged a lot, seeing as it is rapidly being dragged down the first page
mixmastamyk 4 days ago 0 replies      
This subject is what a "hacker news" site should exist for.

Those complaining about the Apple thread takeover failed to mention the new finger-print reader. It's an unfortunate? coincidence that can't be ignored.

diminoten 4 days ago 0 replies      
I want less, but I don't want none. NSA stories should be flagged and/or filtered if they're not technical in nature.

But this has never been a democracy, I hope no one thinks that's what HN is.

elektronaut 4 days ago 0 replies      
This is important, and HN is my main channel for staying on top of the news. That said, the discussion leaking into the other threads is getting a bit tiresome.
willurd 4 days ago 0 replies      
Until things change, this is arguably the most important US issue we are facing right now, and is thus always relevant. So no, there are not too many NSA stories on HN.
mattmaroon 4 days ago 0 replies      
What if I want fewer NSA stories but ranked naturally.
tinbad 4 days ago 0 replies      
Can't there be a third option: Neutral. I want the news stories to get up/down voted naturally without ranking manipulation.

(Which doesn't mean I'd want more or less NSA stories per se).

fnordfnordfnord 4 days ago 0 replies      
For such a simple filtering methodology, it seems to be satisfactory. Some low-quality links get through because everyone is excited about the NSA leaks.
tlrobinson 4 days ago 0 replies      
6 upvotes in 2 hours isn't likely to get on the front page no matter the subject.
chris_mahan 4 days ago 1 reply      
ArekDymalski 4 days ago 0 replies      
Flagged? Yes, that's a right that (some) users have after all. Filtered? No, that would be replacing natural selection with groundless censorship.
jcla1 4 days ago 0 replies      
I am personally for less NSA news. BUT I don't think they should be filtered out! HN should be self-regulating and not controlled by any 1 entity
lrPrentice 4 days ago 0 replies      
NSA and related abuse of civil liberties stories are the most important news of our century. And tech is at the heart of the issue. We need thorough coverage, incisive analysis, and intelligent discussion.
carrja99 4 days ago 0 replies      
Make a subreddit or something about NSA related stories. Maybe launch nsa.ycombinator.com or something. I'm done with seeing the same articles reposted here from reddit.
ars 4 days ago 0 replies      
The stories aren't so bad, but the paranoid comments in every single thread are becoming too much.

If you have info, then fine write about it. But we don't need a comment wondering what the NSA will/can/did/does do in every single story.

cheatcode 4 days ago 0 replies      
I have only one karma point, and my vote doesn't seem to count. However, for the record I think the NSA revelations are on-topic and should be welcome.
peterarmstrong 4 days ago 0 replies      
There are NSA stories on HN?
AsymetricCom 4 days ago 0 replies      
Why is it that these articles with new information are being flagged and kept off the front page?
Ellipsis753 4 days ago 0 replies      
"Just right"?
whytaka 4 days ago 0 replies      
Why not both? It's a shame we have to talk about it.
RTFR 4 days ago 0 replies      
Spread/publish as much as possible as widely as possible. Detail is subject to the interest and focus of readership. Thus, no discriminatory actions.
iprashantsharma 4 days ago 0 replies      
That's an important issue.
oedipamaas 4 days ago 0 replies      
I don't think the damage being done by the NSA should be easily forgotten. Keep the news coming!
testerson123123 4 days ago 0 replies      
It's a fucking vote-based website, why is this even being asked?
keepkalm 4 days ago 0 replies      
Nice try NSA.
ivanbrussik 4 days ago 0 replies      
too many
NIST "strongly" suggests dropping its own encryption standard arstechnica.com
278 points by fejr  2 days ago   55 comments top 12
rgbrenner 2 days ago 1 reply      
This is an article about Dual_EC_DRBG.. [edit: the final algo was] published in June 2006, and criticized as insecure by the end of June 2006. Here's Schneier's summary: https://www.schneier.com/essay-198.html

First critique from June 2006: http://eprint.iacr.org/2006/190

Not only was it immediately criticized as being insecure, it's also slow.. I doubt anyone used this algo.. certainly, after 7 years of public criticism, anyone who used it would have replaced it by now.

thex86 2 days ago 1 reply      
A few days ago, there was a lot of talk about how Tor has backdoors, because it is funded by the US Government.

The answer to that question is also here. You have the NIST, a government entity that is opposing another government entity, the NSA, because the former does not agree with the latter's practices. We should not forget that the government is not one cohesive entity and this is an example of that.

tptacek 2 days ago 1 reply      
Is the DEC PRG not the same as the Dual EC DRBG (also by Kelsey), or is the 2006 paper wrong about Dual EC being breakable on a desktop computer, or is there some other subtlety I'm missing? Because the conclusion Ferguson came to in '07 wasn't that Dual EC was bad because it was trivially breakable.

(Nobody I know of uses Dual-EC, and you shouldn't either).

bsullivan01 2 days ago 1 reply      
If Microsoft was seriously pissed and not fearful, they'd sic Microsoft Research on them.

Also Google, FB, Yahoo etc should provide grants so independent cryptologists can spend time to review and test encryption standards. They don't have to match NSA's budget...

jlgaddis 2 days ago 1 reply      
Note that the original article is from ProPublica and the original headline was:

"Government Standards Agency Strongly Suggests Dropping its Own Encryption Standard"


Ars Technica, however, changed it and added in "NSA-influenced algorithm" because, you know, clicks.

jlarocco 2 days ago 1 reply      
Am I blind, or does the article never once mention which encryption standard it's talking about?
lelf 2 days ago 1 reply      
Did you notice circus arriving recently?

  1. FBI Admits It Controlled Tor Servers Behind Mass Malware Attack (wired.com)
  2. NIST "strongly" suggests dropping its own encryption standard (arstechnica.com)
  3. No more CSS and HTML, just JS (ojjs.org)

alcari 2 days ago 0 replies      
Here's the NIST document from their own site, in case you'd like to skip the article: http://csrc.nist.gov/publications/nistbul/itlbul2013_09_supp...
chmike 2 days ago 1 reply      
I don't understand the rationale to introduce such weakness. The NSA doesn't have the monopoly on spying and cracking code. This weakens defense of USA's interest as well. This raises again the question of whether we can trust the people holding such power in their hands.
meowface 2 days ago 2 replies      
>The NSA declined to comment.

That's a shocker.

frank_boyd 2 days ago 1 reply      
> Asked whether Microsoft would continue to use the encryption standard in some of its software, a spokesperson said the company "is evaluating NIST's recent recommendations and as always, will take the appropriate action to protect our customers."

Pretty funny, coming from an NSA partner company.

devx 2 days ago 3 replies      
I "strongly suggest" everyone drops NIST's encryption standards as soon as there are viable alternatives to them. They can't be trusted ever again, and it's best to form another truly international security standards body, anyway, with ties to no government.
No more CSS and HTML, just JS ojjs.org
267 points by colinmegill  2 days ago   180 comments top 59
_lex 2 days ago 5 replies      
This post is getting a lot of flak from people who haven't given it more than a glance.


1. SEO is not a problem.

Since OJ can be compiled on the server-side, it's comparable to EjS, JADE or other templating languages, which means SEO is not a problem.

2. Current code-size can be ignored in the long run.

This code doesn't have to be sent to the client (since it can run on the server), could possibly be hosted by a CDN and cached across the web, and can probably be tightened up in the future.

3. CSS is still available, but the views know about their css files and are coupled with them

4. True MVC on the front end

OJ gives us the chance to do true MVC in the web frontend, without having a javascript view and a DOM view and css styles that are separate, but that work together to make one thing. It seems to me that they're really made for each other - shouldn't they be together at last?

5. Sharing code will be easier

OJ could eventually be supported by a package manager that allows you to include (or install for server-side) js objects for things like youtube videos, but also for tweets etc. Separation of concerns (so your app doesn't just have one huge CSS file, but each view has its own css, and its own html & js etc) will also reduce complexity in larger apps.

------Trade offs

1. Yet another framework to learn/use

2. May be slower than what you currently do to render pages

3. If used client side, you may weaken your site's SEO

4. New engineers to your team will likely need to be brought up to speed.

5. (short term) There are likely weird bugs you'll pull your hair out over.

cocoflunchy 2 days ago 4 replies      
Well, it's only 11 000 lines of js... Plus Backbone, plus jQuery, plus underscore, plus ace. Loading the source page takes about 15s on my computer... I'm not sure I would like my index.html to look like this https://github.com/ojjs/ojjs.github.com/blob/master/index.ht...
MarkHarmon 2 days ago 7 replies      
What problem is ojjs solving and what are the trade-offs?

For me personally, the design principle of "separation of concerns" has always worked well, especially in a team environment. Having a pure designer (on photoshop or illustrator), then an html/css expert for coding pages and finally a programmer for adding dynamic content works out as a nice pipeline for web development. With ojjs, the programmer and html/css person would have blurred lines separating their responsibilities. It is a cool project, but it seems like a step backwards to me. Maybe it's just a step sideways or a better way of doing things for a team consisting entirely of programmers.


padolsey 2 days ago 2 replies      
Not really sure what problem this is trying to solve. I am more enthused about the potential of Web Components, shadow-dom etc. [1] Take a look at Polymer [2]. By abstracting away the concept of the contrived set of HTML Elements we currently have we can create new 'complex' elements/components while retaining consistency with the rest of the DOM API.

[1]: http://www.w3.org/TR/2013/WD-components-intro-20130606/
[2]: http://www.polymer-project.org/

pault 2 days ago 1 reply      
The big issue I have with this approach is that you'll eventually need to do one of the following: hire a designer that can javascript (rare); hire a javascripter that can design (rare); sit and tediously convert your designer's static html and css line-by-line into javascript templates.

It's not impossible to be an expert graphic designer and web developer, but they are both extremely deep disciplines and people with the dedication, inclination, and aptitude for both are few and far between. Unicorns, etc...

This is fine for one-offs and side projects, but trying to build large project around this seems like an unnecessary extra layer of complexity (not that the current standard isn't complex, it's just relatively entrenched, for better or worse :)

justindocanto 2 days ago 2 replies      
HTML Version - 56 Characters, no dependencies:


OJJS Version - 57 Characters, thousands of lines of js dependencies:

var myList = oj.BulletList('They','create','themselves');

The fact that just writing the html output is the same (and in this case a smaller) number of characters than the ojjs functions makes me unsure about this, especially considering all the extra dependencies.

scottfr 2 days ago 0 replies      
Similar to something like ExtJS. Using Ext you declare the UI purely with JavaScript (CSS and HTML can be inserted if desired but that is antithetical to the standard practices).

It works pretty well. But when you have complex layouts, your JavaScript files can become very complex with many layers of nested object definitions. I use Ext and love it, but personally I think an HTML markup approach to defining UI's is cleaner.

kapowaz 2 days ago 0 replies      
Why do people keep trying to abstract away the parts of web applications that have been carefully designed to solve that particular part of the problem as best they can with a one size fits all solution?

To me the answer is obvious: we have people who don't understand CSS, who don't understand HTML, who do understand JavaScript (or Java, or Ruby, or Go, or whatever) who want to make web applications but have no interest in learning or understanding the reasons why we do things a certain way.

Frankly it depresses the hell out of me for the next generation of web applications, because it feels like we're taking a technological leap backwards.

SchizoDuckie 2 days ago 1 reply      
Please do not use something like this if you're building your next project. NOTHING is wrong with using mustache or so for templating, but this is just plain wrong.

You will know how much it costs to use something like this if you have a project that you've worked on for weeks or months and need to hand it over to another developer. Or actually any other interaction with a third party like a designer or frontender that's used to just juggling around some tags for preference or layout optimisation.

balloot 2 days ago 2 replies      
Uhhh...shouldn't the site itself be built using the framework it advertises? Because the page structure and styling is all there even with JS turned off.
DanielRibeiro 2 days ago 1 reply      
Seems similar to Reactive Coffee: http://yang.github.io/reactive-coffee/

Having proper components is a big win. However, it seems it requires a command line dependency to the build app, which would be nice not to: http://ojjs.org/docs.html#file-types

nicolethenerd 2 days ago 1 reply      
Love the concept, but the site itself (which I assume was built using the framework) is visibly laggy (in Chrome, on a MacBook Pro) - I'd be worried about using this for anything where performance was important, and for mobile (esp Android), it would probably be too slow to use. :-(
ultimatedelman 2 days ago 0 replies      
All benefits to having a CSS file are completely lost using this method, in addition to the aforementioned performance hits. Could be cool for creating widgets and forms on the fly, but would definitely not recommend creating an entire site, let alone a webapp of any size or scale, using this tool.
CWIZO 2 days ago 3 replies      
Umm ... why?

(sorry, that's the most constructive I can get with this)

mankyd 2 days ago 0 replies      
This would be terrible from a performance perspective on mobile. Not because the phone executes JS slowly (it might, but that's not the issue). The problem is the network latency around downloading the initial html (whatever little html you need) and then sending a further request to download the JS.

Pagespeed goes into this a bit here: https://developers.google.com/speed/docs/insights/Prioritize...

chrisdone 2 days ago 0 replies      
A language like Elm seems more innovative and interesting: http://elm-lang.org/

It removes HTML, CSS and JS from the equation with just one language, Elm, which uses FRP (functional reactive programming) for doing UIs.

tzury 2 days ago 0 replies      
I think the "no more CSS and HTML" misled us all.

In other words, if you think of this as a way to generate HTML snippets with event binding, then this might not look like such a crazy idea. Of course, when it aims at building the entire website, one will wonder why.

Having said that, a suggestion to the author: start using namespaces, i.e. put all plugins under the namespace of .plugins, e.g. plugins.YouTube(), plugins.Ace() instead of just YouTube() and Ace().

hadem 2 days ago 2 replies      
This feels like it is trying to reinvent the wheel. Is there something wrong with using HTML and CSS?
grimtrigger 2 days ago 1 reply      
A couple other stabs at this problem:



mike_ivanov 2 days ago 0 replies      
"build websites with objects"

Why not start with some content instead?

tantaman 2 days ago 1 reply      
Stuff like this is useful to an extent but not when you go so low level as to generating individual divs, ol and spans like this.

For example, it makes sense to have a Javascript class such as "ShoppingListView" that takes care of rendering a shopping list via a template that it references. A component like a shopping list is coarse grained enough to be styled and designed on its own (by designers) and then stuck into a template (by designers) that the Javascript developer can then use and populate in code.

oj just takes us back to the tedious GUI development of Swing style frameworks. It is unfortunate that some people in every generation forget what the previous generation has already learned.

wprl 2 days ago 0 replies      
I absolutely love JavaScript and being able to use one language from database to server to client in my current stack BUT I am very skeptical about using JS for representation and styling. Maybe JS can be massaged into a great language for representation and presentation, but I would bet HTML and CSS are far better suited.
andyroid 2 days ago 0 replies      
Atwood's Law: any application that can be written in JavaScript, will eventually be written in JavaScript.
grannyg00se 2 days ago 1 reply      
There's a javascript wrapper around all html and css functionality so instead of creating a .html file you create a .js file and have javascript functions like h1('HTML Creation') instead of html like <h1>HTML Creation</h1>. Is that right?

Interesting. But why would we use this? Or is it just for fun?

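A minimal sketch of the element-function wrapper the comment above describes, added here as an example (it is not OJ's own code; the bulletList shape is assumed from the earlier oj.BulletList comment): text children and attribute values are escaped on the way into the markup, which is the check that matters once JavaScript rather than static HTML is producing the page.

```javascript
// Added example, not OJ's own code: h1('text') instead of <h1>text</h1>.
// Rendered nodes are tagged with a Symbol so that trusted, already-rendered
// markup can be told apart from untrusted string children.
const RENDERED = Symbol('rendered');

// Escape the characters that can break out of text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function isRendered(x) {
  return x !== null && typeof x === 'object' && x[RENDERED] === true;
}

// Build one element. An optional leading plain object is the attribute map;
// remaining arguments are children: strings are escaped, rendered nodes are
// spliced in as-is.
function element(tag, ...args) {
  if (!/^[A-Za-z][A-Za-z0-9-]*$/.test(tag)) throw new Error(`bad tag name: ${tag}`);
  let attrs = {};
  if (args.length && args[0] !== null && typeof args[0] === 'object' && !isRendered(args[0])) {
    attrs = args.shift();
  }
  const attrText = Object.entries(attrs).map(([name, value]) => {
    // Attribute names are not escaped; they are validated against a whitelist
    // pattern instead, so a data-driven name cannot smuggle in a new attribute.
    if (!/^[A-Za-z][A-Za-z0-9-]*$/.test(name)) throw new Error(`bad attribute name: ${name}`);
    return ` ${name}="${escapeHtml(value)}"`;
  }).join('');
  const body = args.map((child) => (isRendered(child) ? child.html : escapeHtml(child))).join('');
  return { [RENDERED]: true, html: `<${tag}${attrText}>${body}</${tag}>` };
}

// Element functions in the style the comment asks about.
const h1 = (...a) => element('h1', ...a);
const div = (...a) => element('div', ...a);
const ul = (...a) => element('ul', ...a);
const li = (...a) => element('li', ...a);

// Assumed equivalent of oj.BulletList('They','create','themselves'):
// each argument becomes one escaped list item.
function bulletList(...items) {
  return ul(...items.map((text) => li(text)));
}

function render(node) {
  return node.html;
}

// Constructed sample input: a user-supplied heading that carries markup.
const untrustedHeading = '<script>alert(1)</script>';
console.log(render(div({ class: 'post' }, h1(untrustedHeading))));
// → <div class="post"><h1>&lt;script&gt;alert(1)&lt;/script&gt;</h1></div>
```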
Alex3917 2 days ago 0 replies      
So it's like a WYSIWYG that you need to know JavaScript to use?
chenster 2 days ago 0 replies      
This is a horrible, horrible thing to do, a giant step...back. The entire separation of concerns is destroyed this way by mashing everything up into objects, which is completely unnecessary. The entire internet is built around a loosely coupled system so it won't fall apart when an ending body tag is missing. But with objects, that's not the case.

Please stop the madness.

Sanddancer 2 days ago 2 replies      
So, how well does this framework handle screen readers, like JAWS? All javascript, all the time is terrible from an accessibility standpoint.
sinkasapa 2 days ago 1 reply      
I think the title presages the coming of the apocalypse. The two ok-ish parts of the web replaced by the horrible one that we are all stuck with. Next step, replace all three with 666 and call it quits.
txutxu 2 days ago 2 replies      
Great technology.

But it reminds me a little bit of perl cgi in the 90's.

    print h1('hello world');
I mean, this is great for people learning fast, but it will never work against "frontend" people in the average (non top) company.

I wish I were wrong.

dragonwriter 2 days ago 0 replies      
It seems like a clever way to avoid the decoupling of content, presentation, and behavior, each with their own focussed, domain-centered language offered by the traditional HTML/JS/CSS set up...

But I don't really see why I'd want to do that.

jimbobimbo 2 days ago 1 reply      
The more I read the comments trying to explain this library, the more it reminds me of ASP.NET Web Forms, only in JS.
amjd 2 days ago 0 replies      
"To a man with a hammer every problem looks like a nail"
icedog 2 days ago 0 replies      
Huge step in the wrong direction.
zekenie 2 days ago 0 replies      
Very interesting. It's become dogma that the markup and event handlers should be separate (for example you never add an onclick html attribute to anything). There are many good reasons for this. But I suppose if you think of this kind of like ejs templates or something, it's not so bad. Seems like an interesting way forward.
ferno 2 days ago 0 replies      
I started working on something similar to this, and left it as another object to gather dust on my SSD after it proved to be a very inelegant way of making web apps/sites. Dunno, might have just been doing it wrong, but OJ seems very similar. Blog post on it here: http://www.spectrumcoding.com/projects/xalt/2013/06/27/xalt.... and repo here: https://github.com/Mirceam94/xalt
aragot 2 days ago 1 reply      
Good, so Swing fans can finally write webapps.
gluxon 2 days ago 1 reply      
Seeing CSS before HTML freaks me out more than it should.


auggierose 2 days ago 1 reply      
Good idea, I am currently working on something very similar, but built on Scala/Scala.js. Javascript is just not the right language for this, just as Java (GWT) wasn't.
rob_mccann 2 days ago 0 replies      
Reminds me of building views in Java...
reycharles 2 days ago 1 reply      
Maybe I am misunderstanding something, but it seems like all the HTML is created as a side-effect. How can this possibly be a good idea?
Johnyma22 2 days ago 0 replies      
Bug report: When the page loads the caret is focused in the textarea but using the arrow keys moves the entire page and not the caret inside the text area.
_random_ 2 days ago 0 replies      
This is what you get for "open web" - treating symptoms instead of the disease that is JS, HTML and CSS.
thibpat 2 days ago 0 replies      
Why would you remove HTML, it's the easiest way to create a UI? Also this introduces a lot of coupling between the style, the structure and the logic.
wojcikstefan 2 days ago 0 replies      
Although I respect the effort put into making the API look neat and work properly, I don't think it's a good idea to use JS for yet another thing instead of using the right tools for the right job.

Check out this presentation by Nicholas C. Zakas: https://www.youtube.com/watch?v=li4Y0E_x8zE

piyush_soni 2 days ago 0 replies      
Man ... Every day there is a new ".js" library coming up. How to even keep track of them? :O
deadfall 2 days ago 0 replies      
I like the idea even though I am not a JavaScript developer per se. The examples are fun to play around with. It hides so much on the backend that I definitely would be worried about performance. Fun stuff.
puppetmaster3 1 day ago 0 replies      
Ha ha. No designers. Remember Java applets? Yeah, that was a thing. The rest of us will keep doing HTML 5 and DOM. Bye.
rfnslyr 2 days ago 0 replies      
Love this, but I'll only adopt this way once it seriously becomes mainstream.
rjurney 2 days ago 0 replies      
This seems like the Perl-based web of 20 years ago.
VeejayRampay 2 days ago 0 replies      
Oj also happens to be the fastest Ruby JSON parser.
denysonique 2 days ago 0 replies      
I see this useful for writing UserScripts/browser extensions.
inovator 2 days ago 0 replies      
Nice framework but my eyes bleed when I see html and css in my js.
coin 2 days ago 0 replies      
The fade effect makes it feel sluggish
4d47 2 days ago 0 replies      
No. Just no.
egypturnash 2 days ago 0 replies      
My adblock (GlimmerBlocker) breaks your JS.
danso 2 days ago 0 replies      
OK, I won't add another "Why?"...but I'll just say that this paradigm already evokes a stomach-turning reaction from some people...why do the colors have to be so off-putting? It's tolerable on a standard Mac screen, but on my (cheaper) Dell monitor...which, let's face it, a lot of monitors are uncalibrated, the colors are not comforting...

There's already a lot of work put into this, it's worth going that extra step and make things look less like the messy days of HTML and Java and Flash a decade ago.

afleegman 2 days ago 1 reply      
This doesn't really work at all with SEO
vezzy-fnord 2 days ago 0 replies      
I think I'll stick to markup.
tretarok 2 days ago 1 reply      
Oh good, another abstraction around html and css. Please murder me and this project.
Shot tower wikipedia.org
259 points by ari_smith  4 days ago   79 comments top 24
guelo 3 days ago 2 replies      
I thought it was interesting that the modern "Bliemeister" manufacture method still consists of dropping molten lead drops. The difference apparently being the use of heated liquids and inclined surfaces for greater control. https://en.wikipedia.org/wiki/Bliemeister_method#Manufacture

In contrast, metal bearing balls are manufactured using cold metal working techniques: shearing, pressing, grinding and polishing some wire. https://en.wikipedia.org/wiki/Ball_%28bearing%29#Metal

It seems as if lead should be easier to press into shape than steel so I wonder why the difference in techniques.

ChikkaChiChi 3 days ago 0 replies      
In 1782, William Watts disrupted the shot ball industry by creating an unconventional, simple solution that produced a cheaper, better output at a faster rate than the established method.

...How could any of you not understand how this applies to Hacker News? This is hacking at its finest!!!

chiph 4 days ago 1 reply      
Natural Bridge in Virginia was used as a shot tower during the American Revolutionary War. They simply dropped molten lead off the bridge into the water below. Someone would then collect them from the stream bed after they cooled.


jscheel 4 days ago 1 reply      
Ok, I get it, not HN material. But, write a blog post about creativity and simple solutions in startups, using shot towers as an illustration, and boom goes the dynamite. This post requires us to use our imagination and extrapolate to get the point, I guess.
Zoepfli 4 days ago 1 reply      
Interesting. So in essence, the 19th century used zero gravity fabrication. Who knew?
aspir 3 days ago 1 reply      
I couldn't find any videos of shot towers in action, but I did find a video of a man demonstrating a handmade modern shot manufacturing machine: http://www.youtube.com/watch?v=TwVvdIFyQ0Q
duck 3 days ago 0 replies      
This is also how you create urea in prill form, which you'll find in a bag of fertilizer.


jessevdk 4 days ago 4 replies      
You can try something similar to this (although more related to the older barrel technique) at home with a soldering iron. Melt some tin at the tip while holding the iron at a sufficiently large height over a glass of water. It takes some practice to make nice round balls, but it works!
laacz 4 days ago 0 replies      
Interestingly, we in Latvia still have a shot factory which produces shots this way: http://www.dsr.lv/?lang=en
marpstar 4 days ago 4 replies      
I've lived in Dubuque, IA (there's a picture of our shot tower in the article) my entire life, and assumed that everyone knew what these were. It's an iconic symbol in our city's history. I guess I took them for granted.
chrismorgan 4 days ago 0 replies      
I saw the picture of the Clifton Hill shot tower at the top there and thought hey, that looks like... I've wondered precisely what it was meant to be every time I've passed it (not very frequently), but never enough to find out.

Cool stuff, even if I don't quite see how it's relevant here. :P

AmVess 4 days ago 1 reply      
Interesting. And here I thought they were all made by hand. I guess shot producers aren't nearly the highly patient and dextrous craftsmen that I made them out to be.
rexreed 3 days ago 0 replies      
There's quite a big and famous one in Baltimore that's right in the middle of town and hard to miss. And it's open for tours.


adolph 4 days ago 2 replies      
In my recollection, this is one in Austin, TX:


I may be wrong though. I wasn't able to find any references about it easily.

Pirate-of-SV 4 days ago 2 replies      
How many feet taller does a tower in northern Alaska need to be compared to one in south Florida? (at 0 feet above average sea level)

Someone please calculate this.

Thank you.

crazytony 4 days ago 0 replies      

It's been turned into an enclosed mall in the Melbourne (Australia) CBD. You can see the glass dome covering the whole shot tower building from all over Melbourne.

nsxwolf 3 days ago 2 replies      
Is terminal velocity a factor in achieving a spherical shape? Is that part of the reason for the height of the tower, or is it just cooling time?
hiccup 4 days ago 1 reply      
This is also how cheese balls are made.
tommoor 3 days ago 0 replies      
Now this seems like it would have been a legitimate use for patents at the time!
ahupp 4 days ago 1 reply      
Just last week I started to think how I'd make ball bearings and this strategy came to mind. Neat to see that it's actually feasible.
oleganza 4 days ago 1 reply      
The article does not list Saint Jacques Tower in Paris. http://en.wikipedia.org/wiki/Saint-Jacques_Tower
mholt 3 days ago 0 replies      
The Dubuque shot tower is in my hometown. It's a really great piece of history but a shame that the site isn't more kept like the rest of the riverfront.
hokuem 3 days ago 0 replies      
In Montreal a shot tower was kept when converting an old industrial complex to high-end residential units. The result is pretty good and made me learn about shot towers before reading it here: http://goo.gl/maps/WJZPj
lmgftp 4 days ago 5 replies      
In the most restrained and calm way possible, I'm wondering why this is on Hacker News at the moment...

A Wikipedia article, concerning a technology that is effectively ancient and indisputably outdated, seemingly with no relevance to any recent events in the tech world, or the greater world in 2013 for that matter.

Occasionally it seems as if one could do "Random" Wikipedia click [0], find something marginally interesting, and post it here. It's strange that this would be the case, but I suppose the points voted on suggest that the community is interested in the subject. Don't get me wrong, I read the article and found it interesting, just to learn a little something new about history, but I then wondered how it could possibly relate to HN, and I went back to re-read before commenting as I was certain I must've been missing something regarding how this article relates to some current event / technology.

Edit 10:42EST, to restate the purpose as it seems people neglect to realize I too found it interesting and are saying "but it's interesting, I personally enjoyed it", please see the below sentence (Copied from above paragraph for clarity). This comment wasn't about personal interest, it's a question of relevance.


Don't get me wrong, I read the article and found it interesting, just to learn a little something new about history, but I then wondered how it could possibly relate to HN, and I went back to re-read before commenting as I was certain I must've been missing something regarding how this article relates to some current event / technology.


Ninja Edit: Note! The following will direct you to a random wikipedia page, may be NSFW. Follow at your own risk.

[0] http://en.wikipedia.org/wiki/Special:Random

E-ZPasses Get Read All Over New York (Not Just At Toll Booths) forbes.com
258 points by jmcintyre  2 days ago   164 comments top 22
forgotAgain 2 days ago 8 replies      
I have to disagree with those who say this isn't news. It was news to me and will, I believe, be news to most others as well. The only time before this that I heard about using EZ pass for anything other than tolls was a few years ago when I read about some feasibility work on the concept of traffic flow optimization being done around Ithaca, NY.

I do wonder why they haven't been used yet to track speeding violations. Speed cameras are being installed in Manhattan. EZ passes are supposed to be used in one car only so it can't be lack of ability to isolate the user that's stopping it.

For years I've been keeping my EZ pass in a static electricity bag when I'm not anticipating going through tolls. I'll definitely continue to do so. At least until it becomes illegal.

joezydeco 2 days ago 1 reply      
Wait until people discover your FM car radio also leaks information. Besides the leaky iPod/SatRadio transmitters, the unit itself gives away the station frequency from the internal oscillator.

There's a company already sniffing radios on the road to determine listener demographics among other things.


fnordfnordfnord 2 days ago 3 replies      
As many have stated, this isn't news. There are all sorts of good and proper uses of toll-tags that aren't collecting tolls. There has never been any effort to hide that, nor should there be. The thing I have always been disturbed by WRT toll-tags is that toll-collecting entities flatly refuse to sell one that isn't attached to a person or a vehicle. There are opportunities for profit that have been ignored[1], and I expect that is probably because gov't entities want a high degree of certainty as to who is with the tag.

[1] - Prepaid toll-tags could be sold at vending machines for cash (business travelers, philanderers, etc.), but are not.

ethomson 2 days ago 3 replies      
I had thought it was common knowledge that E-ZPasses were used to collect real-time traffic estimates; certainly I've known for years that i-Pass (the Illinois equivalent) was used for this purpose. Unfortunately, some quick googling does not appear to locate any information on this, so now I don't remember where I heard / read this in the first place.
PaulHoule 2 days ago 2 replies      
You'll pull my E-Z pass out of my cold dead hands.

This is the first piece of vehicle telematics I added when I got a new car. When I was stuck in a traffic jam at an off-ramp near Albany, I realized how I'd make it better for myself and other drivers if I got one.

It's particularly good that E-Z Pass uses the same technology as most other states in the Northeast so you can drive the Mass Pike and out to Maine or the other way to Ohio.

mrb 2 days ago 2 replies      
In California, our toll transponders (FasTrak) are spuriously read at the LAX airport, merely for tracking reasons, not for billing.

Interesting reverse-engineering of FasTrak transponders in 2008: http://rdist.root.org/2008/08/07/fastrak-talk-summary-and-sl...

Spooky23 2 days ago 1 reply      
This isn't news, and hasn't been hidden. EZ pass readers are plainly visible all over the place, including on the BQE in NYC and other places in NY. They give you an ESD bag to put your transmitter in.

As part of 511, state DOTs also purchase cell tower data to estimate speed on highways. My understanding is that is where the Google Maps traffic indicators come from.

loganfrederick 2 days ago 0 replies      
Little-known, but publicly available, information: The EZ-Pass was originally developed by JPMorgan Chase (my employer) for use with a different client.

Just last month, JPMC announced that its patent collection had reached 500, with our patent on EZ-Pass being one of our most successful, and something we still receive licensing fees on.


addflip 2 days ago 0 replies      
Oddly enough I just received an email from SunPass(Florida tolls) encouraging me to trade in my old battery operated transmitter that beeps when it's read for one that doesn't. They're even offering to foot the bill. Weird... maybe I'm just being a conspiracy theorist :)
kazagistar 2 days ago 0 replies      
> The DoT was not forthcoming about what exactly was read from the passes or how long geolocation information from the passes was kept.

Listen up kids. Even if your goals are entirely pure and innocent, this sort of BS just makes you look shady. If you wanna do traffic analysis, sanitize your data ASAP, and purge it as soon as you can, and then when people ask, you can answer questions like this with a clear conscience.

ChrisAntaki 2 days ago 0 replies      
Your license plate is always visible, it's probably a nicer target for people interested in tracking you.

Search for "license plate" on http://www.zdnet.com/wikileaks-uncovers-trapwire-surveillanc...

koopajah 2 days ago 1 reply      
This reminds me of Little Brother by Cory Doctorow that I just read two weeks ago: http://www.goodreads.com/book/show/954674.Little_Brother
ISL 2 days ago 1 reply      
Is there a publicly available standard for interrogating EZ-Pass chips? Does the state have an exclusive license for the band?
shitlord 2 days ago 0 replies      
IMO, this is actually pretty awesome. Maybe in the future, we can produce new EZPasses that do the same thing, except more privacy-oriented: a pass that reports different Tag IDs to traffic monitoring equipment, but keeps reporting the same Tag ID for 1 hour. Or maybe a piece of hardware that can intercept the EZPass signal on its way to the traffic monitoring equipment.

Everyone hates traffic and loves complaining about it, but I personally haven't seen a lot of work being done to solve it. And yeah, having people take public transportation helps with congestion, but you're not actually solving anything by doing that, only working around the problem. Maybe it's because I've never worked with any DOTs.

Stwerp 2 days ago 1 reply      
I can't find details of his hack, but I am curious if his detector detects actual read events (when his device responds with its ID) or if it is just an RF power detector. Is there a link to a technical description?
codex 2 days ago 1 reply      
Your location in a public place is not a secret. It is not legally protected. This is well established by multiple precedents.

Heck, FBI agents can legally place a tracking device on your car, without a warrant if they do so while your car is in a public place (http://www.rawstory.com/rs/2012/01/03/federal-judge-rules-fb...).

seiji 2 days ago 2 replies      
His presentation also featured pictures he took of many NY police's personal cars with deliberately obscured license plates so they can't be automatically read (and other features like illegally too-tinted windows, etc).

*edit: found the presentation at https://www.defcon.org/html/links/dc-archives/dc-21-archive....

shiven 2 days ago 0 replies      
This looks like a potential solution:


Don't know where to buy just the shield though...

Phargo 2 days ago 5 replies      
Is there any way to install a switch to kill the tag when you don't plan on using it? If that's possible, how difficult would it be to control this on/off switch with a spare smart phone based on approved GPS location?
benguild 2 days ago 0 replies      
At one point the ones in California beeped, not sure if the new ones still do but they definitely used to.
diminoten 2 days ago 2 replies      
Yet again, we arrive at a, "could" story, and not a "does" story.

The NSA "could" have you arrested for a crime you didn't commit by sharing intel it's collected about you! The NYPD "could" use your E-ZPass to track your movements through NYC! Google "could" access your Wi-Fi password as it's synced from your Android device!

I think people forget sometimes that 1984 was a work of fiction, and never actually happened.

rayiner 2 days ago 0 replies      
Scumbag Puking Monkey: puts wireless tracking/identification device on his car; surprised when he is wirelessly tracked/identified.
Steam Family Sharing steampowered.com
258 points by danso  4 days ago   116 comments top 18
zalzane 4 days ago 4 replies      
Valve often talks about trying to provide a service that is more convenient than pirating, and this looks like another step in that direction. If I'm playing a pirated game and want to share it with a friend, it would involve getting them to torrent/crack it, or uploading it to a file sharing host. Using Valve's new program, sharing a purchased game is as simple as sharing it with them on steam.

I'm curious as to what other kinds of convenience measures they'll be able to implement in the future - especially with hardware control via steambox on the horizon.

Pxtl 4 days ago 3 replies      
... on closer inspection, it seems functionally equivalent to logging into steam on a friend's computer, except that you don't have to type in your password on their machine and you can kick them off easily.

Considering how much trouble Steam has with phishing and accounts getting hacked, it's obviously a good idea to minimize any use-case where users are allowing others to get at their passwords. This kind of feature will probably save Valve money in the long-run.

Still, doesn't match what I hoped. I was hoping to see a way to share a few games on a machine within the same house, so I could have my set-top machine and my desktop machine divvy up the console-style and pc-style games without constantly having to re-log-in.

amelim 4 days ago 2 replies      
A brilliant move would be to offer discounts on purchasing a game if the lender kicks you off while you are playing. "Sorry we have to kick you off while you are playing, it looks like the owner wants to play game X right now. Purchase the game for yourself at 10% off and keep playing immediately!"
Raphmedia 4 days ago 7 replies      
"Can a friend and I share a library and both play at the same time? No, a shared library may only be accessed by one user at a time."

So, if one of my friends plays one of my games, I can play none of my games? Or am I reading this wrong?

peterarmstrong 4 days ago 1 reply      
Well, I still need 2 copies of Civ 5 to play multiplayer with my son:

  > CAN A FRIEND AND I SHARE A LIBRARY AND BOTH PLAY AT THE SAME TIME?
  >
  > No, a shared library may only be accessed by one user at a time.
Now, I was (and still am) fine with that since it has provided so much entertainment, but for many games that would not be true...

hanifvirani 4 days ago 1 reply      
If I am not wrong, this is what Xbox One wanted to do initially.
hayksaakian 4 days ago 1 reply      
Sounds great for a hypothetical Steam Box

Seems similar to the way current consoles handle accounts.

twodayslate 4 days ago 1 reply      
So my brother and I can't play the same game together if we share a steam account? Am I reading that right? Not much changes for me then
iam 3 days ago 0 replies      
This isn't any different from sharing the password with your family members (who you should trust anyway, right?). Why not make it more useful and allow the person you share with to play games from your library at the same time you're playing?

(but different games. if I want to play TF2 and the family member wants to play Dragon Age, I don't see why that shouldn't be possible!)

Heck, you can already play single/multi player games simultaneously just by sharing passwords and using offline mode. Color me unexcited.

Here's even a quick config file change you can make so that your Steam always starts in offline mode and doesn't force-logout the other person already logged in. http://forums.steampowered.com/forums/showthread.php?t=25474... (I tried this with my dad and it works great as long as he doesn't need to patch).

JonoBB 4 days ago 0 replies      
Somehow, I ended up with 2 steam accounts, and wanted to merge them. This is expressly prevented by Steam (https://support.steampowered.com/kb_article.php?ref=1558-QYA...).

Now, with these changes, I at least have a way around this problem.

sliverstorm 4 days ago 0 replies      
Ok, this is much closer to allowing me to have my desktop and my HTPC logged in to Steam at the same time...
TheCraiggers 3 days ago 0 replies      
There's much lamenting about how people can't play the same game together on a shared account.

The much bigger issue to me is that a shared device can't play any of your games if you're playing a game. So if you're playing Borderlands 2, your brother can't play Borderlands 1. This seems nearly useless, if true.

richardlblair 4 days ago 0 replies      
Some people see this as pointless because "lending" digital goods is impossible.

Really, it's about ease of use. If a person can "borrow" a game easily, and get their fulfillment from it they are less likely to download it illegally or even try to steal it from valve by exploiting the "borrowing" system.

kreek 4 days ago 0 replies      
Attn: Spotify, plz implement this too, thx
dylangs1030 4 days ago 0 replies      
I was really excited about this, but then I read the limitations...in particular:

>No, due to technical limitations, some Steam games may be unavailable for sharing. For example, titles that require an additional third-party key, account, or subscription in order to play cannot be shared between accounts.

Damn. Probably should have expected this.

But, all in all, seems like a positive step forward!

seniorsassycat 4 days ago 0 replies      
I hope this leads to more game sharing. I think letting people play a multiplayer game together when only one person owns the game would be great for the consumer, and lead to higher sales of the game.

I have skipped some co-op games because I knew my friends wouldn't buy it, but they would have played with me if they could.

math0ne 4 days ago 3 replies      
This has been a rumored coming feature forever but I can't for the life of me figure out how this benefits steam, or even how they convinced publishers to take part in this.

What's their motivation? Did they go over the publishers' heads with this? I'm curious to see how this pans out.

Sarien 4 days ago 1 reply      
You could always share steam accounts by giving somebody your password! The only thing this does is allow you to gain your own achievements which is just Valve's way of getting you addicted to your steam account. Stop treating this like a good thing or even a service it only benefits Valve.
How I thought I wanted to become a digital nomad alexp.github.io
254 points by bartekurbanski  1 day ago   184 comments top 45
kristiandupont 1 day ago 3 replies      
Having been semi-location independent for 4 years now, I have come to a similar conclusion.

The theory of decision fatigue -- that you get exhausted by making a certain number of decisions -- seems to be true to me. And the thing is that when you are in a new place, there is a large number of decisions to make about petty things like where is the nearest supermarket, where can I work out, how do I get proper internet etc. Whenever I've set up in a new place, my productivity suffers severely for a week or two. After that, I'm okay but if you travel a lot, that becomes a real price. And it's not rewarding the same way that other guilty pleasures are, it's just annoying.

I remember walking to the "office" in Bangkok one day, having been there for three weeks. I pulled out my iPod for the first time since I arrived. It struck me that this was a sign that I was familiar with my surroundings. I didn't need the full mental capacity just to navigate, I could run that process in the background and allow myself to listen to music. I am not sure what you can conclude from this but I think that it's likely that I had consumed a lot of energy up until that point, which I then didn't have for programming.

RyanZAG 1 day ago 4 replies      
Far as I can tell, the argument here boils down to "can't concentrate on coding while traveling". When put in a simple statement like that it becomes very obvious that the statement depends entirely on the person. Many people have little difficulty opening up their laptop and forgetting the rest of the world for an 8 hour stretch, and this would be the type of person who would do well as a digital nomad. If you need peace and stability in order to code - and many, many people do - then it's a bad choice.

I've also found you need to be very comfortable with email and text communications, and you probably need to be good at getting your point across and discerning the point of others as it's more difficult to communicate technical issues without being in person - but obviously very possible, as the number of very good technical blogs can attest to.

mr_luc 4 hours ago 1 reply      
I've been living 9 months per year in coastal pacific south america -- for the past 7 years.

I am not a "nomad", and my experience is the opposite -- I am much, much more productive working remotely. I did actually enjoy the article for the useful information it can provide others considering this, but (as many of the comments in this thread point out) the author is clearly Doing It Wrong. I don't think it has much bearing on working internationally.

Two thoughts:

1. 'I changed a massive part of my life and, 2 months in, I feel less efficient!' Gee, really? 2 months is just about long enough to investigate a new location, but it pales in comparison to the amount of time you've spent optimizing your life in your old locations.

2. Home base. Living. Everyone here is saying the same thing: you need a solid, stable home base. Maybe there are rare butterflies who can flit from hostel to hostel and feel good. The rest of us typically have more of a relationship with our surroundings.

I hate traveling. I love living in great parts of the world, though.

I have a modest 2-story house I bought, one block back from the ocean in an 800-person fishing village. It's my home base.

I am fantastically productive when I am there. Far, far, far more so than when (maybe close to launch date) some clients request that I sit in their lovely, stylish, noisy open-plan offices, where you cannot take a nap and where you have the mental barrier of a commute bookending your days.

dageshi 23 hours ago 2 replies      
Having done this a bit, the answer is in my experience, figure out a good location in a particular country, in Thailand I'd say Chiang Mai, in China perhaps Yangshuo, Cambodia Siem Reap or Sihanoukville. Get yourself a cheap place/room for a month or so, do some serious work then when you've completed whatever it is you're doing do some proper traveling.

Trying to do it all at once is mostly a killer. That's not to say you can't do maintenance and smaller tasks while actually traveling, but really building anything meaningful actually requires a lot more concentration in my opinion.

motters 1 day ago 2 replies      
"Even though it might be obvious, during my travels I found out the hard way that creative, meaningful work requires some routine. Changing your location once a week, working from benches, hammocks, cafes, bars and hostel floors is a cool way to fund your vacation, but it certainly doesn't help you when tackling hard programming problems."

And this is what I've also found. In order to be able to do anything of any significance you need to make the rest of your life as routine as possible in order to minimise distractions. Continually moving around requires you to do a lot of extraneous work merely to reproduce your labour.

personlurking 1 day ago 5 replies      
Being and having been a digital nomad for the past several years, it can become tiring having to switch up location and work setting so often. While living in Rio de Janeiro, I often wondered how people who are from there work in office buildings in the wealthy neighborhoods (which are a stone's throw from the beach), deal with knowing that fun and sun is literally 5 minutes away at any given moment, that people are always on the beach enjoying themselves while you have to be stuck up in your office with a possible view of the sea.

In any event, I wasn't one of these people as I could take a break when I wished and hit up the beach, etc. It was great...until the project that kept me financially stable went under. Instead of looking for more work, I sacrificed the need to work more for the free time (and ability) to very cheaply or freely enjoy myself in my surroundings, eventually tiring of demanding little of myself after a few months (you can only be young-ish and 'hang' for so long). It's great living in a beautiful place, but even better when that place is very affordable (or, in the least, when you've found a way to make it affordable...almost an art in itself).

In the Bay, I almost never went out because everything cost money and therefore my friends only did things that cost money. Being poor in US standards was social suicide.

In Brazil, I was going out 4-5x per week! My average night out in Rio I'd spend about US$5, maybe $10 (drinks included, try doing that in SF!). Plus, there's just so much to do for free, from hiking to beaches, to free concerts and art exhibitions...you name it. Things that other young people are also doing, mind you. In developing nations, or even economically strained ones (I'm in Portugal now), where most people are on a budget, I find the amount of fun and interesting things to do, for free or cheap, increases. Not only do the events and activities increase, but the number of people doing them increases, too.

Being a digital nomad, with at least one stable project, in places like these is where the 'good life' is. But when that stable project goes bye-bye, the sense of the good life goes with it, no matter where you are.


As an aside, having just read the article, I saw that it's a minimalist blog (post) on github.io, which I'm not familiar with. From their landing page, I don't see any offer for blogging.

On Wordpress, I couldn't find any theme like this but on HN I come across these types of entries somewhat often, though this is the first I've seen from github.io. Anyone know how I can get a free one like this, where there's just a white page and words, via any blogging service?

cmeranda 1 day ago 1 reply      
Programming (for me) occurs at the apex of an extended Maslow's type hierarchy, and traveling often destroys the very foundations of it. The code I write when sleep-deprived, hungover, hungry, sunburnt, and sitting on a bumpy Thai train wondering if I missed my stop and wishing there was internet & coffee, is strongly inferior to what I write in a well-lit, quiet environment, fed, rested, fueled by engineering conversation and mental/real bandwidth, etc. That's not a proscription of adventure so much as an acknowledgement that the whole nature of adventure is disruptive: multiple variables in your equation are changing at rapid rates, and they are important variables: food, shelter, language, currency. Over our two-year stint in Asia, we usually found ourselves in one of two situations: 1) blissfully immersed in the culture and outdoor activities of <x> country but contending with unreliable internet, limited work time and near-nonexistent attention spans, or 2) sitting on a nice nondescript hotel bed somewhere with A/C, good wifi and our tiny MacBook Air screens, and feeling like we may as well have not left the US at all.
Lucadg 20 hours ago 0 replies      
I worked online, ran my "little Airbnb" and travelled/lived in more than 50 countries since 2001. The fact that your productivity suffers can be interpreted in a positive way: you CAN'T work too much because you are kept busy with the non-routine stuff. I absolutely love it and wouldn't change this for a 100% productive environment anytime soon. It's my protection against the work-a-lot-buy-stuff-you-don't-need routine. So I am forced to spend money on non-trivial things, as keeping the flexibility is expensive. When I need to get some serious work done I stay in Italy, Bangkok, Bali or Prague for a few months. It takes me a couple of weeks to settle in Bali, 1 day in Prague (I just need to rent an apartment), 1 day in Bangkok and more or less a week in other places. I also did a lot of backpacking (a few days in each place) and I agree that this greatly reduces the productivity. You have to find the balance which works for you, anytime, anywhere. Not easy, but it's there somewhere.
cmccabe 19 hours ago 1 reply      
Excessive travel is terrible for the environment. You can easily generate many times the amount of carbon dioxide you would emit by driving for a year, simply by taking a long plane flight or two. http://www.nytimes.com/2013/01/27/sunday-review/the-biggest-...

Travel is nice, but not when you do it just to brag about having gone to X countries in Y days. Then it just becomes a status thing, and is, as the author notes, "kind of douchey." The internet, good news sources, and documentaries can broaden your horizons even without leaving the house.

SyneRyder 1 day ago 1 reply      
"Stay in one place for a while" is fantastic advice. One week is barely enough time to get settled - every time you move you need to find stores, amenities, cafes etc. Two weeks is much better (and you'll appreciate the place more), but even longer is better if you really want to get work done.

A nice room is great advice too - makes a huge difference to your happiness if you can wake up each morning to an amazing view & sunshine in a good location, compared to a small cramped hotel room in a sketchy area. Obviously you have to go with what you can afford, but a cheap AirBnB can be dramatically better than a hotel sometimes.

The downside of getting a 'real job with an office' is that you might not be able to negotiate that 2 months annual vacation, or to get the vacation at times that suit you. You'll have to prioritize what you really want.

gexla 1 day ago 1 reply      
I'm somewhat doing this, I made it as far as the Philippines and then I sort of planted myself. When sticking to one place, it's pretty much the same as being planted anywhere else. Obviously the author of the article moved around a lot more.

My advice for S.E. Asia is don't get a hostel or AirBnB room. Get an actual apartment or even a house. Where I'm at you can get either month to month for $100 to $200 per month easy.

My work takes a lot of my time, so I don't travel much. There is no way I could move around a lot. But with a good gig it's easy to take some time off and travel to another place for a couple of weeks. Flights are cheap to anywhere in the region and there are a lot of interesting places nearby.

So, use your house or apartment as your home base and then take lots of vacations.

Even just living abroad can get old though. After a number of years you wonder why you are doing it. What's the point? You begin to find out what really matters in life, which to me is family, my craft and... food! I haven't had real Mexican food for far too long. I would kill for a Subway sandwich. Even worse is that the Philippines isn't known for its food.

But then, there are good reasons to stay as well. I think there is a lot of opportunity in S.E. Asia. I feel like I'm not missing out on opportunity in the U.S. because most of my work is there anyways and I already know the culture.

ETA: I don't see how you could go out 5 nights a week. Even with just a few drinks and going to sleep later than usual, I feel it the next day. It's not even hangover, I would feel the same the next day just from screwing up my sleep schedule. If I did that 5 nights a week I would get nothing done. I generally get up crazy early to be available towards end of day for the U.S. though (12 hour difference from New York.)

hawkharris 23 hours ago 2 replies      
Alex, you're a very skilled storyteller. I enjoyed reading the post.

I have one small piece of constructive feedback: your use of commas was a little confusing at times, and it slowed down my reading.

Commas can be tricky, and I sometimes struggle with them as well. Here's a quick guide that I find useful:


heyitsnick 16 hours ago 3 replies      
I see there's lots of insightful comments here from "digital nomads." Are there any good forums or communities online where you congregate to discuss these issues?
config_yml 1 day ago 1 reply      
"And to be completely honest, it's just not enough. I believe that working with a team of people that are more experienced and smarter than yourself is crucial for your development, and as a freelancer, doing minor gigs involving some MVC/CRUD application programming, you just miss out on a world of possibilities to grow and learn."

I've experienced this as well, it was my main grief with working by myself and on the road and ultimately led me to join a company again part time. Sadly the team I joined isn't really what I expected from a team, so I'm already on the lookout again :(

jonmy 12 hours ago 0 replies      
I'm a location independent UX/UI, startup guy who has been doing this for a long time. Over the years, I've raised capital for one startup, worked with high-profile clients on complicated projects, and worked on my own stuff, all while being more or less unattached to a location.

I've clocked time in South America (Ecuador, Argentina, Chile, Uruguay), Mexico, Taiwan, India, China, and Southeast Asia (Vietnam, Malaysia, Thailand) and the list goes on. I'm not dropping these locations or the info above to show off, I'm simply lending perspective.

I slow travel - meaning I usually set up for at least 3 months, if not longer. My most recent stint was on and off in Ho Chi Minh City, Vietnam for 6 months+ where I was lucky enough to get embedded in the local startup scene.

The biggest flaw with the article and the idea of the digital nomad as presented in general is prioritizing lifestyle over business.

It makes being a "nomad" seem like a wandering soul hopping gig to gig taking advantage of low cost locations without much strategy or purpose. Additionally, I sense the job or employee mindset in the tone of the article, which is fine, but I wouldn't hit the road with that mindset.

If you're going to take on this lifestyle you can't have an employee mindset. It won't work, and most will end up broke or bored trying to sustain the lifestyle and scrambling to try and find remote work.

A whole point of being location independent, which the article neglects is how you can be more strategic about your location, expand your network by being exposed to serendipitous opportunities that would have otherwise not presented themselves, and grow your business.

The opportunity to expose yourself to places and people on an upward trajectory, and how you can add value to those situations and take advantage of them should be a priority at the top of the list. Not just a beach hammock, backpacker ghetto or a cool place to work and Instagram.

Otherwise, what's the point.

VLM 1 day ago 3 replies      
My father did something like this in his later years and I never heard any of the complaints in the article; then again he had an RV instead of a 44 liter backpack and mostly stayed in the USA rather than crossing the world. Connectivity was the main problem I heard about. I guess it's much better now.

Also it's not a binary decision. It's a big planet and you can select whatever tradeoff you'd prefer in a nearly pure analog fashion, it's not exclusively binary "Poland OR Vietnam". For example there must be tens of thousands of places to park an RV in the USA that are similar enough not to be strange but different enough to be an adventure on time off.

Some people set the thermostat to 72F and leave it alone 24x365 (that's me!). Some people alternate setting the thermostat to 85F and 60F every couple hours and complain constantly of freezing or burning up (I work with people like that, it is such a pain to be around). That doesn't mean a third option doesn't exist of setting the thermostat to 67F, or 77F, or randomly varying from 70F to 74F from week to week, etc.

skizm 22 hours ago 0 replies      
Has anyone tried this working only in the United States? I feel like this would be easier as internet access isn't at a premium (you can always tether on your smart phone worst comes to worst). The United States also has lots of large clients and if you want a larger technical challenge you can always set up camp near their offices for a few weeks and work in house. On the non-technical side of things you can find any kind of environment you want in the US. Mountains, beaches, cites, etc. I know you won't get the rewards of traveling abroad but you get 90% of what the ideal is and you can always take some time off big projects and travel abroad if you feel like it.

This is coming from a US citizen who loves his country despite all the fucked up shit that its government does sometimes, so maybe I'm biased, but I definitely think the life is possible.

stevenwei 1 day ago 0 replies      
I think the 'digital nomad' lifestyle is an interesting one and definitely worth experimenting with (especially for folks in our industry who truly can work from anywhere in the world), but it is hard to sustain over time.

If you're trying to get stuff done though, I think a good strategy is to pick a place and stay there for a few months, rather than being 'on the road' and traveling around from place to place. You can still be 'location independent' by renting an apartment for 3 months in a foreign country (like the Costa Rica example that was on HN a few weeks ago). But at least then you'll have more of a sense of routine, waking up in the same place every day, and because you have a full 3 months to explore the place, you won't feel as obligated to rush out and see the sights all the time.

It also really helps to be able to set yourself up in an office with an ergonomic chair, external monitors, and proper mouse/keyboard. That might be a bit more difficult to do if you're in a foreign country, but you can definitely buy used and sell again when you leave.

johncampbelljr 1 day ago 2 replies      
I hope to try the digital nomad route in a few years but I have a different take on it.

I'm not looking to sustain a working vacation--I'm interested in experiencing day-to-day lifestyle in different cultures/surroundings. I'm thinking of staying around in terms of months or years, not weeks.

Also, I probably will only try it if I have my own enterprise I can run on the road. I'm currently working as a freelancer but wouldn't think about hitting the road until I have more direct control on projects.

And while I get my ducks in a row I would love for someone to do an airbnb for digital nomads. If it would be easy to find a place to work and a place to live I'm sure I'd be more likely to try it. And I wish some countries would see the revenue opportunity of this! (I'm looking at you Spain, Italy and Greece.)

ivanhoe 5 hours ago 0 replies      
Very good text. I'm struggling with the same problems right now, typing this from a beautiful medieval city in Istria, Croatia, and trying to look at my laptop and not at the wonderful landscapes and Adriatic sea on the horizon. It's harder than it might sound and extremely distracting. And I have to sit here because it's the only place around with a decent wifi. Self-discipline is a b__ch...
homakov 2 hours ago 0 replies      
I don't understand what you are trying to say. I traveled around the world and had no problem consulting people meanwhile.
jfb_1973 21 hours ago 0 replies      
My wife and I were talking about a property we found in Central America that was pretty amazing. Having been a backpacker when I was younger (in the 90s) I always wanted to set up a small hostel/hotel type thing somewhere beautiful.

I wonder if you could build a business serving the Digital Nomad. Basically offer a place to live + a coworking space. The traveling hacker gets the benefit of having a good place to work, plus the benefit of hanging out with other hackers whom you can chat with, maybe even pick up new work.

alexp 1 day ago 0 replies      
Thank you all for commenting. I'm positively blown away. Especially considering the fact that it's just my first note on the blog. And sorry about the commas and possible grammar mistakes. English isn't my native tongue. I must have skipped those classes on punctuation.
StavrosK 1 day ago 0 replies      
As a data point, I went to Barcelona for a month (because remote work) and stayed in a flat with roommates etc, the full citizen thing. I loved it, I worked at home during the day and went out/made friends/saw the sights in the evenings and weekends. It's only one place, as I just roam around Greece usually, but it was a very positive experience.

The hardest part was meeting new people in the beginning, but meetups quickly changed that and I had a blast. I would definitely recommend going to a new city for a month or two (a month is a bit inconvenient, you have to go right when you're making new friends and enjoying yourself).

pieterhg 1 day ago 0 replies      
I have been practicing this lifestyle since April when I moved from Amsterdam to Bangkok & Chiang Mai. While I recognize some parts of the article, I think the general tone is off.

Constantly traveling and working won't work for most. But settling in one place for at least 6 months, finding a good office or co-working space with fast internet, and getting into a routine (like the article states) CAN actually work for many people. It does for me.

Also since you're in a new place, you also have plenty of opportunity to do weekend travels to other countries, as well as local leisure activities. In case of Thailand, that means you can be on the beach in 2 hours from anywhere, or if you're not into that, enjoy the wild nature. And life is cheaper in many of these places.

Not for everybody, but definitely do-able.

karterk 1 day ago 0 replies      
1) get a remote-friendly job that fits your skill set and ambitions. Move every quarter or so. Stay in one place for a while.

That's kind of the best of both worlds. It's actually pretty tiring travelling AND working at the same time. You will have a large amount of context shifts which will destroy your productivity.

I also wish remote work were more common. While it usually works when you know a company really well (e.g. small company with known, trusted colleagues), not many companies are actively trying to make remote work possible.

pwpwp 21 hours ago 0 replies      
I've just travelled through Europe for three months as a location-independent consultant and what worked well for me was to stay at least a week in any place, and travel only on weekends.

This got me into a nice rhythm where I could be as productive as at home.

spaboleo 23 hours ago 2 replies      
I am really wondering how you communicate with your customers?

Do they know that you are living in places where most of them can only dream of going to for vacation? Or do you just simply "not tell them"? How do you handle call requests then? Or situations where the customer just invites you over to discuss the project in detail in person?

And what are their reactions like when you tell them that you currently are living just a stone's throw away from a beautiful sandy beach? What is the quota of lost jobs due to that?


Otherwise really insightful article. I enjoyed it :) And being a frequent traveller myself I would recommend you to stay longer in predefined places. Like you said...catering for the logistics (accommodation, internet access, checking out the neighborhood, finding grocery stores/restaurants) all that is yet interesting but really tiring and time consuming. It is a better choice to stay somewhere for 3 months, plan ahead for the next location during that period and use weekends or other "time-slots" of your choice to explore the region. If you want to travel to a place that would require you to have more time than a regular weekend offers, you should take a vacation. Which would require you to work the time on weekends the weeks before and of course one should stick to a set number of days off per year in addition. It's the student dilemma...when there is no one micro-managing you, people tend to slack off. So you should keep yourself accountable towards yourself in that situation. Like you were employed, but by yourself ;)

Oh and another question: What is your girlfriend doing that she has the time and financial backup to do this with you? Is she working in the same field?

ozim 5 hours ago 0 replies      
I would like to take a different approach, get my gf to some calm place. Have a nice house, good internet connection which is now not a big problem even in the countryside. Lead a simple life far from the city, have my "home office" room. The countryside is cheaper and a lot nicer, I could get great coffee making it myself instead of working from "shops". Traveling would be needed also because it is easier to work with someone you met at least once face to face, or going on vacations but without work. That would be the life of a digital hermit :)
malandrew 17 hours ago 1 reply      
The best way to do meaningful work while living as a digital nomad is to contribute to open source. IRC, mailing lists and Github issues provide all the conversation and decision making infrastructure necessary to make the same architectural choices needed to build something with the same level of substance and depth as any project being tackled in an office environment.
__--__ 20 hours ago 0 replies      
I recently did something similar to this short term (airbnb for a month in SF) and I'm curious: are all digital nomads strictly software guys or writers? I have physical electronics and carpentry projects I like to do in my spare time, so I had a trunk full of tools during my airbnb stay.

Is it possible to do hardware projects on the road? Maybe rely on hackerspaces for tools and such?

Dewie 19 hours ago 0 replies      
On the one hand, I can understand all the complaints here that traveling makes work hard since you often have to forego all the creature comforts you have become accustomed to, and might rely on to a large degree in order to be productive.

On the other hand, programmers are notorious for their binge-coding-marathons, living off less-than-optimal nutrition and little sleep. I can imagine that this type of person could sustain to have a few bumpy days when settling into a new location (of course, even if one can manage to sustain some binge-coding now and then does not mean that you can do it often. So I guess you still might have to find a comfortable setup and routine while away from home, eventually).

timedoctor 18 hours ago 0 replies      
I travelled and worked for over 3 years with 1 month at a time. After working on my time management skills I found that it did not decrease my productivity that significantly (maybe 10% reduction?). This is mostly from things that you cannot get when traveling for example: Multiple big screen monitors, regularly stocked fridge with easy to eat food, extra time taken to find locations to eat and wash your clothes etc.

This is assuming you're switching locations every 1-2 months. If you move locations every week it's a huge drain in productivity as it takes time to get set up and to travel etc.

Have now fixed in one place just because I have a baby, but otherwise would be possible to keep traveling.

I think a bigger problem of constant travel is the lack of a regular community.

lnanek2 19 hours ago 0 replies      
I fly almost every week and, honestly, I get a lot more work done those weekends I stay in one place. Even ordering cars ahead of time you aren't going to get as much coding done when you are hopping in planes and out of cars and waiting for departures, or arranging the next week's hotel stay or other stuff.
pfortuny 6 hours ago 0 replies      
I read, much of the night, and go south in the winter.
dennybritz 23 hours ago 1 reply      
Your blog should have comments. I've done this as well, I've lived in Thailand for 6 months and Japan for a year, and other countries for longer period of time, mostly doing remote freelancing work.

I somewhat disagree with your first point (I've been getting good and big projects), but I completely agree with the second one. There is a lot of mental baggage when you have not "settled" down and don't have established habits. I am starting to think that a more effective way would be to do several weeks of focused work, 1-2 week travel, rinse and repeat.

pjbrunet 20 hours ago 0 replies      
I don't think he mentioned safety or crime either. Law enforcement varies state to state, town to town. Off-limits neighborhoods, speed traps, tricky intersections where accidents are common, quirky customs and conventions. Gang colors? Towing! Some states left turns go first, in Texas left turns go last. Frontage roads in Texas are really crazy and we have life-threatening flash floods regularly. "Turn around, don't drown." Knowledge of local insects, snakes, animals, etc.
agibsonccc 23 hours ago 0 replies      
Great story. This is something similar to what I'm close to building for myself. I had wondered what it would be like if I had actually achieved it. That being said, if I rotate places I would try to stay for a decent chunk of time. I couldn't imagine constant travel. It's just not productive if only for the fact that travel itself tends to limit ability to do work. That doesn't count the cognitive load of establishing a somewhat productive routine.
kimar 21 hours ago 0 replies      
Very interesting discussion as I am just starting my digital nomad life. Like the author suggests, I strongly believe in staying at least a couple months at every destination (where you'd like to get some work done).

One thing I'm curious about is if some of you have tried finding local clients in destinations you visit?

This is obviously easier in big cities than in Kho Phi Phi, and will most likely pay less than a US-based client. Nevertheless, I'd imagine it to be a great way to get immersed in the local lifestyle and solves some of the issues mentioned in the post (eg: timezone, workplace).

bobonaza 6 hours ago 0 replies      
I have been working on, gotten funded, and grown my DIY'd startup while living as a digital nomad. Since being funded I have worked with a number of collaborators. I try to only hire people that move a lot, because I live that way it feels good that the people I get to work with share that lifestyle. We are actually currently doing our first group face2face powwow now for 2 weeks. It's great to be in person together but everyone, myself included, is such a lone wolf that working together in person is awkward. We all disperse to our corners and work.

Hanging out having cigarettes and chatting about development, that's where the value in being together is it seems.

We are hiring again now. Anyone know the best forums to find digital nomads (term is getting worn out) looking for work. It would fit our company's culture to bring on another traveling developer.

rdixit 20 hours ago 0 replies      
I did this throughout India for 9 months. Reliable wifi access is a must and more difficult to secure than you'd think, perhaps. But by moving only every 2 or 3 months, I find there's a good balance between setting up shop, getting familiar with your environment, etc. and just getting shi* done.. YMMV
contingencies 1 day ago 0 replies      
Yes, moving around is a pain. Power adaptors, crappy internet, lost days in airports, missing luggage, carrying things, finding decent accommodation, worrying about visas, changing money, etc.

I'm location independent and change base-cities every year or so. I also spend maybe 6 months per year on the road.

Honestly, I get more coding work done when I'm at my home-of-the-time. But a lot of the soft stuff: running into people in related industries whose brains I can pick, spotting new potential hires, thinking up powerful bizdev ideas, etc. all happens far more on the road. I often stop for extended periods .. a week is typically the minimum.

I've found the most important thing to manage is my own motivation: if work is getting in the way of relaxing, I can it for awhile. If relaxing is getting in the way of work, I can it for awhile.

Being in a stationary, fixed environment with ongoing overheads and investments in random rapidly depreciating junk (like vehicles) is personally not a good situation for me. I get demotivated pretty immediately. On the other hand, sometimes transient living feels like it's getting long in the tooth, too. If that happens, I tend to switch it up a bit and pop cultures, rent a place longer term. The grass is always greener, right? As it turns out: often it is. And when you go back to somewhere you'd been before, both you and the place have changed.

Bonus poem excerpt (sorry to those scrolling!):

They'll allow me to choose,

Where to settle anew,

Be it in east or west.

But with dollar now sliding,

And frequent poor tidings,

The orient does rather seem best!

Aye if USA visas,

Berkeley feminist divas,

Could yet warrant a tired "may-be"...

With all due respect,

Most are pains in the neck,

And I love a good foreign lady.

So at present juncture,

(Passed global acupuncture)

I dream happily now of returning...

To the rhythms of life,

Of an eastern respite,

From the world of democracy burning.

nickthemagicman 23 hours ago 0 replies      
cottonseed 1 day ago 6 replies      
The author needs to learn how to properly use the comma.
davidgerard 17 hours ago 1 reply      
If you're going to take a holiday, take a proper damn holiday. "Digital nomads" are fictional characters from Charlie Stross novels. (Or, if you're unlucky, Cory Doctorow novels.)
Cocktails for programmers github.com
248 points by bencevans  4 days ago   169 comments top 32
tptacek 4 days ago 5 replies      
Malibu, Crème de Menthe, Jager, Triple Sec, Vodka & Coke, Kahlua. These seem like cocktails for programmers... earlier in their careers, shall we say.
teddyh 4 days ago 6 replies      
The title "Cocktails for programmers" gives me the same feeling as would the phrase "Leaf blowers for stamp collectors".

Yes, a stamp collector might use a leaf blower, but it would not be relevant to collecting stamps. On the contrary, using a leaf blower while collecting stamps would be inadvisable.

westicle 4 days ago 3 replies      
A good cocktail showcases and highlights the component spirit(s) to make a more interesting and (hopefully) tasty drink.

Unfortunately when cocktails are based on nasty components, they often end up trying to disguise the spirit with sugary mixers like fruit juice or coke.

If you're interested in cocktails and don't mind diving in the deep end, try an authentic Sazerac:


Remember: the point is to highlight the primary spirit, so start with something good: http://www.anchordistilling.com/spirits/old-potrero-straight...

ibejoeb 3 days ago 2 replies      
Gotta chime in here because I do this professionally.

This is why people don't like cocktails. These are seriously terrible. I wouldn't serve any of these, ever.

I don't want to be overly negative here, but no number of pull requests will fix this. Rather than try to salvage these, I will offer take out anyone who's interested and introduce you to a bunch of the top folks in the food and drink biz. There's really not a friendlier group of people, and learning about wine and spirits is a lot of fun.

yawgmoth 3 days ago 3 replies      
The C#, it turns out, is the same as a Java but with a finer stock of liqueurs. The recipe for C#.NET however, is proprietary and no one can quite explain why one in a thousand makes you ill, or why the bottom of the glass seems to fall out sometimes.
bookface 4 days ago 4 replies      
It's missing the BASIC:

    10 tequila
    20 GOTO 10

aylons 3 days ago 1 reply      
C is pure vodka, hard, powerful and without any flavor.

Assembly is pure ethanol.

Still thinking how would VHDL be... thinking about raw sugar cane to make your own alcohol from there.

jpea 4 days ago 4 replies      
So, PHP is the one where they mix all of the ingredients in your liquor cabinet together and top it with a raw egg, right?
venti 4 days ago 4 replies      
Another cocktail is the "Tschunk", which is hugely popular with hackers here in Germany. See the recipe here: https://entropia.de/Tschunk (the main ingredient, a carbonated, caffeinated soda called "Club-Mate", is difficult to source outside of Germany, though).
meerita 4 days ago 1 reply      
I don't see a Campari one :D, but here goes my daily cocktail:

1. half glass of Campari bitter
2. Ice
3. orange
4. a shot of water-soda

(never use tonic or white wine; if you like it a bit more alcoholic then use some cava or champagne [sparkling wine])

sdfjkl 3 days ago 1 reply      
Lacks a non-alcoholic option, for programmers who need to do programming.
stuaxo 4 days ago 3 replies      
Each to their own, these all look undrinkable though!
CmonDev 3 days ago 0 replies      
Ruby, Python and Perl... So nothing strong at the moment?
pittboy 3 days ago 0 replies      
Awesome idea. My friends at ActiveState had a release party and went to the bar to celebrate over drinks. One of the guys ordered a round of shots for the group: "12 shots please, half Tequila and half Jager." The waitress took him literally and brought 12 shots, all with half Tequila and half Jager.

The release included a GUI version of an existing command line tool because a certain customer wrote in saying "F&*k this DOS prompt BS, I want a GUI".

We now call this awful shot "The DOS Prompt".

ciderpunx 3 days ago 5 replies      
Hex on the beach.


JonnieCache 4 days ago 1 reply      
Now I want a bartending robot with its own drink-mixing DSL.
arvinjoar 21 hours ago 0 replies      
Why not specify the amounts in centiliters? All the amounts end with 0 anyway.
dylanrw 3 days ago 1 reply      
While not themed after languages and such, I keep a gist of my favorite cocktails I either want to try or the recipes me and my friends have come to enjoy: https://gist.github.com/dylan/6093669

My engineering pals think me using a gist to store recipes is funny... :P

skisly 4 days ago 0 replies      
Nice... tomorrow I will get a "Python" for a start. I think the result will be "Memory Leak", and the party will be over after "Epic Fail" :)
kvcrawford 3 days ago 2 replies      
This is nonsense. I'll have a Jameson on the rocks, please.
mwsherman 3 days ago 0 replies      
C# would need to be citrus-y (C and sharp). It would go very quickly but might take a while to build.
wturner 4 days ago 1 reply      
I suppose 'brainfuck' would be an Absinthe mix of some sort.
cowls 4 days ago 3 replies      
Nice ideas, though I think Java is sorely missed here.
ArekDymalski 3 days ago 0 replies      
Hmmm... so the recipe for Befunge would be:
1. Pour a pint of beer
2. Pour a shot glass of vodka
3. Drop the glass into the beer
4. Drink quickly
5. Start flowing in all directions
TeMPOraL 3 days ago 4 replies      
Any ideas for Lisp drink?
reccles 3 days ago 0 replies      
I'm surprised there isn't a "Java" with some sort of coffee + liqueur.


Lua Kahlua.

edsiper2 3 days ago 0 replies      
I am turning 33, give me a Memory Leak please!


vezzy-fnord 3 days ago 0 replies      

First we had the 'how to shoot yourself in the foot in X language' jokes.

Now we'll have jokes about what cocktails different programming languages would be. Not bad, I might compile them in a page some day.

tbrake 4 days ago 0 replies      
Reminds me that webtender is still going strong.

The younguns at work were terrified of its layout and design when I showed it to them but it's a solid site.

deletes 3 days ago 1 reply      
So according to logic, assembler is pure alcohol?
daGrevis 4 days ago 0 replies      
I really like Long Island Iced Tea, what about other hackers?
chatman 4 days ago 0 replies      
More useful is Mojito Cocktails https://github.com/yahoo/mojito
       cached 16 September 2013 15:11:01 GMT