Hacker News with inline top comments, 15 Aug 2015 (Best)
Even when told not to, Windows 10 doesn't stop talking to Microsoft arstechnica.co.uk
439 points by gregmolnar  2 days ago   247 comments top 23
1
bsilvereagle 2 days ago 4 replies      
> And finally, some traffic seems quite impenetrable. We configured our test virtual machine to use an HTTP and HTTPS proxy (both as a user-level proxy and a system-wide proxy) so that we could more easily monitor its traffic, but Windows 10 seems to make requests to a content delivery network that bypass the proxy.

Does this mean a Win10 machine setup to use something like Tor will leak the user's actual IP back to Microsoft? If you're VPN'd, is some traffic still leaking outside of the VPN?

From an engineering perspective, how is this happening? Does Microsoft have a second network interface hidden away using hardcoded settings for DNS, etc?

On a somewhat related note, if a Win10 app is cert pinning, is there a way to force it to use your cert so you can MITM it?

2
thescrewdriver 2 days ago 5 replies      
Until recently Microsoft had taken a far more reasonable approach to privacy than say Google. Anyone remember the MS "gmail man" ads mocking the way Google inspects your email when MS doesn't? It seems that MS under Nadella has taken a decidedly Google-like turn away from privacy with Windows 10. MS seems as hell-bent as Google and Facebook to collect as much data about you as possible, even if it is for seemingly innocuous purposes.
3
jammycakes 2 days ago 4 replies      
In all these discussions about Windows 10 phoning home, there are a couple of things that I haven't yet seen properly discussed.

1. Do the different versions of Windows (Home/Pro/Enterprise/Education) behave differently? If so, how?

2. Do the pro/enterprise versions behave differently when they're connected to a domain?

I'd imagine that the answer to at least one of these questions would be "yes." This kind of behaviour would be a deal-breaker in many enterprises.

4
bhouston 1 day ago 1 reply      
Given that it is proven that the NSA spied on European companies for economic reasons, this isn't a good idea. Now the NSA can just tap into Microsoft, either covertly or through court order, and spy on the whole world.

Details of economic spying -- may not be the best article but the easiest to find:

http://www.hurriyetdailynews.com/nsa-spied-on-french-economy...

5
datainplace 1 day ago 6 replies      
Stupid question, but my Mom lives in a really rural area. Pays quite a bit for internet and is charged by the MB. Can we ask Microsoft to pay for their bandwidth usage?

Since upgrading to Windows 10 she's been hit with $200 in overages.

6
enqk 2 days ago 1 reply      
This highlights what we really lost when consumer operating systems started replacing enterprise-grade operating systems. I would have never imagined this kind of thing happening on something like Solaris or Irix, which were the base operating systems of many workstations. At some point when Linux became popular it suggested that the regular consumer would benefit from the robustness, focus, reliability of an enterprise grade OS. Not so..

That large companies accept this state of affairs is extremely surprising.

That we accept that our electricity and communication bills are being diverted to serve the interest of an operating system's creator.. that sounds crazy. It's like letting the creator of your fridge eat your food and drive your car.

7
mark_l_watson 1 day ago 1 reply      
I was downvoted and criticised a few days ago for defending Microsoft on Windows 10. I am starting to change my opinion after looking into the issue more. I watched a recent Richard Stallman talk on youtube and went through the process of making the tightest privacy settings I could on my iPad, Windows 10 laptop, and Android phone. (I left my Mac and Linux laptops as is since I just use those for development.)

I think that Microsoft looked at the Google Now user experience on Android phones and decided to emulate that type of AI assistant in Windows. Google collects all sorts of user context information and Microsoft decided to do the same.

This is a guess but the difference may be that (some) people are willing to have less privacy on their smartphones but care more about privacy on their computers.

8
pdkl95 2 days ago 0 replies      
From the image of the captured data that is sent when telemetry is "off", a few bits are obviously Windows-style UTF-16. The GUID is obvious, and is that an assert error message? Very strange...

 prod e5ff4669-311a-0933-dee2-9444eee86460 instrumentation.cpp Instrumentation::StartQosExperience (Utilities::HashMapContains(_qosUXScenarioDataById, scenerioId) == false) Assertfailed: (Utilities::HashMapContains(_qosUXScenarioDataById, scenerioId) == false): Instrumentation is active when we try 
(it cuts off after "try")

9
cautious_int 2 days ago 0 replies      
Windows 10 seems to transmit information to the server even when OneDrive is disabled and logins are using a local account that isn't connected to a Microsoft Account.

Well there you go. If you ever wondered whether this is happening only on the Microsoft Account(tm).

10
ultramancool 2 days ago 0 replies      
Hah, I mentioned this a few days ago. Glad to see someone picked it up and ran it.

https://news.ycombinator.com/item?id=10037753

11
jcadam 2 days ago 1 reply      
Wow. I use Linux and BSD on my own machines, but the rest of the family is on Windows 10. This sort of thing makes me seriously think about trying to get the wife and kids to consider switching :/
12
jorgecastillo 2 days ago 2 replies      
I am sticking with Windows 7 until I get out of college and after that I am ditching Windows forever.
13
fumar 2 days ago 2 replies      
I'm not savvy enough to discern whether OS X or iOS does this. Does anyone know if iDevices also ping back to Apple?
14
elcct 2 days ago 1 reply      
Is Microsoft paying for that traffic?
15
otis_inf 1 day ago 1 reply      
In the post-Snowden era, USA tech corporations, like Microsoft, felt the downturn on trust from non-USA companies and citizens in their online offerings. With Microsoft betting more and more on their cloud services, I find it strange (or maybe it isn't strange, but let's be naive for a minute here) that Microsoft goes against this and actually gives people _more_ reasons to not trust them than less.

As if they're thinking we all don't give a shit. But if we all didn't, why the downturn in trust in USA tech corporations post-Snowden?

I can't help but think that this is either massively naive from their part (people/companies won't care, they will buy our stuff and services regardless) or very short-sighted (as it will hurt their cloud services offerings in the long run, the more they hammer down the trust from their own users in MS' wares.)

16
tdkl 1 day ago 1 reply      
Funny, nowadays there seem to be more firewall rules needed for outbound traffic than inbound on Windows. In the old days we had a name for that - spyware.
17
w8rbt 1 day ago 0 replies      
Windows 10 reminds me of a saying an old co-worker of mine used a lot, "Vendors lie... packets don't."
18
cryptophreak 1 day ago 1 reply      
Of course this is true. Companies make money by spying on their customers. Did we really imagine that flipping the Stop making money preference was going to work?
19
jellicle 1 day ago 0 replies      
I have a really hard time understanding how "enterprises" are going to upgrade to Windows 10.

An operating system that is sending random internal data to random places on the internet seems to violate both a wide selection of national laws related to data privacy, and many corporate policies relating to trade secrets, privacy, internal operations and so on.

Microsoft must have thought of this. What's their plan for continuing to sell to these customers?

20
mjcohen 1 day ago 1 reply      
I got a refurbished HP Stream 11 for $120 (Groupon) and spent 3 hours upgrading to Windows 10. I then installed Chrome and LibreOffice. It works fine, but, with all these privacy invasions, I see no reason to use it. My Acer C720 Chromebook (upgraded to a 128GB SSD) with Crouton and Ubuntu 14.04 is much more useful to me.
21
tempodox 2 days ago 3 replies      
Maybe I'm just jaded, but does that really surprise anyone? Most developments at MS have been nothing but successive layers of lipstick-on-a-pig. No amount of lipstick can make the pig underneath go away.
22
yellowapple 1 day ago 1 reply      
It's hard to know without inspecting the exact data involved, but I feel like this is dangerously close to a HIPAA or HITECH breach, and I know of several hospitals who are strongly on the Microsoft bandwagon and are considering Windows 10.

The "send search data to an internet endpoint even if it's patently obvious that the search is for local resources" reeks strongly of Ubuntu's Amazon Shopping Lens. Did Mark Shuttleworth switch gears from Canonical to Microsoft when I wasn't looking?

23
PythonicAlpha 2 days ago 3 replies      
You agreed to the privacy terms, so you are at the mercy of whatsoever Microsoft implemented. Windows 10 even could totally ignore your settings.

I say this not because I think that this is OK, but to reflect that even changing the settings does not save you from the harm that was done by the privacy terms!

Why downvoted? When you disagree, then give arguments, not gutless clicks!

Edward Snowden at IETF 93 github.com
425 points by grey-area  1 day ago   129 comments top 15
1
travjones 1 day ago 5 replies      
I think it's a shame how mainstream media suggests that Snowden is a "coward" for not "coming home to face his charges." It's clear that he released confidential docs to reporters and this would be incredibly easy to prove in court, thereby landing him in prison for the rest of his life. I don't know any sane person that would surrender to this type of treatment, considering that he wouldn't be able to defend his actions legally. Stay on the run, Ed. Thank you for releasing this information so that the American public has some idea of the degree to which we are electronically surveilled on a daily basis.
2
vog 1 day ago 1 reply      
I like Snowden's final conclusion:

> if the internet and technology does become a danger to us in the future, it's our own fault because we decided not to participate and we let other groups and other influences to decide for us rather than being part of it [...]

Before that, he argues that more people should involve themselves more in the IETF and similar groups:

> [...] However, when you look at the IETF, they literally don't make a decision unless it's based on consensus. There are no requirements. There are no academic standards or qualifications that anybody has to meet before they can be involved in a working group. Literally, anyone can join, anyone can participate in the process, anyone can make themselves heard, anyone can influence the standards that we develop, put forth, and decide. [...] It's a more inclusive community than it ever has been before [...]

3
pythondz 1 day ago 0 replies      
When Snowden exposed facts about MAC addresses, it's very scary knowing that IoT is coming in our life. I'd like to have a firmware for wireless electronic devices that can use a random MAC address every thirty minutes without using actual spoofing tools that are easy to use only on desktop/laptop/smartphone. I want the same tools for my bluetooth headset, my car wireless devices and so on...
4
rodionos 1 day ago 2 replies      
This is the first time I've read his point of view first hand and actually listened to his presentation. He seems to be incredibly smart and well-versed in his subject domain.
5
merrywhether 1 day ago 4 replies      
I'm always struck by the strange cognitive dissonance US law has for corporate whistleblowers vs governmental whistleblowers. How can you recognize the value of one while dismissing the value of the other? It's not like a whistleblower defense is a get-out-of-jail-free card either, as you must prove that what you did was actually in the public interest. It's a shame that there's no movement for reform in this area, because ultimately it would be very interesting to see Snowden return to the US for a "fair trial" and see the public response (both within the US and globally) to the outcome.
6
tptacek 1 day ago 4 replies      
When asked about DNSSEC, which is a forklift upgrade of a core Internet protocol that has the deliberate effect of giving NSA and GCHQ control of TLS keys for hosts in .COM, .UK, .NET, .ORG, and .IO, this was Snowden's answer:

Edward Snowden: So, I agree with you and I mean this is what's important about the IETF. Just because I say it, doesn't mean it's gospel. I can be wrong about an incredible amount of things. Nobody should trust me. Nobody should grant any sort of outsized weight to what I say.

When I talk about the NSA, I mentioned it in correlation with DANE and the DPRIVE initiative as well because the whole idea is that, yes, providing some mechanism for authentication of the responses between DNS queries is valuable. It's not an end to itself.

We still have to be able to say, "Well, all right, the certificate that you're getting from it, for a server is also reliable," and then we have to actually do more to armour the requests themselves to make sure that they don't become a new vector, they don't become manipulated.

Who knows like if eventually the DNS responses themselves that are provided through this become some sort of vulnerability because of the way they're parsed or whatever, but the whole idea is that we gotta start somewhere and then we've got to iterate from that point.

We've gotta begin building and when I think about things like DNSSEC, I don't think it's the golden age, we can solve all of the problems, but I do think that it's a start. It's better than the status quo. It's better than what we have today.

And by getting the community thinking, by coming together and trying to develop some kind of solution, some kind of standard, we can start developing things that will allow us to build a bridge to the next generation of what we need to protect us against the next generation of coming attacks, and there's a lot of things that get in there. I mean cryptographic agility is one of the big hot things that we have to deal with as well.

I can barely follow this at all, but the part where he says DNSSEC is "better than the status quo" is pretty clear. The questioner responds, "so let's implement it".

Please be careful with what Snowden says. Whatever you think of his disclosures --- and most of my friends think they were brave and incredibly useful --- there is very little evidence that Snowden is qualified to advise anyone on cryptographic security, and some pretty significant evidence to the contrary.

7
rafaelferreira 23 hours ago 2 replies      
The interview would've probably been a lot more fruitful if questions centered around what he knows about the surveillance capabilities of the agencies he was involved with, in technical detail, than asking for his opinions on technology policy, an area where he is admittedly not an expert.
8
wdewind 1 day ago 2 replies      
The internet doesn't belong to vendors. The internet doesn't belong to governments.

The internet belongs to the user, right?

The thing is, this is literally false. The infrastructure of the internet is paid for by governments and vendors. A user wouldn't be called a user if it belonged to them...

The internet is a great decentralization when compared to traditional media like television, but it's not nearly as big a difference as people make it seem. With how most people use it it's not far from just having more channels on your existing cable box.

9
mike_hearn 23 hours ago 2 replies      
Ed's views on Bitcoin are a little surprising. I'm not sure what he means by "nobody likes to talk about Bitcoin any more". It's not that old!

One of the problems Bitcoin solves is that you cannot have personas or unlinked identities in the traditional financial system. Governments, and therefore the banks they control, all view financial privacy or pseudonymity as only useful for criminals. That's a rather narrow viewpoint. Especially as the notion of "criminal" becomes more divergent between ordinary citizens and their rulers. There's some truth to it (anonymity does sometimes enable bad stuff), but it's excessively black and white.

Regardless, given that Snowden views payment methods and such as being very important, he even brought that up himself, I don't know how else he thinks it can be done, other than with Bitcoin. If you try and create a payment method that has privacy the banks won't give you the time of day. Being completely decentralised and independent is the only way to do money that exists outside of the status quo.

10
mercurialshark 15 hours ago 0 replies      
I pretty much agree with Marc Andreessen, on each point. Instead of attempting to paraphrase his points, just watch:

http://www.cnbc.com/2014/06/05/snowden-a-traitor-andreessen....

11
hellbanner 1 day ago 1 reply      
Props to Mnot (or whoever did it) for providing links out of the transcript.
12
rbcoffee 19 hours ago 0 replies      
13
lsllc 1 day ago 0 replies      
Wow, he's got me. Reddit, HN and grandma's cookie site!
14
jokoon 18 hours ago 1 reply      
If a republican is elected, ed might stay away from the US for a long time.
15
chatmasta 1 day ago 4 replies      
Ferrolic ferrolic.com
353 points by jpatokal  2 days ago   68 comments top 25
1
rolfvandekrol 2 days ago 2 replies      
Cool!

The designer (http://zelfkoelman.com/) is Dutch, and the name is actually a pun in Dutch. The word 'Ferrolic' is pronounced almost the same as the Dutch word 'vrolijk', which means 'happy' or 'joyful'.

2
edent 2 days ago 1 reply      
It reminds me of the game World of Goo - those uncanny black blobs floating around.

As the site says, the device can only withstand a few months of sustained use - which is a pity.

3
adiabatty 2 days ago 0 replies      
My first thought after seeing the video was "you could make a really cool James Bond-movie introductory title scene or five with this".
4
codeshaman 1 day ago 4 replies      
At first I thought 'this is so cool', but then after thinking about it for a while, I realised that it's no cooler than any of the 200 videos or pictures with 'cool stuff' that I see every day.

I think it's a pretty useless expensive gimmick created out of toxic materials to excite the numb neurons of the bored inhabitants of the digital realm for 2 minutes or so. Then we'll all forget about it and move on to the next thing. I'm already looking for something else :).

5
linkydinkandyou 2 days ago 2 replies      
This is very beautiful. The clock is probably the "killer app" for this.

It would also keep the cats amused; like watching a fishtank for them.

6
matthewmcg 1 day ago 0 replies      
If you like this sort of machine for art's sake, you'll love the kinetic sculptures of Arthur Ganson: http://www.arthurganson.com/pages/Sculptures.html

Check out "Machine with Oil": https://www.youtube.com/watch?v=__GhJl_UQg0

7
haliax 2 days ago 1 reply      
How are they creating a magnetic field that writes out the time? Is it a large grid of magnets or something more clever?
8
toothbrush 2 days ago 0 replies      
This paper (PDF) contains some more information on the design. http://isea2015.org/proceeding/submissions/ISEA2015_submissi...
9
Kiro 2 days ago 1 reply      
What will this cost in retail? I hope it isn't anywhere close to 7.500 euro.
10
startswithaj 2 days ago 4 replies      
Does anybody know where I can find other music similar to that of the video?
11
jvandonsel 1 day ago 1 reply      
Almost as good (and cheaper and longer lasting) would be a nice JS tool to render text in a "Ferrolic" font, with dripping, re-forming, etc.

Maybe this will be my next weekend project.

12
joshfraser 2 days ago 0 replies      
That video is the most mesmerizing thing I've watched in a while.
13
pronoiac 2 days ago 0 replies      
Things I want to see:

* the game of life

* someone blowing smoke rings

* Robert Patrick from Terminator 2

* maybe a waterfall

14
joshontheweb 1 day ago 1 reply      
If you have seen Ridley Scott's Prometheus, this might be a bit unsettling to have in your home. Last thing I need is a Xenomorph running around the house!
15
oori 2 days ago 0 replies      
24 pieces on pre-order at 7500
16
PSeitz 1 day ago 0 replies      
This first urge is to build an AI around this, because it seems to be alive. But it's too expensive as a gadget.
17
manibatra 1 day ago 0 replies      
Amazing! Loved how I felt an instant emotional connection with the product! Great product, great video!
18
fit2rule 2 days ago 0 replies      
This is brilliant .. a wonderful piece of artwork and technological whimsy in a way that playfully pushes the edge of display as an art-laden tool, and of course makes me wonder about the difficulties of emulating it in software, so that everyone can have one and so that the ferro-fluid part isn't necessary (runs out of magnet-juice, requires containment, is icky in real life, etc.)
19
amelius 2 days ago 1 reply      
I'd be interested if they made a clock out of this, somehow.
20
IshKebab 2 days ago 0 replies      
Nice to see someone has done this finally!
21
otis_inf 1 day ago 0 replies      
Modern day Lava Lamp. Very nice!
23
daveloyall 1 day ago 0 replies      
Shut up and take my money.
24
rezamoaiandin 2 days ago 0 replies      
25
drinchev 2 days ago 3 replies      
Ember.js 2.0 Released emberjs.com
372 points by makepanic  2 days ago   125 comments top 15
1
nercury 2 days ago 9 replies      
> If your app runs on Ember 1.13 without raising deprecations, it should run on 2.0.

Every framework should take note: that's how you avoid creating another framework and fragmenting community!

It's great to see this in action :). Amazing work.

2
lclemente 2 days ago 4 replies      
The file size (ember.min.js) went down due to the cleanup:

  1.13.8: 488K, 126K gzipped
  2.0.0:  424K, 110K gzipped

3
mrinterweb 1 day ago 1 reply      
One dependency that has been holding me back is ember list-view https://github.com/emberjs/list-view. List-view does not work with Ember 1.13 and does not work with 2.0 since it does not support the new Glimmer engine. In a post on the ember site http://emberjs.com/blog/2015/06/16/ember-project-at-2-0.html, they said "Starting with Ember 2.0, we will coordinate every release of Ember with releases of the main ecosystem tools maintained by the core team:" and list ember list-view as one of the main ecosystem tools. Without list-view, I can't upgrade my app past 1.12.

I guess the best thing would be for me to quit complaining and just fix list-view, I just haven't had time available. I suppose the same is true for the maintainers. Is it planned for ember list-view to still be treated as part of the main ecosystem and updated to work with 2.0 soon?

4
atonse 2 days ago 0 replies      
Congratulations to the Ember team! It's been a real pleasure upgrading each minor version with minimal headaches. I can't imagine making this process more simple; it's one of the main reasons I use Ember a lot (mature, well thought out moves like this).
5
richerlariviere 2 days ago 0 replies      
I'm amazed with that kind of release. Ember didn't do the same thing as Angular, CakePHP, Python, etc. That ensures that the documentation and all the Stack Overflow questions will stay relevant.
6
Dorian-Marie 2 days ago 1 reply      
  Doesn't add new features
  Remove all deprecated features

7
outside1234 1 day ago 0 replies      
Ember is a really a great project and miles ahead of its competitors - thanks so much for your hard work and congrats on the release!
8
joeevans1000 1 day ago 1 reply      
Ember is an interesting example of when an also-ran doesn't catch up in time. It was better than Angular, but React came along. This seems to be a pattern... something cool happens and then improved versions crop up, but by the time they get traction, the paradigm has shifted.
9
thejosh 2 days ago 3 replies      
So I wanted to try it out, being a nodejs newbie I tried:

sudo npm install -g ember-cli

And it gave me:

  $ ember -v
  version: 1.13.8
  Could not find watchman, falling back to NodeWatcher for file system events.
  Visit http://www.ember-cli.com/user-guide/#watchman for more info.
  node: 0.12.7
  npm: 2.13.4
  os: linux x64

Is cli still 1.x?

10
hknd 2 days ago 0 replies      
"Angle-Bracket Components and One-Way Data Flow" in the pipeline => Awesome!
11
imauld 2 days ago 2 replies      
Will I need to update ember-cli or will it automagically use Ember 2.0?
12
sparaker 2 days ago 0 replies      
I was waiting for this. Thanks a lot, keep up the good work. Can't wait to start using it in this new app that I have been trying to build for a while.
13
fokinsean 1 day ago 0 replies      
This is awesome! It is my dream that one day our team can move to ember from sproutcore...
14
hliyan 2 days ago 1 reply      
Where does Ember Data stand?
15
revskill 2 days ago 10 replies      
Brains Sweep Themselves Clean of Toxins During Sleep (2013) npr.org
412 points by Practicality  20 hours ago   176 comments top 24
1
roymurdock 18 hours ago 10 replies      
My friends and I were up late on a road trip once. We started to argue about how long it would take someone to die from lack of sleep.

Initially, I held the position that sleep was probably more important than eating food, and that you would die from sleep deprivation before you died from starvation. We looked it up, and learned about a disease called fatal familial insomnia. A mutated protein causes the onset of permanent insomnia, and there is no cure. It affects about 100 individuals worldwide. [1]

The average life expectancy of a patient is 18 months after the onset of symptoms. The first 9 months is a worsening case of insomnia, where the patient will experience paranoia, panic attacks, and hallucinations. Sleeping pills and barbiturates have been shown to worsen the clinical manifestations and hasten the onset of the disease. The individual then becomes completely unable to sleep, and will enter a state of dementia before becoming completely mute and unresponsive. This second state of permanent insomnia lasts for 9 months.

So ultimately, we learned that you can go for 9 months without sleeping before you die. I'm not sure at what point you'll suffer irreversible brain damage, but that was an interesting finding for me nonetheless.

[1] https://en.wikipedia.org/wiki/Fatal_familial_insomnia

2
david_shaw 20 hours ago 14 replies      
The engineer in me has to wonder: is this something we can synthesize?

If it were possible to induce this "dishwasher-like" surge of cerebrospinal fluid in the brain during waking hours, would we be able to live off of significantly less (or no) sleep?

I'm not saying that it's necessarily a good idea, but it would have a plethora of practical applications -- pilots, truckers, etc. would be able to stay awake in a healthful way, rather than by ingesting stimulants.

I've been interested in the science of sleep for a while -- I wrote a side project, http://sleepyti.me, that actually gets quite a bit of traffic -- but neuroscience is mostly lost on me.

3
roflmyeggo 13 hours ago 0 replies      
Yet another reason to get a good night's sleep.

Many of these metabolic degradation products (not just beta-amyloid) of neuronal cell activities should readily be cleared quickly and efficiently from the interstitial space of the brain due to the highly sensitive nature of neuronal cells to their environment.

Some negative effects documented from these byproducts include: negatively affecting synaptic transmission[1], decreasing cytosolic Ca2+ concentrations[2] (Ca2+ is one of the final players in triggering the release of neurotransmitters into the synapse between neurons to facilitate messages), and irreversible neuronal injury[3].

[1] - K. Parameshwaran, M. Dhanasekaran, V. Suppiramaniam, Amyloid beta peptides and glutamatergic synaptic dysregulation. Exp. Neurol. 210, 713 (2008)

[2] - K. V. Kuchibhotla, S. T. Goldman, C. R. Lattarulo, H. Y. Wu, B. T. Hyman, B. J. Bacskai, Abeta plaques lead to aberrant regulation of calcium homeostasis in vivo resulting in structural and functional disruption of neuronal networks. Neuron 59, 214-225 (2008)

[3] - M. P. Mattson, Calcium and neuronal injury in Alzheimer's disease. Contributions of beta-amyloid precursor protein mismetabolism, free radicals, and metabolic compromise. Ann. N. Y. Acad. Sci. 747, 50-76 (1994)

4
akilism 19 hours ago 0 replies      
I just read two really good neuroscience articles over on nautil.us. This stuff is super interesting.

http://nautil.us/issue/27/dark-matter/heres-why-your-brain-s...

http://nautil.us/issue/27/dark-matter/the-neurons-secret-par...

5
pizza 19 hours ago 4 replies      
I can't help but imagine that if this is the case then increased water intake (prior to bed or simply throughout the day) would help intercellular water flow. Anyone know anything about drinking water improving sleep quality? Or generally well-informed sources that describe which bodily processes improve when you drink more water?
6
omarchowdhury 20 hours ago 1 reply      
All is one; during sleep the undistracted soul is absorbed into this unity; in the waking state, being distracted, it distinguishes diverse beings. (Chuang Tzu)
7
alexholehouse 20 hours ago 0 replies      
Related discussion from a few weeks ago;

https://news.ycombinator.com/item?id=9895094

8
clumsysmurf 19 hours ago 0 replies      
It's possible that sleeping on your side allows the glymphatic pathway to clear waste more efficiently.

http://www.futurity.org/side-sleeping-brains-979872/

9
johndevor 18 hours ago 0 replies      
I'd be curious to know if anything similar happens during meditation.

I often feel just as refreshed from meditating briefly as I do from a quick nap.

10
tim333 16 hours ago 0 replies      
There's a nice gif on Wikipedia showing something like the fluid flow in question:

https://en.wikipedia.org/wiki/Cerebrospinal_fluid#Circulatio...

11
vlunkr 17 hours ago 0 replies      
It's fascinating to me that we still don't know why we sleep. We spend 1/3 of our lives in a self induced coma-like state and we aren't sure why, except that if you don't you start to go crazy. It will be interesting to see how this develops!
12
stdgy 19 hours ago 1 reply      
The brain continues to fascinate. I wonder how the brain acts while under anesthesia or induced to sleep through sleep aids? Is it different than naturally falling asleep?

More particularly, it sounds like brain cells (at least in mice) shrink during sleep and then enlarge during wakeful consciousness. That shrinking mechanism may play a role in the cerebrospinal fluid recycling/cleaning process, which itself may play a role in ridding the brain of harmful plaques. Does an Alzheimer's patient not show the same level of growth and shrinkage? Could forced sleep improve their outcomes? (i.e. could forced sleep lead to a more normal growth/shrink cycle?)

I am, unfortunately, ignorant on most of the medical science at play here. Any biologists, doctors or hobbyists have any thoughts?

13
rebootthesystem 15 hours ago 0 replies      
Many years ago, during a stupid-er time in my life, I stayed up three nights in a row.

I was working on a robotics paper to present at a conference. My first. It was a massive project and things had fallen behind schedule. With just three days left until I was supposed to be on a plane I had no choice but to work on the thing continuously and get it done.

It was a solid three days of writing code and building/testing boards. I got done and packed with a couple of hours to spare before having to go to the airport. For some reason I could not sleep on the flight from Los Angeles to Seattle.

Once I got to the room at the hotel I pretty much collapsed on the bed. My talk was scheduled for the next morning. I figured I could sleep a solid 12 hours and have a couple to get ready for the talk/presentation.

Somewhere in the middle of the night I woke up. I have no clue how long I slept up to that point. I had lost all sense of time. I went to the bathroom. And that's when the nightmare started.

I washed my face and almost immediately my ears started to buzz. It was something like a 1kHz sine wave. It started at a low level and got louder and louder. Scary.

At a certain point, my field of vision started to turn milky white. The tone got louder and all I could see was a bright white light engulfing my entire field of view.

I was blind and deaf and in the worst possible circumstances I could imagine.

I have no clue how long it all lasted. It felt like somewhere around 15 minutes. It could have been just thirty seconds but I had no sense of time and I was freaking out. All I could do was sit on the bathroom floor, hold on to something and think through the worst possible scenarios.

After what I guess was about fifteen minutes my vision started to slowly come back and the tone started to fade away. That must have taken another 5 to 15 minutes. I was drenched in sweat and scared like I had never been in my life. I've never done drugs or alcohol. I imagined this had to be like a grade-A drug addict overdose experience, or worse.

All I could do was go back to sleep after that. I was exhausted.

The next day I asked to have my talk re-scheduled and went to see a doctor. He told me I was an idiot and lucky not to have ended up in the ER with brain damage.

That was the last time I worked on anything overnight.

I know tech companies have a culture of working long hours to get things done. Be sure you are not killing yourself to crank out another 100 lines of meaningless code. The world can wait. And if your VCs don't understand you'd like to live a long and healthy life, well, fuck them.

14
brad3378 10 hours ago 1 reply      
I have a harder time controlling my appetite if I don't get enough sleep.

Could these toxins be related?

15
asciimo 18 hours ago 0 replies      
>If this proves to be true in humans as well...

Wake me up when they publish that paper.

16
cthyon 16 hours ago 0 replies      
Does anyone know if there is research about whether this at all impacts/plays a part in causing dreams?
17
lxfontes 18 hours ago 0 replies      
brain: longest garbage collection cycle ever
18
bjd2385 7 hours ago 0 replies      
This is fascinating!
19
jeffdavis 18 hours ago 0 replies      
So why does a lion need to sleep for 18 hours then?
20
carsongross 17 hours ago 1 reply      
21
pwagle 19 hours ago 0 replies      
Has anyone determined which stages of sleep this occurs?
22
rudolf0 17 hours ago 7 replies      
>In Guantanamo they kept prisoners awake 11 days

Somewhat off-topic, but how could anyone possibly argue this is not torture?

23
jws 19 hours ago 1 reply      
Perhaps you could make an infomercial selling a dietary supplement that cleanses your brain from toxins. Then with the money you earn from that you can fund an actual drug that really does it?
24
saalweachter 19 hours ago 3 replies      
Blinking Commits annharter.com
332 points by gurraman  1 day ago   96 comments top 30
1
svckr 1 day ago 1 reply      

 git commit -F <(curl https://raw.githubusercontent.com/thiderman/doge/master/doge/static/doge.txt) # [0]
Oh god do I feel bad about this. What have I done?

[0] https://github.com/thiderman/doge

2
0x0 1 day ago 1 reply      
Funny timing, with the recent "Terminal escape sequence XSS" post on oss-security in mind: http://www.openwall.com/lists/oss-security/2015/08/11/8
3
creshal 1 day ago 2 replies      
Regrettably (?), you can't use this to implement marquee.

But you can make your text black with a black background. Or re-order lines, which I suspect to be "fun" for git logs.

4
jamesdsadler 1 day ago 1 reply      
iTerm2 supports images in the terminal. May as well take this as far as it will go.

https://iterm2.com/images.html

Edit: even animated gifs

5
rurounijones 1 day ago 1 reply      
I actually quite like the idea of control codes in commit messages for internal teams where you can implement rules.

It could be useful for highlighting risky commits in red or other visual markers.

Would play merry hell with almost every other way of viewing commits though :D

6
thom_nic 1 day ago 0 replies      
Anyone know if an issue has been opened (or any relevant discussion on the dev list) on stripping escape sequences? It does seem like it could be harmful.
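The stripping thom_nic asks about is straightforward to do on the display side. The following is an added example (not code from the post, from git, or from any project discussed here) of a small Python sanitizer that a defender could use in a commit-msg hook or a log viewer: it removes complete ANSI escape sequences (CSI, OSC and two-byte ESC forms) and renders any leftover control byte visibly in caret notation, so a blink, a cursor-movement sequence or a stray BEL can never reach the terminal. The sample messages are constructed for the demonstration.

```python
import re

# Constructed sample commit messages: the blinking message from the post,
# a cursor-movement sequence that would rewrite the line above it in a
# terminal, a bare BEL (0x07), and a clean message.
SAMPLE_MESSAGES = [
    "\x1b[5m#UNDER CONSTRUCTION\x1b[0m",
    "fix: typo\x1b[2A\x1b[K(rewrites the line above)",
    "ping \x07",
    "docs: clarify README\n\nNo control characters here.\n",
]

# ANSI escape sequences, tried in this order at each ESC byte:
#   CSI:      ESC [ parameter bytes (0x30-0x3F) intermediates (0x20-0x2F) final (0x40-0x7E)
#   OSC:      ESC ] ... terminated by BEL or ST (ESC \)
#   two-byte: ESC followed by 0x40-0x5F (e.g. ESC c = reset; also a dangling ESC [)
ANSI_SEQ = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[@-_]"
)

# Every C0 control byte except TAB (0x09) and LF (0x0A), plus DEL (0x7F).
# CR (0x0D) is included on purpose: it can overwrite a line in a terminal.
C0_CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")


def strip_escape_sequences(text):
    """Remove complete ANSI escape sequences (CSI, OSC, two-byte ESC forms)."""
    return ANSI_SEQ.sub("", text)


def caret_escape(text):
    """Make any remaining control byte visible: ESC -> ^[, BEL -> ^G, DEL -> ^?."""
    return C0_CONTROL.sub(lambda m: "^" + chr(ord(m.group()) ^ 0x40), text)


def sanitize_commit_message(text):
    """Display-safe form: drop whole sequences first, then show stray control bytes."""
    return caret_escape(strip_escape_sequences(text))


def find_control_characters(text):
    """(offset, caret form) for each control byte in the raw message; [] means clean."""
    return [(m.start(), "^" + chr(ord(m.group()) ^ 0x40))
            for m in C0_CONTROL.finditer(text)]


def check_commit_message(text):
    """Policy a commit-msg hook could apply: accept only messages with no control
    bytes at all. Returns (accepted, sanitized_text) so a rejection can still be
    shown to the user safely."""
    findings = find_control_characters(text)
    return (not findings, sanitize_commit_message(text))


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        accepted, shown = check_commit_message(msg)
        print("OK    " if accepted else "REJECT", repr(shown))
```

Rejecting at commit time (the `check_commit_message` policy) keeps the repository history clean; sanitizing at display time (`sanitize_commit_message`) is the defence that still works for history you did not write, which is why a log viewer should do both steps rather than only stripping known sequences.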
7
tempodox 1 day ago 2 replies      
Has nothing to do with git, or committing, it just applies VT100 control codes that work anywhere in a compatible terminal.
8
catern 1 day ago 0 replies      
To insert a literal character (like the Escape entered in this post) in Emacs, use C-q.
9
GuiA 1 day ago 1 reply      
Of course, you can also use other escape codes to make your commits colored (e.g. [92m for green), underlined ([4m), etc.
10
Cthulhu_ 1 day ago 0 replies      
So, 1990's Geocities commits are now a thing again? ^[[5m#UNDER CONSTRUCTION^[[0m
11
nichochar 1 day ago 0 replies      
The writing style is clever and funny. You should keep writing!
12
dlss 1 day ago 0 replies      
I think this post just changed my position on censorship :p
13
cousin_it 1 day ago 0 replies      
Will it still work if I omit the closing bracket? Or put it in a different commit message, further down the page?
14
im3w1l 1 day ago 3 replies      
Haha, what a coincidence. Just the other day we discussed string special cases[0][1], to which I contributed ansi escapes. Unicode "fonts" seem to work in commit messages as well.

I think this is quite harmful, especially the character movement ansi escapes could be used for nefarious purposes.

[0] https://news.ycombinator.com/item?id=10035008

[1] https://github.com/minimaxir/big-list-of-naughty-strings/blo...

15
brillenfux 1 day ago 0 replies      
In the world of ANSI escape codes and terminal emulators things are never that easy.

Works for OS X apparently.

16
Perceptes 1 day ago 2 replies      
This works for me in OS X's built-in Terminal app, but not iTerm. Both report xterm-256color as $TERM, so I'm not sure what about iTerm is configured differently to prevent it from working there.
17
rmc 1 day ago 3 replies      
I wonder if GitHub do/will support this and parse it to HTML
18
stupejr 1 day ago 0 replies      
Didn't downvote but just a guess: nitpicking, not adding anything of value.
19
erikb 1 day ago 1 reply      
Doesn't work in my gnome-terminal. Looks like the commands get escaped by git somehow. Did anybody test it?
20
madaxe_again 1 day ago 1 reply      
Every time I use a control character, my mind strays back to CHR$141.

Although I do wonder what havoc you could wreak on hosted git services with cunning sequences of control characters. Smacks of injection.

21
forgotmypassw 1 day ago 0 replies      
First emojis, now blinking text, this has to stop.
22
imauld 1 day ago 1 reply      
You were more concerned with whether or not you could, you never stopped to think whether or not you should
23
mey 20 hours ago 0 replies      
All this talk about ASCII control codes and no one mentions 0x07 aka ?
24
belgianguy 1 day ago 0 replies      
Can you turn it off? I'd imagine a big project (e.g. Linux Kernel) could start to look like a Christmas tree...
25
ins0 1 day ago 1 reply      
ok now i need a spam filter for git log - everything is flashing like "look at my nice changes here!" :)
26
cranium 1 day ago 1 reply      
After the emoji, the blinking... Will git commits become like the 2000s web? :p
27
zamalek 1 day ago 1 reply      
We just need a marquee now.
28
tibbon 1 day ago 1 reply      
Surely, there is a way to do this in Sublime?
29
eldude 1 day ago 2 replies      
This is a really entertaining writing style: technical enlightenment through demonstration via humorous examples. For the lazy (and additional humorous demonstration), I wish he'd provided an example gif showing it in action (i.e., Github, terminal, Sourcetree, etc...).
30
DonHopkins 1 day ago 0 replies      
Who remembers when most of the blogs syndicating discussions about RSS all started blinking at once, when somebody posted an item whose title was "What happens when you put a <blink> tag into the title?"
Black Hat USA 2015: The full story of how that Jeep was hacked kaspersky.com
316 points by mzs  1 day ago   130 comments top 20
1
ChuckMcM 1 day ago 7 replies      
The sad thing for me, and I see this way too often, is that someone, somewhere, no doubt said "Of course it's secure, you can only READ the CANbus, the software doesn't even HAVE a write capability!" and everyone in the room nodded and went on with the rest of the review.

Manufacturers and engineers have to get it through their head that IF you can change the firmware ANYONE can change the firmware. If the firmware is SECURITY CRITICAL then the only way to change it can be through physical presence, loading encrypted and signed firmware, with external validation. (something like the car asking for a third party to authenticate the operation ala nuclear launch codes). You can still get screwed but it will be hard enough to do that otherwise low value targets will remain relatively safe.

2
NeutronBoy 1 day ago 4 replies      
You're sorely mistaken if you think Jeep is the only car manufacturer with this setup. I'd bet that most cars produced within the last few years don't have airgapped CANBus systems. By definition, any car with 'drive' settings you can adjust by the headunit console (suspension, sport modes, charging status, etc) is not airgapped. I mean, in a Tesla you have the option to change suspension settings based on location from a Google Maps -based GPS system. It also can drive itself from your garage to your front door based on meetings scheduled in your calendar.

We literally have the same information for any auto manufacturer that we have from Jeep - empty assurances that 'we design our cars with the utmost cyber-security protections, trust us'.

3
twrkit 1 day ago 0 replies      
Has there been a consensus reached on whether or not this could have been a factor in the death of Michael Hastings? [0]

[0] https://en.wikipedia.org/wiki/Michael_Hastings_(journalist)#...

4
mzs 1 day ago 2 replies      
Remote Exploitation of an Unaltered Passenger Vehicle

Dr. Charlie Miller

Chris Valasek

August 10, 2015

http://illmatics.com/Remote%20Car%20Hacking.pdf

5
stevecalifornia 1 day ago 3 replies      
A simple fix would be to allow me, the owner, to turn off the wifi device and the connection to Sprint. I am not using those features and don't wish to have them.
6
hmmmmmmmmm 1 day ago 1 reply      
Could this have happened in a Mercedes as well? http://www.occupy.com/article/exclusive-who-killed-michael-h...
7
sprite 1 day ago 1 reply      
This is the recall text from Jeep:

Safety Defect/Non Compliance Description and Safety Risk:

SOME 2013-2015 MY VEHICLES EQUIPPED WITH SPECIFIC RADIOS HAVE CERTAIN SOFTWARE SECURITY VULNERABILITIES WHICH COULD ALLOW UNAUTHORIZED THIRD-PARTY ACCESS TO SOME NETWORKED VEHICLE CONTROL SYSTEMS. A SUCCESSFUL EXPLOIT OF THIS SECURITY VULNERABILITY COULD RESULT IN UNAUTHORIZED REMOTE MODIFICATION AND CONTROL OF VEHICLE SYSTEMS. FCA US HAS NOT MADE A DETERMINATION THAT THIS SECURITY VULNERABILITY CONSTITUTES A DEFECT. ALTHOUGH FCA US HAS NOT DETERMINED THAT A DEFECT EXISTS, IT HAS DECIDED TO CONDUCT A REMEDIAL CAMPAIGN AS A SAFETY RECALL IN THE INTEREST OF PROTECTING ITS CUSTOMERS. EXPLOITATION OF THE SOFTWARE SECURITY VULNERABILITIES COULD LEAD TO EXPOSING THE DRIVER, THE VEHICLE OCCUPANTS OR ANY OTHER INDIVIDUAL OR VEHICLE WITH PROXIMITY TO THE AFFECTED VEHICLE TO A POTENTIAL RISK OF INJURY.

Repair Description:

CUSTOMERS AFFECTED BY THE RECALL WILL RECEIVE A USB DRIVE WHICH THEY MAY USE TO UPGRADE VEHICLE SOFTWARE, PROVIDING ADDITIONAL SECURITY FEATURES INDEPENDENT OF THE NETWORK-LEVEL MEASURES. ALTERNATELY, CUSTOMERS MAY VISIT HTTP://WWW.DRIVEUCONNECT.COM/SOFTWARE-UPDATE/ TO INPUT THEIR VEHICLE IDENTIFICATION NUMBERS (VINS) AND DETERMINE IF THEIR VEHICLES ARE INCLUDED IN THE RECALL. IF SO, THEY MAY DOWNLOAD THE SOFTWARE THEMSELVES, OR VISIT THEIR DEALERS, WHERE TECHNICIANS WILL PERFORM THE INSTALLATION. THERE IS NO CHARGE FOR THE SOFTWARE OR, IN THE CASE OF DEALER VISIT, INSTALLATION.

I'm getting a 404 on the update page [nevermind it's case sensitive and needs to be downcased]. Does anyone know if this update actually fixes the issue? From reading the exploit details it seems more like a systems design issue that can't easily be patched in software.

8
ImJasonH 1 day ago 2 replies      
Remote control of steering wheel, engine, brakes? Free OTA driverless car update!
9
retrogradeorbit 1 day ago 1 reply      
Vintage cars have never been more appealing!
10
jessaustin 1 day ago 1 reply      
From this point forward we should make very few assumptions about electronic systems.

I'll just leave these here: http://jalopnik.com/why-its-unlikely-someone-killed-michael-...

http://jalopnik.com/aols-story-about-terrorist-carhacking-is...

11
aembleton 1 day ago 1 reply      
I'm not so worried about hackers gaining access to change radio stations, but writing to the CANBus is concerning.

It sounds like the weak point in this was the ability to rewrite the firmware of the V850 controller. If that could somehow be signed then I'd feel safer.

12
wkcamp 1 day ago 0 replies      
I'm sure many engineers overlook the "guy who knows a guy" situation. The whole car itself is one giant system that works in unison; practically everything in that car IS connected. Which obviously means everything is accessible one way or another. Isolation is not really isolation as isolation more than likely depends on something.
13
antoinealb 18 hours ago 0 replies      
A lot of automotive manufacturers are migrating to FlexRay (https://en.wikipedia.org/wiki/FlexRay) and Ethernet so hopefully they will use the extra bandwidth to implement a bit more of message authentication to their protocol.
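The bandwidth point above is concrete: a classic CAN frame carries at most 8 data bytes, so any authentication tag and freshness counter have to be squeezed in beside the payload, while a 64-byte CAN FD or Ethernet frame can carry a full-length tag. The following added example (an illustrative scheme written for this page, not any manufacturer's or standard's design) shows a shared-key HMAC with a per-ID monotonic counter: the sender appends counter and truncated tag, the receiver verifies the tag with a constant-time compare and rejects replays. The key and frames are constructed; in a real bus the key would be provisioned per ECU and the CAN ID would travel in the arbitration field rather than in the data bytes.

```python
import hashlib
import hmac
import struct

# Constructed demo key; in a vehicle this is provisioned per ECU, never hard-coded.
DEMO_KEY = b"constructed-demo-key-not-a-real-vehicle-key"

CLASSIC_CAN_BYTES = 8    # CAN 2.0 data field
CAN_FD_BYTES = 64        # CAN FD data field
COUNTER_BYTES = 2        # 16-bit freshness counter, per CAN ID


def max_payload(frame_bytes, mac_len):
    """How many payload bytes are left once counter and tag are added."""
    return frame_bytes - COUNTER_BYTES - mac_len


def compute_tag(key, can_id, counter, payload, mac_len):
    """HMAC-SHA256 over (ID, counter, payload), truncated to mac_len bytes.
    Binding the CAN ID stops a tag from being replayed under another ID."""
    msg = struct.pack(">HH", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:mac_len]


class AuthSender:
    """Builds the data field: counter || payload || truncated tag."""

    def __init__(self, key, frame_bytes, mac_len):
        self.key, self.frame_bytes, self.mac_len = key, frame_bytes, mac_len
        self.counters = {}

    def frame(self, can_id, payload):
        if len(payload) > max_payload(self.frame_bytes, self.mac_len):
            raise ValueError("payload does not fit beside counter and tag")
        counter = self.counters.get(can_id, 0) + 1
        self.counters[can_id] = counter
        tag = compute_tag(self.key, can_id, counter, payload, self.mac_len)
        return struct.pack(">H", counter) + payload + tag


class AuthReceiver:
    """Verifies the tag first, then enforces a strictly increasing counter per ID."""

    def __init__(self, key, mac_len):
        self.key, self.mac_len = key, mac_len
        self.last_counter = {}

    def accept(self, can_id, data):
        counter = struct.unpack(">H", data[:COUNTER_BYTES])[0]
        payload = data[COUNTER_BYTES:-self.mac_len]
        tag = data[-self.mac_len:]
        expected = compute_tag(self.key, can_id, counter, payload, self.mac_len)
        if not hmac.compare_digest(tag, expected):
            return (False, "bad tag")
        if counter <= self.last_counter.get(can_id, 0):
            return (False, "replay")
        self.last_counter[can_id] = counter
        return (True, payload)


if __name__ == "__main__":
    # Classic CAN: 2-byte counter + 4-byte payload + 2-byte tag = 8 bytes.
    tx = AuthSender(DEMO_KEY, CLASSIC_CAN_BYTES, mac_len=2)
    rx = AuthReceiver(DEMO_KEY, mac_len=2)
    f = tx.frame(0x244, b"\x01\x02\x03\x04")
    print(len(f), rx.accept(0x244, f), rx.accept(0x244, f))
    # CAN FD: room for the full 32-byte tag and a larger payload.
    print(max_payload(CAN_FD_BYTES, 32))
```

The trade-off the example makes visible: on classic CAN a 2-byte tag leaves a 1-in-65536 chance per forged frame, so the counter and the rate at which the receiver tolerates failures matter as much as the tag; on CAN FD the full tag fits, which is what the extra bandwidth buys.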
14
lelandbatey 1 day ago 1 reply      
> This is the thing that all the manufacturers always refer back to when it comes to IT-security of cyber-physical systems: there is an isolation they say, the air gap between connected and physical parts of these systems.

> [the] multimedia systems controller itself can't communicate directly with CAN bus, it actually can communicate with another component which is connected to CAN bus, the V850 controller

That... that's not what an air gap is. Usually I'm forgiving about security that's fudged, since it's hard and marketing and higher-ups rarely understand. That's the entire point of an air gap: there isn't anything to understand, it's a physical disconnection. It's either plugged in or it's not.

When asked "is there an air gap", if the answer is no and you answer yes then you're lying in the most blatant and bare-faced way I can imagine. It's like saying "that car is four wheel drive" when it's only two wheel drive, or saying "that car has an 18 gallon tank" when it has a 7 gallon tank.

15
morsch 1 day ago 1 reply      
Employing this trick you can find all of Chrysler's cars equipped with this kind of head unit. Over a million of them were actually recalled by Fiat Chrysler. After that all you need is to choose the right one. Funny thing is that it's rather hard to do, it's much easier to hack all the Jeeps than the certain one, as the researchers say.

However, picking the wanted Jeep is doable as well, thanks to the option of the GPS tracker.

Better double check that you're not crashing another Jeep which is in the wrong place at the wrong time...

16
im3w1l 1 day ago 0 replies      
Software can not be trusted. It is too complicated and people get things wrong.

If something really needs to be be read only, enforce it with physical diodes or similar.

17
retrogradeorbit 1 day ago 2 replies      
If you can hack a car like this, what about a Boeing?
18
rndmind 1 day ago 0 replies      
I'm going to just ride my honda ruckus moped and forget buying a new car.
19
satyajeet23 1 day ago 0 replies      
Why would someone who knows how to use a computer want a Jeep?
20
joshu 1 day ago 1 reply      
Rust in 2016 rust-lang.org
352 points by aturon  23 hours ago   135 comments top 19
1
fpgaminer 21 hours ago 5 replies      
I had the opportunity to work with Rust >1.0 recently, implementing an image processing algorithm. Knowing that the compiler was looking out for me, a wingman of sorts, was quite the pleasant experience. When coding in C I have a very paranoid mentality, constantly questioning every line of code and its impact on program state/memory. It results in my C code being almost always free of memory related bugs, but the work is absolutely _exhausting_. Rust was great in this regard, dramatically reducing the amount of mental capacity expended while coding. Either the compiler would catch the bugs, or worst-case a run-time assert would catch it and point me directly to the problem.

The major criticism I came away with, due in part to the type of program I was coding, was for Rust's lack of implicit type casting (more specifically, widening). What I mean is, adding a u8 and a u16 is an error in Rust. Rust will refuse to implicitly cast the u8 to a u16. These situations came up very frequently while implementing my program because I had to do a lot of optimized, low-level math. The scattering of type casts throughout the program resulted in clutter without any obvious benefit.

When I looked into the problem, the arguments I saw against it were often explanations that Rust is meant to be explicit and non-magical. But Rust, for example, already has type inference which I classify as "magical". Implicit type widening is hardly magical. And I don't see how it would be confusing or result in bugs, as long as only safe widening is done implicitly.

I think those involved in the Rust project were just scared off from it because of C's bizarre implicit type casting rules which result in bugs for typical programmers. I can understand that, but it's not like it can't be done better in Rust. Besides, if Rust is meant to be a system programming language, won't math between differing types come up often? And wouldn't handling those cases gracefully be a boon to productiveness in Rust?

2
saosebastiao 22 hours ago 2 replies      
I would easily pay 3x the Xamarin price for a Xamarin-like platform for Rust. And I'm pretty sure I'm not alone.

It's the perfect language for a mobile platform, and I would love to use the zero-runtime-cost abstractions without resorting to the C++ hand-grenade roulette. The fact that it has an ML heritage, with all the goodies that entails (ADTs, pattern matching, type inference, etc), is even better.

3
endgame 22 hours ago 5 replies      
How is nobody talking about push-button cross-compilation? It could be huge! The only language that I'm aware of that does it at all well is C and that's because the only build tool that does it at all well is automake. But even then the library situation is very hit-and-miss. If rust nails this it's going to be awesome.
4
6d65 22 hours ago 1 reply      
Glad to see the language evolve.

It feels great, once one gets used to the borrow checker messages.

One thing that could make the language better (and was mentioned in the post) is faster compilation.

Having programmed in Go, this may be one of its best points, just have a watcher that recompiles the program on change (and maybe run the unit tests). Though it can be argued that not all types of programs benefit from such workflow, it's still one of my favorite things.

5
krat0sprakhar 22 hours ago 1 reply      
> And you can do so in contexts you might not have before, dropping down from languages like Ruby or Python, making your first foray into systems programming.

I guess I'm one of those programmers who is quite alienated from systems programming - probably due to my daily work in Python / JS. The Rust lang book is quite good (great job @steveklabnik et al) but from my past experience I've found it easier to stay committed to learning a new programming language when I have a project that I can work on.

Can someone suggest a few "getting started" but useful systems programming projects that I can use as a test bed for learning Rust?

6
gbersac 21 hours ago 1 reply      
When I read it, I think two things:

1- Great job. This is both innovative and powerful. Like the idea to test nightlies on every crate available on github. I am sure no other language does it.

2- So many features may be a little disappointing. Take specialization. It may be interesting, but I don't even understand what it is. And I am not a beginner anymore! Don't you fear that, by adding more and more features, rust will become like the language it is aiming to replace (c++): a huge mess of features?

That being said, I am definitely a rust enthusiast (I bought the book https://www.kickstarter.com/projects/1712125778/rust-program...). Carry on !

7
cpeterso 22 hours ago 1 reply      
How long does Crater take to compile all (2792!) crates in stock on crates.io? It ought to be embarrassingly parallelizable. Is there a dashboard page showing the Crater results for rust nightlies?
8
Animats 21 hours ago 2 replies      
If they add 'reuse' of old compilation intermediate results, the test for whether the source has changed should not be timestamp-based. That never works reliably, which is why "make clean; make" is so common. The source files must be compared by some cryptographic hash.
9
BonsaiDen 19 hours ago 0 replies      
For anyone interested in the talks from the recent RustCamp, the videos are now available: http://confreaks.tv/events/rustcamp2015
10
PudgePacket 9 hours ago 0 replies      
"We plan to extend the compiler to permit deeper integration with IDEs and other tools; the plan is to focus initially on two IDEs, and then grow from there."

Any ideas which IDEs will be chosen?

11
nnethercote 8 hours ago 0 replies      
> Rust's greatest potential is to unlock a new generation of systems programmers. And that's not just because of the language; it's just as much because of a community culture that says "Don't know the difference between the stack and the heap? Don't worry, Rust is a great way to learn about it, and I'd love to show you how."

Wonderful stuff.

12
drewm1980 6 hours ago 1 reply      
Are compiler features to support writing something like libeigen still on the roadmap? rust is IMHO a bit of a non-starter for many engineering fields until it has a really good story for array math.
13
khyryk 22 hours ago 2 replies      
Certainly looking forward to the borrow checker improvements as it's quite tedious to work around the match borrowing problem.
14
digitalzombie 21 hours ago 3 replies      
They should put having technical books on Rust as a goal.

I learn via technical books btw.

Does anybody know if there's a rust book coming out?

I mean Julia is having a book from Manning and they're not even version 1.

15
jhasse 23 hours ago 1 reply      
Sounds wonderful! I especially can't wait for incremental compilation. I can't understand how others do any work without it.
16
grayrest 22 hours ago 2 replies      
Is there an RFC or thread covering the IDE integration plans?
17
joliv 22 hours ago 0 replies      
Aaron Turon and Niko Matsakis gave a talk on this for their Rust Camp keynote, you can see slides on it here if you prefer that format:

http://rustcamp.com/schedule.html

18
coldcode 21 hours ago 0 replies      
It will be interesting to see Rust and Swift evolve as Swift moves to the server side (at least on Linux). Both are modern languages although each has its own target users.
19
jebblue 22 hours ago 2 replies      
Samsung unveils 2.5-inch 16TB SSD arstechnica.com
286 points by twsted  2 days ago   162 comments top 14
1
jaawn 1 day ago 7 replies      
Every piece of storage news I've seen for the past year or two reinforces my opinion that there is a great deal of price-fixing happening in the consumer storage market. The price trend of 2TB HDDs, for example, just does not make sense.

When I see that a company can now create SSDs with ~16x more capacity than the best consumer option, I feel like something fishy is going on that is artificially slowing the pace of larger capacity drives making it into the hands of consumers at a reasonable price.

2
jtchang 1 day ago 4 replies      
Holy that is a lot of storage in a very small amount of space. Besides the fact that I want one right now I am starting to wonder how much heat this will generate.

A lot of 1 unit rack servers can fit about 8 2.5" drives. 128TB of storage in 1U is pretty crazy storage density.

Every time they reveal a larger capacity drive I just wonder what the backup strategy is going to be. Longer tapes?

3
HorizonXP 1 day ago 2 replies      
I'm reading the Innovator's Dilemma right now, and I just finished the chapter about the storage industry. The author draws the conclusion that solid-state drives may eventually move upmarket from cash registers and embedded applications to PCs and such.

Having seen the move from 5.25" HDDs to 3.5" HDDs, then the move from desktops to laptops, and now seeing SSDs becoming extremely common in laptops, tablets, and phones, I have to believe that the author predicted the future when he wrote the book.

Since PC sales have dropped, people are not buying as many HDDs, and buying more SSDs, usually indirectly. Cloud infrastructure has likely gobbled up the existing HDD supply.

But even there, SSDs are preferred for many applications, such as databases, since they're faster overall, storage limitations be damned.

And now we're seeing the first SSD that has a capacity greater than HDDs, in a similar sized package. And no current HDD company has an SSD offering worth mentioning.

It's disruption happening right before our eyes. History seems to repeat itself all too often!

4
intrasight 1 day ago 1 reply      
A version of Moore's Law seems to apply to storage, which is very much a good thing. The first IBM Winchester I used cost a couple years' salary and stored 30MB on 14" platters. The next I used was an 8" ~150MB and only cost a couple months' salary. Forward 30 years and I can buy a 500GB drive the size of a stick of gum for a couple hours' salary. 30 more years? Can't wait to see. I assume I will eat the stick of gum and by doing so know everything in the Library of Congress.
5
IanDrake 1 day ago 5 replies      
Can someone explain to me why SSDs still cost more than HDDs?

When I look at all the moving parts in an HDD, I'm shocked they can still be produced for less.

6
MaysonL 1 day ago 2 replies      
The really amazing thing is one of their other announcements [0]:

Samsung has designed the PM1725 to cater towards next-generation enterprise storage market. This new half-height, half-length card-type NVMe SSD offers high-performance data transmission in 3.2TB or 6.4TB storage capacities. The new NVMe card is quoted with random read speed of up to 1,000,000 IOPS and random writes up to 120,000 IOPS. In addition, sequential reads can reach up to an impressive 5,500MB/s with sequential writes up to 1,800MB/s. The 6.4TB PM1725 also features five DWPDs for five years, which is a total writing of 32TBs per day during that timeframe.

[0] http://www.storagereview.com/samsung_announces_tcooptimized_...

7
ChuckMcM 1 day ago 0 replies      
Interesting given the reliability news Facebook posted on their SSDs. With a 5x10^11 UBER you could not even read all the sectors on a 16TB disk reliably. Something I'll be looking at when I get my hands on one.
8
markhahn 1 day ago 2 replies      
what's that in stationwagons full of LTO6 tapes?
9
AlexEatsKittens 1 day ago 1 reply      
I'm slightly surprised by the numbers given for IOps. The example they give is 48 drives giving 2MM IOps:

2,000,000 / 48 = 41,666.66 IOps

45k IOps for 16TB limits its use cases a bit. I don't know enough about storage to make an educated guess, but anyone know what the constraint there might be? Aren't there controllers that can do 1MM IOPS on single EFDs? 45k is still a ton of operations, but I expected more somehow.

10
Gladdyu 1 day ago 1 reply      
I wonder how this will compare to Intel's 3D NAND flash chips (http://www.ipwatchdog.com/2015/08/12/intel-micron-develop-3d...). Some competition on similar technologies is never wrong!
11
riobard 1 day ago 3 replies      
Am I right to assume that NAND flash has higher storage density than magnetic disks? I've been trying to find some definitive data about this but failed so far. I'd really appreciate if someone can point me the right direction to search.
12
vegabook 1 day ago 2 replies      
Moore's law is passing the baton from GHz to the storage stack. Whereas you once had a simple RAM + HD setup, you now have a teamworking hierarchy of storage technologies: Cache / 3d stacked mem / DRAM / X-point / SSD / HD. Each one of these is behaving just like GHz did: doubling in speed/capacity every 18 months. Given that this is where the performance bottleneck has been, we're looking good on exponential performance upside for a long time to come if we extrapolate the recent trend. Excellent.
13
logicallee 1 day ago 3 replies      
if they really wanted to make waves they would unveil the world's fastest AND the world's largest hard-drive, two in one, with an onboard battery and hybrid 64, 128, or 256 GB of RAM (not SSD) in 2x, 4x, or 8x 32gig dimms exposed as a physical Drive, costing +/- $800, $1600, and $3200 respectively, in addition to the 16 TB second physical drive, all integrated in one package so you can't disconnect the battery and nuke your lightning-fast drive without being extremely aware that you're doing so.

The hard drives would have ironclad firmware that keeps the RAM refreshed until its battery goes down to 15% (or whatever the conservative 10 minutes of power is), at which point it takes the ten minutes to dump the contents of that RAM to SSD, and reverts to having that drive also be SSD until the power is reconnected long enough to charge battery back up to 80%. Then it reads it back into RAM and continues as a Lightning Fast 64 GB + Very fast 16 TB drive.

You would store your operating system on the lightning-fast drive.

The absolute nightmare failure state isn't even that bad, as even though the RAM drive should be as ironclad as SSD, in case it ever should lose power unexpectedly through someone opening the device and disconnecting the battery or something, it can still periodically be backed up, so that if you pick up the short end of six sigma, you can just revert to reading the drive from SSD rather than RAM and lose, say, at most 1 day of work.

thoughts? I bet a lot of people would be happy to pay an extra $800 to have their boot media operate at DIMM speed, as long as the non-leaky abstraction is that it is a physical hard drive, and the engineering holds up to this standard.

There is a lot of software out there that is very conservative about when it considers data to be fully written - it would be quite a hack for Samsung to hack that abstraction by doing six or seven sigma availability on a ramdrive with battery and onboard ssd to dump to.

14
ck2 1 day ago 0 replies      
VW Has Spent Two Years Trying to Hide a Big Security Flaw bloomberg.com
296 points by Sami_Lehtinen  1 day ago   211 comments top 30
1
coldpie 1 day ago 5 replies      
To anyone with any background at all in computer security, this is such a "duh" moment. If Sony et al can't secure their massively important corporate infrastructure, what are the odds your car's wireless computers are secure in any way? They aren't, they knew it, and you knew it. Sorry.

It'll be interesting to watch the fallout from these obviously-present vulnerabilities. I see three possible outcomes, in decreasing order of likelihood: status quo, where they just "fix" the bugs as they hit the news; some sort of massive push towards real computer security, in this and other industries; or a massive reduction in features to avoid the flaws.

This is really just another symptom of the current state of computer security, best described as "a joke." My guess is in 50 years we'll have decent computer security. There's nothing that precludes it in theory. But it's going to be an ugly, ugly couple of decades while we pay off the wave of computer-security-debt that we have been riding.

2
toyg 22 hours ago 3 replies      
I have a Passat from late 2013 -- it cannot be remotely started but doors are keyless. Twice in the last 16 months, somebody rummaged through it overnight, without breaking anything. We religiously close the car every night, especially after the first occurrence, but still it happened again. After it happened to my next-door neighbor's 2013 Golf as well, I reported it to VW and they never even bothered getting back to me.

I'm not surprised in the slightest, I think this sort of news will keep popping up all over the place and manufacturers will keep trying hard to suppress it. We know it will never end: good crypto is hard and inconvenient, so it's unlikely that car manufacturers will ever implement it properly. Bad guys get all the info they need, eventually, so it's just a matter of time before any digital lock is broken.

3
rwmj 1 day ago 1 reply      
The "new" (actually 2 years old) thing is the UK courts granting injunctions preventing the publication of security research from a well known UK university. WTF.

http://www.theguardian.com/technology/2013/jul/30/car-hackin...

4
usrusr 23 hours ago 1 reply      
So the immobilizer does not immobilize as much as expected/hoped. While that sure isn't something the manufacturer should be proud of, it is hardly a really critical problem, nowhere close to "stop driving until resolved". Immobilizers may have lowered car theft before, but never fully stopped it. The incentive situation for thieves has shifted a bit, that's all, a gradual change, not a 180 degree bit flip.

The bigger mistake than sourcing imperfect components is the attempted cover-up and I am positively surprised that this is even reflected in the headline. (at least theoretically: the first glance takeaway message for this story will always be "security hole in car!", no matter how much the author tries to put the cover-up in focus)

5
JamesBaxter 1 day ago 2 replies      
So has VW taken advantage of the time given to them by the courts to release fixed transponders in new vehicles and slowly replace the current defective ones as part of a routine service?

Otherwise they've just delayed the information getting out which seems pointless?

6
altharaz 1 day ago 5 replies      
"There's no quick fix for the problem - the RFID chips in the keys and transponders inside the cars must be replaced, incurring significant labor costs."

What a nightmare. Car manufacturers have to design more resilient systems.

Based on the difficulty of securing hardware systems after deployment, they will for sure be trying to put more and more features on the software side.

If so, they will also have to think about a quick way to deploy security fixes remotely. One way could be working with connectivity solutions for Embedded Systems (e.g. SigFox).

7
ibejoeb 23 hours ago 1 reply      
If I read this correctly, the vulnerable vehicles are not really left in a worse state because of this defect. If they did not have cryptographic electronic start, they'd simply be vulnerable to old-fashioned hotwiring. I could be wrong, as I haven't been in a recent model, but I assume there is still a physical steering column lock that needs to be disabled, no?
8
DIVx0 1 day ago 2 replies      
Besides locking your car into a garage, is there anything a VW owner can do to make it more difficult for these types of thefts to occur?
9
le_clochard 22 hours ago 0 replies      
These recurring events (of auto makers exposed for not owning up to faults) remind me of the Fight Club description of the recall formula.
10
bro-stick 15 hours ago 0 replies      
Off topic but a point about the persistence of cults around unreliable vehicles:

<rant>As the owner of a 1985 Westfalia, I have nothing but contempt for the inconsistent and poor engineering of this beast. Even with the factory Digijet pro training materials and factory service manual and several mechanics later, this thing still won't idle right when cold or warm. I systematically went through each system (fuel, air, electrical, mechanical, vacuum) individually and triple-checked per procedures and looked at general stuff like grounds and wiring too. Maybe the community factor is akin to Mini Cooper owners: ostensible value built on hazing by ostentatious, expensive repairs due to substandard engineering. Sure VW has/had the hippie thing too, perhaps also due to them being difficult/expensive to maintain or being less powerful.</rant>

I'm grateful though the beastie doesn't have OBDII or keyless entry. (Like most German vehicles of this vintage, the drivers' side door doesn't lock without the key to avoid locking oneself out.)

11
sarahprobono 1 day ago 8 replies      
So what manufacturers do seem to care about security? If I wanted to buy a car made in the last few years, who is least likely to be cracked?
12
cblock811 20 hours ago 1 reply      
Articles like this make me love my 2000 Subaru even more. I'm gonna hate getting a newer car one day, but maybe by then manufacturers will better secure their cars.
13
wepple 9 hours ago 0 replies      
paper: https://www.usenix.org/sites/default/files/sec15_supplement....

"The transponder uses a 96-bit secret key and a proprietary cipher in order to authenticate to the vehicle."

not sure there's anything more you need to know than "rolled their own crypto"

14
genericuser 19 hours ago 1 reply      
So why were the researchers willing to publish a redacted version now, but were not willing to publish the redacted version 3 years ago when they were researching the issue?

I am actually curious because this is the only part of this whole thing that does not make sense to me. Even if I disagree with Volkswagen's decision to not notify existing owners that there was a vulnerability known or eventually provide them with a fix, the decision at least makes sense because it probably was deemed more profitable for VW.

"The scientists wanted to publish their paper at the well-respected Usenix Security Symposium in Washington DC in August, but the court has imposed an interim injunction. Volkswagen had asked the scientists to publish a redacted version of their paper Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobiliser without the codes, but they declined."

http://www.theguardian.com/technology/2013/jul/26/scientist-...

15
Havoc 12 hours ago 0 replies      
Honestly I'm not really bothered about the whole "hacking cars" thing. I've spent enough years in dangerous countries that this seems like a non-issue.

I do object to car companies knowing about a safety issue & keeping quiet due to it being "cheaper" to accept a couple of deaths than fix it. That kind of thing should be punished with eye watering fines in my view - not to save those 12 lives but to put the message out there that car companies need to get it right instead of playing the odds.

16
acd 19 hours ago 0 replies      
For an analogy: you can look inside a car engine, take it apart and verify its components. But if you take a look inside the software and take it apart, you are suddenly potentially breaking license agreements. These agreements violate free speech: if you find something, you may not tell others about it, or you risk getting sued.
17
marze 20 hours ago 0 replies      
Is it just me, or is the peak of stupidity in this episode the fact that the car will verify/reject a few hundred thousand passwords in 30 minutes?

Shouldn't that be security 101, limiting the rate to a couple per minute, max? Why allow such brute force attacks in the first place?

EDIT:

Or in other words, why is the phrase "brute force password attack" still even heard in 2015?
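
An added example to put numbers on the point above (this is not code from the thread, from VW or from the Megamos paper, and it does not model the real immobiliser protocol). It assumes a hypothetical verifier that answers accept/deny for each submitted key, an assumed 10 ms per challenge/response round trip, a 1 s base delay doubling per consecutive failure and a 5 minute cap, all on a simulated millisecond clock so the run is deterministic. It compares how many guesses an attacker gets the verifier to actually evaluate in 30 minutes with and without the backoff.

```python
"""Added example: how much verifier-side backoff shrinks an online brute-force attack.

Hypothetical model, not the Megamos/VW protocol: a verifier answers one
candidate key at a time; time is a simulated integer millisecond clock.
"""
from dataclasses import dataclass

WINDOW_MS = 30 * 60 * 1000   # the 30-minute window mentioned in the comment
ATTEMPT_MS = 10              # assumed cost of one challenge/response round trip


@dataclass
class BackoffVerifier:
    """Verifier that ignores every attempt while a post-failure delay is active.

    Each consecutive failure doubles the delay, capped at max_delay_ms.
    A success clears the failure counter. All parameters are assumptions.
    """
    base_delay_ms: int = 1_000
    max_delay_ms: int = 300_000
    failures: int = 0
    locked_until_ms: int = 0

    def verify(self, now_ms, candidate, secret):
        """Return 'ignored', 'accepted' or 'denied' for one attempt at now_ms."""
        if now_ms < self.locked_until_ms:
            return "ignored"        # not evaluated, so it leaks nothing about secret
        if candidate == secret:
            self.failures = 0
            return "accepted"
        self.failures += 1
        delay = min(self.base_delay_ms << (self.failures - 1), self.max_delay_ms)
        self.locked_until_ms = now_ms + delay
        return "denied"


def guesses_evaluated(verifier, secret, window_ms=WINDOW_MS, attempt_ms=ATTEMPT_MS):
    """Count the guesses the verifier actually evaluates inside window_ms.

    The attacker enumerates candidates 0, 1, 2, ... and keeps submitting as
    fast as the link allows; it only moves to the next candidate once the
    current one has been evaluated and denied. verifier=None models an
    oracle with no throttling at all.
    """
    now_ms = 0
    evaluated = 0
    candidate = 0
    while now_ms < window_ms:
        if verifier is None:
            result = "accepted" if candidate == secret else "denied"
        else:
            result = verifier.verify(now_ms, candidate, secret)
        if result != "ignored":
            evaluated += 1
            if result == "accepted":
                break
            candidate += 1
        now_ms += attempt_ms
    return evaluated


if __name__ == "__main__":
    secret = 1 << 40   # assumed: far outside anything enumerable in the window
    print(f"unthrottled oracle:  {guesses_evaluated(None, secret)} guesses evaluated in 30 min")
    print(f"exponential backoff: {guesses_evaluated(BackoffVerifier(), secret)} guesses evaluated in 30 min")
```

Under these assumptions the unthrottled oracle evaluates 180,000 guesses in the half hour and the backoff verifier evaluates 14. The caveat a designer has to weigh is in the `"ignored"` branch: while the delay is active the genuine key is ignored too, so anyone within radio range who feeds the verifier garbage can deny the legitimate owner, which is why the cap is bounded rather than a permanent lockout. Throttling also only limits online guessing; it does nothing against an attacker who records traffic and works on it offline, so it complements a sound key size and cipher rather than replacing them.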

18
JoachimS 10 hours ago 0 replies      
The question I have is what VW did after receiving the injunction? Did they work with their customers for the last two years to fix the vulnerability? Or was the injunction their solution by itself?

If it was the latter case, somebody should really serve them a class action suit. Security by gag is not helping the end customer.

19
jshelly 1 day ago 2 replies      
In VW's defence it sounds like they just sourced the parts from Megamos who is ultimately responsible for the flaw
20
tempestn 17 hours ago 0 replies      
FTA:

"There's no quick fix for the problem - the RFID chips in the keys and transponders inside the cars must be replaced, incurring significant labor costs."..."A VW spokesman responded: 'Volkswagen maintains its electronic as well as mechanical security measures technologically up-to-date and also offers innovative technologies in this sector.'"

Since they haven't recalled the vehicles and replaced the chips, that would be... not precisely true?

21
_nedR 21 hours ago 1 reply      
22
devy 23 hours ago 0 replies      
There was a talk about the paper of breaking Megamos crypto in 2013. https://www.youtube.com/watch?v=R_8eYSJlWic
23
known 7 hours ago 0 replies      
Closed source software does the same;
24
circa 23 hours ago 1 reply      
Happy to see the GTI not listed on there but why would that be any different from the other models? You think they would use the same across the board.
25
x0054 13 hours ago 0 replies      
Why on earth are they using 96-bit cryptography in 2012?
26
probablyfiction 18 hours ago 0 replies      
96-bit keys??? Even in 2012 when VW released the feature, 96 bits was laughably weak.
27
callesgg 1 day ago 1 reply      
My question is if VW has switched the affected stuff in newer models since they found out about the issues?
28
davidgerard 1 day ago 1 reply      
ITT: nobody so far advocating "responsible disclosure", because this is the sort of vendor abusiveness that made "full disclosure" clearly a good idea, and an essential protection for the interests of the end user.

The Internet of Things will recapitulate all the painful experience of how this stuff works out that we just spent twenty years getting sorted out in the software field.

29
porsupah 23 hours ago 0 replies      
The Thai finance minister, apparently:

http://www.smh.com.au/articles/2003/05/13/1052591776195.html

"Suchart said he was on his way to give a speech to central bank officials from 17 countries when his ministry-assigned BMW car stalled on a road, not far from his house.

The engine stopped, the air conditioning shut down, the doors got locked and the windows wouldn't roll down, he said, adding that he was trapped for about 10 minutes.

"We couldn't breathe because there was no air," he said.

Suchart and his driver waved at passers-by to draw attention to their plight, but it took a while to make them understand that they wanted the windows smashed.

Finally, a guard of a nearby building came to their rescue with a sledgehammer and broke a window. Suchart then climbed out of the car through the hole."

30
larrys 23 hours ago 1 reply      
Every 30 minutes Windows 10 sends all typed text to Microsoft translate.google.com
299 points by cantrevealname  2 days ago   209 comments top 20
1
czechdeveloper 2 days ago 3 replies      
About the information source: Aeronet.cz is a known Russian propaganda website in Czech. Nothing close to a credible source. I don't judge the content, but this should be noted.

Just try

https://translate.google.com/translate?sl=auto&tl=en&js=y&pr...

2
Beltiras 2 days ago 8 replies      
It's in the privacy policy. I didn't believe what I was reading. Windows 10 is unusable for anyone handling any sensitive data. Think doctors, psychologists, anyone under an NDA.

https://www.microsoft.com/en-us/privacystatement/default.asp...

3
knowaveragejoe 2 days ago 1 reply      
Analysis here:

http://localghost.org/posts/a-traffic-analysis-of-windows-10

Doesn't look like the original source of the info is very trustworthy, will need other people to verify this.

4
guardian5x 2 days ago 0 replies      
Is there any other reliable source for this? Extraordinary claims require extraordinary evidence. Having a keylogger in the system by default sounds like a move that would exclude MS from competing in any businesses in the future. A move that seems illogical. So it would be nice to back that story up with some more information.
5
signal11 2 days ago 0 replies      
I don't have a Windows 10 box near me but I remember an option to send typing data back to Microsoft, which I switched off. I see they have a short FAQ about it too: http://windows.microsoft.com/en-us/windows-10/speech-inking-...

"Go to Start, then select Settings > Privacy > General, and then turn 'Send Microsoft info about how I write to help us improve typing and writing in the future' on or off."

Does anyone know if this stops Windows 10 from sending typing data across?

6
llama052 2 days ago 7 replies      
What is it lately with Windows 10 privacy issues blowing up on Hacker News since Windows 10 came out? I know most of you guys are Apple/Linux guys (I myself love Linux like the rest of you) but come on, Apple does this, your smartphone does this, most services you use do this. Just getting tired of the big bad M$ hate bandwagon. This isn't even a credible article and people are already going off about it. This is no different from Yosemite, which logs your location and the searches that you make with Spotlight and Safari. Yet I don't recall seeing articles constantly on the front page about that? Seems a little biased to me.

NOTE: Not that I condone what Microsoft is doing, just a little hypocritical to think that big bad Microsoft is doing anything new in the industry, especially when the products you guys are talking about jumping ship to, have the same problems. This is nothing new

7
dothis 2 days ago 0 replies      
I don't want the OS to talk to anywhere except for a clearly defined, lean, verifiable process that fetches security updates.

That's why I use Debian. And hope they do the right thing.

8
wtbob 2 days ago 2 replies      
I wonder if Microsoft also send typed-in passwords to themselves.
9
splitbrain 2 days ago 1 reply      
However this will turn out (for now it looks like the source is not very trustworthy), I wonder if there's a small little tool you can install on a fresh Windows 10 that will let you disable all the various privacy related settings in one screen. Just a list of checkboxes with short descriptions of the setting and what feature you will lose when disabling it.
10
amelius 2 days ago 1 reply      
When using Google Docs, the same thing happens :)

It is just part of the new trend, that everything runs in the cloud somehow.

11
chris_wot 2 days ago 0 replies      
What is with these privacy violations? Lenovo just got caught out installing a BIOS rootkit on a wide range of laptops [0], now Microsoft is phoning home?

0. https://news.ycombinator.com/item?id=10053419

12
mahouse 2 days ago 5 replies      
Off-topic, and please believe me I'm not trying to start a flame war, but I'm really concerned about this and I think it could be time to switch -- is OS X any better in this regard? I had heard it has been phoning Apple since forever. (I'm not going to consider Linux for a desktop)
13
steeples 2 days ago 3 replies      
14
steeples 2 days ago 1 reply      
Wait...what?

`oca.telemetry.microsoft.com.NSAtc.net`

15
jand 2 days ago 0 replies      
Just in case anybody wants to know:

If you want a Windows 10 without Cortana, simply disable the sound card during installation (BIOS or physically).

This is not a solution, but a workaround for those having no other choice. Tested with Windows 10 Pro N.

16
adam12 2 days ago 0 replies      
I guess we won't be seeing any more of those Scroogled ads.
17
beauzero 1 day ago 0 replies      
...and I just watched Kingsman the other day too. I don't need this crap.
18
arca_vorago 2 days ago 0 replies      
First of all, as others have said, this source may be slightly dubious, but I have seen a handful of similar sources saying similar things, though I have yet to see an extensive reverse engineering effort. For the time being though, because of the variety of similar reports and side effects, I am considering Windows 10 a surveillance-state-approved operating system.

For example, in another HN submission where someone posted a tool to delete/disable tracking services and add IP lists to the hosts file, a user has reported startup errors. To me this indicates Windows 10 is trying to communicate even during boot without the user's knowledge! That's a big deal in my book... I don't know about y'all.

The one reason I have suffered the slings and arrows of Windows so long is for gaming purposes, more recently because I wanted to release my hobby side-project, a game in Unreal Engine 4, on Windows and so I have kept one of my computers on Windows 8.1.

Last night that machine was compromised, and despite my fairly extensive malware fighting abilities, I couldn't get rid of it. That means a complete wipe and only moving data over that I must have, and not trusting that data, not to mention never trusting the HDD again (going to have to throw it away). I also question my bios, so I'll need to flash bios too.

I run three main computers, Windows on a Asus laptop, OSX on a Mac Air, and Linux/DragonFlyBSD dual boot on a Macbook Pro 2014. I think Windows 10 just might be the excuse I need to push myself completely away from the MS ecosystem. I've been talking about it for years, but the power of their tie-in is not to be trifled with.

I also fear for the state of Linux in the same way though. At >10 million lines of kernel code, I think the many eyes theory has a weakness, namely that complex and huge codebases are antithetical to the many eyes theory working. That's why I personally think the future of computing will be in code simplicity and paring down existing codebases. A good example of a try at this is Minix 3. <10k LOC (of course it lacks many features).

That's also why, even though I'm a huge GPL/GNU guy, I am increasingly leaning towards the top-down ecosystem of the BSDs.

I think there are a lot of fundamental issues in personal computing that many of us just ignore and don't want to discuss because the implications of the conclusions could be uncomfortable. I think it's time for those of us who are considered power users to start having these difficult discussions more often and in more public ways.

19
systemz 2 days ago 1 reply      
20
CmonDev 2 days ago 4 replies      
The US digital service samaltman.com
306 points by S4M  23 hours ago   272 comments top 34
1
ritchiea 21 hours ago 7 replies      
I really wanted to work for the digital service and my experience applying was horrendous. The recruiter scheduled an appointment to call me and didn't at the scheduled time. She followed up weeks later and I finally got my phone screen. Phone interview went well, she said we would schedule another interview. The followup from her didn't happen until another month later. Then I had a technical interview where the interviewer talked over me and asked whether I would use a list or an array for a particular data structure, to which I replied I use Ruby & Python so I don't know what you're asking because it would be a question of semantics, to which he finally clarified he meant a linked list and chided me for not "knowing the difference between the properties of a linked list and an array." How can you expect me to know the difference between two data structures if you're using unclear shorthand to refer to one of them? And the interviewer was an ex-Google engineer so I imagine he had some familiarity with Python (where a "List" is what many languages refer to as an array) since it's an official Google language.

And then of course I didn't get the job (and no feedback on why). The whole thing was maddening, took 3 months total just to get railroaded by an aggressive and imprecise technical interviewer. It sounds like great work though, wish them the best of luck. Wish I could work on their projects.

2
rasmi 22 hours ago 3 replies      
Also check out 18F [1], which focuses on pushing forward how tech and the government work together. They run a 12-month Presidential Innovation Fellows program [2] which works more intensely on innovating with specific groups within the federal government. USDS is more focused on modernizing and ensuring some basic technical functionality of a lot of the core aspects of the government (which is incredibly important and impactful, but is less about innovation -- see a comparison here [3]).

[1] https://18f.gsa.gov/

[2] https://www.whitehouse.gov/innovationfellows

[3] http://ben.balter.com/2015/04/22/the-difference-between-18f-...

3
paulsmith 19 hours ago 5 replies      
At the risk of being self-promotional, there's another part of the rebel alliance of which USDS and 18F are the main players, and that is better technology contractors. ("Better" meaning engineering practices and outcomes that the audience of this site would recognize.) There's Nava, and the company I co-founded, Ad Hoc. Greg and I were on the original HealthCare.gov rescue squad with Mikey et al. We're still working on HealthCare.gov, but instead of helping to prop up the bad old code (which was necessary work to save the site and help actual people), we're rebuilding parts of the site from scratch, using things like Go, AWS, Angular. During the last open enrollment period over the winter, our code (healthcare.gov/see-plans/) had 100% uptime, served ~ half a billion page views, and had a mean response time of well under 100ms. (And _no_ garbage hiding in the 99th percentile.)

One thing I'll say about government work -- you're not really breaking new ground, from a technology perspective. (Unless you're at DARPA I suppose.) Don't come in thinking you're going to innovate in some bleeding-edge area. But government was left so far behind the consumer technology curve that basic, competently-executed, well-designed software that's fast is an _enormous_ leap forward. 2008-era web tech is sorely needed across government. In a way, that is the innovation: dependable software that reliably delivers services to people whose user experience has never been put on the same playing field as consumer online services.

If you're interested in being part of the rebel alliance, and for whatever reason USDS or 18F aren't right for you, consider contracting. There's enormous opportunity to make real change and see your code help others. Believe me, small teams can have a big impact on government, even from outside government. If you want to know more about Ad Hoc, get in touch (http://adhocteam.us/). We also have projects with the Department of Veterans Affairs, and state Medicaid programs.

I never thought I'd be a government contractor. I did the startup thing, and just happened to get roped into the HealthCare.gov rescue. I can tell you it's sometimes frustrating, but always satisfying work. And there are several avenues in.

4
vippy 22 hours ago 0 replies      
I'm a contractor under the GSA's OCSIT, sharing a floor with 18F, the PIFs, and occasionally members of the USDS that come to hang out. It's great to see the feds hiring awesome technologists and doing great things, including some of the technologies that are currently only available to teams with, as the developers of them say, "a reasonable pain tolerance". My only advice to 18F is that they should figure out pathways to provide the services they intend to provide, create a management plan, and stick with it. I would recommend them to check out the business models of Peter Corbett's iStrategyLabs, who is right here in Washington D.C. and doing great work for some really big brands, and VICE's Carrot Creative, from Brooklyn, if they want to see the agency model in action.
5
brandonb 22 hours ago 3 replies      
As Sam alludes to, many YC alums have joined the government in some capacity (healthcare.gov, US Digital Service, Nava, Presidential Innovation Fellows) and are on HN.

Jason Shen from YC S11 recently wrote about the concept of a "Tour of Duty": http://www.jasonshen.com/2015/when-did-you-do-your-tour-of-d...

If anybody has questions, feel free to ask and I'm sure one of the alumni will reply!

6
sarciszewski 22 hours ago 6 replies      
If I were to dedicate any time to helping anyone, I feel like my time would be better spent helping the Tor Project than helping the US Government.

I know I'm not alone here, either.

7
twright 22 hours ago 2 replies      
The USDS Playbook[1] reminded me a lot of the GDS Design Principles[2] and even shares a few points. I think they also set a feeling for each of the Governments they're related to.

[1] https://playbook.cio.gov/

[2] https://www.gov.uk/design-principles

8
ekianjo 7 hours ago 1 reply      
> serving your country

Erm. Serving your country does not equal serving the government. Often the government in place actually has an active role in destroying the country or making it worse. Look at the NSA - are the NSA folks really serving their country or their government first?

9
rdl 21 hours ago 2 replies      
I've met a lot of the U.S. Digital Service people and it is an amazing organization. I had a list of concerns (how they work with contractors already in place, how things would evolve with a new administration, whether they would get sucked into long term staffing at agencies, etc) and they had addressed all of them.

There are a few negative things as overhang from the rest of government (requirement for citizenship: so many of the great people I know are non citizens, even if many have green cards; drug testing, which doesn't really serve a meaningful purpose), but those are the reality, and don't diminish the value of the program in any way.

I would strongly recommend looking into USDS to anyone who wants to make a difference in tech. It is a great place to go in the middle of a longer career at a post-IPO company like Google/FB, or if you are between projects.

10
jordigg 22 hours ago 4 replies      
Really happy seeing these initiatives and the way the White House is thinking about bringing technology to the government.

I just can't understand why other government bodies and countries still give all their work to big corporations asking for ridiculous amounts of money for delivering questionable work quality. Their only thinking is how we can deliver the worst software ever that require us to maintain it for as many years as possible.

Give the work to smart folks who are willing to make it happen because they believe in that country and how they can make a true impact and you'll get wonderful software at a reasonable price that will just work.

11
niels_olson 21 hours ago 5 replies      
Navy doc here. One project where a huge difference could be made, now, would be if smart people could hold Leidos to task with the new military health care system. It's something like $16 billion and "integrating with the VA proved to be too expensive".

Many thanks to the folks at 18f and the US Digital Service.

How far behind is government IT? I'm trying to get the Navy HPC systems (the cutting edge, right?) to "modernize" to Python 2.7.

12
nightski 22 hours ago 6 replies      
Did he take his own advice? Also regarding the rewrite of HealthCare.gov - I don't know the specifics but aren't re-writes always way cheaper and far easier than the initial implementation? Is it really a fair comparison?
13
clebio 11 hours ago 0 replies      
Honest question, because I can't find it in the copy on the USDS page, but have seen comments here about this:

Do you treat this as a job with a certain known tenure, or rather as a sabbatical? It seems like they want specific periods of work, but how does that fit with a regular job where you're vaguely working for a company indefinitely?

How does relocating to the DC-metro area fit in with that? Relocation is expensive and a hassle, after all.

14
aerovistae 22 hours ago 2 replies      
Can we vote on what they work on?

I just want to be as sure as possible that they never get around to fixing the traffic ticketing system.

God forbid the state cops ever realize how many times the local cops have pulled me over, or vice versa, and that's before we even get out-of-state violations involved.

Good lord, keep them away from the traffic tickets. COBOL is just fine for that.

15
fitzwatermellow 21 hours ago 2 replies      
They even run a kissmetrics-style real-time analytics page:

https://analytics.usa.gov/

Between immigration and weather one can cover 70% of queries right there ;) And thanks to sama for the write up.

16
neves 21 hours ago 1 reply      
Will this scale? For me it looks like a kind of organizational anti-pattern. Imagine you are working on your project, then come the "know it all" guys trying to redo everything you know about. After rebuilding everything they will leave, take all the credit and leave the bomb with you.
17
jchendy 22 hours ago 2 replies      
Any idea what the compensation is like? Would the "tour of duty" be considered a sacrifice or is it a viable way to make a living for a talented engineer?
18
adamkochanowicz 22 hours ago 6 replies      
Is it me or does $4M annually still seem like a high cost?
19
u14408885 12 hours ago 1 reply      
I wonder if there is an equivalent in Australia (or other countries).
20
finkin1 12 hours ago 0 replies      
According to this talk, the work hours were pretty insane to fix healthcare.gov. From the 2014 Velocity Conference in New York City, Mikey Dickerson's keynote: "One Year After healthcare.gov: Where Are We Now? https://www.youtube.com/watch?v=7Vc8sxhy2I4
21
tunesmith 22 hours ago 1 reply      
I would have been all over this a few years ago, but being married to someone who can't also move to DC for a multi-month period makes it unworkable. For my career, I work 100% remotely - I would love to do some work for the digital service if they had opportunity for remote working.
22
navahq 20 hours ago 0 replies      
If this resonated with you, check out:

Mikey Dickerson (head of USDS) at SXSW: Why we need you in government https://medium.com/@USDigitalService/mikey-dickerson-to-sxsw...

Previous HN discussion on USDS: https://news.ycombinator.com/item?id=8988819

23
hippich 18 hours ago 0 replies      
I agree that you should stop complaining about anything IT-related in government and instead try to make a change (and complain about, let's say, the bogus process of winning a government contract).

That being said, from my own experience I don't believe USDS/18F/GSA are in big need of engineers. So don't be afraid to apply :)

24
binoyxj 19 hours ago 0 replies      
Here's Todd Park's (White House Technology Advisor) talk during the recently concluded Twilio Signal devcon. He's then followed by the co-founder of Twilio, newest avenger in the USDS team https://youtu.be/4QXZl4cFw24?t=50m33s
25
nphyte 22 hours ago 2 replies      
Yes, government needs good tech, but we as a global community also need good leaders that understand the implications of new tech, policy and innovation.
26
jcnnghm 22 hours ago 2 replies      
Did the people that charged $200 million to build healthcare.gov get to keep the money after the project failed? What about the people that allocated that money, do they still have their jobs?

It seems kind of disingenuous to ask engineers to do a "tour of duty" at a substantially reduced rate, when they could instead contract at normal rates and actually deliver working software. If you want to help the government, contract at normal rates and actually deliver high-quality, working software - don't take a pay cut to do it.

27
lifeisstillgood 4 hours ago 0 replies      
I attended one of the UK's GDS road shows this week. I have been trying on and off for a while to get better OSS into local government (http://www.oss4gov.org) and am still impressed by the focus there is in government on doing the right thing.

The big wins they are having are enforcing OSS licenses for bespoke development, pooling purchasing into rolling 6-9 month call-off frameworks and generally waving the agile and cheaper flags.

I am not convinced that the idea of a sort of Peace Corps couple of years will be the solution - if we get government software based on an infrastructure of OSS then it's likely both private and public developers will be familiar with those ecosystems anyway.

28
ilaksh 17 hours ago 0 replies      
Technology makes government and other traditional institutions irrelevant. Focus your efforts on decentralizing technologies that replace giant outdated systems entirely.

The US government, like all traditional states, is just a really official type of organized crime. The DNA of the state is past its expiration.

29
dnesting 20 hours ago 0 replies      
If I (as a software engineer) want to improve the way IT works in the government, can you suggest a better use for my time and skills?
30
tomjen3 22 hours ago 0 replies      
31
mtgx 21 hours ago 0 replies      
32
notsony 21 hours ago 2 replies      
33
brandonmenc 22 hours ago 4 replies      
34
TheMagicHorsey 9 hours ago 0 replies      
Ohm (YC S15) is a smarter, lighter car battery that works with your existing car techcrunch.com
272 points by blueintegral  2 days ago   256 comments top 45
1
sandworm101 2 days ago 12 replies      
(1) Those nasty things inside car batteries are easily recycled and in fact are recycled more often than not (like 95%+)

(2) Car batteries do not last only 3-4 years as per the OP. Car batteries can last decades. There are many variables, but the car in my battery is far older than 4 years. (lol)

(3) Replacing an easily-recyclable product with a less-recyclable one is no step forwards.

(4) XX addressed by OP comment, see below XX This thing is a capacitor? What's the voltage potential in there? Any device with internals significantly beyond that may be a serious fire risk in a crash.

(5) Car batteries are not needlessly heavy, nor are they a stock size. Manufacturers do care about performance. If they thought the car could do with lighter battery they would use one. Have some respect for the thought behind stock engineering before replacing it.

(6) Shutting down the voltage supply can be a real pain. A "dead" battery generally still has enough juice to keep electronics ticking over. Cutting it completely is not like turning off a switch. It often means resetting/rebooting stuff once the voltage is restored. For some (BMW) it can even mean a trip to the dealership for a special new battery ritual. http://www.bimmerforums.com/forum/showthread.php?1355106-Why...

2
oppositelock 2 days ago 1 reply      
Modern cars with keyless entry typically draw ~50mA@12V when "off"; this power is used to power the receiver, keep ECU state for such things as learned fuel maps, blink the alarm-on indicator, etc. 45Ah capacity gets you a bit over a month to drain down the battery, while 10Ah gets you a bit over a week. This isn't good; you'd have to keep it on a battery tender if you're not driving the car for just a week.

I can also see how one would implement a low voltage cutoff to prevent running down the battery, but then, how in the world do you automatically re-engage the battery to allow starting the car? You've shut off the power to the whole car, so you no longer have a circuit to monitor. If you're allowing some amount of current to trickle out, you must, by definition, be allowing the voltage to sag, which can run the ECU or alarm out of spec, causing havoc.

As the battery designer, your only input to make these decisions is the resistance of the car's electrical system.

The only thing you control is your own internal resistance.

3
krapht 2 days ago 3 replies      
Lead acid is traditionally very forgiving with regards to temperature. How does the electrical performance of your battery vary with temperature, especially at extremely cold (-40C) and extremely hot (80C) conditions?
4
sokoloff 2 days ago 3 replies      
> Oh, and its lifespan (7 years) is about twice that of a lead-acid battery (3-4 years).

I live in Cambridge, MA (so we get winters) and I can't remember the last time I've had a regularly driven car's battery fail in under 7 years.

5
smithkl42 2 days ago 3 replies      
My car has a significant design flaw(1), in that it allows children to turn on the backseat car lights and leave them on. I've had more dead batteries in the five years I've had sentient children than I've had in the 40 years prior. This is a great idea.

(1) Perhaps the design flaw is in the children.

6
allworknoplay 2 days ago 1 reply      
This is cool. Rarely in such established industries do people step back and reconsider the actual product requirements in such a practical way. Car batteries serve two TOTALLY distinct purposes (starting engine and running electronics), and this is a great solution for those.

I'd be worried about the impact of rapidly increasing electrification (including hybrids) on the high end market (the most likely consumers for this), but it's such a huge market at present that it probably doesn't matter.

Kudos, guys.

7
msandford 2 days ago 2 replies      
How does it handle a car that's iffy on starting? It's probably not hard to get something that'll crank a starter for a few seconds. But what happens if it needs to crank for 60 seconds over a 90 second window?

I've got a 2006 Forester with a manual. I'll occasionally stall it backing out of a parking spot, so I'll have to start it again. For some reason it's much more difficult to start in between cold and warmed up, so it'll take several seconds of cranking to fire back up. If I were to stall it again trying to get going, would I then be in trouble?

It doesn't happen often, perhaps only once a month. But if I'm stuck there for 30 seconds while the LiFe batteries recharge the supercap I'm not going to be happy.

8
blueintegral 2 days ago 12 replies      
Hey everyone! I'm Hunter, one of the cofounders of Ohm. Let me know if I can answer any questions.
9
gscott 2 days ago 2 replies      
Recently my wife's car battery died, end of life. When a new battery was put in it the car ran poorly. Apparently when the battery dies something in the car resets and the car "figures" out the settings again and runs rough at idle. We called a repair shop and they said to just wait a few days and it will fix itself. Which was true, runs fine now. The moral of the story is that with a new car if the battery dies, weird things happen.
10
sbierwagen 2 days ago 3 replies      
Lithium-ion car batteries are already commercially available, though cripplingly expensive: http://www.jegs.com/p/Lithium-Pros/Lithium-Pros-12-Volt-Lith...

The innovation here seems to be the capacitor bank, which lets you get away with a much smaller and cheaper lithium ion pack.

11
murbard2 2 days ago 2 replies      
So aside from what's been said, I can get this for $200 http://www.batteryspace.com/Powerizer-LiFePO4-Battery-12V-15... and it has 50% more storage than what is being advertised. What's the difference? The supercapacitors?
12
Cshelton 2 days ago 5 replies      
So yesterday Audi/Porsche/VW announced a new v6 engine that will be used in variations across all their vehicles. Further down the line, they said that engine would include an electric drive component as well, incorporating a battery, effectively making all their cars "hybrids".

This seems to be the trend, see racing tech (Formula 1, WEC, etc.). We will probably see this in all new consumer cars sometime soon.

Once every car has a battery, wouldn't the standard car battery that's most common today be obsolete?

At your price point, performance/luxury cars seem to be your only market, which are also the cars that will electric drive before mid to low end cars. These are also the owners who will replace their cars every 3-5 years anyway. Either from a 3 year lease or the 4 year warranty is out and they want something new.

I don't mean to be discouraging but, it seems your market viability, if there is any to begin with, is already limited to 5 years at the most.

I do love the idea of saving 30 lbs weight, it's negligible for most of my driving in my sports coupe, but I like to feel like it's making a difference!

13
jhallenworld 2 days ago 0 replies      
It would be nice if the battery had multiple outputs: for example, connect the capacitor to just the starter motor and have a second output for everything else. This way all the lights in the car would not dim during starting (why should the electronics have to deal with brown-outs?). Diodes could be used for the charging current input.
14
trhway 2 days ago 1 reply      
it is only 10Ah! Comparing that to 45Ah+ typical car battery is like that MongoDB write performance comparison without actual writing to disk :)

Such small capacity would work only for perfectly starting engine. Any issues and you're out of capacity. Cranking an engine requires hundreds of Amperes, like 500-800A. Thus each 10s of cranking burns 1.5-2.5Ah.

The CCA rating of a car battery is the current the cold battery can produce during 30s. 10Ah LiPo at 30C would mean maximum 300 CCA - I don't think it would satisfy any official reqs for any passenger car around. The super capacitor produces higher current, yet for much shorter bursts. Thus again only easy starting engines on smaller cars.

15
hughes 2 days ago 2 replies      
Can this battery be used to jump another (traditional or Ohm) battery when required?
16
ilurkedhere 2 days ago 1 reply      
Car user here. I didn't know I had this problem.
17
dmitrygr 2 days ago 1 reply      
1. put this into a modern car

2. do not drive for a month

3. car's slow but steady draw drains battery to where it self shuts off

4. attempt to enter car

5. realize that it is a modern car, and without electricity from the battery you cannot even open the door

6. ...

7. profit?

18
itg 2 days ago 1 reply      
Wouldn't this need to get DOT approval? Also looking at the replies from the founder, it looks like there hasn't been much actual safety testing done yet.
19
savrajsingh 2 days ago 0 replies      
I've been looking at ultracaps on digikey for a while, for just this application. Looks like a great implementation, please sign me up for the beta!
20
seesomesense 2 days ago 1 reply      
LiFePO4 batteries for cars are not new. You can even buy them on Ebay right now.

EV Power is just one of several companies that have been making them for years.

21
jasonlaramburu 2 days ago 1 reply      
Great idea in a very stagnant market. How do the LiFePO4 cells perform at high temperatures? I've worked with this battery chemistry before, and found most off the shelf cells have internal safety circuitry that disconnects the battery at temperatures >70C. Typical engine running temperature is 60-80C (or as much as 90 on a hot day).
22
netcan 2 days ago 0 replies      
I wonder what the long game is here. High end replacement batteries for existing cars seems like a beachhead attempt rather than the real target.

Apart from the environmentals (see sandworm101), which are debatable, the main tradeoff is weight vs capacity.

Sports car enthusiasts seem like the most likely market. Some of these guys will drill holes into foot pedals to save grams. You'd need to look at what's available to them to see if this would sell. Comparing to average lead batteries is not much use.

Anyway, this probably isn't the long game.

23
sakopov 2 days ago 0 replies      
Perhaps I am in the minority here, but in the 15 years I've owned cars I don't remember a time when I planned changing the battery. It happens at the worst time, most frequently when I'm trying to get to work or home. So getting a new battery is always an emergency to get my car rolling so I don't get it towed or start accumulating parking tickets. Getting an eco-friendly battery is the last of my worries. I wonder how many folks out there feel the same and how this could impact a novel product like this going forward.
24
saidajigumi 2 days ago 1 reply      
How does the Ohm battery handle extended cold conditions? I lived in a cold climate for a number of years in grad school, cold but not block-warmer cold. My experience was that I had to pay close attention to the cold-cranking amps rating of replacement batteries, so they'd still be able to start my car under the long duress of winter. Likewise, I found that car batteries seemed to be consumables relative to my warm-climate experience (*).

(*) explaining the plural "batteries", above.

25
aidenn0 2 days ago 0 replies      
I've prototyped similar with just 7 maxwell caps in series wired in parallel with a lead-acid battery. The caps can start an engine entirely on their own, and the lead-acid maintains the voltage when off. It works fairly well.

I think someone already sells a device to work like that for commercial tractors, and I was wondering when someone more interested in starting a company than I am would realize you could have a tiny battery plus EDLCs for a car.

26
smoyer 2 days ago 1 reply      
I'd love to have a lighter bank of batteries in my (small) sailing yacht but I need something that can be "deep-cycled". Getting rid of several hundred pounds of batteries would leave capacity for more stuff!

I could replace the engine's starter battery with this one for a bit of weight savings ... and it's protected from the "house" circuits by a charging diode, so there's no risk of discharge.

27
bbcbasic 2 days ago 1 reply      
I remember watching youtube videos of a guy starting his car with just a capacitor a year ago (was it one of you guys?) and thought this idea had a lot of potential. Good on you for bringing it to market.

Please be careful to not make it too 'smart'. I don't think a car battery needs to be connected to the internet of things that can be remotely hacked into :-).

28
kseifried 2 days ago 1 reply      
How does this battery handle -40C weather? What about sitting at -40C for say 12 hours (not everywhere has plugins for block heaters). Currently a ~$100 winter battery will handle that no problem. I'm from Canada so this is not a hypothetical question.
29
franch 2 days ago 0 replies      
This kind of tech has been around for about a year... http://semiaccurate.com/2014/06/30/pretec-takes-step-flash-c...
30
PeterWhittaker 2 days ago 2 replies      
JOOC, what is the CCA rating? I don't recall seeing it in the comments.

There aren't many of us who run winches, but thems of us that do want quite a few (650 CCA is not uncommon, and some winch manufacturers recommend deep cycle batteries like the Yellowtop Optima).

31
kazinator 2 days ago 1 reply      
> Oh, and its lifespan (7 years) is about twice that of a lead-acid battery (3-4 years).

Nonsense; lead acid batteries easily last 5 years or more.

Since the article lowballs the life of a lead-acid battery, it's reasonable to suspect that it's likewise overestimating the seven year life of this new battery, which would make them about equal.

> They're filled with garbage materials that are terrible for the planet.

More FUD. The garbage materials are sealed, and batteries get recycled. Places that sell you the new one take back the old one, generally.

Battery places are not going to know what to do with this new-fangled thing.

So it's down to the 6 pounds and gas mileage. Okay, realistically, let's talk about the environment now: this is for an internal-combustion-engine car that spews several tonnes of carbon into the atmosphere. If you want to save the planet, ride a bicycle. Still, this could make in excess of a one percent difference in fuel economy, which is significant, and will easily more than pay for the battery. Say you spend 200 bucks on fuel per month. Get 3 of those back thanks to the 6 pound battery, that's 36 over 12 months. If it holds up for 10 years, 360 saved.

Easier on the lower back is a plus. For many people, this is a do not care; only the DIY battery swappers who do it in the parking lot will be somewhat relieved, as well as the people who swap batteries as part of their work duties.

Poor capacity is a minus. People don't just run the stereo while parked; sometimes they have the headlights on or use other accessories, not always ones built-into the car. On a warm day you might listen to the stereo, and have a fan circulating the air. How about emergencies? If you're stranded somewhere with a dead engine, it's better to have more battery capacity than less for whatever. Flashing your lights at another car, say.

> They die without warning

That is not entirely true: there are in fact warning signs which, combined with age (being say > 5 years) add up to "change the battery". A lead-acid battery that has given you five warnings will then die without an additional warning, if five warnings is all which that battery has been blessed with. Those who don't recognize the warnings of course curse the battery for dying without a warning.

Who is to say this battery won't exhibit sudden failure modes? Suppose the business takes off and millions of these that are actually sold to consumers are made in sweatshops overseas, with all kinds of corners cut to save costs. Will those units still hold up? Let's compare prototype to prototype, shipping product on the shelves with shipping product on the shelves.

32
frgewut 2 days ago 0 replies      
I have always wondered whether it would be possible to remove alternator from ICE cars and substitute it with a chargeable battery.
33
teekert 2 days ago 0 replies      
Perhaps it is time to start using CMSs that translate units into local units as can already be done for timezones. Just a thought :)
34
walshemj 2 days ago 0 replies      
Is the weight/size of a battery really that important in the total mass of a car - what's the USP here.
35
legulere 2 days ago 0 replies      
I wonder how this will play with deposit refund systems for lead acid car batteries like they exist for instance in Germany.
36
bliti 2 days ago 1 reply      
@Founders: Any data comparing it to Optima batteries?
37
digitalneal 2 days ago 0 replies      
I could see this being an attractive solution for a battery to power electric turbos but not as a main battery replacement.
38
toddkazakov 2 days ago 0 replies      
39
gcb0 2 days ago 2 replies      
If it is so much smaller inside the big case, why not pack twice the caps and have double the running time/service life?
40
rebootthesystem 2 days ago 0 replies      
A solution looking for a problem.

Sorry, it isn't my intention to be less than cordial. I just don't see a problem screaming for a fix. Nobody I know is screaming about the batteries in their cars. I don't even know (or care) what batteries are in our vehicles and I am far more aware of automotive matters than the average person out there.

Longevity isn't an issue.

Weight? People are far more interested in losing 34 lbs of fat from their bodies than 34 lbs of battery from their cars. The former would make them very happy while the latter is completely off their radar.

"It costs more but it's better" (paraphrasing). The world is littered with the carcasses of businesses who thought "better" was equivalent to "sales". I've done that before and lived to learn a few expensive lessons. This might very well be better in objective terms from a certain point of view but people are not going to hand over another $50 for something they truly don't care about. This isn't an iPhone or a Nest type product where "luxury makes me feel good" is part of the mental process.

I do agree the racing community might have interest in something like this. That said, if I were building a race car I would use Lithium Polymer battery packs that deliver tremendous power at a lower volume and weight. Are there rules prohibiting this due to fire hazard issues?

And yet, I could be absolutely wrong in my view.

41
sliverstorm 2 days ago 2 replies      
One challenge in going after the enthusiast market is going to be, the enthusiast market already has options.

Back when I drove a fast sporty little car, I got one of these:

http://www.amazon.com/gp/product/B0002ILK6I

$100, 4 pounds. Proven technology. I can buy it today.

Half the cost, 60% more capacity, and 2/3 the weight of this "Ohm". Smaller too, from the looks of the "Ohm".

I'm not trying to rag on you guys, but I can't figure out why I would pick the "Ohm", unless maybe it's got a really rippin' CCA.

Edit: Amazon is incorrect, ODYSSEY quotes the battery as 15.4lbs:

http://shop.odysseybattery.com/p/pc680-p

To compare like for like, we would look here:

http://shop.odysseybattery.com/p/pc310-p?pp=12

8Ah, 5.9lbs, tiny, $163 on Amazon. I hope you can beat it on CCA.

42
jchomali 2 days ago 0 replies      
This is great!
43
venomsnake 2 days ago 0 replies      
> Ohms battery reserve comes in at 10 amp hours;

Have these guys tried to start an atmospheric diesel at -20 C? That capacity is absurdly low. I roll my 80 hp diesel with 7 times the capacity.

I see no benefit at all - you take something reliable as hell, make it unreliable by adding hardware and software, reduce the capacity, just to shave 20 pounds of weight off a 3000 pound car.

If it was a normal-sized battery with some smarts - it could have been useful. But the current incarnation works only in very moderate climates with mild winters.

44
curiousjorge 2 days ago 1 reply      
So another inaccurate and unscientific claim that investors love throwing their money at because it's a startup. TechCrunch is like the tabloids for questionable startups and it's really hurt the perceived quality. I've built a filter mechanism for TC since a few years ago when they just became an advertising platform rather than serious journalism.
45
kevin_thibedeau 2 days ago 2 replies      
Running three hours of Ruby tests in under three minutes stripe.com
277 points by nelhage  1 day ago   103 comments top 25
1
dankohn1 1 day ago 1 reply      
We're not nearly at Stripe's scale, but my startup (Spreemo) has achieved pretty amazing parallelism using the commercial SaaS CircleCI. We have 3907 expects across 372 RSpec and Cucumber files. Our tests complete in ~14 minutes when run across 8 containers.

One of the great strengths for CircleCI is that they auto-discover our test types, calculate how long each file takes to run, and then auto-allocate the files in future runs to try to equalize the run times across containers. The only effort we had to do was split up our slowest test file when we found that it was taking longer to complete than a combination of files on the other machines.

I also like that I can run pronto https://github.com/mmozuras/pronto to post Rubocop, Rails Best Practices, and Brakeman errors as comments on Github.

2
clayallsopp 1 day ago 3 replies      
I'm super curious how Stripe approaches end-to-end testing (like Selenium/browser testing, but maybe something more bespoke too)

My understanding is that they have a large external dependency (my term: "the money system"), and running integration tests against it might be tricky or even undependable. Do they have a mock banking infrastructure they integrate against?

3
com2kid 1 day ago 2 replies      
I am tired of this technology having to be re-invented time and time again.

The best I ever saw was an internal tool at Microsoft. It could run tests on devices (Windows Mobile phones, but it really didn't care), had a nice reservation and pool system and a nice USB-->Ethernet-->USB system that let you route any device to any of the test benches.

This was great because it was a heterogeneous pool of devices, with different sets of tests that executed appropriately.

The test recovery was the best I've ever seen. The back end was wonky as anything, every single function returned a BOOL indicating if it had run correctly or not, every function call was wrapped in an IF statement. That was silly, but the end result was that every layer of the app could be restarted independently, and after so many failures either a device would be auto removed from the pool and the tests reran on another device, or a host machine could be pulled out, and the test package sent down to another host machine.

The nice part was the simplicity of this. All similar tools I've used since have involved really stupid setup and configuration steps with some sort of crappy UI that was hard to use en-masse.

In comparison, this test system just took a path to a set of source files on a machine, the compilation and execution command line, and then if the program returned 0 the test was marked as pass, if it returned anything else it was marked as fail.

All of this (except for copying the source files over) was done through an AJAX Web UI back in 2006 or so.

Everything I've used since then has either been watching people poorly reimplement this system (frequently with not as good error recovery) or just downright inferior tools.

(For reference a full test pass was ~3 million tests over about 2 days, and there were opportunities for improvement, network bandwidth alone was a huge bottleneck)

All that said, the test system in the link sounds pretty sweet.

4
ryanong 1 day ago 3 replies      
If you want to implement this locally without using minitest, check out test-queue by Aman Gupta on GitHub.

https://github.com/tmm1/test-queue

One thing that really sped up our test suite was by creating an NGINX proxy that served up all the static files instead of making rails do it. This saved us about 10 minutes off our 30 minute tests.

5
sytse 1 day ago 0 replies      
Very cool stuff. For reference at GitLab we use a less impressive and simpler solution. We split the jobs off in https://gitlab.com/gitlab-org/gitlab-ce/blob/master/.gitlab-... These jobs will be done by separate runners, this brought our time down from 1+ hours to 23 minutes https://ci.gitlab.com/projects/1/refs/respect_filters/commit...
6
yjgyhj 1 day ago 1 reply      
One thing I've noticed since coding with immutable data structures & functions (rather than mutable OOP programs) is how tests run really fast, and are easy to run in parallel.

I/O only happens in a few functions, and most other code just takes data in -> transforms -> returns data out. This means I only have few functions that need to 'wait' on something outside of itself to finish, and much lesser delays in the code.

This is coding in Clojure for me, but you can do that in any language that has functions (preferably with efficient persistent data structures, like the tree-based PersistentVector in Clojure).

7
sigil 1 day ago 0 replies      
> We opted for an alternate, dynamic approach, which allocates work in real-time using a work queue. We manage all coordination between workers using an nsqd instance... In order to get maximum parallel performance out of our build servers, we run tests in separate processes, allowing each process to make maximum use of the machine's CPU and I/O capability. (We run builds on Amazon's c4.8xlarge instances, which give us 36 cores each.)

This made me long for a unit test framework as simple as:

 $ make -j36 test
Where you've got something like the following:

 $ find tests/
 tests/bin/A
 tests/bin/B
 ...
 tests/input/A
 tests/input/B
 ...
 tests/expected/A
 tests/expected/B
 ...
 tests/output/

 $ cat Makefile
 test : $(shell find tests/bin -type f | sed -e 's@/bin/@/output/@')

 tests/output/% : tests/bin/% tests/input/% tests/expected/%
 	@ printf "testing [%s] ... " $@
 	@ sh -c 'exec $$0 < $$1' $^ > $@
 	@ # ...runs tests/bin/% < tests/input/% > tests/output/%
 	@ sh -c 'exec cmp -s $$3 $$0' $@ $^ && echo pass || echo fail
 	@ # ...runs cmp -s tests/expected/% tests/output/%

 clean :
 	rm -f tests/output/*
You get test parallelism and efficient use of compute resources "for free" (well, from make -j, because it already has a job queue implementation internally). This setup closely resembles the "rts" unit test approach you'll find in a number of djb-derivative projects.

The defining obstacle for Stripe seems like Ruby interpreter startup time though. I'm not sure how to elegantly handle preforked execution in a Makefile-based approach. Drop me a line if you have ideas or have tackled this in the past, I've got a couple projects stalled out on it.

8
jtchang 1 day ago 0 replies      
Love this. Sometimes testing can be a huge pain in the ass. I know more than one project I work on where getting them to run is a lot of effort in itself.

There is something to be said about code quality and having tests run in under a few seconds. The ideal situation is when you can have a barrage of tests run as fast as you are making changes to code. If we ever got to the point of instant feedback that didn't suck I'd think we'd change a lot about how we think about tests.

9
atonse 1 day ago 0 replies      
On a previous project, I had built a shell script that essentially created n mysql databases and just distributed the test files under n rails processes.

We were able to run tests that took an hour in about 3 minutes. It was good enough for us. Nothing sophisticated for evenly balancing the test files, but it was pretty good for 1-2 days of work.

10
vkjv 1 day ago 1 reply      
"This second round of forking provides a layer of isolation between tests: If a test makes changes to global state, running the test inside a throwaway process will clean everything up once that process exits."

But, then how do you catch bugs where shared mutable state is not compatible with multiple changes?

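The two-level forking that the quote above describes (workers pulling tests from a work queue, each test run in a throwaway child), as an added example in Ruby that is neither Stripe's code nor the test-queue gem: the line-based JSON protocol over a socket pair, the worker count and the four-test suite with its shared $counter are all constructed here. The run_inline variant shows the leaked-state interaction that the throwaway process hides, which is the trade-off the question above is asking about.

```ruby
# Added example (not Stripe's code and not the tmm1/test-queue gem): a
# minimal pull-based test runner. Worker processes ask a dispatcher for the
# next test (so fast workers simply take more), and every test runs inside
# a throwaway forked child, so its changes to global state die with it.
require 'json'
require 'socket'

# Constructed suite: each test is a lambda returning true (pass) or false.
# $counter is deliberately global, mutable state shared by the tests.
$counter = 0
TESTS = {
  'increments'       => -> { $counter += 1; $counter == 1 },
  'sees_clean_state' => -> { $counter == 0 },   # passes only if isolated
  'slow_pass'        => -> { sleep 0.2; true },
  'fails'            => -> { false },
}

# Second level of forking: run one test in a throwaway child and map its
# exit status to pass/fail. Nothing the test does to globals survives.
def run_isolated(name)
  pid = fork do
    ok = begin
      TESTS.fetch(name).call
    rescue StandardError
      false
    end
    exit!(ok ? 0 : 1)          # exit! skips at_exit hooks in the child
  end
  _, status = Process.wait2(pid)
  status.success?
end

# First level of forking: a worker loop speaking one JSON object per line.
# It pulls work by announcing "ready", runs the test, and reports the result.
def worker_loop(sock)
  loop do
    sock.puts({ 'ready' => true }.to_json)
    line = sock.gets or break
    msg = JSON.parse(line)
    break if msg['done']
    name = msg['test']
    sock.puts({ 'test' => name, 'pass' => run_isolated(name) }.to_json)
  end
end

# Dispatcher: hands tests out on demand (pull-based), collects results, and
# tells each worker to stop once the queue is empty. Returns name => pass?.
def run_suite(test_names, workers: 2)
  queue   = test_names.dup
  results = {}
  socks   = {}                 # parent-side socket => worker pid
  workers.times do
    parent, child = UNIXSocket.pair
    pid = fork do
      parent.close
      worker_loop(child)
      exit!(0)
    end
    child.close
    socks[parent] = pid
  end
  until socks.empty?
    ready, = IO.select(socks.keys)
    ready.each do |sock|
      line = sock.gets
      if line.nil?             # worker exited: reap it and forget the socket
        Process.wait(socks.delete(sock))
        sock.close
        next
      end
      msg = JSON.parse(line)
      results[msg['test']] = msg['pass'] if msg.key?('pass')
      next unless msg['ready']
      reply = queue.empty? ? { 'done' => true } : { 'test' => queue.shift }
      sock.puts(reply.to_json)
    end
  end
  results
end

# For contrast, the in-process variant: $counter leaks from one test into
# the next, which is exactly the interaction that the forked version hides.
def run_inline(test_names)
  saved   = $counter
  results = test_names.map { |n| [n, TESTS.fetch(n).call] }.to_h
  $counter = saved             # undo the leak so later forked runs start clean
  results
end

if __FILE__ == $PROGRAM_NAME
  puts "forked: #{run_suite(TESTS.keys)}"
  puts "inline: #{run_inline(%w[increments sees_clean_state])}"
end
```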
11
arturhoo 1 day ago 1 reply      
Congratulations on what looks like a very challenging task. I'm assuming a part of those tests hit a database. How have you dealt with it? I assume that a single instance, even on a powerful bare server, could be a road blocker in this situation. A few insights on the Docker/Containerization part of it would also be nice!
12
Ono-Sendai 1 day ago 1 reply      
This is an interesting and possibly overlooked problem with using slow languages like Ruby - your unit tests take forever to run. (unless you spend a lot of engineering effort on making them run faster, in which case they may run somewhat acceptably fast)
13
raverbashing 1 day ago 2 replies      
I guess a lot of problems come from the stupidly brain dead way people usually write tests (because it's the "recommended TDD way")

Things like using the same setup function for every test and setting up/tearing down for every test regardless of dependencies

Also tests like

 def test1():
     do_a()
     check_condition_X()
then

 def test2():
     do_a()
     check_condition_Y()
Or

 def test1():
     do_a()
     check_condition_X()

 def test2():
     do_a()
     do_b()
     check_condition_Y()
When it could have been consolidated into 1 test

Then people wonder why it takes so much time?

Also helpful is if you can shut down database setup for tests that don't need it

14
falsedan 1 day ago 3 replies      
Oh hey, we have the same sort of system here. It's 60,000 Python tests which take ~28 hours if run serially, but we keep it around 30-40 minutes. We wrote a UI & scheduler & artifact distribution system (which we're probably going to replace with S3). We run selenium & unit tests as well as the integration tests.

We've noticed that starting and stopping a ton of docker containers in rapid succession really hoses dockerd, also that Jenkins' API is a lot slower than we expected for mostly-read-only operations.

Have you considered mesos?

15
cthyon 1 day ago 3 replies      
Not sure if this has already been answered, but would Stripe's methods only work with unit tests where tests are not dependent on each other?

How would one go about building a similar distributed testing setup for end-to-end tests where a sequence of tests have to be run in particular order. Finding the optimal ordering / distribution of tests between workloads would certainly be more complicated. Maybe they could be calculated with directed graph algorithms?

16
hinkley 1 day ago 1 reply      
needle scratching on record

They have an average of 9 assertions per test case. I think I may see part of their problem.

17
meesterdude 1 day ago 0 replies      
I wrote a rubygem called cloudspeq (http://github.com/meesterdude/cloudspeq) that distributes rails rspec specs across a bunch of DigitalOcean machines to reduce test execution time for slow test suites in dev.

one of the things I did that may be of interest is to break up spec files themselves to help reduce hotspots (or dedicate a machine to it specifically)

Not as complex or as robust as what they did, but it works!

18
grandalf 1 day ago 1 reply      
It's interesting to imagine, for a test suite that would take three hours, how much of the execution time is state management vs algorithm execution.
19
throwaway832975 13 hours ago 0 replies      
Pull-based load balancing is a generally underrated technique.
21
rubiquity 1 day ago 0 replies      
Does this mean each process has its own database or are you able to use transactions with the selenium/capybara tests?
22
teacup50 1 day ago 6 replies      
How much cheaper (in time, code, effort, complexity) would it be if:

- Their language runtime supported thread-based concurrency, which would drastically reduce implementation complexity and actual per-task overhead, thus improving machine usage efficiency AND eliminating the concerns about managing process trees that introduce a requirement for things like Docker.

- Their language runtime was AOT or JIT compiled, simply making everything faster to a degree that test execution could be reasonably performed on one (potentially large) machine.

- They used a language with a decent type system, significantly reducing the number of tests that had to be both written and run?

23
chinathrow 1 day ago 3 replies      
Any reason why a financial infrastructure provider like Stripe would run CI tests on someone else's infrastructure? Isn't that a no-go from a security point of view? Or - how do you trust the hosted CI company not to look at your code?
24
edoloughlin 1 day ago 1 reply      
25
smegel 1 day ago 0 replies      
Stop Looking for a Cofounder dontscale.com
263 points by adrianmsmith  22 hours ago   143 comments top 30
1
rcarrigan87 20 hours ago 7 replies      
Too many people who are new to entrepreneurship only see startups as their entry point. Part of this is media coverage: everyone is talking about funding mega rounds and the VC fueled entrepreneur world.

I think many entrepreneurs are less interested in building billion-dollar companies and are more seeking freedom from suppressive corporate jobs.

But when the only narrative you see is mega startups it starts to seem like that's the only worthwhile path to entrepreneurship. Small business sounds like your Mom's flower shop - lame. So you have to find a co-founder and raise VC and pick a huge market, and work on your pitch deck, etc. etc.

Reality is having a couple million a year business can really lead to a fantastic lifestyle if done properly.

2
jondubois 23 minutes ago 0 replies      
I think if someone needs a cofounder to motivate them to keep going, then they probably aren't that passionate about the idea. Founders should have realistic expectations and give themselves a lot of time to find a market fit.

I think the less funding/marketing/hype your startup has, the longer it will take to find market fit, but once you do find it, it will be rock solid. If you can find people to use your product in spite of it being completely unknown, then that is the highest form of validation that a product can receive.

If, on the other hand, people only use your product because 'every one else is using it' then that is a really weak form of validation.

3
paulsutter 19 hours ago 1 reply      
Even if you want to build a scalable/fundable startup, stop looking for a cofounder. It's needy and the wrong motivation. Start working on the project and get help from the smartest people you know / can find. Get their help in any capacity you can. You're more likely to find a cofounder indirectly on this path than in an overt "cofounder search". Plus you'll actually be making progress.
4
danieltillett 17 hours ago 4 replies      
I am going on a rant, but can we stop using the term lifestyle business for non-VC startups? Almost anything would be better - I came up with the term founder-focused as an alternative [1], but almost anything would be better than the term lifestyle. A serious business is a serious business no matter the funding source.

1. http://www.tillett.info/2014/11/24/lets-kill-the-term-lifest...

5
brightball 19 hours ago 4 replies      
He's not wrong, but a lot of what he says is very dependent on self-discipline. Having a partner, in addition to all of the other perks, also gives you a point of accountability that forces prioritization and a real plan.

It is entirely possible to start a business by yourself. People do it successfully every single day but there are a whole lot of complicated factors from financial, legal, technical and psychological at play just to get started.

Having a support system around you can insulate you from a lot of the complications that come from going it on your own, but that support system is usually based on goodwill not vested interest.

Even people who "go it on their own" but happen to be married when they do so very clearly have a partner in the business.

6
jcrubino 21 hours ago 4 replies      
PG's context of a startup is a company that has the potential to make it into a leading stock market index. Anything else is considered a "lifestyle" business and not within YC's or most other VCs' scope of interest for funding.
7
crocal 20 hours ago 0 replies      
Having just gone through a bad experience with cofounders, I should be on the same page as John. But I am not. It is essential to have cofounders even with all this accelerating software available, just because of the fatigue. It's a lot of work to achieve quality and willingness to pay in software, no matter what. My mistake was to try to make it all by myself with only non-tech partners. If I had had just one strong cofounder as involved as I was, I think things would have turned out very differently. Be humble!
8
swalsh 19 hours ago 1 reply      
If you're a programmer, and you're relatively young (like under 40) you probably don't have a lot of experience. Sure you have a lot of experience programming, and solving problems. But it's VERY unlikely that you know an industry, and its unsolved or badly solved problems. To get to know these problems, I think you need some outsider experience.

For example, I'm in the healthcare industry. I can name a whole bunch of problems here, but none of them are ripe for a new startup. That's because I really only find out about a problem from my little part of the world. The few times I've had glimpses beyond my world I certainly haven't had enough of a glimpse to really try and tackle it.

So to me, that's important. Without a cofounder who really knows an industry, you're going to work on 1st world problems that a normal person might run into, that are solvable by a single person.

To be honest, of the problems left in that space they're not really interesting businesses. Either they won't make too much money, or they solve a boring non-problem.

As a technical person I want to find someone who has run into good problems, and will know if a solution will work or not.

9
crimsonalucard 21 hours ago 0 replies      
At the same time I would say, don't dismiss the benefits of having a cofounder. It's easier to explore new territory as a team than it is alone. Just the psychological boost that comes with camaraderie is well worth it.
10
graeme 20 hours ago 1 reply      
As others have noted, this is addressing a different type of business than PG was talking about.

The author is talking about bootstrapped businesses. There are many niches where a well run business can earn revenue of $100,000-$500,000 per year, and be ably run by a single person. These niches do require upkeep, but they are not so likely to be invaded by major competitors or large companies. The returns are too small. However, the returns are excellent for a single founder.

It is also true that it's easier to scale such a business than it used to be. So there is probably more bootstrapping potential than before, especially as more people move online and there are therefore more niches to fill.

But this approach also rules out many types of businesses, and with rare exceptions it rules out larger revenue streams. These are among the trade-offs.

11
aesthetics1 20 hours ago 1 reply      
I believe John is writing for an audience that PG is not addressing. He is taking his lifestyle business approach and saying that it should apply to businesses that are seeking funding and trying to ultimately have an exit, or become a shiny unicorn. This just isn't the right advice for YC style companies.
12
omouse 21 hours ago 1 reply      
A cofounder just makes some things easier; you have someone that's available 24/7 to talk about ideas and implementation. When it's just you it feels a little easier to give up unfortunately.
13
tgeery 18 hours ago 0 replies      
The whole time I could not stop thinking of this Wozniak quote. Although... I guess he eventually had a cofounder.

http://www.brainpickings.org/2012/01/18/woz-on-creativity-an...

14
antaviana 21 hours ago 1 reply      
I found the following book to be quite a good tool with practical advice for the proposed approach:

http://www.amazon.com/Start-Small-Stay-Developers-Launching-...

15
cha-cho 8 hours ago 0 replies      
I feel that this line should be in bold: "It doesn't really matter what your friends think of your ideas or you in regards to starting a business; the votes that count come in the form of paying customers."
16
j_lev 15 hours ago 0 replies      
"Finding" a co-founder wasn't a choice for the uncountable husband-wife partnerships over the ages. Sometimes for better or for worse you're stuck with your spouse as your co-founder.

I remained in the corporate world for about five years after making the decision mentally to quit until I had confidence that both the technology and my own skill had reached a point where I could have a good shot at hustling a living with my wife as "co-founder." The article somewhat vindicates my decision.

17
free2rhyme214 11 hours ago 1 reply      
Having cofounders or not is a matter of personal preference. Statistically teams of 2 or 3 do better than teams of 1.

Look at the most successful tech IPOs and funding rounds. Sure there's Amazon & Flexport etc. but those are exceptions.

18
seizethecheese 19 hours ago 1 reply      
The post is saying that you don't need a cofounder for the subset of ventures that a very technical person can tackle alone. The types of ventures that YC funds are generally not plausible to tackle alone. There is no conflict between PG's ideas and this essay so long as you accept that there are ventures of differing scope, some need more than one founder and some don't, and YC generally invests in the latter.
19
latishsehgal 19 hours ago 1 reply      
I have been trying to bootstrap a one man software shop for the last 2 years and recently released v2 of the software. How I usually explain it to my "work" friends is that the highs are higher and the lows are lower while trying to do everything yourself. I would have jumped at the opportunity of having a cofounder for that reason, but never found the right people interested.
20
adidash 17 hours ago 0 replies      
Met the founder of a startup accelerator in Singapore and shared my idea. His first question - "will it be a billion dollar company?" I said no, but it has the potential to scale to a few million dollars, and his reply was - "then it's not a startup but just a lifestyle business."
21
jlarocco 20 hours ago 3 replies      
I've always thought people desperately looking for cofounders on HN, or asking how to find them, are kind of goofy and lame. Has there ever been an even moderately successful company cofounded by strangers who met while slumming the internet for cofounders?

It seems to me that PG almost certainly didn't mean people were better off starting companies with random strangers than they would be starting off alone.

Looking at the big successful companies that were started with multiple founders, it was almost always a group of friends, or co-workers, or acquaintances from school with similar interests, or something like that. There's more to being "cofounders" than just meeting randomly and deciding to start a company together.

22
api 21 hours ago 4 replies      
"If you're unable to convince friends to start a business with you, PG says it's a vote of no confidence. But, what if you're like me and you don't have a lot of entrepreneurial friends? Or, maybe you do, but they don't want to work on your ideas? It doesn't really matter what your friends think of your ideas or you in regards to starting a business; the votes that count come in the form of paying customers. Since it's cheap and easy to spot faults in unproven business ideas, early votes of no confidence, even from well-meaning friends and family are standard fare. Expect and take them with a grain of salt. Some of the best companies today sounded pretty dumb on paper yesterday."

This is probably the clearest refutation of Graham's single founder section I've seen.

I'd expound a bit on one of the later points:

If what you're doing is somewhat domain-specific, only the opinions of people in your target area and market matter. You might know a lot of people, but if they're not in your target area and market they might not get it. If you're getting negative feedback from them, it might be irrelevant. The only negative feedback you should listen to is from people who really get your target area.

23
jasonswett 19 hours ago 0 replies      
24
eldude 18 hours ago 2 replies      
Please don't stop looking for a cofounder. It's true that all it additionally takes to be a solo-founder is self-discipline, but as a human being you are psychologically and emotionally unequipped to deal with this. Let me explain...

On History, there's a self-filmed TV show about 10 survivalists dropped off separately on Vancouver Island competing for $0.5M to be the last standing. The show is fantastic, not for the impressive survival skills, but for the human psychology. The show is called "Alone," and I'm fairly certain they (re)named the show after filming. What you witness over the course of just weeks, is nearly every wilderness expert abruptly losing their will to go on because there is nobody to share it with. They openly acknowledge that they have what it takes to continue, and were originally okay with being away from their family indefinitely, but they all just completely lose their desire and interest in winning or continuing because they are so alone.

In short, isolation doesn't just make it more difficult for you to achieve your goals, it rips the desire to achieve them from your psyche altogether! This is empirically shown and self evident in numerous aspects of society: solitary confinement being classified as torture, team dynamics, mentors, pair bonding, tribalism, etc... It's also why YC (mostly) doesn't accept solo-founders, as well as many other respected VCs.

[1] http://www.history.com/shows/alone/about

25
MCRed 21 hours ago 1 reply      
I'm leaning this way now myself, after previously believing that co-founders were essential and prior to that being dubious about their value.

Two things I've seen kill startups are bad cofounder relationships, and Venture Capitalists. Almost 50-50, with VCs in the lead because they cause a lot of the bad co-founder relationships.

The person you are likely to make your cofounder should probably be your first employee. Make them significant, give them a VP title or whatever, get feedback from them, pay them in equity. But don't let them be in a position where leaving or failing to pull their weight would doom the company.

Finding a good cofounder is nearly impossible for many people for many reasons. If you are a group of people who know each other already and want to start a company-- great.

But cofounder dating is a bad, bad idea. Couples live together for years before getting married, yet cofounders want to "get married" within days or months? Even if you choose well on a number of areas, you simply can't know your cofounder well enough.

26
rebootthesystem 16 hours ago 0 replies      
With the right project, skills, dedication, some funding and a little luck it is quite possible for a single person to build a business that produces $100K to $200K per month free cash. I understand the SV culture of building for $100MM+ exits but that is utopia. All you have to do is run the stats against total business startups (and failures) per year to confirm this claim.

As for single vs. multi-founder companies. I see SV from afar as an environment where young VCs incubate all manner of ideas by young inexperienced people. It's an educated shotgun approach. And it obviously works or it would have died off a long time ago.

In that context I would say it is absolutely imperative to have more than one person on a team. Why? Because business is hard and most 20-somethings today have never done anything even remotely as hard in their lives. When business slaps you around and tests your limits and you are an inexperienced young person without a support system around you, failure is almost guaranteed. Add co-founders to spread the stress, discuss, find solutions and feel like a team with a dose of guidance, money, advice and the benefits of the experience of good VCs and you can make interesting things happen.

Again, in that context, yes, you need multiple founders.

With more experienced entrepreneurs who've been tested in business I don't think the solo founder thing is a problem at all. We can manage the business just fine and we can hire good people to do what's needed. The benefit of experience is that problems are met with aplomb and a mental and business toolbox that turns mountains into hills.

Money is a thing separate from the single/multi founder issue. You can fail miserably with lots of money and a large team and you can succeed with little money and a guy coding at home (PlentyOfFish anyone?).

What money can and does do is light a rocket under a good thing at the right point in time to make it go. Money is like the blood in the veins of a business. Without enough of it you are not going to go run a marathon and win.

28
makeitsuckless 21 hours ago 8 replies      
29
hughguiney 18 hours ago 2 replies      
30
unabst 18 hours ago 0 replies      
OpenBSD removes support for non-UTF8 locales marc.info
228 points by ingve  22 hours ago   160 comments top 5
1
kragen 21 hours ago 7 replies      
I wonder what the pros and cons weighed in the discussion were.

Clearly not supporting Unicode text in non-UTF-8 locales (except through, like, some kind of compatibility function, like recode or iconv) is the Right Thing. One problem that I have is that current UTF-8 implementations typically are not "8 bit clean", in the sense that GNU and modern Unix tools typically attempt to be; they crash, usually by throwing an exception, if you feed them certain data, or worse, they silently corrupt it.

Markus Kuhn suggested "UTF-8B" as a solution to this problem some years ago. Quoting Eric Tiedemann's libutf8b blurb, "utf-8b is a mapping from byte streams to unicode codepoint streams that provides an exceptionally clean handling of garbage (i.e., non-utf-8) bytes (i.e., bytes that are not part of a utf-8 encoding) in the input stream. They are mapped to 256 different, guaranteed undefined, unicode codepoints." Eric's dead, but you can still get libutf8b from http://hyperreal.org/~est/libutf8b/.
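An added example, not code from the thread or from libutf8b: Python's built-in `surrogateescape` error handler is the UTF-8B idea in practice, so the three behaviours the comment contrasts (crash, silent corruption, clean escape) can be shown side by side on one constructed input. It maps each garbage byte to a lone surrogate U+DC80..U+DCFF, one code point per byte value 0x80..0xFF (128 rather than the 256 in the quoted blurb, since bytes below 0x80 are always valid ASCII). SAMPLE is constructed for this example and the function names are its own.

```python
"""Added example, not code from the thread or from libutf8b: Python's
'surrogateescape' error handler does what the UTF-8B comment describes.
Each byte that is not part of a valid UTF-8 sequence decodes to a lone
surrogate U+DC80..U+DCFF, and encoding with the same handler restores the
original bytes. SAMPLE is a constructed input; the function names are this
example's own."""

# Constructed input: valid UTF-8 "café ", then a stray Latin-1 0xE9 byte
# that is not a valid UTF-8 sequence, then an ASCII tail.
SAMPLE = "caf\u00e9 ".encode("utf-8") + b"\xe9" + b" tail"


def strict_fails(data: bytes) -> bool:
    """The 'crash' behaviour: a strict decoder raises on the garbage byte."""
    try:
        data.decode("utf-8")
        return False
    except UnicodeDecodeError:
        return True


def decode_lossy(data: bytes) -> str:
    """The 'silent corruption' behaviour: garbage becomes U+FFFD and the
    original byte value is gone for good."""
    return data.decode("utf-8", "replace")


def decode_utf8b(data: bytes) -> str:
    """UTF-8B style: garbage bytes survive as lone surrogates."""
    return data.decode("utf-8", "surrogateescape")


def encode_utf8b(text: str) -> bytes:
    """Inverse of decode_utf8b: lone surrogates turn back into raw bytes."""
    return text.encode("utf-8", "surrogateescape")


def escaped_bytes(text: str) -> list:
    """Recover the raw byte values that were escaped during decoding."""
    return [ord(c) - 0xDC00 for c in text if 0xDC80 <= ord(c) <= 0xDCFF]


def contains_garbage(text: str) -> bool:
    """The escaped code points are undefined on purpose: a strict encoder
    refuses them, so garbage cannot be laundered into 'valid' UTF-8 output."""
    try:
        text.encode("utf-8")
        return False
    except UnicodeEncodeError:
        return True


def roundtrips(data: bytes) -> bool:
    """8-bit clean: decode then encode gives back exactly the input bytes."""
    return encode_utf8b(decode_utf8b(data)) == data


def roundtrips_lossy(data: bytes) -> bool:
    """For contrast: the 'replace' path does not round-trip."""
    return decode_lossy(data).encode("utf-8") == data


if __name__ == "__main__":
    text = decode_utf8b(SAMPLE)
    print("strict decode raises:     ", strict_fails(SAMPLE))
    print("replace decode:           ", repr(decode_lossy(SAMPLE)))
    print("surrogateescape decode:   ", repr(text))
    print("escaped byte values:      ", [hex(b) for b in escaped_bytes(text)])
    print("round-trips losslessly:   ", roundtrips(SAMPLE))
    print("lossy path round-trips:   ", roundtrips_lossy(SAMPLE))
    print("garbage still detectable: ", contains_garbage(text))
```

The round trip only holds when both sides use the same handler, and the lone surrogates must stay inside the program: handing them to a strict sink raises, which is the desired property, since the failure happens loudly at the boundary instead of the bytes being quietly rewritten in the middle of a pipeline.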

2
gnuvince 20 hours ago 2 replies      
As a French-speaking person, I cannot tell you how much the announcement[0] that after 5.8, basic utilities, including mg(1), will be UTF-8 ready pleases me. I'm a huge Emacs fan, but I like to use mg(1) for quick edits and this is very exciting news for me!

[0] http://undeadly.org/cgi?action=article&sid=20150722182236

3
fletchowns 21 hours ago 10 replies      
I dream of a world where everything is UTC, UTF-8, and metric.
4
Animats 21 hours ago 3 replies      
How does locale work on the keyboard side, then? What determines whether text entry is right to left or left to right?
5
jlarocco 21 hours ago 0 replies      
Heh, I initially read it as "improves", and was wondering why they'd bother. Removing it is surprising, but makes sense.
The Bail Trap nytimes.com
185 points by japhyr  1 day ago   200 comments top 21
1
bail-throw-away 1 day ago 7 replies      
OK - so I just had two experiences with a bay area law enforcement agency, and I am beside myself with disgust and anger:

I was accused of doing something I did not. I was taken to jail and they held me on bail - and set my court date for about three weeks from the time I was booked, but an arraignment in about 5 days.

I had just accepted a new job - but still had a week on my current.

I HAD to post bail (and I didn't really have the money for it) so I had to get a bail bond, so I could get out and go to work!! This cost me $3,000 out of pocket.

So I did, and then went to my arraignment: Guess what "no charges filed and case rejected for lack of any evidence at all"

But now - I am out $3,000 and I have an arrest on my record for something that was simply a false accusation! Further, while I was in jail overnight, the guards and police are absolute douchebags. They treat EVERYONE like crap.

I now hate all cops. ALL of them.

2
xacaxulu 1 day ago 3 replies      
If you've ever dealt with police in other countries (I have everywhere from France to Zimbabwe), the interactions are amazingly more peaceful. As a former US Marine (Afghanistan and Iraq), the hyper-vigilant police mentality I see more and more scares the heck out of me. It's no secret that it's getting worse, and coupled with a racket like "The Bail Trap", prison industry based products and one of the highest incarceration rates in the world, things are looking very sad here in the US. I'm sure it's not perfect anywhere, but we are way off base with our justice system. When you have to have a dash cam or a hidden cam/mic on you to prove you didn't do anything, that's pretty sad.
3
mindslight 1 day ago 2 replies      
The only real solution to this is to stop externalizing the cost of false positives onto the victims.

Kidnap someone and put them in a cage for a month so they lose their salary, job, apartment etc? That adds up to an awful lot of easily demonstrable financial damage that the justice system is directly responsible for. Only when false arrests and prosecution start directly impacting these organizations' budgets will they possibly care about the harm they do.

4
conover 1 day ago 3 replies      
It's unclear to me how these situations are not a violation of the Eighth Amendment.

United States v. Salerno: "the government's proposed conditions of release or detention not be 'excessive' in light of the perceived evil."

Stack v. Boyle: "excessive" is "a figure higher than is reasonably calculated" to ensure appearance

I guess it's easy to beat up people who don't have the means to defend themselves. Someone should start an Occupy Justice movement and have everyone request jury trials to cause a system crash.

5
tyingq 1 day ago 2 replies      
The US prison/jail vendor ecosystem is a trap as well.

The phone system is a good example. Inmates have some scheduled time where they can make phone calls, provided someone on the outside has funded an account.

You, of course, expect it to be a little more expensive than normal phone service.

However, here's the reality.

You deposit $25, then:

- $7 service fee for the credit card processing
- $4.50 for the first minute of every call
- then $2.50 a minute for any subsequent minute

So, yes, a 2 minute phone call, within the same state, costs the family $14.

These are real numbers, from one of the big vendors in the space...Global Tel Link. Source: I have a relative that was in jail...this is what I had to pay.

Here's an older article on the subject: http://www.prisonpolicy.org/phones/pleasedeposit.html

6
gtCameron 1 day ago 0 replies      
John Oliver also did a great segment on this issue: https://www.youtube.com/watch?v=IS5mwymTIJU
7
craigds 1 day ago 2 replies      
This kind of nonsense is why as a tourist, I would think very carefully before ever going to the US, and have little desire to.

Based on what I know about the place, I'd feel uneasy the whole time I was there, as though I could be arrested at any moment just for crossing the road the wrong way.

One time I took my Irish passport instead of my NZ one by mistake when entering Australia, and I was subjected to dog sniffs and minor harassment by the border control staff, which made me very uncomfortable. From what I understand that's nothing compared to what you can expect as a foreigner entering the US.

Do other non-Americans feel this way or is it just me? I can't imagine this situation does wonders for American tourism or business.

FWIW my experience of police (in both NZ and in Germany) has been that they're always very pleasant to deal with.

8
rsp1984 1 day ago 1 reply      
Besides the questionable bail system, what I really don't get is why there's jail time on minor drug possession delicts.

One can debate about the war-on-drugs (I think it's failed) but even if society thinks drugs are a bad thing and worth fighting against, it's the dealers that should go to jail, not the people who use drugs. 30 days for holding a straw that might contain some heroin, really? Something is obviously very very broken here.

9
tsotha 1 day ago 0 replies      
There are a lot of things to cringe about in this story, but bail isn't one of them. The article says so-and-so was held in jail because he couldn't pay bail, but that's not really accurate. The guy is held because he was arrested. Bail is an out you get until the trial if you can convince the judge you're gonna show up for the trial.

IMO there are two real problems with the story about the "main character". First, the DA comes to the judge with a case against a guy charged with possessing a straw. The judge should have thrown it out and said "come back when you have evidence of a crime".

Second, we have the means to protect inmates from each other. There's no reason for a three week stay to mean a busted up face. Jail should be boring, but safe, and the state should be liable for every rape or assault that happens inside.

10
yason 1 day ago 0 replies      
I'm somehow always a bit worried when travelling to the US and reading these stories just makes it worse. I don't know what the risk for a visitor is in reality. These cases seem to happen out of nowhere. I don't have any reason to be arrested, really, and I'll probably be fine absolutely most of the time but if something should happen and I happened to be around I'm, as a foreigner, in a very weak position to understand what's going on.

I should probably read a couple of books on the US legal system and how things work there, but the need for doing so would usually arise from having to travel to some totalitarian developing country. In certain countries, you should expect to have some money as it might be customary to bribe the police officer or other officials, but once that's settled things generally unfold fine from there. It seems that in the US, you should expect to have lots of money as it might be customary to bribe the court, yet things can generally get quite uncertain from there, based on what I've read. It's hard to evaluate the risk, though: the probability is rather low but the impact can be devastating.

I get the feeling that if only you're a "regular Joe", ideally white (or fit in the "good" ethnicity of your city), you don't stand out of others, and you have money, you're likely to be fine. The further you deviate from that the more unpredictable things can get.

11
russnewcomer 1 day ago 3 replies      
In reading the article, part of the conclusion that I came to is not that cash bail is inherently broken and unfixable, but the sense of scale by the people setting bail is. To a lower-income person with minimal savings and unpredictable income (like most of the subjects of the article), an unplanned $500 expense like bail is potentially crushing, whereas to a higher-income person with decent savings and regular predictable income (like the judges), an unplanned $500 expense is annoying but not catastrophic.

Restructure the law so that bail cannot be easily set over $100 for non-violent misdemeanors, and that 100% of the bail is returned to the person posting it for amounts under $1000, and NYC (of which I am not a resident) will be well on its way to solving the current problems of the bail system, and then have a whole new host of problems with the new system to solve in 50 years once all of its weaknesses are exploited.

[edit] corrected improper use of bailbond to bail

12
rectang 1 day ago 3 replies      
> Without bail and the quick guilty pleas
> that it produces courts would come under
> significant strain. "The system would shut
> down," Goldberg says.
It doesn't cost much to bail out some poor people. Seems like a great opportunity to screw with an unjust system!

13
CPLX 1 day ago 0 replies      
There is a four word solution that would wipe out a massive, massive percentage of this problem: End the drug war
14
mcantelon 1 day ago 1 reply      
There seem to be a lot of NGOs opposed to cops, the prison industrial complex, etc. but AFAIK there's none that will provide bail aid, which would likely make more of an impact than anything.
15
codecamper 1 day ago 3 replies      
Maybe technology could help this situation?

It sounds like a big part of the problem is too many arrests for things without enough evidence.

Wouldn't everyone benefit from better logs & statistical analysis? If a certain police officer had a 15% conviction rate, and he actually liked his job, then he'd be sure next time to be more sure about his arrests. Such a tool could track recent trends as well.

Also, it sounds like there needs to be a system (email??) to contact employers. All employers required to have an official address and courts are required to contact it with current case status.

Anyone else have ideas about how tech could help the situation?

16
eevilspock 1 day ago 2 replies      
I wish HN was more inclined to vote up articles like this and figure out how the tech community can effect change. Most of us will never be subject to this injustice, so it is ever so easy to avert our eyes and focus on topics such as Apple's Products are Getting Harder to Use and the 1983 version of Unix System V Release 1 Programming Guide, both of which are ranked higher and have more comments despite being posted 9 hours earlier.
17
abarrettjo 1 day ago 0 replies      
The same author writes on this topic/related issues somewhat frequently. Here's one on the origins of the police force itself: http://www.nytimes.com/2015/01/18/magazine/the-point-of-orde...
18
tedks 1 day ago 2 replies      
"""Tomlin broke off to go inside the store and buy a soda. The clerk wrapped it in a paper bag and handed him a straw. Back outside, as the conversation wound down, one of the officers called the men over. He asked one of Tomlin's friends if he was carrying anything he shouldn't; he frisked him. Then he turned to Tomlin, who was holding his bagged soda and straw. He thought it was a beer, Tomlin guesses. He opens the bag up, it was a soda. He says, What you got in the other hand? I says, I got a straw that I'm about to use for the soda. The officer asked Tomlin if he had anything on him that he shouldn't. I says, No, you can check me, I don't have nothing on me. He checks me. He's going all through my socks and everything. The next thing Tomlin knew, he says, he was getting handcuffed. I said, Officer, what am I getting locked up for? He says, Drug paraphernalia. I says, Drug paraphernalia? He opens up his hand and shows me the straw."""

This isn't even the main point of the article but I think it speaks volumes on its own.

19
gohrt 1 day ago 1 reply      
The average person's more powerful weapon against police misconduct is Jury Nullification. Refuse to convict defendants until the police start obeying the law.

https://en.wikipedia.org/wiki/Jury_nullification

20
graycat 1 day ago 0 replies      
I'm not a lawyer but I am a US citizen.

To me, the police, prosecutors, and judges in the OP are, really, just out to attack the poor people, just attack them like wild, mad, rabid dogs, attack them for no good reason, just declare war on them, out of hate, arrogance, self-exalted ego, like thugs that just like to beat up on people.

Let's see:

"Amendment VI

In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the Assistance of Counsel for his defense.

Amendment VII

In Suits at common law, where the value in controversy shall exceed twenty dollars, the right of trial by jury shall be preserved, and no fact tried by a jury, shall be otherwise re-examined in any Court of the United States, than according to the rules of the common law.

Amendment VIII

Excessive bail shall not be required, nor excessive fines imposed, nor cruel and unusual punishments inflicted."

So, the OP violated:

"Amendment VI

In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, ..."

The trials are not "speedy". Any judge who has any respect for the Constitution and is not out just to act like a wild, mad, rabid dog out to declare war on the poor people should immediately dismiss any case without a "speedy trial".

So, the OP violated:

"Amendment VII

In Suits at common law, where the value in controversy shall exceed twenty dollars, the right of trial by jury shall be preserved, ..."

The "right of trial by jury" was not "preserved". Instead, the delays in the system and the excessive bail canceled that right.

So, the OP violated:

"Amendment VIII

Excessive bail shall not be required, nor excessive fines imposed, nor cruel and unusual punishments inflicted."

The bail was deliberately excessive and the jail situation "inflicted" "cruel and unusual punishments" as a means to coerce a guilty plea without a trial.

In addition, from

"The rest of the file contained Tomlin's criminal history, which included 41 convictions, ..."

the system clearly convicts and punishes the defendants based not on the crime they are accused of but often just on the record of crimes of the past, crimes for which they have "paid their debt to society", that is, multiple jeopardy.

In addition, it is now essentially illegal to carry more than, say, a few hundred dollars in cash. Seeing such cash, it is common for the police just to confiscate it, in wild violation of

"Amendment V

... nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation."

So, from the OP:

"The documentation submitted by the arresting officer explained that his training and experience told him that plastic straws are 'a commonly used method of packaging heroin residue.'"

That's essentially the same as saying that "his training and experience told him that" commonly criminals breathe and that he observed the defendant breathing so arrested him.

The judge should have laughed the police officer out of the court room and asked the public defender to file charges of false arrest against the officer and bringing a nonsense legal case against the prosecutor. Instead, the judge just went along with wild, mad, rabid dog attack on the citizen.

No, clearly, actually his training and experience told him that the defendant was poor so should be viciously attacked with the intention of ruining his life -- the excuse was that he had in one hand a bottle of soft drink and in the other hand a soda straw.

Here the police, prosecutors, and judges are just declaring war on a large fraction of US citizens -- just war, no cause, no reason, wildly illegal and unconstitutional, very dirty business.

The whole system is wildly in conflict with the Constitution. If the US legal system had any honest functionality at all, then any lawyer should be able to make a motion that would shut down the whole situation coast to coast in an hour.

21
danielweber 1 day ago 4 replies      
A colleague had his ex file for child support, putting him suddenly thousands of dollars in the hole (it was backdated to when they separated, not when she asked for support) because he's not from a socioeconomic class that keeps thousands of dollars hanging around.

That left him unable to renew his driver's license, drastically impacting his ability to get work and pay child support.

He now, for unrelated reasons, has full custody of his kids. But he still can't get a driver's license to get a job to support his kids because he's still behind on that child support. For the kids he has in his house.

He deserves some responsibility for this, but it's like the system wants him to fail and fail hard.

Russian antivirus firm faked malware to harm rivals, say ex-employees reuters.com
183 points by uptown  1 day ago   96 comments top 23
1
Rudism 20 hours ago 3 replies      
I'd find this very surprising, if true. When I worked for a company that was essentially developing malware, we were able to get ourselves whitelisted by most anti-virus software (either by going through an automated submission process, or outright bribery). The only one who wouldn't budge on principle, no matter what we offered, was Kaspersky. All the others either auto-whitelisted us when we asked or after we paid them. I gained a lot of respect for Kaspersky for that (and lost a lot of respect for the majority of their competitors).
2
yetihehe 23 hours ago 3 replies      
The whole article sounds funny.

"VirusTotal had no immediate comment."

"[...], Kaspersky denied using this technique. It said it too had been a victim of such an attack in November 2012, when an "unknown third party" manipulated Kaspersky into misclassifying files [...]"

"The former Kaspersky employees said Microsoft was one of the rivals [...] They declined to give a detailed account of any specific attack."

"In a subsequent interview on Wednesday, Batchelder declined to comment on any role Kaspersky may have played in the 2013 printer code problems or any other attacks. Reuters has no evidence linking Kaspersky to the printer code attack."

"Avast Chief Operating Officer Ondrej Vlcek told Reuters in April that he suspected the offenders were well-equipped malware writers and "wanted to have some fun" at the industry's expense. He did not respond to a request on Thursday for comment on the allegation that Kaspersky had induced false positives."

So, no one says it's Kaspersky, someone called "former employees" says it was, but can't provide any example...

3
dbhattar 1 day ago 3 replies      
We have started seeing a lot of bad publicity and innuendos targeted toward Kaspersky after they uncovered and published about a hacking attack against their infrastructure in the recent past. Feels suspicious to me, especially with comments attributed to 'former employees'.
4
davidu 21 hours ago 0 replies      
I know this is just my $0.02, which I generally avoid... but:

I would be very skeptical of this entire article, having worked with researchers from Kaspersky for many years. They are terrific partners and care deeply about infosec.

Also, Kaspersky has been known in the past, which they have disclosed, for planting red herrings in malware archives, because they accused (and were right) other vendors of just looking at what Kaspersky blocks and just automatically copying it, without actually doing AV research. That's not what they are being accused of here...

Finally, Joseph is a great journalist, but this article stinks in terms of providing actual evidence.

5
ogurechny 5 hours ago 0 replies      
There's a link to Kaspersky's forum post from 2012 floating on the net: http://www.anti-malware.ru/forum/index.php?showtopic=24588&p...

(Web Archive shows this topic existed in 2012; it was initially about Avast breaking Windows by blocking tcpip.sys but quite soon turned into a flame war about shitty free antiviruses, their lack of an analytics team, and pirated software.)

He explains it had been done a couple of years back to demonstrate the problem to Computer Bild journalists. A number of executable files with funny code that could not do any actual harm were made and 50% of them were added to Kaspersky's detection list under distinctive names. Then they all were shared on VirusTotal (and thus with other vendors). Surprisingly enough, only those viruses that triggered Kaspersky Antivirus on VirusTotal started spreading through others' databases, often with the same name. Still, there was no article written on that for some reason. These results were later presented to analytics and investors visiting Kaspersky's conference (Security Analyst Summit 2012).

So what's left is to ask Computer Bild if they participated in something like that test and/or someone who was at that conference.

6
Romkinson 19 hours ago 0 replies      
Ex-employee here. I keep seeing articles like this one consistently getting published, like every 4 months, by various media. It's funny to see how many times the crowd can buy the same story accusing Kaspersky of such activity. Now you, Reuters.
7
acd 21 hours ago 0 replies      
This would explain incidents of other antivirus software deleting system files. I remember this happening in the past and it now makes more sense.

"Avira Antivirus update cripples millions of Windows PCs ..."
"Broken McAfee DAT update cripples Windows workstations"
"Update gone wrong. Panda antivirus removing system files ..."
"Bad BitDefender Antivirus Update Hobbles Windows PCs ..."

Kaspersky Labs has defended against US government malware so they might also get into trouble for that.

8
ablation 23 hours ago 0 replies      
This whole article feels very, very shaky to me. I'm no Kaspersky fan but nothing about this feels very convincing.
9
kazinator 18 hours ago 1 reply      
This seems like fair game, and it benefits the consumer by keeping the anti-virus people on their toes.

Kaspersky has demonstrated a weakness: that the firms copy each other's data and blindly trust each other as well as the initial submissions. They have a submission process for infected files which can be demonstrably abused to inject false positives.

Also this:

> Then, when competitors ran this doctored file through their virus detection engines, the file would be flagged as potentially malicious. If the doctored file looked close enough to the original, Kaspersky could fool rival companies into thinking the clean file was problematic as well.

What?? Infected files are always similar to clean files. An infected MS Word 2010 still looks mostly like MS Word 2010 and is even usable as such. Knowing clean from infected is the bread and butter of anti-virus. They are supposed to take doctored files, and register them as malicious, while recognizing clean ones as clean. If similarity between dirty and clean files causes a false positive, you would think that this is a fundamental problem. It shows they are using some weak heuristics to guess that files are clean instead of, say, strong checksums. They are guessing whether that DLL belonging to MS Word 2010 is clean or not because they have no idea what clean looks like, and Kaspersky has shown that they can be induced to guess wrong.

A proper implementation would detect so much as a single bit difference between a clean file and an altered one. Rather, they must be working off the assumption that there is some minimum difference between a viable infection and the clean file. In keeping with this, there is a database of the known dirty files only, and not of the clean reference files. Anything close to the dirty example within some small "edit distance" is just a variation on dirty and is declared dirty. Anything distant is either a different, unknown form of dirty, or clean. Either way it is declared clean. If that's how things work in an AV program, it has a weakness. Competitors should be merciless in identifying and exposing that weakness, because that's good for the consumer in the end.

10
thescrewdriver 23 hours ago 1 reply      
Why does the article title lead with the nationality of the company?
11
r721 23 hours ago 1 reply      
>In one technique, Kaspersky's engineers would take an important piece of software commonly found in PCs and inject bad code into it so that the file looked like it was infected, the ex-employees said. They would send the doctored file anonymously to VirusTotal.

>Then, when competitors ran this doctored file through their virus detection engines, the file would be flagged as potentially malicious. If the doctored file looked close enough to the original, Kaspersky could fool rival companies into thinking the clean file was problematic as well.

I don't quite understand - what about hashes? VirusTotal doesn't work as they say it works.
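A toy model of the point kazinator and r721 make above (an added example, not code from Kaspersky, VirusTotal, the article or any vendor; all sample data is constructed): a detector that stores only dirty references and calls near-matches "variants" flags the untouched clean file once a doctored copy has been ingested, while an exact-hash allowlist consulted first does not, and even a single flipped bit changes the hash.

```python
"""Toy model of false-positive poisoning via a doctored near-copy of a clean file.
Added example; not vendor or VirusTotal code. Everything below is constructed."""
import hashlib

# --- constructed sample data (not a real binary) ---
CLEAN_FILE = bytes(range(256)) * 4            # 1 KiB stand-in for a widely deployed clean file
PATCH_OFFSET, PATCH = 512, b"\xaa\x55" * 8    # 16 bytes the submitter "injects"
SIMILARITY_THRESHOLD = 0.8                    # "close enough" cut-off of the toy detector


def doctor(data: bytes, offset: int, patch: bytes) -> bytes:
    """Copy of data with patch overwritten at offset: the file that gets submitted."""
    return data[:offset] + patch + data[offset + len(patch):]


DOCTORED_FILE = doctor(CLEAN_FILE, PATCH_OFFSET, PATCH)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Copy of data with one bit toggled (the 'single bit difference' case)."""
    byte_index, bit = divmod(bit_index, 8)
    patched = bytes([data[byte_index] ^ (1 << bit)])
    return data[:byte_index] + patched + data[byte_index + 1:]


def byte_ngrams(data: bytes, n: int = 4) -> set:
    """Set of n-byte windows; a crude stand-in for fuzzy/heuristic features."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: set, b: set) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def max_similarity(sample: bytes, known_bad: list) -> float:
    """Highest similarity between sample and any known-bad reference."""
    grams = byte_ngrams(sample)
    return max((jaccard(grams, byte_ngrams(bad)) for bad in known_bad), default=0.0)


def verdict_similarity_only(sample: bytes, known_bad: list) -> str:
    """A vendor that keeps only dirty references and treats near-matches as variants."""
    return "malicious" if max_similarity(sample, known_bad) >= SIMILARITY_THRESHOLD else "clean"


def verdict_with_allowlist(sample: bytes, known_bad: list, clean_hashes: set) -> str:
    """Exact-hash allowlist consulted first: a known-clean file is never a 'variant'."""
    if sha256_hex(sample) in clean_hashes:
        return "clean"
    return verdict_similarity_only(sample, known_bad)


def poisoning_scenario() -> dict:
    """The doctored file is accepted as a bad reference (copied from a shared sample feed),
    then the untouched clean file is scanned by both detector styles."""
    known_bad = [DOCTORED_FILE]
    clean_hashes = {sha256_hex(CLEAN_FILE)}      # vendor-maintained known-good set
    return {
        "hash_differs": sha256_hex(CLEAN_FILE) != sha256_hex(DOCTORED_FILE),
        "one_bit_flip_differs": sha256_hex(CLEAN_FILE) != sha256_hex(flip_bit(CLEAN_FILE, 0)),
        "clean_vs_doctored_similarity": round(max_similarity(CLEAN_FILE, known_bad), 3),
        "clean_file_similarity_only": verdict_similarity_only(CLEAN_FILE, known_bad),
        "clean_file_with_allowlist": verdict_with_allowlist(CLEAN_FILE, known_bad, clean_hashes),
        "doctored_file_with_allowlist": verdict_with_allowlist(DOCTORED_FILE, known_bad, clean_hashes),
    }


if __name__ == "__main__":
    for key, value in poisoning_scenario().items():
        print(f"{key}: {value}")
```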

12
theworstshill 22 hours ago 3 replies      
Someone wants to push people off Kaspersky. Counter-intuitive as it is, everyone in the west should use eastern (Russian/Chinese) anti-viruses and OS, and vice versa. That way, it'll be harder for each government to abuse and spy on their own citizens since I doubt Kaspersky entertains any request from foreign govs.
13
mc32 1 day ago 1 reply      
I can see if rivals were 'aping' their software, whatever that means, that Eug might get angry. It's another thing to engage in this kind of retaliatory behavior because not only can it lead to data loss for users caught in this juvenile dispute but raises other grave questions about what else they might engage in.

Most worrisome is what other unscrupulous behavior is he willing to engage in? Is he willing to do the bidding of the motherland at the expense of the trust customers put into the product?

14
huhtenberg 1 day ago 1 reply      
Ethics aside, that's pretty neat actually. That's like ordering a linkfarm SEO package as a Xmas gift for your competitors :)
15
andrei_c 19 hours ago 0 replies      
I believe it. We supported several shareware products during the period described in the article and most of our sharewares were at some point tagged as malware by antivirus programs - Norton Antivirus, most notably, but never by Kaspersky.

The signatures that triggered it were in 3rd party installer code that we used. If you think of it, it is a perfect attack method, as by targeting a shared installer many products were made false positives with little effort.

16
LorenPechtel 21 hours ago 3 replies      
It seems to me that the only people harmed by this were those who were aping Kaspersky instead of doing their own research. How is this different than mapmakers putting irrelevant bogus things on their maps to detect who copied their maps?
17
gweinberg 22 hours ago 0 replies      
It would seem to me that an antivirus software company should guard pretty heavily against this kind of attack, since if it works anyone could sabotage a rival by anonymously submitting doctored versions of their software.
18
ZanyProgrammer 1 day ago 0 replies      
In addition, it ruins the reputation of Windows and PCs in general, and just makes lives miserable for (at an absolute minimum) less tech savvy users.
19
ild 18 hours ago 0 replies      
So the annoying PCMatic ads were right???
20
yellowapple 19 hours ago 0 replies      
The current title is misleading, and should be rephrased as "Russian antivirus firm accused of faking malware to harm rivals" (or, better yet, "Kaspersky accused of faking malware to harm rivals"). There's absolutely zero actual evidence or examples in the article of Kaspersky doing anything, and the article title in its current form reeks of sensationalism and click-baitiness.

Perhaps a mod should step in and cleanup the title a bit? I realize it's technically the original, but it's still misleading.

21
pppp 23 hours ago 2 replies      
Title is inaccurate - the important part at the end was cut off: "- Ex-employees"

Accusation is presented as fact.

This would be a better title: "Russian antivirus firm faked malware to harm rivals - say ex-employees"

22
rebootthesystem 16 hours ago 2 replies      
23
JanSolo 1 day ago 3 replies      
One trillion edges: graph processing at Facebook scale [pdf] vldb.org
195 points by mrry  2 days ago   25 comments top 4
1
Smerity 2 days ago 1 reply      
If anyone is interested in graph processing at scale, the largest Web Data Commons Hyperlink Graph[1] (created from Common Crawl[2] data) is 3.5 billion web pages and 128 billion hyperlinks. To my knowledge, it's the largest freely available real world based graph dataset.

Numerous graph systems have been made that can scale to this data, frequently on just a single powerful node, including FlashGraph[3] (using SSDs for high), Frank McSherry's single laptop Rust implementation[4], and Dato's GraphLab Create[5].

As Frank McSherry points out at [6], there's a lot of room to improve state of the art in graph computation systems, especially as the current academic evaluations are broken.

(where "broken" means that a single threaded graph system written in Rust on a laptop can beat the benchmarks created by a cluster of high performance machines)

[1]: http://webdatacommons.org/hyperlinkgraph/

[2]: http://commoncrawl.org/

[3]: https://github.com/icoming/FlashGraph

[4]: http://www.frankmcsherry.org/graph/scalability/cost/2015/02/...

[5]: https://twitter.com/CommonCrawl/status/623615774909857792

[6]: http://blog.commoncrawl.org/2015/04/evaluating-graph-computa...

2
Xyik 1 day ago 0 replies      
I thought Facebook was located at 1 Hacker Way not Hacker Lane
3
anotherangrydev 2 days ago 3 replies      
4
logicrime 2 days ago 3 replies      
DEFCON 23 Badge Challenge potatohatsecurity.tumblr.com
240 points by zioto  22 hours ago   40 comments top 14
1
InAnEmergency 9 hours ago 0 replies      
This doesn't even mention there was an entire newspaper filled with misdirection (Themela, Enigma machines, Mad Hatter, They Live, chromosomes...) or the Shavian text on the badges (all quotes from Buckaroo Banzai I believe). 1o57 even wore a Buckaroo Banzai shirt...gah.

Edit: Also, "Howdaddyisdoing" is an anagram for "Why did I add goons" which seemed very suggestive.

2
knodi123 18 hours ago 1 reply      
Wow, it just kept going and going. I've done scavenger hunts like this, but easier and short, and I still didn't finish before declaring myself too exhausted to continue.

I wonder what the reason was for not giving the message found on the wooden skull?

3
k8tte 5 hours ago 2 replies      
I'm confused by the "WFST HDXE HGY BNK BAWH QJG PSOR WNFATG IDDW OQUHVNKINGCY GQG CTUK." Vigenère cipher.

If decoded with "LASTORY", I get "lfaatmzthofnwmqaeocsieswyiwhptoppmydqcohwmxnojkpsvcbbw."

How did they come up with "WELL DONE GET THE BLUE KEY PASS PHRASE FROM OPPENHEIMERS BIG BANG."?

http://www.cs.du.edu/~snarayan/crypt/vigenere.html
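The strings quoted in this comment can be checked mechanically. The following is an added example (not code from the write-up or the commenter) that assumes standard Vigenère, A=0 through Z=25, plaintext = (cipher - key) mod 26, with key letters consumed by letters only; it reproduces the LASTORY decode and recovers the keystream that the claimed plaintext would require.

```python
"""Vigenere checks for the badge-challenge strings quoted in the comment above.
Added example; assumes plain Vigenere with spaces/punctuation passed through."""
import string

ALPHA = string.ascii_uppercase

# Strings exactly as quoted in the comment.
CIPHERTEXT = "WFST HDXE HGY BNK BAWH QJG PSOR WNFATG IDDW OQUHVNKINGCY GQG CTUK."
CLAIMED_PLAINTEXT = "WELL DONE GET THE BLUE KEY PASS PHRASE FROM OPPENHEIMERS BIG BANG."
COMMENTER_KEY = "LASTORY"


def letters_only(text: str) -> str:
    """Upper-case letters of text, everything else dropped."""
    return "".join(ch for ch in text.upper() if ch in ALPHA)


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Standard Vigenere decryption; non-letters are copied through and do not
    advance the key position."""
    key_shifts = [ALPHA.index(k) for k in letters_only(key)]
    out, pos = [], 0
    for ch in ciphertext.upper():
        if ch in ALPHA:
            shift = key_shifts[pos % len(key_shifts)]
            out.append(ALPHA[(ALPHA.index(ch) - shift) % 26])
            pos += 1
        else:
            out.append(ch)
    return "".join(out)


def recover_keystream(ciphertext: str, plaintext: str) -> str:
    """Given a crib, the key letter at each position is (cipher - plain) mod 26.
    Works for any additive (Vigenere-style) cipher, periodic or not."""
    c, p = letters_only(ciphertext), letters_only(plaintext)
    if len(c) != len(p):
        raise ValueError("crib and ciphertext must have the same number of letters")
    return "".join(ALPHA[(ALPHA.index(x) - ALPHA.index(y)) % 26] for x, y in zip(c, p))


def is_repeating_key(keystream: str, key: str) -> bool:
    """True if keystream is exactly key repeated (plain periodic Vigenere)."""
    key = letters_only(key)
    return all(keystream[i] == key[i % len(key)] for i in range(len(keystream)))


def report() -> dict:
    """Reproduce the commenter's result and test the claimed plaintext against LASTORY."""
    decoded = letters_only(vigenere_decrypt(CIPHERTEXT, COMMENTER_KEY))
    keystream = recover_keystream(CIPHERTEXT, CLAIMED_PLAINTEXT)
    return {
        "decoded_with_lastory": decoded.lower(),
        "keystream_for_claimed_plaintext": keystream,
        "claimed_plaintext_fits_lastory": is_repeating_key(keystream, COMMENTER_KEY),
        # letters at positions 0, 7, 14, ... of the recovered keystream
        "every_seventh_key_letter": "".join(keystream[i] for i in range(0, len(keystream), 7)),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

The recovered keystream is not LASTORY repeating (so the claimed plaintext does not come from plain Vigenère with that key), though it does return to A every seventh letter, so a period-7 component is still present.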

4
ChuckMcM 15 hours ago 1 reply      
That sounds crazy fun. I am in awe both of your tracking down the solution and the work 1o57 put into setting it up!
5
joshuapants 17 hours ago 1 reply      
Windows XP? Curious to know if there's a hackery reason behind that or just personal preference.
6
davmar 16 hours ago 0 replies      
That's just crazy. Totally wild. Well done solving all those challenges! Great storytelling in your blog too.
7
poizan42 18 hours ago 3 replies      
He lost me at "room keys". WTH are those? I didn't get a DEF CON room key.
8
amingilani 18 hours ago 1 reply      
Hahaha, I had so much fun reading along. One day I'll solve the badge challenge before you guys, and post something similar. One day. Until then, I'll just work to the point where I can afford to hit a Defcon :D

Thanks for posting this!

9
spydum 13 hours ago 0 replies      
This looks awesome, one day I will need to attend just to participate in these challenges! Side question: Why are there two step_11's?
10
stephendicato 14 hours ago 2 replies      
Congratulations!

I'm always curious; what drives you to do these challenges? Is it the competition? The collaboration? The general enjoyment of solving puzzles?

11
ProAm 17 hours ago 1 reply      
How long did this take you to solve? Impressive for sure.
12
izqui 17 hours ago 0 replies      
This is so crazy. Congrats.
13
tanglesome 17 hours ago 0 replies      
My head hurts! Well done!
14
astockwell 18 hours ago 0 replies      
Off topic: anyone seen any write-ups of the various CTFs?
Tesla Announces $500M Common Stock Offering teslamotors.com
187 points by cpwright  2 days ago   152 comments top 12
1
_xander 2 days ago 2 replies      
This is a timely announcement following chatter about Tesla's cash flow problems[1][2].

[1] http://www.scmp.com/business/companies/article/1846965/tesla...

[2] Flagged HN thread from 3 days ago: https://news.ycombinator.com/item?id=10030101

2
noipv4 2 days ago 4 replies      
They just mass emailed Model S customers to reduce Super Charging.

https://i.imgur.com/ruKYVHF.png

http://www.teslamotorsclub.com/showthread.php/51482-Supercha...

3
jonknee 2 days ago 2 replies      
These sort of things can spook investors, but Elon purchased $20M of the offering himself as a show of good faith. That's a big insider buy! TSLA is currently trading up 2.5% so apparently it was also quite a convincing play.
4
blacktulip 2 days ago 6 replies      
I am not too familiar with financing stuff. So is this a dilution? Does it mean that current shares will be devalued?
5
dtparr 2 days ago 1 reply      
So how do secondary offerings work, practically speaking? They've named the amount they want to raise, not a number of shares. So do they wait until trading closes one day, issue how many shares they need to make that work out to $500M and then sell it to people who've "registered" to purchase $X of it? And then when the market starts the next day there's just an extra $500M in market cap but all the shares trade similarly?
6
cpplinuxdude 2 days ago 5 replies      
I feel like buying some stock in Tesla to make a contribution toward our future, not in the hopes of making money.

If these shares make money, that will be a bonus.

7
IBM 2 days ago 5 replies      
Frankly Tesla would be stupid not to issue as much stock as possible when it's trading far above its intrinsic value.
8
tdees40 2 days ago 8 replies      
So here's a thought. If I have lots of businesses with a high chance of failure, and I bring them under one roof, any one business is more likely to destroy my entire company. So if I have two high-risk businesses (electric cars and energy storage), having both in the same company greatly increases the total company's chance of insolvency and failure.

On a higher level, I LOVE Elon Musk, but what made Steve Jobs so great is that he could innovate like crazy and make gobs of cash. Right now, Elon is innovating, but his companies are really struggling to even sniff profitability.

9
_pmf_ 2 days ago 1 reply      
Any decent OEM can currently buy Tesla with spare change. It's criminally undervalued.
10
cwt137 2 days ago 2 replies      
11
crimsonalucard 2 days ago 0 replies      
Anybody have an opinion on Tesla stock? Are they overvalued or undervalued? How are their fundamentals?
12
loceng 2 days ago 1 reply      
FreeBSD 10.2 freebsd.org
188 points by forkandwait  1 day ago   50 comments top 8
1
asymmetric 1 day ago 1 reply      
I'll state the obvious, but coming from Linux it's impressive and at the same time weird to look at a full OS's changelog.
2
gergles 1 day ago 2 replies      
What about this change from 'latest' to 'quarterly' with no good way to change that for pkg? I don't want to only get new packages 4 times a year. Is that what's going to happen?

It also feels like the documentation around doing things like pinning you could do in apt is lacking; if there are some packages I can say "retrieve these packages from latest" then I'd be more okay with everything else only updating 4x a year.

3
zxcvcxz 1 day ago 2 replies      
Is there an easy way to install a FreeBSD container on a Linux system?

For example, I can do

 # debootstrap --arch=amd64 unstable ~/debian-tree/
 # systemd-nspawn -D ~/debian-tree/

And be in a debian container. Is there a simple way to get a FreeBSD container?

4
protomyth 18 hours ago 0 replies      
Did the upgrade, and it seemed to go ok, but now the pw command is really slow (around 1 minute to complete). This might be a bit of fun figuring out.
5
bleomycin 1 day ago 1 reply      
Does anyone know how the virtio network performance is on this release when virtualized under qemu/kvm? I know that pfsense is moving to 10.2 soon and I've been unable to use it virtualized due to its atrocious virtio net performance.

While the linux based firewall alternatives are incredibly fast they just don't have anywhere near the ease of use/feature set of pfsense!

6
olavgg 1 day ago 0 replies      
FreeBSD 10.2 does come with some ZFS fixes (for issues which could occur under high load).
7
bmir-alum-007 1 day ago 2 replies      
Running this on our AWS sandbox ec2 instance after snapshotting it:

 freebsd-update fetch install && freebsd-update -r 10.2-RELEASE upgrade
EDIT: Updates to 10.1-RELEASE-p17 (currently) before upgrading

8
msbarnett 1 day ago 0 replies      
Downloading the VM image to a new Linode right now!

edit: that was fast

 $ uname -a
 FreeBSD 10.2-RELEASE FreeBSD 10.2-RELEASE #0 r286666: Wed Aug 12 15:26:37 UTC 2015 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64

Show HN: Guess which government programs work 80000hours.org
174 points by robertwiblin  1 day ago   53 comments top 16
1
robertwiblin 1 day ago 6 replies      
I'm one of the creators of the quiz!

Note that the projects were not chosen based on their results, and certainly not because the results are counterintuitive. Rather they are the ten best understood social programs we could find.

You can read about the findings of our research into whether people can guess what works and what doesn't ahead of time: http://www.vox.com/2015/8/13/9148123/quiz-which-programs-wor...

2
alexandercrohde 1 day ago 2 replies      
I was thinking about why this website triggered my skeptic alarms and came up with a few things.

1. The web interface makes it hard to go back. The first thing I want to do when I see a surprising answer is reread the question. I understand this is likely just bad engineering, but it makes the whole site feel less trustworthy.

2. Some questions get summarized poorly. For example, the mindfulness question asks "What effect does mindfulness based stress reduction have on self-reported mental health (rates of anxiety, stress, and depression)?" but then summarizes the choices to "reduction rates of mental health issues." You can't drop a word like self-reported from a question, after all physically disabled people self-report being happier after their disability (e.g. http://www.ncbi.nlm.nih.gov/pubmed/21870935).

Also in the "Drug Substitution Programs" question the text indicates that the research is based off of cases where "Addicts were given heroin or substitutes such as methadone or buprenorphine, based on their needs," however the choices are formed "Positive effect - Prescribing heroin to addicts reduces crime rates," [note that it dropped the or substitutes]. This feels like going for shock value.

3. At the end the website is selling very hard about some newsletter. Apparently the website seems to be focused around a career guide? If you truly have no axe to grind then present high-quality information and I'll naturally explore the site more.

4. If your objective is really to help raise awareness about how often media publicity for social interventions doesn't reflect efficacy as measured in journals then I would think at the end you would propose a plan of action, such as "When hearing about a social program, you can use Google Scholar to tap into research findings..."

3
asgard1024 1 day ago 2 replies      
This is great! One of the interesting things about social sciences (and engineering, although just like computer hacking, social engineering has unfortunately strong negative connotations) is that the real world is often counter-intuitive. In particular, people tend to believe in punishment a lot, while it commonly escalates the problem (I like the quip "emphasis on punishment is the sign of an obedience frame").

I am dismayed that I didn't do better than random chance, even though I like to read about social issues. I think this really shows the importance of empiricism in social sciences and engineering.

4
noir_lord 1 day ago 0 replies      
The Elderly care question said that there was no effect on 3 year mortality, which is fine and I'm sure that is accurate but it doesn't answer the question of "Did it have a net positive/negative effect on quality of life for those 3 years".

Not being a negative Nelly, just an observation that something as complex as social interaction problems can't always be summed up with a clear net gain/loss.

Loved the idea and implementation though.

5
dang 1 day ago 1 reply      
Having conclusive evidence that a program doesn't work (or even is harmful) is significant. How effective is it for actually getting such programs stopped? Have any been?
6
superuser2 1 day ago 1 reply      
Home visits for older adults is a little disingenuous. The purpose is not really to reduce death risk, but to increase quality of life. I don't think that counts as "no effect" just "no effect on mortality" which is unsurprising.
7
ridgeguy 1 day ago 1 reply      
I got way fewer of these right than I would have hoped. It's clear that I need to update my understanding of the questions presented. I owe a debt to those who put this together. Thanks very much.
8
jrnvs 1 day ago 1 reply      
It would be nice to see a summary of the projects and their effects after finishing the quiz. By that time, I had already forgotten about some and wondered what the answers were.
9
mattmanser 1 day ago 1 reply      
While the content is great, the tech seems bloody awful. Why is it so slow to load? It takes 5-10 seconds to load on both my laptop and my desktop (both < 1 year old) and I have nice fast fibre. Why would you start with a loading screen in this day and age? And worse a loading screen that doesn't tell you what it's loading. Flash is dead.

It severely impacts the usability, it looks like nothing is happening and I can imagine a lot of people just close it before it loads.

And it's (virtually) static content! Why doesn't it load with the opening page at least?

10
blakeweb 12 hours ago 0 replies      
This may be specific to me (though I'm using the latest Chrome, latest Mac OS, so I doubt it), but the "share on facebook" link didn't work at all for me, and the facebook "like" link took me to a page to share the post on my timeline, not just "like" it. Didn't see any easy route to report such things, so here it is!
11
pluma 1 day ago 1 reply      
I find it a bit unintuitive that "no change" errors are valued the same as "opposite" errors (e.g. answering "positive" when the change was actually negative). I find it far less interesting when the discrepancy is whether there is any change or not than when the effect is actually opposite to what one would apparently expect.

Additionally as others have pointed out some of the questions and answers aren't very clear (though maybe it's just my reading comprehension that's failing). I too am unhappy about the way the elderly question is posed -- it's not clear whether all of the programs were actually focussing on reducing mortality. In fact the introduction mentions that it's merely one of several goals and from anecdotal evidence I would expect that the mortality metric is thrown off by patients stabilizing once their health has deteriorated enough to require them to be placed under permanent care -- that you're less (or equally likely) to die doesn't mean you're more (or equally) healthy.

12
iopq 1 day ago 0 replies      
It's really hard to tell "negative effect" and "no effect" apart, I got two of them switched.

Besides, I would consider both of those failed programs, not even sure if there's a point in distinguishing.

I got 7/10 right, only one successful program I got wrong.

13
frabcus 1 day ago 0 replies      
Ben Goldacre (of Bad Science) wrote a paper with the UK Government on A/B tests of policies.

http://www.badscience.net/2012/06/heres-a-cabinet-office-pap...

14
Freeboots 1 day ago 1 reply      
Interesting that the average user is less than 50%. I got two wrong and still felt like an idiot.
15
eli_gottlieb 1 day ago 0 replies      
Ha! I'm as good as a coin flip! Take that, the average user, who is actually nonrandomly bad!
16
crdoconnor 1 day ago 0 replies      
Beginner's Guide to Blockchain Technology blockstrap.com
179 points by bytebot  1 day ago   24 comments top 9
1
anttipoi 1 day ago 1 reply      
I found the O'Reilly book Mastering Bitcoin excellent.

It's been a while since a tech book gave me such enjoyment. In an age when the word innovation typically is used to mean "I duct-taped these two turds together" it is great to encounter real novelty in tech.

The book makes the wonder of blockchain easily approachable if you have some background in CS and takes some nice excursions to topics like elliptic crypto.

2
nnx 23 hours ago 2 replies      
It doesn't really feel "for beginners" to me. Quite the opposite, difficult (if not slightly boring) to read.

On the other hand, the free ebook Mastering Bitcoin by Andreas M. Antonopoulos, available at http://chimera.labs.oreilly.com/books/1234000001802/index.ht... is an absolute pleasure to read imho.

It starts by explaining the core blockchain/bitcoin concepts in humorous layman terms ("nerd money!") and slowly goes deeper and deeper down the rabbit hole while keeping things pleasant.

The chapter that explains cryptographic hashing (SHA1 and all) is a masterpiece at opening the tech to non-technical audience.

3
huskyr 1 day ago 2 replies      
Anyone else having trouble reading the slides in Chrome? I'm getting "Uncaught SecurityError: Failed to read the 'localStorage' property from 'Window': Access is denied for this document." in the console. Works fine in Firefox though.
4
johnnynomics 16 hours ago 0 replies      
Hey everyone, Johnny from Blockstrap here. I tweet from @johnnynomics.

This course was presented as a free series of workshops we did around Europe this summer - you can read more about it here - http://blockstrap.com/en/blog/onboarding-europe/.

These slides make a lot more sense when we talk you through them - we're currently editing the video and will be sharing it on Blockstrap when finished. There's only so much structured learning we could fit in a day, so we thought this presentation was a good starting point for those new to Bitcoin and the underlying tech.

If you're interested in building blockchain applications come check out our stack at http://blockstrap.com. We have an API, framework, and several open source starting points. We welcome contributions from the community and we're very open to alternatives to SlideShare.

5
holri 1 day ago 1 reply      
Privacy Badger blocks the tracking cookie of slideshare.net and linkedin.com. Therefore the slides do not work for me.

Is this content also available without privacy infringement?

6
nvk 1 day ago 2 replies      
Shameless plug: If you need an API for multisig, check out Coinkite's: over 1,500 startups using it and over 260,000 bitcoins transacted in the last 30 days!

Manage wallets, multisig up to m-of-15, any/all keys can be generated offline, payment processing, Pubnub notifications and much more

- https://coinkite.com/startups

- https://docs.coinkite.com/api/index.html

Ping support on IRC (#coinkite) or support@coinkite.com if you need some Testnet coins to play.

7
Ernestas 1 day ago 0 replies      
8
benbristow 1 day ago 2 replies      
It says these guys do talks. Anyone got a video of one?
9
zubairq 1 day ago 0 replies      
Markdown and LaTeX Editor s2cms.ru
170 points by ommunist  1 day ago   61 comments top 15
1
stared 1 day ago 1 reply      
See also rMarkdown (http://rmarkdown.rstudio.com/) for Markdown supporting LaTeX (and bunch of other things) and its real-time editor editR (https://github.com/swarm-lab/editR).

Or for a longer list/discussion: https://hackpad.com/New-scientific-markup-language-utAjFcYuv... (it includes https://stackedit.io/).

2
mhartl 1 day ago 3 replies      
Softcover handles Markdown + embedded LaTeX on your local machine (no 'net connection required) using a standard text editor and web browser:

http://softcover.io/

I use Softcover to write and maintain both the code-heavy Ruby on Rails Tutorial (http://railstutorial.org/book) and the math-heavy Tau Manifesto (http://tauday.com/tau-manifesto). (Disclosure: I'm also the principal author of Softcover.)

3
JohnHammersley 1 day ago 9 replies      
I'm curious as to the percentage of users here that use Markdown regularly? I'm one of the founders of Overleaf, and we've found that our users tend to either want to be able to edit in full LaTeX or want to avoid the need to code even in markdown (hence the reason we built a rich text layer for overleaf[1])

If you do use Markdown regularly, how often does it allow you to do everything you need (i.e. how often do you have to switch to something else)?

Feedback appreciated, thanks.

[1] https://www.overleaf.com/blog/81

4
hyperhopper 1 day ago 2 replies      
I have the same setup in atom using Markdown Preview Plus (https://atom.io/packages/markdown-preview-plus)

Works amazing and is offline, I highly recommend it.

5
flying_whale 1 day ago 0 replies      
I have been using https://stackedit.io/ a lot for Markdown editing and have loved its simple and straightforward preview interface.

For LaTeX, I've used https://www.overleaf.com/ till now.

From my initial interactions with this editor, it just might prove to be a single replacement for both the above sites!

6
robinhoodexe 1 day ago 1 reply      
I'm quite amazed at how responsive it feels compared to sharelatex or the likes. It's extremely simple. I like it. I may not use it myself, but I'll mention it to friends who are learning LaTeX.
7
chestervonwinch 1 day ago 2 replies      
Does this use mathjax? It doesn't seem to send my CPU into a whirlwind when typing latex as mathjax sometimes does (although I didn't test it for very long). I enjoy that there's more of a pause between typing the latex and seeing the updated version. I hate how some sites bounce up and down due to formatting on every keyup when editing latex.
8
verusfossa 1 day ago 0 replies      
If you haven't seen it yet ProseMirror is a hopefully to be open-sourced CommonMark editor. I'm sure LaTeX support could be added as a module.

https://www.indiegogo.com/projects/prosemirror

9
haddr 1 day ago 1 reply      
I really like it! It seems lightweight, and editing is almost instant.

What I'm not quite sure about is the subset of available LaTeX commands: can you use only math formulas, or is there also something else?

10
torthrw 1 day ago 1 reply      
Very curious as to why this is so much more responsive than overleaf and sharelatex. Anyone?
11
geyang 1 day ago 2 replies      
What about writing in a WYSIWYG, and getting a LaTeX document and a markdown document?

http://www.escherpad.com/signup

12
jugad 1 day ago 0 replies      
Markdown + LaTeX editors that I have personally used (and recommend)

https://stackedit.io/

Atom editor + markdown preview with Katex

iPython notebook with mathjax

13
S4M 1 day ago 0 replies      
The real url where the latex rendering takes place seems to be here: http://tex.s2cms.ru/

The link that was submitted has an editor that detects LaTeX formulas, sends them to the link I mentioned earlier, gets back an SVG and inserts it on the page.

14
siavosh 1 day ago 1 reply      
Is there a good js library available for LaTeX markdown that can be integrated with other markdown libraries? I'm working on http://www.faqt.co and would love to add LaTeX support.
15
btreecat 1 day ago 0 replies      
I would love something similar for reST or ascii doc
Android libstagefright still exploitable exodusintel.com
162 points by amatus  1 day ago   143 comments top 19
1
stevenh 1 day ago 10 replies      
Any competent malware developer must have already figured out how to exploit this the first time around. Now that every single one of those malware developers has learned it is still exploitable, the payload they've spent the past month perfecting can now be deployed in the wild.

So, can someone explain why a disastrous worm hasn't already swept the globe and infected 99% of Android devices on the planet within ten minutes of being released in the wild?

1. Text payload to victim

2. Payload executes on victim's phone and texts itself to all of the victim's contacts

3. Repeat

Assuming the average Android phone owner has 20 contacts who also have Android phones, and assuming also that texting the payload to those 20 people would take two minutes to complete, the infection would spread exponentially and only take ten minutes for the initial text to result in the infection of 10 billion devices worldwide.

Why am I not currently being bombarded with MMS video texts from infected devices? It frankly seems a bit miraculous. Did Google set up an emergency arrangement with all of the carriers to block suspicious video texts so this wouldn't happen?

2
jimrandomh 1 day ago 2 replies      
Summary: A little over two weeks ago, it was publicly disclosed that MMS messages can cause Android phones to decode video with libstagefright, which is a C++ library with vulnerabilities and insufficient sandboxing, leading to remote code execution without user interaction. Today, Exodus Intelligence is reporting that the patch to fix one of these vulnerabilities does not, in fact, fix it. Thus, all Android phones are still vulnerable.

You can partially mitigate the risk by disabling auto-downloading of MMS messages in whichever app you have set to handle text messages, such as Messaging or Hangouts. If you have not done so already, this is urgent. Furthermore, you should assume that auto-downloading of MMS messages will not ever be safe, no matter how many individual security fixes are applied, until this component of Android is significantly re-architected.

3
hoopism 1 day ago 4 replies      
Is this timeline correct?

April 2015 - Original stagefright exposed

July 31st - Author noticed patch was not sufficient but could not test (did not notify google)

August 6th - Patch released

August 7th - Author notified google that patch was not adequate

August 13th - Author went public?!?!

They are counting the original date of exploitation as the start date for notification. I would think a more responsible and friendly date would be August 7th. Just me.

4
archmikhail 1 day ago 4 replies      
Even if Google patches this, there's an incredible delay in getting the patch to users. Android is fundamentally flawed in this respect.

http://www.extremetech.com/mobile/197346-google-throws-nearl...

5
josh2600 1 day ago 2 replies      
Did I read that right? They reported the bug to Google on August 7th and disclosed it publicly on August 13th?

Is this still responsible disclosure if they give Google basically 6 days to respond and use the original notification date as justification? I'm not learned enough in the practice of responsible disclosure to know if this is common, but I've not seen that before.

6
lnanek2 1 day ago 1 reply      
Doesn't seem very responsible behavior by the reporter. Google accepted the suggested patches, fixed the original cases. Now some other cases are discovered for these larger numbers, OK, that seems like a new thing to fix next. Not sure why I have to read paragraphs of hate when the company put the suggested patches in already. Seems like just an excuse so they can ride the page view wave.
7
captainmuon 1 day ago 1 reply      
And I was wondering at the beginning of the article why they were doing

 if (SIZE_MAX - chunk_size <= size)
and not the more readable

 if (size + chunk_size >= SIZE_MAX)
Of course, C integer overflow. The real WTF is that this is possible in C.

What would be more sensible than integer overflow would be to automatically promote integers to a larger type in the context of a comparison, so that they don't overflow. I wonder if you could add that to the language in a backwards-compatible way? Maybe add a new builtin (compiler-specific, but shared by popular implementations?) like

 if __no_overflow(x + y > z)
that would make the addition of two ints become long, two shorts become int32, and so on. (Two long longs would internally become BigNums, but that wouldn't be exposed.)

And while we're at it, add a __checked(a+b) construct, that sets a flag if overflow occurs (or maybe raises an assertion - or maybe we should have both options).

8
autobahn 1 day ago 1 reply      
Just to give everyone a bit of calm, nobody's demonstrated a successful exploit with ASLR bypass.

Meaning that while the vulnerability is technically exploitable, the chance of system compromise is very low on modern android phones (I think post 4.0)

9
anon1385 1 day ago 2 replies      
> Deadline exceeded automatically derestricting
> The flaw was initially reported over 120 days ago to Google, which exceeds even their own 90-day disclosure deadline.

It always seemed likely that Google's hubris[1] would come back to haunt them. I guess this is that day.

It would be funny if it wasn't remote code execution affecting 950 million phones, with no official patch in sight.

[1] https://news.ycombinator.com/item?id=8896221

10
VMG 1 day ago 4 replies      
Why are arithmetic overflows and underflows not exceptions/crashes by default, like division by 0?

Aren't the cases where you actually want an over/underflow the exception? Why not resort to special instructions/macros/operators for these operations?

11
cautious_int 1 day ago 1 reply      
This is a common problem in C. Integer types are inherently type unsafe and are silently promoted with many different rules which are hard to remember and understand. As is seen in this case, even the (borderline paranoid) flag -Wconversion would not catch the bug.

I think this problem in C would be solved with a single flag: -Wwarn-if-using-integers-of-different-types-in-an-operation , forcing you to cast the integer if the types don't match in an arithmetic operation, or an assignment.

12
pacquiao882 1 day ago 1 reply      
The bigger issue of libstagefright is that there's a ton of code involved with media playback at the native level that has access to many system resources. This specific exploit was just looking at a small part of the MP4 handling -- one of the many parts within the library. It is very likely more severe exploits like this one will surface as a result of this huge library.
13
ambrop7 1 day ago 0 replies      
I think the proper check is:

  // size_t size;
  // uint64_t chunk_size;

  if (chunk_size >= SIZE_MAX - size) { return ERROR_MALFORMED; }

Due to size being a size_t and SIZE_MAX being well a maximum size_t, SIZE_MAX-size is properly calculated. The comparison with chunk_size is also properly done (due to the C promotion rules - as strange as they are, they do work "as expected" when your values are nonnegative, which they are here).

Also, I am slightly puzzled why one would use SIZE_MAX as a limit rather than some "small" number, like a few megabytes or whatever is a reasonable bound for this buffer. In this case the fix may be a bit more complex than this: if (chunk_size >= SIZE_MAX - size || size + chunk_size > the_limit) .
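
The three checks discussed in comments 7, 10, 11 and 13 side by side, as an added example that is not from the Exodus post, the Android source or any commenter. Assumptions, also marked in the code: a 32-bit size_t is modelled as uint32_t (sz_t / SZ_MAX) so the arithmetic comes out the same on any host; chunk_size is uint64_t, as the comment above states; the "readable" variant takes both operands as size_t, which is the same-width case comment 7 reasons about; all function names are this example's own. It shows why the readable form wraps, why the patched form is bypassed by a chunk_size wider than size_t (the "larger numbers" case), and that the check proposed above, with or without an explicit bound, rejects both.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Assumption: model a 32-bit size_t explicitly (sz_t / SZ_MAX) so the
 * arithmetic below behaves the same on any host. chunk_size is uint64_t,
 * as in the comment above; size is the size_t accumulator.
 * Function names are this example's own, not libstagefright's.
 */
typedef uint32_t sz_t;
#define SZ_MAX UINT32_MAX

/* The "readable" form, size + chunk_size >= SIZE_MAX, with both operands
 * size_t. The sum is reduced modulo 2^32 before the comparison, so a
 * wrapped sum looks small and the check never fires. true == rejected. */
bool naive_rejects(sz_t size, sz_t chunk_size) {
    sz_t sum = (sz_t)(size + chunk_size);   /* wraps */
    return sum >= SZ_MAX;
}

/* The form the patch used, SIZE_MAX - chunk_size <= size, with a uint64_t
 * chunk_size. SIZE_MAX is promoted to 64 bits, so for chunk_size > SIZE_MAX
 * the subtraction wraps to a large 64-bit value and the check is bypassed. */
bool patched_rejects(sz_t size, uint64_t chunk_size) {
    uint64_t room = (uint64_t)SZ_MAX - chunk_size;   /* wraps when chunk_size > SZ_MAX */
    return room <= size;
}

/* What a caller would allocate after the bypassed check: size + chunk_size
 * truncated back to size_t. */
sz_t wrapped_total(sz_t size, uint64_t chunk_size) {
    return (sz_t)(size + chunk_size);
}

/* The check proposed in the comment above: SIZE_MAX - size cannot wrap
 * (size <= SIZE_MAX by construction), and comparing the 64-bit chunk_size
 * against it is exact. */
bool fixed_rejects(sz_t size, uint64_t chunk_size) {
    return chunk_size >= (uint64_t)(SZ_MAX - size);
}

/* Same check plus an explicit upper bound on the buffer, as the comment
 * suggests; the first clause guarantees the addition in the second cannot wrap. */
bool fixed_rejects_bounded(sz_t size, uint64_t chunk_size, sz_t limit) {
    if (chunk_size >= (uint64_t)(SZ_MAX - size))
        return true;
    return (uint64_t)size + chunk_size > limit;
}

int main(void) {
    /* Constructed inputs: a same-width wrap and a chunk_size wider than size_t. */
    sz_t     size32 = 0x10;
    sz_t     big32  = SZ_MAX - 8;                  /* size32 + big32 wraps to 7 */
    uint64_t big64  = 0xFFFFFFFFFFFFFFF0ULL;       /* larger than any 32-bit size_t */

    printf("naive   rejects 0x10 + (SZ_MAX-8)? %d\n", naive_rejects(size32, big32));
    printf("patched rejects 0x10 + (SZ_MAX-8)? %d\n", patched_rejects(size32, big32));
    printf("patched rejects 0x20 + huge64?      %d (alloc would be %u bytes)\n",
           patched_rejects(0x20, big64), (unsigned)wrapped_total(0x20, big64));
    printf("fixed   rejects 0x20 + huge64?      %d\n", fixed_rejects(0x20, big64));
    printf("fixed   rejects 0x10 + 0x100?       %d\n", fixed_rejects(size32, 0x100));
    return 0;
}
```

The point the two wrong variants share is that the comparison is done on a value that was already reduced modulo the narrower type; the proposed form only ever subtracts within size_t, where it cannot wrap, and lets the promotion to uint64_t happen on the comparison alone.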

14
ikeboy 1 day ago 0 replies      
Can carriers (and by extension, the Hangouts backend itself) check messages and block "evil" ones? Wouldn't that be an easier way of fixing these things quickly?

At the very least, Google should block any Hangouts message that triggers the bug even on non-updated devices.

15
jsingleton 1 day ago 0 replies      
There was an Android update pushed to my phone recently. I wanted to know if it was an urgent security fix so I checked the diffs. It's hard to tell but it doesn't seem to be. It's a bunch of fixes to do with video out, SIP etc.

I thought maybe the patch fixed this security flaw. It wasn't clear what it was for from the phone. I had to do a fair bit of digging. Are there any change-logs or release notes for these system updates?

16
RexRollman 1 day ago 1 reply      
IMO, the Android ecosystem is a clusterfuck and Google needs to get a hold of it. I would buy a Windows phone before I would buy an Android device.
17
mondoshawan 1 day ago 0 replies      
http://www.cyanogenmod.org/blog/more-stagefright

Looks like Cyanogenmod has patched this toot-sweet.

18
gionn 1 day ago 0 replies      
19
johansch 1 day ago 6 replies      
Apes may be closer to speaking than many scientists think wisc.edu
178 points by adamnemecek  21 hours ago   96 comments top 14
1
jonnybgood 19 hours ago 6 replies      
This Slate article is worth a read, concerning the science involving Koko.

"Critics also allege that the abilities of apes like Koko and Kanzi are overstated by their loving caregivers. Readers with pets may recognize this temptation; we can't help but attribute intelligence to creatures we know so well."

http://www.slate.com/articles/health_and_science/science/201...

2
ohsnap 19 hours ago 1 reply      
A lot of skepticism is in order with anything Koko. No skeptical scientists have been allowed to 'communicate' with Koko. Thus only believers, people who are willing to provide very generous interpretations of the ape's behavior are allowed to work with her.
3
sandworm101 19 hours ago 6 replies      
Someone thought that apes couldn't control their breathing well enough to vocalize? Really? All mammals have pretty advanced control over their airways, otherwise we would be constantly inhaling nasty things. Carnivores need control to sniff (see wolves) and herbivores need to hold their breath to be quiet enough to hear the wolves (see deer).

I'm about ready to say that all animal and human science from the 30s through the 50s should be tossed. From all birds mating for life, belly-dragging dinos, to apes that cannot hold their breath ... were they just making stuff up?

4
rickdale 19 hours ago 1 reply      
There was a monkey experiment called Project Nim with a documentary about it. The footage in that movie is amazing. They used to sit in smoke circles and pass the joint to the chimpanzee. Ultimately the story turned sad when the funding for the research was pulled and I know this is about apes, but I am just saying animals are capable of much more than we think.

http://www.imdb.com/title/tt1814836/

6
nogridbag 18 hours ago 0 replies      
Interesting... I was just browsing Koko's wikipedia page and assumed someone had vandalized the "Life" section [1].

"Koko enjoys seeing human nipples and will request her female caregivers to show them to her on occasion."

But after some googling it appears to be true..

[1] https://en.wikipedia.org/wiki/Koko_(gorilla)#Life

7
AndrewKemendo 20 hours ago 3 replies      
Just assuming for a moment that this capability increases enough for an ape to say something that humans would find "profound", I wonder if humans would give more weight to what an Ape had to say than a fellow human.
8
jonah 12 hours ago 0 replies      
The embedded videos show some good mimicry but not much understanding.

  Handler: How about coughing?
  Ape: Sneezes.
  Handler: That was good!
  Handler: Koko, can you sneeze?
  Ape: Blows Nose.
  Handler: ...
Not impressed.

Just because something (ape breath control) looks like something else (speech prerequisites), doesn't mean they're the same thing...

9
juliann 20 hours ago 0 replies      
Wow, really impressed when watching those videos, wasn't expecting such human looking movements and gestures when blowing his nose.
10
freyr 13 hours ago 0 replies      
Some apes have already learned to speak. We call them humans.
11
known 7 hours ago 0 replies      
Animals talk/communicate to each other; Is this news?
12
mortenjorck 19 hours ago 2 replies      
13
csours 18 hours ago 1 reply      
Have Great Apes ever been domesticated?
14
sergimansilla 16 hours ago 0 replies      
CS224d: Deep Learning for Natural Language Processing stanford.edu
181 points by andreaespinosa  1 day ago   29 comments top 6
1
aabajian 22 hours ago 3 replies      
I was fortunate to take this class the first time it was offered. I found it a great introduction to the material, but a bit over my head. Deep learning requires a strong grasp of linear algebra - and particularly at the "Stanford" level. My undergrad didn't prepare me well for visualizing outer products and matrix / tensor derivatives. Once you get over those hurdles, deep learning is quite fun. It often works like magic. I'll give you an example:

A firetruck is _____

Try typing this in Google and you'll get "red", "moving" and "made". During the course you build a network that trains next-word completions using arbitrary bodies of text. You can train it for hours, days or weeks...and it just gets better and better. Eventually you will max out the capacity of your network, but then you can fiddle with the number of nodes and other hyperparameters. In the end you're just training a "black-box" nonlinear function to best approximate an unknown function defined by training data.

2
xigency 23 hours ago 0 replies      
I wish I had more ideas for applications using techniques like this, otherwise I would probably spend much more time researching natural language processing.

Instead, I did a simple project on searching using language processing and just read Foundations of Statistical Natural Language Processing [1], which is not too difficult, and Speech and Language Processing: An Introduction to Natural Language Processing, Computational Linguistics and Speech Recognition [2], which is a pretty heavy read but a great reference. I was able to find a used copy of the second book for $0.30.

I also put a bit of study into articulatory phonetics and speech recognition as part of a graduate study-abroad, which is an interesting field on its own, but I always wanted to come back to computational linguistics.

[1] http://www.amazon.com/Foundations-Statistical-Natural-Langua...

[2] http://www.amazon.com/Speech-Language-Processing-Introductio...

3
napolesmarble 1 day ago 2 replies      
I have a folder to bookmark machine learning resources.

Here's another good one from the creator of coursera (Stanford grad I think)

https://www.coursera.org/learn/machine-learning/home/info?ut...

4
viksit 20 hours ago 0 replies      
It's interesting that this is trending at the same time as an RNN based NLP powered assistant that I've just posted on HN.

It uses a lot of the same concepts - recurrent nets and word embeddings. If you guys want to play around with it in a real life scenario, head over there to check it out. Discussion here [1]. Link here. [2]

[1] https://news.ycombinator.com/item?id=10060074

[2] http://getmyra.co

Edit: Update wrong link.

5
pkaye 1 day ago 3 replies      
I'm still not clear on the difference between deep learning and machine learning. Also are there good primer books on machine learning fundamentals?
6
bradneuberg 16 hours ago 0 replies      
This and the convolutional neural net class were offered at Stanford both physically and online. Is anyone aware of anything similar being offered this fall quarter?
Oxford University Machine Learning Course ox.ac.uk
174 points by jcr  1 day ago   18 comments top 4
1
krat0sprakhar 22 hours ago 3 replies      
The best part about this ML course is that all assignments are in Torch (a deep learning framework in Lua) for which Andrej Karpathy has good things to say on his blog[0]

> "Brief digression. The code is written in Torch 7, which has recently become my favorite deep learning framework. I've only started working with Torch/LUA over the last few months and it hasn't been easy (I spent a good amount of time digging through the raw Torch code on Github and asking questions on their gitter to get things done), but once you get a hang of things it offers a lot of flexibility and speed. I've also worked with Caffe and Theano in the past and I believe Torch, while not perfect, gets its levels of abstraction and philosophy right better than others."

[0] - http://karpathy.github.io/2015/05/21/rnn-effectiveness/

2
spike021 21 hours ago 5 replies      
What's the barrier to entry like for this?

For example, I've never been particularly great at math.

3
anuj_nm 9 hours ago 0 replies      
I took Nando's ML courses at UBC 2 years ago. He's great at explaining complex concepts in digestible chunks. He's able to show how ML theories are modeled after natural processes well too (such as how speech recognition and image processing work using deep learning and neural nets).
4
wahsd 18 hours ago 1 reply      
I don't get it. I can't recall a single piece of learning content from Oxford that didn't have the audio quality of a tin can phone. It sounds like an over-compression issue, but it is just made even worse by horrible audio in what seem like tiny little boxes that lectures are held in. Someone please point Oxford towards a course on audio recording.
Disable Windows 10 Tracking github.com
143 points by SoMuchToGrok  2 days ago   141 comments top 18
1
nathanaldensr 1 day ago 0 replies      
I wrote a PowerShell script that enables or disables various Windows 10 tracking components.

https://github.com/nathan-alden/windows-10-tracking

I based the script on the https://github.com/10se1ucgo/DisableWinTracking repository, but the code in that repository is Python and compiles to a Windows executable. I much prefer PowerShell so that the code can be more easily changed and deployed in automated environments. Additionally, that Python code doesn't undo changes, whereas my PowerShell script does.

I'd appreciate any feedback (probably as a GitHub issue).

2
andrewmcwatters 1 day ago 1 reply      
This is really crudely put together, completely disregards recent findings from news articles proving you cannot completely disable W10 telemetrics, and the author acknowledges he doesn't want to support reversing destructive processes with it.

You shouldn't bother using this.

3
pilif 2 days ago 1 reply      
> Set the AllowTelemetry string in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection to 0

AFAIK, setting this to 0 only has meaning in the Enterprise edition. In the consumer edition, 0 has the same meaning as 1.

Here's a screenshot from the group policy editor of my Windows 10 VM:

http://i.imgur.com/3s3AT9p.png

as you can see, 0 only does something in Enterprise builds.

4
nerdy 2 days ago 2 replies      
Be careful with this! From the README under the "HOSTS" section:

"Append known tracking domains to the HOSTS file located in C:\Windows\System32\drivers\etc"

However there are other articles which suggest changing the hosts file can cause instability[1]:

"Of course, the first thing that comes to mind is disabling communication with these servers (by introducing the server into the hosts file and settings to 127.0.0.1 localhost), but as I tried, after disabling the Windows 10 start acting suspiciously otherwise. Error messages pop up, sometimes the message of "service failure", there are problems with Skype, it is not possible to maintain a stable connection. The problem is with VPN connections that fall. But it is possible that this is just some incompatibilities and nevyladnost new OS. Apparently, it is necessary not to prohibit certain sites and have available to make things work, but I had no time to analyze them one by one, what causes them off in the long run in Windows 10"

Of course, there are a whole bunch of other potentially dangerous things the tool does like change services and edit the registry. Take care!

[1] https://translate.google.com/translate?hl=en&sl=cs&tl=en&u=h...

5
kozukumi 2 days ago 4 replies      
Far better is to not use Windows 10 and tell Microsoft why.
6
davexunit 2 days ago 7 replies      
Best way to disable Windows 10 tracking: Switch to GNU/Linux.
7
huhtenberg 1 day ago 1 reply      
Keep in mind that Windows filters the contents of etc/hosts and basically ignores (some) entries for its own domains. For example, you cannot null-route Windows Update servers this way.
8
nly 2 days ago 4 replies      
Checked my parents PC on a visit this morning to find the latest Patch Tuesday set of updates hadn't installed automatically because Windows Update was too busy advertising Windows 10. I was also greeted with a balloon popup rather than just the subtle GWX icon in the tray nagging me to install it.

Microsoft are pushing this OS fervently and, given their aggressive service integration, I've recently been musing about whether the Microsoft of today are really 'better' just because they've become more open with their software, or whether they're actually just a different, possibly nastier, kind of monopolistic threat.

We could look back in 5 years and see the majority using Bing (via the Start Menu), Cortana, IE, OneDrive, and syncing all their devices through MS servers and cringe. Microsoft can't win on the strength of their brand when it comes to consumer facing services (except for Xbox), so maybe integration will see them break through and muscle out the likes of Chrome, Google, Gmail, Android, and Dropbox.... if W10 on mobile takes off that is.

Oddly, despite not owning and having never owned any Apple product, I find myself comforted these days that they are there with an almost bottomless pile of money.

9
mesozoic 1 day ago 0 replies      
Apparently you can't fully disable it so it looks like it's Windows 7 for me for another 5 years or so.
10
blackbeard 2 days ago 0 replies      
One KB or sfc run later and that'll all be turned back on again...
11
thescrewdriver 1 day ago 0 replies      
You have to know that your privacy defaults are batshit crazy when people start developing tools to automate correcting them.
12
EugeneOZ 1 day ago 0 replies      
With such an "open" system, don't even think about large or government companies, especially non-US ones.
13
mtgx 2 days ago 3 replies      
Yeah, so I've been using that since a few days ago along with DoNotSpy10, and disabled almost everything. Then I installed a traffic monitoring tool and I still found Cortana to be calling home, even though I checked and both web searches (search box) and Cortana were disabled.

I think this article is right - you can't fully stop Windows 10 from calling home, no matter what you do or how many things you disable.

http://arstechnica.com/information-technology/2015/08/even-w...

And according to this article, Microsoft has an OS-level keylogger that catches all of your typed characters (all passwords, all "secure" communications) even from the virtual keyboard, for "no good reason".

http://localghost.org/posts/a-traffic-analysis-of-windows-10

14
crystalgiver 1 day ago 0 replies      
I run Windows as a guest with vga passthrough and completely disable networking (though a very strict firewall could also work, e.g. For online games).
15
Spearchucker 1 day ago 1 reply      
16
kn9 1 day ago 0 replies      
Can anyone please share the list of GPO's to block in enterprise environment
17
talles 1 day ago 0 replies      
Kudos for stating on the README what it does.
18
juliangregorian 1 day ago 1 reply      
Personally, I'd rather fuzz their servers with terabyte after terabyte of garbage, but to each his own.
       cached 15 August 2015 15:11:01 GMT