hacker news with inline top comments    22 Dec 2015 Best
Instagram's Million Dollar Bug exfiltrated.com
1546 points by infosecau  4 days ago   511 comments top 55
1
secalex 4 days ago 41 replies      
Thank you to everybody who cautioned against judgment before hearing the whole story. Here is my response: https://www.facebook.com/notes/alex-stamos/bug-bounty-ethics...
2
tptacek 4 days ago 13 replies      
In stories like this, try first to remember that Facebook isn't a single entity with a single set of opinions, but rather a huge collection of people who came to the company at different times and different points in their career.

Alex Stamos is a good person who has been doing vulnerability research since the 1990s. He's built a reputation for understanding and defending vulnerability researchers. He hasn't been at Facebook long.

To that, add the fact that there's just no way that this is the first person to have reported an RCE to Facebook's bug bounty. Ask anyone who does this work professionally: every network has old crufty bug-ridden stuff laying around (that's why we freak out so much about stuff like the Rails XML/YAML bug, Heartbleed, and Shellshock!), and every large codebase has horrible flaws in it. When you run a bug bounty, people spot stuff like this.

So I'm left wondering what the other side of this story is.

Some of the facts that this person wrote up are suggestive of why Facebook's team may have been alarmed.

It seems like what could have happened here is:

1. This person finds RCE in a stale admin console (that is a legit and serious finding!). Being a professional pentester, their instinct is that having owned up a machine behind a firewall, there's probably a bonanza of stuff they now have access to. But the machine itself sure looks like an old deployment artifact, not a valuable asset Fb wants to protect.

2. Anticipating that Fb will pay hundreds and not thousands of dollars for a bug they will fix by simply nuking a machine they didn't know was exposed to begin with, the tester pivots from RCE to dumping files from the machine to see where they can go. Sure enough: it's a bonanza.

3. They report the RCE. Fb confirms receipt but doesn't respond right away.

4. A day later, they report a second "finding" that is the product of using the RCE they already reported to explore the system.

5. Fb nukes the server, confirms the RCE, pays out $2500 for it, declines to pay for the second finding, and asks the tester not to use RCEs to explore their systems.

6. More than a month after Facebook has nuked the server they found the RCE in, they report another finding based on AWS keys they took from the server.

So Facebook has a bug bounty participant who has gained access to AWS keys by pivoting from a Rails RCE on a server, and who apparently has retained those keys and is using them to explore Instagram's AWS environment.

So, some thoughts:

A. It sucks that Facebook had a machine deployed that had AWS credentials on it that led to the keys to the Instagram kingdom. Nobody is going to argue that, though again: every network sucks in similar ways. Sorry.

B. If I was in Alex's shoes I would flip the fuck out about some bug bounty participant walking around with a laptop that had access to lord knows how many different AWS resources inside of Instagram. Alex is a smart guy with an absurdly smart team and I assume the AWS resources have been rekeyed by now, but still, how sure were they of that on December 1?

C. Don't ever do anything like what this person did when you test machines you don't own. You could get fired for doing that working at a pentest firm even when you're being paid by a client to look for vulnerabilities! If you have to ask whether you're allowed to pivot, don't do it until the target says it's OK. Pivoting like this is a bright line between security testing and hacking.

This seems like a genuinely shitty situation for everyone involved. It's a reason why I would be extremely hesitant to ever stand up a bug bounty program at a company I worked for, and a reason why I'm impressed by big companies that have the guts to run bounty programs at all.

(and, to be clear, a friend, though a pretty distant one; I am biased here.)

3
dsacco 4 days ago 11 replies      
As a security researcher and engineer, I'd like to point out the following, without taking sides:

1. Facebook is not going ballistic because this is a RCE report. They have received high and critical severity reports many times before and acted peaceably, up to and including a prior RCE reported in 2013 by Reginaldo Silva (who now works there!).

2. The researcher used the vulnerability to dump data. This is well known to be a huge no-no in the security industry. I see a lot of rage here from software engineers - look at the responses from actual security folks in this thread, and ask your infosec friends. Most, perhaps even all, will tell you that you never pivot or continue an exploit past proof of its existence. You absolutely do not dump data.

3. When you dump data, you become a flight risk. It means that you have sensitive information in your possession and they have no idea what you'll do with it. The Facebook Whitehat TOS explicitly forbid getting sensitive data that is not your own using an exploit. There is a precedent in the security industry for employers becoming involved for egregious "malpractice" with regards to an individual reporting a bug. A personal friend and business partner of mine left his job after publicly reporting a huge breach back in 2012 (I agree with his decision there), and Charlie Miller was fired by Accuvant after the App Store fiasco. Consider that Facebook is not the first company to do this, and that while it is a painful decision, it is not an insane decision. You might not agree with it, but there is a precedent of this happening.

I'm not taking sides here. I don't know that I would have done the same as Alex Stamos here, but it's a tough call. I do believe the researcher here is being disingenuous about the story considering that a data dump is not an innocuous thing to do.

I'm balancing out the details here because I know it will be easy to see "Facebook calls researcher's employer and screws him for reporting a huge security bug" and get pitchforks. Facebook might be in the wrong here, but consider that the story is much more nuanced than that and that Facebook has an otherwise excellent bug bounty history.

Edited for visibility: 'tptacek mentioned downthread that Alex Stamos issued a response, highlighting this particular quote:

At this point, it was reasonable to believe that Wes was operating on behalf of Synack. His account on our portal mentions Synack as his affiliation, he has interacted with us using a synack.com email address, and he has written blog posts that are used by Synack for marketing purposes.

Viewed in this light (and I don't believe Stamos would willfully fabricate a story like this), it is very reasonable to escalate to an employer if they seem to be affiliated with a security researcher's report.

4
biot 4 days ago 5 replies      
Summarizing what I've seen here in analogy form:

 Researcher: "I found a way to unlock your door"
 Facebook: "Thanks, here's $2500. We've now fixed the problem."
 Researcher: "Oh, BTW when I unlocked your door I rifled through your stuff and found your passport, your banking details, and a lot of personal information. I've kept copies of these. I also found the keys to your car and looked inside, where I found a box in the trunk. That box contained sensitive documents including an employee badge / proximity card. I used this card to gain access to your workplace. In doing this, I also managed to get into the janitor's closet which had a set of keys. I used these keys to get access to the complete building and took a look at all the HR files and rifled through a bunch of corporate contracts."
 Facebook: <gobsmacked>
 Researcher: "Can I have my million bucks now?"

Where the researcher stepped over the line is using the door attack to escalate further attacks. It's little different than finding a way to reliably impersonate Mark Zuckerberg's credentials in such a way that others will 100% believe it. That finding is worthy of a reward. But then using that vulnerability to social engineer others to reveal passwords, using that as a launching point for mounting further attacks is going way too far.

5
daveloyall 4 days ago 6 replies      
In my opinion, the author is feigning shock...

He claims to have downloaded the content listed below. And he is surprised that Facebook responds coldly? Note the string "private keys" in this list... Doesn't the author know how long it will take them to recover from this breach? How much it will cost them?

On the other hand, it does sort of reinforce the idea that he should be paid handsomely, doesn't it? :)

 * Static content for Instagram.com websites. Write access was not tested, but seemed likely.
 * Source code for fairly recent versions of the Instagram server backend, covering all API endpoints, some image processing libraries, etc.
 * SSL certificates and private keys, including both instagram.com and *.instagram.com
 * Secret keys used to sign authentication cookies for Instagram
 * OAuth and other Instagram API keys
 * Email server credentials
 * iOS and Android app signing keys
 * iOS Push Notifications keys
 * Twitter API keys
 * Facebook API keys
 * Flickr API keys
 * Tumblr API keys
 * Foursquare API keys
 * Recaptcha key-pair

6
tshtf 4 days ago 0 replies      
Note to self: Don't report any chained attacks to any large companies' bug bounty programs. Alex Stamos contacting the employer of the bug reporter is completely out of line.

This is the fastest and easiest way for Facebook to stop good submissions to their bug bounty program.

7
Zikes 4 days ago 4 replies      
Facebook's calling his employer could be slanderous, possibly even criminal harassment.

Between stories like this demonstrating companies' apparent lack of understanding of whitehat infosec, and Weev's incarceration demonstrating the American legal system's apparent lack of understanding of whitehat infosec, it's hard to believe people still participate in such endeavors.

8
benmanns 4 days ago 0 replies      
I think the solution here is to pay $100k+ for RCE exploits and explicitly forbid pivoting access after the first vulnerability is discovered. Facebook offered $2,500 for a security vulnerability that could do much greater damage. What kind of vulnerability is a "million-dollar bug" if not RCE? How would you possibly have a "million-dollar bug" that is a single-point-of-contact bug and how would you verify that Facebook is paying you fairly? They didn't seem to in this case.
9
tptacek 4 days ago 4 replies      
Alex responds:

https://www.facebook.com/notes/alex-stamos/bug-bounty-ethics...

Critically:

At this point, it was reasonable to believe that Wes was operating on behalf of Synack. His account on our portal mentions Synack as his affiliation, he has interacted with us using a synack.com email address, and he has written blog posts that are used by Synack for marketing purposes.

Alex's timeline seems like it matches what I wrote earlier:

https://news.ycombinator.com/edit?id=10754627

10
danso 4 days ago 2 replies      
So if I'm reading this correctly, this massively compromising attack was made possible by doing a little research? e.g. Knowing about one of the admin services used by Instagram, looking in that admin's public repo, and musing whether Instagram had bothered to change the secret key from the default entry in the repo?

We'll probably never see a post mortem on this but it'd be interesting to hear how this got moved to production...: was the Sensu admin panel a nice scaffold for internal use and by the time they decided to make it remote, everyone just assumed the secret key had been changed at some point?

11
nathanvanfleet 4 days ago 2 replies      
Sort of an interesting conflict these bug bounties create. You have someone who wants to hack as deeply as possible to have a bigger bug bounty based on stated rules, but at the same time they will invalidate your bounty if they arbitrarily determine it as too much?

I imagine the initial report by his friend that the server was accessible would not be a very high paying bounty compared to one accessing the server. But how deep is too deep?

12
joslin01 4 days ago 1 reply      
The thing that gets to me is the lack of gratitude on Facebook's end. Instead, they turn him into the villain for breaking imaginary rules. What would have been the harm in slapping him on the wrist and giving him some sort of reward for exposing a huge vulnerability? Instead, they eat the reward and shit on the guy who produced it. Real classy FB.
13
onewaystreet 4 days ago 2 replies      
> With the RCE it was simple to read the configuration file to gain the credentials necessary for this database. I connected and dumped the contents of the users table.

This was his mistake. This is a huge no-no. You never dump data unless you have permission. It's against the terms of most bounty programs.

14
phantarch 4 days ago 1 reply      
How likely is it that this sort of a thing stopped being a technical item of discussion and turned into a political one by the security contacts at Facebook?

I'm always curious about what sort of internal pressures would lead people to take a well-reported bug that the author did not take malicious action on and blow it up to the point that the CSO is getting involved.

15
dperfect 4 days ago 1 reply      
Not only did this person make several large and irresponsible mistakes in the process of uncovering and reporting the bug (dumping tons of private user information without permission, going far beyond simply discovering and reporting the bug, etc.), but they also keep referring to Ruby ("running Ruby 3.x, which is susceptible to code execution via the Ruby session cookie") as the vulnerable piece, when in reality, it's the version of Rails that had the vulnerability.
16
kirankn 4 days ago 0 replies      
@secalex I believe that the researcher clearly fulfilled the primary objective of bug bounty programs by exposing a weakness of yours which you, in spite of having large and competent teams, weren't aware of and had not sealed yet. And he did nothing to use that information with a malicious intent.

Your actions are detrimental to your relations to such good mannered external security researchers who are helping you keep your infrastructure safe from the bad guys. You should have been a little more sensitive and a lot more generous than you have been.

17
shawn-butler 4 days ago 0 replies      
Wow what happened to Instagram?

Facebook really needs to go the way of myspace if they keep this sort of behavior up.

How can a CSO at Facebook legitimately tell a CEO of another organization that a vulnerability of "little value" was found when the researcher has your signing certs? Does he lack relevant info or is he just incompetent?

This is tantamount to mafia tactics. Hint, hint, we're facebook so get your people in line or else.

18
shaunol 4 days ago 0 replies      
If companies are going to keep trying to get out of paying bounties for insane vulnerabilities like this, white hat researchers will just move onto something else, leaving the bounties to be paid out by the black market. Bounties aside, contacting his employer is a disgusting move.
19
aioprisan 4 days ago 0 replies      
This is as clear cut a case of full exploit with escalation of privilege all the way to full services source code read access, SSL private keys, full admin AWS credentials, services API keys from Twitter to analytics, email server logins, the list goes on.. all of this without even looking at a single user profile or violating user privacy, and it's not a legit security bug? This has to be worth more than $2500, and I think Facebook sets a bad precedent where folks won't disclose big security issues because of how unclear the TOS are, so that they can avoid embarrassment.
20
ctvo 4 days ago 0 replies      
October 22nd: Weak passwords found and reported. Also grabbed the AWS keys from the config file.

October 24th: Server no longer reachable. Tested keys and they still worked, assumed to have gone on a download spree.

Seems like this is the biggest issue with how Facebook handled this case. No one looked to see what Wes accessed when he logged in with the weak credentials? No one realized he could have accessed the AWS key?

To treat what Wes found as a minor bug and then fuck up like that is sort of hilarious.

21
ryanlol 4 days ago 1 reply      
The fact that Alex Stamos from Facebook contacted this researcher's employer talking about potential lawsuits to threaten the employee via a proxy is probably the single most damning thing in the entire article.

That to me is entirely unacceptable, if you want to threaten someone then have your legal team send them a cease and desist. Don't go after their livelihood.

22
tptacek 4 days ago 1 reply      
Wait a sec.

Look at his timeline again.

He tested the AWS creds in October.

They shut the server off on October 24.

He reported the AWS creds in December.

Did he tell them about the AWS creds before then? His mails don't say that he did.

If he didn't, why didn't he?

23
zupreme 4 days ago 0 replies      
Ridiculous.

This is why many security professionals become disillusioned with bounty programs. This story is not uncommon at all.

Bounty programs, while presenting a tempting incentive to practice one's skills, are a very poor income strategy.

You are essentially working, unpaid, for organizations who are just as likely to ignore you (or report you to law enforcement) as they are to pay you for your findings.

No wonder so many young talented security pros are easily tempted to trade their findings for the safety of a crypto transaction with an anonymous buyer than they are to submit them through official channels.

24
joeyspn 4 days ago 0 replies      
It's clear to me after reading between the lines of both sides of the story, that Instagram/FB sec team screwed up not acknowledging the severity of the bug and paying accordingly to the researcher.

Why get mad about a "low level bug"... I mean, if you can dump private user pics from a photo sharing app, how is this low level? really?

It's also pretty clear that the researcher shouldn't have dumped data although most likely he reserved this hidden card for later since he was expecting the lowball... but there are smarter ways to reply to lowballing.

IMO poorly managed on both parts.

25
pmontra 3 days ago 0 replies      
It's not the main point of the post, which is Facebook's response to the researcher, but I'm really surprised that they're storing unencrypted secret keys and source code on S3. They trust Amazon a lot and have no fear that somebody could eavesdrop on Amazon servers (if I were a black hat I'd go for the accounts of the big guys, not for the one of a random guy)

http://www.exfiltrated.com/research-Instagram-RCE.php#One_Ke...

I wonder what any claim of protecting user's privacy is worth when they leave their credentials unprotected in that way.

https://www.instagram.com/about/legal/privacy/

"We use commercially reasonable safeguards to help keep the information collected through the Service secure [...]"

Ops.

I can imagine why they didn't appreciate the efforts of the researcher. Hopefully they'll change their current practices.

26
mef 4 days ago 0 replies      
An interesting decision on Alex's part to only pay the $2500 for the RCE bug.

On one hand, this signals to anyone else who might want to disclose security issues that Facebook bounties don't pay out anywhere proportionally near the full potential damage impact of the issue.

On the other hand, if they pay out a lot more now, they're signalling that if you find a vulnerability, you need to dig deeper in order to have insurance in case Facebook gets stingy.

Probably the best outcome would have been to pay out a more proportional bounty, even though Wes' exploration was beyond what's generally acceptable, so that Facebook's bounty program reputation is preserved.

That or press criminal charges to discourage any other researchers from going over the line.

27
Animats 4 days ago 3 replies      
The initial bug in Ruby/Rails is striking in its stupidity.[1] You can send something to Ruby/Rails in a session cookie which, when unmarshalled, stores into any named global variable in the namespace of the responding program. It's not a buffer overflow or a bug like that. It's deliberately designed to work that way. It's like doing "eval" on untrusted input. This was on YC years ago.[2] Why was anything so idiotic ever put in Ruby at all?

Something like this makes you suspect a deliberate backdoor. Can the person who put this into Ruby/Rails be identified?

[1] http://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-u...

[2] https://news.ycombinator.com/item?id=6110386
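
An added example, not part of the thread and not Rails or Sensu code, for the two points raised in comments 10 and 27: a signed session cookie is only as trustworthy as its secret, and what gets deserialized after verification matters. Rails 3's cookie store used the `payload--digest` shape with Marshal and HMAC-SHA1; this sketch swaps in JSON and HMAC-SHA256, and the function names, secret list and minimum length are assumptions made for the example.

```ruby
require "openssl"
require "json"

# Constructed placeholders standing in for secrets that ship in a public
# repository or sample config; these are not real keys from any project.
KNOWN_PUBLIC_SECRETS = [
  "example-default-secret-copied-from-a-public-repo",
  "changeme-changeme-changeme-changeme"
].freeze

# Minimum length assumed for this example.
MIN_SECRET_BYTES = 32

# A secret is weak if it is missing, short, or publicly known.
def weak_secret?(secret)
  return true if secret.nil? || secret.bytesize < MIN_SECRET_BYTES
  KNOWN_PUBLIC_SECRETS.include?(secret)
end

def digest_for(payload, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), secret, payload)
end

# Constant-time comparison so the check does not leak how many leading
# characters of the digest matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Serialize with JSON (plain data only) and sign. Refuses to run with a
# weak secret, so a forgotten default fails at deploy time.
def sign_session(data, secret)
  raise ArgumentError, "refusing to sign with a weak secret" if weak_secret?(secret)
  payload = [JSON.generate(data)].pack("m0") # strict base64
  "#{payload}--#{digest_for(payload, secret)}"
end

# Returns the session hash, or nil if the cookie is malformed or the
# signature does not match. Nothing is decoded before the MAC is checked.
def verify_session(cookie, secret)
  payload, digest = cookie.to_s.split("--", 2)
  return nil if payload.nil? || digest.nil?
  return nil unless secure_compare(digest, digest_for(payload, secret))
  JSON.parse(payload.unpack1("m0"))
rescue ArgumentError, JSON::ParserError
  nil
end

if __FILE__ == $0
  secret = "constructed-demo-secret-" + "d" * 24 # constructed sample value
  cookie = sign_session({ "user_id" => 7 }, secret)
  puts "verified: #{verify_session(cookie, secret).inspect}"
  puts "default secret flagged: #{weak_secret?(KNOWN_PUBLIC_SECRETS.first)}"
end
```
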

28
piker 4 days ago 1 reply      
Posting this write-up might be the last thing the researcher should have done--from a criminal liability perspective. First, the negative press might serve to piss off Facebook (who could have some perspective we are not privy to here). From Facebook's angle, the criminal aspect here may be a much closer issue, and this write-up could serve as the tipping point. Second, as a party admission, this post could very well be admissible against the researcher at trial. Without a doubt, it can be used to contradict any testimony he might provide in defense of his actions here. (So, you HAD read the ToS, correct?) Even without Facebook's "pressing charges", a US Attorney with political aspirations might just decide she has enough here to move forward against the researcher in an effort to appear "tough on cybercrime". This whitehat stuff is murky territory for sure.
29
guard-of-terra 4 days ago 0 replies      
Once again we see how people act hard-ass in sight of gaping vulnerability in their system. Be it law system, computer system or moral system, you will see denial and intimidation.

We should have "pastebin hat" list and Facebook should definitely be on it.

The problem with humans is that they will rather go extinct over such things than behave properly. You could try to teach us by painful example but death will probably come first.

30
danra 4 days ago 0 replies      
I don't see how the CSO's response makes sense for Facebook's security interests. As CSO, it is in your interest to allow a researcher to exploit an RCE to its furthest. Otherwise, you would only ever allow researchers to inoculate your outermost layer of protection, while leaving any inner level untested and thus less secure.

If indeed only credentials and technical information were obtained, all aimed at finding more security issues, Facebook should be thankful for finding all the vulnerabilities across all their security layers.

31
arbitrage314 4 days ago 1 reply      
If accurate (which it seems to be), a very disappointing handling by Facebook.
32
adrianmacneil 4 days ago 0 replies      
When reading the author's article, it would certainly be easy to grab the pitchforks. It is actually a pretty interesting/useful vulnerability that some low-level AWS keys were able to be escalated to some highly privileged keys, and that none of these keys were IP-whitelisted.

However, the biggest issue I see here is that the author (in their own timeline at the bottom of this post) says that they discovered the AWS keys on October 24, yet they did not report this to Facebook until December 1 (in the meantime, they were having various discussions with Facebook about whether their other submissions were valid). That is seriously concerning behavior; if you come across some live AWS keys this should be reported immediately, you should absolutely not just sit on them for over a month as if they are some sort of bargaining chip.

33
kunle 4 days ago 1 reply      
If accurate, seems like a pretty counterproductive way to handle this.
34
joepie91_ 3 days ago 1 reply      
My two cents.

It seems that people defending Facebook's behaviour in this thread have collectively lost sight of what the point of a bug bounty is to begin with - to encourage people to report issues, rather than sell them.

We now have people arguing that "it is not acceptable to pivot beyond the initial intrusion for a bug bounty", even though a malicious attacker would have done the exact same thing. As long as standard no-damage rules are followed, where's the problem?

The bug bounty program is working exactly as intended, but the researcher is getting dinged over arbitrary rules. As somebody else here mentioned already: the reason blackhat work still pays, is because such arbitrary and bureaucratic rules do not exist there.

We should not forget that bug bounties are a tool, not a goal - the goal is to convince researchers to report rather than sell, and every part of a bug bounty and its rules must be designed accordingly.

Also: Why the hell were those AWS credentials not revoked immediately after compromise? This constitutes a grossly negligent failure on Facebook's part to assess impact, on top of their existing failure to have the "keys to the kingdom" on a single server to begin with.

And frankly, that failure only reinforces the need for the researcher pivoting into further systems, rather than just keeping it to a PoC - because evidently, nobody is going to assess impact at Facebook, if the researcher doesn't do it himself.

35
spicyj 4 days ago 0 replies      
Alex Stamos (Facebook CSO) just posted an official response:

https://news.ycombinator.com/item?id=10755060

36
Pxtl 4 days ago 0 replies      
On the one hand I got a little squicked in the story when he started cracking passwords, but on the other hand I kind of assumed that bug bounty systems would want the tester to find out how deep the bug goes. Otherwise the depth of your security isn't being tested.
38
Dolores12 3 days ago 0 replies      
The lessons I learned here are:
1) any RCE vulnerability of Instagram leads to unrestricted access to user data. Facebook knows it, does nothing about it.
2) Facebook will not pay you your bug bounty reward, but will complain to your employer.
39
AVTizzles 4 days ago 0 replies      
Why call the CEO and not his Mom?
40
marincounty 3 days ago 0 replies      
"As a researcher on the Facebook program, the expectation is that you report a vulnerability as soon as you find it. We discourage escalating or trying to escalate access as doing so might make your report ineligible for a bounty. Our team assesses the severity of the reported vulnerability and we typically pay based on its potential use rather than rely on what's been demonstrated by the researcher."

Well, FB feels your bug bounty is worth $200? Strike that figure. We feel like your bug bounty is worth a $100 advertising credit, if you buy $100 in advertising? Next time just report the bug. Thanks!

(I don't know if my innate dislike of FB, or I feel it shouldn't be up to a company to determine what they feel a bug is worth? If you are going to have a bug program--put in some Very solid rules? They shouldn't be just winging it at this point? It's not some cute little start up? It's a huge machine that's making a fortune off its victim?

I'm still not sure if FB really cared about this hacker's escalation of a potential attack, or it's about money? Would I want a hacker to show me my vulnerability with my clients information--no, but make that crystal clear in the TOS.)

41
giancarlostoro 4 days ago 0 replies      
I really don't want to imagine what would have happened if he wasn't part of the bug bounty and instead after malicious intent how bad things would have gone.
42
redditplebs 4 days ago 0 replies      
Looks like the site's down. Mirror/Google cached page: http://webcache.googleusercontent.com/search?q=cache:vR9o3UY...
43
ishanr 4 days ago 0 replies      
It's really simple. This is the beginning of the end of Facebook. With their fake clicks on their ads and what not.
44
eecks 4 days ago 1 reply      
imo Facebook should be grateful for people like this instead of burning them
45
ianhawes 4 days ago 1 reply      
I'd like to see a service where a company's source code/database/confidential info is placed in escrow pending the payout from a bug bounty. Or, perhaps more likely, some sort of 3rd-party arbitration.
46
socrates2016 3 days ago 0 replies      
Nerd owns FB and wants to rub it in their face. FB power plays nerd. Nerd publicly pawns FB in retaliation.
47
henley-cs 4 days ago 0 replies      
that's a lot of posturing on both sides. FB had some severe vulnerabilities that the author certainly pointed out. And the author could have read the bucket contents without downloading them. FB clammed up. The author overreached. Neither ends up really winning anything here. Tis a shame.
48
ibic 3 days ago 0 replies      
CSO slaps a legal threat to a security researcher and talks about ETHIC? Good job man, gooooooooooooooooooooooooooooooooood job.
49
mml 4 days ago 0 replies      
Bad form on Mr. Stamos' part.

edit: if it's indeed true, but I have my doubts that's the case. Hard to say either way.

50
bsmartt 4 days ago 0 replies      
I thought their stack was django?
51
joshmn 4 days ago 0 replies      
> Ruby 3.x

Rails 3.x

52
twerkmonsta 4 days ago 1 reply      
Is it normal for security researchers to use Windows for their OS?
53
maemilius 4 days ago 1 reply      
Am I the only one mildly annoyed that the author constantly conflated Rails and Ruby?
54
blazespin 4 days ago 4 replies      
In general, if you have a green handle, you shouldn't be commenting on things like this. Otherwise we'll have sock puppets galore muddying the waters.
55
dang 4 days ago 0 replies      
Please don't do this here.
Show HN: Open Hunt an open and community-run alternative to Product Hunt openhunt.co
1072 points by mhurwi  3 days ago   176 comments top 61
1
mindcrime 3 days ago 8 replies      
I will definitely use this over ProductHunt. I mean, for crying out loud, I signed up for PH just now to leave a comment and the first thing you get is "commenting is restricted to those users invited by others in the community". Yeah, so I have to supplicate myself to some random Internet stranger and beg permission just to comment on your site? Not happening...
2
msvan 3 days ago 6 replies      
The idea is nice, but cynical me can't escape the idea that Product Hunt is successful in part because it is a mirror of reality, where capital and connections are the reigning currency. If you create a platform where capital and connections are deprioritized, you will not attract the people who have that in real life, making it less useful as a promotion venue.
3
jacquesc 3 days ago 5 replies      
For a bit of background:

- https://news.ycombinator.com/item?id=10739875

- https://news.ycombinator.com/item?id=10741827

I've been a Product Hunt user from their initial HN launch and am still a big fan. They've made a very important impact in the tech scene. Open Hunt is an honest attempt at a community run alternative, tailored to giving / getting feedback, and finding very early stage stuff.

Would love your feedback!

4
richardbrevig 3 days ago 2 replies      
I love this! "Login unsuccessful. Something went wrong: Error: api_calls exceeding plan authorized calls" when I went to log in with Twitter. Good problem for you to have, I look forward to you working this out so I can participate.

Honestly, I only signed up for Twitter to join Product Hunt. That was a huge disappointment when I found out that having an account didn't mean anything. This will be a pleasant change, it's about time.

5
DanBC 3 days ago 2 replies      
I'd join this.

It's asking for scary permissions:

> Read Tweets from your timeline.

> See who you follow, and follow new people.

> Update your profile.

> Post Tweets for you.

Please, consider adding more options, or explaining how you use those permissions. (For example, you can do what you like to my facebook wall.)

EDIT: Lack of public posting is an interesting choice. It doesn't feel like much of a community. I can see that public comments risks undue negativity or aggressive feedback.

6
mmohebbi 3 days ago 1 reply      
You should take a look at lobsters. They solve a lot of the transparency issues that some have with HN and ProductHunt.

"Some other link aggregation sites are operated by corporate entities which may have significant financial incentive to censor or artificially promote the links and discussion that relate to those entities, their investments, or their competitors. Some of these sites have had moderators of popular sub-forums banned after it became known that they were being paid by 3rd party companies seeking special treatment of their submitted stories.

All moderator actions on this site are visible to everyone and the identities of those moderators are made public. While the individual actions of a moderator may cause debate, there should be no question about which moderator it was or whether they had an ulterior motive for those actions.

All user voting and story ranking on this site uses a universal algorithm and does not artificially penalize or prioritize users or domains. Per-tag hotness modifiers do affect all stories with those tags, but these modifiers are made public and usually used to shorten the life of meta-discussions. If certain domains have to be banned from being submitted due to spam, the list will be made publicly available.

If users are disruptive enough to warrant banning, they will be banned absolutely, given notice of their banning, and their disabled user profile will indicate which moderator banned them and why. There will be no hidden or childish "shadow banning" or "hellbanning" of users popular on some other sites.

The source code to this site is made available under a 3-clause BSD license for viewing, auditing, forking, or contributing to. This code is always up to date with what is running in production on this website.

Public stats are available for site requests, comments submitted, stories submitted, and users created."

https://lobste.rs/about

https://lobste.rs/moderations

7
danielrakh 3 days ago 2 replies      
So who's going to be the first one to submit this to Product Hunt? :D
8
Vaskerville 2 days ago 2 replies      
It's ridiculous the way they hand out the ability to make comments. These days, the comments are so watered down many of them are mostly useless. "Tell us about your process"..."tell us more about onboarding". Comments are filled with marketers and friend of friends egging things along without substance. It's hurting the site - if they don't see this they are really missing the boat.

That being said, it's sad to see people rip on others sites/ideas blatantly. OpenHunt should quickly come up with an original design and find something unique in their approach.

9
mythun 2 days ago 0 replies      
Love the idea. But a positive part about PH is that I can view the discussion on the product by people (sometimes) more experienced than me, and then decide if it is worth my time to install/test out the product. If feedback on OH is private that angle is removed.

But definitely back the idea - PH has become too undemocratic, and it's obvious that if you don't have the right connections your product will never surface. I know people who've reached out to "influencers" on PH to have their product hunted by them.

10
tedmiston 3 days ago 0 replies      
You're #1 on Hacker News and Product Hunt today with an app whose repo was created 12 days ago and your server is not down. That's commendable in itself.
11
tarr11 3 days ago 2 replies      
Tried to join:

Login unsuccessful. Something went wrong: Error: api_calls exceeding plan authorized calls

12
MattBearman 3 days ago 0 replies      
I'm really happy to see this. As the solo-founder of a bootstrapped start up nowhere near Silicon Valley, things like Product Hunt can make me feel like a complete outsider.

Quick question: PH wants people to sign up with their personal Twitter account, rather than a company one, is that the case here? I never use my personal account, so would prefer to be able to sign up using @bug_muncher

Also, I love the "You reached the beginning!" message at the bottom, not sure why, but it really made me smile :)

13
Cyberdog 3 days ago 1 reply      
Could you please make the description text darker for each listing? Light gray text is very hard to read against a white background.
14
BorisMelnik 3 days ago 0 replies      
I also signed up for Product Hunt 1+ years ago and don't have the ability to comment even though I regularly share things on Twitter, purchase products, curate lists and interact as much as possible.

+1 for any alternative system.

15
goodJobWalrus 3 days ago 1 reply      
If you are naming it "Open Hunt", clearly as a jab at PH, you are giving it more attention than you should, given your mission, IMO.
16
sandGorgon 3 days ago 0 replies      
This is pretty cool - I notice you're building on top of Rails. Do consider using the source code of lobste.rs (which is like HN but open source). It has quite a bit of community development behind it and I daresay can be quickly adapted into the product hunt model.

https://github.com/jcs/lobsters

I'm trying to build in elasticsearch support in lobsters for a personal project - it currently uses sphinx. But it could be pretty cool if you can use that as a starting point.

17
bambax 2 days ago 0 replies      
Great idea and execution; already discovered a super-useful service, Bulk Resize Photos.

Not sure if this is a feature or a bug: when one clicks on the "comments" line, it opens a right-side panel for the current item; if one clicks another comments line, the right-side panel is updated with the new item => so far so good.

BUT, when one clicks on another item while the right-side panel is open, it doesn't update said panel; it opens a new tab to the item's website, but the panel doesn't change, so that when one comes back to OH, the panel doesn't match the last consulted item.

It's probably not an easy fix, because, what should happen when one opens more than one item?

However, since the comments pane is super simple, maybe it would make sense to open it under the corresponding item instead of to the side, so that it's visually related to the correct item instead of being in a generic location?

My 2 cents. Very cool initiative anyways.

18
sycren 3 days ago 0 replies      
Did you consider using http://www.telescopeapp.org/ to build this open version?
19
eecks 3 days ago 2 replies      
Without comments it doesn't feel like a community
20
kevindeasis 3 days ago 0 replies      
I will be using this because I think Product Hunt can't manage their waiting lists. I mean I've been waiting for a long time to be removed from the waiting list. I've also been doing their "suggestions" to get a full membership. But, I get nothing. Hopefully Open Hunt gets a stronger community.

BTW: your api calls for registration has exceeded

21
bonyboy 3 days ago 0 replies      
Congratulations, I hope this gets the traction it deserves.

Disrupting the disrupters.

22
pibefision 3 days ago 1 reply      
I like the idea. why comments are not public?
23
unclebucknasty 3 days ago 1 reply      
It seems that one problem with a purely community-driven site like Open Hunt is that the overwhelming majority of people are interested in publishing to it vs. consuming from it. Sure, you might browse it to see if anything there is interesting, but most of the enthusiasm will come from those seeking a channel for their product. Hence, the audience itself vs the publisher set is limited in comparison to "that other site".

OTOH, the latter site is presumably visited by potential investors and others who have a financial interest in consuming what's published.

Additionally, without "throttling", you have a ton of stuff featured, adding to the skew. Thus, much of what's submitted has only one or two votes. People are primarily posting and moving on.

Or, am I missing something?

24
pavornyoh 3 days ago 0 replies      
I really like how you keep updating the site throughout the day based on the feedback you are getting here. Also, the suggestions made by users going directly to the creator of a project is pretty awesome. Good job.
25
intrasight 3 days ago 0 replies      
Within a couple weeks, this is going to need curated categorization of products. At the highest level, I'd categorize as:

a. physical product

b. installed software product

c. web service product

d. hybrid software+service product

Could be even broader. Or use tagging. You probably wouldn't look in the above categories for performance events, dining out, or phone sex. Must decide how wide a net you wish to cast, and what ontological approaches to use. But this, in my opinion, is where it gets interesting.

26
mckee1 3 days ago 1 reply      
Where is the feedback shown? I have submitted "Too" and it says one person has left feedback but I can't see it anywhere (I am logged in with the account that submitted).
27
mrnismo92 3 days ago 0 replies      
1) This is pretty cool

2) I think this and Product Hunt can co-exist

3) I'm interested in learning about how other members think Open Hunt can go from "open community" to "sustainable community"?

28
return0 3 days ago 0 replies      
I find myself using it already - great job!

Edit: The subtitle font is way too washed out. i struggle to read it. Also some submissions are not "products" - is that appropriate?

29
astrowilliam 3 days ago 1 reply      
I'm getting this error when trying to sign up with Twitter.

"Login unsuccessful. Something went wrong: Error: api_calls exceeding plan authorized calls"

30
AndrewKemendo 3 days ago 0 replies      
I signed up and submitted actually.

I am curious, why are comments/feedback all hidden? I would certainly like to read those - even if they are made anonymous.

31
toni 3 days ago 1 reply      
Can you please add a RSS feed?
32
dayaz36 2 days ago 0 replies      
Will be interesting to see the quality of products from both sites. Will definitely be using Open Hunt from now on, then go over to PH to see the discussion on the products. I have no idea why they made the comment section private. That's the only downside I see to the site. Everything else I like.
33
webmasterraj 3 days ago 1 reply      
Make sure you guys get a daily newsletter going out asap. I don't have inside information, but I'd guess it drives a ton of PH's daily returnee traffic. I for one know I won't be checking this every day, but I would read something in my inbox every morning (same with PH)
34
sideproject 3 days ago 0 replies      
For those who would like to launch their own version of HN or PH, would love for you to check out HelloBox - something we've been working on for awhile.

https://www.hellobox.co

[Now that I think about it, I should put this on the OpenHunt!]

35
eps 3 days ago 2 replies      
Getting stuck on "Completing login..." screen, with the URL of https://www.openhunt.co/login/callback - just sits there and nothing happens. Using stock iPad.
36
voltagex_ 3 days ago 1 reply      
Uh oh: Login unsuccessful. Something went wrong: Error: api_calls exceeding plan authorized calls
37
peckrob 3 days ago 0 replies      
Hey, this is really cool! Any chance you could add a daily summary email (like PH and some other similar sites have), or am I just missing it? That's a really easy way for me to keep up with what's been featured.
38
safeharbourio 3 days ago 0 replies      
For upcoming PH excluded startups, this is amazing, good job jaques, live long and prosper!
39
secondbond 3 days ago 2 replies      
Problem will be number of posts per day. There is gonna be huge number of products everyday and some gonna buried down not because of there are not good but there are not so visible - timezone problem.
40
goodoldboys 2 days ago 0 replies      
Just tried emailing you at the address listed on your site and got an undeliverable. Definitely interested in helping contribute.
41
andrewstuart 3 days ago 2 replies      
It should have paid as well as organic otherwise there's no business model and it's just a small rebellion that might be abandoned for lack of income.
42
secondbond 2 days ago 0 replies      
Interestingly, no news coverage yet for Open Hunt. May be, conflict of interest with Product hunt.
43
ex3ndr 2 days ago 1 reply      
What platform are you using behind this?
44
moron4hire 3 days ago 0 replies      
I don't like that the comments aren't public. I'm finding it way too easy to be short.
45
onurozkan 3 days ago 0 replies      
nice alternative to PH, i believe its a good chance to smaller projects to be on spotlight.

why OpenHunt is good for PH;

- It will be a PH's moderation app, every nice project can be submitted by PH's trusted members.

- PH can get valuable feedback from this thread.

- PH can integrate every feature from OH

46
pcmaffey 2 days ago 0 replies      
My suggestion for a name: "Gather"

or some iteration thereof...

47
eecks 3 days ago 0 replies      
Disappointed by the twitter only sign up but I am still going to join because I like the idea.
48
Uptrenda 3 days ago 0 replies      
Good ideas in retrospect always seem so obvious at the time. Love the idea OP.
49
t3ra 2 days ago 0 replies      
PH team's reactions must be like :

Day 0 : Yeah other 'PH is crap' HN/blog/medium post

Day 2 : Oh so someone 'anonymous' is building a competitor.. They are having a Google form.. How noobish

Today : haha Oh look they copied our design . how original

Future : oh we need to pivot

50
withoutfriction 3 days ago 1 reply      
Please fix the modal on mobile -- ios9 it seems impossible to get rid of the modal :)
51
kaushikt 2 days ago 0 replies      
Great job.

High time you add pagination on the landing page now. :)

52
KuhlMensch 2 days ago 0 replies      
Nice, but will wait until comments are public
53
misiti3780 3 days ago 1 reply      
tried to sign up and got this after twitter auth:

Login unsuccessful. Something went wrong: Error: api_calls exceeding plan authorized calls

54
iliaznk 2 days ago 1 reply      
I wish there was RSS feed.
55
free2rhyme214 3 days ago 0 replies      
Awesome!
56
boksiora 2 days ago 0 replies      
It was about time
57
tmaly 3 days ago 1 reply      
how long did it take you to put the site together?
58
ex3ndr 2 days ago 0 replies      
Will ProductHunt shutdown OpenHunt with power of law?
59
kilimchoi 3 days ago 1 reply      
how do you plan to filter spammy links?
60
purans 3 days ago 0 replies      
+100
61
mindcrime 3 days ago 0 replies      
And just to make things even more meta:

https://www.reddit.com/r/openhunt/

(If somebody affiliated with OpenHunt wants control of that sub, just message me).

The first person to hack the iPhone is building a self-driving car bloomberg.com
941 points by bcg1  5 days ago   445 comments top 62
1
jpfr 5 days ago 25 replies      
Prototypical case of the 80/20 rule. He has implemented the happy case. But that system is nothing people realistically would want to drive their cars.

What he did is impressive. But the results are not that outlandish for a talented person.

1) Hook up a computer to the CAN-Bus network of the car [1] and attach a bunch of sensor peripherals.

2) Drive around for some time and record everything to disk.

3) Implement some of the recent ideas from deep reinforcement learning [2,3]. For training, feed the system with the observations from test drives and reward actions that mimic the reactions of actual drivers.

In 2k lines of code he probably does not have a car model that can be used for path planning [4] (with tire slippage, etc.). So his system will make errors in emergency situations. Especially since the neural net has never experienced most emergencies and could not learn the appropriate reactions.

And guess what, emergency situations are the hard part. Driving on a freeway with visible lane markings is easy. German research projects autonomously drove on the Autobahn since the 80s [5]. Neural networks were used for the task since about the same time [6].

[1] http://www.instructables.com/id/Hack-your-vehicle-CAN-BUS-wi...

[2] http://arxiv.org/abs/1509.02971

[3] http://arxiv.org/abs/1504.00702

[4] http://www.rem2030.de/rem2030-wAssets/docs/downloads/07_Konf...

[5] https://en.wikipedia.org/wiki/Eureka_Prometheus_Project

[6] http://repository.cmu.edu/cgi/viewcontent.cgi?article=2874&c...

2
paragpatelone 5 days ago 4 replies
"His self-funded experiment could end with Hotz humbly going back to knock on Google's door for a job."

The biggest thing here IMO is this is self-funded. Any startup trying to do what he is doing in this environment would have raised $50 Million, hired 100's of engineers from top notch schools, become accepted in YC, and have Marc Andreessen, Paul Graham, Sam Altman and all singing their praises.

Kudos to him for being self-funded.

3
thedz 5 days ago 16 replies
> I understand the state-of-the-art papers, he says. The math is simple. For the first time in my life, I'm like, I know everything there is to know.

Yep, he's still in his twenties.

4
1024core 5 days ago 1 reply      
Like most hard problems, it's easy to pick off the low-hanging fruit and claim that you have a solution.

Self-driving cars (in some form or the other, under some loose definition of "self" and "driving") have been around since the 20s. But it still remains a vexing problem.

It is quite easy to program a car to stay between 2 cars and follow the car in front. It is quite another to have the same car drive on (a) a road without lane markings; (b) in adverse weather conditions (snow, anybody? Hotz should take the car to Tahoe); (c) in traffic anomalies (ambulance/cop approaching from behind; accident/debris in front; etc. etc.); and so on.

No offense to GeoHot, but I'd love to see his system work in rush-hour 101 traffic; or cross the Bay Bridge, where (coming to SF) the lanes merge arbitrarily.

The key challenges are not only to drive when there's traffic; but to also drive when there's NO traffic, because lane markings, etc. are practically nonexistent in many places.

Having said all that, I still admire his enthusiasm and drive(no pun intended). Tinker on!

5
ixtli 5 days ago 1 reply      
It's somewhat frustrating that he continues to get the credit for "hacking the iphone" when he was neither the first nor the only person on the project. The "iPhone Dev Team" was a group of five to ten people who built tools to jailbreak the phone and unlock the radio. If anything, the first person was a guy called Nightwatch who was also associated with various .tif exploits to unlock the PSP. As near as I could tell at the time he worked in some capacity for a South American university. Geohot worked only on the baseband unlock and was forced out of the closed discussions when he released exploits before everyone had time to prepare. This is important because some people's participation in the project could have potentially affected their employment. Luckily I don't know that anything bad happened, but suffice it to say the kid is not a team player.
6
pjc50 5 days ago 3 replies      
The 21" monitor portrait-style in the car is fantastic.

The testing of a hacked-together system on the public road is not. He probably won't kill anyone, but if he were to I suspect he'd get the book thrown at him in the way that everyday death-by-DUI drivers don't.

Actually I'll go further with this criticism: we've just seen drones being FAA regulated because users were unable to refrain from doing dangerous or nuisance things with them, such as flying near airports. DIY self-driving car research is similarly likely to damage the concept if it goes wrong.

7
reneherse 5 days ago 0 replies      
For comparison, a similar hacker spirit underpins Tesla Motors propulsion tech: Back in the early 2000's, there was a young engineer driving around Palo Alto in a brilliantly hacked electric Porsche 944, which would do about 130mph on the highway.

His name was JB Straubel, and nowadays he's Tesla's CTO.

Best of luck to Hotz!

8
jaybosamiya 5 days ago 7 replies      
> The last people with jobs will be AI programmers

Geohotz makes a decent point. The way the industrial revolution reduced manual labour, and made thinkers and tinkerers much more valuable, the advent of AI (true AI, mind you, not the tiny stuff that we currently assume) might actually make us obsolete. It is a peaceful and yet terrifying thought.

9
rhema 5 days ago 2 replies      
> Amazed, I ask Hotz what it felt like the first time he got the car to work.

>Dude, he says, the first time it worked was this morning.

I can't tell if this is a joke or unbridled hubris. Either way, self driving cars seem like a new hacker space.

10
hamhamed 5 days ago 3 replies
> Frankly, I think you should just work at Tesla, Musk wrote to Hotz in an e-mail. I'm happy to work out a multimillion-dollar bonus with a longer time horizon that pays out as soon as we discontinue Mobileye.

> I appreciate the offer, Hotz replied, but like I've said, I'm not looking for a job. I'll ping you when I crush Mobileye.

> Musk simply answered, OK.

I have to agree with Elon here, Hotz is such a good fit there. But Hotz knows best, if he thinks he can take down Mobileye then he did the right decision, sucks that Tesla wouldn't back it. I'm sure other car companies would buy Hotz's software

11
antoniuschan99 5 days ago 1 reply      
He seems like a pretty cool and level headed person. If you watch the video, they're working on phase 3 of car automation which is basically when you're on the highway (or on the smaller roads) and the car takes over for you. It seems like google is working on phase 4, which I feel is basically too far off (no reason for us to need cars that can drive themselves without anyone in it). Also, Tesla, Mercedes, those are all phase 3 (Autosteer).

Also pretty cool he's working in his garage :P.

12
deftnerd 5 days ago 1 reply      
@imgeohot - Before launch, you should look into a communications protocol between the vehicles. It appears to me that the new LiFi standard might be perfect. You might be able to use the laser range finders themselves to communicate between vehicles.

What to communicate? I'm not sure, to be honest. Road conditions or notifications of the position of obstacles is one obvious thing. Advertising the current version of the software and pushing signed OS upgrade binaries is another. Voice/Video chat with other vehicles in range would be cool, as is media syncing and discovery.

Building in some kind of Bitcoin based payment protocol would be fun too. You could load your cars Bitcoin wallet with some funds and tip cars around you all over the LiFi.

I'm not saying you need to build all that stuff, just put in a good hackable messaging protocol into the system before wide release :-)

Great work man. Good to see people with a good hacker ethos accomplish really cool things.

13
iblaine 5 days ago 2 replies      
>The smartest people I knew were in high school, and I was so let down by the people in college.

He seems like a good person to get into business with. He's so non-judgmental. Reminds me of myself and all the stupid things I said to VCs in my 20s.

14
blinkingled 5 days ago 1 reply      
>At Google, he found very smart developers who were often assigned mundane tasks like fixing bugs in a Web browser; at Facebook, brainy coders toiled away trying to figure out how to make users click on ads.

I'm not sure those two are equally horrible though - fixing complex bugs requires using lot of skills and the high you get when you finally nail it is nothing to miss.

Getting people to click on ads though - that's genuinely depressing.

15
hias 5 days ago 4 replies      
Sorry, but how can this be legal? With his homemade solution, he is not only endangering himself but all the other people in the cars around him.

Usually before you are allowed to use something like this on a public road your stuff has to be tested and approved by the state. At least this is how it is in Europe, does this not matter in the states?

16
hellofunk 5 days ago 1 reply      
I don't know what's going to happen with this project of his, but this certainly is an interesting article:

>Sitting cross-legged on a dirty, formerly cream-colored couch in his garage, Hotz philosophizes about AI and the advancement of humanity. Slavery did not end because everyone became moral, he says. The reason slavery ended is because we had an industrial revolution that made man's muscles obsolete. For the last 150 years, the economy has been based on man's mind. Capitalism, it turns out, works better when people are chasing a carrot rather than being hit with a stick. We're on the brink of another industrial revolution now. The entire Internet at the moment has about 10 brains' worth of computing power, but that won't always be the case.

17
tmalsburg2 5 days ago 2 replies      
Surprised that no one else commented on this: It is completely mad and irresponsible to test a self-driving car on a public highway especially since the one who has built it admits that he has no idea what it is doing. Hotz is putting other people's lives in grave danger and everyone is applauding him for that.
18
dangirsh 5 days ago 0 replies      
I met Hotz at SpaceX, and can assure you he's not as cocky as this article makes him out to be.
19
ericjang 5 days ago 0 replies      
During my internship at Google I watched Hotz give a talk on QIRA and his Pwnium exploit.

George Hotz working his magic on the computer is the most fucking legit thing I have seen in my life.

20
dkns 5 days ago 0 replies      
Absolutely exciting stuff. Imagine if you have 100, 1000 or 10000 cars each with deep learning software on board. Have them all upload data after each drive to central repository and download updates from other cars. You might start without stuff like 'react to that deer that just jumped on the road' but when you have 10 000 or 100 000 cars that learn and share their knowledge between them you'll quickly learn a lot of corner cases.
21
tragomaskhalos 5 days ago 0 replies
"Hold this, he says, dumping a wireless keyboard in my lap before backing out of the garage. But don't touch any buttons, or we'll die."

Quality.

22
erjjones 5 days ago 0 replies      
Self-Driving cars are very exciting but we know it can be done - super cool that Hotz got this working. Now he could really impress the community if he could solve 6 additional concepts http://gizmodo.com/6-simple-things-googles-self-driving-car-...
23
pyoung 5 days ago 0 replies      
Looks like the car he is using already comes with adaptive cruise control and lane keeping assist[1]. Can someone with more knowledge on the subject chime in on how/what he is doing that improves upon those?

[1] http://www.acura.com/Features.aspx?model=MDX&modelYear=2016&...

24
michael_h 5 days ago 3 replies      

> He thinks machines will take care of much of the work tied to producing food and other necessities. Humans will then be free to plug into their computers and get lost in virtual reality.

Well, that's an astronomically depressing future.

25
dvh 5 days ago 1 reply      
I always thought default Ubuntu WM is only used by the people who don't know how to change it.
26
nascentmind 4 days ago 0 replies      
Congrats geohot. Come up with a good development framework for people to build on and it would be awesome. This is good innovation and engineering.

Like the article said it sure beats writing code to make people click ads or fixing some obscure deadbeat bug in some useless software which nobody uses.

27
hcrisp 5 days ago 0 replies      
"I don't care about money," he says. "I want power. Not power over people, but power over nature and the destiny of technology."

This has echoes of J.R.R. Tolkien:

Anyway all this stuff is mainly concerned with Fall, Mortality, and the Machine. By the last I intend all use of external plans or devices (apparatus) instead of development of the inherent inner powers or talents -- or even the use of these talents with the corrupted motive of dominating: bulldozing the real world, or coercing other wills. The Machine is our more obvious modern form though more closely related to Magic than is usually recognised. . . . The Enemy in successive forms is always 'naturally' concerned with sheer Domination, and so the Lord of magic and machines.

28
SuperKlaus 5 days ago 0 replies      
"George Hotz will be a panelist at Bloomberg Businessweek Design 2016 on April 11, 2016."
29
edward 5 days ago 0 replies      
30
Wonnk13 5 days ago 1 reply      
Can anyone recommend a AI/economics book regarding the implications of a population where jobs are no longer necessary?
31
RIMR 5 days ago 1 reply      
This the same guy that Sony wanted to put in prison for figuring out how to run code on the PS3...

That stunt is also what led to a coordinated attack against PSN that took the service down for more than a month.

32
quantumgoo 5 days ago 1 reply      
If it passes the written and driving tests at the local DMV, should the car be given a driver's license?
33
pfista 5 days ago 0 replies      
Is it really the best approach to only train from real world scenarios without any programmed constraints? Most humans are terrible drivers and there's a reason so many people die every year in car accidents. It seems like his approach might be more organic but it'd also be really hard to provide training data around emergency situations as others have mentioned here.
34
politician 5 days ago 1 reply      
If a self-driving car is designed around neural networks, then does that remove the liability dilemma introduced when such a car is involved in an accident? The car panicked and crashed.

If we could move the liability to the car itself, then maybe we could just add the car to its own insurance policy, you know, as if it were a dependent, like a teenage driver.

35
samlittlewood 5 days ago 1 reply      
Interesting to see an nvidia shield box on his shelves [0] - I've been playing with one, and the Tegra X1 SoC in there is an absolute beast. Nvidia are pushing this chip for automotive, supported by freely available learning and vision toolkits.

I'd not be surprised to see some interest and support from nvidia on this (if not, then they should REALLY look into it).

[0] http://www.bloomberg.com/features/2015-george-hotz-self-driv...

36
nojvek 5 days ago 0 replies      
I really like his 4 stage definition of self driving car. I don't really care about the fully autonomous like the google car. I've driven the adaptive cruise control VW in europe and that was an amazing experience. The only thing missing was lane control which this guy has done. Personally, where self driving really shines is long trips on the highway. All I really want is smarter cruise control that can stay on one lane and not bump into anything, and ideally send an alarm if it thinks it needs help.
37
macawfish 5 days ago 0 replies      
This one takes the cake for me: It scares me what Facebook is doing with AI, Hotz says. They're using machine-learning techniques to coax people into spending more time on Facebook.
38
iamleppert 5 days ago 0 replies      
Can we get some third party verification here? I live in Potrero and would like to take a ride in his car, or at least help out with his project... hit me up man!!
39
pakled_engineer 5 days ago 0 replies      
His AI strategy that doesn't use IF statements sounds influenced from the Sussman & Radul paper the Art of the Propagator. In this related course you also learn how to program AI decisions based on pattern matching like him giving space to a cyclist and the AI later doing the same https://groups.csail.mit.edu/mac/users/gjs/6.945/
40
giancarlostoro 5 days ago 0 replies      
He does a bit of interesting projects, hacking the iPhone, Android and even the PS3 to the point of being sued by Sony [1]. Geohot has potential, so it will be interesting what we see him accomplish, hopefully some company doesn't swoop in and ruin his progress.

[1]: https://www.youtube.com/watch?v=9iUvuaChDEg

41
devy 5 days ago 0 replies      
The article mentioned Elon's delaying tactic. I wonder what would happen if Hotz's idea/project was bought out by Tesla.
43
jacquesm 5 days ago 0 replies      
> I know everything there is to know.

Except the law when it comes to exceptions for being in control of your vehicle at all times. Somebody take this guy's license before he kills someone due to a divide-by-zero. Testing this in an abandoned parking lot would be ok with me (probably still against the law but fine). In traffic is a definite no.

44
Grazester 5 days ago 1 reply      
Geo Hotz amazes me!! With that said, can he be prosecuted for using his driverless car on public roads without a license to do so?
45
lavezzi 5 days ago 1 reply      
Probably best that he's working on his own, doesn't seem like the kind of guy you'd want to work alongside.
46
bparsons 5 days ago 1 reply      
Good to see smart people working on something actually useful, and not another group chat or instagram clone app.
47
mandeepj 5 days ago 0 replies      
> In the coming weeks, Hotz intends to start driving for Uber so he can rack up a lot of training miles for the car.

Really? I did not expect this from him. Why doesn't he put his sensors\cameras\kit on a few other hundred\thousand cars and pay them some money or get some early adopters.

48
myztic 5 days ago 1 reply      
(This is completely Off-Topic but it's been bothering me for such a long time now and I never got sufficient answers)

Why am I seeing Ubuntu on Screens of developers, experts, et cetera in Cover Stories such as these, most of the time with the 100% plain Ubuntu Desktop with all the craziness that comes with it? It feels like this is the case 90% of the time. Two more (recent) examples I can remember:

1) Fyodor (Guy behind nmap) running plain Ubuntu on a Notebook while giving a speech at a conference

2) Developers at Honda (Video was an Asimo promotional video) running plain Ubuntu

Since in my personal opinion Ubuntu is not the technically superior choice in these cases (though that can be debated), it can not simply be explained with it being backed by a company, there being support you can buy for the system if you need it.

What motivates technically extremely skilled people to use "Plain Ubuntu" instead of one of the many alternatives?

I really don't understand, please enlighten me!

(I actually think it's worth "spending" some Karma on this if I for once get a satisfying answer)

49
J0-onas 5 days ago 1 reply      
So how does his technology/software react on dangers? The video only shows how he keeps his lane...
50
daemonk 5 days ago 0 replies      
It looks like he has various sensors for gathering driving data. But how do you really know when you have gathered enough dimensions of data in this situation? How do you train for edge cases?

I imagine there will still have to be some hard rules in case the AI encounters edge cases.

51
joe563323 4 days ago 0 replies      
52
Allamaprabhu 4 days ago 0 replies      
But my intuition says Google has a fairly large amount of data. Their cars drove much more distance than his, giving them more space to test. The more data to test, the more intelligent systems will be.
53
JustSomeNobody 5 days ago 3 replies      
So it's more a fancy autopilot than a self driving car.
54
dominotw 5 days ago 0 replies      
Would be interesting to see demo that is not just car self-driving in a straight(ish) line.
55
pedrodelfino 5 days ago 0 replies      
What a cool article!
56
mschuster91 5 days ago 0 replies      
The fuck. Hotz is awesome... The only coder with a skillset so diverse yet immersive I know is Fabrice Bellard. I'd love to see them on a team together... probably will invent true AI O.o
57
ck2 5 days ago 1 reply      
I really liked Hotz until he went to work for the dark side (google's android security) and decided to make smartphones harder to root instead of easier.
58
et2o 5 days ago 0 replies      
I love this guy's personality.
59
ginsmar 5 days ago 0 replies      
Great!
60
kevando 5 days ago 0 replies      
> 99%
61
frik 5 days ago 2 replies      
He must have rich patents or a sponsor. The Lidar isn't cheap (50k).
62
samfisher83 5 days ago 0 replies      
The guy hacked the PS3. That guy can build a self driving car.
Big Company vs. Startup Work and Compensation danluu.com
712 points by ingve  3 days ago   393 comments top 62
1
jarjoura 3 days ago 16 replies      
250k a year in 5 years at a big corporation, really? Yea if you're lucky to work on a project/team higher-ups care about and are also willing to bust your ass working long hours to meet insane deadlines. Also, you better be someone who is excellent at communication and charismatic if you want to get invited to the table of interesting work.

There are a lot of brilliant hyper-competitive people who work at these big companies and you will be a small fish. So I think this article is spreading a myth that there is guaranteed piles of money to be made by working at Google, Facebook, Apple, etc.

2
herge 3 days ago 11 replies      
I'd recommend anyone looking for their first job out of university to consider strongly a job at a startup. Consider it a 'finishing school', where you'll have the highest chance to touch as many different technologies and tasks as possible (from system administration, to backend to frontend work), as opposed to the 'Big Company' where (especially for a first job) you'll be focused on one task.

The important thing is to leave after one year, no matter the compensation you are getting. Teams have a tendency to give the shittiest work to the most junior member, and there's very little inertia to replace that person if they are doing a stellar job at that shit work, but once you leave that startup with bankable experience under your belt, you'll have a much easier time interviewing and negotiating yourself a cushier position at either another startup or a big company.

Most big companies have a much better career 'ladder', where you'll be on a path to more interesting work once you've proven your worth, but I suspect you'd still be in a better position coming into the company one or two years in, rather than starting the treadmill at a lower salary/title.

3
arbitrage314 3 days ago 3 replies      
I've made this point before, but since it's a bit relevant here, I'll make it again (sorry to repeat):

If you're primarily interested in making money, or if you love the startup but not the compensation, you should NOT work at that startup.

If you're a good developer, you can get a better deal by working at an established company and simply investing. This has been true for every startup offer I've ever seen. Ever.

I've considered lots of startup jobs because I believed strongly in the companies. Every single time, however, I was able to get a larger chunk of the company by keeping my current job and simply investing.

To give an example, my current job pays about $250k, and one year, I invested $100k of that into a startup, leaving me with ~$150k of salary. This $150k + startup equity was a better deal than the startup was offering in both salary and equity (BY FAR). Plus, equity bought as an investor is much less tax toxic than equity options received as an employee of a startup.

On the other hand, most people who work at startups aren't interested in money. If that's you, that's totally cool!

4
vinceguidry 3 days ago 4 replies      
I didn't do more than browse the article because I didn't need to hear the arguments to accept the conclusion. I think the only place perhaps in the world where working in a startup could be seen as any way superior to working at an established business is in Silicon Valley, where enormous amounts of VC money come together to create a modern Rome.

Certainly we need Rome, the modern world wouldn't have existed without it, but Romans themselves are myopic and self-obsessed. They need to be, otherwise it wouldn't be Rome.

I love that Silicon Valley exists, but I wouldn't want to live there. I love the people that go there and exist on the bleeding edge of innovation. I'll happily sit here behind the curve and have a normal life with a house and car and kids. I'll root for the dreamers that go there and hope that they too can one day achieve their dream life. I don't need that glory.

5
lafay 3 days ago 1 reply      
I've worked at both startups and big companies since I first came to SV in 1999. And some startups that became big companies. For me, there's much more than the practical & financial considerations laid out here. Deep down I know that I enjoy taking risks -- I like the roller coaster ride, and having a very real and visible impact on whether the company as a whole sinks or swims. Know yourself and don't ignore your intuition.

Also, while "rand(100)" might be an accurate characterization of the returns of all employees over all startups, it is not entirely a game of chance. There is skill involved in picking the right startup to join: being proactive in your search, building a personal network, finding founders with track records, considering enterprise startups. You can learn to improve your odds -- a bit like learning to count cards.

6
stanleydrew 3 days ago 3 replies      
I don't want to criticize too harshly, because I do think this analysis is generally good (if slightly unoriginal).

The problem is that these analyses always focus on how you, as a prospective employee, can extract the most value from the world. Optimizing cash vs equity or arbitraging location or whatever.

You can see it seep through all over the place in the language used. Sometimes it's subtle:

> I've told that anecdote to multiple people who didn't think they could get a job at some trendy large company, who then ended up applying and getting in.

Waiting and hoping to "get in" is pretty weak. It implies that we're all just meat-sacks working away until some of us get lucky and manage to convince a fancy company to overpay us and let us extract a lot of value from them.

If you have value to contribute to the world (and you definitely do), then go figure out someplace where you can best contribute it. Stop worrying about the best way to take things from the world and figure out the best way to put stuff in. The rest will take care of itself.

7
lost_name 3 days ago 0 replies      
> A new grad at Google/FB/Amazon with a lowball offer will have a total comp (salary + bonus + equity) of $130k/yr.

I think these companies are actually too ideal to draw this conclusion from. For every Google/Amazon/FB, you also have a Comcast, an Oracle, an HP or Cisco.

You frequently hear about companies like Apple, Google, Facebook, etc trading employees. You don't hear about the typical big company poaching anyone besides executives.

Edit: The above doesn't seem to represent a clear thought. I'm trying to argue that the average big company doesn't pay as well as those three. Similarly, the average startup isn't going to be able to pay massive dividends in four years.

8
habosa 3 days ago 0 replies      
Equity at a startup is a joke these days, even as valuations climb to infinity. When you're an engineer at a VC-funded startup you're competing against VCs for a piece of a pie. And guess who will walk away with the pie at the end? Will it be the Ruby expert who wrote the backend, or will it be the VC partner who drew up the terms of the funding and the exit?

If you join a startup early you'd be very lucky to get 1%, 2% maybe? Ok so then 4 more rounds of funding go by and you're diluted. Then finally after 5 years you sell to Googapplesoft for $200M. Holy shit, payday is here! Wrong.

First you're going to pay out to all of the preferred shareholders, some of whom might have special payout clauses because you guys really needed the money. Then you find out your 1% is now 0.3% and you have to wait 6 months to sell any of it. So you busted your ass for 5 years for a few hundred thousand dollars when you could have had a full-benefits, low-stress job at Googleapplesoft in the first place and not put nearly so much at risk.

Oh and there's a 90% chance that exit never even happens and all you did was work way below market salary for worthless stock. Oh and that whole time you probably had crap health insurance and minimal 401k matching so your savings aren't looking too good either.

The point of the above is not to say "don't work at a startup" because it's obviously a great experience and the right choice for some. And who knows, maybe it will be WhatsApp and you'll be a billionaire and you can come back here and mock me. But if you run the numbers (as the article says), you really shouldn't work at a startup if you're after money.

9
minimaxir 3 days ago 0 replies      
It's worth noting that the mean and median salaries of graduating Carnegie Mellon University CS majors, one of the top CS schools, are only $103k/105k:

http://www.cmu.edu/career/salaries-and-destinations/2015-sur... [pdf]

Having $130k as a baseline salary for the analysis is silly. (However, a total compensation of $130k is not silly)

10
miles_matthias 3 days ago 3 replies      
I don't see why this is getting much attention. You can look at the financials all day long, but what really matters is your happiness. Are you going to be happy at a big company doing the same job day in and day out? If so, great!

If you're the type of person that can't stand repetition and predictability and want the emotional roller coaster of creating something new, then join a startup!

We don't have blog posts talking about the payouts between being an artist and a hedge fund manager, and yet people still become artists. Why do we do this in the startup culture? We shouldn't feel apologetic or like we're missing out on something if we decide that what makes us happy is to work at a startup.

11
lilcarlyung 3 days ago 3 replies      
Working in Europe I can never believe these fantasy numbers from the U.S. 250k USD after 5 years, seriously? A good Senior Developer here, with 5-10 years of relevant experience, might have a base salary of around 50-60K EUR, and perhaps another 0-2K EUR in bonuses. Then you have to pay around 30% income tax and another 20% if you hit a certain income bracket (which you do with 50K) in many Western European countries. If you want to make more you need to do contract work or roll your own business.
12
tomasien 3 days ago 3 replies      
Getting a job at Google as an engineer is ridiculously hard. The guy that wrote Homebrew couldn't even get hired even though 90% of their engineers use his software.

https://twitter.com/mxcl/status/608682016205344768

If you can get a job at Google, it's very different than getting a job "at a big company" and has historically actually increased your odds of success later on (via the propensity of investors to fund Xooglers). So I would definitely agree - taking a job at Google when you haven't had one before vs. starting a startup is a very legitimate choice to make. Taking a job at Microsoft vs. starting a startup, I would argue (and the X-Microsofters in my life) a very different one.

13
dmourati 3 days ago 0 replies      
I spent the first 15 years of my career as follows:

3 years in small companies outside the bay area

10 years in bay area startups

~2 years in bay area big corporations

I can say the following. The transition from startup to big company was really tough. Part of this was because I was used to being "the guy" for such a wide range of things. At big corporations, these roles are divvied up into 5-10-15 different roles. This is both good and bad. On the plus side, I can relate somewhat intelligently to colleagues across a very wide range of roles. On the minus side, the colleagues all (rightfully) feel their areas are their domain and don't typically recognize expertise coming from outside their team. This knowledge with lack of credibility was hard to reconcile until I fully realized what was going on.

14
exstudent2 3 days ago 4 replies      
I don't think you can go into a company as large as Google and expect your salary to double in five years. HR will have set limits to how much of a raise you can get in any given year and even with promotions you would be very unlikely to see that kind of bump. I also don't think the middling programmers he mentions would hit the 250k year mark.

Orthogonal to the point of the article, but the only time you can really get a salary bump is before you start, so make sure to negotiate like hell before you get in. Once you're in, you're going to be grinding to get a 3% raise (contrary to what the OP states).

15
georgefrick 3 days ago 9 replies      
So I've been at this 9 years and I'm not making six figures. Fuck. I don't even understand where I went wrong. Part of me can't believe the article at all.

His comment about cost of living was kind of an outright dismissal, very odd? I don't think Google will let me work from Milwaukee.

Where is the information on travel, quality of life (owning a house?), etc?

16
sudo-i 3 days ago 0 replies      
Paul Graham/Sam Altman/Michael Arrington/etc... are just spreading their messages as they are always, because in the end more startups/more smart people at startups, the more it has an impact on their wallets.

It's just as fun as arguing which is a better phone, Android or iOS... it's a super old and boring, divisive conversation.

17
gniv 3 days ago 2 replies      
There is valid criticism to be made, but the negativity in this thread is out of proportion.

As somebody who worked at Google for 5+ years, I'd like to emphasize a point: If you sustain good work [1] for a few years, you will be rewarded well beyond expectations [2]. Your compensation will depend on your performance, and not on your starting salary. I think this is unique to Google and maybe a few other tech giants. From this point of view, the generalization to 'big company' is flawed. But otherwise the points made by OP are true, and I wish more new grads would see it (and believe it).

[1] Your overall contribution to the project is important. Whether you work 30 or 50 hours a week to get there, it depends on you, of course.

[2] And those rewards do not depend on the stock price going up. That's just cream on top.

18
richcollins 3 days ago 0 replies      
Author missed option 3:

Do contract work at $250 an hour or equivalent compensation in shares at >= series B funded startups. Choose the level of risk you're willing to accept in cash vs equity. (Nearly) completely avoid politics and other office related BS. Take vacation between gigs if you like. Get a very broad variety of experiences at different companies and get a good feeling for what companies are willing to pay for should you decide to start your own.

19
r0m4n0 3 days ago 1 reply      
Like everyone else... I couldn't get past the repeating theme:

> But the total comp for a good hacker is $250k+/yr, not even counting perks like free food and having really solid insurance

Maybe that's anecdotally true for the big companies in a small high demand area of the country (really just the bay) but not so most everywhere else. Probably why Paul Graham used a figure less than 1/2 that.

With that figure exaggerated, I'm not sure I can take any other points made here seriously...

20
binarysolo 3 days ago 0 replies      
To set people's expectations properly, this guy is high-tier dev that focused on his niche and probably had his payoff event 10 years into work. (Presumably his 8 year stint at Centaur and the buyout had some of that.)

AFTER all those 10 years, the Sr. Engineer plays at Google and Microsoft were probably 250k+, when they needed that 10 years of specialized experience for a $10M+ project and can pay to play.

Anec-data: As an SV person who's worked at BigCorp and funded startups (from co-founder to CTO)... these numbers definitely trend high amongst my friends and acquaintances who graduated Stanford CS in the early 2000s.

21
hacknat 3 days ago 1 reply      
When it comes to compensation I think it's pretty clear that Big Companies win. You don't even need to point to Google, Facebook, etc to make this point.

However, his argument becomes truly hand-wavey and spurious when it comes to the interesting work part. Of course some of the most interesting tech papers are coming out of Google, that doesn't mean anything for the average Google employee. Also, in his argument, he goes from "here's what the average can expect for compensation" to, "you need leverage to work on interesting things at big companies...get some".

Of course not all start ups provide interesting work, but I think the dice roll is solidly in the camp of start ups for interesting work against the Big Cos, whose interesting work dice roll, I would guess, is similar to the start up comp dice roll. Unless rebuilding a bog standard UI framework is your thing.

At my first startup job I got to:

- build a compiler

- implement shared memory on high traffic services

- play with any language I wanted

- manage smart and interesting people

- more stuff, but I'm tired of typing.

22
more_corn 3 days ago 2 replies      
You had me till you non-ironically referenced mchurch. Seriously if you ever see him start talking just turn around and walk away.

Having worked at Google for 7 years and now at a startup, I have to say the big company bullshit factor is huge. Even at Google where bullshit is gold plated and served with delicious, locally sourced, healthy and tasty side dishes.

I learned a lot there, worked with brilliant people, was able to carve out super gratifying work. But, it just got silly. I'm thrilled to be gone, and hope never to go back.

23
siculars 3 days ago 0 replies      
It may have been said elsewhere, but even if it has it should be said again. There is a huge difference between a tech "Big Company" like Google, FB, Amazon, Apple, etc., a Startup Company and a traditional non-tech "Big Company" like, oh, you know, most of the Fortune 500 in virtually every other industry - retail, pharma, insurance, transport, etc.

A tech Big Company values engineers and pays accordingly.

A non-tech Big Company simply does not value engineers or tech and consider both to be cost centers instead of drivers of growth.

I would plainly say that jobs at either a Startup or a tech Big Company would both be better options than a job at a non tech Big Company.

24
nostrademons 3 days ago 1 reply      
I've done both - 3 years as an employee across two different startups, 18 months as a founder, 5.5 years at Google, and now 18 months as a founder. I guess I'm quoted in the article too. :-)

All I can say is that the market is actually a lot more efficient than most people give it credit for. I remember coming out of school and thinking "Why would anyone work for a big company when the payouts for startups are so much better?" After a bunch of experience, I've found that:

1. Those big startup payouts are much rarer than a typical new grad conceives. They're also more widely distributed: perception is that startups are "go big or go home", but a number of companies end in talent acquisitions that are just slightly less or more than what the founders would've earned at a big company.

2. Compensation at big companies varies wildly, and people with the effort & effectiveness levels that you'd expect from a startup often are actually making startup-level money. There is zero reason for anyone doing this to publicize that fact, and oftentimes they're contractually forbidden from disclosing it.

For people trying to decide between these - forget about the financial rewards and ask yourself "What would you like your working life to be like?" I'd also forget the common wisdom about startups = no life & big companies = drudging pace; both of these are inaccurate on a micro-level, and you can find startups that prioritize work-life balance or teams within a big company where everyone's life revolves around work.

Instead, think about the problems you would like to solve. Do you want to do cutting edge research that pushes humanity's knowledge forwards? Work for a research lab or big company's research department. Do you want to bring new technologies to the masses? Then you want a startup, probably one that has spun out of a major university with a couple professors as founders. Do you want to put social hacks in motion and bring technology to ordinary lives? That's probably also a startup, probably one with young founders. Do you want to scale technologies and work with big data or machine learning? Big company; startups usually lack ownership of enough data, unless they're a consultancy. Do you want to apply technology to an industry that currently does things backwardly? Join a startup whose founders have significant domain knowledge in that industry.

If you work on problems that you believe in, you'll find that you're much more effective at solving them. The financial rewards follow after that; money is a lagging indicator for value generated, not a leading one.

25
autotune 3 days ago 0 replies      
As someone in The Bay Area looking for work as a sysadmin with a heavy interest in automation/devops (obligatory plug), it's not a question of Big Company vs. Startup, it's a question of who is hiring and has at least been open to interviewing; these have almost unanimously been startups. I'd like nothing more than the stability of a large company with interesting projects and decent pay but let's be honest, how many of us will really have the chance to work for Google or Facebook vs the earlier stage startup that's a bit more risky but has a product you find worth supporting and has reached out to you based on their interest in the projects you've been working on?
26
thesimon 3 days ago 7 replies      
Tangential to this article, but >pay outside of the US is often much lower for reasons that don't really make sense to me).

Can someone explain why salaries in for example Europe are so much less? Out of uni salary for example seems to be around 38k in Europe, whereas in US everything under 90k seems very low. Just the difference in purchase power and costs?

27
eldavido 3 days ago 0 replies      
I think the endgame of SV is to become more like Hollywood. Not that that's necessarily a bad thing.

Typical startup raises a $500k seed round and is two founders + 2 senior engineers building the v1. If founders want Google-caliber people, they can't afford to pay $200k; the cash just isn't there.

So companies will have to start giving out real chunks of equity (5% or more) to early key hires. And "who you are" will matter even more than it does now (e.g. look what having Spielberg or another A-list director does to a movie's prospects, they can get the good actors, etc.)

I just don't see any other way this plays out. SV will become more like Hollywood.

28
mcguire 3 days ago 0 replies      
Although, overall, I think this article is reasonably right, there are quite a few things sketchy about it. But I'll just start with the first that comes to mind:

If Google and Facebook are your median exemplars, I really want to know what your sample is. Those aren't exactly large companies. Amazon, too. Apple and Microsoft may be, at least in this industry, but I still have the feeling that the total number of the technical people that this article seems to be addressing is much larger than the total employment of the "large companies" (and small ones).

Also, another minor issue: During my years at IBM (technically, contracting for IBM, but even then you couldn't pay me enough to sign on), I did get to work on very interesting projects and learned a great deal from some very smart people. On the other hand, everything I did was shovelled into the trash can immediately after I finished it. Project cancellations, reorganizations (IBM: I've Been Moved), etc., these are fun facts. Of course, I don't expect start-ups to be any different in this regard, given their failure rate.

29
aeturnum 3 days ago 0 replies      
For money:

Work at whatever job meets your financial needs, everything else is gravy. This will be hardest at the start, but as you gain seniority, you'll have increasing freedom to work where you want. All things being equal, established companies will pay better. Save money, but don't take jobs you hate to save more money - it's not worth the equity.

For work:

If you know what you want to work on and can get a job in an established company, do that. Established companies are much more likely to actually have you work on what they hired you to work on. They are also much more likely to continue the project you were hired for. There are exceptions, but generally you will have much greater resources available to you. Your work may never see the light of day, or may only be used internally, but you'll walk away with a lot of experience on a specific area.

If you don't know what you want to work on or you like working a little bit on a lot of things, work for a startup. Especially for junior roles, there is enormous flex in terms of what you'll actually work on from day to day. This is not limited to programming, but includes all branches of tech work: architecting, service monitoring and setup, marketing, etc. The downside is that it can be hard for you to explain, in a substantive way, the amount of work you did during this time. The upside is that you learn a lot and get a feel for many things.

As for future options - startups will give you many shallow options, working at a big company will give you lucrative & focused options. If you work only in one area, understand that you are betting on that 'kind' of work to continue into the future. The more experience you have, the more value you have in that market. The value in that is entirely dependent on the value the market puts on your skills. You can often pivot, but it can be difficult. Keep that in mind when looking at future work.

30
mruniverse 3 days ago 0 replies      
I work at Big Company and although I grumble, I know it's probably better than going to a Startup. I think the Startup route is like trying to win in Vegas. Some win, most don't. Although it could be fun depending on what you're looking for.

At Big Company if I get bored I can move to a different group fairly easily. And I know my work will be used by millions of people a day. I think that's the part people forget; A lot of people will use your product. At a Startup good luck with that.

And another thing, if you start to have conflicts with someone at a Startup and it's not resolved, it will be a pain to work there. At Big Company, at least you can move to another group or hope they will.

31
LukeHoersten 3 days ago 0 replies      
I prefer to work for smaller companies because of the way work and responsibility are divided. At large companies I've worked for, work gets divided into much smaller chunks so each developer is working on a very small sliver of the total product. At a smaller company, you're typically solving a smaller, more focused problem as a group, but also, you get a much bigger chunk of the work as a developer. It's easier to have ownership over a whole project. It's why the term "full-stack developer" is so common in the startup world and basically unused in the enterprise/corporate world. Of course all of this lies on a gradient of headcount vs. total workload so I'm sure there are great counter examples out there.
32
sinofsky 2 days ago 1 reply      
You could apply this same model to IBM very easily if you started from college any time from 1993 (April to be precise) and 2013. If you just worked your way up the promotion ladder you would have done super well financially (better than the SP500 by 4-5x).

The problem with any comparison is hindsight. Many other large cap tech stocks do not behave that way. Certainly you could have joined Microsoft at a certain time and "given up" at the "wrong time". Your cash comp might have been quite good (or not).

The thing to ask yourself (and I definitely am not judging or implying one way or another) is where does your code go and what does it do? A lot of that IBM code, well... And of course many startups don't make it as well.

If all you want is money with low risk the choice is clear. If all you want is a chance at a huge payoff with high risk then the choice is clear.

If you're happy with the end result of your code then in a Fountainhead sort of way that's what matters. Then whichever risk path you take for your compensation is secondary. And your views on this might change at different life stages.

Finally the ability and skills to navigate and succeed in either a startup or a big company are different. Depending on when you choose and how you grow and evolve you may or may not be at the right place at the right time.

That's my shortest comment to a very long topic :)

33
peter303 3 days ago 2 replies      
I don't think these high salaries will last because we are in the midst of a startup bubble with too much VC money chasing too few good ideas. Echo 1990s.

However, even if we return to the 2004 scenario of 80K/100K that is still comparable to other professional careers and better than most college majors. So I'd recommend staying in CS if you like it.

34
throwaway_lazy 1 day ago 1 reply      
Why not add consulting (i.e. helping startups out as someone "external") into the mix?

I make ~$110k/yr after taxes (!) and insurance and I work 10 hours per week, tops. I literally watch Netflix more than I work on an average workday. I know it's not great money (don't have a Tesla), but it's quite cozy.

Thoughts?

35
bigcothrowa 3 days ago 2 replies      
At my BigCorp employer, Senior Engineer starts at like, maybe $140k total compensation, on the low end. I don't know where the author is drawing these $250-350k minimum figures from, but it feels like "thin air."

That being said, a startup in my area would pay 50-70% as much.

36
invaliddata 2 days ago 0 replies      
I've worked at sv companies of all sizes, and I think that for a fresh grad especially, the most important thing as some have stated is to find a team (manager, coworkers) and project that are right for you. You want a place where you will be supported, where you will have interesting work, and where you'll be able to develop in all the aspects (not just technical ones) that you'll need as a more senior developer. You'll want to avoid toxic cultures and places where no real work gets done. In companies of all sizes and stripes there is a huge amount of variation internally. Unfortunately it's often difficult to know what a particular team is like unless you know an insider. This advice may seem like common sense, but in my own experience and through talking to junior colleagues, many people don't have much of a clue for what to look for in a job (beyond - they pay a bit better / I've heard of them and it's a prestigious name / I have some idea about what they want me to do and it sounds vaguely interesting).

For fresh grads there is almost no negotiating room on compensation. Additionally, what one learns and experiences is critical to career growth. At one sv bigco I got paid intern level wages to manually label machines in a server room for a month (hired as a developer). I'm sure this is not representative of that company. At another bigco I have seen fresh grads and interns get plum work assignments (and pretty good compensation, according to surveys), and I know that's not the case for many other parts of that company. Neither of these companies is appamagoogsoftbookflix, but I know both these scenarios can be found pretty much anywhere.

Even midcareer professionals should care a great deal about the people and projects they will be working with, but there the ability and need to optimize compensation can be more acute. So, avoiding optimizing for compensation and company prestige early in one's career is something to be cognizant of.

37
code4tee 3 days ago 0 replies      
Article makes some good points. The cash-out value of "equity" one gets in a startup can, if you are lucky, result in some nice lump sum at some point down the line. However, many often miss the point that this big lump sum is quite often still much less than the cash given up in the meantime by agreeing to accept lower cash comp in exchange for said equity.

No different than when people talk about how they bought a house for X and then sold it for Y at some point down the line, giving the impression that they made a nice return on investment. Of course such casual math forgets that it costs a ton of money in interest, taxes and maintenance costs to hold such an asset for this length of time and these need to be subtracted from what appears to be a nice lump sum payment down the line. In reality, net net many people never make a $1 owning their nice fancy house even though when they sell it results in a nice lump sum.

With jobs and houses there are lots of other factors at play, but when it comes to $ it's important to understand the difference between perceived "windfalls" and actual net return. The true results are often not what people expected.

38
shanwang 11 hours ago 0 replies      
Have to say I'm really jealous. You don't get nearly that much in google/microsoft London office, not sure about FB but I doubt it's much better.
39
morgante 3 days ago 1 reply      
I was nodding along throughout this and pretty much agreeing that overall a big company makes sense for most people.

Then I got to the final footnote. That kind of Kafka-esque bullshit is what keeps me working in startups. I could not stand working in a culture where policies which are widely seen as unhelpful and ridiculous are still routinely inflicted upon employees.

Yes, startup "bullshit" also exists, but the difference is that it's totally possible to avoid that bullshit by picking a good startup to work at. I've never had anything like the experiences described in [1], despite working at 3 different startups. On the other hand, big company problems seem to be universal: it's not possible to find a big company without at least some arcane and employee-hostile policies. (For example, Google's blind hiring keeps me from ever considering working there.)

[1] http://totalgarb.tumblr.com/tagged/startupbullshit

40
Rainymood 2 days ago 2 replies      
As a European constantly reading about total compensations in the 200k+ seems like FUCKING crazy to me, holy shit. What the hell.
41
methodover 3 days ago 0 replies      
> Moreover, the pitch that you'll only need to work for four years is usually untrue.

Definitely, and not just for the reasons stated in the article. I believe it's pretty common for employees to get escalating stock options as they progress in the company. When I first joined my startup as the second engineer hire, I got something like 0.2%, under a four year vesting schedule. After a year I got a bit more, like 0.3%. After another year and a half or so, I was given enough to bring me up to what is currently 1% -- but again, under a four year vesting schedule. Most of my options vest under a four year schedule that started 2 1/2 years into working there.

Is it pretty common for regular engineers to get 1% options right off the bat? I thought it wasn't.

42
krisdol 3 days ago 0 replies      
How do you even argue with someone who thinks that the average "big corporation" pays and looks like Google or Facebook? The vast majority of them aren't. That's my experience from working at them, interviewing at them, and seeing my colleagues work at them. The best thing about big cos? Generally I had good comradery and in-office perks, as well as good hours. When it comes to pay, raises, innovation, passion, speed, benefits, on all of those terms I've always had a better experience at smaller companies.

Sure, that may not be true across the board, but the author's assumptions are far reaching. I mean, 250k? Really? I'm not questioning his honesty, I just envy the bubble he lives in.

43
theptip 3 days ago 0 replies      
The section on options doesn't mention early exercising and 83(b)s. I thought it was commonplace to allow options to be exercised before vesting, at a nominal valuation. File your 83(b), and then any increase in value of your options is not considered capital gains; you just pay tax on the final amount that you sell the shares for.

Is this an omission in the post, or is the early exercise option less common than I thought?

44
pyrrhotech 3 days ago 0 replies      
The median income for full time workers in the US is about 40k, not 30k. Also I don't personally know anyone who makes $250k cash comp, and I know people at google and facebook and a handful of other "big corps". I have a friend who's close tho, around $230k at google after 6 years. You can't count the appreciation of the stock on the RSUs
45
mychael 3 days ago 0 replies      
The grass is always greener on the other side. Unless you live in the Bay Area where you lose either way due to the cost of housing.
46
Cymen 3 days ago 0 replies      
The last couple rounds on this have talked about experience at startups but they neglected to go into the value of that experience. From the startup side, people will say the experience is valuable and what they mean is the experience of getting to make more technical choices and experiencing what it is like to have to make compromises to get something shipped in an early stage company.

So the startup people talk about experience in the context of assuming you will also want to do a startup.

The author of this piece kind of ignores the value of having to make those difficult choices in the face of shipping something. But that value is only towards actually starting a company. It's not nearly as valuable at a large company.

So that bias shows through in the writing although I agree with the rest of it. It's just a tiny argument towards the value of startup experience that in context for some people does have immense value while for others it is negligible.

47
kbenson 3 days ago 2 replies      
> Perceptive readers will note that 100 does not actually show up on a d100 or rand(100).

I was just perceptive enough to notice that, copy the entire table into a comment and pontificate on it, then notice that I missed the sentence in question immediately after commenting, and delete it 3 seconds after posting it. :/

48
tabeth 2 days ago 0 replies      
So for me this begs the question, how do you get to this point? I've never cared too much about compensation, since though I went to a good school, I did the computer science major pretty quickly and after graduation am working at a start-up I think is great.

Should the goal be to spend time studying for interviews, or is this some other strategy? This article assumes you're at some level to command this level of compensation, but how do you get to that level to begin with? I know the classic advice: do good work, write excellent code, etc, but is there more specific advice?

49
joshjkim 3 days ago 0 replies      
2 things: (1) this may change soon but for the past 2 years I've seen a decent % of startups pay around the Google scale ($130-$160), with raises not too far from the scale set-out in the article. However, the big difference of course is that many of these startups will never make it to year 5... (2) this should be qualified as "...for Engineers" (maybe implied by the venue ha). The math is pretty different when you talk about (a) finance/consultant types deciding between big institutions and startups [pay is MUCH worse unless you win big, but hours and work satisfactions are higher..or supposed to be] and (b) sales/ops types [pay is comparable, hours are worse, but potential impact is higher..or supposed to be].
51
bambax 3 days ago 1 reply      
I wonder what people do with all that money. If you're capable of earning $250k working 5 days a week, why not earn $100k working only 2 days a week?
52
tvural 3 days ago 0 replies      
I appreciate some of the writer's points, but he's so eager to prove his point that he makes some obvious mistakes. The 38% of founders who failed took on average a few months to do so. Quality of research papers produced is not a measure of how interesting work at a company will be - was Steve Wozniak churning out papers while he worked on the Apple II?
53
eecks 3 days ago 0 replies      
I make less than the year 0 at year 3.
54
fludlight 3 days ago 1 reply      
TLDR: Article about lifetime earnings that fails to mention cyclicality. Good luck with that.
55
142535 2 days ago 0 replies      
At my big company in Australia, I made 85k after 4 years, with high income tax and rent of $1800. I have quit to create a startup. I don't really know what will happen now.
56
vlunkr 3 days ago 1 reply      
Don't forget that there are other options. I work for a small consulting company. Our size allows us to have the agility of a start-up, but without the long hours and the stress of your product failing.
57
pinkunicorn 3 days ago 0 replies      
The last line is pretty important -

"You should figure out what the relevant tradeoffs are for you."

The author is just summing up his experience. Individual mileage definitely varies!

58
Xyik 3 days ago 0 replies      
The point of joining a start-up is to take risk and make more $. I'm not sure there is anyone who doesn't get that. Obviously joining a large stable company with consistent growth will net you high stable pay, the point is if you want to make an above average amount of money that moves the needle and makes your life feel different, a start-up is the way to go.
59
shocks 3 days ago 0 replies      
Can anyone give some figures for big companies in the UK?
60
SEJeff 3 days ago 0 replies      
Or you simply work in finance in tech.
61
TheOtherHobbes 3 days ago 0 replies      
Agreed. The article cleverly conflates "not impossible" with "possible" with "probable" with "likely."

And the comments about "I make >$250k at GooAppBook" are self-selecting, from those who didn't get shown the door. They may not be typical for many reasons.

More useful questions:

How likely is it that a programmer of median competence/non-laziness will make $250k after five years?

Conversely: how much of an exceptional workaholic do you have to be to have a reasonable chance at $250k?

How do the probabilities compare with those of a start-up, or a non-technical big corp, or a Wall St/City job?

Also relevant is what you get to work on, how much freedom you have to choose, how research-ish it is (if that matters to you), and how much you'll still be learning at T5.

And let's not assume big tech corps will still be big five or ten years from now. Former big tech corps - IBM, DEC, HP, etc - all looked unassailable at various times, but became very assailable within a few short years. It's naive not to think the same couldn't happen to the leaders today.

62
jsnell 3 days ago 0 replies      
Google / FB / Amazon are being used as examples of large companies, not as examples of startups.
Philips reverses decision to close the Hue Platform meethue.com
441 points by alaaf  5 days ago   164 comments top 18
1
mdip 5 days ago 10 replies      
A point brought up in the replies to their forum post warrants repeating: They claim that they were concerned about the quality of their brand being eroded by third-party bulbs that didn't reproduce the same quality experience that first-party/certified bulbs did.

They had the solution available to them from day one. Since they can clearly identify third-party bulbs, they could have simply presented a warning along the lines of "We've detected you're using bulbs that are not certified by Philips. For best results, we recommend using only certified bulbs (link to purchase here) and cannot guarantee a quality experience with the bulbs you've purchased. Click "OK" to continue."

2
mdip 5 days ago 1 reply      
I'm glad to see they've reversed the decision. It was the only reasonable choice they had with such an immature market that could have them dethroned as the leader very quickly. Their reasons for lock-in made no sense. For a product like this compatibility is a feature and many people chose the Philips products because of the ecosystem of compatible products available, the ZigBee protocol and third-party light bulbs.

I'm sure that third-party products were causing problems, however, wholesale blocking of them via software update is a terrible solution. They, literally, turned out the lights on their customers. Meanwhile, I'd be willing to bet support costs immediately spiked -- people call support when things don't work and they just pushed out a solution that increased rather than decreased that.

Unfortunately, I think they've bruised their reputation quite a bit with this move. It's now delayed my purchase of such a product until I am convinced that they have a solid third-party certification program in place (with very low licensing fees) or (even better) a guarantee with the product that they won't try this again when the market is more mature and they have the option of ignoring complaining customers.

Their competitors could see a rise in sales by taking advantage of this blunder and committing to open protocols. I haven't looked at the landscape in this category, yet, and had just assumed I'd be buying the Philips Hue eventually, but they've motivated me to do more research.

3
themartorana 5 days ago 2 replies      
Wow. Most companies are deaf to user outrage. The original decision wasn't fantastic, but I understand the whole "Friends of..." certification route.

At least in the future they'll be able to stick to "if it's not certified by us..." for customer support, which was likely the original impetus (along with a desire to cut off cheap alternatives to their devices).

I'm not mad at this at all.

4
HarryHirsch 5 days ago 4 replies      
Compare this with Ethernet. You plug it in - and it just works. No 3com/Realtek/Intel certification required. As a user I may be shielded, but I believe there are no interoperability issues between Cisco/Juniper/Brocade switchgear either.

With this as the background, it's surprising to see a large crowd defending the equivalent of Ford-branded gasoline.

5
DiabloD3 5 days ago 5 replies      
The thing is, to me, the fact that they ever decided to do this in the first place means I will never buy Philips smart home products ever.

They have proven they can't be trusted with this sort of power, and that is a one way trip. You don't come back from that, you don't get back off my list.

6
anc84 5 days ago 1 reply      
They can still control it and reverse the reversal in the future. You are at their whim. It is not user-friendly unless it is free software (and hardware). Amazon can still remotely remove books and no one bats an eye. This is just an issue because at the moment these kinds of home automation are predominantly "nerd" territory while e-book readers are already mainstream.
7
sismoc 5 days ago 2 replies      
I won't be so quick to "roll-back" my decision to boycott their products.
8
nichochar 5 days ago 0 replies      
I really respect Philips for having the humility to come back on a decision like this. As someone who already owns hue and has bought into the ecosystem, this makes me want to promote their brand further, and I will.

Hat down to whoever made this happen over there! The world is better when things are open.

9
ohitsdom 5 days ago 3 replies      
"We underestimated the impact this would have upon the small number of our customers"

Do they really believe it is a small number of customers that use non-Philips light bulbs? I mean, good for them in reversing the decision, but the damage is already done (check out Amazon reviews for one) and it should have been easily foreseen.

10
sneak 5 days ago 3 replies      
The funny part is that they claim to have broken their customers' previously working functionality in good faith.

Who writes these things, and why do their supervisors allow them to keep working there?!?

11
tomlongson 5 days ago 0 replies      
I wonder if this had anything to do with the flood of negative comments to their Amazon product pages?

3/5 stars: http://www.amazon.com/Philips-455303-White-Starter-Generatio...

4/5 stars (previously 4.5/5): http://www.amazon.com/Philips-456210-Ambiance-Starter-Genera...

12
revelation 5 days ago 3 replies      
Not sure why people are screaming "boycott". Philips never advertised their system as being compatible with third-party lights. The fact that they use an open protocol to communicate with their own lights doesn't change this.

It's like connecting to your office chat with an IRC client because you figured out that's what they are using under the hood. Why would you scream bloody murder when one day your IRC client stops being compatible with it? They never advertised this to begin with!

You can't exactly demand functionality that you were never sold.

13
gedrap 5 days ago 0 replies      
A lot of the people are talking about how important integration and interoperability is. I agree with it, however, a lot of work has to be done to achieve it.

In order to do it properly, there should be standards that major providers agree upon making integration much easier and predictable. That takes plenty of time.

Then you probably need some walled garden to control the experience. Approved apps, approved 3rd party providers, etc. If some crappy app is released, regular users won't blame the developer but the platform, as it was discussed in great details in other threads. We need to get out of the HN bubble. Seriously. We forget that a computer is a device to watch porn and browse facebook and that's about it for A LOT of people. Chances are, it will cause a wave of anger in communities such as this one (where there's a strong sentiment for open systems).

This work has to be done by a number of large providers (read: long processes) and followed by startups popping up and disappearing now and then. This stuff always takes time.

14
donkeyd 5 days ago 1 reply      
Second large company this week to rollback a change after public outcry, with Valve rolling back a change in CS:GO. I hope their marketing people take a lesson out of this.
15
vilts 5 days ago 0 replies      
Sounds exactly like the FTDI FT232 "serial killer" saga all over again.

They got many people very pissed off and probably never buying or building products with their chips again.

16
toppy 5 days ago 0 replies      
How many developers does it take to change Philips lightbulb?
17
Nilef 5 days ago 1 reply      
Any recommendations for third-party lights?
18
josscrowcroft 5 days ago 0 replies      
"We fucked up, but we don't want to admit it."
The best icon is a text label thomasbyttebier.be
585 points by ZeljkoS  3 days ago   202 comments top 46
1
dizzystar 3 days ago 7 replies      
I remember getting into a debate about this subject with a self-described UI expert. It was part enlightening and part frustrating. He failed to see the point that so many of his ideas were US-centric, and didn't make sense in any context outside of English-speaking languages, and to be honest, they barely made sense in English. The author brings up Gmail, which has an icon for "archive" that makes zero sense no matter how I try to connect the dot, but at least Gmail gives you an out: turn the confusing icons to text.

Despite being a programmer -- but not front end work -- I find myself struggling more and more with UI and especially icons. I think so much of it reflects the current trend of zero empathy for the end-user. Fortunately, I know enough about computers to get around many of these issues, but icons are the one area that I still struggle with.

Unless you have some site with several million users, teaching end-users is a wasted effort, and it does well to either piggy-back on other ideas or use text. Even Facebook is using text, and it seems a little odd that anyone smaller would feel they have some lessons to teach the end-user about UI. UI, in my opinion, doesn't mean "pretty," it means "usable," which is sort of implied by U meaning "user." If a significant portion of your user-base is computer illiterate, which will often be the default, it does well to UI to the lowest common denominator. Once your user presses the back button because your icons made them feel stupid, you lost a customer, and that is a very high price for "pretty."

2
js8 2 days ago 1 reply      
I think we forgot many of the lessons from the 90s, in naive attempt to emulate Apple. Here's list of standard things that every application in the 90s had, that are frequently missing from the current UIs:

- Menu - Typically at the top of the screen or window, you can go there and find everything you can do with the application, at the consistent place; moreover, as you go over menu entries, a helpful explanation of what does what will appear at the bottom of the screen.

- Toolbar - A place which has most commonly used tools. They are represented by icons, text, or both (and you can actually make a choice in settings). Typically, you can configure the toolbar to your heart's content. Toolbars can also depend on the context.

- Context menu - Right clicking on some object will give you menu of things that you can do with that object. Again, explanation of what each of these actions does appears helpfully at the bottom of the screen.

- Tooltips - As you mouse over any UI element, it will helpfully explain to you what its purpose is.

- Buttons - Things that are clickable look visually differently than other things that are not. For example, they have different shading. Buttons may also give feedback that they are clickable when you mouse over them. Also, if you click thing that is clickable, it will give a feedback that it was clicked by changing the shading.

I think the big problem here is that UX/UI people want to be artists and so create art, not useful application for end users (which often means follow some standard!). So the end result is even more disastrous when programmers design UI (at least they are rational about it, in some sense), but the cause is the same - it's putting your own ego (behold at my artistic creation!) in front of actual usability.

3
brenschluss 3 days ago 7 replies      
> Don't use an icon if its meaning isn't a 100% clear to everyone. When in doubt, skip the icon. Reside to simple copy. A text label is always clearer.

The article is misguided, in that it assumes that the meaning of an icon only exists in the lines/color/visual form of the icon. Icons are visual language. You have to teach the user what the icon means. Either the user has seen the icon before (such as in airports), or if the user hasn't, your UI has to accommodate that.

Once that happens, then icons are way faster.

Icons are like visual acronyms. The sequence of letters 'T', 'C', 'P', 'I', 'P' means nothing to someone who doesn't already know what 'Transmission Control Protocol/Internet Protocol' is, but once you do, TCP-IP is way faster to recognize, speak, type, and to share.

4
rconti 3 days ago 4 replies      
I always laugh when I see that "unclear laundry icons" image, because I recently had the experience of trying to use a combined washer/dryer machine in a foreign country. The icons truly are asinine, you can't even get close to guessing what you want.

For fun, I looked it up. Some of the icons are obvious, a few make sense once you know the basics, and still others seem almost sillier once explained.

http://www.textileaffairs.com/lguide.htm

5
pool 3 days ago 6 replies      
For someone who follows HN somewhat, I really don't keep up on any current cool-and-hyped stuff. I'll just see websites become more and more useless with three-stripe icons for menus and then just random mysterious icons, and I'll tell myself that that no doubt these no-context meaningless icons must be derived from whatever iphones are doing this week.
6
yati 2 days ago 0 replies      
One of the best things I've read lately. At my last job, I voiced exactly the same concerns over the clarity of icons, and was always told that the users are going to get used to it after training (it was an enterprise product). It was really frustrating as a (back-end) programmer to load up my work in the browser and to hover over each icon every time to test it. I didn't get used to it, no one else ever was going to.
7
userbinator 3 days ago 2 replies      
The fundamental problem with icons is that they can mean so many different things, as the example with washing shows. I've heard this summed up as "a picture is worth a thousand words, but you don't want a thousand words when one will do."

I don't use Apple Mail, so this is an example of what a completely new user --- albeit one who has used computers for a long time --- thinks when they see those icons along the top:

- It's a closed envelope. Mail? Send? Close?

- Write? Edit? Compose? Sign?

- No idea what this is.

- Trash can. Deleted items? Delete?

- Left-pointing arrow --- but coming from bottom and looking like it expands outward. Back? Open message in separate window?

- Two left-pointing arrows. Rewind?

- Forward to next message? And why is this arrow not coming out of the bottom, unlike the two to its left?

- Flag. This is probably the clearest of them all.

8
TillE 3 days ago 3 replies      
I'd love to see some empirical data, but my intuition is that text + colored icon is the ideal (in terms of how quickly you can find what you want) for both new and experienced users. Every little clue helps navigation, and makes me feel more confident about using an application.
9
mschuster91 3 days ago 4 replies      
If you decide to use icons, offer a hover-tooltip.

Even if you decide to use a textual button, offer a hover tooltip if there's a keyboard shortcut. (Hello phpStorm, I'm looking at YOU!)

10
archagon 3 days ago 0 replies      
I thought about this a lot while designing my latest iPad app. On the one hand, icons make everything look beautiful and cohesive, and give you an almost intuitive sense of the UI if done right. On the other hand, it's hard to convey the meaning of a complicated tool using an icon alone, and I hate guess-and-checking the meanings of icons in other apps. My solution was to keep unlabelled icons for the obvious UI elements (in my case, undo/redo, play/rewind/record, erase, and metronome) and add small text labels underneath the icons that referred to more complicated or unique actions. For visual coherence, the labeled icons were kept in their own section: http://i.imgur.com/EeLzlVH.png

So yeah, I think the article is spot on.

11
jd3 3 days ago 1 reply      
I agree. Whenever the option to change icons to text labels is available, I will use it. It's a shame that Apple's finder is ostensibly shit when it comes to text label support. No forward, no change/shadow when `pressed`, etc. It's been maddening trying to use most websites these days that load 20MB of javascript and abstract their interface elements behind incomprehensible picons and boxes.

http://i.imgur.com/YyOYqxV.png

12
n0us 3 days ago 0 replies      
Non-text icons is one of the reasons I don't use IDEs all that often. I'm always wondering "damn, what did that icon do again?" or "I wonder where I can find the button to run this thing" but then I click the wrong thing sometimes and totally screw up my layout then spend a while looking for another button that will get me partially back to the way I was before I can even start looking for the button I wanted again. I guess I would get used to it eventually but it bugs me.

(I'm looking at you Eclipse)

13
maniacalrobot 3 days ago 1 reply      
I'd agree that many Icons are context sensitive and many require the user to learn their use, but they do, mostly, provide a language agnostic approach to navigation. An icon is the same size in any language, whereas the title could be very different.
14
masklinn 3 days ago 0 replies      
On the one hand text labels are convenient when you can read them, on the other hand when you can't (say because you're in Japan and Japan loves the hell out of its text labels) icons you might be able to decipher are better than text you definitely won't.
15
makecheck 3 days ago 1 reply      
The best icon is one you can opt-into. Don't eliminate them.

For instance I liked OS X's original toolbars, in that you could easily shift between modes that displayed text or did not display text. (Then they entered their phase where toolbars couldn't be customized and all icons were the same shape, which is far less sensible.)

16
ape4 3 days ago 0 replies      
No mention of the red | yellow | green buttons at the top of a window in MacOS.
17
iffycan 3 days ago 1 reply      
Amen to the Apple Mail icon problem he mentions. It gets me every time, too.
18
statoshi 3 days ago 1 reply      
Indeed; I've noticed often while observing people of older generations that one of their big problems using apps today (especially mobile) is that they don't have the same understanding of iconography as younger generations. It's usually not intuitive for them.
19
gburt 3 days ago 1 reply      
Icons, but not text, can be language agnostic and probably more resilient to cultural variation. Obviously well-recognized icons like arrows fit this property more so than time and culturally dependent things like floppy disks for save buttons.
20
pavanred 3 days ago 0 replies      
I used to flash different ROMs on my HTC Desire frequently a while back. I was experimenting with MIUI ROM and accidentally flashed a Chinese ROM. And, it so happened that I had to travel and I wasn't able to flash an English ROM back for a couple of days. I was surprised that I could manage just fine for a couple of days with a Chinese ROM (I don't know Chinese), I remember thinking about the UX because though I couldn't read the menus, I could manage just fine using the icons, for example a trash can in messages menu is definitely delete message.
21
zamalek 2 days ago 1 reply      
On Windows Phone 8.1 the settings screen is "text labels" and is completely unusable. They added icons in 10 and this resulted in a huge improvement.

Text-only is as-bad as icon-only. Combine the two.

22
frik 2 days ago 0 replies      
I personally prefer Icon+Text over Text-only. And icon-only is often confusing on websites/apps - it only works if one uses the website/app regularly like the Office <=2003 toolbar.

Also the recent trend for black and white icons makes them sometimes harder to understand. Colorful icons worked fine, in older Office <=2010 and elsewhere. Though finding a good icon set with 500+ generic icons that fits one's needs means taking compromises.

23
mrlyc 2 days ago 0 replies      
I have two modes of thinking when I use a computer program: text mode and graphics mode. I am in text mode while I am reading or writing. I find icons confusing as I have to change from text mode to graphics mode to figure out what the icon means.

The only time I prefer icons is when I am already in graphics mode while using graphics software.

24
ipsin 2 days ago 0 replies      
The best icon is a text label, written in the language of the user? Sure.

But the easiest icon is that weird squidgy thing that looks like a ... well, I don't know, I'm expecting users will click on it and eventually figure it out. Squidgy thing takes maybe an hour to create. The internationalization team's SLA is not an hour.

25
intrasight 3 days ago 1 reply      
In browser UX, you simply mouse-over an icon to get its tooltip. But screens are big so there's almost always room for labels. In mobile UX, there's just not much room for labels. I don't see why more apps don't use a tap-and-hold approach for showing a tooltip.
26
miles_matthias 3 days ago 0 replies      
Definitely agree with this. This is also something we're looking to update, along with the great article about how the hamburger icon fails on mobile: http://deep.design/the-hamburger-menu/
27
spurgu 3 days ago 0 replies      
The paradox here is that the most effective UI would be one where you'd have minimal "signs" (text or otherwise) telling you what to do. The problem with this is that you'd have to _learn_ how to master it. What we have is a compromise. Something that tries to cater both to casual as well as power users.

I'm thinking about for example a swipe based touch interface. A lot of functions now are click here, then click there, when they could be done in a simple gesture. But the problem is that one would have to learn the gesture somehow in the first place. And people don't read manuals, even if there were any nowadays.

28
leeoniya 3 days ago 0 replies      
also known as Mystery Meat Navigation

https://en.m.wikipedia.org/wiki/Mystery_meat_navigation

29
megablast 3 days ago 1 reply      
Icons can transcend different languages though, a huge boon for small devs.
30
alariccole 3 days ago 0 replies      
The article took a wrong turn for me. Seemed to say that there was a fallacy in assuming frequent users would understand your iconography, then goes on to praise exactly that, for popular sites.
31
laichzeit0 3 days ago 0 replies      
Usability testing with eye tracking software. It's the only way to objectively show designers how crap their design ideas are. It's not even expensive to get this done anymore.
32
altonzheng 2 days ago 0 replies      
I think companies need to test their UI's with senile people first. Nothing has given me more insight into user experience than watching my grandma trying to use an iPad.
33
ada1981 2 days ago 0 replies      
Wait, I've been googling gcal for the last 2(?) years when my calendar tab needs populated when I could have just been clicking on the chessboard thing in gmail??! I was wondering where the hell gcal went!

>> Google decided to hide other apps behind an unclear icon in the Gmail UI, they apparently got a stream of support requests, like Where is my Google Calendar? <<

34
reitanqild 2 days ago 0 replies      
Also on (Windows) desktop you can (could) always hover over to see a description.

On mobile you have to try and hope it is not the "irrevocably delete thread" button.

35
bsenftner 2 days ago 0 replies      
I was an original Macintosh Beta tester back in 1983, and I raised this exact same issue. I built all my apps with text + icon buttons and got penalized for it. One of several reasons why an early Mac beta developer left Mac development, not writing code for the OS for a decade afterwards. (PC users were lucky to have Windows 1.0 around that time, and I did well writing GUIs for corporations that wanted better.)
36
huuu 2 days ago 0 replies      
The best icon has a text label.

I think icons next to a text label are very useful because they guide the eye so you can quickly see where your buttons are.

37
mheiler 2 days ago 0 replies      
Icons are little symbols that are equally incomprehensible in any language.
38
andrepd 2 days ago 0 replies      
You level criticism at Twitter for being unclear to new users, then excuse that same behaviour from Tumblr because meaning is clear to existing users. Isn't it a bit inconsistent?
39
OJFord 2 days ago 1 reply      

> Facebook as a final example: they lately traded their unclear hamburger menu icon for a frictionless navigation that combines icons with clear copy. Well done
No, not well done. They went from almost conforming to the OS' (on Android) design guidelines, to totally ignoring them.

The 'hamburger' button is not "unclear", because it's so commonplace that at the very least it has an intuitive meaning in the context of an Android app - it's where I expect more options, settings, etc. How do I know that is now kept behind the much less clear icon that seems to show a man moving quickly?

40
WalterBright 2 days ago 0 replies      
Discussed at length a couple days ago:

https://news.ycombinator.com/item?id=10738891

41
fogisland 3 days ago 0 replies      
Various icons without text often make me feel dumb...
42
mirimir 2 days ago 0 replies      
And then there are those of us who block so much crap that icon fonts sometimes don't load. Hover text is usually enough, though.
43
fauigerzigerk 2 days ago 0 replies      
Yes, BUT, you have to look no further than at the top of this page to see how utterly unclear text labels can be.
44
alejohausner 2 days ago 0 replies      
I came here looking for tips on how to turn on text labels in various UIs, and have not been disappointed.
45
jgalt212 2 days ago 0 replies      
Amen, the ribbon is the worst thing to happen to MS office.
46
agumonkey 3 days ago 1 reply      
In Latin, for genericity.
Chemical clears Alzheimer's protein and restores memory in mice nature.com
452 points by coris47  4 days ago   138 comments top 13
1
blisterpeanuts 4 days ago 5 replies      
This is heartening news; if not a cure, at least it suggests a promising avenue for future research into this terrible condition.

This LiveScience[1] article is an easily read summary that also mentions a critique of the approach.

Given the unfortunate history[2][3] of falsified Korean scientific research, it would be prudent to withhold judgment until these results have been reproduced in other labs around the world.

1. http://www.livescience.com/53019-epps-chemical-washes-away-a...

2. http://www.nytimes.com/2009/10/27/world/asia/27clone.html?_r...

3. https://www.washingtonpost.com/news/to-your-health/wp/2015/0...

2
andy_ppp 4 days ago 6 replies      
Wow, you can buy some EPPS (the chemical in the article) here for 39.20?

http://www.sigmaaldrich.com/catalog/product/sigma/54465?lang...

Looks interesting research but I'm sure this stuff probably can't be that good for you!

3
reasonattlm 4 days ago 1 reply      
If you go digging around you'll find dozens of other similar results in the past five to ten years for dozens of various compounds, some of which produce larger effect sizes than this one. This is nothing to get excited over.

It is interesting the way in which various groups leap upon some research reports but not others. The challenge is always having the context for the broader state of research to understand whether it is meaningful or new or not.

The present mainstream view of Alzheimer's is that amyloid (and tau) clearance is the way to go. Immunotherapies are the most developed tool, but that is so far proving to be hard - it is too early to say whether failures in clinical trials are because it is hard or because amyloid clearance isn't as useful as thought in this condition. Which could be for any number of reasons including that amyloid-related biochemistry is the problem, but clearing a particular variant or stage of its aggregation doesn't touch that problem area.

Amyloid levels in the brain are in fact highly dynamic on a very short timescale. That Alzheimer's develops slowly supports the view that the condition is a slow degeneration of natural clearance mechanisms, such as the filtration performed by the choroid plexus, or the more recently investigated peristaltic passage of fluid out of the brain by other channels. E.g.:

http://www.ncbi.nlm.nih.gov/pmc/articles/PMC4245362/

On that latter point, the Methuselah Foundation just a few days ago seed funded a startup company that will investigate whether reversing the degeneration of peristaltic fluid passage with aging will improve clearance and thus stop the progression of Alzheimer's. It's based on as yet unpublished work by Doug Ethell at GCBS Western who presented at Rejuvenation Biotechnology 2015 ( http://www.sens.org/files/conferences/rb2015/RB2015-Program.... ), and has the merit that it should be a fast failure if the theory is wrong, unlike many of the other efforts in Alzheimer's research.

4
eveningcoffee 4 days ago 2 replies      
The title is "EPPS rescues hippocampus-dependent cognitive deficits in APP/PS1 mice by disaggregation of amyloid-β oligomers and plaques" and it does not say that it reduces memory, it says "EPPS reduces Aβ-aggregate-induced memory deficits in mice" but they also say that "We observed substantial rescue of working memory deficits in Aβ-infused mice by EPPS treatment".

Of course this is only small part of the paper and I have no training to appreciate it more.

5
plg 4 days ago 4 replies      
it's a great day for mouse health
6
nashashmi 4 days ago 5 replies      
I am having an epiphany. Maybe this "Alzheimer protein" is supposed to be the brain's defenses to something much worse. Maybe this protein is a "reaction" similar to skin rashes when it absorbs poison ivy's urushiol.

If Alzheimer was simply a deficiency of nutrients, I wouldn't think this way, but if it really is a protein that "can be cleared", why did it get there in the first place?

7
midnitewarrior 4 days ago 0 replies      
Wow, they've prevented Alzheimer's in healthy mice, and restored memory function to sick Alzheimer's affected mice. The treatment is non-toxic at ridiculous levels too.
8
keeptrying 4 days ago 1 reply      
There have been at least 3 previous solutions for AD in mice which have never panned out in humans.
9
daveguy 4 days ago 1 reply      
I would like to point out that the main study described in this article is not the "inject aggregated amyloid beta fibrils" that is described first. That study was a preliminary study that prompted the main study which uses genetically altered mice.

The test for Alzheimer's for the first study (previously reported but summarized again) was to quantify how much the mice deviate from solving a maze that they have been trained to solve.

In the first they injected amyloid beta aggregates into mouse brains and found that EPPS administered orally at 30 mg/kg and 100 mg/kg restores the ability of the mice to efficiently solve the maze.

Next they tested toxicity and quantified the amount of EPPS that passes the brain/blood barrier. For toxicity they found no signs of toxicity at 2000 mg / kg (20x dosage). For blood/brain barrier, as you go up in blood concentration you should go up in brain concentration if there is a good penetration from blood to brain. If the barrier is high then you immediately get high blood and low brain concentrations. The point where there is no longer a significant increase in brain concentration when increasing blood concentration is used to determine effective dosage concentrations. They found that at 100 mg/kg they were starting to see increased blood/brain ratios so they targeted 10-100 mg/kg for the next study.

MAIN STUDY (which included identifying the dosage level) used mice that were engineered to "get Alzheimer's" starting around 5 months of age because they produce a human gene (transgenic) that is a precursor to form the AB plaques. This transgenic model is established and the mice showed the expected amyloid beta plaques and had difficulty solving the maze at 10.5 months as expected.

Starting at 10.5 months they gave oral doses of EPPS at 10 mg/kg and 30 mg/kg and monitored maze solving along with several additional tests: likelihood to freeze when presented with negative input (fear conditioning) and ability to find hidden platforms when swimming (water maze). Both tests improved significantly to the wild-type (no Alzheimer's) level when taking EPPS. They also did dose dependency at .1, 1 and 10 mg/kg. There was a steady improvement at higher doses.

They also took slices of the mouse brain and tested whether or not the neurons responded differently to electrical stimulation. They found no difference in wild-type (WT, non-genetically altered) or transgenic (TG, altered) response to electrical stimulation with and without EPPS. This hints at no difference in neural activity with or without EPPS. They also gave EPPS to WT for the behavioral tests and did not see a difference (although that was not shown in the behavioral test figures).

They also took slices of the brain and stained them with a fluorescent dye to show the Alzheimer's associated plaques. There is a significant quantifiable reduction in plaques in the treated mice.

They used several other techniques to confirm that they were actually AB plaques and they disaggregated by a specific site of activity. I won't go into those specifics, but to say that this was a VERY well designed and executed study across multiple lines of inquiry and all of the lines of inquiry point to the same conclusion:

EPPS rescues hippocampus-dependent cognitive deficits in APP/PS1 mice by disaggregation of amyloid-β oligomers and plaques

And that's why it's a Nature article.

10
aantix 4 days ago 1 reply      
A slightly unrelated question; are there any companies out there that are working on a replacement for mouse models in disease research?

I'm thinking more in terms of computer simulation?

11
openbsdway 4 days ago 0 replies      
Perhaps Pinky can now stop asking Brain what it is they will be doing tonight!
12
antidaily 4 days ago 0 replies      
BUT it makes for pet chimpanzee super smart and ruins human civilization, setting up an epic battle between apes and men.
13
heimatau 4 days ago 3 replies      
Ginkgo Biloba [1] is very solid at helping prevent Alzheimer's, even in some cases slowing it down when it's already occurring. Lots of research on the benefits of Ginkgo. Yet most don't know about it.

[1] https://duckduckgo.com/?q=ginkgo+biloba+alzheimer+site%3A.ed...

How Product Hunt really works medium.com
687 points by brw12  6 days ago   222 comments top 53
1
phantom_oracle 6 days ago 4 replies      
Nothing can hurt a well-meaning first-time founder of some useful side-project business than to learn that a non-entity like Product Hunt is a rigged game where the inner circle are simply gaming the system for their friends and people whom they benefit from and will benefit.

From "top 3% of coders" to "your product will get 1st spot if you scratch our back with a small slice of the pie or counter-promote our product with yours" to "we will only invest in you if you get referred through an acquaintance of ours", the game surely does feel more rigged each day.

The upper echelons of tech sure do share more similarities with high-finance than they would like to admit...

2
minimaxir 6 days ago 6 replies      
Speaking of "PH is rigged by insiders," it's worth noting that a "top user" is selling a book on how to best pander to the PH userbase: http://www.amazon.com/gp/aw/d/B00TP3MFHE/ref=mp_s_a_1_5?qid=...

This is an odd racket, to say the least.

Re/code wrote a relevant article a few months back (http://recode.net/2015/06/18/product-hunt-the-startup-kingma...) about Product Hunt elitism, which I was interviewed for and the response from the PH team to the article was essentially "haters gonna hate." It's disappointing that nothing has changed since then, and arguably, things have gotten worse.

3
birken 6 days ago 8 replies      
Hacker News is a long-running, open, inclusive startup community that is subsidized by a related business, doesn't sell anything, and has proven time and again to do things good for the entire startup community.

Product Hunt is a new, closed, exclusive startup community run by a for-profit company that will eventually have to start selling you something.

Not sure why people complain about PH so much... just don't use it. There already is a perfectly good community of startup people out there that has much more incentive to stay "pure" than a for-profit one. Sure, HN isn't perfect, but fundamentally it is always going to be better than any for-profit communities.

(And also this obligatory comment: If you want to build a successful company, stop wasting your time browsing startup communities and spend your time talking with users and building your product)

4
OoTheNigerian 6 days ago 0 replies      
Below is a mail I sent in response to a Recode article in June about Product Hunt. Summary : horribly elitist and what the Valley should avoid becoming.

I'm almost never harsh to a fellow founder but I thank God Ryan Hoover doesn't wield much influence. Wrong hands to expect equity or fairness.

--

Hi Carmel,

I'm following up with you about your post on PH.

Summary,

There is insane bias towards outsiders of the club. Here is my case in point.

I submitted my startup https://callbase.co up to FIVE times and it was never approved. However aircall.io a competitor has made the front page TWICE in that period.

Of course having a handle @OoTheNigerian does not help :D

As at the time my second submission was being rejected, Mattermark's Newsletter was making the front-page as a product (1 of 5 http://www.producthunt.com/tech/mattermark-4#!/s/posts/matte...). Yup, ridiculous. (I have absolutely nothing against the great work Danielle is doing).

This is one of several.

I sent Ryan (copied) a strongly worded email after several ignored ones and he "offered" to allow mine through on a weekend. Lol.

This is just a case in point how hard outsiders (I live in Lagos, Nigeria) find it in the quest for success. Silicon Valley is a meritocracy but you have to be seen first to be considered. No?

Of course, it is his platform and can do whatever he wants with it. However, it should be clear to him what he is doing. Perpetuating the cycle of the powerful being more powerful.

It would be nice to see the demographic representation of his all powerful voting clique.

After reading this Ryan may (or not after seeing this) now go posting about us when we may be asleep or not ready.

Great write up BTW!

5
brw12 6 days ago 3 replies      
Interested in your thoughts, HN. I tried to write from a place of compassion and not be all haterating.
6
mootothemax 6 days ago 3 replies      
Surely if your app's sole source of success is a spending a short amount of time on some website's front page, you have bigger issues with your business strategy?

Go back a few years and everyone used to talk about their struggles getting featured on TechCrunch; I didn't believe it was make-or-break back then either.

7
tptacek 6 days ago 4 replies      
The only time I ever hear about Product Hunt is in the once-in-a-blue-moon posts like this I see about it on HN.

Do people take PH seriously?

8
sparkzilla 6 days ago 2 replies      
I am so happy to read this article and I commend Ben Wheeler on bringing it to light. I had written a similar article in July but did not publish it as I was promoting a new version of my site. I was afraid to speak out because I believed it would hurt my chances of getting funded. I should have gone with my convictions. I have now published it. [1]

Ryan Hoover has not only outsourced VC product discovery, he has outsourced its class system too. It's incredibly disheartening to be outside the loop, trying to get your product noticed, and submitting it to what you think is a free system only to have other products by well-connected insiders block it out.

When I saw Hoover and Jason Calacanis congratulating each other on Twitter I knew immediately what was going on. Despite multiple emails, Hoover wouldn't even give me access so I could comment on competing products. I'm glad this is coming back to bite him and his investors too -- they went along with it.

I don't expect anything to change because sites are a reflection of the personality of the people who run them and Hoover has already shown he is completely corrupt. Meet the new boss, same as the old boss.

[1]http://newslines.org/blog/the-new-gatekeeper/

9
throwaway415 6 days ago 0 replies      
I was initially really excited to learn about Product Hunt and what it meant to the existing ecosystem: Diversity.

An independent contender in the war for eyeballs/voice in the hacking/tech/entrepreneurship community -- how exciting! I would imagine while their motivations might be similar to what YC wants with HN (distribution, influence), they could possibly open up and serve new members in the ecosystem that aren't, can't, or don't want to be a part of the HN/YC pipeline.

Building a working group of heterogenous independent sources to serve new and exciting topics is important to breaking out of the echo chamber we so often create for ourselves within tech. I was hoping Product Hunt could bootstrap the entire venture, stay clean, and true to the spirit of a meritocracy.

Then they went through YC, and now I see the same "influencers" there as I do here, with the same system in place to promote their own vested interests. It just makes me slightly sad that the pressures of succeeding create collusion among players in this market, thereby perhaps obscuring the potential for new/interesting/different emergent technologies/startups to thrive.

Among my peers, over time PH has become less of a community set out to serve the good of the people, and instead has become more of a pipeline for quick sales or testing new ideas, leaving a feeling of what can only be described previously as the "Tech Crunch of Initiation".

Product Hunt has essentially supplanted Tech Crunch in the YC/TC relationship of yesteryear, albeit to an even more perilous extent. Products are no longer vetted by working professional journalists, whose obligation should be to the consumer and not the producer, but rather by the very product's investors, advisors, and "insiders".

We therefore must ask what is the value-add here? Is it truly a wonder that it proves marginal, and perhaps even detrimental, to the long term success of the startup community as a whole?

10
sagivo 6 days ago 0 replies      
I got to be #2 in product hunt featured list few weeks ago. a random dude saw my post here at HN about launching a beta and published it there. no inside connections, no promotions, and unfortunately - no preparations. we got ~5000 visits in a day and didn't really use the spike for anything special. we lost most of the momentum the next few days and when we were ready to better UI/Flow it was too late.
11
sharkweek 6 days ago 1 reply      
I don't visit Product Hunt much, but I do follow their founder on Twitter.

He seems like a super well-intentioned person, so I'm surprised to read all of the commentary here on HN. Am I being duped by some Product Hunt scam that I'm completely oblivious to?

12
onewaystreet 6 days ago 0 replies      
Startup founders care way too much about getting featured on HN, PH, TechCrunch etc. If you look at the successful startups of that last few years (http://techcrunch.com/unicorn-leaderboard/) many of them were successful before they were even noticed by the technorati. Unless your product is specifically targeted to these people, you are wasting your time.
13
wuliwong 6 days ago 0 replies      
I had a similar experience and I guess I am naive because I did let it bother me.

Someone submitted my site to PH a couple months ago, it got up-voted 20+ times in that "upcoming" area but never was moved to the front page. I believe it ended that first day with more up-votes than some of the products that were featured.

I reached out to the PH guys on twitter and they told me to get more people to vote for it or something to that effect. I noticed a few of products jumping straight to the front page without the upcoming purgatory.

I have read a number of comments writing these issues off to the fact that PH is a "for profit" company. I think that is a bit too jaded an opinion to have no expectations for this to ever be different. My understanding is that Reddit does not suffer these same issues. I think a for-profit venture could actually benefit greatly by being transparent. I think it would take founders that are looking further down the road than the PH guys appear to be and not getting caught up in the immediate gratification of glad-handing and being part of an 'inner elite.'

Full disclosure, I still look at PH pretty regularly. :-p

14
ryanSrich 6 days ago 4 replies      
It always surprises me when people get bent out of shape when they learn that blogs and forums are rigged to favor a certain group of people. There's A LOT of money to be had and if you think places like Product Hunt, Reddit, HN, etc. aren't all being rigged in some way, you're naive.
15
exolymph 6 days ago 1 reply      
Apparently I'm not cynical enough, because I was surprised by this. Does Reddit's front page work the same way?
16
michaelbuckbee 6 days ago 2 replies      
PH is more like a collaboratively edited magazine where the founders have selected a large group of friends to act as a top level filtration system for "products".

Mostly what they're selecting for is "is this of interest to our audience" - of which said audience is currently mostly free tech / designery / social type things (even as they start to add more categories).

While it's nice to be featured, it's quite unlikely to bring you a large amount of traffic and/or signups. A submission to a decent sized sub-reddit will likely drive 2x the traffic that ProductHunt will, a submission to BetaList more signups and a front page HN post 10x.

If there's a reason to get featured it's to try and get some feedback from the community (if they're your audience) as they tend to be quite helpful.

17
cromwellian 6 days ago 1 reply      
I think Product Hunt merely reflects the way things work in SV. SV is not a "meritocracy". Really shitty ideas get funded and acqui-hired all the time based on insider connections. You think Marissa bought Polyvore for $230 million because it was a rocket ship?
18
zenlikethat 6 days ago 0 replies      
The solution to this is easy. Don't visit Product Hunt or treat it as having so much value. It won't make or break a product.
19
marshray 6 days ago 0 replies      
I had never heard of Product Hunt. If I had heard of it, in the absence of information to the contrary, I would have assumed it was corrupt.

It appears in this instance my general cynicism of all-things-Marketed is confirmed.

But what would an alternative world look like? Is the industry trapped in some product placement local minimum?

What if we could trust online reviews by default? Would the same industry make more money or less, or would it just go to different people?

Often, defenders of invasive advertising say "it informs people of products which are relevant to their interests". Shouldn't then advertisers promote integrity in their other Marketing venues as well?

20
joshmn 5 days ago 0 replies      
I've had three products I wanted to push on PH and since I'm not in anyone's inner-circle / e-friend I was promptly told I had to find someone who was in order to gain access.

It's like a boy's club where they pass around the neighborhood bike for everyone to ride, only to find another one after they're all done riding it.

Even more so, I've seen more "here's a landing page, we haven't even a git repo yet, just trying to validate the idea, so give us your email" shit on PH than I would on Reddit.

21
volaski 6 days ago 1 reply      
In my experience, the OP is correct about one thing, it's waste of time to post on upcoming on PH. However this is nothing compared to how opaque Hacker News is. If your product is novel enough and reach out to these "insiders" beforehand (or even afterhand), I don't think you have trouble getting to the front page on PH, whereas on HN I see tons of people reaching front page by asking for upvotes from friends. The only difference is PH is--ironically--transparent about its opaqueness, whereas HN is opaque about its transparentness. To elaborate, on hacker news everything looks transparent, and to certain degree it is (you can find the raw stream under "new" tab), but the ones that reach the front page are not always there because 100% of the community decided so, there are many hidden things going on in the background that most people don't even know. Whereas all you need to do to get featured on PH is to reach out to these "insiders", to guarantee you reach front page on HN you need to get people to upvote you. I feel that PH is much more democratic than HN since everyone gets same chance whereas on HN the people with already existing audience wins.
22
lsniddy 6 days ago 5 replies      
One of my products was featured on product hunt in its early days (no idea who submitted it). I remember thinking then - "well, cool, but people looking for new products are not really my target market."

Has anyone seen any value come from PH?

23
nl 5 days ago 0 replies      
What someone should do is create a ProductHunt competitor, and geo-block California. Nothing like faux-exclusivity to encourage adoption ;)
24
kilimchoi 5 days ago 1 reply      
One thing this article fails to mention is that YC startups automatically get featured on Product Hunt. This probably has to do with the fact that YC invested in Product Hunt.
25
odbol 5 days ago 0 replies      
Not to mention that Product Hunt violates their own rules all the time: I see plenty of posts for big companies like Microsoft announcing products that aren't available yet (e.g. Hololens, Windows 10 before it came out, etc), even though their FAQ explicitly states that the product has to be available to the public at the time of posting.

Really what should tip people off even more is the inability to comment. If the viewers of the site can't actually interact, since commenting is only allowed for "approved" users, they should realize that the whole thing is just a scam.

See any ads on Product Hunt? See any monetization strategies? Oh wait, the whole website is an ad, and only those in the know or those who pay will get featured.

26
aagha 5 days ago 0 replies      
It's interesting to read all these comments about PH over a year after previous posts (0,1) about PH's transparency. @rrhoover's comments are especially interesting as they indicate that PH is interested in moving to a more open and democratic (and diverse) promotion platform. Over two years later, it seems it's still moving in the wrong direction.

0 - https://news.ycombinator.com/item?id=7980403

1 - https://news.ycombinator.com/item?id=8047647

27
nodesocket 6 days ago 1 reply      
This really feeds into my cynical attitude and sentiment that we are part of a rigged system. I've been trying to stay positive about technology and startups, but honestly it is everywhere. Tech news, advertising, fundraising, hiring.

Finance and the stock market is rigged the same way. A select few (the rich) get inside info, reporters and analysts write and give positive/negative spin on companies and profit, traders screw their customers, it is everywhere. Different market, same behavior.

28
nedwin 6 days ago 1 reply      
Hoover et al can build their product however they want, just be honest and consistent.

Looking through old threads I found this cracker of a post in reply to Ryan about their "anti voter ring policy" - which his tweet seems to counteract. https://news.ycombinator.com/item?id=9932641

29
tomasien 6 days ago 2 replies      
Startup advisors regularly take stakes in the full %'s? Since when? We have tons of advisors none of them have ever asked for a stake.
30
oelmekki 4 days ago 0 replies      
Hate everywhere, for a change...

I don't get why people think PH owes them in any way. Yes, it's all about curation. But yes, anyone could post there, provided they have a good product and they socialize a bit.

And this is what this is about. To me, PH is a social network for founders. They show off their project, discuss it and get feedback.

To all the people blaming how it's not egalitarian: would you create a twitter account, avoid engaging with anyone, then complain nobody is following you?

The same applies as in any social network: if you want people to get interested in what you're doing, start with being interested in what they're doing, and chat, a lot.

31
AndrewKemendo 6 days ago 0 replies      
So in other words, the same way everything in the "startup" world works: It's who you know.
32
hoodoof 6 days ago 0 replies      
I feel like it's a mistake to hide content behind "see all" and arrow right buttons. I feel like people look at what is shown to them and they are willing to scroll down but far fewer people are likely to go to the trouble of pressing a right arrow or "see all" button.
33
manigandham 2 days ago 0 replies      
And now there's https://www.openhunt.co/
34
jbob2000 6 days ago 2 replies      
This is how I think Shark Tank and Dragon's Den work too. The "sharks" all parade their new products on TV under the guise of entertainment, and throw in a couple silly/heartwarming ideas and people.
35
sixQuarks 6 days ago 0 replies      
The "products" that appear in the top placements of Product hunt these days are laughable. They're mostly features, not products.
36
forrestthewoods 6 days ago 0 replies      
I've been visiting HN daily for 4 years. I've never heard of Product Hunt. Is it actually that big of a deal? I'm sure it's been on the front page here and I've missed it. But apparently not all that often?

Or maybe this is a case where now that I know the name I'll see it everywhere. Funny how that works sometimes...

37
stahlkopf 5 days ago 0 replies      
I've always imagined sites like these are run by a small circle of insiders, who essentially sponsor or promote specific products. I find it hard to believe the promotional buzz and hierarchy of an entry into a site like this is completely natural.
38
callmeed 6 days ago 0 replies      
> That first submission is it ... it will end up on an internal list of products ineligible for future consideration.

This can't be entirely true. I see featured posts on PH that are nothing more than "Version 2" of some previously featured "products". But the links go to the same place.

39
brw12 5 days ago 0 replies      
Follow-up: Open letter by the fictional "Liam Cooper", or how @ProductHunt might respond to recent criticism.

https://news.ycombinator.com/item?id=10745098

40
dilap 6 days ago 0 replies      
Yeah, Product Hunt is a curated platform. I think it's always been pretty transparent about this?
41
hoodoof 6 days ago 0 replies      
The worst thing about Product Hunt is that I just don't find many of the products very interesting.

Oops having read the article - wow - Payola Hunt! https://en.wikipedia.org/wiki/Payola

42
chanux 6 days ago 0 replies      
Does anybody know how to delete a product hunt account?

PS: Apparently you have to email hello@producthunt.com

43
altonzheng 6 days ago 0 replies      
How effective is posting something to product hunt really though? I mean, you are basically sharing it to the same silicon valley tech community who live a life very divorced from the majority of people.
44
api 6 days ago 2 replies      
PH strikes me as a vanity metric. Does it really get you noticed that much?
45
quintin 6 days ago 0 replies      
The fact that not many readers will Recommend this article on Medium but has 146 upvotes on HN speaks of the circle that Ryan has and pros of the anonymity that HN provides.
46
chinathrow 6 days ago 0 replies      
TL;DR: it's mostly rigged by some users with privileges.
47
aagha 5 days ago 0 replies      
A lot of anger here for PH, but why not the people that back it? The Angel investors are listed on their site [0].

Are some of these folks so powerful that if you tweeted at them that they're backing a corrupt bro-club you'd lose any chance of funding?

0 - https://www.producthunt.com/about

48
varunjuice 6 days ago 0 replies      
Product hunt is native advertising.
49
pbreit 6 days ago 0 replies      
So it's not perfect and helps to know someone. Welcome to the real world!
50
Angostura 5 days ago 0 replies      
The parallels with the whole Digg v4 debacle seem quite pronounced.
51
artur_makly 5 days ago 0 replies      
How Meta is this?
52
anon8418 6 days ago 1 reply      
I feel the point of PH is not to create a real business in the sense of earning money by selling you a product or service, but rather to establish personal brand equity and influencing power of the management team.

This can be useful for future projects (such as finding funding), to increase their standing in the SV community, and to establish themselves as marquee valley power brokers.

In this sense, it doesn't make much sense to add more transparency and voting control to ordinary users.

This is pure speculation and assumes the worst. So take this with a grain of salt.

53
intrasight 6 days ago 0 replies      
And since neither I nor anybody that I know has ever heard of or used Product Hunt - why do I care?
What You Believe Affects What You Achieve gatesnotes.com
419 points by pykello  5 days ago   148 comments top 31
1
codeshaman 4 days ago 9 replies      
I have the book, started reading it about a year ago and stopped halfway, because my bullshit cup got full.

The reason I think this book is nicely packaged bullshit is because it presents exceptions as rules and then tries to build a theory out of it.

I wish it were as easy as Dr. Dweck describes it, but there are gotchas.

I can agree with the distinction of 'fixed' versus 'growth' mindsets (although... how do you measure that?), but that success is guaranteed if you believe and try... Not necessarily. Ask 9 startup founders out of 10.

Not achieving "success" (failing) is rarely free: it leaves emotional and physical scars. Repeat it a couple of times and you're either dead or on your way there.

No, success is not guaranteed even if you try many many times, even if you train a lot and believe a lot.

In fact, the rule is this: No matter how hard you try, you might still lose. Sorry about that.

And the reason for this is not mindset - the reason is your definition of success. If you try to win at the wrong game, you will probably lose at it. So pick your game wisely.

Of course, a fixed mindset will only land you some semi-boring job, a family, a couple of kids and a lot of mainstream entertainment... I guess that's the definition of "failure" these days... But is it?

*

By the way, if you want useful advice about how to be successful in life, Bill Gates is a very bad choice. It might be counterintuitive at first, but think about it... As a bird, is it smart to fly around with your mouth wide open in order to catch food... because that's what the whale does?

2
jondubois 4 days ago 6 replies      
I think this is an inversion of cause and effect. The reality is much less inspiring; It's "What you achieve affects what you believe" not so much the other way around.

I know this for a fact because as I become more sceptical/pessimistic over time, my achievements increase. If I was a blind optimist, I would probably fail as soon as reality reared its ugly head.

If someone is really lucky throughout their lives, they will have an optimistic view about the world and the people around them.

Unfortunate people might find a statement like this offensive because they know for a fact (based on their own experiences) that this isn't true - It's almost like saying "It's your fault for being poor; it's all in your head!".

3
shardinator 4 days ago 2 replies      
There's an important idea I feel is being missed. Something can be true "in distribution" but not true in a "pathwise" sense. That means, over the long run, for most people, on average x is true. But for a specific individual and/or specific time frame it can be very untrue.

Point being I can say to you "adopt a growth mindset", you do it, but it doesn't work and life throws you 'a curve ball' again and again. Doesn't mean my hypothesis was wrong, and doesn't mean you didn't follow through properly. We can both be right in this case.

All it means is, we should act as if our actions/thoughts count, but accept it as a fundamental property of the universe that they may not 'bear fruit'.

All we can do is embrace the chaos^

^ as in chaotic systems

4
thewarrior 4 days ago 3 replies      
This is a bit late but this should be noted:

"Bill Gates: No. I think after the first three or four years, it's pretty cast in concrete whether you're a good programmer or not. After a few more years, you may know more about managing large projects and personalities, but after three or four years, it's clear what you're going to be. There's no one at Microsoft who was just kind of mediocre for a couple of years, and then just out of the blue started optimizing everything in sight. I can talk to somebody about a program that he's written and know right away whether he's really a good programmer."

http://blog.codinghorror.com/how-to-become-a-better-programm...

So does Bill still believe this or is he a hypocrite in hiding?

5
matthewbauer 4 days ago 2 replies      
This is interesting in the context of American History. Basically, a majority of settlers were Calvinists. A big part of Calvinist belief was "predestination" which basically holds that a person's destiny (heaven or hell) is determined by God before they are born. This would seem to me to reinforce a "fixed mindset". Paradoxically, out of that same belief system came the "Protestant work ethic" which depending on who you ask made America the greatest country on Earth. I think that one could argue that the "fixed mindset" enabled a sort of wishful thinking attitude: believers thought they were predestined so they focused on growth and self improvement over the usual Catholic traditions (which focused on a growth mindset in religious observance while having a more fixed mindset in practical work ethics).
6
choxi 5 days ago 0 replies      
I believe everyone should have a growth mindset, but the paper from Dweck is popularized and interpreted a little too loosely. The stricter interpretation is less compelling:

In the Bloody Obvious Position, someone can believe success is 90% innate ability and 10% effort. They might also be an Olympian who realizes that at her level, pretty much everyone is at an innate ability ceiling, and a 10% difference is the difference between a gold medal and a last-place finish. So she practices very hard and does just as well as anyone else.

According to the Controversial Position, this athlete will still do worse than someone who believes success is 80% ability and 20% effort, who will in turn do worse than someone who believes success is 70% ability and 30% effort, all the way down to the person who believes success is 0% ability and 100% effort, who will do best of all and take the gold medal.

It might seem pedantic, but I worry that propagating this loose interpretation will lead to many people believing their positive "growth" attitude, and not years of concentrated practice, is enough to grow.

From: http://slatestarcodex.com/2015/04/10/i-will-never-have-the-a...

7
dev1n 5 days ago 3 replies      
Gates speaking about the "fixed mindset" vs. "growth mindset" reminds me of this [1] article by Aaron Swartz.

[1]: http://www.aaronsw.com/weblog/dweck

8
hcarvalhoalves 5 days ago 1 reply      
Is this maybe a western cultural bias, that somehow God blesses you with talent and that's it? Some residue from aristocracy?

When you look at things like Japanese martial arts, it's all about learning from someone more experienced and lots of hard work. The limiting factor is your endurance, and the general sentiment is that "if someone learned before me, I can too".

9
karmacondon 5 days ago 1 reply      
Love this idea, but I do not recommend the book. It's clearly a science article that has been stretched into 250 pages. Same idea, repeated repeated repeated.

I highly recommend a summary, unless you think you'll benefit from reading twenty examples of the same concept. It's one of the few books that I started but didn't finish this year.

10
personlurking 4 days ago 0 replies      
"Energy flows where attention goes"

Above is another line, like the one in the title. On one hand, it's obvious because if you focus your attention, for example, on building a computer, of course your energy goes in that direction. On the other hand, if you don't realize your attention (ie, thoughts) is on certain matters, you may be expending energy on that unknowingly. Of course, if you're a generalist and your attention goes everywhere, your energy is following suit.

11
buro9 4 days ago 0 replies      
I think the same about the language we use.

Or rather, I think... "What we hear affects us, and we hear ourselves.".

This is an extension of the "surround yourself with positive people" thing, in that I believe it's important to be positive, kind, generous, as the language and tone that we use to express we hear constantly and those words, that tone, shapes our thoughts, mood, aspirations.

It's important to be mindful and to be the person you want to be. By doing so, we frequently are that person.

12
Simp 4 days ago 2 replies      
>When I was visiting with community college students in Arizona, one young man said to me, "I'm one of the people who's not good at math." It kills me when I hear that kind of thing. I think about how different things might have been if he had been told consistently "you're very capable of learning this stuff."

Couldn't agree more with this specific example. But you shouldn't ignore reality either. A man with no legs is not going to win the 100 meters at the Olympics. Understanding where your potential lies is important for deciding where to invest your effort. That doesn't mean he can't improve at all though.

Especially in things like math, there is a popular belief that you need some kind of 'math gene' to be decent at it. There is little evidence that there are math specific genes beyond general learning ability.

[Same genes 'drive maths and reading ability'] http://www.bbc.com/news/health-28211676

Sadly, in a lot of cases this will lead to a self-fulfilling prophecy where you will stop trying to improve your math skills because you weren't "made for it".

But that's really more a problem of a false belief that these things are set from birth. A blind belief in 'I can do anything I want despite the situation or environment I am in!' isn't going to help anyone. I would advise the runner with no legs to invest his precious time and resources in something other than trying to win the 100 meters at the Olympics.

13
jgord 5 days ago 1 reply      
The central idea seems so important, with so much benefit to education if it were true, that it would justify a large scale rigorous experiment [ just as a new kind of promising medicine would be trialed over a wide sample ]

Maybe schooling is stuck in a local maximum, because we don't do things like this, because it's not socially acceptable to 'experiment with our children's education'?

14
known 4 days ago 0 replies      
There is no intrinsic motivation. http://researchnews.osu.edu/archive/inmotiv.htm
15
shin_lao 4 days ago 1 reply      
Another way to view it is that the biggest limits in your life are the ones you set.

I'm perfectly aware that some people start with huge disadvantages in life, but whatever your starting point, you can end up much higher. Never let anyone tell you otherwise.

16
dmichulke 4 days ago 0 replies      
"If you don't fail 90% of the time, you're not aiming high enough" - Alan Kay
17
devonkim 4 days ago 0 replies      
You know what's worse than thinking you're not capable? Others telling you you're capable and despite your best efforts you fail to meet these expectations whether those reasons are within your control or not. This is putting a carrot on a stick in front of a lot of kids potentially and saying "you just need to believe you can do this and try real hard, gosh anyone can do it!"

Expecting a person with severe learning disabilities that they can go work at a top HFT shop or a paraplegic that they'll be able to beat the world record for a 100 meter dash is the kind of goalpost that is being set for many children that are born disadvantaged. Bill Gates may have been studying what keeps the world's poor the way they are for a long time but there are a lot more factors that keep people down than just simply motivation.

Part of why I haven't started a company yet is out of fear of kind of literally destroying my life and others around me. The sheer amount of work that you put into a company is one thing, and not having the closest people you know be supportive of the work you do puts you into a position where you must either be so secure that failure is not a problem or that you must succeed on a first try.

Reid Hoffman's tips on when you DON'T want to start a company come to mind. Some of those criteria include "if you cannot get another job" or "you will put yourself in harm's way by doing so" (paraphrased, can't find the slides he had). So for the poor, despite having not much to lose in theory, they do have everything to lose in that their lives are all they can give up in the absence of capital or remarkable domain knowledge / skill advantages. Risk tolerance for the poor is actually very low thusly.

18
jqm 4 days ago 1 reply      
Ya, but... are some people more genetically predisposed to have growth mindset? :)
19
huuu 4 days ago 0 replies      
I did not read the book, but I think the book is not about becoming successful but about getting to know your potential. Success and potential are related/connected but there is a huge difference.

Being able to help out your neighbor isn't connected to success in our society. I think a lot of posters in this thread don't realize the distinction between potential and success.

20
metafunctor 4 days ago 0 replies      
Also, take this to the second derivative. You can learn to learn faster and more efficiently. You can set yourself up for success. You can start small, and gain momentum from there. You can learn to hack your motivation.

Will this guarantee success and a happy life? Of course not. But it will greatly increase your chances.

21
NumberCruncher 4 days ago 1 reply      
I think it is easy to praise growth mindset if you are the one who wants to learn and wants to get better through failing. But what about the other side of the coin?

Just imagine you are a teamlead and one guy in your team tells you "hey, I have found 2 new ways how not to implement Feature X. May I work on feature Y and use the knowledge I gained fucking up feature X?"

Or you have a project team and the project manager tells you "Hey, I found one new way how not to manage a project, how not to deliver on time and how not to motivate people. May I manage your next project and maybe waste another million dollars?"

In my experience situations like these end badly...

22
hv23 4 days ago 0 replies      
There was a good episode on the podcast "Invisibilia" discussing this topic of expectations influencing/shaping reality: http://www.thisamericanlife.org/radio-archives/episode/544/b.... Some pretty fascinating stories in this one; well worth a listen! I believe Dweck is referenced/interviewed early on in the episode.
23
popee 4 days ago 0 replies      
I only know that if you have strong Will you can achieve many things. Personally, the difference between Wish and Will is when you decide to achieve what you wish.
24
_navaneethan 4 days ago 0 replies      
The same thing [Derek Sivers] explains with amusement:

https://www.youtube.com/watch?v=pYTN7yVYbeg

Fortunately, yesterday night I was listening to it.

[Derek Sivers](https://sivers.org/)

25
tcannon 4 days ago 0 replies      
Interesting contrast, stories like this compared to the stories about how everyone who is successful feels like they are a fraud.

Maybe my study will be of note: If you believe headlines, you should read more.

26
god_bless_texas 4 days ago 0 replies      
Takeaway from this: I'm imagining Bill Gates practicing his fadeaway jumpers.
27
gesman 5 days ago 0 replies      
Well, if you read title, then you can safely skip the rest of it.

It's a good summary of an essence :)

28
devinhelton 4 days ago 0 replies      
Can someone explain to me what claim Dr. Dweck has demonstrated that is both novel and true? I have read a bunch of articles about her work, but it all seems to me like she has framed "growth mindset" against a strawman.

It seems blindingly obvious to me that ability in most fields is a function of both genes and effort. Genes shape how fast you improve with effort, and where you plateau. Genes shape the curve of the achievement-to-effort graph. Effort determines where you are on that curve. Effort determines how much of your potential you actualize. This dynamic is true in basketball, math, golf, painting, speech-making, guitar playing and virtually every other complicated human endeavor.

Some people need to be told, "You are naturally gifted in this field, stop being so hard on people who are not as good as you, they are doing the best they can."

Some people need to be told, "You are naturally gifted in this area. You have a responsibility to work extra hard in order to maximize your gifts. If you work your butt off, you have the potential to be truly special."

Some people need to be told, "This stuff might not come as naturally to you. You're going to have to work extra hard to keep up."

Some people need to be told, "Look you have been practicing harder than anyone, and honestly, I just don't think you have the raw talent to be a professional in this field. You can do it for fun, but be realistic about your career choices."

Some people need to be told, "Look you can't say you are bad at painting/writing/music/math/etc. You haven't even tried to learn it. This stuff is not natural for most people, there are books and YouTube videos that can show you how to do it. You need to build step-by-step. Practice one technique until it is in mental memory and then add more complexity. Unless you're Mozart, you don't just start from day one being able to produce great stuff."

It seems that as a culture, there are mistakes in messaging going both ways. For example, the premise of the "No Child Left Behind" education law was silly. There is in fact a bell curve with regards to natural academic aptitude. For instance, if you are in the bottom ~20% of that curve, it is nearly impossible to learn algebra. ( for some articles from a real teacher who is trying to teach algebra in the field, read: https://educationrealist.wordpress.com/2012/08/19/algebra-an... and https://educationrealist.wordpress.com/2013/10/31/noahpinion... ). Someone in the middle of the bell curve can learn algebra, but if they try to go into a career that involves advanced quantitative or logical skills, they will be competing against those who both have a natural aptitude and an economic incentive to try hard. The person with normal aptitude will likely lose that competition. So it might not be good advice to tell that person to double-down on math, even if they could make themselves better.

On the other hand, I hear a lot of smart friends say stuff like, "I'm just bad at math" or "I'm just bad at painting." In many cases, they never had good teaching, or they never tackled the problem aggressively. They never tried to learn incrementally, by building muscle memory on a simple technique and then adding more complications. They started with the hard stuff, and when it did not work, they just assumed they were bad at it. For people like that, a "growth mindset" can be helpful.

All of this should be pretty darn obvious. I don't really gather what new, credible information Dweck is adding to our understanding of how learning, motivation, and achievement works.

29
marklgr 4 days ago 0 replies      
Growth mindset does not imply you can achieve anything, just "you definitely can get better". Perhaps overconfidence can become a risk, but it seems a much lesser evil versus the cost of believing the opposite: "Here is your definitive level, for ever (don't bother)".
30
xyzzy4 5 days ago 2 replies      
Well the problem with the growth mindset is that ultimately you die, so your growth does a nosedive eventually.

If something excites or intrigues you, then do it. But don't delude yourself that your personal growth really matters.

31
jasey 4 days ago 0 replies      
Mindset is everything (at least extremely important for any level of success in entrepreneurship and most other things)

Most entrepreneurs solving ambitious problems look crazy to outsiders. Hence the famous Steve Jobs quote

"The people who are crazy enough to think they can change the world are the ones who do."

Look at what the Gates, Jobs and Musks of this world have achieved with their 'anything-is-possible' mindsets.

Btw, for those who are interested in this stuff I've created an app to help people develop a growth/positive mindset at http://positivethinking.net

My positive experience as a woman in tech verou.me
514 points by sebkomianos  3 days ago   379 comments top 34
1
indifferentalex 3 days ago 6 replies      
10/10 Will read again.

The sexism debate has indeed painted a bleak picture, people so often try to show a different side of the picture but end up using the wrong words or simply adding ambiguity to the discussion, most of the time only making the matter more complicated, and worst of all, pulling us even further from a potential solution. This one showed us not only a potential solution, but also proved its effectiveness.

Lea Verou (the author of the article) perfectly explains that even though there is undoubtedly a problem, a problem whose degree is not/can not be calculated (she also indirectly, simply by not giving it more article-time, makes us understand that the lack of statistics doesn't mean this problem doesn't exist or should not be resolved), this problem can and has already been solved, not by company policies or special rules, but simply by people treating others (women included) nicely, or as my first grade teacher taught me, by following the golden rule, treat others the way you want to be treated, and amazingly across all mindsets and ways of thinking this rule means, for anyone beginning from the wee age that they understand what those words mean, that one should be treated in a way that is free of bias, fair and rational.

I will read this article again, and I will recommend it to friends and acquaintances and family, because sexism is a problem beyond tech too (in certain industries it might be an even bigger problem). I think this article and hopefully ones like it that either exist already that I do not know of, or ones that will be written afterwards, are a great way to make us realise that all people should be treated the way that we want to be treated, and I truly believe that will be enough to fix the problem of "women in tech".

2
golergka 3 days ago 5 replies      
> It's impossible to know, especially since they don't know either! If you confront them on their sexism, they will deny all of it, and truly believe it. It takes a lot of introspection to see one's internalized stereotypes. Therefore, a lot of the time, you cannot be sure if you have experienced sexist behavior, and there is no way to find out for sure, since the perpetrator doesn't know either. There are many false positives and false negatives there.

Thousand times this.

I know that things like racism and sexism are bad and evil. But I also know that I am these things subconsciously. Having lived in a country with a long tradition of racism and sexism, and given I've ever talked to a black person for the first time half a year ago, I know that there's no chance that I don't have these stereotypes inside on some level. Of course, I try to fight that and become a better person, and on a rational level I know exactly why these traits are evil.

But when I'm trying to explain it to someone, too often they just hear "I'm racist" or "I'm sexist" and decide that I'm a total asshole :(

3
cubano 3 days ago 12 replies      
Here is my personal experience with the fringes of this issue over a lifetime of watching it play out before my eyes...

If a female is attracted to the guy, things he says or does are considered "cute", "flirtatious", and/or "interesting".

If not, the same actions are often considered "creepy", "jerkish", and yes even "sexist".

I think it's just human nature to perceive things in this way, and since women grow up in such a vastly different, sexually charged environment (I'm watching it happen with my 13 year old daughter right now) than guys do, it is, of course, impossible for me to understand all the nuance.

Just my anecdotal thoughts on it...btw it is good to see this woman make an attempt to address the issue.

4
gloves 3 days ago 0 replies      
> "when no positive stories get out, the overall picture painted is bleak, which could scare even more women away."

In a world where there is so much bad press and news, it is nice to read something from the other side. Refreshing and encouraging.

5
ZeroGravitas 3 days ago 2 replies      
> "Ironically, one of the very few times I have experienced any sexism in the industry was when a dude was trying to be nice to me."

I'm not sure how ironic this is. It seems to be setting up a straw man of sexist behaviour being the domain of moustache-twirling villains, rather than something that often perfectly normal men and women inflict on each other and experience unwanted outcomes of because of their culture and the structures of the society they grew up in.

6
SCHiM 3 days ago 3 replies      
Keep in mind that the situation she recalls, the one with the guy that apologizes to her for cussing, is perhaps not the sort of sexism you would want to try and get rid of.

The way I see it, this coming from an early 20s male (read, shall we say, constantly aware of the opposing sex), is that that attempt to be polite to a woman has nothing to do with her being a woman in tech, but simply being a woman in a social situation.

I guess what I'm trying to say is that it's pretty normal for a guy/girl to alter his/her behaviour when in a social situation with a member of the sex he/she's interested in. Even if the situation in question is supposed to be 100% platonic and/or work related. There is a limit, of course, to how far we can/should excuse this behaviour in people. But I don't think it's fair to stomp on people when they behave differently within limits.

Because you _are_ a woman, and it _does_ make a difference, but obviously not in the sense that you'd be any more/less competent because of your gender.

7
kelukelugames 3 days ago 0 replies      
>I would rather not call out sexist behavior ten times, than wrongly accuse someone of it once.

Story time!

An admin at work complimented me for having a cute girlfriend. Two of the younger women claimed that objectified women. On the other extreme, the CEO made jokes in the hallway about having sex with other people's wives, but no one ever complained.

Sexism from management is too often ignored. I suspect people would rather nitpick minor issues with peers and subordinates than tackle real problems against people in power.

8
michaelwww 3 days ago 0 replies      
Some people command respect, others get respect without asking because they deserve it, some are ignored one way or the other, being kind of neutral persons, and some get disrespect for a lot of little things they are not aware of, and some get outright scorn because they deserve it and know it. This has nothing to do with gender.

As a male, I've always tried to be someone who deserved respect. My first impression of Lea Verou is that she deserves respect and possibly something in her bearing gives off the impression that she commands it (that last part is pure speculation to make my point.)

I've noticed a lot of complainers of either gender aren't getting respect for the little things they are not very conscious of (and this is another reason for the disrespect - little self-awareness,) things like being late, doing sloppy work, gossiping, being greedy or careless with common resources, making inappropriate comments, and so on. I'm not saying there isn't gender discrimination, but I feel there are other factors that should be considered as well.

9
hahamrfunnyguy 3 days ago 0 replies      
Glad to hear the positive side of this. I can't say I've encountered any negative behavior in the course of my career that I would consider sexism.

I typically avoid crude humor and innuendo in the workplace because it's impossible to know who is going to get offended. That said, I wouldn't be surprised if I was even more cautious around women lest something be construed as harassment.

10
sonabinu 3 days ago 1 reply      
There are definitely good experiences. I think the problem is when management pretends they did not hear something. I remember another female colleague (absent at the meeting) being referred to as a 'chick' and the other men laughing it off. It was a very bad experience. Being the only woman in the room, I did not speak up but I wish I did.
11
pervycreeper 3 days ago 1 reply      
Blackstone's formulation for those who didn't bother to click through:

>"It is better that ten guilty persons escape than that one innocent suffer"

Wise to keep this in mind if you wish to be justice-conscious.

12
jenshoop 3 days ago 0 replies      
This is one narrative in an overall spectrum of experiences. Important not to sidebar someone's very real experience or assume every "woman in tech" goes through the same thing, so I welcome the introduction of a new perspective that runs against the grain a bit. I wonder if this was prompted by a well-intentioned friend asking "what it's like to be a female in tech these days"? This is a question I get frequently and I'm just sort of at a loss as to what to say -- I see a lot of problems with the lack of diversity especially at the senior leadership level and have been through my fair share of negative experiences, but I've also been fortunate to have insane mentors -- male and female (well, if I'm keeping score, more male than female) -- to help me progress, learn, develop. For me, and maybe this is fraught with its own issues, I've always just sought to prove myself, demonstrate my value by working hard, and earn respect that way. Few people -- male or female -- can hold you in poor esteem if you constantly work to be an ethical, industrious team-player.
13
anc84 3 days ago 0 replies      
> Stories like mine should become the norm, not the exception.

We don't know if that is not the case already. The echo chamber is powerful and viral.

A great post, thank you!

14
ionforce 3 days ago 0 replies      
I had the pleasure of attending one of her talks at a conference and she was one of the more entertaining, engaged, and articulate speakers there.

Glad to have come across her work again here!

15
exodust 3 days ago 0 replies      
Now we just need a "neutral experience as a woman in tech" piece and we'll have discussed the full spectrum of this topic.

I didn't read the article. When someone has a positive experience in tech "as a woman", that is the norm. I don't subscribe to that being noteworthy, regardless of the campaigns insisting otherwise.

Maybe some stories about nasty manipulative women in tech should be shared. Or not. Bad vibes and all, who needs bad vibes. I worked with a backstabbing IT exec woman in a previous job. Piece of work she was... Won't go into it of course but sometimes people just suck. Male or female.

The danger is that poor performance can be insulated by the distraction of over sensitivity to the "women in tech" issue that's memed at campaign levels.

16
dajohnson89 3 days ago 7 replies      
She had me until the very end, with the anecdote about the guy apologizing for swearing in front of her.

I would apologize if I said "fuck" near my country's president, or even the president of my small-ish company. Both of whom are male. It's a sign of respect. In the context of women, I see it in a similar light to holding the door open for a lady. It isn't me assuming she's too weak to open a door, it's just a common courtesy.

I'm genuinely sorry that the author was offended by the guy apologizing for saying "fuck" near her. I can't speak for him, and perhaps he was a total douchebag. But perhaps he was aware that on average men can be more crude than women, and in a professional (male-dominated, numerically speaking!) setting like that one, it's prudent to avoid language that could make people feel uncomfortable.

17
danr4 3 days ago 1 reply      
>"It takes a lot of introspection to see one's internalized stereotypes."

I think she hit spot on with this - But that bit was directed at men, when the reality is that it goes both ways.

The problem is that it's a cycle hard to break from - it's not just men being sexist, it's women being unconsciously sexist towards themselves because they grew up in a sexist environment.

That's why you need to raise awareness, to make men AND women more aware of their thoughts and actions which they did not know were a result of sexism. Gotta break the pattern.

18
FussyZeus 3 days ago 1 reply      
Personally I've only ever witnessed sexism at play in larger companies, startup culture by its nature I think is anti-sexist, the highly competitive market for employees combined with the sense of "who gives a shit about genders, we gotta get this thing fixed NOW" kind of makes it a de facto meritocracy.

Not to say that it can't happen in startups of course, just saying in the Perfect World, a startup culture would eliminate it before it even had a chance to take foothold.

19
kohito 3 days ago 1 reply      
I think the reason the overall picture painted of women in tech is bleak is because the typical experience of being a woman in the tech industry is bleak. Women are scared away from tech by their experience in tech, not by tech's reputation, so I'm not surprised there aren't more Leas out there.

Women who quit the tech industry (56%) do so at a significantly higher rate than they do in science (47%) and engineering (39%) ("HBR Research Report: The Athena Factor: Reversing the Brain Drain in Science, Engineering, and Technology" -- and I'll add that the report is good about addressing why childcare and the heavy workloads don't entirely account for the quit rate.)

Quit rates in the industry shouldn't be higher than other STEM industries. Even if you grant a pipeline problem, in which case sharing positive stories about women in tech improves the situation, once women are involved, positive stories can't impact how they are treated. The quit rate suggests it's a worse situation for women than in similar industries.

One commenter here suggests Lea's case shows nothing needs to change, which is odd, since Lea doesn't say that. It's also odd that this commenter suggests rule changes addressing inadequacies ought to be characterized as "special rules" -- special changes to fundamentally sound policy -- instead of "better policy" -- fundamental changes to flawed policies, policies demonstrated to be flawed by their unfair and differential impact on women.

Nonetheless, it is great Lea has had a positive experience. I am glad she shared it.

20
vinceguidry 3 days ago 0 replies      
> It takes a lot of introspection to see one's internalized stereotypes. Therefore, a lot of the time, you cannot be sure if you have experienced sexist behavior, and there is no way to find out for sure, since the perpetrator doesn't know either.

I had the thought today that the sexism debate is actually a war, but it's not a war fought by humans against other humans. It's fought by groups of neurons against other groups of neurons, our conscious minds are just pawns.

Many times, those groups of neurons war inside the same person's brain. Biological warfare is fierce.

21
JDiculous 3 days ago 0 replies      
Thank you for writing this, this was a much needed post that sheds light on the other side of the story that you never hear about.
22
ljw1001 3 days ago 0 replies      
thank you
23
reitanqild 3 days ago 2 replies      
Don't see why this was flagged. It is a well known fact that a lot of women thrive in tech.

I've said this too many times already but I've been told by women how much they enjoy working with men because we are so straightforward.

Edit: that said, didn't vote at all on this one, but flagged to death? No.

24
sktrdie 3 days ago 4 replies      
Am I the only one who thinks "sexism" is overrated? It's misinterpreted by so many and I'm not sure I understand what it means most of the time. I think humans are prejudiced about so many things that it's hard to keep track and "give a name" to every single prejudice. Obviously "sex" does set us apart much more strongly than, say, race, or probably any other thing, so I really find it normal that there are stereotypes and prejudices about "sex" specifically.

Obviously there's a problem if your stereotype, whichever it may be, becomes offensive and disrespectful. But I mean -- " I noticed for the first time that day that I was the only woman in the room. His effort to be courteous made me feel that I was different, the odd one out" -- there's no way you can label this "sexist". It's just a dude who probably thinks a girl is cute and is therefore a little awkward around said person.

I guess what I'm trying to say is that labels can mean different things to different people and I really hate using them to express my specific situation.

25
tomp 3 days ago 5 replies      
That's the general theme of public discourse... Americans killing Muslims in Iraq are "soldiers", whereas Muslims killing Americans in the US are "terrorists".

Edit: Looks like I've hit a very sore point...

26
silentplummet 2 days ago 1 reply      
This is fair, but let's recognize that the discussion takes place in the context of a few well known individuals who have made an enviably successful career as freelance victims, who stridently prevaricate about the persecution they've experienced in the industry, but by all accounts don't actually do any work on technology at all.

One wrote a story for a mediocre video game and claims publicly to be a game developer. Is she a 'woman in tech'? It's like if I painted a mural on a house during construction this one time and went on claiming a career in carpentry. But don't you dare claim I'm not legitimately a carpenter, because hey, stop persecuting me!

The dichotomy isn't false, it's quite real and true, and it seems obvious to me that there are a handful of lamentably visible charlatans who are to blame for it. On the other hand, I could list dozens of women in the industry whose output I greatly respect and they seem to experience great success, but you never hear a peep out of them. It's almost like the more "tangentially involved" one is with tech, the more vocal one becomes about this supposed persecution...

27
DrNuke 3 days ago 1 reply      
HN is a bubble made of few making it real, mostly in the Bay Area, and a lot of marginal daydreamers from all over the world. For this reason, the mood and the overall narrative is sometimes bizarre: we have a front page with one topic bashing India as corrupt (it may be 90-95% of the planet, actually) and this one where gender (race, age, culture, attitude) does not affect the industry. A bit detached from ordinary life, both the makers and the dreamers, uh?
28
anon4 3 days ago 0 replies      
Interesting. I was actually expecting a blank page.
29
Chris2048 3 days ago 1 reply      
I think, when we see things like this, we maybe need to clarify where (country) these experiences come from. I suspect that the worst of sexism in tech comes from the US, and that Europe is generally great...
30
sarahnadav 3 days ago 4 replies      
I am glad that this woman had a good experience, but it is the exception rather than the rule. Anyone who wants to use this as social proof that gender discrimination isn't a huge problem in the industry is fooling themselves.
31
Kenji 3 days ago 0 replies      
As a man, I'm really glad to read things like that. You know, the sexism problem makes both sexes feel bad. I think it is really important for our society in general that we don't let differences like sex get between us. It's silly and petty.
32
tangled_zans 3 days ago 0 replies      
Great article.

Odd though that so many commenters choose to interpret this as "look! clear proof that there is no sexism! everyone has been overreacting about it!"

If you don't believe that sexism is a real issue, look at source [0]. It says so right there:

"While women have gained many more rights and freedoms in most of the developed world, especially since the beginning of the 20th century, women still face discrimination and harassment worldwide. Until then, women in most of the world did not have the right to vote, and were treated with even greater disrespect than today."

https://simple.wikipedia.org/wiki/Woman

33
lifeisstillgood 3 days ago 5 replies      
Sexism is not "over-rated"

OECD's Social Institutions and Gender Index Is at http://www.genderindex.org, and is a litany of baked in prejudice, violence, lack of access to education, lack of access to property and other normal legal rights.

When we compare the lot of a 16 yo girl in Rwanda to a High schooler in SF, yes it is hard to find where the High schooler is having problems, but we just have to look at the ratio of men and women in tech to see there is a problem - even in modern, western, progressive San Francisco.

So globally, sexism is a violent oppressive force holding back progress for billions. In our happier world, it's waaaay better, but still not equal - and where there is inequality, there is profitable arbitrage opportunity. Both for talented women and for companies willing and able to introspect and overcome whatever is blocking their use of talented women.

The most obvious example I can see is I should be able to hire the very best development talent, for 80% of the price of the equivalent male talent ! Win!

34
daleharvey 3 days ago 5 replies      
It really isn't surprising this is pretty much the only article about gender discrimination that is allowed to be on the hacker news front page.

Lea is obviously a talented and confident person and it is great that she has had such a positive experience. Entirely agree that she can and should share it.

It is however sadly predictable that the comments on HN lean very much towards self congratulatory 'gender discrimination isn't really a problem!' discussions. The huge amount of discussion around the problematic areas of tech culture are routinely censored from this site giving people who have the privilege of not having to suffer from the systematic discrimination an easy pass to believe that there is no problem when even a token effort to look makes it more than obvious that there is a massive problem of discrimination in our field.

Fed Ends Zero-Rate Era bloomberg.com
424 points by lpage  5 days ago   350 comments top 26
1
roymurdock 5 days ago 18 replies      
Fed raising interest rates 0.25% and setting a goal of "normal" 2% by 2018 means little to nothing. Market already priced the minuscule rate hike in as the move was widely expected, and move did nothing to assure markets that the Fed is in control, or set credible, measurable goals for future hikes.

Fed can continue to push on the supply side of money at the bank/institutional level all it wants. We need the Federal government to stimulate aggregate demand at the consumer level. How? Investing tax dollars in a smarter manner. Not raising the interest paid out on short term bonds so that institutions are incentivized to keep even more money in bonds rather than putting them to work in the economy.

Monetary policy needs to work hand in hand w/ fiscal policy. I feel bad for the Fed...its decisions are largely restricted and inconsequential when gov spending is broken, yet it receives all the attention and the blame.

2
randomname2 5 days ago 4 replies      
Analysis from TD on how banks (Wells Fargo, US Bancorp, JPMorgan, M&T, PNC, Citi) rushed to hike the prime rate to 3.50%, and forgot to increase the deposit rate:

As CNBC reported [1], "a change in the federal funds rate will have no impact on the interest rates on existing fixed-rate mortgage and other fixed-rate consumer loans, a Wells Fargo representative told CNBC. Existing home equity lines of credit, credit cards and other consumer loans with variable interest rates tied to the prime rate will be impacted if the prime rate rises, the person said."

The good news: the rates on mortgages, auto loans or college tuition aren't expected to jump anytime soon, according to AP, although in time those will rise as well unless the long-end of the curve flattens even more than the 25 bps increase on the short end.

What about the other end of the question: the interest banks pay on deposits? Well, no rush there:

"We won't automatically change deposit rates because they aren't tied directly to the prime," a JPMorgan Chase spokesperson told CNBC. "We'll continue to monitor the market to make sure we stay competitive."

Bottom line: for those who carry a balance on their credit cards, their interest payment is about to increase. Meanwhile, those who have savings at US banks, please don't hold your breath to see any increase on the meager interest said deposits earn: after all banks are still flooded with about $2.5 trillion in excess reserves, which means that the last thing banks care about is being competitive when attracting deposits.

[1] http://www.cnbc.com/2015/12/16/wells-fargo-bank-announced-we...

3
chollida1 5 days ago 3 replies      
Nanex, an account that follows market micro-structure, had an interesting tweet that showed how the liquidity on 10 year Treasuries just dried up prior to the announcement.

https://twitter.com/nanexllc/status/677202959030083584

I'm surprised this story has gotten so many votes so fast. This rate hike was widely predicted, as intentionally as the fed could by law so that they don't impact the markets too much.

A lot of people think this is the first of a few small rate hikes we'll see in the next 12 months.

IMHO, this is good news for the US economy,

- it will help give the fed some wiggle room/ammunition to soften the fall when the next recession hits

- a slowly raising rate could stimulate the economy by convincing companies to spend now on large projects rather than wait, ditto for housing/consumers

Having said all that, keep in mind the rate hike is only 0.25% upping the overnight rate to 0.3% so this is likely to have an almost negligible impact on the every day consumer.

4
SeoxyS 5 days ago 6 replies      
This could have wide implications for the startup community. A lot of people think that the current really high late-stage startup valuations, and the money pouring into the seed stage is an effect of the low interest rates. With no way to get any decent yields with these rates; it incentivizes institutional money to chase returns in alternative investment classes.
5
noname123 5 days ago 1 reply      
Curious if anyone knows what is the average VC fund return for the time-span of 2010-2015 for the past five years?

Suppose the Fed plans to gradually raise interest rates to 2.0% to 2016 year's end; and with that corporate investment bonds, municipal bonds yield also rising to match and go beyond that baseline.

Then, how attractive would VC funds be for mutual and pension funds in relation to other investment alternatives: a) bonds, b) publicly-traded companies following general market trends, c) REITs, d) commodities and precious metals?

For comparison, major Internet IPO's since inception:

GRPN (-87.97%)

TWTR (-42.23%)

FB (+176.6%)

BABA (-10.02%)

ETF Tracking since ETF inception:

SOCL (ETF for Global X Social Media) (-38.8%) vs. SPY (+62.93%) vs.TLT (+1.85%);

FDN (ETF for DJIA Internet Fund, but distorted to contain established Internet companies; GOOG) (+267%) vs. SPY(+65.62%) vs. TLT (+44.18%)

6
downandout 5 days ago 2 replies      
This will have an impact on the flow of money to VCs, which will have an impact on the flow of burnable cash to unprofitable startups. No more $1.5 million rounds for apps like Yo [1] (the investor community should be embarrassed and horrified that this kind of thing was getting financed anyway).

Winter is indeed coming for those that don't have a business model, and that's a good thing.

[1] http://www.businessinsider.com/yo-raises-15-million-at-a-5-1...

7
lpage 5 days ago 1 reply      
This was very much in line with expectations, ergo the muted reaction in the markets. It's worth noting that the Fed used gradual in lieu of measured to describe the increase. Measured implies a steady series of increases (announced every few meetings until the target rate is reached) versus a gradual approach in which there's a long term number in mind but no strict mandate on getting there - a dovish tone.
8
myth_buster 5 days ago 2 replies      
Would this end up being the pivotal moment of this decade? There is already speculation of recession in the 12-18 month time frame[0] and the energy sector [1] is going downhill since April. I'm seeing some cities and suburbs expanding unlike anything in a while but how much of that could be sustained?

To word it differently, did the Fed blink or are the underlying indicators where they want it to be?

[0] Given the cyclic nature of recessions, we seem to have artificially delayed it a bit.

[1] https://www.google.com/finance?catid=us-TRBC%3A50&ei=jLpxVtG...

9
javiayala 5 days ago 7 replies      
Hi HN, can someone please explain what are the implications here for the average-Joe?
10
irln 5 days ago 1 reply      
It will also be interesting to see how much of the FED Assets [1] will need to be sold directly or indirectly in open market action to get to their target rate.

[1] http://www.federalreserve.gov/releases/h41/Current/

11
johnz133 5 days ago 2 replies      
It'll be interesting to see how this affects the lending models spawned from low interest rates.
12
huac 5 days ago 0 replies      
Markets predicting and 'pricing-in' Fed actions is not evidence that this rate hike is meaningless.

But if you want to feel pessimistic about the hike, here's the corresponding Zerohedge 'article': http://www.zerohedge.com/news/2015-12-16/fed-hikes-rates-unl...

13
nkassis 5 days ago 0 replies      
I was thinking about this earlier and I have a question about inflation. Could increasing the interest rate cause inflation to rise a bit in the near term?

My reasoning for this is that given that banks were borrowing at near zero, could they have had no real reason to put all the borrowed money to work since it wasn't costing them anything to hold it in reserve for later when the rates did increase? Now that the rates are increasing would they not have to use the money a bit to ensure they stay ahead of the interest rates. I was also thinking that there is a threshold at which banks wouldn't have any more money that is just sitting there and having to borrow at higher rates reduces their demand for new funds from the fed thus undoing this initial effect to the hike.

Hopefully this isn't completely naive. Please let me know if I'm misunderstanding how the fed and banks relationship works.

14
jayess 5 days ago 0 replies      
Markets are cheering central planning and price fixing. Yay!
15
seansmccullough 5 days ago 1 reply      
Finally! In 2-3 years bonds will actually yield something.
16
narrator 5 days ago 1 reply      
What is this going to do to interest payments on the national debt? Will this put a squeeze on spending? Cause tax increases? Or will it be business as usual and the fed buy as many bonds as needed?

In the latter case, I think that will cause inflation to pick up unless we can export it all out the trade deficit.

17
randyrand 5 days ago 0 replies      
So this helps people with savings in certain types of investments, right?
18
daodedickinson 5 days ago 0 replies      
Need is the construction of the world order; satiety is the universal conflagration. (Kahn translating Heraclitus) If you want to stoke consumer demand in a country where the poor have massive televisions and cable, maybe notch up the bullying of people wearing cheaper brands and carrying fake designer brands and charge 30 grand for VR headsets but advertise them during the Super Bowl? I dunno. I've never even had a real job and there aren't any gadgets I want and I want to get more crap out of my house than I want to add. Elite schooling for hypothetical kids I'll probably never have is the only big ticket purchase I can seem to summon strong desire for.
19
enahs-sf 5 days ago 1 reply      
Does this mean that buying a home in San Francisco, where 1/4 of the homes sold are all cash, just got a little bit more difficult?
20
marcusgarvey 5 days ago 0 replies      
Keep an eye on emerging market bonds and high-yield bonds. The latter was already looking a little shaky prior to today.
21
carsongross 5 days ago 0 replies      
To modify Andrew Jackson: "The Fed has raised its funds rate; now let's see them enforce it."
22
panglott 5 days ago 1 reply      
Why can't we just have a boom?
23
peignoir 5 days ago 0 replies      
making some reserves for the next crisis?
24
joe-mccann 5 days ago 1 reply      
Sell volatility (VIX)
25
chad_strategic 5 days ago 1 reply      
Unicorns can't exist in ZIRP. (Zero Interest Rate Policy)
26
gotchange 5 days ago 1 reply      
Fed => Wall St. Bankers => Private Equity/Venture Capital => Silicon Valley => Start-ups (disruption in labor market & layoffs) => leaner corporations and more profits $$$ => Wall St. Bankers => PE/VC ad infinitum

You get the picture by now where the Fed's loyalty lies in this reverse Robin Hood wealth redistribution scheme. Isn't capitalism wonderful?

Move Fast and Fix Things githubengineering.com
537 points by samlambert  6 days ago   90 comments top 20
1
jerf 6 days ago 8 replies      
I'll highlight something I've learned in both succeeding and failing at this metric: When rewriting something, you should generally strive for a drop-in replacement that does the same thing, in some cases, even matching bug-for-bug, or, as in the article, taking a very close look at the new vs. the old bugs.

It's tempting to throw away the old thing and write a brand new bright shiny thing with a new API and a new data models and generally NEW ALL THE THINGS!, but that is a high-risk approach that is usually without correspondingly high payoffs. The closer you can get to drop-in replacement, the happier you will be. You can then separate the risks of deployment vs. the new shiny features/bug fixes you want to deploy, and since risks tend to multiply rather than add, anything you can do to cut risks into two halves is still almost always a big win even if the "total risk" is still in some sense the same.

Took me a lot of years to learn this. (Currently paying for the fact that I just sorta failed to do a correct drop-in replacement because I was drop-in replacing a system with no test coverage, official semantics, or even necessarily agreement by all consumers what it was and how it works, let alone how it should work.)

2
cantlin 6 days ago 2 replies      
The strategy of proxying real usage to a second code path is incredibly effective. For months before the relaunch of theguardian.com, we ran traffic to the old site against the new stack to understand how it could be expected to perform in the real world. Later of course we moved real users, as incrementally as we possibly could.

The hardest risk to mitigate is that users just won't like your new thing. But taking bugs and performance bottlenecks out of the picture ahead of time certainly ups your chances.

3
mwcampbell 6 days ago 3 replies      
This is tangential, but given the increasing functionality and maturity of libgit2, I wonder if it would yet be feasible to replace the Git command-line program with a new one based on libgit2, and written to be as portable as libgit2. Then there would be just one Git implementation, across the command line, GUIs, and web-based services like GitHub. Also, the new CLI could run natively on Windows, without MSYS.
4
rcthompson 6 days ago 2 replies      
How does Scientist work with code that produces side effects? In the example, presumably both the new and old each create a merge commit. Maybe these two merge commits are done in in-memory copies of the repo so that the test result can just be discarded, but what about in the general case where a function produces an output file or some other external effect?
5
smg 6 days ago 5 replies      
I am trying to understand why the new merge method needed to be tested online via experiment. Both correctness and performance of the new merge method could have been tested offline working with snapshots (backups) of repos. Could a github engineer shed more light here?
6
clebio 6 days ago 0 replies      
Seems like the biggest takeaway is "have good tooling and instrumentation". I'm working with a complicated legacy production system, trying to rebuild pieces of it, and we have little or no instrumentation. Even _introducing_ such tooling is a potentially breaking change to production systems. Ach schade.
7
daveguy 6 days ago 0 replies      
Very cool. I like this parallel execution of the original version and the update with comparisons between the two. They use a ruby package developed in house that has been made open source, Scientist. Does anyone know if there is a similar type of package for python (preferably 2.7) development? It seems like an interesting area in between unit tests and A/B tests.
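The pattern described in the comment above (run the old and the new code path on the same input, compare, keep serving the old result), sketched in Python 3 as an added example that is not part of the thread and is not Scientist's API. The `Experiment` class, the two slug functions and the sample titles are constructed for illustration, and both code paths are assumed to be free of side effects.

```python
import time


class Experiment:
    """Run a trusted control and an untested candidate on the same input."""

    def __init__(self, name, control, candidate, compare=None):
        self.name = name
        self.control = control
        self.candidate = candidate
        self.compare = compare or (lambda a, b: a == b)
        self.mismatches = []  # one dict per input where the two paths disagreed

    @staticmethod
    def _observe(func, args):
        """Call func, capturing its value or exception and its duration."""
        start = time.perf_counter()
        try:
            value, error = func(*args), None
        except Exception as exc:  # the candidate must never break the caller
            value, error = None, exc
        return value, error, time.perf_counter() - start

    def run(self, *args):
        c_val, c_err, c_secs = self._observe(self.control, args)
        n_val, n_err, n_secs = self._observe(self.candidate, args)

        if c_err is None and n_err is None:
            same = self.compare(c_val, n_val)
        else:
            # Raising the same exception type counts as matching behaviour.
            same = type(c_err) is type(n_err)

        if not same:
            self.mismatches.append({
                "args": args,
                "control": c_val,
                "candidate": n_val,
                "candidate_error": repr(n_err) if n_err else None,
                "control_secs": c_secs,
                "candidate_secs": n_secs,
            })

        # The caller only ever sees the control's behaviour.
        if c_err is not None:
            raise c_err
        return c_val


def legacy_slug(title):
    """Old code path: keeps one '-' per space, so double spaces give '--'."""
    return title.strip().lower().replace(" ", "-")


def new_slug(title):
    """Rewrite: collapses whitespace and rejects empty titles."""
    words = title.lower().split()
    if not words:
        raise ValueError("empty title")
    return "-".join(words)


# Constructed sample input standing in for real traffic.
SAMPLE_TITLES = ["Hello World", "  Trim me ", "double  space", ""]


def demo():
    exp = Experiment("slug-rewrite", legacy_slug, new_slug)
    results = [exp.run(t) for t in SAMPLE_TITLES]
    return results, exp.mismatches


if __name__ == "__main__":
    results, mismatches = demo()
    print(results)
    for m in mismatches:
        print(m["args"], m["control"], m["candidate"], m["candidate_error"])
```

Both paths run one after the other here, so each call costs the sum of the two runtimes; the recorded timings show how much the candidate adds.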
8
eric_h 6 days ago 1 reply      
> Finally, we removed the old implementation which frankly is the most gratifying part of this whole process.

On average, I get much more satisfaction from removing code than I do from adding new code. Admittedly, on occasion I'm very satisfied with new code, but on average, it's the removing that wins my heart.

9
_yosefk 6 days ago 0 replies      
TIL that github used to merge files differently than git because it used its own merge implementation based on git's code, to make it work on bare repos. Showcases a benefit of open formats and open source, showcases a downside as well (I'd never guess it might merge differently.)

It's a good thing nobody contributes to my github repos since no one had the chance to run into the issue...

10
danielsamuels 6 days ago 1 reply      
I wish they would add the ability to fast-forward merge from pull requests. I know many large projects (including Django) accept pull requests but don't merge them on Github simply because of the mess it makes of the history.
11
nod 6 days ago 1 reply      
This is inspiring reading. One may not actually need the ability to deploy 60 times a day in order to refactor and experiment this effectively, but it's clearly a culture that will keep velocity high for the long-term.
12
netghost 6 days ago 2 replies      
For operations that don't have any side effects, I can definitely see how you could use the Science library.

I'm curious though if there are any strategies folks use for experiments that do have side effects like updating a database or modifying files on disk.

13
blt 6 days ago 0 replies      
Github sounds like a great place to work.
14
abritishguy 6 days ago 2 replies      
Wow, strange that people weren't reporting these merge issues when they were clearly impacting people.
15
__jal 6 days ago 0 replies      
Nothing really to contribute or ask, other than to say that I really enjoyed the writeup. Although I have nothing coming up that would use the code, the new library sounds really neat. Kudos!
16
dlib 6 days ago 0 replies      
Very interesting, definitely gonna try this out as I have seen similar use-cases.

Any chance Github is at any time going to show the specific merge-conflicts for a PR that cannot be merged?

17
openfuture 5 days ago 0 replies      
Humans will always reverberate around truths like this.

The emphasis shift on breaking vs fixing looks like a good example of how fashion trends in tech create artificial struggles that help new people understand the "boundaries" of $things.

Fashion's like a tool for teaching via discussion

Edit: I'm just commenting on what I perceive as a fashionable title not the article.

18
jcchee88 6 days ago 2 replies      
When running with Scientist enabled, doesn't that mean you will add both the runtime of the old/new implementation instead of just one implementation?

I could see this being ok in most cases where speed is not a concern, but I wonder what we can do if we do care about speed?

19
cmrx64 6 days ago 4 replies      
Does anyone know what an "O(n) issue" is? I can think of a few possible meanings in the usage here, but I've never heard it before and they all seem wrong.
20
yarrel 6 days ago 0 replies      
The word "debt" is not just a financial term. There are debts of gratitude, debts to society, debts of honour, and so there are also technical debts.

Objecting to the name "technical debt" on the basis that it is not the correct financial use of the term is like objecting to the name "work day" on the basis that it isn't measured in joules. It's a category error.

Netflix socks detect when you've dozed off and pause your TV show netflix.com
446 points by ChrisArchitect  5 days ago   190 comments top 36
1
floatrock 5 days ago 8 replies      
I RTFA, I know this is an arduino-based DIY hobby project. But if something like this ever comes out for real, the ability to doze off and pause your TV show will be a trojan horse...

You've seen those charts where people use their smart watch to record their heart rate during the game of thrones finale? (No? Here you go: http://blogs.wsj.com/digits/2015/08/13/what-game-of-thrones-... )

Sure, downloading the Netflix pause-your-stream-when-you-fall-asleep app is comfortable, but it also provides a treasure trove of audience response data. Forget focus groups, now you have the real-time emotional response of many thousands of people A/B testing your original content in real environments.

And this ain't old-media Nielson, this is biggest-user-of-AWS technology-first Netflix.

2
bpicolo 5 days ago 6 replies      
I'm mostly sad that Netflix detects nothing and pauses my show anyway after a couple episodes. : (
3
JeffreyKaine 5 days ago 4 replies      
But let's be serious here... WHO WEARS SOCKS TO BED?!
4
entilzha 5 days ago 1 reply      
My cheap/effective solution is doing a

 $ sleep x && pkill Chrome
if I think I might fall asleep after x seconds.

5
cafard 5 days ago 0 replies      
In Thomas Pynchon's novel V, there is a fellow who has a switch on his skin that detects whether or not he is awake (by the resistance? I forget), and so controls the TV. Judging by the Wikipedia article, this is Fergus Mizolydian; I don't have a copy lying around the office.
6
OJFord 5 days ago 0 replies      
By IR? So this is for 'smart TV's' or bluray players etc. with Netflix on them - and those with IR.

Hmm. I was too hopeful for a Sock API.

7
emerongi 5 days ago 2 replies      
Instead of flashing an LED, the socks could warm up. That way, if the socks start getting warm and you're still awake, you can react to that, but if you're asleep, your feetsies will be nice and warm.

But this would be hard as a DIY project.

8
cwt 5 days ago 1 reply      
Most of the people I know who watch Netflix at night want it to keep playing after they fall asleep.
9
matt_heimer 5 days ago 0 replies      
The website, http://makeit.netflix.com/ asks for us to submit our own ideas. Most of the things I think would be cool to do with Netflix involve having some form of API access to its catalog or apps. IR socks are not Netflix socks.
10
dheera 5 days ago 0 replies      
I suspect something more accessible to the general public could be done with the heart rate sensors and accelerometers already in Android watches, Apple watches, and Fitbits.
11
11thEarlOfMar 5 days ago 1 reply      
I thought NFLX was up today due to the Fed raise. Glad to know it was the socks.
12
ubercow 5 days ago 1 reply      
Was sad to read that there's nothing Netflix specific here. The hidden requirement is your box running Netflix has to support receiving IR signals.

For example, I use an Xbox One, which to my knowledge doesn't have an IR receiver.

13
CaseyM 5 days ago 5 replies      
What about socks for truck drivers to detect if they are dozing? Have them set off a phone alarm, etc. Better yet, can FitBit, etc. detect dozing and use the vibrating alarm to alert?
14
emeraldd 5 days ago 1 reply      
Ok ... so how do you wash them without blowing the electronics?
15
pingou 5 days ago 4 replies      
It's cute, but is it a joke or something more serious ?

I don't see any use for it, except perhaps saving bandwidth.

Surely it must take some time for the device to find out that you're actually sleeping, then you anyway have to rewind back to the point you stopped watching, so I don't think it makes a big difference to go 10 minutes or 1 hour back.

16
Animats 5 days ago 1 reply      
Aren't there systems for that already? Vizio's connected TV watches you, with a camera. Kinect watches you, with cameras and LIDAR.

Orwell saw this coming. Winston Smith watches his exercise program: "6079 Smith W! Bend lower! You're not trying."

17
njharman 5 days ago 1 reply      
I thought title meant some socket library or socks proxy? Came here to mention how, out of context, people would be confused wondering what Netflix foot underwear has to do with networking.

Only to realize I was the fool. ;)

18
Zekio 5 days ago 1 reply      
This is pretty damn awesome!
19
potassiumk 5 days ago 0 replies      
lazy-ass first world problems

Good lord, what hackers have become...
20
TeMPOraL 5 days ago 0 replies      
They refer to the method used as "actigraphy", which apparently is commonly done with wrist-watch packages. Sounds like an idea for a Pebble watchapp!

[0] - https://en.wikipedia.org/wiki/Actigraphy

21
schwap 5 days ago 0 replies      
Maybe netflix could consider partnering with SparkFun for some of this stuff... the colours even match already.
22
ljw1001 5 days ago 0 replies      
Who says Silicon Valley isn't solving the really important problems any more.
23
pla3rhat3r 4 days ago 1 reply      
I'm more afraid if it knows I'm doing something else.
24
peterwwillis 5 days ago 0 replies      
This is clearly overengineering. All you need to do is hack your kinect to look for eyeballs; no eyeballs for a minute? Pause the show.

Might not work if you have cats.

25
jchendy 5 days ago 0 replies      
Are these instructions thorough enough for somebody with no hardware experience? How long might this project take for such a person?
26
fmax30 4 days ago 0 replies      
Quick Question: Who is responsible if the battery blows up and you have burns on your foot ?
27
marshray 5 days ago 1 reply      
I found this part rather ominous:

However, there are ways to increase your socks accuracy. More on this later.

28
mesozoic 5 days ago 0 replies      
Great invention for narcoleptics.
29
pknerd 5 days ago 0 replies      
For a moment sounded like an April fool joke
30
kbart 4 days ago 0 replies      
Wait, this isn't a joke?
31
whacker 5 days ago 0 replies      
webcam + motion detection would be a way to do this without additional hardware.
32
markm248 5 days ago 0 replies      
Your move Slack.
33
potassiumk 5 days ago 0 replies      
first world problems....
34
idop 5 days ago 0 replies      
Featuring auto pause and nail fungus.
35
joncp 5 days ago 1 reply      
Or Netflix could just prompt the viewer to continue to the next episode.

...but then they wouldn't be able to sell you special socks.

36
anonymfus 5 days ago 4 replies      
Please don't use Netflix and other paid streaming services. By doing this you support Digital Restrictions Management development and finance copyright lobby.

https://stallman.org/netflix.html

If you want to watch their shows too much, download them illegally via file sharing services. They can arrest a very limited number of people, and by engaging in such activity you lower other people's chances to be persecuted.

Martin Shkreli Arrested on Securities Fraud Charges bloomberg.com
379 points by choult  4 days ago   290 comments top 33
1
dang 4 days ago 1 reply      
The curiosity being gratified here cannot remotely be called "intellectual".

https://news.ycombinator.com/newsguidelines.html

2
gizmo 4 days ago 16 replies      
It was alleged that Martin Shkreli harassed an ex-employee, including spouse and their children. Quoted: "I will see you and your children homeless"[1], in a sworn affidavit.

Although Shkreli never explicitly denied it, he had implied the accusations were false. Until yesterday, where he bragged about it during an interview with DX:

 I'm definitely the real fucking deal. This is not a fucking act. I threatened that fucking guy and his fucking kids because he fucking took $3 million from me and he ended up paying me back. He called my bluff. He said, "You're not fucking going to go after me." [I said] "Yes I motherfucking will." I had two guys parked outside of his house for six months watching his every fucking move. I can get down. I don't think RZA knows that. I think he thinks I'm some powder puff white guy CEO that's got too much money. No. No, no, no.

Not the kind of behavior you'd expect from the CEO of a publicly traded company.

[1] http://mic.com/articles/125657/turing-ceo-martin-shkreli-wan...

[2] http://hiphopdx.com/interviews/id.2825/title.martin-shkreli-...

3
bedhead 4 days ago 9 replies      
Quick reminder that he was arrested for SECURITIES fraud - this isn't related to drug prices. Feel free to read the lawsuit filed against him by his former company to understand why Martin got arrested.

The guy is a pure sociopath. I had long ago predicted this day would come and it's quite nice to see. Will be happier when he's convicted and sentenced.

http://www.sec.gov/Archives/edgar/data/1438533/0001193125152...

4
jacquesm 4 days ago 5 replies      
Shkreli is a total asshole but let's not forget that large pharmaceutical companies use the exact same strategies on many drugs only with prices lowered just enough to stay this side of outrage. Life is 'priceless' and people will pay anything to extend their lives so if all that stands between you and the grim reaper is a patented molecule you can bet that that molecule is an expensive one. Whatever the market will bear is not always something reasonable.
5
patorjk 4 days ago 1 reply      
Given this guy's character, it's not too surprising. Not only is he greedy, but he seems to take a lot of joy in trolling people. If you look at his twitter feed, he gushes about buying the only copy of Wu Tang's previous album and talks about putting holes in the discographies of other artists. Last week he had a public poll about who he should solicit for a private album. It seems like he takes a lot of glee in riling people up.
6
nomercy400 4 days ago 1 reply      
Convenient.

To have the guy that abused the system to such extremes that the people and media noticed it, pressuring government to regulate, be taken into custody for something unrelated to this. As if they couldn't have found this a year ago.

It really sounds like "let's find some dirt on this guy".

7
aikah 4 days ago 2 replies      
> Prosecutors charged him with illegally taking stock from Retrophin Inc., a biotechnology firm he started in 2011, and using it pay off debts from unrelated business dealings. He was later ousted from the company, where he'd been chief executive officer, and sued by its board.
8
brudgers 4 days ago 1 reply      
We're not meant to cheer this as a win for financial fair play. It's meant to evoke our self-righteousness. It's prosecutorial discretion with the same logic that this community decries when applied to other people whose violations of law or social mores we find more sympathetic.
9
sergiotapia 4 days ago 1 reply      
He was live streaming last night on YouTube from some hotel. Even gave out his cellphone number and was taking questions about investing and whatnot. Was he arrested this morning? He was streaming at around 3am, 5 hours ago.

https://www.youtube.com/watch?v=I-4D6yj-cR4

10
dnautics 4 days ago 1 reply      
am I the only one bothered by this? As a bit of a disclaimer, I am disgusted by what Shkreli is doing in the pharma business (if anyone doubts this, I run a nonprofit dedicated to the opposite of what he's doing).

But what it says is that the SEC is motivated by sometimes petty reasons to go after people that are indirectly related to actual commission of SEC violation. Which of course, every CEO makes pretty much every business day. If the SEC were neutral, why didn't they find and eliminate Shkreli before social media got all hot to trot on hating him? The SEC is basically saying, well, he's unpopular, we have the power to take him out, let's do it.

Something about that seems wrong to me.

11
wanda 4 days ago 1 reply      
What kind of person would think that they could get away with such blatant extortion and embezzlement? In this day and age?
12
mtalantikite 4 days ago 0 replies      
Hopefully this makes Bill Murray's job a lot easier: http://www.theverge.com/2015/12/11/9890908/rza-bill-murray-w...
13
genieyclo 4 days ago 0 replies      
And just yesterday he was about to bail out Bobby Shmurda from jail for $2 million.

http://hiphopdx.com/interviews/id.2825/title.martin-shkreli-...

14
DominikR 4 days ago 0 replies      
I agree that if the allegations are true, Martin Shkreli is an immoral person to say the least, but I wonder about one thing:

The whole conduct of the prosecutors doesn't look impartial to me. It seems as if someone was vilified by the media and next thing you know he is arrested and charged with fraud in an unrelated case.

As if this was still a society where you had to slaughter the occasional sacrificial lamb to appease the anger of the people.

15
meesterdude 4 days ago 1 reply      
Best news of the day! Glad that little dipshit has some justice coming his way. But let's not forget, there are many, many more people just like him
16
zghst 4 days ago 0 replies      
Pretty sure some Feds were looking to pin him after his story broke earlier this year. Protip: Be a quiet or unknown capitalist oppressor
17
AKifer 4 days ago 1 reply      
The price of flying too high, there's a reason big pharma executives rarely show in the front media.
18
padseeker 4 days ago 1 reply      
How will his arrest affect the price of the drug? That is really the only thing I care about.
19
powertower 4 days ago 0 replies      
If you want to see what he does in his spare time - https://www.youtube.com/channel/UC8gjB1PSXv_oAUSAQ16S0fA
20
ehosca 4 days ago 0 replies      
when is he running for president?
21
MrZongle2 4 days ago 0 replies      
"The password is...schadenfreude".
22
jaboutboul 4 days ago 0 replies      
They only arrested him because he was about to bail out Bobby Shmurda and the feds don't want Bobby Shmurda out.
23
talideon 4 days ago 0 replies      
Couldn't happen to a nicer guy.
24
ninjakeyboard 4 days ago 0 replies      
Wait, so he bought a million dollar record and then stole money that he gouged sick people for to pay it off? If he just kept the drugs at the same price and didn't buy the record the world would be a better place and he wouldn't be going to jail. I thought he said he did the price gouging for the shareholders, not for WuTang.
25
toxoid 4 days ago 0 replies      
I wonder if he will be able to afford Daraprim when he gets out of jail...
26
MrPatan 4 days ago 0 replies      
Couldn't have happened to a nicer chap.
27
adamsea 4 days ago 0 replies      
What goes around comes around
28
jacquesm 4 days ago 0 replies      
That conclusion seems to be un-warranted from the information presented here.
29
gotchange 4 days ago 3 replies      
What do they say about karma?
30
BrandonBradley 4 days ago 0 replies      
I hope Wu-Tang and/or Bill Murray make a move. Right now!
31
alistproducer2 4 days ago 1 reply      
I started a GoFundMe to support Martin. Please donate so we can keep him stocked with Vaseline while he's doing time in federal prison.
32
SwellJoe 4 days ago 0 replies      
This guy seems more and more like a comic book villain every day. The next step, I suppose, is when he's sentenced to spend eleven days in a minimum security prison and he falls into a vat of industrial chemicals while working in the laundry. It turns him even whiter and he takes on a silly name, and disappears into the night, embarking on a spree of ne'er-do-wellery.

Then again, he's already screwed over a lot more people as CEO of a pharmaceutical company than he probably could as a super villain. It takes the efficiency of capitalism to achieve real evil, I guess.

33
bko 4 days ago 10 replies      
I don't know the details of this particular case but whenever I see a very public figure arrested, no matter how reviled, I grow a bit concerned. Despite being sleazy and unethical, his raising of drug prices was not against the law. Financial law was written purposely vague such that it can be used as a hammer to arrest those who dissent from the will of those in power.

Yulia Tymoshenko, former prime minister of Ukraine was convicted of "embezzlement and abuse of power". Julian Assange, editor-in-chief of Wikileaks is facing extradition. Elliot Spitzer, former attorney general, was ousted from power due to a prostitution scandal that appeared targeted.

Whatever you think about US health care and drug prices, we should not rely on a system that requires individual actors to be good people. We should strive for a system that does not require moral actors to function.

Of course I could be wrong. Shkreli arrest could be legit and be purely coincidental to the outrage that he has drawn.

Why Python 3 Exists snarky.ca
415 points by cocoflunchy  4 days ago   262 comments top 21
1
andrewstuart 4 days ago 11 replies      
IMO one of the reasons for all the angst is that .encode() and .decode() are so ambiguous and unintuitive which makes them incredibly confusing to use. Which direction are you converting? From what to what? The whole unicode thing is hard enough to understand without Python's encoding and decoding functions adding to the mystery. I still have to refer to the documentation to make sure I'm encoding or decoding as expected.

I think there would have been much less of a problem if encode and decode were far more obvious, unambiguous and intuitive to use. Probably without there being two functions.

Still a problem of course today.

2
danso 4 days ago 3 replies      
> We have decided as a team that a change as big as unicode/str/bytes will never happen so abruptly again. When we started Python 3 we thought/hoped that the community would do what Python did and do one last feature release supporting Python 2 and then cut over to Python 3 development for feature development while doing bugfix releases only for the Python 2 version.

I'm guessing it's not a coincidence that string encoding was also behind the Great Sadness of Moving From Ruby 1.8 to 1.9. How have other mainstream languages made this jump, if it was needed, and were they able to do it in a non-breaking way?

https://news.ycombinator.com/item?id=1162122

3
Animats 4 days ago 1 reply      
Unicode worked just fine by Python 2.6. I had a whole system with a web crawler and HTML parsers which did everything in Unicode internally. You had to use "unicode()" instead of "str()" in many places, but that wasn't a serious problem.

By Python 2.7, there were types "unicode", "str", and "bytes". That made sense. "str" and "bytes" were still the same thing, for backwards compatibility, but it was clear where things were going. The next step seemed to be a hard break between "str" and "bytes", where "str" would be limited to 0..127 ASCII values. Binary I/O would then return "bytes", which could be decoded into "unicode" or "str" when required. So there was a clear migration path forward.

Python 3 dumped in a whole bunch of incompatible changes that had nothing to do with Unicode, which is why there's still more Python 2 running than Python 3. It was Python's Perl 6 moment.

From the article: "Obviously it will take decades to see if Python 3 code in the world outstrips Python 2 code in terms of lines of code." Right. Seven years in, Python 2.x still has far more use than Python 3. About a year ago, I converted a moderately large system from Python 2 to Python 3, and it took about a month of pain. Not because of the language changes, but because the third-party packages for Python 3 were so buggy. I should not have been the one to discover that the Python connector for MySQL/MariaDB could not do a "LOAD DATA LOCAL" of a large data set. Clearly, no one had ever used that code in production.

One of the big problems with Python and its developers is that the core developers take the position that the quality of third party packages is someone else's problem. Python doesn't even have a third party package repository - PyPI is a link farm of links to packages elsewhere. You can't file a bug report or submit a patch through it. Perl's CPAN is a repository with quality control, bug reporting, and Q/A. Go has good libraries for most server-side tasks, mostly written at Google or used at Google, so you know they've been exercised on lots of data.

That "build it and they will convert" attitude and the growth of alternatives to Python is what killed Python 3.

4
tzs 4 days ago 2 replies      
In the Reddit discussion of this, someone linked to this criticism [1] of Python 3's Unicode handling written by Armin Ronacher, author of the Flask framework.

I am not competent to say whether this is spot on or rubbish or somewhere in between [2], but it seemed interesting at least.

[1] http://lucumr.pocoo.org/2014/5/12/everything-about-unicode/

[2] Almost all of my Python 2 experience is in homework assignments in MOOCs for problems where there was no need to care about whether strings were ASCII, UTF-8, binary, or something else. My Python 3 experience is a handful of small scripts in environments where everything was ASCII.

5
rkrzr 4 days ago 2 replies      
IMO the biggest reason to use Python3 is its concurrency support via async + await.

Fixing the unicode mess is nice too of course, but you can get most of the benefits in Python2 as well, by simply putting this at the top of all of your source files:

from __future__ import unicode_literals

Also make sure to decode all data from the outside as early as possible and only encode it again when it goes back to disk or the network etc.
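The advice above (decode early, work on text, encode late), together with the encode/decode direction question raised in comment 1, as an added Python 3 example that is not part of the thread. The sample byte strings and function names are constructed for illustration; the third sample line is deliberately Latin-1 so the strict UTF-8 decode fails.

```python
"""Decode at the boundary, work on str, encode on the way out (Python 3)."""

# Constructed sample input: bytes as they would arrive from a file or socket.
RAW_LINES = [
    b"name=Zo\xc3\xab\n",   # "Zoe" with a diaeresis, UTF-8
    b"city=K\xc3\xb6ln\n",  # "Koln" with an umlaut, UTF-8
    b"note=caf\xe9\n",      # Latin-1 byte 0xE9, not valid UTF-8
]


def decode_line(raw, encoding="utf-8"):
    """bytes -> str. decode() always goes from bytes to text."""
    try:
        return raw.decode(encoding)
    except UnicodeDecodeError:
        # Keep undecodable bytes as lone surrogates so that they survive
        # a round trip instead of being dropped or replaced.
        return raw.decode(encoding, errors="surrogateescape")


def parse(raw_lines):
    """Decode once at the edge; everything after this point is str."""
    record = {}
    for raw in raw_lines:
        text = decode_line(raw).rstrip("\n")
        key, _, value = text.partition("=")
        record[key] = value
    return record


def serialize(record, encoding="utf-8"):
    """str -> bytes. encode() always goes from text to bytes."""
    out = []
    for key, value in record.items():
        line = f"{key}={value.upper()}\n"  # a text operation, done on str
        out.append(line.encode(encoding, errors="surrogateescape"))
    return out


def lengths(raw):
    """Byte count versus character count for the same data."""
    return len(raw), len(raw.decode("utf-8"))


def mixing_raises():
    """Python 3 refuses to combine str and bytes implicitly."""
    text, raw = "name=", b"Zo\xc3\xab"
    try:
        text + raw
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    record = parse(RAW_LINES)
    print(record)
    print(serialize(record))
    print(lengths(b"Zo\xc3\xab"), mixing_raises())
```

Length limits, comparisons and case changes applied to the raw bytes would count or alter bytes rather than characters, which is why the checks belong after `decode_line`.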

6
BuckRogers 4 days ago 2 replies      
I chose to port from CPython2 to PyPy4, rather than to CPython3. It just made more sense. I for one see no value in Python3 (unicode has been supported since 2.6). My reasons for migrating to PyPy4 instead of Python3-

1) It was easier than porting to CP3.

2) It gave me a tangible benefit by removing all CPU performance worries once and for all. Added "performance" as a feature for Python. Worth the testing involved.

3) It removed the GIL. If you use PyPy4 STM, which is currently a separate JIT. Which will be at some point merged back into PyPy4.

So for me, Python3 can't possibly compete, and likely never will with PyPy4 once you consider the performance and existing code that runs with it. PyPy3 is old, beta, not production-ready, based on 3.2 and Py3 is moving so fast I don't think PyPy3 would be able to keep up if they tried.

Python3 is dead to me. There's not enough value for a new language. I'm not worried about library support because Py2 is still bigger than 3 and 2.7 will be supported by 3rd party libraries for a very long time else choose irrelevance (Python3 was released in 2008, and still struggling to justify its existence...). My views on the language changes themselves are stated much better by Mark Lutz[0]. I'm more likely to leave Python entirely for a new platform than I am to migrate to Python3.

PyPy is the future of Python. If the PyPy team announces within the next 5 years they're taking the mantle of Python2, that would be the nail in the coffin. All they have to do is sit back and backport whatever features the Python2/PyPy4 community wants into PyPy4 from CPython3 as those guys run off with their experiments bloating their language. I believe it's all desperation, throwing any feature against the wall. Yet doing irreparable harm bloating the language, making the famous "beginner friendly" language the exact opposite.

I already consider myself a PyPy4 programmer, so I hope they make it an official language to match the implementation. There's also Pyston to keep an eye on which is also effectively 2.x only at this time.

[0] http://learning-python.com/books/python-changes-2014-plus.ht...

7
rdslw 4 days ago 4 replies      
I love when people with native english skills write monsters like this: "If people's hopes of coding bug-free code in Python 2 actually panned out then I wouldn't consistently hear from basically every person who ports their project to Python 3 that they found latent bugs in their code regarding encoding and decoding of text and binary data."

This should be under penalty ;)

Anyone to divide it into few simpler sentences?

UPDATE: And another one from our connected sentences loving author: "We assumed that more code would be written in Python 3 than in Python 2 over a long-enough time frame assuming we didn't botch Python 3 as it would last longer than Python 2 and be used more once Python 2.7 was only used for legacy projects and not new ones."

8
Scarbutt 4 days ago 7 replies      
Since python3 is not backwards compatible with python2, why didn't the python devs leverage the opportunity for creating a more performant non-GIL runtime for python3?
9
nulltype 3 days ago 0 replies      
So Python 2 did not have super obvious string handling. One of the odd things that they seemingly could have fixed pretty easily is to change the default encoding from 'ascii' to 'utf8'. That would have fixed a bunch of the UnicodeDecodeErrors that were the most obvious problem with strings: http://www.ianbicking.org/illusive-setdefaultencoding.html

If they had to make Python 3 anyway, I think the main thing they were missing is that they should have added a JIT. That makes upgrading to Python 3 a much easier argument. If the only point of the JIT was to add a selling point to Python 3, that probably would have been worth it.

10
collinmanderson 4 days ago 0 replies      
It seems to me if bytes/unicode was the only breaking change we would probably be over the transition by now.

There are a lot of other subtle changes that makes the transition harder: comparison changes and keys() being an iterator for example. These are good long term changes, but I wish they weren't bundled in with the bytes/unicode changes.

11
diimdeep 4 days ago 2 replies      
Str is tip of the iceberg. Python before 2.7 and current Python is completely different language semantically; methods, functions, statements, expressions, Global interpreter lock behavior.. This is sad that this blog post and discussions around it didn't mention anything about it.
12
cft 4 days ago 0 replies      
We migrated to Go from Python 2, since instead of incompatible Python 3 we needed faster Python 2 replacement.
13
PythonicAlpha 4 days ago 1 reply      
The reason, I still did not port to Python 3:

(and yes, Unicode in Py2 is a mess ...)

They just broke too many things (unnecessarily!) internally. Particularly they changed many C APIs for enhancement modules, so that all of them had to be ported, before they could be used with Python 3. They did not even consider a portability layer ... why not??

Some (not all) of the bad decisions (like the u"..." strings) they did change afterwards, but then it was a little late.

So many modules are still not ported to Python 3 -- so the hurdle is a little too high -- for small to nil benefits!

So, the problem (from my side) is not Unicode at all ... just the lack of reasonable support from the deciders side.

---

Maybe, some time later, when I have too much spare time.

14
henrik_w 4 days ago 0 replies      
This is a pretty good explanation of unicode in Python: http://nedbatchelder.com/text/unipain.html
15
euske 4 days ago 0 replies      
I like Python3 personally. It's new and better but a different branch. I'm annoyed by people abbreviating it as "Python" and treating it as a substitute for Python2. In my opinion, the "Python" name should be exclusively used for Python2, and Python3 should've been always used as one word. The whole Python3 situation caused unnecessary confusion to the outside (non-Python) people, which I think could be avoided.
16
makecheck 4 days ago 0 replies      
Since I'm trying to keep a small footprint, I rely on the system version of Python on Mac OS X, which is 2.7.10 now.

To use anything newer, I'd have to ask users to install a different interpreter, or bundle a particular version that adds bloat. There's no point. The most I've done is to import a few things from __future__; otherwise, my interest in Python 3 begins when Apple installs it.

17
echlebek 4 days ago 1 reply      
The Go authors have solved this problem thoroughly. When working in Go, I usually never have to think about this.

https://blog.golang.org/strings

18
niels_olson 4 days ago 1 reply      
How long is the transition going to take? Serious question. Because I'm rather tired of starting new work and finding some module that drags me back to 2.x.
19
onesixtythree 4 days ago 13 replies      
From the outside, Python 3 seems like a much better language. I don't have strong views of its object system (I avoid OOP as much as I can) but it seems like the string/bytes handling is much better, and I'm also a fan of map and filter returning generators rather than being hard-coded to a list implementation (stream fusion is a good thing). Also, I fail to see any value in print being a special keyword instead of a regular function (as in 3).

What I don't get is: why has Python 3 adoption been so slow? Is it just backward compatibility, or are there deeper problems with it that I'm not aware of?

20
mathgenius 4 days ago 2 replies      
Ok, fine. Can we have the print statement back?
21
gnrme 4 days ago 3 replies      
I think this is the primary reason why some scripting languages end up in the education space (as a tool for learning), while others go mainstream and ubiquitous in the commercial space. Breaking stuff between versions is a headache and expense for everyone except the most superficial users.

The 'there should be one and preferably only one obvious way to do it' rule sounds like another reason. It's like being asked to choose between a perfect general use knife or a Swiss army knife.

Congress has added CISA to the federal budget bill theverge.com
578 points by fisherjeff  5 days ago   121 comments top 22
1
kossTKR 5 days ago 2 replies      
Why is this not getting massive attention here on Hackernews? Right now a post about a dude hacking together a self-driving car has garnered 5X the amount of votes on this post (not that the other post isn't interesting).

Remember that:

Apple, Reddit, Twitter, the Business Software Alliance, the Computer and Communications Industry Association, and other tech firms have all publicly opposed the bill. And a coalition of 55 civil liberties groups and security experts all signed onto an open letter opposing the bill in April. Even the Department of Homeland Security itself has warned in a July letter that the bill could flood the agency with information of dubious value at the same time as it sweep[s] away privacy protections.

http://www.wired.com/2015/10/cisa-cybersecurity-information-...

Isn't this massive news?

I mean the bill in itself is horrible policy making, but the way it's being snuck in is scandalous in its own right.

Have I misunderstood something?

2
ccvannorman 5 days ago 2 replies      
985-222-CISA

If you live in the United States, this phone number connects you with your congresspeople and senators in order to make your voice heard.

Citizens stopped CISA before, we can do it again. Don't lie down.

3
disposition2 5 days ago 1 reply      
Looks like it is actually worse than CISA...

https://www.techdirt.com/articles/20151215/06470133083/congr...

4
CM30 5 days ago 12 replies      
Probably a silly question, but is there a reason all these 'additions' are being snuck into bills and what not? Why does the system allow members of congress to add unrelated extras to bills in the first place?

Wouldn't a simple fix for things like this be 'only allow a new law proposal to be about a single topic and nothing else'?

5
dude3 5 days ago 1 reply      
This is interesting too

TEMPORARY H-1B VISA FEE INCREASE. Notwithstanding section 281 of the Immigration and Nationality Act (8 U.S.C. 1351) or any other provision of law, during the period beginning on the date of the enactment of this section and ending on September 30, 2025, the combined filing fee and fraud prevention and detection fee required to be submitted with an application for admission as a nonimmigrant under section 101(a)(15)(H)(i)(b) of the Immigration and Nationality Act (8 U.S.C. 1101(a)(15)(H)(i)(b)), including an application for an extension of such status, shall be increased by $4,000 for applicants that employ 50 or more employees in the United States if more than 50 percent of the applicant's employees are nonimmigrants described in section 101(a)(15)(L) of such Act.

6
MrQuincle 5 days ago 0 replies      
Welcome to the rest of the world. We're being eavesdropped legally by your congress for ages. :-)
7
tmaly 5 days ago 3 replies      
it would be great if we could have all these bill changes in a git repo with commits from the representatives that added them. open source gov.
8
DanielBMarkham 5 days ago 0 replies      
As I understand it, by slipping it in on an Omnibus budget bill, leaders get to add in bullshit that nobody in their right mind could defend on the floor and then expect an up-down, yes-no vote on the entire budget, including the add-in, by the membership.

In addition, because it's a budget bill, regular conference committee rules don't apply. The idea was that having conference committees dicker over each line item would be a great way to prevent both houses from agreeing. So the "fix" they made for money bills can be used for cyber-surveillance bills too.

I may have missed the details. Apologies if that's the case. If this was added to the Omnibus, the reason why was obscurity. My misunderstanding of the details is a prime example of voters not being able to track who's responsible. That's the point.

9
Zikes 5 days ago 0 replies      
So now they're legally allowed to do what they've already been doing without oversight anyways, which they were legally never allowed to do in the first place and still aren't legally allowed to do due to Constitutional restraints.

I don't like to sound defeatist, but honestly what does this change?

10
j_s 5 days ago 2 replies      
Any specifics on which congress-people are responsible for this?
11
tptacek 5 days ago 1 reply      
Since it's linked upthread: Techdirt is one of the least trustworthy sources on the Internet for information about Internet law.

(Here's a summary of CISA I wrote a few months ago on HN: https://news.ycombinator.com/item?id=10454172 )

Today (and yesterday), Techdirt claims the following changes to CISA:

1. Removes the prohibition on information being shared with the NSA, allowing it to be shared directly with NSA (and DOD), rather than first having to go through DHS.

2. Directly removes the restrictions on using this information for "surveillance" activities.

3. Removes limitations that government can only use this information for cybersecurity purposes and allows it to be used to go after any other criminal activity as well.

4. Removes the requirement to "scrub" personal information unrelated to a cybersecurity threat before sharing that information.

'yuhong helpfully posted a link to the revised bill attached to the budget bill.[1] I compared it clause for clause to the version that passed the house. That is 10 minutes of my life I will never get back. Unsurprisingly, only one of Techdirt's claims is true (but worded misleadingly). The other three are simply false.

Here's the breakdown:

<strike>1. The "CERTIFICATION OF CAPABILITY AND PROCESS" part of Section 107 now allows the President, after CISA has been started by DHS, and after publicly notifying Congress, to delegate to any federal agency, including NSA, the authority to run the process described by the rest of the bill. The previous version required DHS to run the entire process. Techdirt isn't wrong about that change. Techdirt is wrong to be confused about why NSA would be a designated coordinator for threat indicators under CISA (NSA houses virtually all of the USG's threat intelligence capability; no other department has comparable expertise coordinating vulnerability information).</strike>

I was wrong about this; the new bill specifically disallows DoD or NSA from running the CISA portal.

2. The bill doesn't change the authorized usage of cyber threat indicators at all (nor does it change any of the definitions of threat indicators, vulnerabilities, and so on). The few places I found changes at all actually improved the bill (for instance: Section 105 5(A) no longer allows threat indicators to be shared to investigate "foreign adversaries").

3. CISA has always allowed the USG to use cyber threat information in law enforcement pertaining to a specific list of crimes --- that is one of the ways CISA is significantly worse than CISPA. But Techdirt suggests that CISA can be used by the DEA to investigate drug crimes. You cannot have read the bill and believe that to be an illustrative example, because drug crimes aren't among the listed crimes: fraud/identity theft, espionage, and protection of trade secrets. It should not surprise you that the list of applicable crimes has not changed in the budget bill version.

4. The new CISA act retains all the "specific person" and "technical capability configured to remove any information" language regarding personally identifiable information in "cyber threat indicators". The "scrub", by the way, has always applied to private entities (Techdirt may have tripped over themselves to write this bullet point, because the new bill clarifies "entity", "federal entity", and "non-federal entity", and so the scrubbing language now reads "non-Federal entity" --- but the original bill defined "entity" as "private entity"!)

[1]: http://docs.house.gov/billsthisweek/20151214/CPRT-114-HPRT-R...

12
beatpanda 5 days ago 0 replies      
P.S., the reason you don't see as much wrangling or dramatic threats to shut down the government over this budget bill is because a bunch of stuff like this was loaded into it. Because Congress is under enormous pressure by law enforcement and intelligence agencies to undermine computer security in the name of "safety", but they can't be seen doing it because it's extremely unpopular.

What will be interesting is if all the riders on this budget bill are so unpopular that the voting public demands a government shutdown.

Personally, I think everyone here is better off spending time writing software to make surveillance less practical. Even if the U.S. government is nominally constrained by laws (they aren't in practice), there are plenty of other actors in the world that aren't governed by any constraints and will monitor all electronic communications up to their technical capacity to do so.

If you care about privacy and information security you need to be working on tools to make it impossible for surveillance to occur, not petitioning a Congress that is dead-set on screwing you.

13
ccvannorman 5 days ago 2 replies      
News flash, privacy is going to (keep) getting worse before it gets better. This is why the instant someone invents a totally secure and private way for me to exist online, I'm going to dump a truckload of money down their coffers.
14
ck2 5 days ago 1 reply      
I don't know the origin of the word "scumbags" but it seems to fit perfectly here.

Can you imagine sitting across from someone you are negotiating with and you are about to sign and they slip a sheet of paper in between the document, making you agree to it?

Of course not. But what you'd never do to a fellow American in person, congress is more than okay with doing to you without you being there or realizing what is going on.

Lowest of the low.

15
newman314 5 days ago 3 replies      
So can someone please help explain to me how this is permissible?

Taking this to extremes, why would politicians not sneak every crazy wild idea that they have onto this bill if it's a must-pass bill?

16
profeta 5 days ago 0 replies      
and the people that did that will go largely unpunished in any way and continue to receive the same votes as always.
17
pnathan 5 days ago 0 replies      
Rolling in a little late here, I am actually wondering what substantive rationale exists here. There are super competent people in the government, and they do percolate information out to Congress. So I don't think it's fully appropriate to call the Congress-critters chumps (although it's a national pastime), and I do also wonder what the effective means of altering policy are (No, I don't think the EFF is being effective).
18
micwawa 5 days ago 1 reply      
So if I delete my YikYak account today will I still be employable in the future?
19
collin123 5 days ago 0 replies      
:( ugh not again
20
dang 5 days ago 0 replies      
There have been close to a dozen posts about this. We merged the threads that had comments.

If another article is significantly more substantive, let us know and we can change the URL.

21
imglorp 5 days ago 0 replies      
"So this is how liberty dies...with thunderous applause."
22
MrZongle2 5 days ago 0 replies      
Don't you get it, America? Your masters want this. Why can't you have the good grace to let yourselves be observed and controlled without raising such a ruckus?

/s

Obama Signs CISA Bill into Law npr.org
376 points by benevol  2 days ago   219 comments top 19
1
tptacek 2 days ago 3 replies      
CISA passed the Senate with almost 3:1 bipartisan support in October.

PCNA, the House's (worse) version of CISA, passed with similar margins in April.

Obama has publicly supported the bill all year.

As much as HN and Twitter want to believe CISA was enacted in some shady backroom deal, the process that actually occurred, including publicly available amendments and months-long review, is pretty close to "Schoolhouse Rocks".

The debate on CISA was over. Thankfully. The only debate left was how close CISA would come to PCNA, with its broader law enforcement ties and vaguer language (EFF claims PCNA would have in some cases authorized large private companies to "hack back" computers they believed had been trying to hack them). Instead, Senate's CISA is the law of the land almost verbatim to what they passed --- in a drawn out, public process --- in October.

Later:

Someone downthread asked for a summary of the bill. I did my best to strip the legalese out of it:

https://news.ycombinator.com/item?id=10763827

2
randomname2 2 days ago 7 replies      
How this happened [1]:

In a late-night session of Congress, House Speaker Paul Ryan announced a new version of the omnibus bill, a massive piece of legislation that deals with much of the federal government's funding. It now includes a version of CISA as well. Lumping CISA in with the omnibus bill further reduces any chance for debate over its surveillance-friendly provisions, or a White House veto. And the latest version actually chips away even further at the remaining personal information protections that privacy advocates had fought for in the version of the bill that passed the Senate.

Snowden's comment on this:

Shameful: @Facebook secretly backing Senate's zombie #CISA surveillance bill while publicly pretending to oppose it. https://t.co/du7RK7V1WJ Edward Snowden (@Snowden) October 25, 2015

[1] http://www.wired.com/2015/12/congress-slips-cisa-into-omnibu...

3
egwynn 2 days ago 5 replies      
I believe that CISA is mostly about changes within the government itself about sharing data between agencies. It seems to interface with the non-government world insofar as it lets companies share their data with government agencies without getting sued. I do NOT believe it contains any further provisions requiring private companies to share their data without a warrant. Can someone tell me if I'm reading it correctly? Not saying I like it, but if it's not specifically requiring cooperation, then I guess there's still some hope left.
4
mixedmath 2 days ago 3 replies      
There have been very many versions of laws similar to CISA that have been proposed, modified, and changed/passed/failed/delayed. When I try to understand exactly what this CISA version includes, most rhetoric I read is alarmist and not conducive to actually knowing what can and cannot be done under CISA.

Is there a digestible explanation of what this CISA entails?

5
atomicbeanie 2 days ago 1 reply      
Since they're enjoying Star Wars while legislating, maybe Padme's quote is apropos: "So this is how liberty dies. With thunderous applause."
6
x1024 2 days ago 1 reply      
Well, this whole Internet thing was nice while it lasted.
7
jordanpg 2 days ago 0 replies      
A semi-serious proposal: why don't we just stop caring about this?

By "we", I mean those of us with the technological know-how to protect our own privacy if desired.

I bring this up because laws like CISA are meant to deal with large-scale collection of data for ostensibly well-meaning reasons from the vast majority of internet users. Those vast majorities that aren't lurking on HN, who don't know or care about the technical details of privacy beyond maybe vaguely wanting it, who want the internet to work, fast, free, and easily.

It seems to me that with the vast law enforcement and intelligence agencies on the one side and the even larger internet economy on the other, there is no serious getting in the way of whatever flow of information those two groups agree on. It doesn't matter what you, me, the EFF, or Edward Snowden think. There is far too much money at stake. And the "privacy" threat, as we discuss it here, is irrelevant to just about everyone.

Beyond implementing strong crypto with trusted software, for those who care to, I don't see that there is anything to be done here. As Schneier pointed out a few years ago, this ship sailed a long time ago: https://www.schneier.com/blog/archives/2013/03/our_internet_...

8
joshmn 2 days ago 0 replies      
Al Franken (D-MN) voted against the original bill; he voted to pass the bill that was signed into law here. He has a long history of fighting for privacy and the internet. Having said, if he thinks this is OK, I probably don't need to read it. (though, I did)

Original: https://www.techdirt.com/articles/20151022/10133932597/cisa-...

Votes against the bill that was signed into law: https://www.govtrack.us/congress/votes/114-2015/s339

9
crb002 2 days ago 1 reply      
Rand should filibuster everything until a CISA removal bill is passed.
10
rmac 2 days ago 1 reply      
So is there room to build products to help facilitate the sharing of data as mandated in CISA?

Is there a standard or format for how the government will expect this threat data to be packaged? STIX / TAXII?

Startups; assemble!

11
sschueller 2 days ago 2 replies      
How does CISA apply to US companies with subsidiaries in Europe like Microsoft? Will Microsoft now be required to hand over data located in datacenters abroad?
12
transfire 2 days ago 0 replies      
I think the "big deal" about CISA is that it essentially gives the heads of state the ability to say "cybersecurity threat indicator" and by so doing collect any information or spy on any system they wish without warrant or any other form of informed oversight.
13
ck2 2 days ago 3 replies      
By the way, I haven't heard CNN or NBC mention CISA once this week.

So apparently corporate media has no problem with CISA for some reason.

Since congress rarely write their own laws and let the industry write it for them - who actually wrote CISA? There's no way congress would know what to ask for. Did the NSA write CISA?

14
imaginenore 2 days ago 0 replies      
Well, more encryption should be our response. It will backfire in ways they didn't even consider.
15
rayalez 2 days ago 1 reply      
I don't get it, can somebody explain this to me, why does this stuff happen in democracy?

How can public fight government for years and lose?

How is it possible to pass a law in US that is clearly against everyone's will? I mean for all I know, most of the people are strongly against it, except for a few politicians, nobody wants this to happen, so how is that even a discussion?

16
transfire 2 days ago 0 replies      
My favorite clause...

"(e) Prohibited conduct -- Nothing in this title shall be construed to permit price-fixing, allocating a market between competitors, monopolizing or attempting to monopolize a market, boycotting, or exchanges of price or cost information, customer lists, or information regarding future competitive planning."

Does this imply it could have been construed that way without this clause?

17
tosseraccount 2 days ago 1 reply      
The debt to GDP ratio keeps rising: http://www.tradingeconomics.com/united-states/government-deb...

The day of reckoning is coming.

18
rplst8 2 days ago 2 replies      
The article doesn't mention CISA. If it did, they changed it.
19
clientbiller 2 days ago 0 replies      
Anyone know how to find out who wrote the bill?

Wireshark 2.0: Now with Qt lwn.net
347 points by signa11  3 days ago   148 comments top 9
1
creshal 3 days ago 8 replies      
It's a shame how far GTK is falling behind. From a user's perspective, I liked GTK2's smooth, clean interfaces much more than anything made in Qt, so much that I didn't even mind putting up with its insane APIs.

But now? GTK3 interfaces are horrible from a user's perspective: client-side decorations are a sin that we should know better than to repeat, plus a whole load of changes just for change's sake to spite users (the file chooser dialog has a much worse UX; mouse wheel support was widely gutted because apparently I'm supposed to want touch interfaces instead?), and the APIs are still as bad to use. Most changes seem to have been made out of spite; a small shim would have allowed most programs to switch from GTK2 to 3 without code changes, had it not been for those.

Now I find myself increasingly switching to Qt programs. While the interfaces are still somewhat rougher than GTK2 ones and not as unified, it still beats GTK3 crap. That seems to be turning from "a reasonable toolkit for all X11 environments" into "the official Gnome 3 toolkit, beg us if you want interoperability".

2
tenfingers 3 days ago 1 reply      
I'd say good riddance GTK3. I really liked GTK1/2, to be honest. I liked the column-based (unixy) file dialogs, detachable menus that you could use as a poor man's toolbars, and many minor tweaks.

The API was always horrendous (it still is!), but as a user I liked it so I just coped as a developer anyway.

Since the full embrace of gnome, I started to dislike GTK2/3 more and more. The stupidity of file dialogs starting in "recents mode" also for save, to name one. Saving a file again? You see restarting at the top directory, just like in windows. Well, it's because the file dialogs don't have any saved state if you happen to destroy the dialog instance. A tweak that costs literally nothing to implement, but probably "not granma friendly"?

GTK3 is also downright slow. The new theming mechanism might be fancy, but objectively I have some UIs that I left at GTK2 intentionally for lower latency.

I re-evaluated QT4 as a user. The API and developer tools are just light-years ahead.

It's unfortunate that I cannot say I like the evolution of QT5.

3
dorfsmay 3 days ago 1 reply      
Two things about Wireshark that I hadn't realised until recently but that changed my life:

 - Wireshark has a Command Line Interface that is very usable and incredibly useful to debug a machine you can only ssh to: tshark
 - you can look at packets captured with tcpdump with Wireshark/tshark

4
noselasd 3 days ago 3 replies      
Note that 2.0 still can be used with GTK. I'm a daily wireshark user and had to switch back to the GTK version - the Qt version is currently incredibly buggy - at least on Windows.
5
jaybosamiya 3 days ago 0 replies      
> There are many more keyboard shortcuts in Wireshark 2. The full list of those shortcuts can be found from the "Help" menu. In addition, individual windows have their own shortcuts, which can be listed from the window itself.

More keyboard shortcuts always makes me happy. Less usage of that tiny little touchpad on my laptop.

6
topspin 3 days ago 1 reply      
Watched someone via GoToMeeting try to use 2.0 yesterday on a Windows server. They couldn't start capture on the interface; start button grey'd out with no explanation. Installed the older version (1.12.8) and it worked perfectly. QT is great and all but I'll have to stick with the legacy stuff for a while.
7
shmerl 3 days ago 1 reply      
I wish Firefox would also start using Qt.
8
NelsonMinar 3 days ago 0 replies      
I've been using the 1.99 builds on my Mac for, oh, a year now. And I'm so grateful. It works great and was miles ahead of the old X11-based thing.
9
WhitneyLand 3 days ago 4 replies      
I wonder if they would have considered HTML5 if NW.js / Electron had been around when they started.

DuckDuckGo grew more than 70% this year qz.com
378 points by nichodges  4 days ago   183 comments top 43
1
newscracker 4 days ago 14 replies      
> Our biggest challenge is that most people have not heard of us, Weinberg says. We very much want to break out into the mainstream.

It won't help at all if more people get to know of DDG and then leave it after a single trial because the results are not great.

I value privacy a lot and want something like DDG to succeed and become really big, but I get frustrated very often with DDG. I know many people are very happy with the results from DDG. For most of my searches though (on technical and other matters), I end up doing a second search on Start Page or Google because DDG still does not have search by date and the search results are nowhere close to Google.

I do have and use DDG as my default search engine in the hope that DDG keeps analyzing the volume of !s or !g queries as an indicator of how much DDG is lacking and takes action to improve it.

2
bsbechtel 3 days ago 9 replies      
Most of the comments here are complaining that, while people like the idea of DDG, the search results are poor. Two comments regarding that:

1) the only way DDG is going to improve search results is by you using it regularly. Using it regularly drives not only revenue, allowing them to hire additional developers, but it also drives feedback to help DDG improve search results.

2) I suspect that the difference in search results may partly be conditioned responses. We are accustomed to what we find through Google, so when DDG presents something that looks different (e.g. showing a different answers site that has the exact same result), we feel uncomfortable and think it's not what we want. I think this is just something that takes time to adjust to, but also something DDG needs to think about how try to figure out how to overcome.

3
bad_user 3 days ago 5 replies      
I'm trying to use DuckDuckGo, but for now the local search results are really, really poor. I can't blame them much though, because Yahoo and Bing suck as well. But then Bing's index is in fact the only competition Google has and DuckDuckGo cannot improve as long as they depend on Bing.

One favorite example that I've been using for feedback is when I'm searching for "restaurante" (the Romanian word for "restaurants"), in Google Search I'm getting links to nearby restaurants. Which is normal since they've got my location and so on. But they also know that in my country (Romania) the people are speaking Romanian and so they are showing me results in the Romanian language of restaurants from my city.

On the other hand in DuckDuckGo:

1. The instant answer is terribly wrong, mistakenly identifying a plain vocabulary word from at least 3 romance languages (!!!) as being the name of some insignificant 1-star GitHub project that nobody cares about. Ouch!

2. Even though the region selected is Romania, approximately the first eleven results contain the translation of the word "restaurante" from Spanish, a link to some "el Restaurante" magazine I've never heard about and a link to some Latin restaurant named Kuuk from Mexico, plus a "Top 10 Berlin Restaurants" (needless to say Berlin is not in Romania)

3. Out of 30 links I get, none of them is related to Romanian restaurants, Romanian cuisine, or anything related to Romania, even though the selected region is Romania and that word is a Romanian word.

4. OK, let's assume that some users searching for "restaurante" are interested in Spanish results. Well, one problem would be that Mexico is different from Spain, but let's ignore that as well. The biggest problem is that this set of results is completely useless for Spanish speakers as well.

4
wila 3 days ago 3 replies      
DDG has been my search engine of choice for the past few years and in my experience it is pretty rare that I have to use google for better results. In general I'm quite happy with it.

One thing I would love to see as a feature is the ability to add under settings a list of sites I'd prefer not to see any results from.

For example experts-exchange where they want you to sign up to see the answer. There's also a bunch of scraping websites that don't have actual answers which just pollute the results. Being able to suppress that kind of site would be wonderful.

I'm aware you can use an option on the search itself, problem is that the list of sites I like to remove from the search is too long to type each time.

5
scope 3 days ago 2 replies      
DDG results have improved tremendously, top stack overflow / github matches are shown partially which is really neat

I FULLY switched to DDG (& also away from Chrome) when I found out when I click save password on login forms my password is sent to Google Servers (I must have missed it on the TOC)

6
XJOKOLAT 3 days ago 1 reply      
Good to see them progressing.

I made the switch a year ago having found their results had improved greatly to the point of "good enough". Before that I agree there was a problem.

For maybe 2-3% of the time I'll need to revert to google et al, but I see that as a fair price/compromise for even a small taste of privacy ... which is like tasting the purest of waters.

DDG is my default.

7
myztic 3 days ago 0 replies      
DuckDuckGo really loses the battle when it comes to search results.

And since they make the case with privacy, I also want to make clear, they don't lose because Google tracks us all, even if you are logged out from your account, use vpn servers, delete all of your cookies and cache, Google is just so much better and DuckDuckGo awful and some search results are just weird.

I tried once (it must have been this year) to use DuckDuckGo as my main search engine, basically whenever I did not find something quickly enough I just switched to Google and then found my object of desire often times instantly. One of my VPN-Servers is blocked by Google and because of that I am using Bing at the moment, which also seems so much better than DuckDuckGo was when I used it.

I installed LinuxMint on a non-techy person's machine a while ago (few weeks) and DuckDuckGo was set up as default search engine with Firefox, even that person used Google, because he/she wasn't happy with the search results. Used Google even though he/she had to manually go to google.com every single time

"We don't bubble you" is a unique selling point they have profited greatly from, and that's what made them well known to begin with, nothing else really.

8
takee 3 days ago 2 replies      
Has anyone considered that the slightly longer and forgettable name DuckDuckGo might have something to do with the low mainstream presence? I think they should rebrand and market with duckgo or maybe just duck.com if at all practically possible.
9
lips 3 days ago 1 reply      
My experience has been reminiscent of the old SE days, when different engines would often fare better/worse for varying queries, vs there being an all-out winner. I think of DDG as avoiding a fair amount of overtly "consumer" content. Google is great at getting to "interaction points," DDG is great for information. I quite like the DDG ability to play embedded videos from the search results page, and their accompanying privacy warning.
10
rlv-dan 3 days ago 2 replies      
I've been using DDG for many years now, and I think the search results are excellent in most cases. Sometimes I'm not satisfied, and try the same search on Google. Most of the time though, I get the same results there.

My only gripe is that the last half year or so, w3schools has been getting at the top of the search results. (Previously w3schools did not show in the search results.)

11
CM30 3 days ago 0 replies      
It's not surprising, but if they really want to become mainstream, they'll have to get people caring more about privacy than they already do. I mean okay, the Snowden leaks and stuff about PRISM got a lot of people using it, but those people were still most tech savvy types who value their privacy over the quality of the search results.

DDG is getting better, but it'll have to beat Google and the likes on a quality level if it's going to get the interest of people who don't seem to give a damn about their privacy.

12
Dolores12 3 days ago 1 reply      
Using duckduckgo I found out that google blocks booksee.org domain. I spend some time trying to find ebook using google, implying it's the best search engine in the world.
13
dexterchief 3 days ago 0 replies      
Wikipedia has lots of disambiguation pages but somehow this idea has never made it into the search world. Perhaps the idea of a single text box that you can type "Michelangelo" into is not a good one. Tracking the user so you can get some context (is it Ninja Turtles or art history usually with this person?) seems a logical extension of the lunacy of that situation.

I use DDG a fair bit but I feel like without revisiting that assumption that a single context-free text box is even desirable, ditching the tracking (which I am totally in favour of) feels like they are dooming themselves.

I've played a little with running Yacy locally and directing it to crawl only sites I care about. So far that habit has not stuck.

The bangs are a step in the right direction. Suggesting additional search terms isn't quite right, and neither is doing a site specific search since I don't know what site will have the information.

Maybe a "metabang" where you search all the bangs in a category? "python !!tech"

Anyway, it's good to see DDG growing.

14
dpcan 3 days ago 1 reply      
I feel like the search results are getting better.

EDIT: Complaint #1 removed. I can change the THEME in DDG to get blue links. Awesome.

#2 Complaint is that I dislike the font-weight changes on search sites. I don't need my search words bolded. I know what I searched for, I trust that those words are in the search results, you don't need to show them to me.

It's actually the SUPPORTING words around my keywords that are going to make me click them after I've already searched. So if anything should be bold, it should be those words because they set each listing apart from the others.

The Positive (for me):

As I do SEO for some companies sometimes, I often times use DDG as a baseline because it doesn't track me. If I see one of my companies ranked high in DDG AND Google, I believe what I'm seeing in Google in terms of SEO a little more. I know it's not really accurate, and I tell my clients this, but it's nice to say that DDG is not tracked so it's not influenced by my previous searches, and seeing a site ranked high there too is a really good thing in my opinion.

15
akkartik 3 days ago 0 replies      
I seem to have finally switched permanently a couple of days ago[1]. Pleasantly surprised.

[1] The clincher? Copying a link on Google and finding for the umpteenth time that it was a #$%# redirect. (This is on my phone so greasemonkey plugins don't help.) There comes a time when you say enough.

16
JayNeely 3 days ago 1 reply      
I started using DDG this year. I've found the main thing that drives me back to Google (and frequently) is searching for anything where freshness of results matters; that's where I'm seeing the biggest difference in quality of results.
17
truncate 3 days ago 0 replies      
I recently started using DDG as my default search engine. I'm usually fine with searches, however what troubles me most times is the extracted content on result page. For example, when I search "How to make coffee"[1] the result links are good for both, however the extracted text shown in Google results are generally more relevant to my query. In this example, Google shows me instructions to make coffee in each result, while DDG shows the first text it could find which is totally irrelevant to what I want.

So in short, I feel a lag when deciding when and what to click with DDG.

[1] http://imgur.com/a/7jCEH

18
qwertyuiop924 3 days ago 1 reply      
I don't actually use DDG for privacy primarily. I use it for the instant answer and !bang goodness. If you're a developer, both of these are indispensable. If the results don't work, you can always !g.
19
lesdeuxmagots 3 days ago 1 reply      
FYI: DuckDuckGo primarily leverages the Yahoo BOSS api in the US.
20
andrea_sdl 2 days ago 0 replies      
Wow, so many people talking about how DDG is lacking good search results.

Here's my personal experience. I've tried using DDG 2 years ago, and it sucked. In my language (Italian) results were poor, and also for general searches.

6 Months ago I gave it a try again, and I've been pleased enough to use it both at work, at home and on my smartphone.

The results are not always perfect, but I find myself using !g bang mainly when I feel there's something missing (which doesn't happen that much) or when I need to find a very selective piece of information.

I also loved the integration with stack overflow. Works nicely, it doesn't always "answer" your question, but just yesterday it did and the moment was like "wow, it's getting interesting".

So, while I admit that DDG may not be ready for prime time yet, I guess there's a chance that many of us (developers, etc) might start liking it and using it constantly.

While it would be naive to say "I wouldn't go back to google", I'm now a happy user of DDG, and I wasn't expecting it to begin with (In fact I was very skeptical).

21
edpichler 3 days ago 0 replies      
It's really good to see that even in such a powerful monopoly as the one Google has in "search", there is still space for competition. DDG focuses on a niche in this, and they are growing.
22
ssaddi 4 days ago 0 replies      
It's a great search engine, and getting better with time ..
23
tofupup 3 days ago 0 replies      
I made the switch. My biggest problem with the lack of privacy is that I don't know in X years how my data will be used. In X years - laws may change - mores may change - the fortune of google may change. It just doesn't seem prudent for me and my progeny.

For example searching for information about cigarettes or cigar clubs - 30 years ago may have been socially acceptable. Today if that information were available from the 80's it could provide signal for insurance companies determining rates.

24
4lejandrito 3 days ago 1 reply      
Maybe slightly off topic but wouldn't it be nice to have something like WSQL (Web Search Query Language) such as:

 "Select text from *.co.uk where page contains = XXXX and page.popularity > YY".
We then could have different implementations as we do with SQL (mariadb, postgres...) name them Google, Duckduckgo, Bing...

I did a quick search on my default search engine (DDG) and couldn't find anything related...

25
pcr0 3 days ago 1 reply      
I really like how their instant answers are open source, and they're really nice. (e.g. npm, GitHub, regex/vim cheatsheet)

I do have 2 complaints, and together, they made me switch back to Google.

1) Results aren't as relevant, especially when I'm searching for very new or specific things.

2) Speed. I'm not sure why, but DDG seems to stumble on some searches, which end up taking 2-3x the time they're supposed to.

26
bane 3 days ago 0 replies      
I switched to DDG maybe about a year ago, not because of privacy concerns exactly, but because I was getting concerned that Google's results were getting less and less accurate (literal) for what I was searching for.

I think this is something that technical people tend to care about more than non-technical. I find now that I'm using DDG for very specific searches and Google for "fuzzier" things (via !g).

Google also tends to order results better than DDG, where DDG might have the result I'm looking for in its result set, the relevance ranking of the results isn't quite as good as Google.

About the only other things I search Google for are images (!gi) and if I need to constrain the date range down on the results (afaik DDG doesn't have any way to say "between these two dates" or "in the last month").

27
funkyy 3 days ago 3 replies      
In all honesty, despite me knowing about DDG for reaaaaalllly long time, I still tend to forget their name. "something duck" is how non-tech people reference it. Can't you really name it something easy to remember and (ouch) Google like Duckgo? Or Ducker? Or anything else that can be pronounced by anyone within one breath?
28
Illniyar 3 days ago 1 reply      
If I remember correctly, DDG doesn't crawl the web on their own, so considering the many comments here saying they stopped using DDG because of bad result, is there any way for them to improve on this?

Are all improvements made to the actual search results caused by improvements from Yahoo or Bing?

29
jgalt212 3 days ago 0 replies      
I use DDG almost exclusively on my phone, and Google almost exclusively on my laptop.
30
rodionos 3 days ago 0 replies      
Interactive DDG Search Traffic Stats: http://apps.axibase.com/chartlab/e8635882/10/
31
xedarius 3 days ago 0 replies      
I love DDG but I think as the world turns away from document indexing and more toward intent based search, plus the ever increasing use of implicit data (gps location, speed of movement etc) - I can't see how DDG are going to grow.

Ultimately search will end up with something a bit like Siri (but something that works). The hound demo (if real) is a very impressive glimpse of the future of search.

For those who haven't seen it : https://www.youtube.com/watch?v=M1ONXea0mXg

32
sn 2 days ago 0 replies      
RE: https://duck.co/help/company/advertising-and-affiliates I think it would be cool if it was possible to do ads direct with DDG.
33
makecheck 3 days ago 0 replies      
I generally like it but I definitely don't like some of its apparent integrations.

For instance, I search for recipes a lot. And Yummly "wrappers" seem to come up a lot on DuckDuckGo, often barely acknowledged as being Yummly. I don't know what Yummly is but it just seems scummy...it seems to wrap pages that I know are clearly recipes on other web sites, yet they're made to appear like Yummly pages. Why? There's no reason for this kind of middle-man stuff.

34
pholz 3 days ago 1 reply      
On desktop I only use DDG, mostly because I think their visual design & typography is much more pleasing than Google's, and the search results are usually just as good.
35
msh 3 days ago 1 reply      
I love ddg for english searches.

For non english searches it is still behind google. For example "pizza name-of-my-town" lacks half the pizza places google lists.

36
hyperdunc 3 days ago 0 replies      
I've been using DDG almost exclusively for the past two years. It's improved a lot in that time and now I hardly ever have to !g.
37
eva1984 3 days ago 1 reply      
Tried a few queries with it. Seems like its accuracy has improved greatly over last year, but still throws me a Japanese article for no reason.

Search is really a very hard business, in terms of both technology and market. I don't think they have Google level quality right now, so I won't consider using it seriously.

38
pilooch 3 days ago 1 reply      
DDG is basically a meta-search engine. It is then better to host it yourself with https://github.com/asciimoo/searx

Set it up remotely and you basicially have your own DDG.

39
Kenji 3 days ago 1 reply      
The privacy of DuckDuckGo is worthless when I click on the first link and it includes ajax and fonts from the google domain (and facebook and twitter buttons and whatnot) - might as well just type my search term in google.
40
korzun 3 days ago 0 replies      
Going to chime in on the whole 'results are getting better'.

They might be. On paper; because there is more data.

Unfortunately, nobody is accounting for the 'stale' factor.

Searching old news is well.. old news.

41
yclatewin2015 3 days ago 0 replies      
In all honesty, I don't care if they (google) track me. I just want to find the right information as fast as possible.
42
gloves 3 days ago 0 replies      
And rightfully so.
43
joryhatton 3 days ago 0 replies      
Much deserved progress.
I included emoji in my password and now I can't log in to my Account on Yosemite stackexchange.com
388 points by gdeglin  6 days ago   144 comments top 18
1
Twisell 5 days ago 4 replies      
And this is a perfect reminder that you should never try some crazy things on your only administrator account on your production machine.

Had he tested his point on a dummy account : delete account = problem solved

2
OSButler 5 days ago 4 replies      
A client once had an issue where his account got compromised and everything pointed to having his actual login details leaked. His password was something like his username plus an assortment of random characters. It turned out that the system his account was on basically ignored everything after the 8th character, so that you were able to login with the username as the password.

Also, during the early days of inline password generators, there were cases where the suggested password was incompatible with the associated system.

3
bhaak 5 days ago 3 replies      
Such problems are the reason why I never use anything but ASCII letters as passwords (if the system doesn't enforce arbitrary password policies). I'd rather have a longer ASCII-only password than a shorter one I might not be able to input.

There's also the issue that often you are not sure what keyboard layout is currently enabled and even such unsuspicious characters like ! or # are on completely different locations on different keyboard layouts (then there's the z-y swap on German derived keyboards and have you ever had a look at a French keyboard layout?).

You can never be sure if a system locks you out after failed attempts, so I want to be sure that there are as few error sources as possible.

4
minikomi 5 days ago 1 reply      
Hmm. Not really related, but now that it seems to be fixed - I discovered that using an equals sign in your name was enough to be "locked out" of Airbnb - it wrecked the cookie & every page would return 403. No bug bounty though haha. Guess it wasn't enough of an "attack vector" to try and convince someone to change their name.
5
Johnny_Brahms 5 days ago 4 replies      
I have had something similar bite me, although mine was easily fixed. I used Swedish () characters for my disk encryption password. This worked fine, until I did a dist-upgrade and had my boot keyboard reset to US QWERTY (using a custom Swedish version of capewell-dvorak).

The solution for me was to stick on LTS distros.

6
golergka 5 days ago 0 replies      
On one hand, I want to leave a witty comment in the line of "play stupid games, win stupid prizes".

On the other hand, I'm sad that I didn't try to do that myself.

7
paines 5 days ago 0 replies      
Many Linux installers suffered for years the situation that you would enter your password in the setup process with a different keymap than the one you got once the system then loaded, e.g. y-z were mismatched cause I was using QWERTZ instead of QWERTY. I think I saw something similar lately with one of the OSX'es.
8
grapeshot 5 days ago 0 replies      
The Chrome password manager still crashes the entire browser when trying to save any password with emoji in it on Windows. Firefox works perfectly fine.
9
socket0 5 days ago 0 replies      
Well, the account is now secure. Objective achieved?
10
r00fus 5 days ago 0 replies      
Reminds me of a time in France when someone at a customer site complained they were locked out of their laptop - his Win NT4 laptop had a QWERTY keyboard but he put his password in French using the keyboard switcher in the OS. Back then Windows didn't allow you to change keyboard type at the login screen - it kept what you were using when you logged off...
11
msftie 5 days ago 0 replies      
In college I worked at an Apple store. One day while on break in the back of the store, I changed my company account password to a lengthy sentence, something at least 30+ characters. The system accepted the change.

When I tried to log in to the timeclock application again using the password, it threw Null Pointer Exceptions (it was a Java app, incidentally). In order to get back on the clock and get paid again, I had to reset my password -- but entering my current password into the "old password" field caused the system to throw more Null Pointer Exceptions.

I called Apple IT to do a manual reset of my password, and after explaining my situation, the response was a very cold, concise and condescending "why would you do this..."

12
BorisMelnik 5 days ago 1 reply      
Was really surprised to see such a great solution and walkthrough. I had no idea Macs had "unicode text input" software on default machines. I wonder why Windows hasn't upgraded charmap.exe over the years?

Ok and hear me out on this: a startup idea based on emoji passwords that encodes/decodes emojis into their hex/binary equivalent. takers?

13
coldtea 5 days ago 0 replies      
You try to make things idiot-proof and they bring in better idiots.

1) The user tried to see if emoji can be used for the password.

2) Without checking on the web/forums/etc first.

3) On their main user account (not a disposable one).

4) With FileVault turned on.

I can't even...

14
nkrisc 5 days ago 0 replies      
Sure it's a silly thing to try, but this is entirely an oversight on Apple's part and is squarely their fault. They had the power to make this situation impossible and they didn't.
15
TazeTSchnitzel 5 days ago 0 replies      
I used as my password during (what Americans would call) middle school. Alt+numpad works on the Windows XP login screen. It never caused me any trouble.
16
RUG3Y 5 days ago 0 replies      
This is the funniest thing I've read in a while.
17
DonHopkins 5 days ago 1 reply      
You can use Emoji characters in Wifi network names. My network name is [POOP]. See what kind of fun you can have at the airport by making an ad-hoc network called [AIRPLANE][BOMB].
18
drdeca 5 days ago 0 replies      
I had problems when I set my admin username on my windows laptop to when setting it up for the first time. It wouldn't let me do things which required admin, iirc.
SpaceX launch webcast: Orbcomm-2 Mission [video] spacex.com
483 points by clessg  4 hours ago   223 comments top 58
1
TeMPOraL 2 hours ago 3 replies      
I join in congratulating SpaceX for this awesome achievement. It's like, holy fuck, they landed the rocket AND deployed 11 satellites, all in a single Pomodoro!

I also want to commend them for a few minor things:

- a real-time stream from landing (as opposed to holding it and releasing footage few days later, as before)

- a real-time stream from satellite deployment, with a camera placed so that we could see everything (as opposed to the typical low-quality stream of the engine nozzle)

- a launch timeline visible on the stream

This mission looked an order of magnitude better than anything they did before. It's like, before they were just playing around, and now they're doing serious business. Keep it up, SpaceX!

2
planckscnst 3 hours ago 7 replies      

 "Congrats @SpaceX on landing Falcon's suborbital booster stage. Welcome to the club!"
Oy... someone needs to tell Bezos it's a whole different scale than what he did.

https://twitter.com/JeffBezos/status/679116636310360067

3
lvs 3 hours ago 8 replies      
Stuck the landing! Congratulations! 10/10. Would land again.
4
FiatLuxDave 25 minutes ago 0 replies      
So, I've lived within earshot of the Cape since 1985, and I'm pretty used to hearing launches. Tonight, I had a new experience.

I was working on a signal distortion problem with a colleague when I heard the rumble of the launch. "Rocket just launched", I said. He was on Google chat with me and said, "It did?". He lives a few miles south of me and so he gets the sound waves a few seconds later ;).

A couple of minutes later I did a double-take. "THAT's a new sound!". I've heard rockets blow before, but I've never heard one come back to land.

Then I checked the internet to confirm what my ears had already told me.

Congrats to SpaceX and thank you for not landing it on my house!

5
jacquesm 3 hours ago 2 replies      
AMAZING THEY DID IT :)

hah! Tears in my eyes here this is absolutely incredible to watch.

I stayed up for this, I hope I didn't wake up the neighbours and it will take days to wipe the grin of my face.

6
tempestn 2 hours ago 2 replies      
This is so exciting. Not quite a moon landing, but still feels like watching a significant moment in history.

Does anyone know what specifically changed to allow a landing attempt on land as opposed to barge? Was it just that they gained enough confidence with the barges that they would at least be able to hit the target (and not crash into a building or something), or was some regulatory clearance received or something? Or something about this launch (ie lighter payload?) made a return to land feasible?

7
WJW 3 hours ago 2 replies      
They really poured on the PR, lots of people going "Hi, I'm lead mechanical engineer for this or that" and then delivering a perfect speech that would have taken a lot of practice to deliver to a camera as smoothly like that.

It's nice to see a lot of the lessons from media training. :D

8
Rezo 1 hour ago 0 replies      
I think it's really impressive how SpaceX continues to iterate on the engine and rocket designs. This is the third major revision of the Falcon 9 engine since 2010, each time increasing the thrust and payload to orbit significantly even while operating a commercial launch service. I feel that this kind of willingness to continuously improve and push the envelope is what really sets SpaceX apart from the incumbents. Speed of iteration beats quality of iteration and all that.

It's quite interesting that their biggest competitor ULA is having to rely on tiny Blue Origin to develop a replacement for the Russian RD-180 that ULA uses on their big money maker Atlas V.

9
manaskarekar 3 hours ago 3 replies      
Youtube link for people for whom livestream videos won't work. (I believe the embedded player is livestream).

https://www.youtube.com/watch?v=O5bTbVbe4e4

10
DavidSJ 41 minutes ago 0 replies      
11
cmsmith 3 hours ago 4 replies      
I must have missed it, but can anyone explain why Orbcomm wants 11 satellites in the same orbit? The stage 2 engine isn't firing in between letting the satellites go.
12
iamcreasy 1 hour ago 0 replies      
Elon Musk posted an article "BACKGROUND ON TONIGHT'S LAUNCH" on SpaceX's website 15 minutes before the launch.

Link : http://www.spacex.com/news/2015/12/21/background-tonights-la...

14
JabavuAdams 2 hours ago 2 replies      
In the video of the fairing adapter deploying the satellites, there's some kind of white highlight or light-source in the upper-left part of the frame. What was that?

Also, what happens to the mass-adapter (i.e. the balancing 12th non-satellite)?

15
foxylad 2 hours ago 0 replies      
Anyone know how accurate the first-stage landing was? Obviously delta v is most important, but hitting the bullseye would just top off the accomplishment.
16
vankap 3 hours ago 0 replies      
Congratulations to everyone at SpaceX. This is a proud moment for all of you. And thank you for giving us the chance to watch this LIVE.
17
sqldba 50 minutes ago 0 replies      
I just wanted to ask, what kind of technology or science understanding do they have now which was required to make this happen now rather than X years ago?

(Also, is it fair to say that while this is an achievement, it is only more-so when they can reliably repeat it; I mean it's not exactly safe yet for people, who knows what a gust of wind could do?)

18
greglindahl 4 hours ago 2 replies      
On the agenda:

First flight since the failure on June 28

Attempt to land 1st stage on land near the launch site

First flight of an upgraded rocket

19
aidos 3 hours ago 0 replies      
Congratulations to team at SpaceX! There are going to be a lot of happy people in that building tonight.
20
XorNot 3 hours ago 0 replies      
Next big milestone will be when they launch with a reused first stage.
21
hackuser 1 hour ago 1 reply      
What changed that made this cost-effective?

1) The companies pursuing this, SpaceX, Blue Orgin, etc., can't be the first to think of it. If the first stage accounts for 75% of the cost of a launch, as one article I read says, I'm sure many have considered, going back to the first launches decades ago, how to reuse it.

2) The technology to land rockets vertically has existed for a long time, going back to the lunar lander at least.

22
frabcus 2 hours ago 0 replies      
Short video of just the landing: https://www.youtube.com/watch?v=1B6oiLNyKKI

(Becomes clear 25~ seconds in)

23
Animats 3 hours ago 2 replies      
So now how do they secure the booster they landed? Do they have some kind of truck mounted gantry they move into position? There didn't seem to be anything like that near the landing pad. They may want to let the engines cool and any excess propellant boil off before they move in, but they have to have something to hold it, tilt it down to horizontal, and carry it off.
24
gvb 2 hours ago 1 reply      
Interesting - something flaming separated from the first stage as it landed. You can see it separate, hit the ground, and burn as the landing completes.

https://youtu.be/O5bTbVbe4e4?t=2518

25
hackuser 1 hour ago 0 replies      
I came here to learn something about the mission, but sadly there is almost no content in this discussion.
26
ggonweb 3 hours ago 1 reply      
Trying to land a Rocket - the SpaceX Reusable Rocket Story https://medium.com/lazy-collections/trying-to-land-a-rocket-...
27
gansai56 3 hours ago 0 replies      
In case you missed, this is the background on tonight's launch:

http://www.spacex.com/news/2015/12/21/background-tonights-la...

28
deadowl 1 hour ago 1 reply      
I guess now the question is whether they can do it the majority of the time.
29
jacquesm 3 hours ago 1 reply      
Lots of eggs in this basket.
30
Meerax 3 hours ago 0 replies      
31
Perceptes 3 hours ago 0 replies      
Amazing! Also an incredible joy to watch is the recent rocket landing from Blue Origin, and the reaction of the engineers who built it as they watch it happen: https://www.youtube.com/watch?v=igEWYbnoHc4
32
jrobn 1 hour ago 0 replies      
Collective nerdgasm at 31:00 minutes into the video. The energy in the room is crazy. A lot of proud people at that moment.
33
lovelettr 3 hours ago 2 replies      
I live on the south end of Merritt Island, FL (~25 miles from the launch complex) and the sudden noise reminded me I wanted to watch this! For a second, based on the sound, I thought it may have catastrophically failed until I caught the live stream and people cheering.

Are there any replay videos?

34
xvf33 3 hours ago 2 replies      
What's with all the fluff videos? Can we have a channel with just a comms feed?

T-4 minutes and still zero actual mission audio...

35
PhilWright 2 hours ago 1 reply      
If SpaceX is so much cheaper than everyone else, how come they launch so infrequently. Seems like they should be launching every month but they are nowhere near that.
36
port6667 3 hours ago 0 replies      
wow holyshit that booster thing just landed perfectly!
37
ColinWright 3 hours ago 0 replies      
They landed the first stage!
38
jcadam 3 hours ago 0 replies      
Just saw it -- beautiful, I love night launches. I live about 20 miles south of the Cape, so I just have to step outside onto my front lawn and face north :)
39
adomanico 3 hours ago 0 replies      
Really impressive

More interesting stuff on the Falcon 9 rocket: http://www.spacex.com/falcon9

40
notjustanymike 3 hours ago 1 reply      
Planetary landing is so hot this year! We've got Space Engineers, Elite: Dangerous, Star Citizen, and now SpaceX!
41
msandford 3 hours ago 0 replies      
Thanks very, very much to whoever posted this!
42
InclinedPlane 3 hours ago 0 replies      
43
mstade 3 hours ago 0 replies      
Awesome, now do it again. And again. And again...
44
sneak 1 hour ago 0 replies      
Prediction: this is the most important milestone in the development of the Earth's IP network since I was born in the early 80s.

I can't wait for this to fuck over Comcast and every other last-mile monopoly acting like jerks to their customers.

45
manaskarekar 3 hours ago 0 replies      
Who would have thought landing on Earth could be as exciting, if not more, than landing elsewhere in the Universe?
46
agumonkey 2 hours ago 0 replies      
It was a pretty "hectic" second from the burn in the sky to standing still.

Epic.

47
revelation 4 hours ago 1 reply      
This is the first launch since the SpaceX rocket went kaboom [1] and they will be attempting a landing.

1: https://youtu.be/PuNymhcTtSQ?t=3m15s

48
chrismartin 3 hours ago 0 replies      
Saw it in the sky from Northern FL! Glad the first stage came back down.
49
jostmey 3 hours ago 0 replies      
Amazing.

So how high does the first stage fly?

50
obilgic 2 hours ago 0 replies      
so 0-60 is 10 seconds? I blame space/astronaut movies.
51
dantheman 3 hours ago 0 replies      
AMAZING! CONGRATS SPACEX!
52
drudru11 3 hours ago 0 replies      
Great engineering!!!!
53
lance26 3 hours ago 0 replies      
They did it!
54
lance26 3 hours ago 0 replies      
They did it!!
55
slem 3 hours ago 0 replies      
Awesome!
56
ORioN63 3 hours ago 1 reply      
It's landing!!!
57
fbbbbb 3 hours ago 0 replies      
They landed it!!
58
nate_martin 3 hours ago 6 replies      
Not sure if the "USA" chant after the first stage landed was warranted.
Juniper screenOS authentication backdoor - master ssh password posted rapid7.com
395 points by ghshephard  1 day ago   165 comments top 18
1
rdtsc 1 day ago 8 replies      
I'd like to hear how this was discovered and whose name ended up on git blame line next to that password.

I have done a malicious source code injection as part of a network security exercise at the university. That was before git or other sane source control and I basically inserted a semi-obfuscated piece of code in the source repository, which gave our team an advantage in the game (the game was to crack and find a weakness in a protocol, but the whole machine was a target/battlefield). The clever part was first rooting the server via suid vulnerability.

I won the contest, but while doing it I thought, yeah, this shit will never work in the real world. And then this story made me remember that. That's pretty crazy.

2
_jomo 1 day ago 4 replies      
> The argument to the strcmp call is <<< %s(un='%s') = %u, which is the backdoor password, and was presumably chosen so that it would be mistaken for one of the many other debug format strings in the code.

That's very clever from the attacker's point of view, extra kudos to hdmoore for finding it!

3
tw04 1 day ago 2 replies      
Can I just point out I find it hilarious reading about all the people debating how amateur it was to put the password into the code in plaintext... all while ignoring the fact that this backdoor survived for 3 YEARS of code reviews? Obviously the way it was implemented was ingenious, and it likely far surpassed whoever put it there's wildest expectations.
4
Deregibus 22 hours ago 3 replies      
It'll be interesting to see a more in-depth look at the code surrounding this and some theories on how it could have been implemented in a way that avoided obvious detection. The naive assumption is that someone just added to the code:

 if(!strcmp(password, "<<< %s(un='%s') = %u")) return true;

which is certainly possible, but seems too easily detectable and risky for someone on the inside, and too lazy for someone on the outside that had already gone through the trouble to get write access to the source.

The string itself looks like it's part of some logging system, so my guess is that it already existed and was opportunistically chosen rather than created. If this was passed through a macro, then it's possible that the attacker didn't have to touch the auth code at all and may have been able to implement this by changing only a handful of characters in an area of code that was more amenable to obfuscation.
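
The camouflage discussed in the comments above (a comparison against something that reads like a debug format string, possibly reached through a macro) can be turned into a source-review check. This is an added example, not code from any commenter or from Juniper; the scanner, the sample C function and the names `auth_check`, `TRACE_FMT`, `trace`, `verify_hash` and `lookup` are constructed for illustration.

```python
import re
from typing import NamedTuple

STRING = r'"(?:[^"\\\n]|\\.)*"'          # C string literal
CHAR = r"'(?:[^'\\\n]|\\.)*'"            # C character literal
TOKEN = re.compile(rf"{STRING}|{CHAR}|//[^\n]*|/\*.*?\*/", re.S)
STRING_ONLY = re.compile(rf"(?:{STRING}\s*)+")   # one or more adjacent literals
DEFINE = re.compile(rf"^[ \t]*#[ \t]*define[ \t]+(\w+)[ \t]+({STRING})[ \t]*$", re.M)
CALL = re.compile(r"\b(strcmp|strncmp|strcasecmp|strncasecmp|memcmp)\s*\(")
# printf-style conversion such as %s, %u, %08x, %ld
FORMAT_SPEC = re.compile(r"%[-+#0]*\d*(?:\.\d+)?(?:hh|h|ll|l|z|j|t)?[diouxXscpfeEgG]")


class Finding(NamedTuple):
    line: int
    func: str
    literal: str
    looks_like_format: bool


def mask(src: str, keep_literals: bool) -> str:
    """Blank comments (and optionally literal contents) without moving any offset."""
    def repl(m: re.Match) -> str:
        tok = m.group()
        if tok[0] in "\"'":
            if keep_literals:
                return tok
            return tok[0] + re.sub(r"[^\n]", "_", tok[1:-1]) + tok[-1]
        return re.sub(r"[^\n]", " ", tok)
    return TOKEN.sub(repl, src)


def arg_spans(shape: str, open_paren: int) -> list[tuple[int, int]]:
    """Offsets of each top-level argument of the call whose '(' is at open_paren."""
    spans, depth, start = [], 0, open_paren + 1
    for i in range(open_paren, len(shape)):
        c = shape[i]
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return spans + [(start, i)]
        elif c == "," and depth == 1:
            spans.append((start, i))
            start = i + 1
    return spans  # unbalanced parentheses: keep what was split so far


def scan(source: str) -> list[Finding]:
    """Report comparison calls where an argument is a string literal or string macro."""
    code = mask(source, keep_literals=True)    # comments gone, literals intact
    shape = mask(source, keep_literals=False)  # literal contents hidden, so ( ) , are structural
    macros = dict(DEFINE.findall(code))        # object-like macros that are one string
    findings = []
    for m in CALL.finditer(shape):
        line = code.count("\n", 0, m.start()) + 1
        for start, end in arg_spans(shape, m.end() - 1):
            arg = code[start:end].strip()
            arg = macros.get(arg, arg)
            if STRING_ONLY.fullmatch(arg):
                findings.append(
                    Finding(line, m.group(1), arg, bool(FORMAT_SPEC.search(arg))))
    return findings


# Constructed C input: the naive one-liner quoted in the thread, a macro variant,
# and look-alikes that must not be reported.
SAMPLE = """\
/* constructed sample for this example, not ScreenOS source */
#define TRACE_FMT "<<< %s(un='%s') = %u"
int auth_check(const char *user, const char *password)
{
    /* strcmp(password, "in a comment") must not be reported */
    trace(TRACE_FMT, __func__, user, 0u);
    if (!strcmp(password, "<<< %s(un='%s') = %u"))
        return 1;
    if (strcmp(password, TRACE_FMT) == 0)
        return 1;
    if (strncmp(user, "admin", 5) == 0 && verify_hash(user, password))
        return 1;
    return strcmp(user, lookup(user, ","));
}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        tag = "FORMAT-LIKE LITERAL" if f.looks_like_format else "literal"
        print(f"line {f.line}: {f.func} compared against {tag} {f.literal}")
```

A literal that carries printf conversions but is passed to a comparison instead of a formatting call is the anomaly worth a reviewer's attention. Function-like macros and strings assembled at run time are outside what this source-level pass can see.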

5
ra1n85 1 day ago 1 reply      
Brutal. From conversations with other engineers, this is a very common network operating system with banks in Europe.

Would not be surprised if urgent code reviews and security audits are taking place at the campuses of other large network software/hardware vendors.

6
zouhair 1 day ago 4 replies      
How can we know that it is the only backdoor? Wouldn't it be safer to just stop using Juniper's products altogether?
7
jdiez17 1 day ago 3 replies      
It was a matter of time before it leaked. If you're going to put a back door in, at least make sure only you can use it (Nobody But Us). Why didn't they use a keypair?
8
kabdib 1 day ago 1 reply      
This smells like:

- Underhanded C . . . maybe. Seems difficult to just insert a strcmp in the middle of a sensitive piece of the login path

- A compromised toolchain that is inserting the code

Would love to hear what Juniper has to say about it, but I doubt that they will, or will be allowed to say.

9
wepple 18 hours ago 0 replies      
This may be a good time to bring up the various big corps who are trying to prevent reverse engineering... while even they can't keep tabs on knowing what is actually being executed on the hardware we pay them for.
10
gbin 1 day ago 0 replies      
Anybody tried to see in their logs if someone used it?
11
sandworm101 1 day ago 1 reply      
So ... if this is a backdoor for some three-lettered agency, what are the chances that this backdoor, even this same password, is present in other products?
12
rmdoss 17 hours ago 0 replies      
If you follow good security practices and restricted your SSH access, you were safe against it:

https://twitter.com/danielcid/status/678907293770059776

If you are managing any login system, try to implement IP whitelisting whenever possible.

13
isido 21 hours ago 0 replies      
Now that the cat's out of the bag, could the esteemed hacker(s) just post the source code, so that we can see how it was implemented :) (j/k)
14
mmaunder 19 hours ago 1 reply      
Anyone running ScreenOS was already scrambling as fast as they could to patch the issue before the backdoor password was posted. Just thought I'd point that out.
15
revelation 1 day ago 2 replies      
So, did they have time for a git blame yet? It's one thing to say you have found a backdoor, another is to clear up how it got there in the first place.
16
nodesocket 1 day ago 1 reply      
Forgive me if I am wrong, but these devices phone home right? Can't they just hot fix this over the air?
17
rasz_pl 23 hours ago 1 reply      
> We were unable to identify this backdoor in versions 6.2.0r15, 6.2.0r16, 6.2.0r18 and it is probably safe to say that the entire 6.2.0 series was not affected

this sounds fishy, like Juniper trying to push users to upgrade from _non affected_ builds to a new firmware with a fresh set of NSA backdoors.

18
_jomo 1 day ago 0 replies      
You can telnet or ssh to a Netscreen device, specify a valid username, and the backdoor password <<< %s(un='%s') = %u. If the device is vulnerable, you should receive an interactive shell with the highest privileges.
Angular 2 Beta released angularjs.blogspot.com
417 points by javajoshw  6 days ago   262 comments top 36
1
DigitalSea 6 days ago 6 replies      
Congratulations to the Angular 2 team on shipping before Christmas. The estimate was originally somewhere around early 2016, so this is a huge deal for them to get this out before the year was up. Unfortunately, Angular 2 launched into beta too late. In the amount of time that Angular 2 has taken to get to beta, ReactJS has slaughtered the front-end market share (in a good way) and completely taken developers by storm with its simplistic component based approach.

Unlike React, Google does not really treat Angular as a first-class citizen because they have such split focus and conflicting React like library for web components called Polymer. They provide some resources, but nowhere near the amount of resources that Facebook throws behind React and React Native.

Now let's talk about the fact that the Angular 2 project got off to a shaky start and I know they actually rewrote various parts from scratch more than once (hence why it took so long to reach beta, approximately 2 years). That horrible templating syntax needs to be mentioned, the decision to use square and rounded brackets for binding events/data and using things like asterisks in my opinion makes Angular 2 fall into the same trap that Angular 1 did in regards to developer accessibility.

I am really loving TypeScript these days and I think the decision to support it as a first-class citizen out-of-the-box was a good one (the partnership with Microsoft definitely paid off). But with that said, I think Rob Eisenberg (of Durandal fame) beat the Angular 2 team to the punch in the small space of a year in releasing his framework Aurelia (http://aurelia.io). It is what Angular 2 should have been in my opinion. Nice syntax, convention over configuration and a breeze to use.

2
segphault 6 days ago 0 replies      
Angular 2 addresses a lot of the serious shortcomings in Angular 1.x. The Angular 2 approach to components and encapsulation feels cleaner and less complicated than the previous mess of services, factories, and directives.

Though initially skeptical of Typescript, I've found that Angular 2 really benefits from the advantages of having a coherent object model and optional type safety. Typescript never gets in the way, you can selectively use type declarations only where you want to use them. It's often helpful to leave them out while prototyping and then add them later when you want more robustness and easier debugging while you are working on writing the glue code and application logic that connects your various components.

As other posters have noted, you're still saddled with a lot of the artificial complexity and odd terminology that is pervasive in Angular 1.x. There are also bits and pieces of the library ecosystem, particularly the routing engine, that are over-engineered and painful to work with in practice. But, in general, I find version 2 much more intuitive and easier to reason about than version 1.x. Key features like data binding are much saner and behave more predictably.

I've never particularly liked Angular or React (my personal preference right now is for Vue or Polymer), but I think Angular 2 is a solid improvement over its predecessor. More significantly, I think the improvement is substantial enough to justify the team's decision to do a clean break.

3
sjclemmy 6 days ago 2 replies      
I've just started working on an app using Angular 2 and Ionic 2:

1. TypeScript - It's really nice to be able to use a typed version of JS, although it does feel like I'm writing C# sometimes! It supports lambda syntax / ES6 which is great.

2. Annotations seem a bit clunky, not really sure what the point of them is.

3. Absolutely love the functional reactive / RxJS stuff they've incorporated - it's going to make it VERY easy to write really powerful apps.

4. It's a million times easier to develop with than angular 1. $scope.apply anyone?

4
yonibot 6 days ago 7 replies      
When people point out that Google is behind Angular, they fail to mention that the level of investment is nowhere near that of Facebook in React.

I've been loving using React. Building in components is fantastic, and it just feels like writing Javascript. That's a win in my books.

5
morley 6 days ago 6 replies      
I'm curious what Angular 2 is like for developers who normally write React? I hear 2 is a lot better than 1, but I'm still turned off by the amount of Angular-specific terminology, whereas most of React terminology is not necessarily React-specific.
6
paublyrne 6 days ago 4 replies      
I am in Germany and this link forces a redirect to angularjs.blogspot.de because of my location (which is a version of the blog in German, which I don't read).

No simple way around this, and no link I can see to go to .com instead. That's quite frustrating.

7
interdrift 6 days ago 2 replies      
I'm a C# developer. I have been patiently waiting for angular 2.0 with the hopes of switching my stack to TS.Node + Angular and I'm really excited about trying this!
8
estsauver 6 days ago 4 replies      
I had a really painful time trying to contribute to the angular 2 project. I get the impression that the developers actively working on this are working with discussion mostly internal to Google.

It's a shame, because it does seem like both a very powerful and nice approach to building SPAs that I would love to contribute to.

9
cdnsteve 6 days ago 9 replies      
How many Angular folks are sticking with native ES6 and babel vs TypeScript? Angular is clearly directing folks to TypeScript. I don't want to have to use TypeScript on front-end and ES6 + Babel in Node. Trying to pick one.
10
javajoshw 6 days ago 0 replies      
Video of the team announcing the Beta release. https://www.youtube.com/watch?v=WitNPCLSZr0
11
haxa 6 days ago 2 replies      
Anyone has the experience working with NativeScript and Angular 2? How's it compared with React Native? And is there any chance this will evolve to a viable alternative to developing native apps using web technology?
12
_alexander_ 6 days ago 1 reply      
Looks promising... But personally I dislike TS, and I know that it is not required for Angular 2... Now I prefer ES6 + babel, maybe in future I'll change my attitude to TS.
13
dtm5011 6 days ago 1 reply      
The incremental upgrade path is disappointing.

Step 1: Include the Angular 2 and ng-upgrade libraries with your existing application

Is anyone with a serious application actually considering this? It would have been nice to include only the pieces of Angular 2 that you actually use. Instead, we have to ship both libraries, our application code and an additional plugin down the wire? I don't see this upgrade path as a legitimate option for anyone who cares about page load times.

14
thoughtpalette 6 days ago 0 replies      
Excited to finally start playing around with this.
15
doczoidberg 6 days ago 0 replies      
I recommend Angular CLI for new users: https://github.com/angular/angular-cli

It is based on ember CLI and helps a lot scaffolding new projects.

16
KuhlMensch 5 days ago 0 replies      
I've played around with Angular 2 quite a bit the last few weeks. These are my (early) views for anyone interested:

* Templating syntax is intuitive after an hour or two

* Decorators are great! (sidenote: Warning Babel6 decided to remove them until the spec settles down)

* Typescript I'm undecided about. It's a bit of a pain to work with and tooling is still early days e.g. if you want to import a single js file/lib, you create a Type definition file (.tds) just for that. And if you don't want to document every interface in that .tds, then you can give it an "Ambient" aka "whatevs" definition. But in that case it will not retain its semantics.

* The new component router wasn't ready for prime time 2 weeks ago. I doubt that has changed. And frankly, I feel a bit uncomfortable with how magical it is. That could change though, I know a lot of effort is going into it.

* One of the best things is losing many of the hacky artifacts of Angular1 (pseudo-modules system, 9 types of component, config phases etc etc)

* IMHO the lack of opinion built into the framework will still cause a lot of foot-shooting around the globe, especially compared to Ember or Aurelia.

That said, if I was going to start a large enterprise project right now, I'd SERIOUSLY consider the core being written in Angular 2 + Redux. I'd have to revisit Ember before I had that decision though, it's been over two years ...

17
polysaturate 6 days ago 2 replies      
The only thing I haven't really seen on their 'Quick Start' and 'Guides' site is any examples that show retrieving data from an API. Are those out there and I didn't see them?
18
blisterpeanuts 6 days ago 0 replies      
This looks pretty cool. I've just been learning about Angular 1, so I guess the thing to do is start using Angular 2 as soon as it's available and not bother with the ngForward tool?

I'm looking for tools that will help me create web apps with rich client experiences. I've read the critiques of AngularJS here and it sounds like it does have some limitations, but still a very good framework for corporate web apps with moderate user base and small # of browsers.

19
nikon 6 days ago 1 reply      
Anyone have an upgrade plan for 1.x?

I work on a rather large Angular 1.4 codebase daily and while this is good news, I'm not sure how we'd ever upgrade to be honest.

20
Omnipresent 6 days ago 2 replies      
Resources for learning Angular2?
21
knes 6 days ago 0 replies      
We had a look at Angular 2 at Pusher since a lot of our customers are using Angular to build app. If you want to check out a quick tutorial and see some actual working angular 2 code in action , you can go to https://blog.pusher.com/real-time-apps-angular-2/
22
_alexander_ 6 days ago 3 replies      
Angular size really impressive:

angular2.min.js - 568K

Version 1.4.*

angular.min.js - 148K

File size really increased (Angular1 * 4 == Angular2), if compared with first version. Something went wrong.

23
danpeddle 6 days ago 1 reply      
Server side rendering is mentioned in the post - for me, angular 1.x was a dead end because it did not run on the server (disregarding the confusion around services, factories etc, and all the horror in templating logic, debugging it etc) - can anyone give some insights into what this is like?

I've previously written & been part of teams for a few non-trivial 'full stack' js apps that run both on the client and server, and react's abstraction from the DOM is perfect for such things. Wondering what the 2.x approach is here.

As an aside, seems to me that the days of running JS purely in the client are coming to an end, for projects when developers can have a free hand on the tech stack.

24
SureshG 6 days ago 0 replies      
For those of you who are using Dart, https://github.com/ng2-dart-samples has many Angular 2 demos and samples and it's pretty nice ;-)
25
chvid 6 days ago 1 reply      
Angular2 wants dependency injection and for that to work well it needs named interfaces and thus ends up with TypeScript as its first citizen language.

This is fair choice but it shows the background of the designers of Angular and that they in some sense really don't grok JavaScript.

Here is a blog from mr. Ruby-on-Rails explaining why DI is a stranger in the Ruby world:

http://david.heinemeierhansson.com/2012/dependency-injection...

With some parallels I think.

26
snickmy 6 days ago 1 reply      
Angular 2 is late to the party. The user base of Angular 1.x has already moved on.

I wish the success of a web framework was a bit more about the technology nature of it rather than the market adoption and hype.

27
moogly 6 days ago 1 reply      
Trying to find info on their packaging story. Last I heard the official tooling seemed to be moving off systemjs+jspm in favour of WebPack, but I don't see any clear info on this; does anyone know?

We've started experimenting with systemjs and really like it (though support is a bit limited right now, plus it not really liking PhantomJS/karma), and we want to modernize our Angular 1.x app packaging/loading/bundling, but don't really want to do needless work if we have to move to another solution for Angular 2.x.

28
rsuelzer 5 days ago 0 replies      
I use both react and angular. At work we lean toward angular because of the overhead of having to train design teams with no real JavaScript backgrounds how to work with jsx.

That being said, I use both react and angular. Angular is a full library that solves all of my problems, even if the solution isn't what I would consider ideal. React forces me to do a lot more work to get something running as it is not a framework. It is a tradeoff of time versus flexibility.

29
halayli 6 days ago 0 replies      
Any suggestions for a good material UI framework that works well with Angular 2? Unfortunately, angular's material framework only works on 1.x so far.
30
nezo 5 days ago 1 reply      
The whole angular.io documentation is telling me "well f*ck you vanilla JS user, go learn TypeScript and come back"
31
noahjcz 6 days ago 0 replies      
Maybe I'm reading wrong, but Rx.js seems to be 70k minified. Seems like a giant dependency for a mobile-focused framework...
32
Halienja 5 days ago 0 replies      
New Project - Angular2 OR React and why?
33
awqrre 6 days ago 0 replies      
I probably will get down-voted seeing all pro-Google comments but what I don't like about frameworks like Angular is that it obfuscates HTML...
34
rw2 6 days ago 10 replies      
Uh did Angular not get the memo that people hate the new syntax and typescript?

This is how you turn the most popular javascript MVC framework to nothing.

35
tvararu 6 days ago 0 replies      
> While you can upgrade apps in a "big bang" approach where you halt production until everything is rewritten

That is some very unsound advice. I find it worthy of ridicule that it's being suggested as a possibility.

The upgrade path was very necessary to address the huge amount of breaking changes.

36
revelation 6 days ago 4 replies      
That's Google for you, having to present your exciting MVW toolkit on the crash accident of a website that is Blogspot.

Right now, there is a massive cookie consent form blocking my view of the actual article.

Secret Code Found in Juniper's Firewalls Shows Risk of Government Backdoors wired.com
332 points by r721  2 days ago   117 comments top 16
1
tptacek 2 days ago 4 replies      
Just a quick note that 'lawnchair_larry has me dead to rights on this one.

I conceded awhile ago that Dual EC was a crypto backdoor (before BULLRUN and the antics that were uncovered with RSA and with the European standards, I had suggested, as some other crypto people had, that Dual EC was too hamfisted and obvious to be a crypto backdoor).

But I've maintained since then that virtually nobody uses Dual EC, so its impact --- while clearly malign! --- is probably limited.

Nope. ScreenOS apparently (I'm not 100% sure, but that seems to be the way the wind is blowing) uses it to key VPN connections!

FULLY CONCEDED. The immediate known practical impact of Dual EC is, if that's true, enormous.

The weird thing about this particular backdoor is that the adversary seems to have modified the Dual EC parameters. Dual EC is an RNG with an embedded public key, where an adversary with the private key can "decrypt" the random bytes it generates to recover its state and rewind/fast forward it. This backdoor appears to swap out the public key, which is something NSA has no interest in doing.

My money is that this is the work of GCHQ, the world's most unhinged signals intelligence agency, and our partners in peace.

2
blisterpeanuts 2 days ago 3 replies      
"I am shocked -- shocked -- to find that gambling is going on in here!"

--from "Casablanca"

I'd be shocked to learn that there are no back doors in routing equipment. Having that kind of control is just too appealing to the most powerful players -- the NSA, China, perhaps Russia.

One hopes that people who care about the privacy of their communications are not relying on the routers for encryption. I would encrypt end-to-end. Even if the spooks are capturing the data, let them work for their cleartext.

Of course, we have to use algorithms that aren't compromised, either.

Annoying and disturbing. And they can't claim it's needed to stop terrorism, either. The U.S. anti-terrorism apparatus didn't spot an obviously dangerous couple in San Bernardino, even after one of them posted jihadist goals on her stream. They didn't stop the Tsarnaev brothers from bombing the Boston Marathon even after the Russians phoned to warn us about them. Idiots.

3
peterkelly 2 days ago 1 reply      
I like CNN's take on the story:

http://edition.cnn.com/2015/12/18/politics/juniper-networks-...

Obviously it must be either Russia or China - NSA couldn't possibly be responsible ;)

4
kabdib 2 days ago 3 replies      
I'll bet you ten dollars there are more backdoors, better hidden than the ones they found. Say, with Underhanded C style coding. An additional ten bucks says that Cisco and the top handful of consumer appliances also contain such backdoors.

I hope the folks at Juniper are checking their toolchains, build machines and repositories for signs of similar attack. Of course, enough time has elapsed that they may need to establish a cleanroom for their code. Hoo boy.

5
hyperdunc 2 days ago 3 replies      
The honeymoon is over. The Internet is now a hostile environment. We cannot assume good conduct from any party of reasonable size and should assume deception from anything that isn't fully open source and vocal about it. It sucks to assume the worst...
6
acd 2 days ago 4 replies      
This also highlights why it would be better to use opensource firewalls such as OpenBSD instead of proprietary ones!

If you care about your security then you need to be able to inspect the code that protects your assets.

Distributed open source firewall vs proprietary firewall with backdoors.

7
stickfigure 2 days ago 5 replies      
I'm confused. Are these accidental vulnerabilities or deliberate backdoors? If deliberate, why is there speculation about who might have installed this "secret code"? Do they have version control? Is there a specific human attached to the relevant commits? Serious question.
8
huuu 2 days ago 3 replies      
It's sad but events like this one make me turn away from Internet.

I started using Signal because I don't want people seeing the messages I post. But in the end it's only trust that makes me think Signal is safe to use.

A lot of people also trusted Juniper. But that trust is gone. And not only for Juniper. What about other brands? We don't know.

9
Buge 2 days ago 2 replies      
Wow that nation state is stupid.

They embedded the backdoor password right into it. Clearly they should have embedded the hash of the password instead. Then it would be unbreakable and no other party would be able to use the backdoor.

Hashing passwords is extremely basic security practice.

10
blazespin 2 days ago 0 replies      
The big story here is not that Juniper is weak but rather that these types of attacks are succeeding. If Juniper has fallen, god knows what else is vulnerable.
11
hdmoore 2 days ago 0 replies      
If anyone is interested, you can find the unpacked firmware and some rough diffs online at https://github.com/hdm/juniper-cve-2015-7755/
12
acd 2 days ago 0 replies      
Some corporations will not know about the issue or ignore it and thus will get hacked by the backdoor. Now this backdoor does not only benefit those who implanted it, it will benefit the opposing side who can hack using it.
13
gtirloni 2 days ago 0 replies      
I think this is a good example for people that complained about OpenBSD refusing to use cloud servers for their infrastructure. Point being security at this level shouldn't be taken lightly. Juniper must have a ton of security measures in place and they end up with this.
14
mtgx 2 days ago 1 reply      
Juniper is using Dual EC....are you kidding me? Now I have zero doubt this is Juniper's fault because of its cooperation with NSA to keep backdoors in its systems.

If I remember correctly even tptacek was claiming initially that "Dual EC is not so bad...not that many companies use it anyway, because they would be stupid to use a 1000x slower algorithm". Yeah, except some of the biggest networking equipment makers in the world who do use it, and who sell products to many other small and large companies, too. Quite a bit of an attack surface for the NSA.

The point was always that Dual_EC should've never become a NIST standard, no matter how "bad it was and that probably nobody would use it anyway". It was made a standard for a reason by the NSA, to convince at least some of the big companies to use it. And they succeeded in that.

We can only hope that the good people who work in standard bodies will never allow something like that to happen again, because in the end backdoors always end up being used for "evil", whether by the initial creators or by someone else who finds them later.

15
y04nn 2 days ago 2 replies      
Can't governments check the source code? Like for Windows?
16
danso 2 days ago 2 replies      
I'm looking at Juniper's news page [1] and its Twitter feed [2]...it doesn't give me a lot of confidence that this security breach or even its (apparently inadequate) patch doesn't even get a news item or a Tweet.

[1] http://newsroom.juniper.net/

[2] https://twitter.com/JuniperNetworks/with_replies

Flint, MI: So much lead in children's blood, state of emergency declared washingtonpost.com
403 points by uptown  6 days ago   320 comments top 21
1
rickdale 6 days ago 9 replies      
I'm glad to see this on HN. Flint is often a forgotten-about place in the world. I grew up there and now live outside of Flint. My dad was murdered there.

But I always think Flint is prime for opportunity. The people need basic essentials, water, food, shelter. But the infrastructure to build factories is there. Power, train lines, the whole deal. It's really a shame. The sad part is, the people are still hell bent on supporting the companies that destroyed the town. Michigan in general is like this, it's why they don't allow Tesla vehicle sales.

Growing up my family owned a junkyard and the Flint river ran behind it. It was disgusting. Some of the guys would wade through it on their way to and from work. It was a shortcut, but you had to be a true animal to go that route.

2
russdill 6 days ago 3 replies      
The one thing I don't see is the lead levels of the water supply. Doesn't the EPA have limits on that and isn't it an easy thing to test?

It is true that different water supplies will have different levels of contaminants (lead, arsenic, etc) but can all be within EPA limits. Switching to a water supply with a higher level of contamination will increase exposure. The medical study seems to look at the percentage of children below 5 µg/dL before and after the switch. It goes from 2% to 4%. So with the old water supply, a certain percentage of children were already being exposed to elevated levels of lead. Switching to a water source with higher lead levels will push more children who are being exposed to lead through other sources to above the 5 µg/dL mark. However, this would seem to indicate that the primary source of lead for these children above 5 µg/dL is something other than the water.

3
yummyfajitas 6 days ago 7 replies      
So Flint has failed to govern itself - hardly the first time - and now children are poisoned. The city apparently now expects the rest of the country to pick up the tab for the cleanup of their mess.

At some point it should become necessary to recognize and acknowledge that self-government has failed and must end. I'd suggest some form of a city death penalty - declare the city dead and give the locals a one-time offer of relocation assistance to an approved list of better places. The city government, and anyone who remains, are officially on their own.

We've known Flint (and many similar cities) are doomed for decades. Why do we keep them alive as zombies rather than just help the humans and let the municipalities die?

4
a3n 6 days ago 4 replies      
> Through continued demonstrations by Flint residents and mounting scientific evidence of the water's toxins, city and state officials offered various solutions from asking residents to boil their water to providing them with water filters in an attempt to work around the need to reconnect to the Detroit system.

Can you boil lead out of water, or does it just become more concentrated?

5
nashashmi 6 days ago 4 replies      
I just took a look at the Map of Michigan. I realized after zooming into Flint to try to understand where the water was coming from that Michigan has many, many bodies of water scattered all around the place. Plus they are right next to the world's biggest lakes.

And yet they never took care of their water supply? The one state with so much fresh water has little regulation on keeping water protected.

I keep wondering why it's been prophesied that the world in the end will wage war over water, not oil. And now I am beginning to understand.

6
ionforce 6 days ago 4 replies      
What institutional failure led to this? It seems like this has been a long time coming. Why has the leadership of the area allowed this to happen?
7
golergka 6 days ago 1 reply      
The fact that this kind of issue will generate publicity after just a year, and that citizens will actually care enough to fight for their rights, and that mayor will feel fallout because of that it makes me feel so jealous of US.

Americans that cry about how the system "doesn't work" really don't have a clue about how this would turn out in other countries.

8
artlogic 6 days ago 0 replies      
If you are interested in a detailed breakdown of everything that's been happening over the past year or so, I would suggest reading Michigan Radio's excellent coverage: http://michiganradio.org/term/flint-water

Full disclosure: my wife works as a reporter at Michigan Radio, but generally doesn't cover Flint.

9
jhallenworld 6 days ago 0 replies      
I've been trying to understand what the heck happened, since pH management has been standard part of water treatment forever. I mean did they not bother to consult with any water supply engineers first?

It all looks like a game between Emergency Managers appointed by the governor to see who can save the most money fastest.

http://www.freep.com/story/news/politics/2015/10/24/emergenc...

10
jostmey 6 days ago 2 replies      
Someday Silicon Valley may be left in the same disarray and disrepair. Jobs can be outsourced and bright people lured away to work on new things.
11
cakes 6 days ago 0 replies      
This story has been building up and up for a while now, Michigan Radio has several stories/reports/etc.

http://michiganradio.org/term/flint-water#stream/0

12
usefulcat 6 days ago 1 reply      
Was looking at a map of Flint and noticed that the City of Flint Water Plant is right next to three metal scrap yards.

https://www.google.com/maps/place/43%C2%B003'25.2%22N+83%C2%...

13
elorant 6 days ago 6 replies      
The article failed to explain how the river got so toxic in the first place.
14
cowardlydragon 6 days ago 0 replies      
So... Flint is the new libertarian dreamland where no regulation exists?
15
rayiner 6 days ago 5 replies      
What led to this particular situation was apparently rate hikes in the Detroit water system, which caused Flint to switch to using the Flint river as their water source last year. Beyond that, water systems all over the country are in bad shape. Because water rates are subject to public control, they are far too low and there is a huge under-investment in water systems: http://www.infrastructurereportcard.org/a/#p/drinking-water/...
16
whitehat2k9 6 days ago 0 replies      
Hmm, so in addition to their existing problems with acute lead poisoning, they now have to deal with chronic lead poisoning.
17
purephase 6 days ago 1 reply      
Does anyone know the extent that the surrounding townships would be impacted by this? My parents live just outside of Flint, but the article only mentions that Flint is impacted.
18
JuanaMango 6 days ago 0 replies      
If what they say about lead levels decreasing IQ is true not there is not much left for Flint to do.
19
paulajohnson 6 days ago 1 reply      
So in ten years time someone is going to kill someone and blame it on the lead he was poisoned with when he was a kid. What would the just result be in such a case?
20
EliRivers 6 days ago 3 replies      
I particularly like the comments to that article stating that only "liberals" believe the water supply is heaving with lead. The ridiculous political bun-fight infects everything, it seems. It's a mental disease.
21
twoquestions 6 days ago 1 reply      
Why should the Michigan state government care about this? Flint is a bunch of liberals, and the State government is Republican.

The Snyder administration will certainly pay a heavy price for "giving free handouts" to the Democrats in Flint, all to remedy a problem that many Republicans don't believe exists.

EDIT: wording

Juniper: Recording Some Twitter Conversations imperialviolet.org
330 points by tptacek  2 days ago   38 comments top 7
1
tptacek 2 days ago 7 replies      
Stop and consider for a second how crazy this page is:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB28...

Dual_EC is a PKRNG. PKRNGs are a kind of crypto random number generator (CSPRNG). All the crypto keys in modern cryptosystems come from CSPRNGs.

PKRNGs are special because they embed a public key in the generator. Anyone who holds the corresponding private key can "decrypt" the output of the RNG and recover the generator's "state"; once they have that, they can fast-forward and rewind through it to find all the other numbers (read: crypto keys) it can generate.

Juniper is here saying that they recognize the problem of Dual_EC --- it's a PKRNG, and the USG may hold its private key.

So instead, they generated their own private keys and embedded them in the CSPRNGs of the VPNs they sold to customers.

WAT?

But see also this thread:

https://news.ycombinator.com/item?id=10764359
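
The escrow property described in the comment above, as an added example (not part of the original thread and not Juniper's or NIST's code): a toy Dual_EC-style generator in which the party that knows `e` with P = e*Q rebuilds the internal state from two outputs. The 61-bit curve, the scalar `E_SECRET`, the 8-bit truncation and all function names are assumptions constructed for the illustration.

```python
# Toy Dual_EC-style generator. All parameters are constructed for this
# illustration; this is NOT a NIST curve and NOT any vendor's implementation.
P_MOD = 2**61 - 1            # Mersenne prime; p % 4 == 3, so sqrt is a single pow()
A, B = -3, 7                 # curve y^2 = x^3 + A*x + B over GF(P_MOD)
TRUNC_BITS = 8               # bits dropped from each output (the real design drops 16)
OUT_BITS = 61 - TRUNC_BITS
MASK = (1 << OUT_BITS) - 1

def lift_x(x):
    """Return a curve point with this x-coordinate, or None if none exists."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None

def add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def first_point(start):
    """First curve point whose x-coordinate is >= start."""
    x = start
    while lift_x(x) is None:
        x += 1
    return lift_x(x)

Q = first_point(2)
E_SECRET = 0x1D2C3B4A5F      # constructed escrow scalar, known only to whoever chose the points
P = mul(E_SECRET, Q)         # the published pair (P, Q) looks like two unrelated points

class ToyDualEC:
    def __init__(self, seed, p_point, q_point):
        self.s, self.P, self.Q = seed, p_point, q_point

    def next_output(self):
        self.s = mul(self.s, self.P)[0]            # s_i = x(s_{i-1} * P)
        return mul(self.s, self.Q)[0] & MASK       # r_i = low bits of x(s_i * Q)

def recover_next_state(out1, out2, escrow, q_point):
    """Escrow holder's view: rebuild the generator state from two consecutive outputs.

    Guess the truncated bits of out1, lift each guess to a point R = +/- s_i*Q,
    and multiply by the escrow scalar: escrow*R = +/- s_i*P, whose x-coordinate is
    the next state. out2 confirms the right guess. Returns None without a match.
    """
    for hi in range(1 << TRUNC_BITS):
        x = (hi << OUT_BITS) | out1
        R = lift_x(x) if x < P_MOD else None
        if R is None:
            continue
        S = mul(escrow, R)
        if S is None:
            continue
        T = mul(S[0], q_point)
        if T is not None and (T[0] & MASK) == out2:
            return S[0]
    return None

def demo():
    """Return (predicted, actual) future outputs after observing two outputs."""
    victim = ToyDualEC(0x123456789ABCDEF, P, Q)    # constructed seed
    seen = [victim.next_output(), victim.next_output()]
    state = recover_next_state(seen[0], seen[1], E_SECRET, Q)
    clone = ToyDualEC(state, P, Q)
    predicted = [clone.next_output() for _ in range(4)]
    actual = [victim.next_output() for _ in range(4)]
    return predicted, actual

if __name__ == "__main__":
    predicted, actual = demo()
    print("prediction matches:", predicted == actual)
```

Swapping in a different Q does not remove the escrow; it only changes who holds it, which is why the provenance of the point matters when auditing such a generator.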

2
unchocked 2 days ago 2 replies      
Is this going to become the primary case study on why back doors are a bad idea?

If so, it's important to get a quality layman's explanation out fast, and this is the framework of a great one.

3
mooneater 2 days ago 3 replies      
I would love to know what the commits in the source code look like for these. Author, message, date.

How did they bypass the review process? Was the process socially engineered, or was the repo hacked directly?

What will the new process be to ensure this doesn't happen again?

This has implications for the process at most companies.

4
e12e 2 days ago 1 reply      
So, if we assume this is indeed a backdoored Dual_EC PKRNG - how are those typically initialized? Are we looking at something equivalent to the Debian ssh/ssl bug, where we have some millions of "known bad keys", or is it more likely each case is different (ie some knowledge of the state is needed for a useful attack)?

Does anyone have a pointer to a proof-of-concept "evil" (or "escrow-enabled") system based around such an RNG?

5
mythrowawayaway 1 day ago 0 replies      
If you recall, Juniper was a part of the China backed Aurora attacks (http://www.marketwatch.com/story/juniper-networks-investigat...), which was in 2010.

Once the backdoor administration password is posted publicly, we can try to use it against older versions of ScreenOS code to do a process of elimination to find out how long ago it was added.

6
lukeh 2 days ago 1 reply      
Not the most serious issue but, how come they're encoding these constants as ASCII strings?
7
cant_kant 2 days ago 0 replies      
No Such Agency...
Slack Platform Launch slackhq.com
365 points by thejosh  6 days ago   219 comments top 35
1
cromwellian 5 days ago 11 replies      
Facebook F8 all over again in the sense of startups throwing the success or failure of their company onto a proprietary centralized system that can block or cut them off for any reason.

Or rather, another incarnation of IRC chat bots, email listservs, and stuff that's been around forever as commodity autoresponders, only now it's worth millions in investments to write the equivalent of a weekend hack IRC bot because of artificial scarcity imposed by a non-open platform.

2
abrkn 6 days ago 4 replies      
Every program attempts to expand until it has an app store. Those programs which cannot so expand are replaced by ones which can.
3
chuhnk 6 days ago 10 replies      
I feel like the world has lost its mind slightly. When a 2 year old startup launches an $80m fund. I mean I understand they want to be a platform and can see the strength in funding projects that will empower a platform model but still. This is the point at which I think we're really in a boom heading in that bubble direction, and I was never one to fall in to the trap of calling it a bubble before. Love slack, love the platform play, but my God this is getting crazy.
4
thatindiandude 5 days ago 1 reply      
I don't think it's reasonable to say we're in a bubble because of a $80M fund around developing for a new platform. Few companies truly become platforms, and it's a misnomer to call it a bubble if this only happens to one company. It takes a lot of money or momentum to develop one. Facebook had by far the most compelling one in the last ten years, and the obvious incentive there was its >300M users at the time. The case is less compelling for a B2B platform like Slack, but it makes sense as many of these investors also invest in B2B startups that can gain huge visibility through the Slack platform.

By having six investors in the fund, each fund can mitigate risk of Slack's platform not getting traction while lowering the barrier for developers to enter. This slideshow by A16Z outlines why the venture capitalists (including some on the list of Slack fund contributors) are tightening their belts around investing and telling companies like Slack to generate reliable business models rather than IPO prematurely.

This premature IPO behavior was the reason for the last bubble, and I think this investment fund is proof that we are NOT in a bubble. The new strategy for these investment funds is to allow their startups to generate revenue on a much more stable basis without the need to go public (and get cash for equity) for this to happen. Most B2B companies would eventually benefit from a recurring-fees model built around the Slack platform, and this enables smaller, fledgling companies to scale much more quickly towards long-term cashflow positivity.

In all, the kings of tech companies are those that find some sort of platform or natural monopoly. Slack may be next in line to follow Airbnb, Uber, Twitter, Facebook, and Google respectively. Overall, by allowing a method to build these platforms while not going public, investors increase returns for their companies in the short AND LONG term while maintaining a course of innovation!

5
nubela 6 days ago 5 replies      
Please guys, no. Don't build your startup on top of another platform. Remember Facebook? Remember Twitter? That 80M is a farce by the VCs that actually re-contributes back into Slack, not so much for you.
6
adamseabrook 6 days ago 2 replies      
No need to build your entire startup on Slack but a solid integration can drive serious initial revenue for your startup especially if you do not get a lot of direct traffic. "One click install" is what helped Woocommerce and others get massive growth on the back of Wordpress through top exposure in the plugin directory.

Slack is still very much at the bottom of the growth curve. I have seen electrical contractors who need a way to chat with onsite workers at various projects switch from using WhatsApp/SMS to Slack. If one click job scheduling apps start appearing in the Slack App Store they will be quickly adopted by these businesses. I would be surprised if Slack or something like it has not completely wiped out internal email in 5 years.

7
martin-adams 5 days ago 0 replies      
So if I build something on top of this that actually turns out to be popular and turns a good profit, what is to protect me from Slack then building it in the core product that cutting me out or shutting me down?

Not much I guess. Twitpic anyone? [1].

1. https://blog.twitpic.com/2014/09/twitpic-is-shutting-down/

8
jaksmit 6 days ago 0 replies      
Kind of funny for people to say that a new startup launching a fund means there's a bubble. That's exactly what Twilio have been doing even since 2010: https://gigaom.com/2010/09/23/got-a-twilio-based-app-get-som...

http://techcrunch.com/2013/03/01/twilio-and-500-startups-lau...

http://recode.net/2015/05/20/twilio-launches-50-million-deve...

9
pkrumins 6 days ago 3 replies      
Does anyone know how you can apply for a Slack Fund grant?

I'd love to create a Browserling integration. Browserling (www.browserling.com) is a live interactive cross-browser testing service and this integration would let you embed a live browser directly in Slack.

Use case: Let's say a user reports a bug in IE10 on Windows 7 in your webapp. You just use `/browserling windows7 ie10 URL` command in Slack and that will embed a real interactive IE 10 on Win7 that runs your webapp at `URL` directly in Slack.

10
altonzheng 6 days ago 1 reply      
Slack is great and all, but I personally don't feel like it's revolutionary. It's just an iterative improvement over a chat client, nothing groundbreaking there.
11
fideloper 6 days ago 2 replies      
2 points:

1. Remember when Dropbox was dumb, because rsync? (Bunch of naysayers here citing free alternatives).

From what I'm seeing, bots and integrations are great and here to stay.

Businesses will gladly pay money in exchange for time and complexity not spent rolling your own.

2. This seems like a boon for us happy slack users!

12
raymondgh 5 days ago 0 replies      
That's 80M against the commoditization of hosted chat. Smart way to put up barriers to entry.
13
spdustin 5 days ago 0 replies      
Their dev blog post [0] mentions an AWS Lambda Blueprint to go along with a chatbot framework (BotKit) and an "Add to Slack" workflow. This (AWS Lambda) is a smart move; it reduces the friction of writing a quick integration with Slack considerably, making it almost a commodity-level feature. This bet on AWS Lambda will likely be a big deal for general AWS Lambda adoption, given how insanely popular Slack integrations are.

[0]: https://medium.com/slack-developer-blog/launch-platform-1147...

14
anonfunction 6 days ago 2 replies      
Really like the announcement of botkit[1], I was just looking at adding a vote bot to our slack and only found a really old example that ended up not working.

1. https://github.com/howdyai/botkit/

15
chopete 5 days ago 1 reply      
It is yammer all over again http://i.imgur.com/DKODqy3.png

I can't help but post this based on my experience pitching to vendors to join an app store.

Slack CEO: Yammer made $1.2B. We need to make $12B. For that I need to make a hit song with 10,000 background dancers with me on the stage.

Board: How much can you pay each dancer?.

CEO: $10/hr

Board: Ok. Announce an App Store.

You are already a hero and there are hundreds of them to jump on stage to dance with you in that 5 minute song.

CEO: Now you are talking!

16
brightball 5 days ago 1 reply      
I summarize Slack this way generally:

- If you've never used Hipchat, Slack is completely revolutionary.
- If you've used Hipchat, Slack is still cool...and then you see the price comparison and ponder...WHY?

17
asbromberg 5 days ago 0 replies      
Interesting, could this be the beginning of something like WeChat for businesses, where every business function you think of can just be completed on Slack? I doubt there's anything about the U.S. market that makes these non-open / corporation controlled platforms undesirable (as some other comments suggest); after all, Windows dominates the business landscape. It's just a question of whether Slack can go from convincing start ups x,y and z to use these apps, to convincing Fortune 500 companies to take the plunge.
18
kriro 5 days ago 0 replies      
I've never used slack and don't know what types of apps they want to integrate but it seems like a disruption of a nice chunk of a market that ERP vendors have ventured into (the job productivity/project management etc. branch). That sounds good because quite frankly often the stuff ERP vendors offer in that space is somewhat lackluster "well we have to be in this area" material.

I think the slack platform could eventually branch out into more traditional ERP areas (accounting, production etc.) and it could be an interesting potential shift from "everything from one hand" to "let's configure our ERP from different services"

Building a platform like this is nontrivial and there's tons of problems ahead but I like the general idea.

19
thallukrish 5 days ago 0 replies      
I feel an App ecosystem definitely helps to expand the functions. However I also feel it is opposite of a nimble app which does one thing clean. In general we have always had this conflict and it is difficult to choose to stay lean and simple especially when you decide to grow and scale to engulf everything. It's almost like 'Let me grab as much as I can before some one comes' sort of thinking. Only the market can prove if this is the right thinking in the long run. But when you see it in the short span, you do not have much choice.
20
ihuman 5 days ago 0 replies      
How does BotKit compare to slack-client[1]?

[1] https://github.com/slackhq/node-slack-client

21
hayksaakian 6 days ago 2 replies      
Can someone who uses slack comment on the value over skype for example?

It seems like text chat is hard to get wrong, and with so many options, I wonder why (real) people choose slack specifically.

22
bhuga 6 days ago 0 replies      
Does anyone know if this comes with an initiative to fill in the gaps in Slack's administrative API so addons can be created around that, too? I'm working with SlimerJS to audit message retention and a few other settings.

Slack has a great core experience and I understand why it's doing so well. But it's weird to see an $80m fund to invest particularly in Slack addons when a lot of existing features don't yet have API support.

23
mark_l_watson 6 days ago 1 reply      
I used Slack for a few months this year. A customer didn't use email, preferring Slack. Slack is an awesome platform, but I missed the asynchrony of email. When I code I like to have 30 to 40 minute uninterrupted work periods and I found an always on Slack took me out of the flow. Using Slack with specified "turn it off" quiet times would solve that issue however.
24
adoming3 6 days ago 1 reply      
The fund is a great play for Slack to become the next enterprise app store. A welcome alternate to the Salesforce AppExchange IMO.
25
dblock 5 days ago 0 replies      
Slack team did a great job with this.

Here's a fresh integration with Slack Button in Ruby, https://github.com/dblock/slack-bot-server serving a "Hello World" bot. Hope it helps someone.

26
mikemockup 5 days ago 0 replies      
Nice move by Slack and great opportunity for slackbot developers. We discover zero interfaces and just launched analytics bot http://www.brobot.io You can use it with Google Analytics, Mixpanel, New Relic.
27
nikon 5 days ago 1 reply      
Wonder if their stack is still PHP/MySQL etc?[0]

[0] https://twitter.com/SlackHQ/status/426469205005705217

28
jim-greer 5 days ago 0 replies      
In this thread: a lot of people who haven't used Slack attacking it...
29
djhn 5 days ago 0 replies      
Evernote had a developer conference. They wanted an ecosystem, and kind of had a platform. They bought successful apps.

Past tense! Much better/realistic parallel, than Facebook F8.

30
tangled_zans 5 days ago 1 reply      
I've never used Slack, but people keep saying that it's good because of the apps. What sort of apps are those?
31
JohnDoe365 5 days ago 0 replies      
I definitely witter a new IT bubble
32
viach 5 days ago 0 replies      
Looks like SHOW HN will be crowded more than often after this weekend.
33
BrainInAJar 5 days ago 1 reply      
Christ, they just don't get it... What we need isn't "apps for Slack" what we need is onprem Slack. Because sending confidential information to "the cloud" is all kinds of stupid and potentially violates a bunch of laws
34
ossreality 6 days ago 2 replies      
I'm sorry, I've scoffed at other valuations and investments, but I'm just completely beside myself. Why does a chat room need "apps"?

It's kind of weird actually. There's two sorts of people that defend these announcements, I've found:

The first thinks that they are going to build an "amazing" platform some day and that they'll follow this model for "growing revenue". So of course they defend it.

And then there's the second group that has some "great idea" who plans to build on Slack's platform. Personally, I look forward to 2 years of stories about how Slack was unfair to them, or changed the rules on them, or broke an API. Or didn't review fast enough, or any of the other complaints that pop up monthly about other closed platforms.

35
beyondcompute 5 days ago 2 replies      
Why not fix all the bugs that are there before launching new products/features?
A visualisation of all of the money in the world visualcapitalist.com
312 points by onion2k  3 days ago   115 comments top 18
1
retube 3 days ago 13 replies      
The derivatives piece is totally wrong of course. Gross Notional is a completely meaningless number - it does not represent what value is owed or how much risk there is.

E.g GS could have 1tr of gross notional of derivatives with JP but with zero risk or monies owed if the positions all offset (as indeed in real life they do, banks run very little net exposure).

But of course newspapers and grotty rags like to perpetuate this narrative that derivatives are going to blow up the world.

2
cs702 3 days ago 6 replies      
Fun mental experiment:

Should the world ever value the global stock of Bitcoin similarly to gold, Bitcoin's market capitalization would increase by around 1,300 times, from ~$6 billion to ~$7.8 trillion, and the price per Bitcoin would increase from around $460/BTC to around $600,000/BTC, give or take.

If this sounds "crazy," consider that in many ways, Bitcoin is more convenient than physical gold: it's cheaper to secure, transport, and hide; and unlike gold, it's backup-able.

--

On a related note, here are some additional thoughts on Bitcoin I wrote four years ago, when its price was $9/BTC:

https://cs702.wordpress.com/2011/05/29/on-the-potential-adop...

3
andrepd 3 days ago 2 replies      
In a similar vein, going more in-depth:

https://xkcd.com/980/

4
graham1776 3 days ago 0 replies      
As the commercial real estate guy, I am wondering where residential real estate is.

Also think there are quite a few asset classes left out of this chart (although it is awesome!).

CalPERS (one of the largest worldwide pension funds) does an awesome annual report showing their holdings. For me it is an awesome way to see all the different ways one can invest. Link: https://www.calpers.ca.gov/docs/forms-publications/annual-in...

5
nopinsight 3 days ago 1 reply      
Considering that the nominal value of above-ground gold reserves is comparable to that of commercial real estate worldwide, it looks overvalue to me.

There is so much productive use of commercial real estate, while gold is at best a medium of exchange and quite an inconvenient one relative to coins and banknotes. (Gold's industrial value is much lower than this and arguably its psychic value would not hold up well without its liquidity as money.)

6
xixi77 3 days ago 0 replies      
Nice chart, although it would be really important to see references to the data sources and more notes on methodology (at the very least, they should have included dates on which the valuations were measured! Also, how exactly do we define "debt" and how is it computed/where is it referenced from?)

Also, the "Rest of the World" stock market capitalization is much larger than I would have expected, since it seems to exclude the largest exchanges (US+Europe+China+Japan). It would be nice to see a more detailed breakdown of that; perhaps I should do one :)

I would guess India+Brazil should be pretty large combined, and there are probably companies with tiny & illiquid float trading on obscure exchanges, but large capitalizations.

And yes, as another commenter noted, using the notional for derivatives valuation is really quite misleading -- I guess this is the easiest number to compute, and is probably the one supporting the point they are trying to make, but there should at least be more of a note telling people about it.

Still, nice work! It's good to see things in perspective.

7
Raphmedia 3 days ago 0 replies      
xkcd did it before

https://xkcd.com/980/

8
simonswords82 3 days ago 0 replies      
When I scrolled down and saw that derivatives were so large by an order of magnitude I was reminded of this awesome 2010 Oscar winning documentary that I only watched a couple of weeks ago:

Inside Job: https://archive.org/details/cpb20120505a

It's about how US executives created the financial crisis back in 2008 and is pretty relevant here. I'd well recommend watching it...some of the information provided is uniquely depressing and terrifying.

9
hodwik 3 days ago 3 replies      
Read this critique on Reddit this morning. Thought it was interesting.

Sharing here:

"Ah, this misleading derivatives stuff again... In two steps:

Firstly, I'll use as an example something called an interest rate swap. If you have a loan with floating rate interest payments, then this lets you change that to a fixed interest rate of say 4%. As follows:

The lender requires you to pay floating rate interest. The swap is an agreement with a third party derivatives guy that you should receive a floating rate from him and pay fixed to him. So every month you will receive whatever the floating rate is from the derivatives guy, and pay a fixed rate to him - and the floating you receive pass on to the guy charging interest on the loan.

For example: the loan has a floating rate payment which at the moment is 4%, and you agree with the derivatives guy that you should pay him a fixed rate of 4% and will receive whatever the floating rate is. If the floating rate rises to 8%, then you pay the derivatives guy 4% and receive 8% and pass those 8% on to the lender. If the floating rate falls to 2%, you pay the derivatives guy 4% and receive 2% and pass those on to the lender.

But 4% of what? For the calculation to work, you need a monetary amount to calculate 4% of. That is the notional. You receive cash of the floating rate * the notional, and pay cash 4% * the notional. You need some way to translate the percent into actual cash payments and that happens through the notional.

If your loan is 10m, then the notional amount you want is probably 10m. If you only want half fixed half floating, then you can set the notional amount to 5m.

But the notional amount is just the basis used for calculation. It's not "money". It's a figure plugged into a formula. The notional isn't put into the bank and can't be withdrawn from it, and at the end of the period of interest payments the notional isn't there anymore because its only purpose was to calculate those interest payments.

If someone wanted to they could break that entire counting system by simply making a swap with a notional of 1 centillion dollars and deciding the payment is equal to 5% * notional / 1 centillion. If you wanted to swap 100m USD you would need 100m of these contracts for a notional of 100 million centillion dollars. The actual money changing hands is nowhere near the notional.

Secondly:

Sometimes people use derivatives for speculation. What they can do is enter a contract and then after prices change they enter the opposite contract.

For example: contracts for oil 6 months from now are $50 per barrel. Someone buys contracts for 50 million barrels. Then the price changes to $60 per barrel. He then sells contracts for 50 million barrels.

The only practical effect of this trade is that he receives a cash sum today. In 6 months nothing happens - they are automatically matched and offset.

In this case the notional amount would be the price of 50 million barrels of oil times 2.

Now, it's possible to do this at high speed. So rather than wait until the next day, he enters a contract and then the opposite seconds or milliseconds from each other. As long as the buying and the selling is for the same amount, this could make for an arbitrarily high notional.

There are absolutely risks in derivatives. For example, what happens if one party loses enough money to go bankrupt and all the bonds they placed as security for that event isn't enough to cover the loss. But the notional amount is not a good place to start to understand risks. Like, every type of derivative will have its own rules for how the notional translates into actual cash - e.g. for an oil contract it would be the full value of the oil, and for an interest rate swap it would just be the amount that's multiplied by the percentage.

Not someone who works with this daily, but covered it quite well in studies."

10
byteorder 3 days ago 1 reply      
My experience is that big tech company jobs are much better than at the typical startup.

I got my first job working for one of the big 3 tech companies a couple of years ago after a long string of startups that failed or fizzled going back to the dot-com days. I always felt like I was making reasonable-to-good base salary at startups with the potential to hit it big with stock options.

Starting my job as a regular IC at big tech company was immediately an eye opener. Out of the gate my base salary was 10% higher than I made as a manager at my most recent startup. With bonus and publicly traded stock value after a year, I was making ~50% more and stock becoming even more valuable over time.

My first startup was great as I went in at 25 with no college and only self taught tech skills. In hindsight, this was a great (probably only) way to start but pivoting to big tech would have been a better move instead of trying to strike it rich at a startup.

11
david927 3 days ago 0 replies      
According to this, there are 1 billion ounces (35,000 tonnes) of silver and 186,000 tonnes of gold. But... I thought gold was rarer than silver.

Edit: I wonder if it has something to do with the fact that silver (unlike gold) is consumed in manufacturing processes such as photography.

12
LoSboccacc 3 days ago 0 replies      
I imagined for whatever reason that if one would account the 'global economy' as a closed system then debt + value would come at a balance. Didn't consider derivatives as holding such a huge value. That also means most of the debt is backed by gambling with production yield, which is scary.
13
Someone1234 3 days ago 1 reply      
I'm surprised Bill Gates is the richest individual again. I thought he gave away so much money that it pushed him off the top #5 list a while ago?

Is his fortune largely tied to Microsoft's share price?

14
kazinator 3 days ago 0 replies      
So now if we just square that, we get all evil in the world!
15
MichaelGG 3 days ago 0 replies      
Wow, really puts into perspective the quote on Starfighters.io:

Willie Sutton: "I rob banks because that's where the money is."

You: "Amateur."

16
swiley 3 days ago 0 replies      
Can't zoom.
17
DennisP 3 days ago 5 replies      
Interesting that there's more debt than money. Apparently a lot of money is borrowed to lend out.
18
ChicagoDave 3 days ago 0 replies      
Once you taste the life of self-employment, you will never go back to working as an employee.
Compiling to WebAssembly: It's Happening mozilla.org
302 points by mnemonik  4 days ago   216 comments top 25
1
c0nfused 4 days ago 10 replies      
Web assembly always makes me a little sad. It feels like we are going back to flash only it won't be bad this time, I promise, no really.

I always feel like the most obvious use for it is to start writing truly hateful and abusive code.

I'm sure this is because I'm getting old.

2
klodolph 4 days ago 0 replies      
This seems like the modern trend, and I like it. I'm going to compare this to the recent developments with OpenGL and Vulkan. With OpenGL, you ship textual source code for your shaders written in GLSL, and you have to hope that the compiler on your client's machine does the right thing! With Vulkan and SPIR-V, the compiler is taken out of the equation, and you can use whatever language you want to write shaders, validate them ahead of time, and ship the validated binary blobs to the client. Incidentally, I'm looking forward to WebGL 2. I really miss being able to use texture arrays, integers, and instancing.
3
andrewchambers 4 days ago 3 replies      
Web browsers are turning into giant, poorly designed operating systems. My current operating system can already run binaries, this is reinventing the wheel in a massively over engineered way.
4
wilg 4 days ago 1 reply      
In the recent press tour about Swift, Apple seems to be really gung-ho about people using Swift everywhere.

Since Swift is built on LLVM and there's direct LLVM support for WebAssembly, I wonder if Apple will get behind WebAssembly so they can get Swift in the browser.

5
jacobolus 4 days ago 2 replies      
Is there (or are there any plans to add) a WebAssembly -> asm.js compiler, so that I can write some code by hand in WebAssembly and still get it to run fast in old browsers? Or are there features of WebAssembly that would be impossible to add in asm.js?

The reason I ask is that asm.js is really painful and cumbersome to write by hand and wasm seems substantially nicer, but I only have small bits of numerical hot loops which I want to use wasm/asm.js for, and I have no desire to bring a bunch of code written in C into my little project.

6
kalsk 4 days ago 7 replies      
This sounds like an odd question, but I honestly need somebody to explain this to me...what is the motivation behind the modern trend to put everything on the web? Is there something you get by running your program from a browser that you don't get from downloading and running an elf or a text file, or is this entire trend based around appealing to users who don't actually know how to use their computers?
7
vvanders 4 days ago 0 replies      
Exciting stuff. Just further solidifies in my mind that C/C++ is one of the few languages that will run everywhere.
8
wilg 4 days ago 2 replies      
Does code written in WebAssembly have access to the DOM somehow? How will that work?
9
eecks 4 days ago 3 replies      
WebAssembly lets people write in C++, Ruby, Python, etc. and for that code to work in the browser like JavaScript does at the moment. Am I correct?
10
saosebastiao 4 days ago 3 replies      
Does anybody know if there are plans for an API for garbage collection? The WASM spec as it currently exists seems to be only useful for non-GC languages, and it would be a shame if we ended up shipping a new GC implementation for every page that we load. Perhaps something that would allow compilers to tap into the native JS GC?
11
jokoon 4 days ago 1 reply      
So does it just do what NaCl was already doing, or at least is the objective the same?

I'm more worried about more specific things like hardware access (GPU, mouse inputs, networking, windowing)

It seems wasm runs at native speeds and takes full advantage of optimization, but can it really be a solution that fits all? There must be some things wasm can't do. And so far, since JS did almost everything, I don't see the point of wasm if it can't do what other languages can.

12
tevlon84 4 days ago 1 reply      
Hi Alon,

Thank you for sharing. I am a Computer Science Master's student and I would like to contribute to the development. The git looks really full and I don't know where to start.

13
n00b101 4 days ago 2 replies      
So the current toolchain involves using emscripten to generate asm.js and then using binaryen to convert asm.js to WebAssembly. Unfortunately emscripten depends on a fork of LLVM (FastComp), with no plans for a proper LLVM asm.js backend.

Are there plans for a proper WebAssembly LLVM backend that does not depend on forking LLVM (like emscripten)?

14
geon 4 days ago 1 reply      
Is there any progress on making the compilers utilize the js gc instead of including their own entire runtime?
15
tuyguntn 4 days ago 2 replies      
Does this mean anyone can write a Python-to-wasm converter, then run it in the browser? Looks like an LLVM backend?
16
shurcooL 4 days ago 1 reply      
I'm very interested in compiling Go to WebAssembly. Based on what I read, it seems that so far you can primarily try it with C/C++ code.

If one were to build a Go -> WebAssembly compiler, what are good routes to take? I can see there's going to be multiple possibilities.

17
exabrial 4 days ago 1 reply      
Cool, but why not just use, you know, Java bytecode? Existing toolchains, compilers, runtimes, virtual machines could all be reused I'm sure. Actually there are a hundred different great virtual machines that could be used... Why, yet, another?
18
hDeraj 4 days ago 0 replies      
I see WebAssembly this way:

WebAssembly is to JavaScript what WebGL is to Canvas

19
iandanforth 4 days ago 1 reply      
My experience is that the barrier to entry for JavaScript is not that it's a new language, but that you have to learn async thinking and are restricted to a single thread.

Does WebAssembly address either of those points?

20
currentoor 4 days ago 0 replies      
I'm hoping for a day where I get two threads in my JS runtime. Now that would be nice...
21
ajarmst 4 days ago 0 replies      
I'm sorry, but I'm not following. What's the problem this is supposed to solve?
22
al2o3cr 4 days ago 0 replies      
WebAssembly sounds interesting, you could use it to write little apps that embed into a page.

And call them "applets". Nobody's ever done that before, right? :trollface:

23
mei0Iesh 4 days ago 0 replies      
Finally! Maybe now someone can build a web app that enhances the reading and discovery of documents. Each browser could be a repository of text files, each with an address, so you can have words in the text pointing to another document's address.
24
yoavm 4 days ago 5 replies      
I suspect too many web applications are going to use WebAssembly to obscure their code and the way they work, thus making it impossible to learn by studying their code. As someone who learned programming mostly by looking at other people's code, I'm afraid the web will change in a way that would make it a lot harder to do so.
25
etiene 4 days ago 1 reply      
YES YES YES!!! OMG! THANK YOU <3 <3 <3 I've been waiting so long for this! Maybe my dream of running native Lua on the browser will come true? Will I already be able to run Lua's interpreter now? :D :D Gonna look deeper into this as soon as I have time, omg so excited <3
About those lava lamps github.com
335 points by ColinWright  14 hours ago   62 comments top 12
1
samstokes 7 hours ago 1 reply      
This is a great story, but describing the lava lamp as a "completely irrelevant stimulus" misses a key insight into why this worked: it introduced (or strengthened) social pressure to fix a tragedy of the commons.

"Everyone knew broken builds should be fixed quickly", but each individual felt a benefit of being able to push code without waiting for compilation / tests to run. Breaking the build had a cost, but that pain was being distributed across the team (other programmers finding the problem), and delayed (waiting for them to complain). So the feedback loop was too weak to discourage breaking the build.

This is a classic tragedy of the commons, and far from being "unreasonable" as the author suggests, it's a fairly rational inclination for each individual actor. Other people will find my bugs and breakages for me, and probably do some of the diagnostic work for me too - why wouldn't I pass off that work to them?

Since a team is (hopefully) a society rather than a competition, one answer is "because I don't want to be known as a careless individual who creates work for others". That's why paying attention to the lava lamp isn't "unreasonable" either - everyone can see it, so it makes that social pressure much more visible. It also means the cost of a broken build is less likely to get spread across the team - if someone hits a problem, instead of puzzling for half an hour whether the build is broken or they did something stupid, they can just glance up and see the red lava lamp, and immediately exert social pressure.

By making social pressure stronger and more immediate, the lava lamp pushes the cost of breaking the build back onto the person who broke it. That restores a missing feedback loop, which is often an effective way to change a culture.

2
kaiuhl 12 hours ago 6 replies      
Left alone to our own willpower, most of us would be less accomplished. We'd live in dirtier houses, wash the dishes less, and treat ourselves less well. It's the promise of others seeing our accomplishments, being around our mess, or seeing us naked that keeps us doing right by ourselves. Doing chores is a chore, but social pressure and acceptance is a powerful drug.
3
astazangasta 12 hours ago 1 reply      
A better way to state this, rather than a reason/unreason lens:

"In every job that must be done / there is an element of fun. / You find that fun and snap! The job's a game."

4
bananaboy 29 minutes ago 0 replies      
At a video game studio I worked at a while ago I hooked up some (real) traffic lights to talk to our CruiseControl.NET server to report breakages. But actually it was just for fun and didn't make any difference - the main thing was that we managed to instil into the culture a desire to always have a working build. Pretty much all the programmers were very proactive about fixing breakages, even when it wasn't a programming problem. It was sometimes possible for artists and level designers to break the build, and the programmers would always be pretty quick to respond and help them figure out the problem and to fix it or build in safeguards and tests to ensure they couldn't check in broken stuff.
5
marshray 7 hours ago 1 reply      
At one company I worked, we had a rubber chicken. When you broke the build, the rubber chicken lived on your desk until somebody else broke the build.

One developer got a little annoyed at this so he cut the chicken's head off, then repaired it with hose clamps. It was sort of a Frankenchicken.

6
wlesieutre 12 hours ago 2 replies      
If you were to use a higher wattage bulb with a dimmer that lets you adjust the melting time and then deliberately set that time to 15-20 minutes, would people still try to beat it?

My guess is no. Once a person gets involved in picking the time, it stops being a fun thing to challenge yourself against, and starts being your annoying boss trying to micromanage failed builds.

7
tantalic 2 hours ago 0 replies      
We use an old traffic signal powered by a Raspberry Pi to similar effect. We have found it quite useful in providing timely feedback and encouraging the quick resolution of issues.

You can see pictures and source: https://github.com/tantalic/build-light

9
javajosh 9 hours ago 2 replies      
So what's a good way to build a build lava lamp in 2015? I'm thinking wall adapter that has wifi and offers a simple webserver that switches on and off on POST.
10
programminggeek 1 hour ago 0 replies      
Programmers would be wise to understand how irrational people are and that reason rules very little of our lives.
11
jhpriestley 6 hours ago 1 reply      
Why do people treat a broken build as some kind of emergency, when you can just revert the commit? It's a trivial fix that anyone can make in about a minute.
12
Shivetya 12 hours ago 1 reply      
Reminds me of the days when large computer hardware had warning lamps mounted on top, whether it was a printer or tape drive, so that it was obvious to even those unfamiliar with the systems that something was wrong. So it was almost a sense of pride among the operations staff that the lights were always out.
       cached 22 December 2015 05:11:02 GMT