hacker news with inline top comments    3 Jan 2014 Best
1
What I Didn't Say paulgraham.com
1230 points by twampss  3 days ago   566 comments top
1
grellas 3 days ago  replies      
A word about credibility. It comes from the Latin word credo, meaning "I trust." Its value exceeds that of money because it marks you as a person - as someone who is respected, who is trustworthy, and whom you would want to count as a friend. It marks you not as perfect but as special. It makes others ponder not so much that they did the last deal with you but that they would want to do the next deal too. Just as we build credit through many transactions, so we build credibility by the very pattern of our lives. Credit and credibility derive from the same root and signify the same thing: when in doubt, we can trust the one who has either trait. Not blind trust, just a benefit-of-the-doubt level of trust.

Well, pg has earned our trust and deserved the benefit of the doubt when something so off kilter as this is attributed to him. He did not get it here, and that is a sad testament to how crowd-inspired frenzies can bend our perceptions in such faulty ways. Let us only hope that we can learn some good lessons from this.

pg's response is actually priceless: it is like a soft-spoken witness upending a bullying lawyer who had just viciously attacked him, leaving the attacker reeling for all to see. Indeed, the mob looks pretty much like an ass at this point and kudos to pg for his more-than-able defense. Very lawyer-like, in a way, but far more classy.

2
Edward Snowden, Whistle-Blower nytimes.com
746 points by Anechoic  1 day ago   155 comments top 4
1
pvnick 1 day ago 3 replies      
That was such a refreshing article. I've been saying it for a while now: I'm hopeful that we're going to see some very positive reforms in 2014 or 2015, as well as an eventual hero's welcome for Snowden. It takes a while for such a massive shift in public opinion, but it's inevitable. The reason it's taking so long is just a knowledge gap with the people that aren't as well-informed and don't know the magnitude of the abuses. As people learn the full scope of what's been revealed they tend to be (for the most part) outraged. I look forward to a couple decades from now, when I can tell my kids about how those of us who were paying attention were all vindicated when the NSA reforms were enacted and Snowden was given a full pardon.
2
r0h1n 1 day ago 3 replies      
Absolutely! I especially loved this part:

>> "His leaks revealed that James Clapper Jr., the director of national intelligence, lied to Congress when testifying in March that the N.S.A. was not collecting data on millions of Americans. (There has been no discussion of punishment for that lie.)"

3
umanwizard 1 day ago 5 replies      
I find it pleasantly surprising -- almost unbelievable, in fact -- that a highly sought-after fugitive accused of treason and practically certain to be found guilty of serious crimes is so widely supported by the public and the media.

Has there ever been another person whom the executive has done everything in its power to paint as a dangerous enemy of the state, whose approval rating was several points higher than the President's and several times higher than that of Congress? Or is this a never-before-seen situation?

The inverted totalitarianism[1] we live in can seem almost invincible, but this to me is a big glimmer of hope that some people at least are still unwilling to swallow the (two-)party line.

I hope this leads to some real change, but then again, I can't exactly hold my breath.

[1]: http://en.wikipedia.org/wiki/Inverted_totalitarianism

4
ajays 1 day ago  replies      
On the surface, I welcome this editorial. About time.

But the NYT has deep connections to the USG, so I'm wondering where this editorial is coming from. It could be a trial balloon on the part of the administration to test the public's appetite for a reduced sentence for Snowden.

3
About Python 3 alexgaynor.net
541 points by jnoller  3 days ago   344 comments top 4
1
thatthatis 3 days ago 5 replies      
I'm going to go against the grain here and say that moving slowly is one of my absolute favorite features about python and its libraries.

Rails and Django were released about the same time; Rails is on version 4, Django is on 1.6.

Moving slowly means I can spend more of my time writing code and less of my time upgrading old code. More importantly, every release requires a perusal: did the API change, what's new, are there breaking changes I need to be aware of?

I didn't appreciate how nice a slow but consistent and deliberate release cycle was until I started using Ember which seems to release a new version monthly.

It's generally acceptable to be one or two x.x versions back, but much more than that and the cost of maintaining libraries skyrockets, so you start losing bug fixes and library compatibility.

With Python there's not really a question of whether I can run my code for a year between non-security upgrades, even with a few dozen third party libraries. That stability is immensely valuable.

2
agentultra 3 days ago 4 replies      
I like Python 3. I prefer it. It is better to program in than 2.x. Iterators everywhere, no more unicode/encoding vagueness, sub-generators and more. It is a much better language and it's hard to see how it could have evolved without a clean break from its roots.

However it has been interesting to follow over the last five years. It has been a sort of, "what if p5 broke the CPAN," scenario played out in real-life. Breaking compatibility with your greatest resource has a painful trade-off: users.

Everything I work on is not even considering a migration to Python 3. OpenStack? A tonne of Django applications that depend on Python 2-only libraries? A slew of automation, monitoring and system administration code that hasn't been touched since it was written? Enterprise customers who run on CentOS in highly restrictive environments? A migration to Python 3 is unfathomable.

However my workstation's primary Python is 3. All of my personal stuff is written in 3. I try to make everything I contribute to Python 3 compatible. I've been doing that for a long time. Still no hope that I will be working on Python 3 at my day job.

Sad state of affairs and a cautionary tale: "Never break the CPAN."

3
evmar 3 days ago 2 replies      
I like to think of engineering as "solving problems within a system of constraints". In the physical world, engineering constraints are things like the amount of load a beam will bear. One of the primary easily-overlooked constraints in the software world is backwards compatibility or migration paths.

There are many examples of systems where many look at them today and say: "This is terrible, I could design a better/less-complicated system with the same functionality in a day". Some examples of this dear to my heart are HTML, OpenID, and SPDY. It's important to recognize the reason these systems succeeded is they sacrificed features, good ideas, and sometimes even making sense to provide the most critical piece: compatibility with the existing world or a migration plan that works piecemeal. Because without such a story, even the most perfect jewel is difficult to adopt.

The OP, about Python 3, is right on except for when it claims making Python 3 parallel installable with 2 was a mistake; doing that would make it even more impossible to migrate to 3 (unless the single binary was able to execute Python 2 code). (Also related: how Arch screwed up Python 3 even more: https://groups.google.com/d/topic/arch-linux/qWr1HHkv83U/dis... )

4
themgt 3 days ago  replies      
It's fascinating to compare this with Ruby 1.9, released around the same time, but seemingly with a slightly better cost/benefit ratio, having nice new features and also significantly improved performance, and with Ruby 1.8 being deprecated with a lot more speed and force. It got everyone to actually make the switch, and then Ruby 2.0 came along, largely compatible and with more improvements, and now Ruby 2.1 seems to be an even smoother upgrade from 2.0.

The ability of the Ruby core team to manage not just the technical aspect of making the language better, but to smooth the transition in a way that actually succeeded in bringing the community (and even alternate Ruby implementations) along with them, hasn't been given nearly enough credit. You could analogize it to Apple with OS 9 -> OS 10.9, versus Microsoft with people still running XP.

4
We're About to Lose Net Neutrality wired.com
525 points by joseflavio  4 days ago   261 comments top
1
pvnick 4 days ago  replies      
I consider everybody here very smart. In many cases smarter than myself. Therefore, could somebody please explain why we would give the government, which has shown itself to be terribly incompetent with technology issues, the ability to enforce net neutrality? Seriously, I can't get over the dissonance here. If it's such a shitty idea, let consumers decide. Google Fiber et al will just eat the major telecoms' lunch sooner or later anyway. It may just take a little longer, but we'll avoid the possibility of letting the government crush Internet innovation forever.
5
Backdoor found in Linksys, Netgear Routers github.com
519 points by nilsjuenemann  1 day ago   135 comments top 15
1
maxk42 1 day ago 10 replies      
About a year ago I left a cable modem and internet service (Time Warner) at an apartment I was moving out of while my friend continued to stay there. I had configured the thing in a manner I thought to be fairly secure -- strong password, no broadcast, etc. One day the internet goes down and my friend doesn't know what to do. She calls the ISP and asks them what's wrong. They say they can't release any information about the service to her without my permission, so I suddenly get a three-way call explaining that my friend and the ISP representative are on the line and I need to give my authorization to access the account information. Being the person I am, I attempt to troubleshoot things over the phone before giving out any sort of account credentials. Eventually, I ask her to log into the router configuration page. She doesn't know the password and the first one I gave her doesn't work. The representative chimes in, "That's fine -- I can just change it from here."

"...What?"

I was furious. Time Warner had left a backdoor in all their modems that gives them administrative access to my private connection. And yes -- she did alter the password remotely. She didn't seem to think there was anything wrong with this. I tried googling for relevant information, but wasn't able to find anything more than speculation at the time.

2
earlz 1 day ago 3 replies      
Interesting. Reminds me of the hack I did on a (mandatory) modem/router forced on AT&T users. They had a bunch of problems with it, so one day I got fed up after the millionth disconnect and cracked it open. Got a serial root shell by using the "magic !" command (completely randomly discovered) and dumped the source to the web UI (in Lua/haserl). From there I found the equivalent of a SQL injection vulnerability and used it to gain a remote root exploit.

Most annoyingly, AT&T put out a firmware update some months later that closed the exploit, but didn't fix any other problems. So, I found another more intrusive/permanent exploit. Still waiting on them to patch it next, heh. But now they are actually putting out some updates that actually fix problems too, at least. Hopefully user uproar will continue to drive them to fix more problems.

3
midas007 1 day ago 1 reply      
This is not surprising. It's a calculated risk to make a product just good enough. Development resources invested in retail wireless gear are minimal. I've worked on firmware for high-confidence industrial wireless gear used in mines. Most of them fall over under load, run obsolete+unpatched code and/or reboot randomly. Retail customers will tend to just put up with it and not return the product before the merchant's return grace period.

It's a totally different attitude when the intended market is enterprise: it's assumed that if a product causes a failure, the vendor is going to receive escalating, unpleasant phone calls until it's resolved.

4
nlvd 1 day ago 1 reply      
"And the Chinese have probably known about this back door since 2008." http://www.microsofttranslator.com/bv.aspx?from=&to=en&a=htt...

That's a pretty scary prospect, if it's been 'known' and exploited since at least 2008. Poor form, Netgear/Linksys.

5
dbbolton 1 day ago 4 replies      
Has there been a technical write-up on this yet? I honestly tried to read the presentation and had to quit after the third superfluous meme slide.
6
nwh 1 day ago 1 reply      
I have confirmed this (or something similar) is present in the Netgear DG834N as well.
7
elwell 1 day ago 3 replies      
TIL: Some people know a lot more than me about hacking. That PDF was interesting, but I only understood a small fraction of it.
8
atmosx 18 hours ago 0 replies      
I live in the Czech Republic and my Zyxel from O2 has port 7547 open (Allegro RomPager 4.07), and you can't do anything about it. There is no editor on the installed Linux version (a cropped-down Linux, probably OpenWRT or something similar), no package manager, no nothing.

If I flash the firmware, the warranty is void and I have no user/pass to re-enable the ADSL. So basically, my router is a hostile AP.

Given that it's a common pattern among ISPs in order to offer quick service - I firmly believe that ISPs do it for practical reasons - and that it ends up killing your security, the best thing is to put the router in bridged mode and get a cheap custom-made router like the carambola2[1] and install FreeBSD[2] on it.

Disclosure: I donated one of these devices to Adrian Chadd[3] in order for him to port FreeBSD on this device, which enabled me to use PF[4] - my favorite firewall - but I have no affiliation otherwise with 8devices or FreeBSD.

[1] http://8devices.com/carambola-2

[2] https://wiki.freebsd.org/FreeBSD/mips/Carambola2

[3] https://wiki.freebsd.org/AdrianChadd

[4] http://pf4freebsd.love2party.net

9
salient 1 day ago 3 replies      
Can this be fixed by changing the firmware to OpenWRT or DD-WRT?
10
thrillgore 5 hours ago 0 replies      
Thankfully I have an older WNDR3700 and I remain unaffected.

However, seeing mention of (and an implementation of) Dual_EC_DRBG in the slides immediately gives me a lot of pause regarding the security of my router. I love memes more than the next guy, but this guy really went out of his way to make this confusing to understand.

11
redx00 1 day ago 1 reply      
Has anyone ever tried submitting a GPL request to http://support.linksys.com/en-us/gplcodecenter ?

I wonder if there is anyone still working in the GPL compliance department.

12
dobbsbob 1 day ago 2 replies      
Buy a $200 soekris box and install openbsd or m0n0wall on it, or on any old pc you have lying around with 2 network cards.
13
billpg 1 day ago 1 reply      
I've used GRC's "Shields Up" and asked for a user-specified probe for port 32764 and it came back "Stealth".

Assuming GRC isn't out to deceive me, can I assume that my router is fine?

Bill, using a Netgear router.

14
m86 1 day ago 2 replies      
ScMM = SerComm, perhaps?

Many of Linksys' old DSL modems were manufactured by them, AFAIK, and it seems many of the noted 'probably affected' models have a SerComm manuf'ed device for at least one revision of that model line.

More probable SerComm manuf'ed devices are visible at the WD query link below:

http://wikidevi.com/w/index.php?title=Special%3AAsk&q=[[Manu...

15
jacob019 1 day ago  replies      
Is this backdoor only served up on the WLAN, or is it also exposed to the internet?
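An external scanner such as Shields Up only sees what your public address answers, so a LAN-side check is the complement: connect from inside the network to the gateway on the port named in this thread and classify the result. This is an added example, not code from the linked repository or from any commenter; the gateway address is an assumption, and the probe only completes a TCP handshake and speaks no protocol.

```python
"""LAN-side reachability check for TCP port 32764 on the home gateway.

Added example. GATEWAY is an assumed default address; adjust it to your own
network. The probe performs a plain TCP connect and sends no data.
"""
import socket
from contextlib import contextmanager

BACKDOOR_PORT = 32764          # port named in the thread
GATEWAY = "192.168.1.1"        # assumption: a common default gateway address


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open' (handshake completed), 'closed' (connection refused)
    or 'filtered' (no answer before the timeout, or no route)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "closed"
        except OSError:
            # Network unreachable, no route, etc.: indistinguishable from a
            # dropped packet for our purposes.
            return "filtered"
        return "open"


@contextmanager
def local_listener():
    """Constructed stand-in for a device with the port listening: an
    ephemeral TCP listener on loopback, so the 'open' path runs offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    try:
        yield srv.getsockname()[1]
    finally:
        srv.close()


def self_check() -> dict:
    """Exercise both outcomes on loopback: probe an ephemeral listener while
    it is up ('open'), then the same port after the listener has gone
    ('closed', since the kernel answers with a reset)."""
    with local_listener() as port:
        while_listening = probe_tcp("127.0.0.1", port, 1.0)
    after_close = probe_tcp("127.0.0.1", port, 1.0)
    return {"listening": while_listening, "nothing": after_close}


if __name__ == "__main__":
    print("loopback self-check:", self_check())
    result = probe_tcp(GATEWAY, BACKDOOR_PORT)
    print(f"{GATEWAY}:{BACKDOOR_PORT} -> {result}")
```

A 'filtered' result from the LAN side still says nothing about the WAN side; run both checks and treat any 'open' as a reason to put the device behind something you control.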
6
Vacations are for the weak sethbannon.com
391 points by sethbannon  19 hours ago   311 comments top 2
1
equalarrow 15 hours ago 8 replies      
I think the big takeaway here is that a lot of companies don't care: these are the rules and you accept them or not. Most people accept them - they feel like they have to. I've done it quite a few times.

But what we really need is more self-realization like this at the top. This is where the change for these sorts of policies can happen. On one hand, it's really sad that we're so work obsessed here - money is more important than people so much of the time. But, on the other hand, there is still room and freedom to make your own way and write your own rules.

I think about this topic a lot, especially because I am fighting burnout myself. I didn't do any work for most of xmas break and when I went back this week I kept thinking "I need another few months off". I even had to push for the two days after xmas off - there was a little push back from the CEO since we're a small 4 person company. But, I'm a little older than everyone and I was thinking "fuck it, I need to chill".

Ideally, my dream job is to just work for myself (I'm sure that's everyone else's too). Sure, there are tradeoffs with that, but there's something about working when you want, where you want. I think there can definitely be a balance between being on vacation a lot and outsourcing all the non-important work to other people who will do it. Tim Ferriss is a great read for this type of living and it exemplifies the work-to-live-not-live-to-work thing (or work as little as possible and really live).

I did a vacation a few years ago where my wife and mother-in-law went to Spain. It was awesome, my first time there, but I was 'pressured' by work to keep crankin on our app. It was such bullshit and I was really pissed about that pressure - vacation was not vacation. I told myself: 1) I'd never work for someone else on vaca again - ever, and 2) I'd never make anyone else do that. Needless to say after a few days I was like, 'fuck this, this is the stupidest thing in the world. I'm in one of the best food and historical places in the world and the guys at home want me to keep coding. Bullshit.'

I think there's a point where you either keep going with everyone else's rules or you make your own. Get busy livin or get busy dyin. I'm at the point in my life where I'm getting to the last of dyin for someone else's deal and starting to live for my own. It's not impossible; it just takes discipline and focus. Otherwise, everyone else and I are working under someone else's thumb, by their rules, working on vacation. Dumb.

2
glesica 19 hours ago  replies      
It is unfortunate that so many people are stuck in jobs that don't offer sufficient time off. It seems fairly common for employees to "start"* with just two weeks of paid time off (and many, I think, even lack access to unpaid leave for non-medical reasons).

One might argue that two weeks is sufficient for a week-long vacation every six months, but most people I know use most of their time off for family obligations and "work outside of work" like home repairs. This is a crap situation.

* Quotes because it is becoming less and less common to work for a company for decades, so the traditional system of awarding vacation based on length of tenure is becoming more and more insane. How many people never even get past the initial level of paid time off before switching jobs?

7
Bzr is dying; Emacs needs to move gnu.org
383 points by __david__  1 day ago   290 comments top 3
1
hyperpape 1 day ago 9 replies      
I went back and looked at the older discussion, and it doesn't paint Stallman very well as the head of a project. He pins the question of whether to keep using bzr not on whether it is good or whether the Emacs developers want it, but on whether it's being "maintained".

But then he seems to define maintenance as having fixed a specific bug that's been around for over a year, blocking a point release.

He admits that he can't follow the developers list to see if they're genuinely doing active maintenance (reasonable enough: he has a lot on his plate), but also won't accept the testimony of Emacs developers that the mailing list is dead and there's no evidence of real maintenance.

When questioned, he says that there's too much at stake to abandon bzr if it can be avoided at all. But the proposed replacement is GPL software. This is just madness.

Refs: http://lists.gnu.org/archive/html/emacs-devel/2013-03/msg009....

http://lists.gnu.org/archive/html/emacs-devel/2013-03/msg008...

(and surrounding posts).

2
stiff 1 day ago 2 replies      
FWIW, just a few days ago I was browsing through the Emacs Bzr repository. After a full bzr clone, which took ridiculously long as well, a simple bzr blame takes 40-60 seconds to execute locally, and I have an SSD drive, a four-core Intel i7 and 8GB of RAM. I have never seen this kind of slowness with Git, with any repository size.
3
mikro2nd 1 day ago  replies      
>git won the mindshare war. I regret this - I would have preferred Mercurial, but it too is not looking real healthy these days

I confess that my perception of Mercurial is the diametric opposite of the author's. Recently I believe I have seen a modest resurgence of interest in Hg and increased uptake. Am I just seeing this through some peculiar VCS-warped glasses?

I believe that much of the popularity of git stems from github making it very easy to adopt, something that bitbucket doesn't seem to have pulled off as well.

8
On Hacking MicroSD Cards bunniestudios.com
383 points by fernly  4 days ago   68 comments top 20
1
josh2600 4 days ago 3 replies      
I'm not much into hero worship, but if you guys don't know Bunnie you should really take 5 minutes to understand who wrote this article. Bunnie is a hardware monster of the best kind and an EFF 2012 Pioneer award winner.

He's a hacker's hacker.

2
kabdib 4 days ago 2 replies      
It's amazing how much firmware has these back doors, where the engineers responsible have one or more of the following justifications:

- "I don't care, this is just my job. And I was told to do it by management." [what can I say? This sums up a lot of grunt coders I know]

- "What are the chances that anyone will find this?" [lack of appreciation for how smart and dedicated attackers can be]

- "So what if they do? It's not like it's useful" [lack of proper analysis]

- "How else are we going to run tests?" [poor design / fear]

- "Huh?" [absolutely oblivious about security]

I've worked on projects where we made the very conscious choice to leave doors like this open, but I doubt that most firmware shops are that intentional about it.

3
radicalbyte 4 days ago 4 replies      
So now my microSD card has a CPU 100x faster than my first computer (C64), and access to storage at least 10^5 times larger. Amazing.
4
SwellJoe 4 days ago 1 reply      
So, this has potentially interesting value for implementing secure storage (assuming one can replace the whole firmware with something trusted).

I assume it would be possible to, for instance, make every "delete" operation a secure delete operation...wherein data gets overwritten a specified number of times. Shortening the useful life of the device, sure, but if security matters, that's a small price to pay.

Going further, what about a handler that serves out one set of data about what's on the device to any random person that plugs it in (like empty or with a few harmless photos or something), and another set of info to someone that has a key? Sure, for a high capability attacker, they might even know about this kind of firmware magic and know how to circumvent it, but it would make it very unlikely that some random person picking up your device would find anything that you want to keep secret.

Obviously, if your data is encrypted on the host system before writing to the card, that's reasonably safe...but for people in really dangerous situations, where torturing someone to obtain their key is not out of the question, making it seem like there's no data to obtain a key for is the best of all possible solutions.

5
Udo 4 days ago 0 replies      
For me, the big take-away here is not that SD cards have firmware that can be reprogrammed, but that there's apparently an opening for a comparatively high performance, cheap Arduino competitor. Being decidedly on the software side of things, I have to admit I was surprised to see that a 100MHz core with loads of memory could be produced for just a few cents now. There are probably dozens of low-cost places where fabrication of such a SoC would be only a minimal departure from churning out flash cards. I'd say let's do exactly that!
6
Spittie 4 days ago 1 reply      
It's kinda scary how many microprocessors and different firmwares are needed/used in today's computers/hardware, and how each one of them adds a new point of failure.

I was reading just today a similar article, but involving HDDs instead of microSD cards (and even with a PoC): http://spritesmods.com/?art=hddhack

7
briandon 4 days ago 1 reply      

  It's as of yet unclear how many other manufacturers leave their firmware updating sequences unsecured. Appotech is a relatively minor player in the SD controller world; there's a handful of companies that you've probably never heard of that produce SD controllers, including Alcor Micro, Skymedi, Phison, SMI, and of course Sandisk and Samsung.
Which begs the question: so why target Appotech rather than Sandisk or Samsung?

8
nona 4 days ago 2 replies      
This and the article on Der Spiegel [1] mentioning how the NSA has a whole catalog of custom firmware for all major HDD makers tells me never to yield to the temptation of relying on built-in hardware-based full disk encryption.

[1]: http://www.spiegel.de/international/world/catalog-reveals-ns...

9
ChuckMcM 4 days ago 0 replies      
Excellent article. I wrote a simple SDIO driver for the STM32F4 and have three different MicroSD cards to test it with (they all behave slightly differently), and it's clear that such systems "working" is a small miracle in itself :-) All the vagaries of implementation.
10
gwu78 4 days ago 1 reply      
From Bunnie's page on his "open laptop" project:

"I'm shy on the idea of just selling it to anyone who comes along wanting a laptop. I'm worried about buyers who don't understand that "open" also means a bit of DIY hacking to get things working, and that things are continuously under development. This could either lead to a lot of returns, or spending the next four years mired in basic customer support instead of doing development; neither option appeals to me. So, I'm thinking that the order inquiry form will be a python or javascript program that has to be correctly modified and submitted via github; or maybe I'll just sell the kit of components..."

I hope he chooses the latter option.

If Bunnie is a "hacker's hacker" as someone else suggested in this thread, then I am confused why he believes the proper hoop to make a fellow "hacker" jump through is making sure they know some JavaScript or Python and how to upload to Github.

I thought "hacker's hackers", especially hardware hackers, were not the type to follow the path of least resistance, namely, JavaScript, Python and Github. Whereas, assembly and C (and FORTH, APL, Lisp, etc.) are the languages of the "hacker's hacker".

But that's just me. Maybe I am the only one. If so, pay no mind.

11
K2h 4 days ago 2 replies      
It is a little dated, but this doc shows 200mA required for the card on highspeed writes. I was curious how much power needed to run that little uC.

http://media.digikey.com/pdf/Data%20Sheets/M-Systems%20Inc%2...

12
baruch 4 days ago 1 reply      
I'm not quite sure what is so special here. It is a device, it has firmware, the firmware can be upgraded. The same is true for your HDD or SSD. Why is an SD Card any different?

If someone hands you an SSD in an external enclosure do you automatically suspect it too? A similar hack is known to work there, witness the number of SSDs that needed a firmware upgrade after their field release.

I do applaud the finding of how to do it and the proof that it really does work. It is nice work in that regard, and I have a few SD cards whose firmware I'd be happy to hack for fun if nothing else (damn fake SDs; if they at least just advertised their real capacity they could at least be useful).

13
revelation 4 days ago 1 reply      
You can download the talk from here:

http://wtf1.muling.lu/30c3/Saal_1/Day_3/5294-30C3_-_5294_-_e...

(This is a streamdump, so don't expect seeking to work, and it might cause issues for your player)

14
pedrocr 4 days ago 0 replies      
Just another reason why we need to start getting direct access to the underlying flash instead of relying on vendors to provide a bunch of unupdatable translation software. This is particularly the case with SSDs where the end result of all this is "just buy Intel SSDs if you value your data" with the corresponding price premium.
15
voltagex_ 4 days ago 0 replies      
http://www.youtube.com/watch?v=r3GDPwIuRKI is one of the recordings of the talk. CCC will have others in free formats, if you prefer.
16
analog31 4 days ago 1 reply      
Et Tu, USB flash drives?
17
pasbesoin 4 days ago 2 replies      
I've only read part way through, but good grief, you owe it to yourself to read this. Also, in retrospect, it seems obvious. Nonetheless...

Not having finished the article, one of my initial thoughts: I guess my thoughts and intuition were right. It's not time to throw away those optical disks (and drives), yet.

18
blinkingled 4 days ago 0 replies      
> You are not storing data, you are storing probabilistic approximation of your data

Ha!

19
tommis 4 days ago 1 reply      
So, could this mean that one could theoretically wire a MicroSD card directly into an Ethernet plug and, with some voodoo, harness PoE to create an Ethernet plug with busybox on it?
20
chippy 4 days ago 0 replies      
This is an extremely well written blog post. It should set the standard. Bravo!
9
Snapchat Phone Number Database Leaked snapchatdb.info
380 points by lightcontact  2 days ago   212 comments top 11
1
antimatter15 2 days ago 7 replies      
The top comment on Reddit r/netsec's corresponding coverage has mirrors on Mega.co.nz for the files [1]

I couldn't find my own data in the set, and actually it seems like lots of entire area codes are missing.

Assuming `cat schat.csv | uniq | cut -c1-4 | wc -l` is the proper command, there are only 76 of 322 [2] US area codes represented.

It appears there are two Canadian area codes represented in the database: 867 and 204. There are also 248 US area codes which are not represented in the database. Assuming a relatively uniform distribution of phone numbers in the US (which is not at all a safe assumption), the average US snapchat user has better odds of not being in the list than being in it. Sampling from the set of my snapchat friends who are not in my area code, 3 of 13 can be found in the database.

If your phone number is in any of these states, you're not in the database: Alaska, Delaware, Hawaii, Kansas, Maryland, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Mexico, North Carolina, North Dakota, Oklahoma, Oregon, Rhode Island, Utah, Vermont, West Virginia, Wyoming

[1] http://www.reddit.com/r/netsec/comments/1u4xss/snapchat_phon...

[2] I'm matching a regex against this list http://en.wikipedia.org/wiki/List_of_North_American_Numberin...

2
cenhyperion 2 days ago 1 reply      
Just like to remind everyone that snapchat was aware of this exploit and dismissive in regards to it.

http://www.theverge.com/2013/12/27/5249304/snapchat-dismisse...

3
rdl 2 days ago 0 replies      
Possibly they shouldn't have pissed on the people who notified them of the vulnerability, and on the journalists who broke the story?

(aside from not being vulnerable to this in the first place, but that actually is a lot to ask. I still can't believe anyone relied on the Snapchat model of security more so than any other app, although from an ease of use, non-security perspective, sure, it's reasonable.)

4
aheilbut 2 days ago 3 replies      
I guess I'm dating myself, but didn't we used to call that the phone book?
5
ufmace 1 day ago 0 replies      
Anyone else tried putting together some stats from the info?

                      name                      | areacode | count
  ----------------------------------------------+----------+--------
  Chicago Suburbs                              | 815      | 215953
  Eastern Los Angeles                          | 909      | 215855
  San Fernando Valley                          | 818      | 205544
  Southern California                          | 951      | 200008
  Los Angeles                                  | 310      | 196183
  Northern Chicago Suburbs                     | 847      | 195925
  Denver-Boulder                               | 720      | 188285
  Downtown Los Angeles                         | 323      | 168565
  New York City                                | 347      | 166374
  New York City                                | 917      | 165420
  Fort Lauderdale                              | 954      | 153522
  Northern New York                            | 315      | 147447
  Buffalo                                      | 716      | 144939
  Southern Illinois                            | 618      | 144280
  Boulder-Denver                               | 303      | 139265
  Southern Michigan                            | 617      | 138821
  Northeastern New York State                  | 518      | 138043
  Champaign-Urbana                             | 217      | 135837
  Oakland                                      | 510      | 130531
  Miami                                        | 786      | 117906
  Westchester County, NY                       | 914      | 116632
  Western and Northern Colorado                | 970      | 115378
  San Francisco                                | 415      | 108883
  Miami                                        | 305      | 104415
  Southeastern Colorado                        | 719      | 102932
  Manhattan                                    | 646      |  96646
  Mountain View                                | 650      |  94430
  Chicago                                      | 312      |  70709
  Southwest Connecticut                        | 203      |  60629
  Bronx, Queens, Brooklyn                      | 718      |  51086
  Boston                                       | 857      |  41857
  Central Arizona                              | 480      |  35631
  South Carolina                               | 864      |  33034
  Eastern Ohio                                 | 330      |  32721
  Arkansas                                     | 870      |  28940
  Idaho                                        | 208      |  26827
  Southeastern Virginia                        | 757      |  21170
  Los Angeles                                  | 213      |  13705
  Southeastern Ohio                            | 740      |  11597
  Eastern San Francisco                        | 209      |  11356
  Seattle                                      | 206      |  10623
  Fort Lauderdale                              | 754      |  10131
  Maine                                        | 207      |  10126
  Northern Louisiana                           | 318      |   9842
  Indianapolis                                 | 317      |   8151
  Northwestern Arkansas                        | 479      |   7300
  Manitoba                                     | 204      |   7211
  Minnesota                                    | 320      |   7162
  Southeastern Michigan incl. Ann Arbor        | 734      |   7077
  Eastern part of Southern New Jersey          | 609      |   6952
  Pennsylvania                                 | 484      |   6314
  Manhattan                                    | 212      |   3970
  Pennsylvania                                 | 610      |   3930
  Southern New York State                      | 607      |   3437
  Central Florida                              | 321      |   3258
  New York City                                | 929      |   2651
  Florida                                      | 863      |   2642
  Southeastern California                      | 760      |   2523
  Southwestern Wisconsin                       | 608      |   2217
  Central Texas                                | 325      |   1542
  Central Georgia                              | 478      |   1396
  Western Central Alabama                      | 205      |    825
  Eastern Kentucky                             | 606      |    565
  DuPage County, Illinois                      | 331      |    512
  Eastern part of central New Jersey           | 732      |    507
  South Dakota                                 | 605      |    375
  Knoxville, Tennessee                         | 865      |    263
  Southwestern Connecticut                     | 475      |    253
  Eastern Iowa                                 | 319      |    198
  Georgia                                      | 470      |    163
  Minneapolis                                  | 612      |    103
  San Fernando Valley, LA                      | 747      |     84
  Canadian territories in the Arctic far north | 867      |     31
  Washington DC                                | 202      |      3
  Georgia                                      | 762      |      2
  Dallas                                       | 469      |      1
I wonder where they were getting the numbers to search by from. From how they described the vulnerability, I would have thought they would just iterate through all possible phone numbers. If they're doing that, it's strange how there's exactly 1 number for the Dallas area code.

6
untog 2 days ago 3 replies      
Not at all surprised. Anyone that used the app would be suspicious of the backend behind it. Should have taken that $3bn while you had the chance.
7
scaramanga 2 days ago 2 replies      
CSV: magnet:?xt=urn:btih:bab9548c3770188c70d27ded9b22348f5b979713&dn=Snapch at+database+CSV&tr=udp%3A%2F%2Ftracker.openbittorrent.com%3A80 &tr=udp%3A%2F%2Ftracker.publicbt.com%3A80&tr=udp%3A%2F%2Ftrack er.istole.it%3A6969&tr=udp%3A%2F%2Ftracker.ccc.de%3A80&tr=udp% 3A%2F%2Fopen.demonii.com%3A1337

SQL: magnet:? xt=urn:btih:f7b1cec6280edb8169d63550ba2dfb224df7810d&dn=Snapch at+database+SQL&tr=udp%3A%2F%2Ftracker.openbittorrent.com%3A80 &tr=udp%3A%2F%2Ftracker.publicbt.com%3A80&tr=udp%3A%2F%2Ftrack er.istole.it%3A6969&tr=udp%3A%2F%2Ftracker.ccc.de%3A80&tr=udp% 3A%2F%2Fopen.demonii.com%3A1337

Both: magnet:? xt=urn:btih:fae9c0a8b2eee2f9cc31c713f21a4cda4083612b&dn=Snapch at+Database+CSV+%26amp%3B+SQL&tr=udp%3A%2F%2Ftracker.openbitto rrent.com%3A80&tr=udp%3A%2F%2Ftracker.publicbt.com%3A80&tr=udp %3A%2F%2Ftracker.istole.it%3A6969&tr=udp%3A%2F%2Ftracker.ccc.d e%3A80&tr=udp%3A%2F%2Fopen.demonii.com%3A1337

8
sschueller 2 days ago 1 reply      
I still don't understand why you would turn down $3 billion. How will you ever make money with snapchat and how is it not a fad that will eventually die?
9
aabalkan 2 days ago 1 reply      
It's taking too much time to download each file even though they're 40 MB. I wish they had put it up as a torrent in the first place.

Regarding the leak, yeah, that actually happens when you focus on the product but not on the security and reliability of your system. Snapchat, WhatsApp and many others have been hacked numerous times and yet it still happens.

10
gibsonsecurity 2 days ago 0 replies      
For the record we don't know about SnapchatDB.

But it was a matter of time until this happened; the exploit still works with minor modifications, you just have to be smart about it.

11
stefan_kendall 2 days ago  replies      
This is only useful in wide-net fishing attacks, most of which I'm guessing no one here would fall for.

Anyone interested in you particularly will quickly get your phone number, email address, facebook profile, social security number, or whatever they want if they're determined enough.

Even then, I'm not sure what information this database really provides that could be used to gain some fraudulent or exploitive benefit.

10
I fought my ISP's bad behavior and won erichelgeson.github.io
377 points by helfire  2 days ago   103 comments top 19
1
JoshTriplett 2 days ago 2 replies      
Very nicely done: reporting this as abuse to the companies offering these affiliate programs seems quite appropriate, and it sounds like they reacted appropriately. One person complaining to an ISP is noise; one person making an abuse report is all it takes to get that ISP banned from the affiliate program.
2
afhof 2 days ago 3 replies      
Cox does something similar but bypasses the DNS records and just slipstreams in a response. I noticed Cox would redirect JavaScript requests to their own HTTP server and put in their own snippets, effectively doing mass JavaScript injection.

The snippet ended up being some sort of alert about upcoming maintenance, but using a malicious technique for a benign purpose is the path to the dark side. Use HTTPS!

(I use 8.8.8.8, it didn't help)

3
gpcz 2 days ago 0 replies      
The cynical side of me says that the ISP is just going to redirect the author's traffic to the "pure" DNS server in the future (even when he or she directs traffic to the main one) unless they get in serious enough trouble with one of the companies this first time.

If anyone wants to do this in the future, I'd recommend just sending affiliate abuse emails with no notice to the ISP. Also, the future person may want to revise the [2] script to scan in a more surreptitious manner (change the order, add delays, simulate legit web traffic, etc).

4
jauer 2 days ago 3 replies      
As an ISP, when we were considering using Aspira they claimed that no referral tokens would be replaced and that the only behavior was injecting a popup coupon window.

I decided not to proceed with it because it seemed like a support nightmare and tampering with non-malicious subscriber traffic crosses a line.

Their marketing affiliates (such as Cash4Trafik) are always reaching out to CEO types at small ISPs and the money they bring (particularly when you are small) can be hard to pass up.

5
lambda 2 days ago 2 replies      

  This also shows a weakness in DNS. There is currently no
  way to validate the DNS record you're being served is what
  the person hosting the website intended.
That's what DNSSEC is for, but it hasn't become pervasive enough yet to be able to depend on it.

6
zquestz 2 days ago 1 reply      
Eric, I am very sorry to see this happen to you. Unfortunately more and more companies are using our data for marketing purposes.

All is not lost though.

There are several ways you can protect yourself from these practices. The first thing I would do is get a router capable of using dnscrypt-proxy (http://www.opendns.com/technol.... Then you can be confident that your DNS traffic is not being modified by your ISP. It does require that you have trust in a 3rd party DNS provider like OpenDNS, but at the end of the day you have to trust someone to provide DNS lookups.

The second option is to set up DNSSEC so that you can verify where your DNS responses are coming from. While people will still be able to intercept what sites you're looking up, at least you know you're getting valid responses, which is better than your situation is currently.

Third is to use both. =)

Anyhow, really awesome to see people standing against these practices. It takes users complaining to make change. The sad truth of the matter.

7
dmourati 2 days ago 2 replies      
Super shady stuff. I never rely on any ISP-provided DNS servers. I'm glad you talked to the e-tailers to let them know what was going on. These business practices do introduce latency, regardless of what he told you. Not to mention, they are highly unethical and dishonest.
8
gnu8 2 days ago 1 reply      
Is there a way we can choke companies like Aspira by making a concerted distributed effort to disrupt the referral programs they exploit (either by reporting them or by feeding them false referrals somehow)?
9
sloop 2 days ago 3 replies      
If your ISP and/or Aspira were making any significant amount of affiliate commissions, I would be surprised if the merchants do not take action against them for fraud.

This sounds like the same behaviour that Shawn Hogan got in trouble for with cookie stuffing http://en.wikipedia.org/wiki/Shawn_Hogan

10
tdumitrescu 2 days ago 1 reply      
"I will continue to monitor periodically their DNS entries and compare them with other public DNS servers."

This would make for a great watchdog site to provide visibility across different ISPs (and could also discourage other ISPs from pulling this crap).
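The watchdog tdumitrescu is describing is a small script: ask the ISP's resolver and an independent resolver the same question on a schedule and flag names whose answers share nothing. What follows is an added example, not code from the thread or from the article's author. It uses only the standard library (the RFC 1035 wire format is built and parsed by hand), ISP_RESOLVER is a placeholder for whatever your ISP hands out over DHCP, and the sample reply used for offline checking is constructed.

```python
"""Added example, not from the thread: spot ISP DNS tampering by asking the
ISP's resolver and an independent public resolver for the same A records and
diffing the answers. Standard library only; the RFC 1035 wire format is built
and parsed by hand. ISP_RESOLVER is a placeholder; build_response() produces
a constructed reply so the parser can be exercised offline."""
import random
import socket
import struct
import sys

ISP_RESOLVER = "192.0.2.53"     # placeholder: the resolver your ISP assigns
REFERENCE_RESOLVER = "8.8.8.8"  # independent public resolver to compare against


def build_query(name, txid):
    """Standard recursive A/IN query for `name` with transaction id `txid`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)           # QTYPE=A, QCLASS=IN


def build_response(txid, name, ips, ttl=300):
    """Constructed reply carrying one A record per ip, shaped like a real one."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    body = build_query(name, txid)[12:]                         # echo the question
    for ip in ips:                                              # 0xC00C = pointer to qname
        body += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + body


def _read_name(msg, off):
    """Decode a (possibly compressed) name at `off`; return (name, next_offset)."""
    labels, next_off, jumped = [], off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                                   # compression pointer
            if not jumped:
                next_off = off + 2
            off, jumped = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (next_off if jumped else off)


def parse_a_records(msg, txid):
    """Set of IPv4 strings in the answer section; reject a wrong id or error RCODE."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("resolver returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                                 # skip QTYPE + QCLASS
    ips = set()
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips


def resolve_a(name, resolver, timeout=3.0):
    """Query `resolver` on UDP/53 and return the A records it answers with."""
    txid = random.randrange(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def compare_answers(name, isp_ips, reference_ips):
    """Any overlap counts as consistent, because CDN-fronted names legitimately
    hand out different address subsets per query; no overlap at all is a lead."""
    if not isp_ips:
        verdict = "no-answer"
    elif isp_ips & reference_ips:
        verdict = "consistent"
    else:
        verdict = "divergent"
    return {"name": name, "verdict": verdict,
            "only_isp": sorted(isp_ips - reference_ips),
            "only_reference": sorted(reference_ips - isp_ips)}


def check(name, isp=ISP_RESOLVER, reference=REFERENCE_RESOLVER):
    """Live comparison of both resolvers for one name."""
    return compare_answers(name, resolve_a(name, isp), resolve_a(name, reference))


if __name__ == "__main__":
    for host in sys.argv[1:]:          # e.g. the retailer hostnames you care about
        print(check(host))
```

A "divergent" verdict is a lead, not proof: confirm it against a second independent resolver or a DNSSEC-validating one before reporting, since a plain set inequality on CDN-fronted names would fire constantly.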

11
rcfox 2 days ago 1 reply      
On a slightly related note, in Chrome extensions it's possible to redirect DNS requests on a per-URL basis. This is how Media Hint works to allow non-US Netflix users to access the US version of the site.

I'm surprised we haven't seen similar behaviour from Chrome extensions. I'm sure it would be caught eventually, but this isn't exactly something that people tend to look for, so it would take a while for people to catch it.

12
neil_s 2 days ago 2 replies      
Interestingly, you might have benefitted more from keeping quiet about this. While the original retailers are losing money through this, you aren't really affected negatively by them doing it. In fact, with this additional revenue source, they might be able to support thinner margins on their broadband charges, saving you some money. You did the morally correct thing, but perhaps at a potential personal cost.
13
natch 2 days ago 3 replies      
I'd like to try out this curl command. I'm not using MacPorts, though. Like many people, I switched to brew some time ago. Is there a quick way to see if my curl install is compiled with 'ares', whatever that is?
14
samweinberg 2 days ago 0 replies      
Anyone know if Time Warner Cable does this?
15
AlonsoGL 2 days ago 2 replies      
Here it goes: behind an ISP-wide cache. Any 'traceroute' passes by transtelco.net (the ISP used to have their own infrastructure for their VoIP service, Megafon); now I have 5/6? DNS jumps! and all my traffic going to Transtelco.

  traceroute to news.ycombinator.com (198.41.191.47), 30 hops max, 60 byte packets
   1  customer-GDL-**-***.megared.net.mx                 << 177.230.**.*** Dynamic IP, GDL is the city of the company
   2  10.0.28.62 (10.0.28.62)  8.939 ms  8.941 ms  8.935 ms
   3  10.2.28.195 (10.2.28.195)  8.912 ms  8.903 ms  8.891 ms
   4  pe-cob.megared.net.mx (189.199.117.***)  8.878 ms  8.866 ms  14.201 ms << COB is the user city
   5  10.3.0.29 (10.3.0.29)  23.494 ms  23.483 ms  23.408 ms
   6  10.3.0.13 (10.3.0.13)  22.842 ms  19.609 ms  19.596 ms
   7  10.3.0.10 (10.3.0.10)  19.560 ms  19.555 ms  19.536 ms
   8  201-174-24-233.transtelco.net (201.174.24.233)  19.527 ms  20.650 ms  19.468 ms
   9  201-174-254-105.transtelco.net (201.174.254.105)  34.239 ms  31.793 ms  31.268 ms
  10  fe3-5.br01.lax05.pccwbtn.net (63.218.73.25)  31.792 ms  31.736 ms  33.533 ms
  11  any2ix.coresite.com (206.223.143.150)  32.834 ms  33.221 ms  33.429 ms
  12  ae3-50g.cr1.lax1.us.nlayer.net (69.31.124.113)  41.288 ms  41.228 ms  41.231 ms
  13  ae2-50g.ar1.lax1.us.nlayer.net (69.31.127.142)  42.632 ms ae1-50g.ar1.lax1.us.nlayer.net (69.31.127.138)  35.192 ms 33.860 ms
  14  as13335.xe-11-0-6.ar1.lax1.us.nlayer.net (69.31.125.106)  35.143 ms  44.714 ms  44.666 ms
  15  198.41.191.47 (198.41.191.47)  37.638 ms  37.239 ms  36.997 ms
I don't know how normal or ethical this type of cache is. No download limits: I have the 10mb plan and get 20mb (2000-2300kbps) downloads; uploads are limited to 1mb.

16
GigabyteCoin 2 days ago 0 replies      
Congratulations. What they were doing was absolutely evil in my opinion.
17
ozh 2 days ago 0 replies      
+1 to OP, and +2 to companies who responded positively (and -3 to ISP, obviously)
18
_RPM 2 days ago 1 reply      
Gaming the system seems to be the secret to winning.
19
philip1209 2 days ago  replies      
This is why you should encrypt your DNS.
11
DigitalOcean leaks customer data between VMs github.com
373 points by sneak  4 days ago   200 comments top 8
1
AaronFriel 4 days ago 4 replies      
This is a huge problem and there seems to be a good deal of misinformation about this issue that has confused things. I'm going to debunk two things: first, that DigitalOcean is not violating user expectations (they are), and second, that doing this correctly is difficult (it isn't). The tl;dr is that if DigitalOcean is doing this, they are not using their hardware correctly.

First, it's not uncommon for virtual disk formats to be logically zeroed even when they are physically not. For example, when you create a sparse virtual disk and it appears to be XGB all zeroed and ready to use. Of course, it's not. And this doesn't just apply to virtual disks, such techniques are also used by operating systems when freeing pages of memory - when a page of memory is no longer being used, why zero it right away? Delaying activities until necessary is common and typically built in. Linux does this, Windows does it [http://stackoverflow.com/questions/18385556/does-windows-cle...], and even SSDs do it under the hood. For virtual hard disk technology, Hyper-V VHDs do it, VMWare VMDKs do it, sparse KVM disk image files do it. Zeroed data is the default, the expectation for most platforms. Protected, virtual memory based operating systems will never serve your process data from other processes even if they wait until the last possible moment. AWS will never serve you other customers' data, Azure won't, and none of the major hypervisors will default to it. The exception to this is when a whole disk or logical device is assigned to a VM, in which case it's usually used verbatim.

This brings me to the second issue. Because using a logical device may be what DigitalOcean is doing, it's been asked if it's hard for them to fix it. To answer that in a word: No. In a slightly longer word: BLKDISCARD. Or for Windows and Mac OS X users, TRIM. It takes seconds to execute TRIM commands on hundreds of gigabytes of data because, at a low level, the operating system is telling the SSD "everything between LBA X and LBA X+Y is garbage." Trimming even an SSD with a heavily fragmented filesystem takes only a matter of seconds because the commands to send to the firmware of the SSD are very simple, very low bandwidth. The SSD firmware then marks those pages as "free" and will typically defer zeroing them until use. Not only should DigitalOcean be doing this to protect customer data, but they should be doing it to ensure the longevity of their SSDs. Zeroing an SSD is a costly behavior that, if not detected by the firmware, will harm the longevity of the SSD by dirtying its internal pages and its page cache. Not to mention the performance impact for any other VMs that could be resident on the same hardware as the host has to send 10s of gigabytes of zeroes to the physical device.

Not only is DigitalOcean sacrificing the safety of users' data, but they're harming the longevity of their SSDs by failing to properly run TRIM commands to clean up after their users. It hurts their reputation to have blog posts like this go up, and it hurts their bottom line when they misuse their hardware.

Edit: As RWG points out, not all SSDs will read zeroes after a TRIM command, so other techniques may be necessary to ensure the safety of customer data.
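The discard-then-verify sequence AaronFriel lays out, including the RWG caveat that a drive may not read back zeroes after TRIM, as an added example that is not the thread's or DigitalOcean's code. It issues BLKDISCARD over the whole volume, checks that the device actually reads as zeroes, and falls back to an explicit zero fill when discard is unsupported or the drive keeps the old data visible. The BLKDISCARD ioctl number is the Linux value from linux/fs.h; the device path in the usage line is a placeholder, and the test exercises the fallback path on a temporary image file.

```python
"""Added example, not the thread's or DigitalOcean's code: scrub a volume
before it can be handed to another tenant. Tries BLKDISCARD first (cheap on
SSDs), verifies the device really reads back as zeroes afterwards (not every
drive guarantees that after TRIM), and otherwise falls back to a zero fill.
Runs on a Linux block device or, for testing, on a plain image file."""
import fcntl
import os
import struct
import sys

BLKDISCARD = 0x1277   # Linux <linux/fs.h>: _IO(0x12, 119); argument is (start, length)
CHUNK = 1 << 20       # 1 MiB read/write granularity


def volume_size(fd):
    """Byte length of a block device or regular file (lseek works for both on Linux)."""
    return os.lseek(fd, 0, os.SEEK_END)


def try_discard(fd, size):
    """Ask the device to discard the whole range; False if it cannot."""
    try:
        fcntl.ioctl(fd, BLKDISCARD, struct.pack("QQ", 0, size))
        return True
    except OSError:           # ENOTTY on a plain file, EOPNOTSUPP without discard support
        return False


def reads_zero(fd, size, sample=None):
    """True if the first `sample` bytes (default: the whole volume) read back as NUL."""
    remaining = size if sample is None else min(size, sample)
    os.lseek(fd, 0, os.SEEK_SET)
    while remaining > 0:
        chunk = os.read(fd, min(CHUNK, remaining))
        if not chunk:
            break
        if chunk != bytes(len(chunk)):
            return False
        remaining -= len(chunk)
    return True


def zero_fill(fd, size):
    """Overwrite every byte with zeroes without changing the volume's length."""
    os.lseek(fd, 0, os.SEEK_SET)
    zeros = bytes(CHUNK)
    remaining = size
    while remaining > 0:
        remaining -= os.write(fd, zeros[:min(CHUNK, remaining)])
    os.fsync(fd)


def scrub(path):
    """Return 'discard' or 'zerofill', whichever method left the volume zeroed."""
    fd = os.open(path, os.O_RDWR)
    try:
        size = volume_size(fd)
        if try_discard(fd, size) and reads_zero(fd, size):
            return "discard"
        zero_fill(fd, size)                       # discard unsupported or data still visible
        if not reads_zero(fd, size):
            raise RuntimeError("%s still holds data after zero fill" % path)
        return "zerofill"
    finally:
        os.close(fd)


if __name__ == "__main__":
    for target in sys.argv[1:]:   # e.g. /dev/mapper/<volume-being-destroyed> (placeholder)
        print(target, scrub(target))
```

The full read in reads_zero is what makes the "discard" result trustworthy, but on a multi-hundred-gigabyte volume it costs a complete pass; the `sample` argument lets a provisioning pipeline spot-check the head of the device and schedule the full verification out of band.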

2
xSwag 4 days ago 8 replies      
TL;DR: In the DigitalOcean web panel you can check the "scrub data" checkbox when destroying a VM. When using the API this option is not ticked. This can lead to other customers being able to retrieve your data.

The author thinks that this is a security issue because this option should be enabled by default. However, (I assume) it's not in DigitalOcean's interest to do a full disk scrub because it reduces the lifespan of their SSDs.

If a user forgets to log out of Facebook on a public computer, is it Facebook's responsibility? Similarly, if a user does not correctly delete data on a budget host, is it the host's fault?

3
sneak 4 days ago 2 replies      
Oh, hey guys, they've responded. It's no big deal, they just disabled the security because _users were complaining_.

Turns out it "add[s] a very large time to delete events" when you actually delete things when a user makes an api call to DESTROY. Who knew?

http://i.imgur.com/MFW8ng6.png

4
nbpoole 4 days ago 1 reply      
Interesting: this sounds like a recurrence of the same issue which was described a number of months back:

https://www.digitalocean.com/blog_posts/resolved-lvm-data-is...

At the time, the blog post claimed that the issue was resolved and that data was now being wiped by default. I wonder why that would have changed.

5
tachion 4 days ago 4 replies      
This reminds me of my own story: a few weeks ago I was trying out their service and on a newly created droplet I noticed a... shell history of downloading and executing a shell script:

    1  clear
    2  ls
    3  clear
    4  wget https://kmlnsr.me/cleanimage.sh
    5  rm cleanimage.sh
    6  cd /tmp/
    7  wget https://kmlnsr.me/cleanimage.sh
    8  chmod +x cleanimage.sh
    9  ./cleanimage.sh
This looked very disturbing, so I went and checked what that script is, and it is available for everyone to read, and seems to be part of their provisioning procedure for the VMs, written by some guy who works for DigitalOcean as 'Community Organizer' (however, at that point I thought the website might have been created by an attacker and be misleading).

Not only does it look bad and alarming to customers, but it also poses a security threat, where an attacker could target his website and/or server and replace the script with something nasty inside. How long before they'd notice? No idea, but I opened a ticket about it right away, giving them some advice on why it's bad (availability, scaling, performance, security and PR reasons) but also how to better handle it, and it seems nothing has been done about it so far.

That rings a bell in my head not to use the DigitalOcean service, as the things they do look pretty amateur.
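The provisioning flow tachion quotes fetches a script from a third-party site and runs it unverified, which is the exposure the ticket was about. One defensive counterpart, as an added example that is not DigitalOcean's code: pin the script's SHA-256 when the image is built and refuse to install the download when it no longer matches, so a swapped file on the hosting site fails closed instead of executing. The URL, the pinned digest and the destination path are placeholders; the test runs the install and the rejection path on constructed bytes.

```python
"""Added example, not DigitalOcean's code: install a provisioning script only
if its SHA-256 matches a digest pinned at image-build time. The URL, digest
and destination below are placeholders, not values from the provider."""
import hashlib
import hmac
import os
import stat
import urllib.request

SCRIPT_URL = "https://example.invalid/cleanimage.sh"         # placeholder URL
PINNED_SHA256 = "0" * 64                                       # placeholder digest
DEST = "/usr/local/sbin/cleanimage.sh"                          # placeholder path


def sha256_hex(data):
    """Hex SHA-256 of the downloaded bytes."""
    return hashlib.sha256(data).hexdigest()


def digest_matches(data, expected_hex):
    """Constant-time comparison of the computed digest with the pinned one."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def install_verified(data, expected_hex, dest):
    """Write `data` to `dest` (executable, owner only) if and only if it verifies.

    The write goes to a temporary sibling and is renamed into place so a
    half-written script is never executable at `dest`."""
    if not digest_matches(data, expected_hex):
        raise ValueError("SHA-256 mismatch: refusing to install %s" % dest)
    tmp = dest + ".part"
    with open(tmp, "wb") as fh:
        fh.write(data)
    os.chmod(tmp, stat.S_IRWXU)
    os.replace(tmp, dest)
    return dest


def fetch_verified(url=SCRIPT_URL, expected_hex=PINNED_SHA256, dest=DEST, timeout=10):
    """Download over HTTPS, then verify before anything touches the filesystem."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        data = resp.read()
    return install_verified(data, expected_hex, dest)


if __name__ == "__main__":
    print(fetch_verified())
```

Pinning a digest rather than trusting the URL means an update to the script has to go through the image build, which is exactly the change-control step a fetched-and-executed script otherwise skips.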

6
sillysaurus2 4 days ago 1 reply      
There is a simple solution to this: don't trust providers to do what they say they'll do with your data. You should scrub any drive that's ever contained sensitive info before you throw it away, and terminating a VM instance is precisely equivalent to handing the VM's harddrive to your provider.

It's pretty easy nowadays to scrub a drive. Writing zeroes would suffice.

Personally, I'd worry more about what data is being leaked when your VM is paged to disk on your provider's servers. Parts of each of your VMs will probably reside in the pagefile at some point, so therefore writing zeroes won't save you if the provider has bad disposal practices (like not scrubbing before disposal). So it seems impossible not to have to trust a cloud computing provider whatsoever; some basic trust seems to be a requirement.

But that minimum level of trust should be the extent to which you trust them. Not scrubbing your drive before handing it over is placing faith where faith doesn't belong.

7
comice 4 days ago 1 reply      
Since day one, Amazon EC2 used a copy on write system with their LVM volumes to protect against this problem (without them having to do expensive zeroing operations).

This has been an identified and solved problem for YEARS. No excuse for a modern VPS/IaaS provider to be leaking customer data in this way, except incompetence.

8
jlawer 4 days ago  replies      
Talk about a link bait title. It's a bit hard to call it a leak; it's a configuration option that is well presented in the web UI. It is optional as it adds ~10 minutes of billing to the small 512MB VMs, and as such it is optional if you do it.

If you're using an overlay or API on top of a cloud or service, it's the overlay's responsibility to ensure consistency with your expectations. The API is consistent with the UI.

While other cloud providers accept the time that this takes as non-billable, DO don't. Getting higher utilization is how they are able to offer their prices and still have some modicum of service.

12
Lessons learned from my failed startup after 2 years, 300 users and 0 revenue sergioschuler.com
361 points by sergioschuler  3 days ago   159 comments top 14
1
patio11 3 days ago 5 replies      
This is a fantastic writeup (and like nearly all worthwhile writing on the subject, I don't necessarily agree with all of it).

Two elaborations:

1) General advice to non-technical founders, not specific to this post: If sales is one of your primary skill sets, and you cannot sell one developer on working for you, you may want to have a brief heart-to-heart with yourself on whether you are sufficiently skilled at selling to build a company which will live or die based on your sales ability.

2) His advice about starting with 1 anchor client for a SaaS, expanding to 10 via expenditure of shoe leather, and then starting to worry about scalable approaches to customer acquisition is very, very good. (I don't know if I definitely would endorse the "An Indian company expressed desire to buy something from me other than the thing I was building, so I should have built that instead." That would turn on a lot of things, including how serious that company was about actually buying the thing. There is a world of difference between "I would buy a Widget from you" and "I commit to accepting delivery of a Widget from you, where a Widget broadly does X, my timeframe is Y, and your payment will be $Z." I'd be looking for a letter of intent or a check as a filter for seriousness following that Skype call before making a bet-the-business decision on it, personally, but I obviously don't know the specifics of what was said.)

2
Killah911 3 days ago 0 replies      
I don't understand people's (not necessarily the OP's) utter obsession with philosophies. Especially in the startup world, when being adaptive and surviving is key.

Lean Startup, great book, decent ideas, not the religion that it's become. I'm sick of hearing, hey do this the lean way and it'll "significantly improve" how well you do, after all it's the blueprint for success. Personally, I don't buy into that. Here's my view of success in reality: do whatever works (that's legal & up to your moral standards), be opportunistic and get lucky (yes, hard work and measuring metrics alone don't do crap).

MVP and idea validation are great concepts & helpful common language. In hindsight all "successful" startups seem to have a "pattern", but in all seriousness, there isn't a friggin algorithm for success in startups, otherwise algorithms would've replaced entrepreneurs a long time ago. (Although selling success patterns & software based on such to wantrepreneurs is a great idea)

I'm sorry Sergio's experience happened. It's easy to force cause and effect onto a narrative. It very well could have been that the developer Sergio met was at a point in his life where he really just wanted to build something great and did end up building the awesomest thing. Instead of trying to dissect the reasons his startup failed, had luck been a little more favorable, we might be trying to analyze how it became a huge success.

Bottom line, my heartfelt congratulations to Sergio on being successful at stepping up, despite the risks and having a crack at it. If you had never stepped up and we all gave in to our negative biases and overanalyzed the crap out of everything before we started we'd still be polishing stone wheels.

I know how shitty it feels. But remember, hindsight is 20-20 and cause and effect should really be cause+luck and effect. Hope you're a better entrepreneur and will be back in the game soon.

3
ry0ohki 3 days ago 1 reply      
"The developer had no intention of being the projects developer (?) he was not really a developer, he was a computer science graduate who owned a webdev shop and was used to managing, not coding."

Heard this story so many times. Amazing how many people join a startup and don't want to do the actual work. Remember that scene in The Social Network where Mark Zuckerberg calls his outsource team about progress on that latest feature? No? Me either.

4
at-fates-hands 3 days ago 1 reply      
"Since we were 3 business people, we spent all this time into idiot plans, budget forecasts, BUSINESS CARDS, fancy website all useless things which in the end did not contribute to anything."

I've been a part of a lot of startups and this is far and away the best advice. It was a common theme with two startups I worked for during the boom years. One CEO's hubris was stunning. 10 million privately funded and he blew most of it on season tickets and suites at stadiums to "entertain" big prospects (never mind we didn't have any "big" prospects at the time!), remodeled the office to the tune of a few hundred thousand dollars; it goes on, but you get the idea.

When you're in a startup, it really is about getting your product shipped, and making sure that's where the focus is.

Great writeup and glad you saw the errors of your ways. Lots of people never gain the wisdom you have until after two or three failed attempts.

5
wrath 3 days ago 0 replies      
Good article, but I would look at this "failure" from a glass-half-full perspective. You "won" because you've learned valuable lessons you can take to your next idea. I've had many products that have not gained many users in their respective marketplaces, but I learned from each and every one of them. All these experiences have brought me to where I am today (CTO of a 45+ employee company). No failures in my past as far as I'm concerned; just lots of self-teaching (that you can't get in school).

>> ""An Indian company expressed desire to buy something from me other than the thing I was building, so I should have built that instead.""

I may be in the minority but I agree with him, on one condition. If this Indian company wanted to pay a small monthly subscription fee for your product I would never have agreed to develop "their" ideas. I would have taken their feedback and put it in the big pile with all the other feedback I gathered up. But I would have pitched this Indian company a different story: I would have pitched them a professional services contract instead of a product. I did something similar in the past and it worked out very well because in a business money is king. With no money you can't do the things you need to do, like attend conferences to sell your idea, buy AdWords, hire solid developers, pay yourself a salary so you can devote your time to the idea.

In my case the customer was willing to pay ~$10k a month to get what he wanted. We built it for him while building our own product. Once we got big enough and could sustain ourselves without our original customer, I gave the customer away. The developer who maintained the project was interested in taking on the project himself. We came up with a 6 month transition plan, including lots of product/project management help, office space, etc. It was a win/win situation at the end.

Doing this is not for everyone though. There are many days I cursed this customer for taking up the majority of our resources. We had to be very good at differentiating between their requirements and the market's requirements. We weren't perfect at it but it worked out in the end.

6
al2o3cr 3 days ago 2 replies      
"Instead of surfing the wave and adapting my idea to what a real prospect client was telling me they wanted"

FFS don't do this. There are far too many startups beached on the shores of "well, this one SRS BZNS client wanted us to change what we were doing so we did. Where'd all the rest of our clients go?"

I'm not saying "don't pivot", but "just making what they wanted" (where N(they) = 1) turns you into a poorly-paid contract developer who's also paying to host the result, not an entrepreneur.

7
thu 3 days ago 1 reply      
Do people find it really OK to have a video and a website saying "try it free" and then have only an email input form? I know that testing if demand exists is important, but doesn't it have an adverse effect on your reputation to somehow lie to your prospects?
8
PythonicAlpha 3 days ago 1 reply      
I want to shine some light on one side problem, scratched here:

The problem today is (from the perspective of a developer): Too many companies rely on just "hire any (cheap) developer" to ramp up the product. I see it all the time: Quality is not asked for, many companies (especially in the web business) just want the cheapest developers. They search for a student (at best), because he is cheap and will just make a small time estimation and an even smaller fixed price offer for the project. The student will happily work overtime that is not covered by the initial estimation.

Then the companies go mad, when either the programmer runs away or the whole project runs into a blind alley (or both at the same time), because the "totally expensive" programmer had not enough experience e.g. with database development and the database structure just makes you shiver. Then the shouting and anger is big: "Damn programmers -- all are liars and lazy!"

What went wrong, Uncle Bob stated correctly in his blog: http://blog.8thlight.com/uncle-bob/2013/11/19/HoardsOfNovice...

But the "cheap, cheap!" culture seems to be unstoppable. If you tell people in advance about "quality" and "professionalism", they don't listen or just laugh at you. It seems all the people just have to find out the hard way -- but I guess, even then most of them will not learn at all.

9
guynamedloren 3 days ago 1 reply      
Really great writeup, thanks for sharing.

I'm left wondering, though, what you actually did over the two years? You imply that you were working on it full time. Two years full time is a lot of time. You can do pretty much anything in that time (including, as others have mentioned, learn to code).

> idiot plans, budget forecasts, BUSINESS CARDS, fancy website [and writing articles]

I find it hard to believe you can work on those things for two years, day in and day out.

10
snorkel 3 days ago 0 replies      
... one of the prospects was an HR person from a huge Indian manufacturer. They wanted the system NOW and wanted to speak to me. [...] I just needed to build what they wanted.

I know startups that charged down the other path, being hyper responsive to their big customers, and they suffered for it because their biggest customer steered the product vision straight to crazy town. Such startups essentially become the contract development shop of a few big customers, living and dying by the whims of those big customers. Yes, you can pay the bills, but you're essentially working full-time for a few customers rather than building your own enterprise.

11
karterk 3 days ago 0 replies      
I think for first time bootstrappers, investing some time in a quality blog on a particular field you would like to build products for is really really useful. Apart from having a good audience to launch your first product, it helps you interact with people before you have something to sell to them. You learn more about their problems, the existing market, competition and so on.
12
subbu 2 days ago 2 replies      
__If there is just one thing you should learn, it is: Just speak to prospects and extract their pain, then sell the painkiller (before building the product). If they are willing to buy, do take their money and invest that money into building the product.__

This advice always seemed like a stretch to me. Does anybody pay for a product that's not ready yet?

13
atmosx 2 days ago 0 replies      
Firstly, the Indian corporation which contacted him, apparently was asking for something totally different. If they were asking about 3 or 4 features that could be added, I don't think that it would be a problem. But the author didn't do anything wrong there. They were looking for a developer probably not a product or not his product whatsoever.

If you accept his argument as true, that he should switch and follow the tide, then you might as well start looking for a freelance developer job.

< J/K>Awesome quote:

> The result of this was that in the end we had to hire a full-time (and paid) developer. So we had zero revenue, 4 co-founders and a paid employee (which was effectively the only one doing real work).

I laughed really hard reading this line. My girlfriend came from next room to make sure I was okay!!! That's awesome, like 4 guys watching a movie, say the 'Social Network', and deciding to do a startup!!!</ J/K>

Jokes apart, I think the author has got it all wrong. There are ten million reasons why a small startup failed. Most of the time it is hard to tell exactly why.

But seriously, only people who have proved time and again their ability to deliver a product to the market and are famous for turning ideas into money are able to strike deals before having a product. And we probably all know them (Jobs, Musk, etc). For the rest of us that's not how things work; I'm sorry to say that he is still getting it all wrong.

In the real world, you can't sell something that doesn't exist, these things happen only on Wall Street.

14
Elizer0x0309 3 days ago  replies      
A business person trying to start a tech startup.... It's like a business person looking for musicians to start a band. This is beyond ridiculous. Either bring some skill to the table or go create a "business startup" and stop polluting the industry with yet another failed idea and even worse a "post mortem" of why it failed.

PS: This includes Marketing, Managers as well as the Business peanut gallery.

13
What Could Have Entered the Public Domain on January 1, 2014 duke.edu
350 points by Tsiolkovsky  3 days ago   158 comments top 10
1
donpdonp 2 days ago 2 replies      
While not a solution per se, an alternative exists. If the license for current works is unacceptable, start celebrating other works! Notably, works with a Creative Commons license.

Some Creative Commons cartoons: http://www.seosmarty.com/15-cartoonists-that-allow-using-the...

Creative Commons Music at Jamendo (see the FAQ http://www.jamendo.com/en/faq)

edit: 'per-say' to 'per se' (thx ansimionescu)

2
kevando 3 days ago 6 replies      
For those curious, this is mostly a result of Disney.

http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/25...

3
sentenza 2 days ago 1 reply      
In the EU, we have lifetime plus 70 years. So the first released movie of the Marx Brothers, "Cocoanuts" (1929), will enter the public domain in 2048, since Groucho lived to be 87.

System is broken. Please reboot.

4
possibilistic 2 days ago 1 reply      
The fairest idea I've come across concerning protecting copyrighted works from falling into the public domain is actually pretty simple: tax exclusivity after the initial 30 years has elapsed. If this tax is non-negligible, companies will be obliged to keep only their best IPs protected and will let everything else fall into the public domain.

The government taxes every other kind of property, so why not IP? Additionally, keeping created works out of the public domain is essentially a tax on the public; this intellectual levy placed on everyone should be balanced by a reinvestment in favor of public interests.

If Disney wants to keep Mickey Mouse out of the public domain, they should pay a yearly fee to prevent it from becoming public property. They'd more than make up for it with the revenue they garner.

I think that this would also encourage less wasteful use of copyrighted properties.

5
sheff 3 days ago 0 replies      
On a happier note, here is a list of authors whose works will be entering the public domain tomorrow in various parts of the world.

http://publicdomainreview.org/2013/12/10/class-of-2014/

6
huskyr 2 days ago 0 replies      
Another interesting tidbit about US copyright is the Uruguay Round Agreements Act:

https://en.wikipedia.org/wiki/Uruguay_Round_Agreements_Act

One of the effects of this act is restoring copyright in the U.S. to foreign works of authors that hadn't been dead for 70 years on January 1st 1996 in their home country. Instead, works only enter the PD 95 years after publication.

So for example, the last paintings by Theo van Doesburg, a Dutch artist who entered the public domain in the Netherlands in 2002, will only be out of copyright in the U.S. in 2026. And that's why you won't see those works on a site such as Wikipedia, which is under U.S. law.

7
pessimizer 3 days ago 3 replies      
If this stuff did start to enter the public domain after 28+28 years, the modern entertainment industry would be screwed because they would have to compete with it. Rationally, they'd rather it burned than free.
8
kriro 2 days ago 2 replies      
The irony that Atlas Shrugged is on the list and massively protected by government IP law is deliciously sad.

More interesting is that Tesla is part of the class of 2014 for 70 year countries :)

50 year countries get some nice additions (some real heavyweights): Robert Frost, Sylvia Plath, William Carlos Williams, Louis MacNeice, Jean Cocteau, C. S. Lewis, Aldous Huxley

9
seandougall 2 days ago 0 replies      
My wife's response: "Although, really, Ayn Rand fan fiction does not sound like that much fun."
10
will_brown 2 days ago  replies      
I do not see a problem with indefinite copyright protections.

One of the assumptions is that, everything being equal, the same works would exist if it were not for copyright protections. However, I would argue that without the extended copyright protections, most of these [future] classic works would not exist, simply because publishers/studios would not invest in the creation/distribution of the works initially. In other words, copyright protections encourage the creation of works.

The OP takes an opposing stance, suggesting that if copyright protections had existed historically they would have stifled the creation of many classic works. This may be the case in certain instances, but to make that argument one must have an in-depth understanding of what constitutes copyright infringement in a legal sense - including all defenses to infringement (i.e. derivative work, fair use, educational/newsworthy use, etc...) - and make the argument on a case by case basis. Very few people have any idea of what constitutes copyright infringement - and even among legal scholars, practitioners and judges there is disagreement.

All I know is if you have ever created anything and had it stolen you understand the need for legal protection. Plus it would suck to live in a world where I am financially rewarding thieves because I cannot distinguish if a work was original or a knockoff. Finally, legal protection is just that, protection; there is nothing stopping copyright owners from giving away their works for free, in other words voluntarily releasing their work(s) to the public domain.

14
The NSA Reportedly Has Total Access To The Apple iPhone forbes.com
323 points by larubbio  3 days ago   201 comments top 6
1
JunkDNA 3 days ago 5 replies      
I know this headline generates traffic by being about the iPhone, but this is a minor point. The big message from Jacob's talk and the original articles in Der Spiegel is that the NSA can intercept anything. Period. Full stop. People have suspected such far reaching capabilities for some time. This talk and the articles demonstrate that it exists. I'm personally a little uncomfortable with this kind of disclosure. On one hand, the NSA exists for the express purpose of spying. That is their job. You can not like that the NSA is a spy organization and we can debate whether we should conduct spy operations as a society, but I'm not sure what exposing their methods in this level of detail does for advancing that debate. Did people expect them to be a spy organization that was incompetent? A group that makes crappy and obvious listening devices stamped with "Designed by the NSA in Maryland"? On the other hand, the cases of potential abuses and dragnet surveillance capturing everything indiscriminately are extremely worrying. I don't know how a free society can do all this spying in support of legitimate foreign policy goals and at the same time not grow into an out of control, unaccountable organization ripe for abuse.
2
RyanZAG 3 days ago 4 replies      
Aren't we missing a critical point here??

> "The initial release of DROPOUTJEEP will focus on installing the implant via closed access methods." [2007]

OK, we knew this much already. I remember seeing a number of stories on how law enforcement can pull data off an iPhone, etc. Not really much new here.

> "A remote installation capability will be pursued for a future release"

Here is the interesting bit. You don't put this in a document unless you have a good plan on how to do it. Obviously with iOS devices having ports closed and being behind NAT, the NSA can't exploit them remotely. However, the NSA is pretty clear that it will have the capability in the future. Note the date on this - 2007.

Since 2007, what has changed? iCloud allows Apple to install and run code directly on your device remotely. Is there any doubt that the NSA would request Apple give them full access to iCloud? So the real issue here is what that last little line hints at: the NSA was looking to get remote access rights to all iPhones back in 2007 and with the knowledge now that they will happily backdoor AT&T/Google/Microsoft to retrieve data, is there any doubt they are now using iCloud to gain remote access to all iPhones?

I'm sure NSA/Google does the same with Google Play Services.

3
forgottenpaswrd 3 days ago 3 replies      
"one question has been paramount for privacy advocates: How do we, as a society, balance the need for security against the rights to privacy and freedom? "

I hear this fallacious question again and again. It implies that giving total power to government is "security". It is not.

Giving total control to Stalin meant hundreds of millions of Russians got murdered in terror; giving total power to Hitler or Mussolini from democracies meant the total destruction of Germany and Italy with millions dead.

4
andr 3 days ago 0 replies      
I really see this working remotely, as long as you have control over a cell phone tower or you use a phony portable base station, both of which are within the NSA's reach.

The thing is phone baseband software (which is reused on different phone models and controls the phone's I/O including GSM, USB, etc.) has hardly ever been under attack. When the iPhone arrived with its new security model, baseband bugs became one of the major ways to jailbreak a phone. Those bugs have been fixed one by one, but they were mostly on the USB side - the GSM side has been impractical to attack. A carefully crafted GSM packet could in 2008 and probably could now cause a buffer overflow in the baseband and gain access.

An interesting presentation on the topic: http://www.youtube.com/watch?v=fQqv0v14KKY

5
rlx0x 3 days ago 1 reply      
Now the talk he gave was interesting, laying out some known and some new facts about the surveillance and automated attack capabilities of the NSA; particularly interesting is the targeting of infrastructure and their traffic injection systems. And he is right to make the point that it's particularly despicable that they actively sabotage infrastructure security, something everyone on this planet has to suffer from.

But.. I don't even know where to begin. It's not only that we need to convince a large portion of the US population that living in a dystopian total surveillance state is actually not something to strive for; we can't even begin to discuss those issues in any meaningful way when people have not the slightest clue what's really going on. Even if leaks like this occur that outline frightening and utterly insane surveillance and attack capabilities, nobody is going to explain it to them (not that anyone cares anyways).

The NSA developed and deployed a global system that enables them to do DPI on the whole internet traffic, analyze that traffic, inject traffic, attack every system through countless vulnerabilities and backdoors and all of that automated, not only against their targets but also against any infrastructure they are interested in.

They have secret laws, can force companies to work with them, force backdoors and not only are the US companies not allowed to talk about those things, they are legally bound to publicly lie about it.

So yeah they can hack every iPhone on this planet, and turn it into a silent listening device, among many many many other things, is that really what we should be talking about?

6
wyager 3 days ago  replies      
This is from a very old version of iOS (2007). We don't know if this is still true.

Regardless, I can say for a fact that there are exploits for all cell phone platforms. iOS exploits are by far the hardest to find. An iOS remote execution 0day will easily fetch $250k. I've seen one go for $600k. For an Android remote exec 0day, you're looking at closer to $50k.

Even if the NSA doesn't have these on hand, they can certainly purchase them.

15
Can-Do vs. Cant-Do Culture recode.net
313 points by minimaxir  1 day ago   125 comments top 16
1
zach 1 day ago 12 replies      
The economist who helped Walt Disney's theme park dream become what it is today[1] said that the most important thing he learned through it all was the profound difference between a "no, because" person and a "yes, if" person.

If you ask many people an audacious "Can we do X?" their response is usually along the lines of "No, because [valid reasons]". They're not wrong, but the basic attitude is to shoot down what doesn't seem to fit with one's own view of the world. These are "no, because" people, and big companies are often full of them.

Much rarer and infinitely more valuable, especially for an entrepreneur, is the person who hears "Can we do X?" and responds, "Yes, if... [possible solutions]". Their response is one of problem-solving instead of confrontation, seeking to find a synthesis of the new perspective and their own. It seems like a small thing, but it is a very significant shift in mindset. Thinking like a "yes, if" person can unlock so much potential.

A friend of mine, one of the most talented and knowledgeable game programmers around, could easily have shot down many of the ambitious ideas that came his way. Instead, he greeted them with enthusiasm, often saying, "It's software! We can do anything!" Wouldn't you like to set out to do amazing things with that person on your team?

[1] - https://d23.com/harrison-price/

2
austenallred 1 day ago 2 replies      
I love the comment from Robert Scoble:

"My friend Andy Grignon worked for Steve Jobs and was on a very small team building the original iPhone. Steve told him "sorry, you can not hire anyone who has worked on a phone before."

Why not? For exactly the reasons laid out here. He didn't want his team to find out what they were attempting to do was "impossible." Andy learned that when he went to AT&T to pitch them on what became visual voice mail. Andy and his team thought it was possible. The AT&T folks thought they were nuts. It took lots of work by Steve Jobs to convince AT&T to try."

3
abalashov 1 day ago 5 replies      
Ultimately, in 1842 English mathematician and astronomer George Biddel Airy advised the British Treasury that the Analytical Engine was useless, and that Babbage's project should be abandoned. The government axed the project shortly after. It took the world until 1941 to catch up with Babbage's original idea, after it was killed by skeptics and forgotten by all.

Is it not reasonable to suppose that it was an idea before its time, and useless in the particular historical context and implementational form in which it appeared?

There has always been utility for mechanical computation, but it's entirely possible that the world simply did not have an application for The Analytical Engine in the 1830s-1840s because other sectors of technology and the economy simply hadn't evolved to a level where they could effectively utilise it, especially given its physical properties--its size, scale, and energy consumption.

I don't know that for a fact, and can't effectively gauge the merits of my own suggestion, as I am neither a mathematician nor a competent historian of the intellectual, scientific and commercial zeitgeist of that period. But, for the sake of argument, is it not possible that this invention fell into the "interesting, novel, but useless" category?

Now, as for the telephone:

1) From the point of view of the telegraph establishment, it was a competitor;

2) Unintelligible voice really is useless. They just weren't far-sighted enough to see that the voice quality could improve, and indeed, it was quite a long time before it did. Local loop quality improved first. Long-distance toll voice really didn't begin to sound good until digital trunking came along. Ask your grandparents or great-grandparents what coast-to-coast long distance phone calls sounded like in the era of analog lines and waveguide-type multiplexing technology;

3) In the heyday of the telegraph era, deploying lines was an extremely expensive and capital-intensive process, and it wasn't until other technological advancements that made possible various multiplexing and aggregation schemes (frequency-division, and later digital TDM) came along that the idea of running a copper line into every home really got to be realistic[1]. I agree that Western Union was a bit shortsighted in turning down this patent, but one could hardly blame them for thinking that universal telephone service wasn't economically possible. That's like selling a business idea today that relies on everyone having a 10 terabit fiber cable run to their home. Yeah, it's possible, and I have no doubt someone will make fun of me in a decade or two for naysaying it in any way, but would you invest $2bn in a related patent today?

What mistake did all these very smart men make in common? They focused on what the technology could not do at the time rather than what it could do and might be able to do in the future.

I don't disagree, but that needs to be fleshed out. No viable entrepreneurial venture can succeed solely on the basis of what it is logically possible for the technology to someday do, or what it could, in principle, in theory, one day. There is a need to realise a return in a usefully short period of time that is also unanimously acceptable to a coterie of investors with varying needs in terms of payoff time frame and patience.

Thus, you need a practical plan for getting to point B, making the technology do X. Even the most far-fetched, high-risk, R&D-driven ventures entail a proposal to concretely deploy and commercialise technology in a period that is usefully short and politically palatable, and that means everyone involved is somewhat constrained to what can be practically envisaged in terms of today's possibilities. One can make some leaps of faith, some intelligent extrapolations and some prescient forecasts, but ultimately, it's something expressed largely in the observational language and ontology of today.

Thus, I can't bring myself to fault someone for doubting, in 1995, that the consumer web is going to be what it is today, or even be what it was six or seven years later, in the early 2000s. It was possible--perhaps even reasonable--to suppose so, but would you have bet the farm on it? Your retirement savings? I'm not sure I would have (not that I have a farm or retirement savings, pero bueno).

[1] http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=451163...

4
crazygringo 22 hours ago 0 replies      
Of course, too much of a 'can do' attitude can lead to completely unrealistic expectations, spread your resources too thin, and bankrupt a business or lead you to waste years or even decades of your life.

The smart choice is obviously a happy medium. Too much of a "can do" attitude is just as harmful as too much of a "can't do" attitude. We all need reality checks.

And this is why diverse teams and groups are so important -- one person says "of course we can't do", another says "of course we can do", and everyone hashes it out until they've come up with a realistic assessment that is neither clouded by overly optimistic nor overly pessimistic thinking.

5
mech4bg 1 day ago 1 reply      
That Alexander Bell quote sounded way too good to be real. Looks like I wasn't the only person to think that; some interesting sleuthing:

http://blog.historyofphonephreaking.org/2011/01/the-greatest...

6
praptak 1 day ago 0 replies      
I don't buy this division into can - the good and cannot - the bad. It's just two strategies with different outcome distributions. The critic will be right more often, invest in boring tried ideas, earn less on average but with less variance. The enthusiast will often fail but when he's right against the common knowledge, he hits the jackpot.

And picking those jackpots and their critics ignores the majority of crazy ideas that indeed fail - "They laughed at Columbus, they laughed at Fulton, they laughed at the Wright brothers. But they also laughed at Bozo the Clown."

Here's some criticism of a crazy idea that actually failed (CueCat): http://www.joelonsoftware.com/articles/fog0000000037.html

Obviously there is a lot of criticism for the sake of proving oneself smug. Unfortunately sounding smug does not automatically make one wrong.

7
jasonkester 1 day ago 1 reply      
I wonder how much of this is just a visibility issue.

We notice this same thing here on this site, where every new idea seems to get immediately piled on with negativity. The feeling is that it didn't used to be this way, and many of us old timers will remember a time when new ideas were mostly met with encouragement and constructive criticism.

But I bet if you look at the threads today and then, you might find that the absolute number of constructive, encouraging comments hasn't changed much at all. Rather, they are simply lost in a sea of negativity spouted out by the peanut gallery that seems to have washed in from other places where people dump all over tech news. We used to be conspicuously entrepreneurial here. Now we're a lot more representative of the tech world at large.

So yeah, I think that there are still plenty of people with the right entrepreneurial mindset out there. It's just getting harder to find them.

8
aetherson 17 hours ago 0 replies      
I don't believe that quote that purports to be a Western Union memo on the telephone. I don't think that 19th Century businessmen put words like "idiotic" into business communication, and I don't think that they used phrases like "the technical and economic facts of the situation," as the word "economy" at that point was much more strongly meaning "being thrifty at home" and much less about economic systems.

This blog post claims that the quote is fake: http://blog.historyofphonephreaking.org/2011/01/the-greatest...

Slate says it "may" be fake and is awaiting verification: http://www.slate.com/blogs/business_insider/2014/01/02/why_p...

9
_delirium 1 day ago 0 replies      
I kind of wish the startup community looked like the picture painted in this post. :)

More audacity and innovation, less audacity-lacking "innovation" of the form, how to get users to click ads more often and exit this company for a multiple ASAP.

10
altero 1 day ago 0 replies      
A few years ago the iPad mania had just started. I worked for a hardware company on admin software. It was written in Java, 15 years old (1998) and never had a major rewrite.

All managers were like 'be like apple' and 'we must release iPad app' and 'PC is over'. Programmers on the other side wanted to rewrite some critical parts, introduce automated tests and fix some very old bugs.

I was the speaker for the programmers, and soon I became the 'tablet hater' (kind of funny since I had an Android tablet). Later we even bought some iPads for developers to learn; those were locked in the managers' office :-). I left the company shortly after that.

So for me 'Can-Do vs. Cant-Do Culture' is just sort of bullshit to mask real problems. Sure Jobs made iThinks, but he pulled massive resources towards the problem. Apple actually bought factories for touch screens before iPhone was made.

11
jeffdavis 9 hours ago 0 replies      
Way too general to be useful.

I think it's useful to be optimistic when it comes to visions of the future and how a business can accomplish it. Electric cars for everyone? Sure, give it a try. All that can be lost is a little money, and maybe you make a huge fortune and change the world. Isolated government programs can be a similar story -- e.g. NASA, which is unlikely to lose anything but a small amount of money but can be really inspiring or create some great things.

However, when it comes to government policy, the downside can be utter disaster. It pays to be a little skeptical that the "help the poor" bill (or whatever other utopian title) will actually deliver as advertised. Or skeptical that a war will be a simple in-and-out proposition.

Or some things just have little upside. We see this all the time in engineering. Someone wants to use a fad technology or model of some kind, or wants to reimplement something to be a little faster, or whatever. There's huge project risk that it could derail other projects and destabilize the entire product -- which is fine if you're going to change the world with it, but not fine for a 10% speedup on some specific workload.

Moral of story: optimism and "can do" attitude is good when the upside is huge and the downside is contained (like in a startup). Not exactly a profound revelation.

12
tlb 1 day ago 1 reply      
A fine editorial. Stirring. It has inspired me to not write off recode simply because 90% of what's on their front page today is crap.
13
mrbrowning 20 hours ago 0 replies      
He's making a good point in the abstract, but I think Horowitz is too close to the matter to understand that a lot of the negativity he cites is a natural reaction to the totally overblown rhetoric of the start-up scene. He inadvertently proves this by referencing such epoch-defining inventions as the telephone and the internet. Many tech start-ups are creating interesting, useful, and sometimes even novel products, but it's nonetheless annoying to anyone with a sense of perspective to hear from every angle that Start-up X is going to change the world by revolutionizing, you know, shoe-resoling.
14
fudged71 1 day ago 4 replies      
I see this all the time in the consumer 3D printing space. Sometimes high tech people act like laggards. "I can't make a metal part on my desk, so it's useless!" "okay, we're almost there, but how about you look at the progress in this industry and all the other applications that we CAN do right now!"
15
joelandren 1 day ago 1 reply      
Let's also remember that there is valid criticism of startups and how they operate their business.

If a startup founder is an asshole, let's not excuse the behavior because they are building something worthwhile.

If a startup makes a mistake due to lack of concern about its users (i.e. Snapchat and their security hole), they should be criticized.

All told, I'm all about "can do" culture, but let's not use it as an excuse for boorish behavior or bad business practices.

16
annnnd 6 hours ago  replies      
I think this article missed a point. It is not a battle between "Yes, if" and "No, because" - each has its own place and each should be used with care.

The first stage of innovation should use the "Yes, if" approach. This is similar to a brainstorming session, where negativity should be kept to a minimum. This mentality lets people find ways around the obstacles.

When the idea is ready for evaluation, it should be evaluated in light of resource constraints and similar. In this phase the "No, because" approach should be used to identify all possible downsides. If the answer is "No", the idea can be either retired or returned to the brainstorming session, until it is ready for re-evaluation.

So it is not a question of Yes/No, it is a question of appropriate answer in appropriate moment.

16
The Lost Art of C Structure Packing catb.org
312 points by Tsiolkovsky  1 day ago   138 comments top 6
1
jandrewrogers 1 day ago 2 replies      
I do optimal structure (and bit) packing without much thought because it is an old habit. As the article states, I have noticed that the only other people that do habitual careful structure optimization these days have been doing low-level and high-performance code as long as I have. Most programmers are oblivious to it.

The reasons you would do it today are different than a decade ago and the rules have changed because the processors have changed. To add two clarifying points to the original article:

- The main reason to do optimal structure packing today is to reduce cache line misses. Because cache line misses are so expensive it is a big net performance gain in many cases to have the code do a little more work if it reduces cache line fills; optimal structure packing is basically a "free" way of minimizing cache misses.

- On modern Intel microarchitectures, alignment matters much less for performance than it used to. One of the big changes starting with the i7 is that unaligned memory accesses have approximately the same cost as aligned memory accesses. This is a pretty radical change to the optimization assumptions for structure layout. Consequently, it is possible to do very tight memory packing without the severe performance penalty traditionally implied.

What constitutes "optimal" structure packing is architecture dependent. The original C structure rules were designed in part to allow the structures to be portable above all else. If you design highly optimized structures for a Haswell processor, code may run much more slowly or create a CPU exception and crash on other architectures, so keep these tradeoffs in mind. The article is discussing basic structure packing which typically has easily predictable behavior almost anywhere C compiles.

2
anatoly 1 day ago 6 replies      
One trick that's not mentioned is unbundling the struct. Suppose you have a struct with a pointer and a character in it, and a huge array of those structs. If you resent the padding tax, refactor your code to use and pass around two arrays instead, one of pointers and the other of chars.
3
rwmj 1 day ago 2 replies      
He should mention this tool:

http://linux.die.net/man/1/pahole

4
alextingle 1 day ago 9 replies      
Is this a "lost art"? I always consider the layout when I'm writing a C struct. It's the principal concern that governs the correct ordering of the members.
5
drdaeman 1 day ago 3 replies      
This could be partially automated with `__attribute__((__packed__))` and a bit of -fipa-struct-reorg for better cache performance. Sadly, there isn't any kind of `__reorder_yes_i_know_and_i_want_to_violate_c_standard__` attribute. But I really believe managing and optimizing memory layout (unless explicitly necessary, like when declaring serialization formats) should be the compiler's job, not the human's.
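As an added illustration of the layout rules the article and the comments above (jandrewrogers on padding, anatoly's unbundling trick, drdaeman's `packed` attribute) are talking about: this is editor-supplied example code, not from the article or any commenter. It applies the C rules (each member at the next multiple of its alignment, the struct padded to a multiple of its largest alignment) to a member list and reports size, offsets and padding, so the cost of a given member order can be seen without compiling. The type table is the LP64 ABI of 64-bit Linux, BSD and macOS and is an assumption; for any real target the compiler's `offsetof()`/`sizeof()` (or `pahole`) is the authority.

```javascript
// Type sizes and alignments for the LP64 ABI (64-bit Linux/BSD/macOS).
// This table is an assumption of the example; other ABIs differ (e.g. a
// 4-byte pointer on 32-bit targets), which is why the real answer for a
// given target is the compiler's offsetof()/sizeof().
const LP64 = {
  char:    { size: 1, align: 1 },
  short:   { size: 2, align: 2 },
  int:     { size: 4, align: 4 },
  long:    { size: 8, align: 8 },
  double:  { size: 8, align: 8 },
  pointer: { size: 8, align: 8 },
};

// Round n up to the next multiple of a.
const alignUp = (n, a) => Math.ceil(n / a) * a;

// Apply the C rules: members are laid out in declaration order, each at
// the next offset that is a multiple of its alignment, and the struct is
// padded at the end to a multiple of its largest member alignment so
// that every element of an array of the struct stays aligned.
// packed=true models __attribute__((packed)): every alignment becomes 1.
function layout(members, types = LP64, packed = false) {
  let offset = 0;
  let structAlign = 1;
  const fields = [];
  for (const [name, type] of members) {
    const { size, align: natural } = types[type];
    const align = packed ? 1 : natural;
    const start = alignUp(offset, align);
    fields.push({ name, type, offset: start, padBefore: start - offset });
    offset = start + size;
    structAlign = Math.max(structAlign, align);
  }
  const size = alignUp(offset, structAlign);
  const payload = members.reduce((sum, [, type]) => sum + types[type].size, 0);
  return { fields, size, align: structAlign, padding: size - payload };
}

// The standard fix from the article: declare members in descending
// alignment order. The sort is stable, so members of equal alignment
// keep their original relative order.
function reorder(members, types = LP64) {
  return members
    .map((member, index) => ({ member, index }))
    .sort((a, b) =>
      types[b.member[1]].align - types[a.member[1]].align || a.index - b.index)
    .map(({ member }) => member);
}

// The "unbundling" trick from the thread: n copies of the struct versus
// one parallel array per member, which carries no per-element padding.
function bytesBundled(members, n, types = LP64) {
  return layout(members, types).size * n;
}
function bytesUnbundled(members, n, types = LP64) {
  return members.reduce((sum, [, type]) => sum + types[type].size * n, 0);
}

// Demo: a struct with chars sprinkled between wider members.
const EXAMPLE = [
  ["tag",   "char"],
  ["ptr",   "pointer"],
  ["flag",  "char"],
  ["count", "int"],
  ["kind",  "char"],
];
for (const [label, members, packed] of [
  ["as declared", EXAMPLE, false],
  ["reordered",   reorder(EXAMPLE), false],
  ["packed",      EXAMPLE, true],
]) {
  const l = layout(members, LP64, packed);
  console.log(`${label}: size ${l.size}, padding ${l.padding}, ` +
    l.fields.map((f) => `${f.name}@${f.offset}`).join(" "));
}
```

For the demo struct the as-declared layout is 32 bytes with 17 bytes of padding, the reordered one is 16 bytes with 1 byte of tail padding, and the packed one is 15 bytes; the packed variant saves that last byte only by leaving `ptr` and `count` unaligned, which is the trade-off jandrewrogers describes above and is a crash, not a slowdown, on architectures that trap on unaligned access.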
6
solarexplorer 1 day ago  replies      
If your struct covers more than one cache line, you may want to think about which members are accessed together and put those in the same cache line. E.g. if you manage to fit all frequently accessed members in the first cache line, you will bring likely useful data into the cache when you access any of them. At the same time you avoid cache pollution with not so useful data from other cache lines.
17
Why does Google prepend while(1); to their JSON responses? stackoverflow.com
304 points by gs7  4 days ago   52 comments top 16
1
Stealth- 4 days ago 5 replies      
I think it's important to note that this is a bug that affects older browsers only. Modern IE, Chrome, and Firefox have security measures that do not allow scripts to capture values passed to constructors of a literal. That way, this hack is only needed for older browsers and will hopefully not be needed at all in the future. For more info: http://stackoverflow.com/a/16880162/372767

Also note that this attack, JSON Hijacking, is different than a CSRF (Cross Site Request Forgery) and has little to do with CSRF tokens.

2
tzury 4 days ago 0 replies      
There is a long discussion about this at

https://news.ycombinator.com/item?id=5168121

(from about a year ago)

3
frik 4 days ago 0 replies      
Chrome DevTools recognises while(1) and for(;;) in the network tab (JSON preview). Sadly, Firebug still doesn't know how to handle this and shows no JSON preview :(
4
andreyf 4 days ago 3 replies      
Does anyone know what browsers allow you to override the Array constructor? I was under the impression that modern browsers don't.
5
matchu 4 days ago 0 replies      
It looks like modern Chrome doesn't trigger setters when constructing from literals, so that's encouraging. http://jsfiddle.net/KY4Sa/
6
CCs 3 days ago 0 replies      
A good description: http://stackoverflow.com/questions/6339790/what-does-a-ajax-...

The idea: you need such workaround only if you return JSON Array.

Most APIs return a JSON Object, in which case the attack does not work: it results in a syntax error.

7
robocat 4 days ago 1 reply      
Would introducing a syntax error into my JSON help prevent CSRF attacks? We don't use JSONP.
8
ciniglio 4 days ago 1 reply      
So does this solve the problem with using remote JS templates (advocated by DHH and 37s), what was outlined here [1]?

[1]: https://github.com/jcoglan/unsafe_sjr/blob/master/README.md

9
silon3 4 days ago 0 replies      
Is it correct to use the Content-Type application/json on this? IMO: not.

(I've just tested Firefox network view and it breaks the response display with syntax error -- there should be an option to select the format).

10
jbrackett 3 days ago 0 replies      
After seeing this I went to see if AngularJS had anything built in to mitigate JSON hijacking and they do. It will strip ")]}',\n" off of json responses if included from the server.

http://docs.angularjs.org/api/ng.$http#description_security-...
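The points raised in the comments above (Stealth- on modern browsers not firing setters for literals, CCs on arrays versus objects, frozenport on `while(1)` versus a syntax error, jbrackett on the Angular `)]}',\n` prefix) can all be checked offline. The following is an added example written for this page; it is not code from the Stack Overflow answer, from Google or from AngularJS. The sample response bodies are constructed, and `parsesAsScript`, `unwrapJson` and `literalsInvokeSetters` are names chosen here.

```javascript
// Why the prefix helps, shown offline. A page on another origin cannot
// read a cross-site response with XMLHttpRequest, but it can include it
// with <script src=...>; that only does anything if the body is a valid
// JavaScript *program*. Constructing a Function from the body parses it
// without executing it, so the precondition can be tested safely.
function parsesAsScript(body) {
  try {
    new Function(body);   // parse only; never called
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// The guards seen in the wild: Google's while(1); and Facebook's for(;;);
// still parse but hang before the data is reached, while Angular's
// )]}',\n makes the body fail to parse at all.
const JSON_GUARDS = [")]}',\n", "while(1);", "for(;;);"];

// What the legitimate same-origin client does (and what $http does for
// the Angular prefix): strip a known guard, then JSON.parse.
function unwrapJson(body) {
  for (const guard of JSON_GUARDS) {
    if (body.startsWith(guard)) return JSON.parse(body.slice(guard.length));
  }
  return JSON.parse(body);
}

// The historical attack: install a setter on Object.prototype and let the
// included script build the objects, hoping the literal triggers it.
// ES5 and later engines *define* literal properties rather than assign
// them, so this returns false in any current engine; it returned true in
// the browsers the original attack targeted.
function literalsInvokeSetters() {
  const leaked = [];
  Object.defineProperty(Object.prototype, "secret", {
    set(value) { leaked.push(value); },
    configurable: true,
  });
  try {
    new Function('[{"secret": "token-123"}]')();  // runs the literal as a script would
    return leaked.length > 0;
  } finally {
    delete Object.prototype.secret;
  }
}

// Constructed sample responses (not captured from any real service).
const SAMPLES = {
  array:        '[{"id": 1, "email": "alice@example.test"}]',
  object:       '{"id": 1, "email": "alice@example.test"}',
  googleStyle:  'while(1);[{"id": 1, "email": "alice@example.test"}]',
  angularStyle: ")]}',\n[{\"id\": 1, \"email\": \"alice@example.test\"}]",
};
for (const [name, body] of Object.entries(SAMPLES)) {
  console.log(`${name}: parses as a script = ${parsesAsScript(body)}`);
}
```

Run under Node it shows the array body parsing as a program, the object body failing (a bare `{"id": 1}` is a block statement with a stray colon), the `while(1);` body still parsing (it never terminates if executed, which is the point), and the `)]}',\n` body failing outright. The prefix is a belt-and-braces measure: the response is still reachable by any cross-site GET, so sensitive data should additionally be gated on something a `<script>` tag cannot supply, such as a custom request header (the `X-Requested-With` check homakov mentions) or a session-bound CSRF token.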

11
frozenport 4 days ago 2 replies      
What happens when you visit a malicious website and your computer gets stuck on `while(1)`? Syntax error would be better?
12
homakov 4 days ago 2 replies      
Google is wrong IMO: there is no need to have such a workaround. In Rails we had a similar problem https://community.rapid7.com/community/metasploit/blog/2013/... and fixed it by adding a request.xhr? check on the server side.

while(1) is an ugly solution to a currently non-existent problem.

13
Kiro 4 days ago 2 replies      
Why doesn't this prevent CSRF?
14
frik 4 days ago 0 replies      
Facebook uses "for(;;);" as it's one char shorter.
15
dontdownload 4 days ago 0 replies      
It's the bot.
16
alixaxel 4 days ago 1 reply      
Smart!
18
How Netflix Reverse Engineered Hollywood theatlantic.com
300 points by coloneltcb  22 hours ago   125 comments top 11
1
smsm42 11 hours ago 4 replies      
For all the high praise that gets heaped on Netflix for their brilliant technology, I have a feeling there is some other Netflix that is concealed from me.

I have been a Netflix customer for years. I thought the idea was brilliant - super-cheap movies arriving whenever you want, what could be better?! I loved Netflix. Then I slowly discovered Netflix is running out of movies I want to watch - up to now where about 95% of movies I want to see are out. Then there was that streaming vs. DVD fiasco - and I stayed with streaming. But then I discovered there's nothing for me to stream. I thought maybe my tastes are weird - so I went to wikipedia and IMDB and looked at "top X movies" - and most of them, of course, can't be watched on Netflix, except for those few that I've already watched long ago.

And that million dollar recommendation system? I've over 800 ratings, and I have a hard time remembering the last time their system suggested something useful to me. In fact, the only reason I am keeping the subscription is because my wife has some series on her sub-account that she's watching. For me, Netflix has become almost 100% useless. So I wonder, with all the high praise for their brilliant data usage and innovative technology - am I doing something wrong? Am I missing some important part of Netflix that everybody else is seeing?

2
refurb 12 hours ago 1 reply      
A friend of a friend works at Netflix and told me how they use some of this data.

House of Cards was basically a data driven production. Based on Netflix's customer preferences, they knew that a political thriller, starring Kevin Spacey and directed by David Fincher would maximize the number of views based on the habits of its customers.

It would appear the data was correct!

3
danielharan 21 hours ago 1 reply      
Netflix's data allows it not only to recommend movies, but also to finance original productions.

Lots of businesses want "recommendation engines" to appease their cargo cult gods, few ask what possibilities their data really creates.

Sometimes data can make you better at delivering your service. Other times you can optimize inventory, enter entirely new lines of business or even obsolete your competitors.

4
eli 21 hours ago 8 replies      
Haven't people gone to jail for scraping a URL and enumerating its possible values?
5
zheng 21 hours ago 1 reply      
What would be really cool is if this list of genres was open-sourced somewhere. I can see Netflix not wanting that, but it would really save time for however many hackers read this article and decide they want the same data.
6
msg 21 hours ago 3 replies      
At the top of the article is a Netflix genre generator. That is worth the price of admission all by itself.

But then there's a fairly entertaining look into what happened to content at Netflix after the million dollar challenge.

7
mixmastamyk 18 hours ago 0 replies      
Meanwhile, their client still can't separate my daughter's kid shows from mine. It took them several years to implement profiles on iOS and then another to do it on Android.

Now implemented, "My Top Picks" last night were still dominated by My Little Pony.

Also would like to choose which shows she can watch, but the client doesn't support that. </complaints-over> ;)

8
shawnc 20 hours ago 0 replies      
I find the part at the end about the Perry Mason aspect very interesting, and actually my favourite part of the article.

And the final sentence, feels like the real reason this was posted to HN: "And sometimes we call that a bug and sometimes we call it a feature."

Edit: Also, the 'Gonzo' genre of Post-Apocalyptic Comedies and Friendship seems it's got its first one in "This Is The End".

9
agibsonccc 15 hours ago 0 replies      
For those who are data curious: https://gist.github.com/agibsonccc/8230583

I cherry picked this from the source for those who might want the generator. I "think" that's everything, correct me if I'm wrong there. I didn't really test it, just took a few seconds to grab what I saw for later.

10
discardorama 19 hours ago 2 replies      
How is this any different from what Pandora did with music?
11
hershel 21 hours ago  replies      
There's also jinni.com which has a similar system, not limited by UI issues and that can be used globally. Usually I get great recommendations from them, and they're fun to play with.
19
Losing Aaron: Bob Swartz on MIT's role in his son's death bostonmagazine.com
271 points by cjbprime  15 hours ago   146 comments top 4
1
suprgeek 12 hours ago 2 replies      
MIT played a key role in Aaron's death: http://gothamist.com/2013/01/15/aaron_swartzs_lawyer_mit_ref...

They refused to sign off on any deal that did not involve jail time. This was THE one point that weighed more on his mind than anything else per the recorded statements of his partner.

MIT's pig-headedness in this aspect really destroyed any respect I had for that institution. JSTOR made a much more reasoned statement http://docs.jstor.org/summary.html - Clearly indicating that they had NO INTEREST in any further prosecution (since they were the primary wronged party).

2
Smerity 12 hours ago 4 replies      
I'm still more disturbed by the laws in play.

Aaron was facing a cumulative maximum penalty of 35 years in prison.

The roommate of one of the Boston bombers was only facing 25 years in prison[1] if found guilty of helping Dzhokhar Tsarnaev dispose of a laptop, fireworks, and a backpack in the aftermath of the bombings.

I understand it's not a straight comparison, but no matter how I try to re-arrange those numbers in my head, I can't reconcile the impact to punishment.

[1]: http://en.wikipedia.org/wiki/Boston_Marathon_bombings#Dias_K...

3
tzs 7 hours ago 2 replies      
Several comments have talked about 35 year or longer potential sentences.

Those big numbers come from simply taking the maximum possible sentence that can ever be given out for each charge, and adding them all up.

There are two things that make that unrealistic in most cases. First, the defendant is almost always charged with several similar or related crimes that have mostly the same elements. If convicted on more than one charge from such a group, they are only sentenced for one of the convictions.

Second, the sentence takes into account the severity of the particular acts that constitute the crime, and the prior criminal record of the defendant. To get the maximum possible sentence you'd need to have gone way beyond what ordinary violators of that particular law usually do, and you'd have to have a serious criminal history.

What Swartz was actually facing if he went to trial and was convicted was something ranging from probation to a few years, depending on just how much damage the court decided he caused.

If he took the plea the prosecutor was offering, he was facing up to 6 months.

Details with citations on the above are available at [1] and [2].

In the dozens of discussions of the Swartz case we've had in the last year here, the 35 year or 50 year myth has been repeatedly busted. Yet it keeps coming up in each new discussion--often from people who were in some of the previous discussions! Why is it so persistent?

[1] http://www.volokh.com/2013/01/14/aaron-swartz-charges/

[2] http://www.volokh.com/2013/01/16/the-criminal-charges-agains...

4
vex 13 hours ago  replies      
Suicide is completely a personal choice. MIT had no reason to try and defend an outsider who hijacked part of their network, and trying to make them seem like they caused him to hang himself smacks of tunnel vision.

It's a natural response to a suicide; we try and search for something to blame. But unless you argue that MIT should have known Aaron was mentally unstable, saying MIT "caused" him to kill himself is illogical. People who commit suicide may desire to because of what they feel about their lives, but the final decision is one's own.

It's sad that it takes a death to bring attention to the IP issues that Aaron's trial had raised.

20
30C3 Recordings ccc.de
259 points by znq  4 days ago   38 comments top 6
1
hansjorg 4 days ago 0 replies      
Transcripts can be found here: http://subtitles.media.ccc.de/
2
madethemcry 3 days ago 1 reply      
I found a similar posting on HN last year. I saved exactly 97 videos from 29C3. All of them with an interesting title. My brilliant plan: watch them over the year while traveling by train or plane. Maybe I read HN or slept, but I watched not a single video. Now I have another ~100 great videos to watch. I really want to watch them all but I doubt it. I need a direct brain uplink.
3
3rd3 4 days ago 14 replies      
Which recordings do you recommend? (One per comment.)
4
weavie 4 days ago 5 replies      
Anyone care to summarize what this is about?

From what I gather these are 30C3 recordings from a CCC-TV website. The recordings have titles like FPGA 101 and Programming FPGAs with PSHDL.. There is no about page and the home page has further topics like, SIGINT13 video release, SIGINT12 video release and 28C3 webm release.

I'm confused..

5
Cyclenerd 4 days ago 2 replies      
10Gbit/s mirror (also offers ftp and rsync): http://ftp.halifax.rwth-aachen.de/ccc/30C3/
6
hydrogen18 3 days ago 2 replies      
Python script to download them all

https://gist.github.com/hydrogen18/8185934

21
A Short Story for Engineers txstate.edu
258 points by shawndumas  4 days ago   85 comments top 25
1
dkarl 3 days ago 7 replies      
I like the values that jokes like this reinforce (simplicity, creativity, and proactivity versus complexity, expense, and bureaucracy) but I wonder if they serve a positive purpose in engineering culture. Do we tell these jokes to keep ourselves on our toes, to make ourselves better? Are we really in danger of forgetting which is better, simplicity or complexity? When we create complex and over-engineered systems, is it because we forget that simplicity is better?

I don't think we do. I think we tell ourselves these jokes to contrast good engineering with bad engineering and to congratulate ourselves for being on the right side. A good joke would lead you down the garden path, encourage a bit of smugness and then rip the rug out from under you. This joke telegraphs the punch line from the start: it encourages smugness and then vindicates it. A healthy joke would make us uncomfortable about whether we would have been on the right side, whether we are doing a good job of living up to our values. This joke reassures us that the problem is other people's values, and by doing so, it promotes exactly the kind of complacency that it makes fun of.

2
HCIdivision17 3 days ago 4 replies      
My opinion has shifted over the last few years working in plants, and I've now settled on the idea that the fan solution probably needed the eight million dollar project. Without the project, the operator would not have been inconvenienced, nor would they have achieved their goals as soon.

Also remember that the project was worth it - it was returning on the investment. Ideally the simple solution would have been found first for a massive windfall of savings, but industry runs on constant, small, incremental changes over many years. And it takes a very special mindset to invent awesome hacks like the fan trick!

The operator should instead be applauded for making it so no other plant needs to buy such an expensive system!

Edit: also, never underestimate the utility of inconveniencing operators. They will find the most brilliant, clever, and cheap hacks to solve problems. Watching operators is the best diagnostic tool available. When you see a c-clamp or duct tape on the machine, you know exactly what needs workin' on next!

3
wikwocket 3 days ago 1 reply      
This is a cute story about over-engineering and thinking outside the box to find the simplest solution, but anyone with manufacturing experience can tell you that many factories have compressed air lines at each machine, and frequently use it to blow bad parts off of a conveyor/feed rail.

American manufacturing factories are actually homes to tremendous ingenuity and practicality. To an outsider they may seem loud, dirty, and disorganized, but the engineers inside routinely deal with issues like "how can we catch bad parts before they roll off the line, using spare parts, scrap metal, and a $20 budget?" I have seen some amazing Rube Goldberg feeding systems that can outperform expensive laser/optical/diverter gate packages.

4
WalterBright 3 days ago 0 replies      
The engineers should be working alongside the factory line. That this often doesn't happen isn't always the fault of the engineers or management.

Back when I worked on the stab trim gearbox at Boeing, it came time to put it on the test rig and load it up. The test engineers gleefully told me they were going to bust my design. So joy for me, I got to go to the shop and get my hands dirty testing it!

By the time I got there, they had my baby all mounted in the custom test rig, with a giant hydraulic ram all set to torture it. There was some adjustment needed, and I leapt forward to make it. The union shop steward physically blocked me, and said I was not allowed to touch anything. I was only allowed to give directions to the union machinist there, and he would turn a wrench at my direction.

Jeez, what a killjoy moment for me.

Anyhow, to make a long story short, when they loaded up the gearbox with the ram, the test rig bent and broke, and that lovely gearbox just sat there. Nyah, nyah, nyah to the test engineers and back to the office building for me.

5
mathattack 3 days ago 1 reply      
Great story, and widely applicable.

I worked on a very large process and technology improvement program for a Fortune 50 company. One critical piece of the project was a scheduling system for field technicians. After 100+ effort years (don't ask!) we got it developed and tested, and it achieved the 15 minutes per technician productivity improvement, justifying the massive expense. We then found that we could double the benefit by having them reboot their laptops weekly instead of nightly. (Though the technology architects screamed bloody murder)

6
SilasX 3 days ago 0 replies      
A cheesy, apocryphal story written like a forward from Grandma on a site that looks like it was stolen from 1996? How did it make the front page?
7
pmorici 3 days ago 0 replies      
This is like an engineering urban legend. I've seen it on here before but the circumstances were different. Last time this was posted it was a Japanese soap factory instead of a toothpaste factory.
8
juddlyon 3 days ago 2 replies      
Similar to the "Knowing where to put the X" story: http://www.engineering.com/DesignSoftware/DesignSoftwareArti...

Also, the NASA vs Russian space pen vs pencil.

9
spullara 3 days ago 0 replies      
This is one of the reasons the engineers at Tesla work on the factory floor. Take the tour if you can, it is great.
10
JackFr 3 days ago 0 replies      
In 1985 I worked in a factory on a line producing tubes of vitamin A&D ointment (similar packaging to toothpaste tubes.) The filling of the boxes with the tubes was actually done manually, I suppose because ointment is higher margin, lower volume.

We also produced foil packs (like fast food ketchup packets). That machine was the coolest mechanical device I've ever worked with.

11
southpawgirl 3 days ago 1 reply      
> and six months (and $8 million) later a fantastic solution was delivered

In real life the solution applied wouldn't be this one, nor the cheap fan, but some dude being paid peanuts to shake each box by hand.

12
codegeek 3 days ago 0 replies      
I have read this story before and it reminds me of the phrase "Necessity is the mother of all inventions". What if that $8M project was never implemented? The factory worker would then not need to manually go and remove the empty boxes. So one way to look at it is that the $8M project actually created a necessity to be more efficient and gave the guy an idea to not manually move the boxes by installing a fan, which in turn solved the overall problem of empty boxes being shipped. Maybe he would have thought of all this without the $8M project, but what are the odds?
13
analog31 3 days ago 0 replies      
Everybody standing on the sidelines with no skin in the game is always proud to point out the engineer's mistakes after they have been made.

I comfort myself with Teddy Roosevelt's "man in the arena" speech.

14
seivan 3 days ago 0 replies      
I think most engineers are familiar with easy quick hack solutions that are cheap and fast. You want this to have an effect? Tell it to the product monkey overlords or the design "gurus"
15
ausjke 3 days ago 1 reply      
Old story; it used to be a USA solution (high-tech, expensive) vs a Chinese factory solution (the fan added by a worker).
16
11thEarlOfMar 3 days ago 0 replies      
There are a couple of points that come to mind. First, management needs to be judicious about how problems get solved. Does it require committee? Or a lone actor? Which department should own it or should the CEO take it on personally? Second, there is no doubt that an organizational approach to problem solving is going to change as a company scales. The path the information took in this parable likely was from customer service to upper management to engineering. A CEO that will accept an $8M solution to such a problem is probably running a multi-billion dollar company. If this had been a $50 million company, no way he would have felt satisfied that it was money well spent.
17
Aloha 3 days ago 1 reply      
You'd expect the fancy scales to reject the empty boxes, but instead it appears they just sounded a bell. The workers added the rejection feature once they had an incentive to do so (the ringing bell).
18
johngalt 3 days ago 0 replies      
I think there's a similar story about Fedex being the highest throughput network provider.
19
loomio 3 days ago 0 replies      
For me the lesson here isn't as much about engineering as incentives and inclusion. If you engage people who are actually on the front lines in solving the problems, great ideas will emerge. These are the people who understand the problems best, and can be most motivated to fix them.

But in order to do that you have to effectively align incentives for them to solve the problems. If companies treat employees as disposable automatons, and do not allow them to share in the success of the business or benefit from improving workflows, they have no motivation for doing so.

So many companies shoot themselves in the foot by bringing in "experts" when the real experts are right there on their payrolls, but no one is asking them their opinions or creating a situation where they would be inclined to give them anyway.

20
coloncapitald 3 days ago 1 reply      
The story doesn't suggest that the CEO or management staff should have thought of a fan before. It suggests that they should have probably looked into the problem better, which may have involved visiting the production line and asking the workers how they would fix the issue inexpensively. Then probably one of them would have come up with this solution, or maybe an even better one.

I see people bringing up points like "What if the fan dies?" or "what if the weight of the boxes increases due to extra packaging?". IMHO, these arguments are invalid because of the same reason. Fan is not the solution.

21
dsugarman 3 days ago 0 replies      
how it is usually done in the fulfillment industry is a scale that changes the track if it is off weight by more than a certain percent (think of how train tracks work). The problem here is tougher than just a toothpaste factory because you can have multiple items in one purchase order and you have to make sure all items are in the box. Stopping the entire line every time something is off with 1 package is never a good solution. With pushing the packages into a 'problem' pile, someone can figure out what is wrong with each one and get things moving again on their own schedule.
22
bowlfeeder 3 days ago 0 replies      
It's a nice story, but anyone familiar with mechanical feeding systems[1] could tell you air jets have been commonly used to reject parts for decades.

[1] http://en.wikipedia.org/wiki/Bowl_feeder

23
ttdan 3 days ago 0 replies      
Alternate takeaway: visibility of key metrics/information (bell on expensive machine) is a strong motivator. Worthwhile when considering spending resources on things like creating informative dashboards and proper instrumentation to focus a team on key metrics.
24
kimonos 3 days ago 0 replies      
Haha! Nice one! Thanks for sharing! Happy New Year to all!
25
lani 3 days ago 0 replies      
oooh !! 8 Mill !! I'd like that ..
22
David Cameron's Internet porn filter is the start of censorship creep theguardian.com
266 points by iamben  4 hours ago   162 comments top 7
1
netcan 2 hours ago 1 reply      
I'm really disappointed with this whole situation. The government. The parliament. The people & the media. I resent all the apologizing and explaining and the "don't attribute to malice" excuses. I also think that it's very possible that unrelated "side effects" like surveillance and control of the internet "media" have always been an intended unstated goal.

This article is right on the right track. This is an attempt to control the discussion, the definition of normal and public morality. It is not a response to an actual problem. It's old fashioned conservatism and paternalism.

The bottom line here is choice. Parents everywhere have easy solutions for voluntary porn filters. You can have them set up by the people you buy your internet from or the people that sell you your computer. It's cheap or free and it's available. I do not buy the "it's too complicated" argument. This is parents' responsibility and it just isn't that hard to meet that responsibility.

2
bmj1 4 hours ago 15 replies      
"Never attribute to malice that which is adequately explained by stupidity." (1)

As a UK citizen, I've been very disappointed by this debacle. I suspect that Cameron's heart was actually in the right place (protecting the children, etc) but he does not understand the significant number of unintended consequences that we are likely to see (and are already seeing).

I would suggest doing the following to make this workable long term:

- Centralise the list of sites categorised as obscene/pornographic/etc (why should it be different for different ISPs?)

- Make the list of these sites publicly accessible and searchable

- Ensure the list is maintained by a non-political and balanced panel (is this possible?)

- Implement a process for removal requests where a site is mis-classified and ensure that this appeal process is separate from the initial panel

- Implement KPIs on the effectiveness of the filter that take into account false positives + false negatives

- Remove any automatic categorisation based on keywords, this is too crude

- Make publicly accessible the guidelines for classification

Unfortunately, I don't expect the above to actually happen :(

1. http://en.wikipedia.org/wiki/Hanlon's_razor

3
chunkyslink 19 minutes ago 0 replies      
If you live in the UK and you want to do something about this you can join the Open Rights Group https://www.openrightsgroup.org/campaigns/cameron-stop-sleep...
4
sbt 4 hours ago 3 replies      
If I was British, I would do anything I could to urge politicians and the public to dismantle this firewall. Our biggest problem, not just in Britain but in all countries, is that the public does not understand how serious this is at all.
5
JunkDNA 2 hours ago 1 reply      
Reminds me of this recent editorial (which is hopefully not paywalled) in the Wall Street Journal about "the Good Intentions Paving Co": http://online.wsj.com/news/articles/SB1000142405270230402070...
6
petercooper 3 hours ago 1 reply      
The start? Cleanfeed has been running for 10 years already: http://en.wikipedia.org/wiki/Cleanfeed_(content_blocking_sys...
7
matthewmacleod 4 hours ago  replies      
Censorship is bad. That said

This is not censorship. It's an opt-in web content filter, operated by the largest ISPs, with no statutory backing. It's intended to encourage ISPs to provide optional parental controls for every subscriber, and no more.

Frankly, I think this is actually a pretty good outcome, if not deliberately so. It completely kills the arguments for actual Web censorship by eliminating the "think of the children" argument, which is probably the one which the media bang on about most, without imposing any legal requirements or mandatory filtering.

So there are plenty of options for users who don't want to be subject to the filter. Switch to another DNS provider, or don't opt in to the filtering, or even better switch to one of the ISPs that don't offer this feature and never will.

Ironically, I think that these filters are going to encourage the preservation of Internet freedom in the UK in the long run.

23
Show HN: Use any text as a domain name github.com
243 points by daenz  1 day ago   138 comments top 12
1
TeMPOraL 1 day ago 6 replies      
I might be missing something, but I completely don't get this idea, especially with the examples provided by the author. I have two major concerns:

> Bind searches to domain names, eg "food in chicago" => f02970848a63988965aa40cd368ffcf9046209ca.com

This IMO is bad, and goes in a completely wrong direction. We've invented search engines to have such phrases not bound to a particular domain. Who would handle the "#://food in chicago" domain? Would it be Google? Bing? Yelp? Local restaurant chain? Or maybe some scammers? And who would maintain the completely different website "#://food in Chicago", and why does "#://Food in Chicago" want to silently install me some malware?

The reason searching for such phrases makes sense, while having them as domains does not, is that things like "food in chicago" are poorly defined, fuzzy concepts. It would feel weird to change one letter in a query, or replace the word "food" with, eg. "something to eat", and see a completely different website. Moreover, major search engines are more or less egalitarian wrt. businesses. Yes, there's the whole SEO thing, but you can't get full control of what food joints are listed near your location just because you've managed to get the register first. I can (and do) trust listings from Google; they have both incentives and a track record of being fair. I will never trust listings from random-autogenerated-squat-scam-business-site.

Which brings me to the second point,

> Good domain names are pretty scarce. It's a source of frustration for anyone who has ever tried to buy a domain.

Yes, they are, and the primary source of frustration is that they are mostly taken by various squatters and other scum of the Internet. What will happen is that, the moment there's any real possibility such a hash-domain scheme is introduced, all those evil people and companies will take all the domains like "#://microsoft", "#://android" and "#://insert any popular keyword or phrase here" in order to sell them back to real businesses for boatloads of money. And then we'll be back to square one, with maybe a little bigger domain space than we have right now. Bad people win, good people lose and nothing changes.

So, again, the concepts behind this idea elude me.

2
arn 1 day ago 4 replies      
Reminds me of "RealNames". Dot-com era company. $130 million in funding.

http://en.wikipedia.org/wiki/RealNames

RealNames was a company founded in 1997 by Keith Teare. Its goal was to create a multilingual keyword-based naming system for the Internet that would translate keywords typed into the address bar of Microsoft's Internet Explorer web browser to Uniform Resource Identifiers, based on the existing Domain Name System, that would access the page registered by the owner of the RealNames keyword.

3
Patrick_Devine 1 day ago 4 replies      
This is a horrendously horrible idea, for the same reason why unicode domain names are a bad idea. Domain names are important because they provide a reasonable amount of trust. If I type http://apple.com, I'm 99.99999% certain that I've connected to Apple's website. This gets nasty with unicode, because a person can spam your email account and get you to click on a URL which looks very similar to something like apple.com, but really points to a malicious site (thank you Cyrillic characters).

Hash based domain names would be even worse. You have no idea what site is lurking behind some big string of hex digits. You could argue that a person should just compare the hash to some known set of hashes, but that's a. cumbersome and b. unrealistic. If it's done by humans, it's error prone (a malicious site could spoof the first few chars to point to their site), and if it's done by computers, what's the point? You've now effectively created a really shitty replacement for DNS.

4
colmmacc 1 day ago 1 reply      
This mechanism is halfway to a suggested scheme for domains that are less vulnerable to single-actor take-downs, posted here on HN a few days ago; https://news.ycombinator.com/item?id=6964090 .

In short; instead of merely mapping to [hash].com the extension could map to [hash].com, [hash].se, [hash].ly, [hash].is, [hash].ch and then use a quorum consensus of whatever answer 3 or more of those names agree on. Effectively each TLD registry (and each of your registrars), along with their regulatory environment, would lose the ability to take down your name without international agreement.

For certain niches, such a feature might be a good enough value proposition to ordinary users to convince them to install an extension.

Other observation; 36-ary is probably a better encoding for the hash data than hex. DNS isn't great with lengthy answers and every byte is worth conserving. But it's cool to see something interesting like this in the form of a browser extension.

5
splatzone 1 day ago 1 reply      
This is really cool. This is my favourite kind of idea; one that changes something fundamental in a succinct way.

This makes me wonder how important domains are at all. My mum never even thinks about the domains for the websites she visits, she just types in 'ebay' and Google does everything for her.

The only time I think about URLs (outside of coding) is when I have to share a link with someone, but I wonder if even that could be replaced with a sufficiently advanced search engine.

6
pudquick 1 day ago 2 replies      
I would be in favor of this idea if a little more thought was put into how the hashing function works.

As it stands, someone typing in:

food in Chicago

will get a different URL than:

food in Chicago

And the same goes for: Chicago food, chicago food, food near Chicago, etc.

Every one, with a single character difference (extra space, different word order, capitalization difference, regional spelling like theatre vs theater, etc) will result in a different hash.

You've now made 'humanized URLs' into 'no one will guess your domain'.

It's an interesting approach to avoiding search engines, but it doesn't solve the problem that search engines do solve: multiple similar but different entries resulting in the same "appropriate"/top website result.

With this approach, not even face book, Facebook, and facebook would result in the same .com (and please don't suggest just purchasing a billion domains and redirecting them all).
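As an added illustration of pudquick's point (and of colmmacc's earlier note that 36-ary is a more compact label encoding than hex), here is a small script that is not code from the extension or from any poster above. It assumes SHA-1 only because the 40-hex-digit example in the thread has SHA-1's length; the helper names (normalize, text_to_label, label_collisions) are hypothetical.

```python
"""Added example: how a hash-based domain scheme turns near-identical phrases
into unrelated names, and how far a normalization step before hashing
narrows that. Not the extension's own code; SHA-1 is an assumption."""
import hashlib
import re
import unicodedata

# DNS labels are case-insensitive, so digits plus a-z is the largest
# alphabet a label can safely carry: hence base 36 rather than base 64.
BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def normalize(text: str) -> str:
    """Collapse the variations a human would call 'the same phrase'.

    NFKC folds compatibility characters (full-width letters, ligatures),
    casefold() handles capitalization more robustly than lower(), and the
    whitespace collapse removes the 'extra space' case from the thread.
    Word order and regional spelling are deliberately left alone: those are
    genuinely different strings, and no hash function can reconcile them.
    """
    text = unicodedata.normalize("NFKC", text)
    text = text.casefold()
    return " ".join(text.split())


def to_base36(data: bytes) -> str:
    """Encode a digest in base 36 (the alphabet a DNS label allows)."""
    n = int.from_bytes(data, "big")
    if n == 0:
        return "0"
    out = []
    while n:
        n, r = divmod(n, 36)
        out.append(BASE36[r])
    return "".join(reversed(out))


def text_to_label(text: str, *, normalized: bool = True,
                  base36: bool = False) -> str:
    """Map a phrase to a DNS label via SHA-1, optionally normalizing first."""
    key = normalize(text) if normalized else text
    digest = hashlib.sha1(key.encode("utf-8")).digest()
    return to_base36(digest) if base36 else digest.hex()


def label_collisions(phrases, **kwargs) -> dict:
    """Group phrases by the label they map to, so it is visible which
    variants end up on the same domain and which do not."""
    groups: dict = {}
    for p in phrases:
        groups.setdefault(text_to_label(p, **kwargs), []).append(p)
    return groups


if __name__ == "__main__":
    # Constructed sample variants, mirroring the thread's examples.
    variants = ["food in Chicago", "food in  Chicago", "Food in chicago",
                "Chicago food", "food near Chicago"]
    for p in variants:
        print(f"{p!r:22} raw={text_to_label(p, normalized=False)[:12]}... "
              f"norm={text_to_label(p)[:12]}...")
    raw = label_collisions(variants, normalized=False)
    norm = label_collisions(variants)
    print(f"{len(raw)} distinct domains without normalization, "
          f"{len(norm)} with normalization")
    print("label length base36:", len(text_to_label("food in Chicago", base36=True)),
          "vs hex:", len(text_to_label("food in Chicago")))
```

Even with normalization, "Chicago food" and "food near Chicago" still land on their own domains, which is the part of the problem only a search engine's ranking, not a hash, can solve.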

7
gbog 1 day ago 3 replies      
This is quite an interesting experiment, and a step in the good direction, which should and must lead us to the complete removal of domain names.

Why are domain names bad? That should be obvious.

The main symptom of domain names' inherent brokenness is that the law must patch it so that an unknown squatter cannot kidnap some domain, e.g. register "france.com" and ransom it to the people who are most qualified to claim it. This is ridiculous: the squatter should not have had the opportunity to squat this (I know it doesn't apply for "France" but it applies for many other names). Nowhere in the world do we see kids grab the seat in front of the fireplace and not let their grandma have it.

Moreover, what if a single ASCII string refers to two different things equally claimable by two groups of people? E.g. what about "francfort.com"? Which city would it refer to? A contrived case: If Chinese people chose a transliteration scheme for their language so that "google" would mean China, wouldn't they have some rights over google.com?

This level of brokenness is not even because of a leaky abstraction, this is a sunken boat everyone has to use to cross the river.

On a more philosophical stance, domain names are wrong because they build a kind of universal language out of nowhere, grounded on nothing, without any kind of democratic digestion and acceptance by human beings. We could have a universal language shared by all humans, but it would be a very long process of slow acceptance, with a percolation through all societies all over the world. In this way, there would be many adjustments, reverts, and eventually we would come up with a set of names that is good enough, but right now domain names are just a musical chairs game that is ridiculous and must be stopped.

So I think using a string's hash is a nice step, because it starts blurring the domain name.

However, I think a much better scheme would be to use the hash of the page content as the domain name. In this case, once the hash is determined, who cares where it is, who cares which domain it has? It would just be a way to download the content. And the job of search engines would be to point us to these hashes.

And dynamic content you tell? Which dynamic content? Does one really care about changes in wiki pages? And for the twitter feed, each tweet is a fixed content snippet, and the javascript fetching them is also fixed, or could be a browser extension. And an up-to-date search engine would have the latest hash for a keyword such as "twitter" or "The Guardian".

A nice side-effect would be that domain name based censorship would become ineffective. And downloading content could be just some p2p checkouts.

8
chavesn 1 day ago 0 replies      
My initial thought: This is terrible, because how would we ever know which sites we can trust? Something as tiny as an extra space would change the hash value.

But on second thought, the real problem is that we (the web technology community) have assumed domain names are even a remotely suitable proxy for trust. I don't think most common web users actually get this point. That's why phishing is so easy (except for the part about getting a phishing email past spam filters).

Do you think most people really know (or notice) the difference between webaccess.bankofamerica.com and webaccess.bankofamerica.x8.co? I doubt it.

So the real fix for this situation is creating a true trust system that most actual end users can understand and rely on.

Then, it seems only natural for something like this to be the future. UUIDs will act as the underlying addressing technology with "whatever you want" as your display name.

And as a bonus, it will really cut down on the cybersquatters' profitability.

9
jrochkind1 1 day ago 1 reply      
To the extent that TLDs are namespaces of hostnames, it's just adding the equivalent of another TLD, but implementing it as a weird proprietary extension on top of .com.

Why?

10
glesica 1 day ago 0 replies      
Fun story, some of the older (hehe, older as in "older than 30 or 35") people here might remember that in the 90s there was a startup that did exactly this but with a browser plugin as I recall (well, not exactly, they didn't hash the text, but they took arbitrary plain text and mapped it to a URL). The idea was to sell short sentences to companies, so "seinfeld TV show" (or whatever) in the address bar would have gone to the NBC "Seinfeld" web site, etc. I think the idea was to make "deep" links easier for people to remember, but I don't remember the details, I just remember that it existed and I probably read about it in PC Magazine.
11
jyap 1 day ago 0 replies      
This won't work because to me this is similar in concept to URL shorteners. The difference being in the shortening algorithm and the use of expensive domains.

So for example with current shorteners you have:

http://shorturl.com/{algorithm for unique URL goes here}

In the above case using a browser plug in can also eliminate any server side resolution of domains.

With this proof of concept:

http://{algorithm for unique URL goes here}.com

... Except the implementation costs $ if it is to be accepted... And to be accepted it needs to have a benefit that isn't solved by URL shorteners.

12
ffk 1 day ago  replies      
This reminds me about how many people don't use domain names at all anymore. Many people probably type the name of their bank into the search bar and visit the first result. I've seen people literally pull up google to search for yahoo mail or ebay.

Domain names are still useful, for a start they provide some level of authentication when mixed with cryptography. (If you visit https://news.ycombinator.com, you can be relatively sure there is no MITM with certain conditions present).

It would be interesting to see how this system can be adapted to work with our current Internet infrastructure.

24
Court Rules No Suspicion Needed for Laptop Searches at Border aclu.org
242 points by frostmatthew  2 days ago   175 comments top 7
1
ck2 2 days ago 4 replies      
Here's the hidden worst part about this they don't mention.

You think border means at the point you cross into another country.

That's not what it means. Government can now do this behavior a HUNDRED miles inland from a border. You could be just driving across town, to or from work, and they can use this border search law because you are a hundred miles from the border.

Oh and the border also includes the ocean, doesn't have to be another country.

https://d320ze5h7gg57a.cloudfront.net/sites/default/files/we...

100% of NY, NJ, Florida and half of Texas is subject to these searches as their state is blanketed by the hundred mile limit.

edited to correct hundred instead of hundreds, bad memory

2
bazzargh 2 days ago 0 replies      
A quote from the ruling that bugs me: "[The detention of David Miranda] is enough to suggest that it would be foolish, if not irresponsible, for plaintiffs to store truly private or confidential information on electronic devices that are carried and used overseas"

(p23, https://www.nyed.uscourts.gov/sites/default/files/opinions/1...)

This is in the middle of a discussion of carrying lawyer-client privileged documents over the border; the judge says you should have no expectation of privacy because other countries may conduct invasive searches too. As advice, it's hard to disagree, that's where we are now; but surely two wrongs don't make a right?

It would be obviously wrong for police to confiscate your money because you were walking towards a rough part of town where you might be robbed. Yet that is the kind of logic the judge applies here; he relaxes the responsibilities of the US govt by invoking hypothetical actions by others. The example he cites was not even a normal border shakedown, but a specific action that was signed off by a government minister; do unusual acts like this change expectations of privacy in the normal course of events?

3
zaroth 2 days ago 3 replies      
Amazing, this is literally the first paragraph in the ruling:

"Since the founding of the republic, the federal government has held broad authority to conduct searches at the border to prevent the entry of dangerous people and goods. In the 21st century, the most dangerous contraband is often contained in laptop computers or other electronic devices, not on paper. This includes terrorist materials and despicable images of child pornography."

Judge Korman is quoting Michael Chertoff, Searches Are Legal, Essential, USA Today, July 16, 2008, at A10.

4
rl3 2 days ago 1 reply      
Interdicting data at borders seems to me to be the height of stupidity, considering said data can flow freely across borders anyway, via the internet.

These policies have no legitimate reason to exist, and can perhaps only be explained by a combination of paranoia, ignorance, and incompetence. It would stand to reason that any terrorists or criminals foiled by these methods would tend to be of the exceedingly dumb variety.

5
joshfraser 2 days ago 2 replies      
I travel abroad a lot and am pretty sure I'm on a special NSA list at this point or will be soon. Besides all my anti-NSA tweets and emails, I've donated money to support Snowden, Lavabit, ACLU, EFF and Ron Paul. I guess it's time to pick up some cheap laptops that I'm okay losing to the border thieves.
6
girvo 2 days ago 1 reply      
The issues arise with the fact that every country's border is inherently leaky anyway: the internet makes sure of that. So, searching your computer and confiscating your device because you're not a fan of some not-even-a-cop going through your stuff will just push those that they want to catch to transferring files somewhere to retrieve when they're in the country.

I'm an Aussie. I have nothing to hide in terms of data on my computer, as far as I know. If I was flying to USA (as an example) tomorrow, I'd wipe my laptop and phone clean, put images on my server, and access them via SSH once I'm through the border... Why the hell do I need to do that?

7
thematt 2 days ago  replies      
Does anybody know what they're looking for? Border Patrol/TSA/Homeland Security agents aren't the sharpest tools in the shed and I can't imagine they're very computer literate. Are they just poking around the filesystem? Do they have automated tools that search for stuff?
25
Ask HN: What's your speciality, and what's your "FizzBuzz" equivalent?
241 points by ColinWright  1 day ago   318 comments top
1
crntaylor 1 day ago  replies      
I was a mathematician, and now work in finance (systematic trading). I've found a reasonable negative filter is

  A jar has 1000 coins, of which 999 are fair and 1 is double headed. Pick a coin at random, and toss it 10 times. Given that you see 10 heads, what is the probability that the next toss of that coin is also a head?
That tests their ability to turn a problem into mathematics, and some very basic conditional probability. Another common question (that I don't use myself) is to ask what happens to bond prices if interest rates go up.
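A worked solution to the jar problem, added here and not part of the post. Let $D$ be the event that the chosen coin is the double-headed one and $H_{10}$ the event of observing ten heads:

$$P(D) = \frac{1}{1000}, \qquad P(H_{10} \mid D) = 1, \qquad P(H_{10} \mid \bar{D}) = 2^{-10} = \frac{1}{1024}.$$

By Bayes' rule the posterior that the coin is double-headed is

$$P(D \mid H_{10}) = \frac{\frac{1}{1000} \cdot 1}{\frac{1}{1000} \cdot 1 + \frac{999}{1000} \cdot \frac{1}{1024}} = \frac{1024}{1024 + 999} = \frac{1024}{2023},$$

and the probability that the eleventh toss is also a head is

$$P(\text{head} \mid H_{10}) = \frac{1024}{2023} \cdot 1 + \frac{999}{2023} \cdot \frac{1}{2} = \frac{3047}{4046} \approx 0.753.$$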

26
I Transcribed Glenn Greenwald's 30C3 Keynote github.com
240 points by poppingtonic  4 days ago   53 comments top 16
1
coldcode 4 days ago 2 replies      
Reading this (and others) makes me conclude that we the people (or any country, but especially here in the US) are truly and royally fucked. For every brave person who stands up there are a hundred thousand who refuse to see that the sun rises in the east and continue to believe what they are being told, that it rises in the west.
2
aryastark 3 days ago 1 reply      
How the hell is James Clapper still in office?? Isn't what he did so obviously perjury?

The America of 2013 is absolute bullshit. I can't even fathom how corrupt this country is.

3
3ds 4 days ago 1 reply      
nice work, maybe you would like to contribute it to the subtitle team effort?

http://subtitles.media.ccc.de/

specifically here: http://subtitles.pads.ccc.de/5622

4
jnbiche 4 days ago 1 reply      
Thank you, tipped (he has a Bitcoin address in the README).

It's a sad era indeed when we have a whole network of American journalists living outside of U.S. borders for fear of imprisonment and other reprisals from their own government.

5
znowi 4 days ago 0 replies      
6
dewey 4 days ago 0 replies      
7
varelse 3 days ago 2 replies      
Playing an unfortunate devil's advocate, all this ludicrous surveillance state gadgetry seems to be less of an attempt to be the United Stasi of America and more of a ridiculous over the top reaction in fear of being accused of going soft on terror.

I don't like it, and I don't agree with it, but I acknowledge that if a 2nd 9/11 level event were to occur after the government relented and imposed reasonable limitations on data collection that the party out of power at the time could easily scream bloody murder and take all 3 branches of government in a single election cycle. I'd previously only expected this from the party of Kang, but Obama's stance on drones and NSA surveillance has revealed the party of Kodos is no better.

Which is to say I think the surveillance state is a symptom more than the disease. America has lost all sense of perspective.

~30,000 automotive deaths (of which ~10,000 resulted from drunk driving) annually.

~11,000 gun deaths.

~6,000 deaths from falling off ladders.

~3,000 people died on 9/11.

Ergo we should ban ladders, guns, alcohol, and cars: it's the only way to be sure, no?

8
lispm 3 days ago 0 replies      
'Applause' at the end is an understatement. He got a long standing ovation for his contributions to expose the NSA's war on people.
9
beernutz 3 days ago 0 replies      
I wanted to thank the poster for their work in transcribing this! I personally really appreciate it.

I REALLY dig doing this via github as well. I submitted a pull request with some spelling changes.

10
salient 4 days ago 1 reply      
Greenwald's speech was great, but so far the most interesting one to me has been Jacob Appelbaum's speech where he gives a lot more technical details (including new information) about how the NSA is hacking systems and how far they are willing to go, like wanting to create a "Great Firewall of Earth" or even radiating people with up to 1KW in order to get what's in their computer, which just proves how out of control and power hungry the NSA is and how indefensible their actions are, despite what some of the NSA HN users around here or their supporters might say.

Highly recommend it:

http://www.youtube.com/watch?v=b0w36GAyZIA

11
mjallday 4 days ago 1 reply      
Did you do this by hand or use a tool and then touch it up afterwards?
12
detcader 4 days ago 0 replies      
A good summary of events so far, in a general sense. More important stuff to check out from/on Greenwald, one of the most important journalists in US history, at least by the nature of what he's helped publish (but of course more than that):

Conversations with History: Glenn Greenwald - https://www.youtube.com/watch?feature=player_embedded&v=-qlF... ~2011

Glenn's "Frequently Told Lies" page - http://web.archive.org/web/20131007002618/http://ggsidedocs.... (it's currently down, both on archive.org and the original page)

The American columnist who can't live in America - http://amanpour.blogs.cnn.com/2013/06/10/the-american-column... (this is before the striking down of the gay marriage law in question, I think)

How Glenn Greenwald Became Glenn Greenwald - http://www.buzzfeed.com/jtes/how-glenn-greenwald-became-glen...

Believing oppression only happens elsewhere - https://theoldspeakjournal.wordpress.com/2013/01/16/believin... (the original blog is down)

Endless War, Radical Presidential Power, and a Rotted Political Culture: A Talk by Glenn Greenwald - http://translationexercises.wordpress.com/2013/03/28/endless... [28 Mar 2013]

13
jonnybgood 3 days ago 2 replies      
I'm very skeptical of Glenn Greenwald. I'm surprised by how many will readily accept whatever he says. That's kinda scary. There's a question of credibility when you don't fact check[1]. Makes you wonder what else Greenwald is exaggerating or not fact checking.

[1] http://www.washingtonpost.com/blogs/erik-wemple/wp/2013/06/1...

14
davedx 4 days ago 0 replies      
Thank you.
15
plg 4 days ago 0 replies      
Thank you
16
jokoon 3 days ago 1 reply      
watching the video, at some points there seems to be audio lag...

I even wonder if the NSA actually tried to DDOS the skype call conference.

28
Isaac Asimov Predicts in 1964 What the World Will Look Like in 2014 openculture.com
228 points by beshrkayali  1 day ago   116 comments top 13
1
sillysaurus2 1 day ago 10 replies      
Note that this article is a lightweight edit of Asimov's original piece: http://www.nytimes.com/books/97/03/23/lifetimes/asi-v-fair.h...

In particular, the article is edited to only show you reasonable predictions, rather than all his predictions. I thought his mistakes were just as interesting, because they give us a window into what life was like in 1964. Asimov predicted that moon colonies would be common by now, for example. The overoptimism may have been due to the rate of technological growth leading up to 1964. On the other hand, perhaps it was due to the times. People were abuzz with the possibilities of the future partly because Kennedy had recently (1961) set a national goal of "landing a man on the Moon and returning him safely to the Earth by the end of the 1960s." So it's pretty interesting to try to see the world through the eyes of someone 50 years ago and try to diff societal trends to the modern day.

(It's also fun to imagine someone 50 years from now looking back on us. I wonder which of our societal trends will survive 50 years? It's an interesting game to try to figure out which of our current beliefs are crazy even though no one presently thinks so.)

There are many interesting aspects of Asimov's piece, so it's well worth the read. For example, does this point about future societies sound familiar?

"The situation will have been made the more serious by the advances of automation. The world of A.D. 2014 will have few routine jobs that cannot be done better by some machine than by any human being. Mankind will therefore have become largely a race of machine tenders."

He's mistaken about 2014, but only time will tell whether this is temporary.

I was also surprised that there were fewer than half as many people in 1964 than in 2014. Asimov mentioned that the population is predicted to double every 40 years. I wonder if that's still the case, or if growth has slowed?

2
JeffL 1 day ago 3 replies      
A lot of it is really good, but the part about boredom is interesting:

[M]ankind will suffer badly from the disease of boredom, a disease spreading more widely each year and growing in intensity. This will have serious mental, emotional and sociological consequences, and I dare say that psychiatry will be far and away the most important medical specialty in 2014.

One thing we haven't had any trouble with in terms of advancement is how to entertain people. Facebook, Twitter, World of Warcraft, (ahem) Star Sonata, traveling, sports, German board games, ... The entertainment possibilities are endless. I think too many entertainment options is the problem, if anything.

3
smsm42 1 day ago 3 replies      
One of the funny things is the video-phone. The technology has been there for years, and we can't really say we don't do it at all - we do it sometimes. But mostly we don't - not because the technology is not there but because it turned out it's not that great an idea after all. Turns out in most situations we don't actually need the video and voice only is good enough. It is fascinating how many people didn't think it would be the case.
4
dylandrop 1 day ago 2 replies      
"There will be aircraft, of course, but even ground travel will increasingly take to the air a foot or two off the ground."

Curious as to why there is such an obsession with hovering vehicles in pop culture depictions in the future. It seems cool but that it would be inefficient even if we did develop it. (Using a crapload of power to suspend a heavy vehicle when it could be sitting on the ground just doesn't make much sense to me.)

5
unfunco 1 day ago 2 replies      
The one that stands out for me:

    [M]ankind will suffer badly from the disease of boredom, a disease spreading more widely each year and growing in intensity. This will have serious mental, emotional and sociological consequences, and I dare say that psychiatry will be far and away the most important medical specialty in 2014.
Whilst psychiatry isn't yet the most important specialty in medicine, we are beginning to fall into boredom all too easily; most people can't go a few minutes without looking at their smartphones, and most can't live in the moment. Yesterday I watched the New Year's Eve fireworks on the Thames in London, and the ground was lit up brighter with the screens of phones than the sky was with fireworks.

6
ricardobeat 1 day ago 0 replies      
Previous discussion (3 months ago), with a list of correct/failed predictions: https://news.ycombinator.com/item?id=6287340
7
redthrowaway 1 day ago 2 replies      
I'm always fascinated when reading articles like this that no one predicted general purpose or networked computers, or the implications thereof. It's always a gadget for this and a gadget for that, but never a gadget for everything that communicates instantaneously with every other gadget for everything on Earth. It speaks to the limits that the society around us places on our imagination -- these things were, quite literally, unthinkable.
8
schappim 1 day ago 0 replies      
Asimov's predictions:

Gadgetry will continue to relieve mankind of tedious jobs. Kitchen units will be devised that will prepare automeals, heating water and converting it to coffee; toasting bread; frying, poaching or scrambling eggs, grilling bacon, and so on. Breakfasts will be ordered the night before to be ready by a specified hour the next morning.

Communications will become sight-sound and you will see as well as hear the person you telephone. The screen can be used not only to see the people you call but also for studying documents and photographs and reading passages from books. Synchronous satellites, hovering in space will make it possible for you to direct-dial any spot on earth, including the weather stations in Antarctica.

[M]en will continue to withdraw from nature in order to create an environment that will suit them better. By 2014, electroluminescent panels will be in common use. Ceilings and walls will glow softly, and in a variety of colors that will change at the touch of a push button.

Robots will neither be common nor very good in 2014, but they will be in existence.

The appliances of 2014 will have no electric cords, of course, for they will be powered by long-lived batteries running on radioisotopes.

[H]ighways in the more advanced sections of the world will have passed their peak in 2014; there will be increasing emphasis on transportation that makes the least possible contact with the surface. There will be aircraft, of course, but even ground travel will increasingly take to the air a foot or two off the ground.

[V]ehicles with Robot-brains can be set for particular destinations that will then proceed there without interference by the slow reflexes of a human driver.

[W]all screens will have replaced the ordinary set; but transparent cubes will be making their appearance in which three-dimensional viewing will be possible.

[T]he world population will be 6,500,000,000 and the population of the United States will be 350,000,000. And later he warns that if the population growth continues unchecked, All earth will be a single choked Manhattan by A.D. 2450 and society will collapse long before that! As a result, There will, therefore, be a worldwide propaganda drive in favor of birth control by rational and humane methods and, by 2014, it will undoubtedly have taken serious effect. [See our Walt Disney Family Planning cartoon from earlier this week.]

Ordinary agriculture will keep up with great difficulty and there will be farms turning to the more efficient micro-organisms. Processed yeast and algae products will be available in a variety of flavors.

The world of A.D. 2014 will have few routine jobs that cannot be done better by some machine than by any human being. Mankind will therefore have become largely a race of machine tenders. Schools will have to be oriented in this direction. All the high-school students will be taught the fundamentals of computer technology, will become proficient in binary arithmetic and will be trained to perfection in the use of the computer languages that will have developed out of those like the contemporary Fortran.

[M]ankind will suffer badly from the disease of boredom, a disease spreading more widely each year and growing in intensity. This will have serious mental, emotional and sociological consequences, and I dare say that psychiatry will be far and away the most important medical specialty in 2014.

[T]he most glorious single word in the vocabulary will have become work! in our society of enforced leisure.

9
edward 1 day ago 3 replies      
I like this one: The appliances of 2014 will have no electric cords, of course, for they will be powered by long-lived batteries running on radioisotopes.
10
ctdonath 1 day ago 0 replies      
The problem with most such predictions isn't the technology but the social side effects; we are capable of fulfilling the prediction, but don't want to. Ex.: nuclear batteries are entirely doable, but the word "nuclear" has been demonized. Ex.: breakfast-making robots are possible, but we just don't want them.
11
adamnemecek 1 day ago 5 replies      
Some of these are actually pretty prescient. Particularly this one

"Robots will neither be common nor very good in 2014, but they will be in existence."

Rest is pretty hilarious. E.g.

"Any number of simultaneous conversations between earth and moon can be handled by modulated laser beams, which are easy to manipulate in space. On earth, however, laser beams will have to be led through plastic pipes, to avoid material and atmospheric interference. Engineers will still be playing with that problem in 2014."

12
jrockway 1 day ago 0 replies      
The appliances of 2014 will have no electric cords, of course, for they will be powered by long-lived batteries running on radioisotopes.

I guess lithium doesn't decay very quickly. What's interesting is that we didn't really make batteries much better: we made things use less power. I am still looking forward to a wireless tea kettle, however.

13
deletes 1 day ago  replies      
All the high-school students will be taught the fundamentals of computer technology, will become proficient in binary arithmetic, and will be trained to perfection in the use of the computer languages that will have developed out of those like the contemporary Fortran.

I wish that was the case.

29
The most Kafkaesque paragraph from today's NSA ruling washingtonpost.com
228 points by runn1ng  4 days ago   61 comments top 16
1
jfaucett 4 days ago 4 replies      
If I understand this correctly, it is simultaneously the most absurd and scary thing I have read in a very long time. So now crimes committed by the government cannot be challenged because the government never intended anyone to find out about it - that's a horrid piece of law.
2
chasing 4 days ago 1 reply      
"Pauley is essentially saying that the targets of the order have no recourse to challenge the collection of their personal data because Congress never intended for targets to ever know that they were subject to this sort of spying."

No.

Pauley is saying that the targets of the order have no recourse to challenge it. That Congress never intended for them to know about it may be true, but it's otherwise neither here nor there.

3
jbaiter 4 days ago 0 replies      
Yesterday in a talk at 30C3, a historian discussed article 10 of the German 'Grundgesetz' (our constitution) whose logic is similar and which reads as follows:

> (1) The privacy of correspondence, posts and telecommunications shall be inviolable.

> (2) Restrictions may be ordered only pursuant to a law. If the restriction serves to protect the free democratic basic order or the existence or security of the Federation or of a Land, the law may provide that the person affected shall not be informed of the restriction and that recourse to the courts shall be replaced by a review of the case by agencies and auxiliary agencies appointed by the legislature.[1]

The logic sounds alike to me: Victims cannot know that they are being surveilled, nor, should they under some circumstances obtain knowledge of the fact, take any real legal recourse against it.

Fun fact: That article was imposed by the US.[2]

[1] http://www.gesetze-im-internet.de/englisch_gg/englisch_gg.ht...

[2] http://de.wikipedia.org/wiki/Deutsche_Notstandsgesetze (sorry, the English article doesn't cite any sources)

4
CurtMonash 4 days ago 3 replies      
That's not crazy. When faced with a law, terrible or otherwise, judges have two main choices:

1. Rule that the law should be followed.

2. Rule that the law is unconstitutional.

The article provides strong reasons for believing the law is terrible, but that doesn't mean the judge is wrong on any grounds except constitutional ones.

5
smokeyj 4 days ago 3 replies      
I wonder what kind of dirt the executive branch has on the judicial branch..
6
rayiner 4 days ago 2 replies      
This is taken wildly out of context. The sentence right after the quoted text is just wrong. The quote is in response to a statutory argument. Statutory arguments are evaluated by reference to the text of the statute and Congress's intent in drafting the statute. The court is not saying that the ACLU has no claim because Congress did not intend the targets to find out, but rather that Section 215 doesn't create that claim because it would be inconsistent for Congress to intend to create such a claim when Congress did not intend for targets to find out. The court is rejecting one possible basis for the ACLU's claim, which is that Congress intended to create an avenue of recourse in the statute. It's not a general point applicable to other possible bases for the ACLU's claim. In particular, the court is not saying that the ACLU cannot mount a Constitutional challenge for that reason, which is what the article implies. That would be Kafkaesque, but that's not at all what the opinion says. The Constitutional basis is separate from the statutory one, and does not depend on Congress's intent.

It helps to think about this analogously to other kinds of suits. Say you feel like a school district is discriminating against African Americans. There's a constitutional dimension to that case, but also a statutory dimension. Congress has created legislation that people can rely on to address such discrimination. To defend a suit under such a statute, a state might argue that a particular suit does not fall within the scope of the statute: that Congress did not intend for the statute to serve as recourse in this situation. But that still leaves the broader Constitutional issue on the table. Whether Congress intended for a statute to serve as recourse is irrelevant to the Constitutional argument. There are two separate bases.

7
Cakez0r 4 days ago 0 replies      
It's not a crime unless you get caught! .... Or apparently if you didn't intend to get caught.
8
zacinbusiness 4 days ago 2 replies      
I don't think any of this really matters. If the Supreme Court decided tomorrow that anything the NSA does is unconstitutional then the laws would either be rewritten immediately or the government would challenge the ruling and force the justices to change their minds. The US government answers to no one, and that includes the Supreme Court.
9
ItendToDisagree 4 days ago 1 reply      
A hypothetical:

"The principal called. He said that you cheated on your exams."

"Yeah, but I never meant for anyone to find out, so why am I in trouble?"

Seems legit to me!

10
Aloha 4 days ago 0 replies      
I should point out that the person who argued for the petitioner - Doe - in Gonzaga v Doe, was John Roberts - this may not go the obvious way if it reaches the supreme court.
11
coldcode 4 days ago 0 replies      
We should be reminded that neither Kafka nor Orwell should be regarded as designs for law. The more time goes by the more we seem to live in their world.
12
memracom 4 days ago 1 reply      
Imagine that the KGB informs Putin that Edward Snowden is holed up in Moscow airport. What would Putin ask?

Probably, "What information does he have that we could use?".

What would you as a KGB leader say to Putin? Probably "Well, he stole a huge amount of sensitive information from the NSA but he apparently hid it all on the Internet and gave copies to several other people. But he doesn't have it with him."

And then what would Putin say? Perhaps "If he has already passed on this information, then could he do anything else other than what he has already done?"

I suppose the KGB leader would say "No, other than to hide away so that they can't hold a big show trial hoping to cover up the real story."

"Good," says Putin. "We will give him refugee status if he promises not to do anything else to further harm the USA. After all, it will take time for all the information to filter out to the media. We will hide him so that the media has to focus on the facts."

And then Putin adds, "Do you think he discovered anything that we don't know already?"

And the KGB leader replies "We have known of this lax security for years. Our team of sleeper agents set up many channels of information for us years ago, so we think this only means that the world will learn what we already know."

13
rodrodrod 4 days ago 0 replies      
Wait, what? There's no way that's a valid legal argument. That's insane.
14
jkarni 4 days ago 0 replies      
If I understand this correctly, is it really that worrying an argument? One can't use covert telephone recording (i.e., without two-party consent) as evidence in most states, and it's important that the person being recorded didn't intend for the conversation to be recorded and available in the future as evidence. Similarly, one would expect leaks to not hold up as evidence.

Much as I also dislike the ruling, the argument here seems quite reasonable to me.

15
gamerDude 4 days ago 0 replies      
Well, in a way this is a similar kind of right as the people have to not be prosecuted after an unwarranted search.

Can we get a warrant to search every portion of the government for illegal activity? We just have to find some sort of suspicion that they might be doing this...

16
squozzer 4 days ago 0 replies      
The ruling seems to have put the kibosh on legal redress. Now the question becomes what to do next. So how does one neutralize something like an NSA? Where are their pressure points?
30
What Snowden really revealed aljazeera.com
228 points by kostyk  2 days ago   53 comments top 10
1
Derbasti 2 days ago 4 replies      
At this point, it may well be impossible to shut down the NSA. I imagine every opposing politician gets visited by some agent at some point, showing him records of his own wrongdoings.

Imagine every politician ever being forced to choose between the end of his career and opposing the NSA. How can we get out of this mess?

2
canadev 2 days ago 2 replies      
I think this was well written and I enjoyed reading it.

It brought some interesting information to my attention that I was not aware of (e.g. the porn habit blackmail scheme) - there have been so many articles about the leaks that despite them being important to me, I've made a conscious decision not to read them all.

I really like the quote (that I can't find a source on) that he "defected from the American government to the American people."

Edward Snowden is one of my heroes. This is something I find that I don't say very lightly or very often about anybody.

3
Ygg2 2 days ago 5 replies      
I wonder, at what point would the NSA start manufacturing threats? It seems like a clear progression of their behavior. Because you can't constantly cry wolf, you have to fight a straw-wolf from time to time.
4
radiorental 1 day ago 1 reply      
What Snowden _really_ revealed is that the goal of the terrorists has been achieved. The 2996 souls who lost their lives on 9/11 were unfortunate collateral damage.

The hysteria since and "hollowing out of our democracy" is the goal of a terrorist.

This is not to say things weren't peachy before the attack, but the US has lost so much moral standing, respect & power since due to our government's actions.

We should have kept calm and carried on, we did the complete opposite.

5
joseflavio 2 days ago 0 replies      
"all experience hath shewn, that mankind are more disposed to suffer, while evils are sufferable, than to right themselves by abolishing the forms to which they are accustomed" -- Preamble of the declaration of independence

It is going to be very difficult to motivate people to change something... until a big part of population is starving I believe...

6
DanielBMarkham 2 days ago 1 reply      
Hey I'm as big of a hair-on-fire guy as the next guy, but this is getting too much.

A bit of context. Please.

The U.S. has always overreacted to existential threats. In fact, that's the way the system is designed. If it has to fail, it fails towards a dictatorial president and overbearing laws -- which are removed by a frequently-elected and truly representative Congress as soon as the threat is gone. We've been going along like this for 240 years or so. There is nothing new about the abuse of power or removal of freedoms (unfortunately).

So what's changed? First, internet companies are tracking every freaking thing you do online. They figured out that the average Joe will give up his privacy for free email, and they're having a field day with it.

Governments trump companies, and since the data is already collected, every government on the planet is wanting a piece of that action.

Second, there is no ever-changing Congress looking to score points with the folks back home. Instead, there's a static political system that fears looking bad -- and it's grown a perpetual fear machine built up around terror that can make it look really bad.

Folks do this issue a great disservice when they focus only on the U.S., or only on the NSA. Look guys, if the U.S. and the NSA disappeared tomorrow, you'd have the same problems you have now -- you just wouldn't know so much about them. This has nothing specifically to do with them. (I'm not making excuses, only pleading for context).

The tech community brought this on themselves. We are the people to blame. The trade-off of tracking data for free stuff was too good to be true. In fact, instead of the tracking data being almost worthless to the average citizen, as it turns out this data is much too valuable to give up under any circumstances, at least in the aggregate. Until that leaky bucket is fixed somehow, nothing changes.

7
boldklubben 2 days ago 1 reply      
> We have sacrificed our freedoms and morals in order to make war on those abroad

There are unperceivable powers that be. Possibly and even likely without what we consider morals. Bear with me. When you had enough wealth and can own or have anything, what's next? It's human nature.

8
daphneokeefe 2 days ago 0 replies      
This is one of the clearest explanations of the situation that I have read.
9
DonGateley 1 day ago 0 replies      
What's wrong with this logic is the presumption that the intelligence community would share any effective results of their work with the public. That would be just plain stupid. Rather than an endless argument over disclosing and justifying results, it is far simpler to simply say there aren't any. Yeah, image takes a hit but those people are much less concerned with image than with doing what they have been chartered to do.

Anyone to whom any of this (other than the capabilities) comes as any surprise at all is naive indeed and probably has no memory of the hostile spy era that spawned and justified it.

10
jebblue 1 day ago 1 reply      
The article is hosted on the same site that cooperates with terrorists, regardless of how you feel about Snowden, pro or con: http://www.aim.org/aim-column/al-jazeera-still-promoting-gun...
       cached 3 January 2014 16:11:01 GMT