hacker news with inline top comments - 28 Feb 2017 - Best
Cloudflare Reverse Proxies Are Dumping Uninitialized Memory chromium.org
3232 points by tptacek  4 days ago   991 comments top 146
tptacek 4 days ago 10 replies      
Oh, my god.

Read the whole event log.

If you were behind Cloudflare and it was proxying sensitive data (the contents of HTTP POSTs, &c), they've potentially been spraying it into caches all across the Internet; it was so bad that Tavis found it by accident just looking through Google search results.

The crazy thing here is that the Project Zero people were joking last night about a disclosure that was going to keep everyone at work late today. And, this morning, Google announced the SHA-1 collision, which everyone (including the insiders who leaked that the SHA-1 collision was coming) thought was the big announcement.

Nope. A SHA-1 collision, it turns out, is the minor security news of the day.

This is approximately as bad as it ever gets. A significant number of companies probably need to compose customer notifications; it's, at this point, very difficult to rule out unauthorized disclosure of anything that traversed Cloudflare.

_wmd 4 days ago 7 replies      
Step 1) MITM the entire Internet, undermining its SSL infrastructure, build a business around it

Step 2) leak cleartext from said MITM'd connections to the entire Internet

I recently noted that in some ways Cloudflare are probably the only entity to have ever managed to cause more damage to popular cryptography since the 2008 Debian OpenSSL bug (thanks to their "flexible" ""SSL"" """feature"""), but now I'm certain of it.

"Trust us" doesn't fly any more, this simply isn't good enough. Sorry, you lost my vote. Not even once

edit: why the revulsion? This bug would have been caught with valgrind, and by the sounds of it, using nothing more complex than feeding their httpd a random sampling of live inputs for an hour or two

jkells 4 days ago 5 replies      
My first thought was relief, thank god I'm not using Cloudflare.

Where would you even start to address this? Everything you've been serving is potentially compromised, API keys, sessions, personal information, user passwords, the works.

You've got no idea what has been leaked. Should you reset all your user passwords, cycle all of your keys, notify all your customers that their data may have been stolen?

My second thought after relief was the realization that even as a consumer I'm affected by this: my password manager has > 100 entries; what percentage of them are using CloudFlare? Should I change all my passwords?

What an epic mess. This is the problem with centralization, the system is broken.

fagnerbrack 4 days ago 2 replies      
TL;DR for the lazy ones:

> The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I've informed cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.

This is huge.

I mean, seriously, this is REALLY HUGE.

user5994461 4 days ago 2 replies      
> The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (thats about 0.00003% of requests).

1) From the metrics I recalled when I interviewed there, and assuming the given probability is correct, that means a potential of 100k-200k pages with private data leaked every day.

2) What's the probability that a page is served to a cache engine? Not a clue. Let's assume 1/1000.

3) That puts a bound around a hundred leaked pages saved per day into caches.

4) Do the caches only provide the latest version of a page? I think most do but not all. Let's ignore that aspect.

5) What's the probability that a page contains private user information like auth tokens? Maybe 1/10?

6) So, that's 10 pages saved per day into the internet search caches.

7) That's on par with their announcement: "With the help of Google, Yahoo, Bing and others, we found 770 unique URIs that had been cached and which contained leaked memory. Those 770 unique URIs covered 161 unique domains." Well, not that we know for how long this was running.

8) Now, I don't want to downplay the issue, but leaking a dozen tokens per day is not that much of a disaster. Sure it's bad, but it's not remotely close to the leak of the millennium and it's certainly not an internet-scale leak.

9) For the record, CloudFlare serves over one BILLION human beings. Given the tone and the drama I expected way more data from this leak. This is a huge disappointment.

Happy Ending: You were probably not affected.

spydum 4 days ago 1 reply      
People are going to lambast CF for downplaying the impact, and there could be merit in that.

However, I really want to say I am absolutely impressed with both Project Zero AND Cloudflare on so many fronts, from clarity of communication, to collaboration, and rapid response. So many other organizations would have absolutely tanked when presented with this problem. Huge kudos for CF guys understanding the severity and aligning resources to make the fixes.

In terms of P0 and Tavis though, holy crap. Where the heck would we be without these guys? Truly inspiring !

dantiberian 4 days ago 1 reply      
From Twitter:

"@taviso their post-mortem indicates this would've been exploitable only 4 days prior to your initial contact. Is that info invalid?" - https://twitter.com/pmoust/status/834916647873961984

"@pmoust Yes, they worded it confusingly. It was exploitable for months, we have the cached data." - https://twitter.com/taviso/status/834918182640996353

Xorlev 4 days ago 0 replies      
> One of the advantages of being a service is that bugs can go from reported to fixed in minutes to hours instead of months. The industry standard time allowed to deploy a fix for a bug like this is usually three months; we were completely finished globally in under 7 hours with an initial mitigation in 47 minutes.

Great, that makes me feel so much better! I'm sorry, don't try to put a cherry on the top when you've just leaked PII and encrypted communications.

Additionally, most vendors in the industry aren't deployed in front of quite as much traffic as CloudFlare is. It's a miracle that ProjectZero managed to find the issue.

CapacitorSet 4 days ago 4 replies      
>Cloudflare pointed out their bug bounty program, but I noticed it has a top-tier reward of a t-shirt.

Considering the amount and sensitivity of the data they handle, I'm not sure a t-shirt is an appropriate top-tier reward.

kyledrake 4 days ago 2 replies      
Friendly reminder that Cloudflare willingly hosts the top DDoS-for-hire attack sites, and refuses to take them down when they are reported.

Run WHOIS on them, it's almost 100% behind Cloudflare: https://www.google.com/#q=ddos+booter

I would be less concerned about the fact that Cloudflare is spraying private data all over the internet if people weren't being coerced into it by a racket.

We won't have a decentralized web anymore if this keeps going. The entire internet will sit behind a few big CDNs and spray private data through bugs and FISA court wire taps. God help us all if this happens.

nikisweeting 4 days ago 1 reply      
I've compiled a list of 7,385,121 domains served through cloudflare using several scrapers. https://github.com/pirate/sites-using-cloudflare

The full list is available for download here (23mb) https://github.com/pirate/sites-using-cloudflare/raw/master/...

I will be updating it as I find more domains.

AYBABTME 4 days ago 5 replies      
This comes around to me as something that just shouldn't have happened. CloudFlare are pretty big on Go, as far as I can tell (and I guess Lua for scripting nginx). Why was this parsing package written in a non-memory-safe language? Parsing is one of those "obvious" things easy to mess up; the likelihood of a custom, hand-written parser being buggy is pretty high. If it's somehow understood that your library is likely to have bugs, why do it in C/C++, where bugs often lead to bleeding memory? In a shop that's already fluent in Go, where they have the institutional knowledge to do it safely? Sure performance is not going to be the same, but with some care it'll get pretty close.

Sorry, I hate to just be a couch commentator. Obviously hindsight is 20/20. Still I think there's a lesson here.

mattbee 4 days ago 8 replies      
Cloudflare isn't just a security hole in the middle of the internet, they're a protection racket.

If you wanted to pay to DDoS a site, search for "booter" and you'll get a list of sites that will take another site off the internet for money with a flood of traffic.


etc. etc. - from the first 30 results I could find 2 booter sites that weren't hosted by Cloudflare.

But hey, pay Cloudflare and your site too can be safe from DDoS attacks...

dmitrygr 4 days ago 4 replies      
Cloudflare's announcement, as it is currently worded, deserves the understatement-of-the-century award.
vermontdevil 3 days ago 1 reply      
I got an email from Cloudflare and here's an excerpt about the # of sites affected by this.

Not sure what to make of it - the low number of domains affected.


> In our review of these third party caches, we discovered data that had been exposed from approximately 150 of Cloudflare's customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.

> Fortunately, your domain is not one of the domains where we have discovered exposed data in any third party caches. The bug has been patched so it is no longer leaking data. However, we continue to work with these caches to review their records and help them purge any exposed data we find. If we discover any data leaked about your domains during this search, we will reach out to you directly and provide you full details of what we have found.

rdl 4 days ago 2 replies      
Neither this thread nor the Cloudflare blog post include concise steps for customers who were exposed.

There's an argument for changing secrets (user passwords, API keys, etc.) for potentially affected sites, plus of course investigating logs for any anomalous activity. It would be nice if there were a guide for affected users, maybe a supplemental blog post.

(and yet again: thank you Google for Project Zero!)

DannyBee 3 days ago 1 reply      
So, does the t-shirt say: "I found a zero-day bug in cloudflare and all I got was this lousy

the_common_man 4 days ago 1 reply      
How does such a simple bug not get picked up by auto tests, CI or end-to-end tests? I am baffled. Since we are behind cloudflare, I am not sure what I should tell my manager now. I lack the technical know-how to parse that extremely technical article. Are we supposed to just assume all our traffic that passed via cloudflare is possibly compromised?

It's also a bit sad that Tavis has to contact cloudflare by twitter. Seriously?

Edit: https://twitter.com/taviso/status/832744397800214528 is the tweet in question

thurston 3 days ago 2 replies      
Author of Ragel here.

An experienced Ragel programmer would know that when you start setting the EOF pointer you are enabling code paths that never executed before. Like, potentially buggy ones. Eek!

DangerousPie 4 days ago 5 replies      
Has anybody else actually received an email from Cloudflare about this? I'm a paying customer, but haven't heard anything from them yet. I hope they don't expect they can leave it at a random blog post that will go by unnoticed?
chm 4 days ago 1 reply      
Some important parts:

> The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I've informed cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything. Cloudflare pointed out their bug bounty program, but I noticed it has a top-tier reward of a t-shirt. Cloudflare did finally send me a draft. It contains an excellent postmortem, but severely downplays the risk to customers.

bartkappenburg 3 days ago 1 reply      
From a cloudflare employee:

"We were working to disclose the bug as quickly as possible, but wanted to clean up search engine caches before it became public because we felt we had a duty of care to ensure that this private information was removed from public view. We were comfortable that we had time as Google Project Zero initially gave us a 90 day disclosure window (as can still be seen in their incident tracker), however after a couple of days, they informed us that they felt that 7 days was more appropriate. Google Project Zero ended up disclosing this information after only 6 days."

jgrahamc 4 days ago 5 replies      
joepie91_ 4 days ago 2 replies      
This is probably a good moment to recall the article I published a while ago about how CloudFlare is actively putting the web at risk: http://cryto.net/~joepie91/blog/2016/07/14/cloudflare-we-hav...

This is precisely why. The only thing that surprises me about this, is that it was an accidental disclosure rather than a breach. Other than that, this was completely to be expected.

EDIT: Also, this can't be repeated enough: EVERYBODY IS AFFECTED. Change your passwords, everywhere, right now. Don't wait for vendors to notify you.

Anything could have irrevocably leaked, and you have no way of knowing for sure, so assume the worst.

Tiksi 4 days ago 2 replies      
> Many of the logged urls contained query strings from https requests that I don't think they intended to share.

I guess this confirms a few things.

- The complete query strings are logged,

- They don't appear to be too concerned with who accesses the logs internally or have a process that limits the access, and

- They're willing to send those logs out to a random person.

mabbo 4 days ago 0 replies      
Signs you are about to have a bad time: Tavis Ormandy publicly tweets that he urgently needs someone from your security team to contact him, and no, the public disclosure form won't do.
ComputerGuru 3 days ago 0 replies      
Some day, the world will wake up to the fact that we've taken the beauty of a decentralized internet and willingly traded it in for a single-point-of-failure design.

I will refrain from any criticism of Cloudflare and what I think about this because they're going through hell as it is. But everyone else is fair game. The higher a level of service you centralize, the more you stand to lose.

xenadu02 3 days ago 1 reply      
Another day, another C memory safety bug that completely breaks all security everywhere.

We're definitely doomed to repeat the same mistakes over and over.

steven_pack 3 days ago 0 replies      
If only there were a systems programming language, offering C-like performance with memory guarantees and well suited to high-throughput network servers, that would catch this class of bugs at compile time [1] [2]

[1] https://www.rust-lang.org/en-US/

[2] Self-declared Rust fanboy

tr32q423 4 days ago 1 reply      
The root cause is apparently coming from auto-generated code that causes a buffer overrun:

 /* generated code */ if ( ++p == pe ) goto _test_eof;

> With the help of Google, Yahoo, Bing and others, we found 770 unique URIs that had been cached and which contained leaked memory. Those 770 unique URIs covered 161 unique domains.

The examples in the report show Uber, okcupid, etc. It would be good to know the full list, to know what passwords might have been compromised.

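The `++p == pe` line quoted above is the whole bug class in one test. What follows is an added example, not Cloudflare's or Ragel's code: a scanner in the shape of generated code walks a pointer `p` toward `pe`, one action steps two bytes at a time, and on an input that ends right after `=` that puts `p` at `pe + 1`. Run with the original `==` test the scanner keeps going and copies bytes from beyond its input; with `>=` it stops. The input string, the "neighbouring" data laid after it, the `scan`/`run_demo` helpers and the demo-only backstop are all assumptions of this example.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed demo, not Cloudflare's parser.  The end-of-input test is
 * selectable so the original (==) and corrected (>=) forms can be compared. */
enum guard { GUARD_EQ, GUARD_GE };

/* Backing buffer: the parser's input occupies the first in_len bytes; the
 * bytes after it stand in for unrelated memory that happens to follow the
 * buffer (in the incident, other requests' data).  Both strings are made up. */
#define BACKING_SIZE 96
static const char INPUT[]     = "<a href=\"x\">hi</a><script type=";  /* unterminated attribute */
static const char NEIGHBOUR[] = " cookie=session-xyz; ";             /* constructed "adjacent" data */

/* Copies every attribute value found in input[0..in_len) into out.
 * hard_limit exists only so this demo never leaves the backing buffer; the
 * real generated code has no such backstop.  Returns bytes written. */
static size_t scan(const char *input, size_t in_len, const char *hard_limit,
                   enum guard g, char *out, size_t out_cap)
{
    const char *p = input;
    const char *pe = input + in_len;
    size_t n = 0;
    int in_value = 0;

    if (in_len == 0)
        return 0;
    for (;;) {
        if (p >= hard_limit)            /* demo-only backstop */
            break;
        if (in_value) {
            if (*p == '"' || *p == ' ' || *p == '>')
                in_value = 0;           /* end of the attribute value */
            else if (n < out_cap)
                out[n++] = *p;
            ++p;
        } else if (*p == '=') {
            /* Action: consume '=' and the opening quote in one step.
             * When the input ends right after '=', this lands p on pe + 1. */
            p += 2;
            in_value = 1;
        } else {
            ++p;
        }
        /* The generated end-of-input test (its increment is shown above):
         * `== pe` never fires once p has stepped past pe, `>= pe` does. */
        if (g == GUARD_EQ ? (p == pe) : (p >= pe))
            goto _test_eof;
    }
_test_eof:
    return n;
}

/* Lay INPUT and NEIGHBOUR into one backing buffer and run the scanner.
 * out receives a NUL-terminated copy of what the scanner emitted. */
static size_t run_demo(enum guard g, char *out, size_t out_cap)
{
    static char backing[BACKING_SIZE];
    size_t in_len = strlen(INPUT);
    size_t n;

    memset(backing, 0, sizeof backing);
    memcpy(backing, INPUT, in_len);
    memcpy(backing + in_len, NEIGHBOUR, strlen(NEIGHBOUR));

    n = scan(backing, in_len, backing + sizeof backing, g, out, out_cap - 1);
    out[n] = '\0';
    return n;
}

/* 1 if the emitted output contains bytes from NEIGHBOUR, i.e. the scanner
 * read past the end of its own input; 0 otherwise. */
static int demo_leaks(enum guard g)
{
    char out[64];
    run_demo(g, out, sizeof out);
    return strstr(out, "session-xyz") != NULL;
}

/* Number of bytes the scanner emitted for the demo input. */
static size_t demo_len(enum guard g)
{
    char out[64];
    return run_demo(g, out, sizeof out);
}

int main(void)
{
    char out[64];
    size_t n;

    n = run_demo(GUARD_EQ, out, sizeof out);
    printf("== guard: %zu bytes emitted: \"%s\"\n", n, out);   /* carries the neighbour's bytes */
    n = run_demo(GUARD_GE, out, sizeof out);
    printf(">= guard: %zu bytes emitted: \"%s\"\n", n, out);   /* only the real attribute value */
    return 0;
}
```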

alkonaut 3 days ago 0 replies      
Just stop using pointer arithmetic and manually managed buffers for anything security/safety related already.

Had this proxy been written in nearly any other language it wouldn't have had this vulnerability, like so many similar vulnerabilities.

Using ML or Rust or Java or whatever doesn't magically make all vulnerabilities disappear but it sure makes those that are intrinsic to C disappear. And that's not just a few.

There is just no excuse.

dkarapetyan 4 days ago 1 reply      
Every piece of dependency in your stack is a vulnerability vector. I feel like this is the only sane assumption to make these days. Yesterday I was thinking of doing some stuff with cloudflare and today I'm reading this report.

The modern web requires a paranoid attitude.

tannhaeuser 3 days ago 2 replies      
Holy sh*t. Is this the end of Cloudflare with the trust being absolutely destroyed and lawsuits coming in? Can't say I'm sad for them. Cloudflare sells you DDOS protection, and hosts (eg. masks the IP of) the very DDOSers to protect against themselves, which I find bordering on the criminal.

Hosters like Hetzner, OVH have for a year now offered DDOS protection (I'm guessing it's heuristic rate limiting, but they won't tell details b/c that would make it trivial to workaround it, so they say). Could someone characterize their offering and tell me if it's any good?

To those spinning a story against C programming here: it is entirely possible (trivial, even) to isolate address spaces between requests, and has been for like 25 years (CGI programming) and more. When you absolutely must use a long running, single-address space service container, OpenBSD's httpd shows how to do it right (goes to great lengths to randomize/re-initialize memory etc.). I agree, though, that using straight C isn't a good choice for the latter.

ffjffsfr 3 days ago 0 replies      
Does anyone know the answer to this question someone is asking there at the end? Is it related?

> could you tell us why a lot of people had to re-authenticate their Google accounts on their devices all of the sudden? It may not have been related, but Google definitely did something that had us all re-authenticate.

I too had to reauthenticate and was very worried because it was the first time I had to do this; I thought something bad happened with my account and it was very suspicious.

pmahoney 4 days ago 1 reply      
I haven't found a clear answer to this:

CloudFlare has multiple SSL configurations:

> Flexible SSL: There is an encrypted connection between your website visitors and Cloudflare, but not from Cloudflare to your server.

> Full SSL: Encrypts the connection between your website visitors and Cloudflare, and from Cloudflare to your server

(I'll add Full SSL mode still involves CloudFlare terminating SSL (decrypting) before re-encrypting to communicate to your server)

If I am running in Full SSL mode, is (or was) my data vulnerable to being leaked?

hehheh 4 days ago 2 replies      
I'm a little drunk so please forgive me if I'm way off base here or if I'm ultimately describing a service that already exists.

Unless I'm mistaken, CloudFlare's services necessarily require they act as a MITM. Would it be possible or practical to change the DDoS protection service such that it uses an agent on the customer's end (the CF customer) that relays relevant data to CF, instead of having CF MITM all data?

As it is now, we have:

 End user <-> CF MITM to inspect packet data <-> CF Customer site

where CF uses the data discovered through MITM (and other metadata such as IP) to determine if the end user is a bad actor.

What if we, instead, had something like:

 End user <-> CF TCP proxy <-> CF Customer site
                   ^ |
                   | v
            CF decision agent <-- CF metadata ingest

The CF captive portal would not work with this but they could still shut down regular ol' boring TCP DDoSes.

pjmlp 21 hours ago 0 replies      
Time for the weekly C. A. R. Hoare quote, taking time to reflect on what has happened since 1981 regarding computer security in systems languages.

The first principle was security: The principle that every syntactically incorrect program should be rejected by the compiler and that every syntactically correct program should give a result or an error message that was predictable and comprehensible in terms of the source language program itself. Thus no core dumps should ever be necessary. It was logically impossible for any source language program to cause the computer to run wild, either at compile time or at run time. A consequence of this principle is that every occurrence of every subscript of every subscripted variable was on every occasion checked at run time against both the upper and the lower declared bounds of the array. Many years later we asked our customers whether they wished us to provide an option to switch off these checks in the interests of efficiency on production runs. Unanimously, they urged us not to - they already knew how frequently subscript errors occur on production runs where failure to detect them could be disastrous. I note with fear and horror that even in 1980, language designers and users have not learned this lesson. In any respectable branch of engineering, failure to observe such elementary precautions would have long been against the law.

-- Turing Award lecture 1981

jlgaddis 4 days ago 4 replies      
Has anyone written a script yet that checks the top 1M (or so) web sites to find out which use Cloudflare? It would help with knowing what secrets I need to change (as an end user -- I'm not a Cloudflare customer, thank $deity).
Karupan 3 days ago 0 replies      
This is huge and CF is certainly downplaying the issue. To be clear, I think the kind of tech that they deal with is extremely complex, which makes it even harder to test or uncover these issues easily. And they have been reasonably good with disclosures (prior to this incident).

When I was evaluating CF for a small personal app, I really thought hard about using a public reverse proxy and decided that it wasn't worth it for the scale I was dealing with. No one can predict these security issues, but I sure am glad I didn't go with them!

askvictor 3 days ago 1 reply      
Could this be the reason behind having to reauth my Google accounts in the past couple of days? I.e. did Google invalidate all auth tokens in case they leaked via a third party website via CF?
aioprisan 4 days ago 0 replies      
CloudFlare's disclosure severely downplays the impact that this can have on their customers. We're going to close our account shortly.
ThrustVectoring 4 days ago 0 replies      
Maybe I'm being a bit too paranoid, but shouldn't your services be set up in a way that doesn't let Cloudflare touch that sort of sensitive data in the first place? You can't distrust everything, of course, but "compromised reverse-proxy acts as a MITM by logging and exfiltrating sensitive information" seems like it ought to be in the threat model of service providers.
sparkling 4 days ago 1 reply      
This might be the time to point out the CloudFlare watch blog: http://crimeflare.com/
omgtehlion 3 days ago 1 reply      
What bothers me is not the bug itself, but the fact that so many sites and apps terminate SSL at cloudflare that NSA/FBI/other-3-letter-agency does not need to come after any separate company, but just needs to tap cloudflare and call it a day.
xt00 4 days ago 0 replies      
Wow apparently they never fuzzed their input and looked at the output. A malformed html input should be about the easiest possible thing to try... yeouch...
packetized 4 days ago 0 replies      
Salient question at this point: Did Cloudflare have any systems in place that would allow themselves to identify queries that were abusing this defect?
homakov 3 days ago 2 replies      
Chrome marking Cloudflare HTTPS as "Secure" must be turned into something different, like "Not So Secure" or whatever. Secure = end to end.

Cloudflare is MitM by design. Chrome and others must not tolerate it. This vulnerability is just another reason to do it asap.

manigandham 4 days ago 0 replies      
Side note: HackerNews uses CloudFlare.
artursapek 4 days ago 1 reply      
Holy shit, this could be a company-ending event. For CloudFlare or any of its clients.
actuator 4 days ago 0 replies      
I wrote a script which checks the domains you have visited from your chrome history to see if they use Cloudflare by checking if the header `cf-ray` is present in their response headers: https://gist.github.com/kamaljoshi/2cce5f6d35cd28de8f6dbb27d...

Found my bank's site on it. :(

chousuke 3 days ago 0 replies      
I used the lastpass CLI tool and some UNIX tools to do a tentative check of which of my domains might be affected. Something like the following should work okay:

 lpass ls | egrep -o '[a-z]+\.[a-z]+' | sort > mydomains.sorted
 sort sorted_unique_cf.txt > cf_really_sorted
 comm -12 mydomains.sorted cf_really_sorted

It's not perfect (since it will only look at the lastpass item description, not the actual URL, and will only match foo.tld type domains), but it still found a number of domains for me.

dreamcompiler 3 days ago 0 replies      
Only inherently unsafe languages like C make it possible for an amateur-hour HTML parsing blunder to spew secrets all over the Internet. If you can't be bothered to check your return codes, at least use a language that doesn't multiply the damage from that mistake a million-fold.
abalone 4 days ago 1 reply      
Cloudflare's bug bounty maximum reward[1]:

1. Recognition on our Hall of Fame.

2. A limited edition CloudFlare bug hunter t-shirt. CloudFlare employees don't even have this shirt. It's only for you all. Wear it with pride: you're part of an exclusive group.

3. 12 months of CloudFlare's Pro or 1 month of Business service on us.

4. Monetary compensation is not currently offered under this program.

Guessing they're gonna reconsider #4 at this point.

[1] https://hackerone.com/cloudflare

kogir 4 days ago 2 replies      
I'm not 100% clear: Only three features were affected, and only sites with one or more of those features enabled leaked data into their pages.

But was the leaked data similarly limited to only the sites with the features enabled? Or could it have come from any request - even an entirely unrelated site?

techolic 4 days ago 0 replies      
Is there an International Day of Internet Security? I think we should make today that day.
DanielDent 4 days ago 0 replies      
There are still a lot of results with leaked data in Google's Cache and they are pretty easy to find..

Some possible queries: "CF-Int-Brand-ID", nginx-cache "Certisign Certificadora Digital",

Once you find one, you can look through the results for unusual strings/headers which you can use to find more results.

Many results have clearly been removed from Google's cache, but.. many also have not.

bcl 4 days ago 0 replies      
Here's a simple little Rust app to check a list of domains for CF usage -- https://github.com/bcl/uses-cf
kmfrk 4 days ago 2 replies      
So how does one find or generate a list of companies using CloudFlare to figure out how you're affected - kinda like HaveIBeenPwned.com?
loeg 4 days ago 2 replies      
Anyone know which password manager uses Cloudflare? Just trying to figure out if I'm affected.
jitbit 3 days ago 0 replies      
Webmasters and App-devs running on CloudFlare. You (at least) have to "force-logout" your users that have "remember me" cookie set.

At least change the cookie name so the token stops working. For example, in ASP.NET - change the "forms-auth" name in the web.config file. etc etc.

hendzen 4 days ago 1 reply      
I think this bug is kind of an indictment of Ragel. It has some great ideas, but since the generated code is so low level - and allows arbitrary blocks of code to be executed in the guts of the parser - bugs like these can result in these horrible memory issues, particularly since the generated code is often used to parse untrusted user input.
ta2987 4 days ago 1 reply      
We need an official and comprehensive list of domains served by Cloudflare throughout the affected period.
wereHamster 3 days ago 0 replies      
So.. when are we going to stop using unsafe languages which allow these kinds of memory corruptions or leaks? If this is not reason enough, what else needs to happen before people realise that whatever language the cloudflare proxy is written in is a really bad one?
afandian 3 days ago 0 replies      
In addition to comments here calling the words 'memory leak' disingenuous because it's technically correct but underplays the problem, I'm now seeing articles in non-technical publications referring to the incident as a "leak".

In the wider world the word "leak" doesn't mean memory access patterns, it means deliberate sabotage.

The headline in "The Verge" is "Password and dating site messages leaked by internet giant Cloudflare". That's technically correct too, but also gives completely the wrong message.

Simpler, proactive messaging from Cloudflare might have helped here.

mrep 3 days ago 1 reply      
What is the optimal balance between centralization and decentralization? Most people in this thread are complaining about how using a big centralized service (Cloudflare) causes so much damage when security issues come up, and yet I have seen many people advocate using a single password manager (like 1Password) to which this exact type of huge security problem can happen (your password manager is the single point of security failure which can compromise all of your accounts!!!).

What is the optimal solution???

jjoe 4 days ago 1 reply      
Everyone: change your HN password asap!
Blackthorn 4 days ago 3 replies      
This is probably gonna get buried at this point, but one thing I'm surprised about is this seems like yet another parser bug. Why are we still using hand-written parsers? Even if you're Very Smart, you'll probably get it wrong. We have parser generators for a lot of things. Even for mostly unparseable garbage like wild-type HTML we have pretty good libraries for handling it. Fresh hand-written parsers are just bombs waiting to explode.
daxfohl 4 days ago 1 reply      
Anyone know of a way to google for your passwords (assuming you have strong, unique passwords) to see if they've been exposed anywhere, without exposing them?
coindork 4 days ago 1 reply      
And it shall be called Cloudbleed.
Globz 3 days ago 0 replies      
I was planning on moving my website over to DigitalOcean, and now http://www.doesitusecloudflare.com/?url=www.digitalocean.com is telling me that they are affected by cloudbleed. I guess I should wait it out...
rickdmer 3 days ago 0 replies      
I created a Chrome extension that searches your bookmarks for sites that use Cloudflare: https://chrome.google.com/webstore/detail/cloudbleed-bookmar...
cypherpunks01 4 days ago 0 replies      
"We also undertook other search expeditions looking for potentially leaked information on sites like Pastebin and did not find anything."

How comforting!

fulafel 4 days ago 0 replies      
Yet another strong argument for end-to-end security. Terminate in the middle, and you risk things like this.

Hopefully people will learn something from today.

danvdragos 3 days ago 0 replies      
How was https traffic leaked? Cloudflare, in order to offer its services, acts like a man in the middle and internally decrypts https traffic [0]

[0]: https://scotthelme.co.uk/tls-conundrum-and-leaving-cloudflar...

mixedbit 3 days ago 0 replies      
There is a huge fleet of compromised machines out there that belong to botnets. Soon we will see the botnets operators extracting content from these compromised machines browser caches to hunt for data leaked in this incident. Clearing search engines caches is just not enough, all secrets need to be replaced.
stevebmark 3 days ago 0 replies      
Is there a government body that can enforce fines over this? Or is a class action lawsuit the only way to seek damages?
borplk 3 days ago 0 replies      
It says their bug bounty program has a top-tier reward of a t-shirt? Wow ... don't go bankrupt Cloudflare.
symlinkk 4 days ago 0 replies      
I've been going through Google's and Bing's caches for about 2 hours looking for leaked credentials and I don't see much - many results don't have an option to view a cached copy. I think Google and Bing are wiping any cache entry that are affected by this vulnerability.
helper 4 days ago 0 replies      
I was able to get a few hits from a quick google search that are still in google's webcache.
_pmf_ 3 days ago 0 replies      
From the incident report at https://blog.cloudflare.com/incident-report-on-memory-leak-c... (not the article):

> About a year ago we decided that the Ragel-based parser had become too complex to maintain and we started to write a new parser, named cf-html, to replace it. This streaming parser works correctly with HTML5 and is much, much faster and easier to maintain.

I'd assume that at this point, customers would like to have a little more than a vague promise.

planetix 4 days ago 1 reply      
So time to reset password and logout of all mobile apps to get new authorization tokens?
SandB0x 4 days ago 1 reply      
Can someone provide a lay-person's explanation of the issue and its implications?
acd 3 days ago 0 replies      
Cloudflare is also breaking anonymous surfing by throwing captchas at you. Security wise they do DDoS ok but not WAF, which Incapsula does a lot better. When I mean better I mean protection against exploits.
bovermyer 4 days ago 0 replies      
Well, my day tomorrow is going to be busy. So's my evening tonight, I guess.
sparkling 4 days ago 1 reply      
I know what Cloudflare is but i don't quite understand the underlying issue.

Can someone explain in simpler terms what happened here and how it a) affects sites using Cloudflare and b) Users accessing sites with Cloudflare?

hacknat 3 days ago 0 replies      
I'm surprised to learn that people with real security concerns are using Cloudflare. I put it in front of my blog, but I would never use it in front of something that has sensitive data. I just don't get how companies like Zendesk could be so stupid. I barely blame Cloudflare. If you think terminating SSL with a CDN is a good idea you get what you deserve.
aerovistae 4 days ago 3 replies      
I noticed StackOverflow is on the list of compromised sites. I sign into that via my google account. Does this mean I need to change Google credentials?
tete 3 days ago 0 replies      
Wow, I only recently had a discussion about "What if this happens?". Great timing to make a point. Unique "told you so" opportunity, but I actually am sad that this happened. Millions of people wasting time on password changes and related things again. :(

And now off to resetting a lot of passwords and checking where OTPs are possible.

mderazon 3 days ago 0 replies      
So did anyone find out why so many Google accounts got "action required" alerts yesterday ?
a3n 3 days ago 1 reply      
Password managers are mentioned.

I looked on the lastpass blog (s/www/blog/), nothing about this. Is it just too early?

SadWebDeveloper 3 days ago 0 replies      
Oh boy what a great week... first we have SHA-1 getting a fast-track to the obsolete hashes and now cloudflare is f*cking everyone because they tried to obfuscate emails from websites and failed to "test every edge case"... what's next is the question.
csomar 3 days ago 0 replies      
Oh boy, this is bad as fuck. Major bitcoin exchanges were affected and these are exchanges where if you can login, you might be able to withdraw the cash irreversibly for ever.

I'm trying to figure out how bad this is; and apart from the exchanges I'm using, which other sensitive sites are concerned.

piker 4 days ago 1 reply      
Given that the plaintext is cached (or feared to be), is googling/binging one's passwords a bad way to check for pwnage?
matthewowen 4 days ago 0 replies      
So, they know which sites leaked data in responses. It sounds like they can also say categorically that some sites won't have been affected (if they don't share any infrastructure with the sites that could have leaked data).

Will Cloudflare be explicitly notifying customers about whether data from their site could have been leaked by this bug?

faragon 3 days ago 0 replies      
Does anyone know if there is a way for mapping virtual addresses to areas with zeroes and replacing it with the memset to 0 on write access, so software could be still efficient without calling calloc() instead of malloc()? (i.e. memset to 0 only for actually written zones)
mordant 4 days ago 0 replies      
Apparently, the only way to change one's Uber password is to use the 'Forgot password' path on their login page.

So, I clicked on that - and I get a 500 error from NGINX.

My guess is that a lot of services are going to be overwhelmed by the sheer volume of password reset requests, thus preventing users from resetting their passwords.

dorianm 3 days ago 0 replies      
Here is a list of domains where I found public leaked data: http://doma.io/2017/02/24/list-of-affected-cloudbleed-domain...
Rican7 3 days ago 1 reply      
Yeaaaaa, this isn't good.

This is what CloudBleed looks like, in the wild: https://gfycat.com/ElatedJoyousDanishswedishfarmdog

A random HTTP request's data and other data injected into an HTTP response from Cloudflare.


XorNot 3 days ago 0 replies      
Incidents like this remind me that the password problem is only partially solved by password managers: most of the internet (i.e. if you're not my bank) needs a simple, easy to script protocol that allows me to automate the process of rolling a lot of passwords.
tkachenko 3 days ago 0 replies      
Small service to check if your site is POSSIBLY affected by CloudFlare data leaks: https://cloudflareleaks.webtls.com/
hkjgkjy 4 days ago 1 reply      
One of the reasons I prefer paying with Bitcoin over credit card, is that when using cryptocurrency I don't have to give them the key to my account - instead they give me an inbox that I send the value into.

Guessing a lot of credit card details are ripe for picking in the data they leaked.

secfirstmd 4 days ago 0 replies      
"and even plaintext API requests from a popular password [1Password] manager that were sent over https"


djhworld 3 days ago 0 replies      
Can someone explain to me why they were parsing HTML in the first place? That's the bit I don't fully understand, but I've not got experience of what Cloudflare does, I thought they were a CDN
soheil 4 days ago 1 reply      
What's the rationale behind sending user PII through a CDN? Presumably that is useful to that one user only so a CDN wouldn't be super useful in distributing the load across its edges. Also doesn't CDN caching kinda defeat the purpose of having SSL?
fagnerbrack 4 days ago 0 replies      
Cloudflare blog post related to this incident: https://blog.cloudflare.com/incident-report-on-memory-leak-c...
joeyh 4 days ago 0 replies      
The bug was in cloudflare servers, not code run on customer's own web servers, right?
stevenhubertron 4 days ago 0 replies      
Well now I have a great response to the sales guy that bugs me everyday.
no_protocol 4 days ago 1 reply      
Is there a list of sites potentially affected?

I'm assuming I need to change my passwords on a significant number of sites. So far none of them have alerted me to a potential breach. Would love to have a head start.

snikeris 3 days ago 0 replies      
Anyone have any additional information about this bit from the comments:

> and even plaintext API requests from a popular password manager that were sent over https (!!).

apple4ever 3 days ago 0 replies      
I have yet to receive an email about this. Very disappointed that I had to find out via another source 12 hours after the blog post was up.
yclept 4 days ago 0 replies      
for easy firewalling and i'm sure a fun internet experience https://www.cloudflare.com/ips-v4
frankmoodie 3 days ago 2 replies      
Question: what about the 99% of internet users who have no idea what SSL/HTTP/any other web tech is? How are they even going to be notified?
nkkollaw 3 days ago 0 replies      
Could some kind soul do an ELI5?

I'm not lazy, it's just overwhelming trying to figure out what's actually going on with all these comments...

stephenr 4 days ago 0 replies      
Who wants to bet this won't change a lot of developers making statements like "I use <Insert HTTPS offering CDN> so my site is secure"
meowface 4 days ago 1 reply      
Never been so relieved my company uses a different CDN...
Soarnrobertson 4 days ago 0 replies      
This article is beginning to look like a whole bunch of people talking about a leak and not saying that they would use that data for vicious things.
benevol 3 days ago 0 replies      
Well, keep centralizing and this is what you get, sooner or later.

Also, mono-cultures have always been a very bad idea, not just in agriculture.

hatsunearu 3 days ago 0 replies      
>(It took every ounce of strength not to call this issue "cloudbleed")

and some chap did it anyways. yay, i guess.

Soarnrobertson 4 days ago 0 replies      
Welp, time to move and get a different IP again :\
jtchang 3 days ago 0 replies      
This is scary stuff. Any key/password that you used on a cloudflare site should be considered compromised.

That's a crapton of keys.

curuinor 4 days ago 7 replies      
Can we start a list of affected right now? I found:

people claiming 1Password, can't find

Digital Ocean

Montecito Bank and Trust

hkjgkjy 4 days ago 0 replies      
HaveIBeenPwnd must be having a great day today!
clebio 3 days ago 0 replies      
So, two of the three hard problems in computer science (fencepost and cache invalidation)?
willtim 3 days ago 0 replies      
If you must write your HTML parser in C/C++, then you should expect buffer overruns.
jacquesm 4 days ago 0 replies      
Hm. Not so good. The main website that I log in to that uses CloudFlare is this one.
codezero 3 days ago 0 replies      
Why do they need to add google analytics to random people's web pages?
brilliantcode 3 days ago 0 replies      
how far back does this affect websites on cloudflare? I removed mine a year ago because I was using it for the SSL.

This will put the final lid on cloudflare anyhow. Sticking with AWS.

HugoDaniel 3 days ago 0 replies      
So it's not only the tor browser experience that sucks with cloudflare.
Soarnrobertson 4 days ago 1 reply      
So, would LastPass be involved in this at all? Do they use CloudFlare?
jcwayne 4 days ago 1 reply      
Makes me wonder if the Great Firewall has a caching layer.
philip1209 4 days ago 2 replies      
Interesting. Cloudflare uses a lot of Go, which should hypothetically be memory safe. Was this system in Go? If so, I would be interested in seeing proof of concept code for a vulnerability like this.
orasis 4 days ago 2 replies      
Our CNAME pointing to github pages was down on Cloudflare today with a 1014 error. I'm guessing they broke some other stuff while scrambling to fix this privacy issue? Not a good day for them.
sambull 3 days ago 0 replies      
RIP Cloudflare 2017.. took you long enough
jhgjklj 3 days ago 0 replies      
Cloudflare please stop asking me if I am a robot and then asking to pick the store board posts forever. What kind of idiot coded that, asking me always.
ReedJessen 3 days ago 1 reply      
Reddit just told me my account was compromised
throwaway7959 4 days ago 1 reply      
Can anyone ELI5 what's going on?
ers35 4 days ago 1 reply      
Hacker News uses Cloudflare: http://bgp.he.net/dns/news.ycombinator.com#_ipinfo

Add the following to your hosts file to bypass Cloudflare and access HN directly: news.ycombinator.com

snek 3 days ago 0 replies      
gg to project0
enraged_camel 4 days ago 1 reply      
Your comment got flagged and killed, which I thought was bullshit so I vouched for it.

Because you're correct: if CF's info sec team is "very very good at their jobs", how did this incident happen?

chiefalchemist 4 days ago 1 reply      
Let's be honest. There are holes. More than we care to admit. The truth, if embraced, could undermine the world's economy. It's just a question of when.
Sami_Lehtinen 3 days ago 0 replies      
I made similar site too, but with geolocation, tags, and fully threaded replies and private messages. Like & Dislike - As well as machine learning which will dig most interesting posts for you. As well as score near by posts higher etc. But nobody cared. So I'll be shutting it down in 6 months. (Domain expires)
cwisecarver 4 days ago 1 reply      
This sounds to me like an object lesson in "Why you shouldn't write your own HTML parser."

Every time I see a dev trying to parse HTML with a custom solution or regex or anything other than a proven OSS library designed to parse HTML I recoil reflexively. Sure, maybe you don't need a parser to see if that strong tag is properly closed but the alternative is ...

I am an Uber survivor medium.com
1690 points by NelsonMinar  9 hours ago   644 comments top 91
leggomylibro 7 hours ago 8 replies      
>Travis is well known to protect high performing team leaders no matter how abusive they are towards their employees. The HR team was known to be deftly[sic] afraid of Travis's tendency to blame and ridicule the women and yell at HR whenever they went in with complaints of abuse. I heard about Travis personally congratulating Mike#2 for meeting strict deadlines months after I complained to HR about my abuse.

This is why I'm skeptical of Uber's promise to investigate these allegations. When I heard that they had retained Eric Holder to investigate, my knee-jerk reaction was petty and cynical: "Great, retain a Chicago politician so you know you'll get the answer you're paying for."

I was a little disappointed in myself at the time, but damn. With this company, I'm starting to think that impression might have been on the money.

tyre 7 hours ago 10 replies      
I'm really happy she felt comfortable doing this. What an incredibly brave and strong person. I can't imagine what she must be feeling.

What I really want to see is the other 20 men on her team tell their bosses to cut that shit out.

We cannot rely on the abused to stand up for themselves; for every one who does there are thousands who cannot. It is on every one of us to report abhorrent behaviour, even if we think someone else has/will.

Change comes from those in power, from people who could very rationally not care, but who go out of their way to do the right thing. It isn't an economic decision, a business decision, or a political decision. It is a personal decision on the world one wants to live in.

We can do better. We must do better. Enough is enough.

jastingo 7 hours ago 13 replies      
I'm not in the business of defending Uber - quite the contrary - but reading through the comments it seems that most people are assuming that this post by an anonymous person is 100% true.

These types of posts are worrying to me. Why could this post not have been crafted by someone at Lyft? Or one of Uber's many other detractors? Given the PR nightmare that Uber is in why not pile on while the public seems primed for that type of information and stretch out the negative news cycle?

Just thought I'd throw out a word of caution: we know literally nothing about the credibility of this person.

sidlls 7 hours ago 4 replies      
Some of the responses to that article express a sentiment that women should fight back and not just silently take it.

I wonder (doubt) if they've ever been abused. It's hard for someone who has been abused to come forward, let alone stand up to an abuser.

Besides, men outnumber women in tech by a very large margin. It's on our shoulders to help women fight back. Strength in numbers is a thing, and having men who speak up on their own, and who support and reinforce women who come forward can only be a good thing.

grandalf 6 hours ago 4 replies      
I think the bottom line is that some founders believe that you have to tolerate abusive personalities in order to hire the best.

I had a person on my team once who I did not hire but who had a reputation for being one of the smartest and most capable engineers. As his new manager, I expected that I'd soon promote him. But then I saw that he treated others on the team very poorly and often said highly inappropriate sexual things.

I talked to the founder and was told that he's really a great guy, etc. As it got worse I mentioned the pattern to HR, and HR was initially concerned, but then after HR met with the founder it was as if I was imagining the problem.

I tell this story simply to point out that the same culture that tolerates bullies and harassment can happen even when there is a female founder.

I know it's a cliche that bullies are always deeply insecure. I think that is the case for workplace bullies too. The brash, over-confident, aggressive act that these people put on works to help them find out who they can victimize.

Others who interact less closely often perceive people (particularly engineers) who have a brash, confident attitude as being smart and capable. Just because someone quickly points the finger and shoots down other peoples' ideas doesn't mean his/her ideas are smart :)

I don't think bullies can thrive in a healthy workplace culture. There should not be any question that certain behavior is inappropriate and is grounds for a stern warning (or worse). But once this doesn't happen, a sort of law of the jungle emerges and bullies and exploiters can take over.

The more information that comes out about Uber's culture, I think Travis probably needs to go.

actuallyalys 8 hours ago 0 replies      
It comes as no surprise to me that a company as cavalier toward local laws and its drivers as Uber is would also mistreat its other workers.

On the off-chance Amy or Susan is reading this, thanks for sharing your stories.

voodooranger 2 hours ago 2 replies      
I consider the HN community to be one of the most thoughtful I've found on the web, yet am stunned by how quickly a righteous mob is formed based on an anonymous, cartoonish, and IMO barely plausible account of what it's like to work for a large US tech company.

Having spent years working at multiple SV tech companies, where even the slightest tinge of a racist or sexist affront would land you in an office in front of HR and a company lawyer, I find this account to be very difficult to believe. Slanty eye joe? Please.

We don't know if this is a (poorly written) attempt to sink Uber (which I don't happen to care for) by someone with a short position and an evening to spare, or if it has been penned by an employee with a grudge.

Please have some credulity before parading your #deleteuber hashtags and morally superior posturing so the world can marvel at how virtuous you are. There has never been a more evil force in the world than an outraged, self-righteous mob inflamed by twisted anecdotes.

And yes, I've resorted to creating a throwaway account, fully expecting the flagging and down-voting groupthink brigade to be in force. If there's a shameful story here, it's more likely this disturbing human phenomenon, not an anonymous blog post, the veracity of which we know nothing about.

dongslol 1 hour ago 2 replies      
Social justice fundamentally needs an economic basis to stand on. If you want to stop sexual harassment, install a financial penalty.

Sexual harassment cases inevitably end in one of two people leaving, and bullying an employee out is cheaper than firing an executive. In corporate hierarchies, managers are valued about half an order of magnitude higher than their employees. And unfortunately it's entirely possible to be both ruthlessly effective and a complete pig. Yet this is bad for Uber in the long term. Fewer women will work there. Fewer quiet, thoughtful people will work there. #DeleteUber sufficiently hurt Uber that they're willing to humiliate themselves by pleading with users at the delete screen. The public strategy should be to get this penalty to backpropagate faster.

On that note, some thoughts:

* The internet was supposed to democratize this stuff. We have people like Balaji Srinivasan saying the FDA should be replaced with Yelp for drugs. Why isn't Glassdoor more effective? Why wasn't Uber's toxic work culture public knowledge, gorgeously pinned to the top of Google's search results, long before Susan or Amy started interviewing?

* When people like Mike interrupt meetings to tell his subordinates not to be a "whiny little bitch," presumably it makes all the quiet, thoughtful people in the room teem with unease. Ideally every instance of this would add a quantum of incentive for them to stand up and leave the company. How can that be encouraged? Is there a good, easy website a la VotePlz that tells employees precisely what their rights and options are? Can we end the stereotype that leaving your job signals weakness? Susan joined Stripe a week after resigning from Uber; can switching jobs become less painless?

* I don't know anything about this, but weren't unions supposed to be designed for this kind of thing? What protections would unions offer to a group of valiant Uber engineers who today decided to walk out in a group?

panitaxx 7 hours ago 2 replies      
I think it's pretty obvious that Travis Kalanick should resign. He is the constant in all these stories supporting this nasty company culture. In the past year he has also been linked with Uber's shady business (attacks on press, fake income for drivers, etc). He is the one pushing on borderline legal tactics. Even their business model is borderline legal (if anything). How can he deny knowing anything like the sexual harassment not happening?
harryh 8 hours ago 11 replies      
Why would someone write an anonymous blog post but then declare that they are:

1) A woman in her late 20s
2) Who used to work at Uber in Engineering working on database and networking scalability
3) Went to a top private college
4) Has a Masters in Information Systems
5) Previous to Uber worked as a Data Analyst in a tech company in the Midwest and left when it was acquired by a Chinese firm
6) Is 5 foot 7 Caucasian with dark hair

diebir 6 hours ago 5 replies      
Without getting into any details this: "Once in a group chat, team members referred to a new Asian American recruit as slanty eye joe" seems very strange to me. The Uber tech org is like 80%+ foreign born, this makes pretty much zero sense. Disclaimer: I work for Uber.
reledi 7 hours ago 4 replies      
Amy, many people believe your story. But based on the flags this story is getting, many don't, at least not yet.

Is there any way you can verify the authenticity of your story without losing your anonymity to the public? For example, would Susan be able to verify you as an ex-employee?

jordigh 7 hours ago 2 replies      
"There is no place for ethics in this business sweetheart. We are not a charity."


I don't know if this is real or not, but given how Uber acts publicly about everything else (breaking the laws until governments are forced to amend the laws for Uber), I'm not surprised at all if this really is the overall attitude that they have for everything.

mi100hael 7 hours ago 5 replies      
> I remember how the interviewers constantly tried to trigger me and insulted my intelligence to see if I break under pressure.

What the fuck? I'd walk and never entertain an offer from a company that spent the interview insulting and provoking me. Who would be stoked to get an offer after an experience like that, much less accept it??

primitivesuave 8 hours ago 2 replies      
It's unfortunate that the Silicon Valley work culture is being tarnished by companies like Uber. There are many companies that respect women and have HR departments that actually fulfill the purpose of being helpful Resources to Humans. I hope the anti-Uber sentiment grows so other companies can learn from this example.

I'm glad the author is sharing her story.

aioprisan 7 hours ago 0 replies      
Yet another example, with lots more that won't come out publicly, of just how toxic Uber's culture of growth at any cost and personal allegiances to Travis really is. The current internal investigation by insiders is a complete joke and only a class action lawsuit can start to right the wrong.
austincheney 7 hours ago 0 replies      
How insidiously toxic. I cannot think of a better or more perfectly descriptive word than toxic (at least this is the word we use in the military for environments less bad than that).

> Therefore, it hurts me to say that despite my grit, I was not prepared to deal with the abuse and dehumanizing treatment I received from my supervisors and colleagues at Uber.

Nobody should expect to be so prepared. Nobody volunteers to become the equivalent of a prisoner of war.

joezydeco 8 hours ago 12 replies      
"In essence, the HR department blackmailed me that if I make noise, I'd be fired. I was distraught by the HR department's response especially considering that most of the HR folks I dealt with were women."

Say it over and over, say it loud, and say it to every single person entering the US workforce from day one:


Amy's situation was grave, and kudos to her for getting out. But everyone should read these stories and burn this line into their heads permanently.

sergiotapia 5 hours ago 0 replies      
>Once in a group chat, team members referred to a new Asian American recruit as slanty eye joe. It was normal for guys to refer to other guys as fags when they didn't participate in private parties where sex and drugs were involved. It was normal for guys to openly refer to attractive female colleagues as sluts when they refused to go out with them. They had private chats where guys wrote sexual fantasy stories about female colleagues and supervisors where they performed all sorts of demeaning acts on the women.

This feels so unreal, just incredible! Amy Anon, time to sue Uber and get yourself a piece of the Uber VC. What kind of cretins work at Uber?

findyoucef 16 minutes ago 0 replies      
I don't understand why these jobs are even worth it to anyone? How much are they making 130-160k to work 16 hour days and are abused on top of that? Fuck that.
shawnee_ 3 hours ago 1 reply      
Rock the boat, people. You are a part of your company's culture: not an observer of it, not a victim of it.

From an article I wrote a couple years ago:

"My two cents for the conversation is pretty simple: there are only two different kinds of humans in the world: Those who actively exploit women, and those who actively speak out against the exploitation of women. Keeping your mouth shut for fear of rocking the boat -- this is a form of apathy all its own." http://ink.hackeress.com/2015/01/why-im-boat-rocker.html

comments_db 8 hours ago 1 reply      
I'd like to thank these brave women for coming out and speaking against these evils. I rarely use Uber but more importantly, I'm not interviewing/working for Uber ever.

p.s. I've had one opportunity in the past that I declined due to lower pay package. Current one seems good, but I'm not going forward.


flippe 5 hours ago 0 replies      
We've gotten to a point where regardless of who's in the right, the most (only?) effective way to attack a huge company is controversial allegations posted under the veil of anonymity. Regardless of what (if anything) in these allegations happened, this is costing Uber ridiculous amounts of money and all it took was an anonymous blog post.

I know I'm a horrible person to say this, but if I were an Uber competitor, these posts would be part of my marketing arsenal. If unaccountable journalism produces results, it's going to be used. If it isn't already, it will. There's too much money and not enough risk in it.

And the only way to fight against this is to not let yourself be part of outrage culture. We have evidence-based courts for dealing with these things.

relics443 5 hours ago 1 reply      
I have a friend who is an engineering middle manager at Uber. I was having drinks with him and some of his direct reports (including 2 women), and they all told me that they've never experienced or heard of any of this behavior until recently.

Obviously that's anecdata (although it has the benefit of me knowing that it's true, as opposed to Amy's story), but I think people are jumping to conclusions here.

It seems that there is some kind of problem at Uber. The scope and size of it remains to be seen.

rubicon33 7 hours ago 0 replies      
I assume (and have some anecdotal proof) that this type of stuff happens with regularity in other "older" industries. Go to any law office and you'll find women with horrifying stories.

Kudos to the tech community, the majority of whom, don't accept this type of reprehensible behavior.

asymmetric 7 hours ago 3 replies      
This is terrible, and one more reason to despise Uber, but I find the usage of the word "survivor" out of place in this context, at least in my understanding of its meaning.

I know this is not the main point to take home from this situation, and I also know I'll be attacked for making it, but I felt it was important nonetheless.

user5994461 7 hours ago 1 reply      
Let's forget about the drama for a minute and focus on running an actual business.

It seems like a lot people are about to leave Uber and that's a business opportunity!

Here's a list of Uber employees that can be recruited away with little to moderate effort: https://www.linkedin.com/search/results/people/?facetCurrent...

DigitalSea 2 hours ago 0 replies      
Oh, man. Uber sounds like a seriously sick, toxic environment. Get rid of Travis, get rid of everyone in a management position, fire the HR team and actually make an attempt to better the working conditions at Uber.

I'm a man, and reading this plus Susan's story shared recently makes my stomach turn. It truly is sickening. I deleted Uber off my phone, I refuse to support a company that runs like a gentlemen's club operating in 1955.

The sad thing about all of this is, when women report this kind of behaviour they get told to "report it", but it seems in the case of Uber (and who knows where else) these claims come with a huge cloud of being fired hanging over your head or they're just ignored.

I think Uber needs to be investigated by an impartial third-party and to be honest, the only way this will happen is if the investors step in and do something about it.

Fuck Uber.

dopamean 6 hours ago 0 replies      
If I were in a meeting and anyone referred to one of my coworkers as a "bitch" I would walk out of the meeting immediately and report it to HR. There's no way to know that the men in the room when "Amy" was insulted like that didn't report it to HR but it really makes me wonder.

There are so many more men in tech than women that they really do need us to be part of the fight against this shit. It is crazy to me that this kind of behavior really exists.

ganfortran 7 hours ago 0 replies      
OK, Uber is off the list for my next company. This toxic masculinity, whose dick is bigger contest is no good for a stable person like me. Good luck with your alpha male culture, Uber :)

Edit: Triggered Uber employee just sent his downvote. Pretty affirming. Good job, Uber :):P

vondur 8 hours ago 0 replies      
Wow, while I expected more stories to surface, this one seems to be a whole different level. But then again, Uber seems to be a really dysfunctional company.
r00fus 6 hours ago 2 replies      
Are there any female Uber employees on HN? I wonder what they think about a) the veracity of this claim and b) why they are sticking with Uber.
c141charlie 48 minutes ago 0 replies      
I'm not sure the author wants to be anonymous. The amount of data she shared about herself in the third paragraph is probably enough to social engineer your way to her true identity.
tasty_freeze 1 hour ago 0 replies      
I can only imagine that the bulk of the employees at Uber in that room with her were young and still intoxicated by startup success to allow Mike#2 to say things like that.

I am 12 years away from the valley, but was at half a dozen startups in 20 years prior and I can't remember ever being on a team that would have put up with a manager saying something like that to a coworker.

xd360 1 hour ago 0 replies      
I think it's about time Uber was slapped with a class action lawsuit by all of its former employees who have faced similar workplace abuse. Uber may smear the reputation of one or two women who try to sue them and bury their case, but if they all come together and file a class action lawsuit then their case cannot be just thrown out or buried and Uber certainly cannot manage to smear the reputation of all the plaintiffs in the group. The #ubersurvivors have a very strong chance of getting justice that way. And when the case is so strong, with all victims coming together as one, they will even receive legal support from top lawyers, who will also want to take their case since it's stronger and winnable now, and if not for justice, they'll do it with the incentive of a cut from the compensation or the glory of suing a billion dollar company. The good thing about class action lawsuits is that it leaves no room for the judge or jury to believe that a dozen people are lying and cannot just ignore the plaintiffs' allegation and proofs (chats, emails, alibis). So, I hope the #ubersurvivors seriously consider coming together, teaming up and getting the justice they rightfully deserve.
josephlord 2 hours ago 0 replies      
Uber seems to be a slightly special case in terms of how blatant discrimination seems to be and the explicitly deceitful and obviously abusive responses from HR, but the general problems of harassment and discrimination are not unique.

I'm aware of multiple issues at Google and issues at Docker (although not the full details of that one). HR being useless and protecting company and senior management is common although they may be less blatant about it than Uber. Google is obviously huge so many areas may be OK.

Those are just issues I'm aware of following a few women on Twitter, they are the tip of the iceberg, some issues never come out at all, others are privately shared between women and others that might be vulnerable (I'm not in that loop).

Emc2fma 8 hours ago 0 replies      
If this is true, then it's horrifying. I didn't agree with the crowd and delete Uber earlier for the protest stuff, but if this is true, then bye-bye Uber.
pharrington 4 hours ago 0 replies      
Company that has skeezy and predatory business practices has skeezy and predatory company culture. God damn shocking

Speaking unsarcastically, the women who are starting to come out and reveal this are very brave.

CodeSheikh 8 hours ago 2 replies      
A very sad read. Uber is in deep ethical trouble recently. Postpone that IPO plan guys.

Wouldn't it be better if HR of your company could be managed by some third party with 100% transparency?

owly 3 hours ago 0 replies      
Rise up people and take action. Boycott uber and let them fail. As others have said, there are plenty of other companies in the space ready to fill the void. #deleteuber
torpfactory 2 hours ago 0 replies      
I've had co-workers, upon a woman passing by in the cafeteria, say things like "would you do her?"

I told them "shut the fuck up. You debase yourself by saying shit like that." Look them in the eye, say it with the confidence of the truth you know it is. If HR wants to debate me on cursing my co-workers, I'd be happy to oblige. What are they going to say? Don't tell your coworkers it's wrong to demean women?

bbarn 6 hours ago 0 replies      
I've said this elsewhere in comments, but people really need to let it sink in that HR is not there to help them, they are there to help the company.

It is never in their interest to say "You're right, let's go get that guy!" They are institutionally there to deflect and play things down and prevent law suits.

If you are abused, harassed, or mistreated, see a lawyer, not your company's HR team, who are only going to be advising their own lawyers later.

smnscu 7 hours ago 0 replies      
That's the tipping point for me. I don't care about being ruthless in business, but you don't pull shit like this. No more Uber for me, although I enjoy using their service.
ogezi 8 hours ago 0 replies      
Although this post is anonymous, Given what has come out recently about Uber, I'm strongly inclined to believe what she wrote. If Uber gets into any more trouble then the board and investors will have to do something because the bad press would be directly hurting their business.

"Visibly angry, Mike#2 covered the microphone of the conference phone, he reached over to hold my hand tightly and told me to stop being a whiny little bitch."

I can't imagine that because someone performs well at their jobs they'd be entitled to treat another person in such a demeaning manner.

halayli 6 hours ago 1 reply      
Someone should build an app that can help in compiling such cases by automatically recording audio/vid anytime it hears a voice(s) we teach/specify (HR conversations, managers etc...) After some time I am sure the case solidifies with proofs.

Sometimes you don't have the opportunity to pull your phone and open a recording app. It needs to be like siri and friends where once it recognizes a voice it starts recording.

alinspired 5 hours ago 1 reply      
what every man needs to ask himself and reflect on:

- would i stand up to a pig in the room

- would i stand up to a pig in the room that is way up the ladder

princetontiger 5 hours ago 0 replies      
I'm glad more of this stuff is coming out. As a male, I've been demeaned by a woman at one of the largest tech companies on earth. I ended up quitting, and the last I heard that woman was demoted/fired.

Our media is super powerful, and I love getting more of this out. 1984 can't happen with a free press.

virtuexru 7 hours ago 2 replies      
> My paycheck is 18% less than my less qualified male colleagues.

I stopped reading here.

ChicagoDave 8 hours ago 1 reply      
Everyone needs to #deleteuber.
jimbokun 7 hours ago 2 replies      
I know this is politics and maybe distracting from the main conversation but...

The United States voters just decided similar behavior is not disqualifying for the office of President. So how can we possibly convince other men this kind of behavior is not conducive to attaining the money, power, and influence they may desire?

spraak 8 hours ago 1 reply      
Very sad that I expected more stories like Susan's to come out.
user5994461 8 hours ago 3 replies      
> It was normal for me to get to work at 7 in the morning and leave late at night with only a thirty minute break in between.

Yep, sounds like a bad place to work.

Just a reminder that you can change jobs after 6 months in the valley, there is really no need to put up with that or wait for evil managers to make the place hell.

ohyes 7 hours ago 2 replies      
Why aren't any of these shitbags getting named?

This type of thing should ruin the guy's career.

Fair or not I'm just going to assume Travis and anyone working for him is just like this disgusting mike#2 fellow.

zuck9 7 hours ago 2 replies      
Noob question: why "Mike#2" instead of simply "Mike"?
digitalmaster 5 hours ago 0 replies      
It honestly and truly disgusts me to hear what's been allowed to go on at this company. #uninstalled #lyftBetterBeGood
Tycho 3 hours ago 0 replies      
It's a sign that the election hysteria is finally fading that we are back in the thrall of these corporate kiss-and-tell scandals and intrigues. Thank god.
yalogin 7 hours ago 0 replies      
It's appalling she went through that and shameful to see people like this Mike #2 exist in the tech world in 2017. From what I can gather he still works there.

It looks like the HR department at Uber exists purely to manage employee pay and nothing else. They are severely defanged and pander to star hires. At this point they could maybe replace them all with some API and be done with it.

jijojv 8 hours ago 1 reply      
horrific - how can this really be happening in 2016 ?
tps5 4 hours ago 1 reply      
Just an aside, I think it's insane that women in tech are pressured (or feel pressured) to wear heels. Is this common in California?
macsj200 7 hours ago 0 replies      
I wonder what some of the considerations are for posting something like this under an alias v.s. attaching one's real name to a post. Obviously, one most likely wouldn't attach a real name to this kind of writing while one is working at the relevant company, but are there any other factors one might consider, aside from criticizing a current employer? Specifically, are there any possible concerns with being labelled a "problem case" and being blackballed in the tech industry as a whole?

Is the author's credibility hurt significantly by choosing to use a pseudonym, or is the power of the message not greatly impinged?

I have a huge amount of respect for anybody that has the courage to write about these kinds of experiences, regardless of whether a pseudonym is used or not.

CodeWriter23 3 hours ago 0 replies      
Someone puts hands on you at work, file an assault complaint with the police. Period.
cdelsolar 8 hours ago 0 replies      
this is awful.
AndyMcConachie 7 hours ago 1 reply      
Wouldn't it be great if the US had some place they could take these kinds of complaints? We could call it a national labor board or national labor relations board. They could maybe investigate these kinds of problems and impose penalties.

Oh right, we can't because Republicans. They weren't allowed to reach quorum under Obama and now they're fucked under Trump. This is the reality of the war on regulation.

jacquesm 7 hours ago 1 reply      
There is no place for ethics in this business sweetheart. We are not a charity.

You can't make this up.

lsjdfkljdfwkwdf 5 hours ago 0 replies      
Another article with some fake name and pull the woman card to justify slandering....Uber probably did not meet your expectations but for sure they aren't much worse than most companies in this field.
Lee1989 4 hours ago 0 replies      
My friend worked for the Santa Monica office and told me some wacky stories. Sounds like Uber needs an HR overhaul.
zelias 7 hours ago 1 reply      
Is it possible that the flaggers have been mobilized by Uber to shut down criticism?
Grue3 8 hours ago 3 replies      
There's really no reason not to name Mike #2. If this is real, he already knows who you are.
upofadown 5 hours ago 0 replies      
> "There is no place for ethics in this business sweetheart."

"Oh, we are doing pet names for our coworkers now? From now on I will refer to you as 'dickhead'".

losteverything 6 hours ago 1 reply      
Two comments

Future Amy's should always be prepared to start recording at a moment's notice. Think Roger Ailes

If you ignore a verbal wrong said to someone else and you don't say something, then it is like you said it yourself.

flamedoge 6 hours ago 0 replies      
You hear that? Uber stock crashing in background
chinathrow 8 hours ago 0 replies      
"Travis is well known to protect high performing team leaders no matter how abusive they are towards their employees."

Time for this Travis dude to resign, right?

kristofferR 6 hours ago 0 replies      
Is survivor really the right word here?

The pointless hyperbole makes it easy for those who would want so (subconsciously or not) to discard the real story here, of the toxic company culture.

chetanahuja 5 hours ago 0 replies      
At this point, after all the allegations of abuse and bad behavior at Uber, if the CEO is not fired, the community here must hold the Uber board complicit in these shenanigans. The situation here seems similar (or maybe worse) in magnitude to that at Zenefits. The board there took swift action once the accusations came out in public and perhaps saved the company (at least in the short term). What can the HN community, made up of founders/investors/technologists do here? Push for a consumer boycott of Uber? Refuse to work for Uber? Refuse to do business with Uber?
Lee1989 4 hours ago 0 replies      
My friend worked for the Santa Monica office and told me some wacky stories as well. This place needs an HR overhaul.
toephu2 6 hours ago 0 replies      
Where is Mike #1?
jordigh 8 hours ago 8 replies      
> tried to trigger me

Man, I really wish the internet hadn't decided that "trigger" means to anger or upset someone instead of the original meaning: provoke an anxiety or panic attack, like lighting firecrackers around war veterans.

Not that what Uber is doing here to "Amy" isn't despicable. I'm just a little bothered by this relatively frivolous usage of the word "trigger" compared to the original purpose for using it: to highlight the experiences of those suffering from PTSD. PTSD can come in many forms, not just from wartime trauma. That's what "triggering" someone was about.

idiot_stick 8 hours ago 0 replies      
We live in a world of fake news, but anyone who questions an anonymous blog post during a media hype-cycle surrounding Uber's sexual harassment allegations is flagged? It's important to be more diligent in these times, not less.
huac 8 hours ago 2 replies      
This is one of the most heavily flagged submissions I've seen in a while - hit #2 with 70 points, and now is at #6 with 174 points in 40 min, while the new #2 is 124 points in 2 hours.
throewai 8 hours ago 2 replies      
My opinion is that this anonymous post lacks credibility and the author is most likely LARPing. Is it really so offensive to have a skeptical view?

> It was normal for guys to refer to other guys as fags when they didn't participate in private parties where sex and drugs were involved. It was normal for guys to openly refer to attractive female colleagues as sluts when they refused to go out with them.

dba7dba 7 hours ago 1 reply      
I would NEVER EVER approach HR department of corporate America for anything except for maybe asking for a tissue box at my desk.

For those young enough to be thinking about approaching HR for issues as nefarious as this, well, now you know.

rublev 8 hours ago 1 reply      
JustSomeNobody 8 hours ago 6 replies      
Yet again the nerds have become the bullies.
meerita 8 hours ago 0 replies      
I question myself what would happen if she openly screamed in his face with a nice: Why don't you go and f...
bad_throwaway 7 hours ago 1 reply      
I have no reason to disbelieve this but Amy please fix your writing. This has the tone of a teenager's Tumblr post.

Full of dramatic cliches and irrelevant details. (New Balance really?)

31reasons 8 hours ago 1 reply      
It is very strange to me when I read these "Survivor" stories. I really can't relate to them not because I am a male and don't work in Silicon Valley but because I know I can and I have quit companies because I couldn't tolerate working there. There is no fucking reason to keep suffering at a company for whatever reason. QUIT as soon as you feel unhappy let alone you come to a point where they "break" you. Are you kidding me? This is not North Korea. No one is forcing you to keep suffering. You are living in the goddam United States of America, and in a goddam Silicon Valley.
ckdarby 8 hours ago 7 replies      
I don't believe HN should be front paging anonymous content without some proof of having worked at Uber.
kpwagner 5 hours ago 1 reply      
Is a "ubersurvivor" hashtag really what's needed?

WARNING: this comment is not a safe place and contains my opinions.

Victim praising will do nothing to change Uber's behavior. Expecting Uber to change anything as the result of your words is a fool's errand. The more likely outcome is Uber will only harden its shell. Do you expect one of the most highly praised startups of the last decade to suddenly find religion and say, "oh we were wrong, you are all right? (and actually mean it)"?

People vote with their feet (Milton Friedman). Talk is cheap (Fat Tony). If you want to start a revolution, don't try to change others, change yourself (Jordan Peterson).

Uber is suffering for its transgressions in the form of talent loss. Susan Fowler indicated the number of female engineers at Uber significantly reduced during her time there. The nice thing about employment at will is that it works both ways. It's scary to leave a high-profile high-status job and go into the unknown; it's also a very powerful action.

late2part 8 hours ago 4 replies      
Seems to me there are 4 issues here:

1. Racism.

Not okay. Fire him.

2. Sexist behavior

Not okay. Warn and then fire him.

3. Working people hard

That's okay. I was made to work hard. Long days no breaks hard deadlines. That's the world we live in.

4. How this affected her

I'm sorry she went through this and it's not okay. How she chooses to feel and deal with this are under her control. She shouldn't have perpetuated her pain by staying in the situation.

mjolk 8 hours ago 5 replies      
> I am afraid to make my name public. Let's call me Amy. For reasons only the #ubervictims know, let's refer to the villain of this story as Mike#2.

My default is "show me the evidence", but I believe Susan Fowler's account because she put her reputation on the line and I was willing to trust that she left, opposed to got fired, due to non-performance reasons based on being able to somewhat approximate/confirm her technical abilities.

This submission is just anonymous accusations. Absurd, unrealistic-sounding accusations. If the culture at Uber was as rampantly ridiculous as described in this blogpost, men and women would be falling over themselves to tell their stories.

> My paycheck is 18% less than my less qualified male colleagues.

If this was true, and the anonymous writer, who claims to be a skilled data analyst, was able to make a case that this was due to gender and not ability, she should be telling this story to a lawyer, not a blog site.

SpaceX to Send Privately Crewed Dragon Spacecraft Beyond the Moon Next Year spacex.com
1108 points by runesoerensen  7 hours ago   332 comments top 39
ChuckMcM 6 hours ago 7 replies      
Wow. This sends so many thoughts cascading through my head that I'm dizzy.

Some things to consider, China has been working up to getting a space capability to send people to the Moon with the full backing of the government funding, by 2035[1]. They started in 2003. SpaceX was founded in 2002 and they are saying they will fly someone around the moon next year? Dragon has the deltaV to land on the moon (not sure if it has enough to get off again though) and SpaceX certainly has the expertise in building spacecraft that land.

The next person to take a picture of the Earth from moon may not be on a government funded mission. That one really blows my mind. For so long it was only countries that could do something like that, now it is nearly within reach of individuals.

The UN has treaties about claiming (or not) the moon by a nation state, but there isn't anything about a privately funded and established outpost that wants to declare independence. All this time I imagined that some country would establish a base there, and grudgingly offer up some space for non-state use, and now there is this possibility of a private facility that states have to ask permission to visit? That is priceless.

[1] http://blogs.wsj.com/chinarealtime/2016/04/29/man-on-the-moo...

ironchief 3 hours ago 0 replies      
It is very likely Steve Jurvetson.

1. In a comment about the announcement alluded to it as a "recurring dream"[1]

2. 5 years ago, described a moon orbit as "when I plan to fly in space. I have two specific missions in mind"[2]

3. SpaceX Board Member and investor

4. Has the money

5. Knows Elon "Mr Musk declined to reveal their identities, only saying that they knew each other"[3]

6. Is "nobody from Hollywood"

7. Liked this comment on his FB wall "Can I tag along?!? Ahhhhh!!!"[4]
runesoerensen 7 hours ago 9 replies      
> We are excited to announce that SpaceX has been approached to fly two private citizens on a trip around the moon late next year. They have already paid a significant deposit to do a moon mission.

Can't wait to hear who booked this trip! Definitely one of the coolest ways to spend a lot of superfluous money :)

suprgeek 7 hours ago 3 replies      
While this feat depends on hitting a lot of intermediate milestones - Falcon Heavy Test, Crew Dragon Unmanned to ISS, Crew Dragon manned to ISS, etc, there is no "show-stopper" that is apparent right now.

I like how they have avoided committing to the much harder "landing on the Moon and then return" scenario.

davidklemke 7 hours ago 2 replies      
Absolutely incredible. This will be the furthest that humanity has journeyed away from Earth in a very long time.

However it is worth noting that there hasn't been a single crewed Dragon flight yet. There are demonstrator flights scheduled for this year though with the first NASA crewed mission slated for May 2018. That's an incredibly aggressive timeline but if anyone can achieve it, SpaceX can.

The long duration flight beyond the moon will be a fantastic proving ground, however.

grouplinkdave 5 hours ago 0 replies      
About 20 years ago as a young engineer I was given the opportunity to propose some solutions to NASA, and was invited to the Kennedy Space Center's LCC for the presentation. Prior to meeting with the exec team at the LCC they took me on a tour of the VAB, where I saw all the operations and was allowed to take digital images of some of the vehicle assembly and maintenance operations to demonstrate possible improvements. Such great energy at the whole KSC. What an honor to be there to feel that passion and gratitude!

Last month I was again at the KSC and LCC as a tourist, and the energy was just a minute fraction of what I'd seen 20 years before. We need this kind of vision [from SpaceX and others, e.g., like this other NASA-based article today with the young engineer comments, who did the hydroponics in microgravity at https://news.ycombinator.com/item?id=13743196 ] to push science and technology beyond the video game and entertainment markets. Congratulations to SpaceX, the microgravity hydroponics engineer, and the others with vision who are once-again elevating the bright eyes of brilliant youth, scientists and engineers.

hackuser 6 hours ago 2 replies      
Note that NASA, I believe at Trump's urging, recently said they would try to place humans on the first flight of the Space Launch System (the new heavy lift rocket) - i.e., no unmanned testing first.
Is Musk still maintaining a relationship with Trump? When Uber founder Travis Kalanick left Trump's business council, Musk was still on it AFAIK. I wonder if Musk is doing this or announcing it for related reasons. Certainly Trump has a history, even in his short tenure, of pressuring businesses into announcements that suit his agenda. And the announcement seems to fit Trump's pattern: Impossible, brazen bravado. (Musk gives the impossible some credibility, but that's what is meant by lending someone your credibility.)

It's speculative, but it's also sad and a bad sign when we must look for government interference in the free market at this level, to provide propaganda for the President.

ChrisBland 6 hours ago 0 replies      
Best news I've heard today, if I had that much $ I too would want to do something that only a handful of humans have ever experienced. If Elon reads this I will give you everything in my bank account and everything I will earn in the next 5 years to orbit the earth. It has been a dream of mine and seeing the privatization of space flight gets me so excited for the future. Sucks to be my kids as I hope I get to blow their inheritance on a trip to the moon.
jansen 7 hours ago 7 replies      
A quote from an article on the Verge says "Musk declined to comment on the exact cost of the trip, but said it was comparable or a little more than the cost of a crewed mission to the International Space Station."

Does anyone have a rough estimate how much a manned mission to the ISS currently costs?

Gravityloss 5 hours ago 2 replies      
I find this schedule very very unlikely. No humans have flown in the Dragon at all yet. Also none on any of SpaceX's rockets. There have been lots of launch and pad failures.

I'm cheering for SpaceX for doing more towards spacefaring, but I'm very skeptical and think this will, at least, end up being negative PR to them, and, at worst, a lot more.

joshuakcockrell 2 hours ago 0 replies      
> This presents an opportunity for humans to return to deep space for the first time in 45 years and they will travel faster and further into the Solar System than any before them.

Shocking that it's been this long. There is an entire generation that hasn't seen man make it into deep space.

rodionos 6 hours ago 3 replies      
Shouldn't they consider a staged approach, not unlike FDA trials. Start with a Laika dog, proceed with a chimp, as all other space programs have done in the past?

Also, if this succeeds, what happens to Google's moonshot projects? Is rebranding in the works?

ktta 7 hours ago 5 replies      
I wonder if it is going to be only two people who are going to go. Will they add more people if they come forward with significant amount of money too?

Seems to me like the cost of taking in another person will be negligible in comparison to the funding they could contribute. This is literally a once-in-a-lifetime experience.

avmich 6 hours ago 1 reply      
> "Falcon Heavy is due to launch its first test flight this summer and, once successful, will be the most powerful vehicle to reach orbit after the Saturn V moon rocket."

SpaceX at its usual :) . By which criteria is Energiya a less powerful vehicle to reach orbit than Falcon Heavy?

dalbasal 5 hours ago 1 reply      
I love that a moon mission is a milestone en route to SpaceX' moonshot, not the moonshot itself. We need new idioms for these people.
DanielBMarkham 7 hours ago 1 reply      
Huge SpaceX fan here, but I've heard from various news sources that the company is famous for aggressively posting dates and then slowly letting them slide. Might that be the case here? (Still, even if it's 2 or 3 years, wow!)
clebio 5 hours ago 3 replies      
> ... two private citizens ... have already paid a significant deposit to do a moon mission. Like the Apollo astronauts before them, these individuals will travel into space carrying the hopes and dreams of all humankind ...

Except that these two private citizens are presumably absurdly wealthy. Whereas the nationalized space program which brought forth the Apollo mission gave all private citizens, as well as schoolchildren for generations, hope and aspirational outlooks.

Whereas the current national situation in the US, with respect to primary-school education and government-supported science is quite dire. So things are not at all hopeful right now, and many of us suffer nightmares of violence and deportation.

So, there's that.

stevespang 1 hour ago 0 replies      
Do you see the comments on one site: "about 2 rich fat cats all ego-ed out who paid Space X tens of millions, just smiling from ear to ear and gloating that the whole world is watching them make history, and the rest of us "lowlanders" have to watch them with envy - - only to have it by mere chance turn into a Roman spectacle - - - - of the whole world watching as they get bar-be-qued in space, never to see earth again.

A massive crowd will be assembled to attempt a Guinness book of world records, to moon the stars with bare asses all in unison in a soccer stadium just as they blast off into space, yelling out like the Romans did at the coliseum: "We salute you those who are about to DIE !" then post it on YouTube !

gigatexal 6 hours ago 5 replies      
Finally the tin-foil hats can be satiated when these tourists see the 50-ish year old flag on the moon.
_ph_ 7 hours ago 0 replies      
This is exciting news. Some time ago, looking at the F9 Heavy, it seemed to me that SpaceX could fly to the moon with it anytime they decided to. Of course their focus is Mars. But in the day and age of multi-billionaires and the commercial availability of space flights via SpaceX, this makes absolute sense. Private funding could push space flights ahead much quicker.
Mendenhall 3 hours ago 1 reply      
I want to know what the insurance company of the private citizens says to this.
c-slice 7 hours ago 2 replies      
I wonder what NASA is thinking about this? The NASA Commercial Crew program which helped fund the development of the Dragon was funded for manned flight to the ISS. I'm curious if they see this as part of the project scope?
ogezi 6 hours ago 2 replies      
I wonder who the people going on this trip are. Are they billionaires, a rich couple planning a honeymoon. You'd have to be rich to do this right? I also wonder which kind of insurance both Spacex and the individuals have for this.

It's amazing that private companies are now doing things that were previously only done by governments and nations.

I don't know how this will work out but congratulations to Musk, Spacex and NASA.

johngalt 5 hours ago 0 replies      
Next year seems extremely ambitious. Wouldn't humans next year, mean non-crewed test flight this year?
iklos55 6 hours ago 0 replies      
Finally. I am so so hyped for SpaceX's development. Hopefully they can stay afloat to experience stability and a stage where they can sit on funding and provide credit for fusion and/or antimatter research. Glad they're here to give us a glimpse into the future of space travel.
Animats 5 hours ago 0 replies      
So when will they launch a Falcon Heavy with a Dragon, unmanned? They've got to try that first. Will the initial Falcon Heavy test flight carry a Dragon spacecraft?
clock_tower 5 hours ago 1 reply      
Which would be more expensive: a personal SpaceX flight to the Moon, or personally funding a high-speed rail line from Seattle to Vancouver?
mLuby 4 hours ago 0 replies      
Count on SpaceX to renew faith in humanity. ^_^
CodeSheikh 6 hours ago 0 replies      
Mission name Apollo-X. Anyone?
skosuri 7 hours ago 2 replies      
I wonder who the two people are.
gydfi 7 hours ago 1 reply      
Just looking up records: the furthest anyone has ever been from Earth is Apollo 13 who passed 158 miles above the lunar surface.

I imagine that would be a pretty easy record to break, if you're doing a translunar flight anyway then getting a bit higher doesn't take much more energy (source: played a lot of Kerbal).

On the other hand the passengers might prefer a close-up view of the Moon to a record.

robtaylor 7 hours ago 0 replies      
...and back!
biosoup 7 hours ago 3 replies      
I'm gonna make my tip, given Elon's history:

Sergey Brin and Larry Page

Two of his friends rich enough, geeky enough, to go first.

vanattab 3 hours ago 0 replies      
Trump's going to space!
danmoreno 7 hours ago 2 replies      
zuck and priscilla?
soheil 7 hours ago 2 replies      
Who are the two "private citizens"? Seems to be mere urge of "universal human exploration" to go around the moon and not landing on it, etc. isn't doing much exploring, but rather taking a lot of risk on a manned spacecraft that has never been tested with people.
skizm 7 hours ago 3 replies      
Is it still a thing, where going to space makes you infertile due to radiation? I feel like I remember basically once you go into space (male or female) kids are off the table afterwards unless you have frozen your sperm or eggs beforehand. Not sure if that was solved at some point or not.
Udik 7 hours ago 5 replies      
So, hmm, he wants to send people around the moon, a year and a half from now, with a rocket he never tested and with a capsule that never flew? I expect half of the directors of SpaceX to resign in the next two days...
List of Sites Affected by Cloudflare's HTTPS Traffic Leak github.com
906 points by emilong  3 days ago   215 comments top 43
r1ch 3 days ago 7 replies      
Just got this classy spam from dyn.com. Wonder if they're going through this list emailing every domain contact.

> As you may be aware, Cloudflare incurred a security breach where user data from 3,400 websites was leaked and cached by search engines as a result of a bug. Sites affected included major ones like Uber, Fitbit, and OKCupid.

> Cloudflare has admitted that the breach occurred, but Ormandy and other security researchers believe the company is underplaying the severity of the incident

> This incident sheds light and underlines the vulnerability of Cloudflare's network. Right now you could be at continued risk for security and network problems. Here at Dyn, we would like to extend a helpful hand in the event that your network infrastructure has been impacted by today's security breach or if the latest news has you rethinking your relationship with Cloudflare.

> Let me know if you would be interested in having a conversation about Dyn's DNS & Internet performance solutions.

> I look forward to hearing back from you.

actuator 3 days ago 4 replies      
I wrote this [1] script to check for any affected sites from local Chrome history. It checks for the header `cf-ray` in the response headers from the domain. It is not an exhaustive list but I was able to find a few important ones like my bank site.

1: https://gist.github.com/kamaljoshi/2cce5f6d35cd28de8f6dbb27d...

crottypeter 3 days ago 2 replies      
Today I learned that uber does not have a change password option once you are logged in. You have to log out and pretend you forgot the password. Bad UX if you don't know.
ig1 3 days ago 7 replies      
Worth noting this statement by Cloudflare CTO:

"I am not changing any of my passwords. I think the probability that somebody saw something is so low it's not something I am concerned about."


nikisweeting 3 days ago 1 reply      
Aww man I submitted my list hours ago but I guess it never made it past the New page. https://github.com/pirate/sites-using-cloudflare

Original post: https://news.ycombinator.com/item?id=13720199

koolba 3 days ago 2 replies      
That's a wide impact. While any hijacked account is bad, some of these are really bad.

For example, https://coinbase.com is on that list! If they haven't immediately invalidated every single HTTP session after hearing this news, this is going to be bad. Ditto for forcing password resets.

A hijacked account that can irrevocably send digital currency to an anonymous bad guy's account would be target number one for using data like this.

Cyphase 3 days ago 1 reply      
You missed the "possibly" in the header.

And the disclaimer right at the top:

This list contains all domains that use cloudflare DNS, not just the cloudflare SSL proxy (the affected service that leaked data). It's a broad sweeping list that includes everything. Just because a domain is on the list does not mean the site is compromised.

cloudvrfy 2 days ago 2 replies      
I wrote a simple website [1] to show whether users have visited the websites included in the list, automatically and without browser plug-ins. It uses the :visited CSS pseudo-class to highlight the sites the user has visited before. It is not 100% accurate, but it can be a fun way to quickly show people that they may have visited sites on the list.


pulls 3 days ago 0 replies      
For what it's worth, as part of work on the effects of DNS on Tor's anonymity [1] we visited Alexa top-1M in April 2016, recording all DNS requests made by Tor Browser for each site. We found that 6.4% of primary domains (the sites on the Alexa list) were behind a Cloudflare IPv4-address. However, for 25.8% of all sites, at least one domain on the site used Cloudflare. That's a big chunk of the Internet.

[1]: https://nymity.ch/tor-dns/

jitbit 3 days ago 2 replies      
Webmasters and App-devs running on CloudFlare. You (at least) have to "force-logout" your users that have a "remember me" cookie set.

At least change the cookie name so the token stops working. For example, in ASP.NET - change the "forms-auth" name in the web.config file

JaggedJax 3 days ago 2 replies      
In an email from Cloudflare sent out this morning they said:

> In our review of these third party caches, we discovered data that had been exposed from approximately 150 of Cloudflare's customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.

Does this jibe at all with the Google or Cloudflare disclosures? They are claiming that across all caches they only found and wiped data from ~150 domains; can that be true?

Splines 3 days ago 1 reply      
If I have an account on an affected site, but did not interact with the site (via my browser or through some other site with an API call) during the time period when the vuln was live, am I still at risk?
edaemon 3 days ago 0 replies      
This list doesn't appear to include sites that use a CNAME setup with CloudFlare -- i.e. sites on the Business or Enterprise plans that retain their authoritative DNS and use CNAMEs to point domains to a CloudFlare proxy.

There probably aren't many but with something this serious it could be important. I'm not sure how one would go about finding the sites that use the CNAME option. If it helps, they use a pattern like:

 www.example.com --> www.example.com.cdn.cloudflare.net
Hacker News is one such site, but it's listed in the "notable" section (it's not in the raw dump).

vmarsy 3 days ago 3 replies      
Something I have a hard time understanding is how Cloudflare's cache generator page had access to sensitive information?

Were the 2 things running in the same process? If they were not, there's no way that the buffer overrun could read another process's memory, right? It would have failed with a segfault type of error.

If so, shouldn't Cloudflare consider running the sensitive stuff in a different process, so that no matter how buggy their caching engine is, it would never inadvertently read sensitive information?

nodesocket 3 days ago 1 reply      
This is ridiculous and somewhat irresponsible. This is just a list of domains using CloudFlare. The leak was only active under a set of very specific cases (email obfuscation, server-side excludes and automatic https rewrites).

I question Pirate's (https://github.com/pirate) motives for even doing this? Karma? Reputation?

jschpp 3 days ago 3 replies      
That list isn't that useful... First of all, there are a LOT of pages hosted by CloudFlare; @taviso acknowledged that in the original bug report. (https://bugs.chromium.org/p/project-zero/issues/detail?id=11...)

Furthermore, you can't say which sites were hit by this bug, and simply listing all CloudFlare sites is more or less fearmongering. If you are a verified victim of this bug CloudFlare will contact you.

Lastly, if you want to be sure to mitigate effects of the attack, just do it... If you want to be absolutely sure that your session keys etc. will remain uncompromised, simply repeal all active session cookies.
jandy 3 days ago 2 replies      
I'm confused by the "not affected" remarks. I thought the issue was any site which passes data through cloudflare could be leaked by requests to a different site, due to their data being in memory. Have I misunderstood?
arca_vorago 3 days ago 1 reply      
Apparently the root cause was:

    /* generated code */
    if ( ++p == pe ) goto _test_eof;

"The root cause of the bug was that reaching the end of a buffer was checked using the equality operator and a pointer was able to step past the end of the buffer. This is known as a buffer overrun. Had the check been done using >= instead of == jumping over the buffer end would have been caught."

Detailed timeline:

"2017-02-18 0011 Tweet from Tavis Ormandy asking for Cloudflare contact information

2017-02-18 0032 Cloudflare receives details of bug from Google

2017-02-18 0040 Cross functional team assembles in San Francisco

2017-02-18 0119 Email Obfuscation disabled worldwide

2017-02-18 0122 London team joins

2017-02-18 0424 Automatic HTTPS Rewrites disabled worldwide

2017-02-18 0722 Patch implementing kill switch for cf-html parser deployed worldwide

2017-02-20 2159 SAFE_CHAR fix deployed globally

2017-02-21 1803 Automatic HTTPS Rewrites, Server-Side Excludes and Email Obfuscation re-enabled worldwide"

Seems like a pretty good response by cloudflare to me.
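
As an added illustration of the `==` versus `>=` check quoted above (a constructed example, not Cloudflare's code or the Ragel grammar it generated): a toy scanner whose escape action advances p on its own, so the generated equality test can step over pe. The names `scan` and `demo_overrun`, the escape rule and the sample input are assumptions made up for this demonstration; the hard_cap guard exists only to keep the overrun inside memory the program owns.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy scanner (not Cloudflare's grammar): the input is key=value
 * text in which a backslash escapes the following byte. A hand-written action
 * consumes the escaped byte with its own p++, and the generated end-of-buffer
 * test then does its own ++p, so a backslash as the very last data byte moves
 * p from pe-1 to pe+1 in a single iteration. */

typedef enum { CHECK_EQ, CHECK_GE } check_mode;

/* Scan buf[0..len). hard_cap is the allocation size and exists only so the
 * demonstration stays inside memory we own; the real generated code had no
 * such guard. Returns how many bytes at or beyond pe were dereferenced. */
size_t scan(const char *buf, size_t len, size_t hard_cap, check_mode mode)
{
    const char *p = buf;
    const char *pe = buf + len;          /* one past the last valid byte */
    const char *guard = buf + hard_cap;  /* harness-only safety net */
    size_t oob_reads = 0;

    if (len == 0)
        return 0;

    for (;;) {
        if (p >= guard)
            break;                       /* production code would run on */
        if (p >= pe)
            oob_reads++;                 /* this read is past the data */
        if (*p == '\\')
            p++;                         /* action: swallow the escaped byte */

        /* the generated end test: `++p == pe` as shipped, `++p >= pe` fixed */
        if (mode == CHECK_EQ) {
            if (++p == pe) break;        /* misses the end when p lands on pe+1 */
        } else {
            if (++p >= pe) break;        /* catches any step past pe */
        }
    }
    return oob_reads;
}

/* Constructed sample ending in a lone backslash: 16-byte buffer, 8 data bytes,
 * 8 bytes of zero padding standing in for whatever followed in memory. */
size_t demo_overrun(check_mode mode)
{
    char buf[16] = "key=val\\";
    return scan(buf, strlen(buf), sizeof buf, mode);
}

/* Same buffer without the trailing escape: both checks stop exactly at pe. */
size_t demo_clean(check_mode mode)
{
    char buf[16] = "key=val";
    return scan(buf, strlen(buf), sizeof buf, mode);
}

int main(void)
{
    printf("== check: %zu bytes read past the end\n", demo_overrun(CHECK_EQ));
    printf(">= check: %zu bytes read past the end\n", demo_overrun(CHECK_GE));
    return 0;
}
```

With the equality check the scanner walks every padding byte after pe (the real parser kept going into whatever happened to be adjacent in the process's memory); with the `>=` check it stops as soon as the pointer has stepped past the end.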

dikaiosune 3 days ago 0 replies      
I've been tinkering with a Python notebook for a few minutes to try to quickly assess how much of my LastPass vault is affected:


Improvements welcome.

One interesting thing: the raw dump that's linked from the list's README doesn't seem to include a couple of notable domains from the README itself, like news.ycombinator.com or reddit.com. I may be mangling the dump or incorrectly downloading it in some way.

EDIT: disclaimer, be responsible, audit how the dump is generated, etc etc etc

AdmiralAsshat 3 days ago 1 reply      
Authy is on the list. It would be really nice if they confirmed whether they are vulnerable or not, considering they hold all of my 2FA tokens. Otherwise I'll have to re-key the database.
RidleyL 3 days ago 0 replies      
I wrote a python script to help check your LastPass database for any potentially affected sites.


danjoc 3 days ago 2 replies      
Is there a "standard" in the works for changing a password? Stuff like this is happening rather too frequently for my taste. I need a tool I can use to update all my passwords everywhere automatically and store the new ones in my password manager.
grogenaut 2 days ago 0 replies      
I ginned up this little tool tonight to help people out instead of grepping.


Sorry for the index.html, trying to figure out how to get the index file to work on CloudFront.

You can also run the python script on the website anonymously on your computer to dig sites out of your email, which is a good indicator that you have an account with them.

kiallmacinnes 2 days ago 0 replies      
And, I've found several of my domains on this list. Some of them don't host web content etc. and only use Cloudflare for DNS. The list is currently ~4.3mil entries, which honestly feels like a rather low figure. I have no data to back up my gut feeling though ;)

Anyway, I'm OK with them being on this list, as I believe understanding the scope of the problem is important to figuring out how we prevent these kinda problems in the future. (For example, answering this question requires understanding who uses CloudFlare: Why are so many sites concentrated on a single infrastructure?)

pmontra 3 days ago 3 replies      
I have hundreds of passwords in my password manager. That's going to take a week, considering I also have to work.
Wrhector 3 days ago 0 replies      
This list seems to be missing any sites that are using custom nameservers, which would be common on top sites using the enterprise plans. A better way to detect if the proxy is being used would be to resolve the IP and see if it lies in Cloudflare's subnets.
luckystartup 3 days ago 1 reply      
Oh crap. I've entered my banking password into Transferwise quite a few times.

Welp, time to change all my passwords.

em0ney 1 day ago 0 replies      
The list of websites once again reminds me of what Avenue Q immortalised in song: the internet is for porn.
janwillemb 3 days ago 0 replies      
Thanks for posting and curating this list.
pbhjpbhj 3 days ago 0 replies      
Do browsers still leak history info (e.g. http://zyan.scripts.mit.edu/sniffly/)? Is it possible to have a page show visitors if they are likely to be affected?
iKenshu 3 days ago 1 reply      
What if I sign in with Facebook or other? Should I change my password on Facebook or what?
paradite 3 days ago 1 reply      
Couldn't find a practical description of who is affected anywhere. Is it just the customers who have the Cloudflare HTTPS proxy service who are affected, or is anyone using Cloudflare DNS affected?
arikrak 3 days ago 2 replies      
It would be more useful if there was a way to see sites that actually were using the Cloudflare features that caused this bug. A large number of sites use Cloudflare, but few should have been affected by this bug:

> When the parser was used in combination with three Cloudflare features (e-mail obfuscation, server-side excludes, and Automatic HTTPS Rewrites) it caused Cloudflare edge servers to leak pseudo random memory contents into certain HTTP responses.

https://arstechnica.com/security/2017/02/serious-cloudflare-...

base698 3 days ago 1 reply      
Has Cloudflare fixed the issues? Should I update passwords now or wait?
vasundhar 3 days ago 1 reply      
Unfortunately this seems to include news.ycombinator.com
tonyztan 3 days ago 1 reply      
Just received an email from Glidera, a Bitcoin exchange. This is the first service to ask me to reset my password. I wonder why Uber, NameCheap, FitBit, and many others have yet to warn their users? Is Cloudflare downplaying this?

> Hi [Username],

> A bug was recently discovered with Cloudflare, which Glidera and many other websites use for DoS protection and other services. Due to the nature of the bug, we recommend as a precaution that you change your Glidera security credentials:

> Change your password

> Change your two-factor authentication

> You should similarly change your security credentials for other websites that use Cloudflare (see the link below for a list of possibly affected sites). If you are using the same password for multiple sites, you should change this immediately so that you have a unique password for each site. And you should enable two-factor authentication for every site that supports it.

> The Cloudflare bug has now been fixed, but it caused sensitive data like passwords to be leaked during a very small percentage of HTTP requests. The peak period of leakage is thought to have occurred between Feb 13 and Feb 18 when about 0.00003% of HTTP requests were affected. Although the rate of leakage was low, the information that might have been leaked could be very sensitive, so it's important that you take appropriate precautions to protect yourself.

> The actual leaks are thought to have only started about 6 months ago, so two-factor authentication generated before that time are probably safe, but we recommend changing them anyway because the vulnerability potentially existed for years.

> Please note that this bug does NOT mean that Glidera itself has been hacked or breached, but since individual security credentials may have been leaked some individual accounts could be vulnerable and everyone should change their credentials as a safeguard.

> Here are some links for further reading on the Cloudflare bug:

> TechCrunch article: https://techcrunch.com/2017/02/23/major-cloudflare-bug-leake...

> List of sites possibly affected by the bug: https://github.com/pirate/sites-using-cloudflare/blob/master...

> If you have any questions or concerns in response to this email, please contact support at: support@glidera.io

StavrosK 3 days ago 5 replies      
I would like to point out that, if most sites used two-factor authentication, this leak would be at most a minor inconvenience. Maybe we should push for that more. Just days ago I talked to Namecheap about its horrible SMS-only 2FA and asked them to implement something actually secure, maybe contact your favorite site if they don't have 2FA yet.
jasonlingx 3 days ago 0 replies      
Do I need to change my cloudflare password?
yeukhon 3 days ago 0 replies      
Would the Internet Archive be able to "cache" the leaks?
beachstartup 3 days ago 0 replies      
this is another data point that supports my personal, hare-brained theory that the expectation of privacy on the internet is simply naive, a fool's errand. it never existed, and never will.

this is despite (or maybe because of) my best efforts to secure systems as a major part of my job.

djph0826 3 days ago 0 replies      
amq 3 days ago 1 reply      
The title is misleading (for now). It is just a list of all sites using CF, compromised or not.
cromulent 3 days ago 3 replies      
"List of Sites possibly affected"

Sites using Cloudflare, really. However, Cloudflare say that only sites using three page rules were affected - email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites. [1]

Is this over-estimating the impact, perhaps?

[1] https://blog.cloudflare.com/incident-report-on-memory-leak-c...

Alphabet's Waymo Alleges Uber Stole Self-Driving Secrets bloomberg.com
902 points by coloneltcb  4 days ago   348 comments top 46
chollida1 4 days ago 17 replies      
From another source to provide some colour:

> According to a lawsuit filed today in federal court in California, Waymo accuses Anthony Levandowski, an engineer who left Google to found Otto and now serves as a top ranking Uber executive, stole 14,000 highly confidential documents from Google before departing to start his own company. Among the documents were schematics of a circuit board and details about radar and LIDAR technology, Waymo says

> The lawsuit claims that a team of ex-Google engineers used critical technology, including the Lidar laser sensors, in the autonomous trucking startup they founded, and which Uber later acquired

I was confused as to what stealing a patent actually meant:)

Waymo has also posted this....


From this post...

> Recently, we received an unexpected email. One of our suppliers specializing in LiDAR components sent us an attachment (apparently inadvertently) of machine drawings of what was purported to be Uber's LiDAR circuit board, except its design bore a striking resemblance to Waymo's unique LiDAR design.

> We found that six weeks before his resignation this former employee, Anthony Levandowski, downloaded over 14,000 highly confidential and proprietary design files for Waymo's various hardware systems, including designs of Waymo's LiDAR and circuit board. To gain access to Waymo's design server, Mr. Levandowski searched for and installed specialized software onto his company-issued laptop. Once inside, he downloaded 9.7 GB of Waymo's highly confidential files and trade secrets, including blueprints, design files and testing documentation. Then he connected an external drive to the laptop. Mr. Levandowski then wiped and reformatted the laptop in an attempt to erase forensic fingerprints.

Ooops, that does sound bad after a first read.

dantiberian 3 days ago 1 reply      
A really critical thing that hasn't got much attention is that shortly before leaving Waymo, Levandowski had a meeting with senior Uber execs(!). The day after the meeting, he formed 280 Systems which became Otto.

The implication in the filing is that Uber planned this with Levandowski, and he only created Otto as a plausible corporate vehicle for developing the LiDAR technology before Uber acquired them. Given what we know about Uber and the assertions in the complaint, this sounds entirely plausible, maybe even likely.


w00tw00tw00t 4 days ago 10 replies      
I had an interview there where the manager asked me to leave my laptop behind and go for a walk. I was hesitant after hearing stories of Uber conducting electronic espionage against its competitors. They could easily bypass Macbook security with a USB device (I had heard of that on HN too) so I was very nervous to leave my laptop behind and noted its exact orientation and position on the table. Sure enough when I returned my laptop had changed both position and orientation, but only enough to tell if you had specifically memorized it. I could be paranoid. They could have simply moved things on the desk. But anyway, people who are paranoid like me are advised not to take their laptops into Uber interviews. They are capable of just about anything, or so thinks my now paranoid self.
Fricken 4 days ago 0 replies      
In related news, Tesla is accusing ex-autopilot director Sterling Anderson of stealing code from Tesla before starting up Aurora with Chris Urmson (the former CTO of Alphabet's self driving car program):


glibgil 4 days ago 3 replies      
> searched for and installed specialized software onto his company-issued laptop

That could mean he downloaded an SFTP client like Cyberduck. He could have searched the internet for a client and then installed it. It doesn't say he did not have auth.

Imagine a Google security engineer being deposed for this lawsuit.

Lawyer: "Show me on the MacBook how he downloaded the files"

Engineer: "Well, he used Cyberduck"

Lawyer: "Is that part of the Mac?"

Engineer: "No, he'd have to download it separately"

Lawyer: "So, he searched for and installed specialized software onto his company-issued laptop?"

Engineer: "Um, sure"

Lawyer: "Thank you, that's all the questions I had"

twinkletwinkle 4 days ago 0 replies      
Interesting. I vividly remember a commenter here on a thread about Uber's acquisition of Otto. The user said based on the timeline and filings, it seemed like Otto hadn't really accomplished anything yet, and was probably founded purely to be acquired by Uber. I wonder if there's even more here...
golfer 4 days ago 2 replies      
Does anyone else remember this New Yorker profile [1] of Anthony Levandowski and self driving cars? Way back from 2013, when this tech was still novel. Google let Levandowski run the show for this piece -- his name is mentioned 57 times in the article. Goes to show how important and trusted he was in Google's universe.

[1] http://www.newyorker.com/magazine/2013/11/25/auto-correct

fasteddie 4 days ago 1 reply      
Maybe I have a selective memory as a former Zynga employee, but generally these "stolen documents" lawsuits in high profile tech companies have generally turned out to be pretty factual. Easy to prove, and hard to fake.
jplayer01 4 days ago 3 replies      
I always was incredibly surprised at how quickly Uber had working self-driving cars (with the required, highly specialized hardware). Guess this explains it.
sriram_sun 4 days ago 2 replies      
What kind of employee would download 14K files to a personal drive right before quitting? It is trivially easy to watch what files get copied over to external drives.

I think you can follow the money trail here and find some answers for sure. Now if Uber/Otto has a clause that prohibits employees from bringing in confidential data from previous companies, how can they be held liable? Does Google have to prove that those stolen documents were actually used in Uber designs?

jpeg_hero 4 days ago 0 replies      
Lots of Juice here.


>Waymo was recently and apparently inadvertently copied on an email from one of its LiDAR component vendors.

Is this going to be a legal test of that annoying lawyer email footer language?

>This message contains information from xxxxxx that may be confidential and privileged. If you are not an intended recipient, please refrain from any disclosure, copying, distribution, or use of this information and note that such actions are prohibited. If you have received this information in error, please notify the sender immediately by telephone or by replying to this transmission.

Ha! More legalese BS that never holds up.

> Otto launched publicly in May 2016, and was quickly acquired by Uber in August 2016 for $680 million.

The fact pattern here is going to be absolutely brutal for Uber. A non-technical judge is going to see the allegation: ex-google employee downloads technical documents in December 2015, launches a company 5 months later in May 2016, and is bought for $680M (later speculated to be $1B+) for all its technical accomplishments. How much fundamental research did they do in the 3 months between May-16 and August-16?!?!? Or was it just to buy the stolen IP that google had developed over 7 years?!? Brutal for Uber!


A public company recently settled a similar lawsuit (competitor hires exec, exec is proven to have downloaded documents) for $130M on much smaller numbers. And the defendant was run through the legal wringer first.


Expect Uber spankage, bigly.

> shortly after Mr. Levandowski received his final multi-million dollar payment from Google

Funny because of all the recent press that Google paid autonomous driving talent too much that they left!

>Infringement of Patent No. 9,368,936 (Against All Defendants)

Real nasty. If a trade secrets lawsuit is an arrow, throwing in a patent infringement claim too, is poison tipped and barbed!

This is some good "old skool Google" where they used to show broad competence across many domains; in this case legal.

Fricken 4 days ago 0 replies      
Presumably you're in Arizona at the moment, Mr. Levandowski, it's close to the border, run for it!

We'll take a moment to remember the salad days, when you were just a crazy college kid who showed up at the Darpa Grand Challenge with a self driving motorcycle:


bitL 4 days ago 4 replies      
This is going to be interesting to watch. Alphabet just:

- went nuclear on Uber/Otto

- revealed what they track internally to all their employees

tlrobinson 3 days ago 0 replies      
Well, that would help explain how Otto went from nothing to $680 million acquisition in ~7 months.
the_watcher 4 days ago 1 reply      
Minor fix: Waymo is suing for stealing secrets, not patents. As far as I know, it's not actually possible to steal a patent.
danjoc 4 days ago 5 replies      
There's something very wrong in the world when the people who invent things aren't the main beneficiary of their own inventions.

Edit: A guy downloads 9.7GB of other people's work, walks off with it, and sells it. Flushing years of work from hundreds of engineers down the toilet. You down voters really support that? Amazing.

Animats 4 days ago 1 reply      
Google might have been better off with patents than trade secrets. There are financial penalties for theft of trade secrets, but once the secret is out, no injunctions. The one who stole it can use it. With patents, injunctions are available, although hard to get.

Anyway, several companies are developing automotive LIDAR units which are better than Google's rotating things. Quanergy and Velodyne claim to be close to low-cost solid state LIDARs, and ASC has good ones now at a high price point. (An ASC unit just docked the Dragon spacecraft with the ISS.) By the time this gets to court, Google's secret technology will be obsolete.

The question is whether Uber will defend Levandowski or leave him to twist slowly, slowly in the wind and go to jail.

guelo 4 days ago 2 replies      
Wow, this has got to be the worst single month for a company that I've ever seen.
croddin 4 days ago 0 replies      
It looks like bloomberg updated the title to: "Alphabet's Waymo Alleges Uber Stole Self-Driving Secrets", which makes more sense. We should change the title here.
praneshp 4 days ago 1 reply      
Could a mod change the title to "Alphabet's Waymo Alleges Uber Stole Self-Driving Secrets", which is what the Bloomberg article says (for now)?
aramadia 4 days ago 0 replies      
home_boi 3 days ago 1 reply      
Despite the damning alleged evidence, I get the feeling that all the offenders knew that they would be found out ahead of time, evaluated the risk reward trade-off and decided that they could somehow get away with it.

Are there any lawyers here who could make an educated guess how they could?

donjh 4 days ago 4 replies      
And Google Ventures is an Uber investor... so Google is effectively suing one of their own portfolio companies.
jfoster 4 days ago 0 replies      
> Recently, we received an unexpected email. One of our suppliers specializing in LiDAR components sent us an attachment (apparently inadvertently) of machine drawings of what was purported to be Uber's LiDAR circuit board, except its design bore a striking resemblance to Waymo's unique LiDAR design.

Doesn't sound plausible. At a minimum, this would have to be the "dumbed down" version of how they uncovered this.

selftemp 4 days ago 1 reply      
Copy-pasting from my comment on Reddit.

The first thing that caught my attention after reading the whole lawsuit! https://drive.google.com/file/d/0B7dzPLynxaXuQjY3dkllZ2ZKb0k... [Items 42-49] are some of the timings regarding Otto's inception and Uber's acquisition.


* Levandowski first registered the domain for his then (now Otto) company on Nov '15

* The suit says on 3rd of Dec'15 he searched for the LIDAR docs and on 11th of Dec'15, he downloaded 14,000 docs from Google's servers.

* Google alleges that in Jan '16, Levandowski told his colleagues that he plans to replicate the Waymo tech at one of Waymo's competitors.

* One of the damning allegations from Waymo is that he met with top execs at Uber at their HQ in SF on Jan 14th 2016.

* Just a day later on the 15th he officially formed one of his companies (280 Systems, now part of Otto); later, on Feb 1st, he also registered his other company (Otto Trucking).

* Strangely, after working at Google for about 7 years, he quit Google without notice (from the suit) on Jan 27th.

This is from the interview Bloomberg did after Uber acquired Otto: 'Kalanick began courting Levandowski this spring, broaching the possibility of an acquisition during a series of 10-mile night walks from the Soma neighborhood where Uber is also headquartered to the Golden Gate Bridge. The two men would leave their offices separately to avoid being seen by employees, the press, or competitors. They'd grab takeout food, then rendezvous near the city's Ferry Building. Levandowski says he saw a union as a way to bring the company's trucks to market faster.'

From the above details, any of these three things might have happened:

* Scenario 1: He or Uber didn't do anything different from the official story so far.

* Scenario 2: Levandowski went to Uber saying he has custom LIDAR tech but ended up starting his own company the next day, and 8 months later Uber just bought them for $680M for the team and the tech he allegedly stole from Waymo.

* Scenario 3: Levandowski went to Uber in Jan '16, said he has the tech for custom LIDAR, Uber wants it, but there is no non-suspicious way of taking the tech directly to Uber since Levandowski alone can't build it. Instead Uber suggests he spin off his own company, hire a team (mostly from Waymo), put together a demo in the Nevada desert. This brings in all the press and validity that Otto has the self-driving tech and team. So at this point Otto and Levandowski are a self-driving tech startup, not a LIDAR startup. Now Uber can come in, acquire this hot startup and team, in a market that's worth trillions. Now Uber is suddenly in the trucking business, gets a huge PR and valuation bump. In this process they also get the LIDAR tech that's built in just 9 months.

What it means is that if the 3rd theory is true, Uber was always buying the LIDAR tech from Levandowski even before he left Waymo. Otto and other components are just a proxy so that it gives them a great story without any suspicions.

To put things into perspective, a single Velodyne HDL-64E LIDAR that almost all self-driving companies use costs around $75,000. Waymo says their equivalent custom alternative costs less than 10% (<$7000). This is a huge cost saving for a tech that is going to go in 100,000+ cars Uber hopes to have in the market in the future. So yea, this can be a bullshit Lawsuit (based on the evidence, less likely) or a well executed corporate espionage!

dnautics 4 days ago 0 replies      
Is the HN headline correct? The Bloomberg article says "trade secrets", which are very different from patents; the video also says that this is not primarily a patent case.

edit: 0:48 in the video

monktastic1 4 days ago 0 replies      
His favorite quote: "I drink your milkshake."

Wish I were kidding.

sebleon 4 days ago 1 reply      
Seems like Google/Waymo has known about this for a while, funny how they timed this lawsuit announcement during the Fowler blog post uproar
amaks 4 days ago 0 replies      
Things couldn't be worse for Uber these days. Sexual harassment scandal, Didi Chuxing plans for global expansion, now this lawsuit.
brilliantcode 3 days ago 0 replies      
This will put a permanent blow to Uber; it's in a tight spot already and self-driving cars are its only chance of survival.

If there's any way to short Uber or any of the other unicorns kept afloat by low-interest venture capital, please let me know.

giis 4 days ago 3 replies      
Interesting questions for google employees:

Does Google force you to use a specific version of an OS?

Do they have pre-installed software?

Is it not-okay to format and install any OS you want?

I work in startups; they provide only laptops and don't care about OS or software. There is no mandatory software requirement from the company side.

lsh123 4 days ago 1 reply      
mylons 4 days ago 0 replies      
Uber is a DUMPSTER FIRE right now. Feel bad for the engineers there who didn't steal anything.
lexap 2 days ago 0 replies      
The timing here is just way too coincidental. Coming at a fresh nadir in Uber's standing in the tech industry, the week after Fowler's post.

For how long did Google know Levandowski had swiped its secrets?

This is how PR war is waged.

seesomesense 4 days ago 0 replies      
sriram_sun 3 days ago 0 replies      
The medium article also notes that a couple more employees stole confidential information. Five years later Waymo employees will be bitching and moaning about corporate overreach and will have these fucktards to thank. (If allegations are proved).
huangc10 4 days ago 1 reply      
> Alphabet's venture capital arm, GV -- formerly known as Google Ventures -- is an early backer of Uber.

Correct me if I am wrong, but does that mean Alphabet is suing itself, since Alphabet owns both Google Ventures and Waymo and has an investment in Uber...?

samfisher83 3 days ago 0 replies      
Google has shares in Uber. If they sue them and win, their shares are theoretically worth less. I guess if they win enough money it works out.
powera 4 days ago 2 replies      
Patents, or Trade Secrets?
gumby 4 days ago 0 replies      
dang: just like we have warnings for [video] and [pdf] could we have warnings for autoplay video? I accidentally had the sound enabled on my computer.
james_niro 4 days ago 0 replies      
I need popcorn and front row seat for this
zump 3 days ago 1 reply      
Anyone here would do the same thing.
dba7dba 4 days ago 3 replies      
So a junior engineer took the files, left Waymo to join Uber and tried to pass off the files?

Correction. So he's not really a junior engineer. But how can he not think that everything he accesses on Google's network is monitored?

ww520 4 days ago 3 replies      
How can you steal patents? Those are public info.

Infringing on patents?

KKKKkkkk1 4 days ago 0 replies      
It's sad how G lost its top engineers and is now trying to get back at them in the courts.
dkarapetyan 4 days ago 0 replies      
This is a little idiotic. Alphabet let all their talent walk out the door. I'm assuming mostly because of idiotic management and now they're suing. They're basically losing on all sides.
Cloudflare data still in Bing caches ycombinator.com
644 points by neonate  3 days ago   246 comments top 31
Smerity 3 days ago 8 replies      
From the parent thread:

 The caches other than Google were quick to clear and we've not been able to find active data on them any longer. ... I agree it's troubling that Google is taking so long.
That's really the core issue here - the Cloudflare CEO singled out Google as almost being complicit in making their problem worse whilst that exact issue is prevalent amongst other indexes too.

The leaked information is hard to pinpoint in general, let alone amongst indexes containing billions of pages.

I can understand the frustration - this is a major issue for Cloudflare and it's in everyone's best interests for the cached data to disappear - but it's not easy, and they shouldn't say as such (or incorrectly claim that "The leaked memory has been purged with the help of the search engines" on their blog post).

This is a burden that Cloudflare has placed on the internet community. Each of those indexes - Google, Microsoft Bing, Yahoo, DDG, Baidu, Yandex, ... - has to fix a complicated problem not of their creation. They don't really have a choice either, given that the leak contains personally identifiable information - it really is a special sort of hell they've unleashed.

Having previously been part of Common Crawl and knowing many people at Internet Archive, I'm personally slighted. I'm sure it's hellish for the commercial indexes above to properly handle this let alone for non-profits with limited resources.

Flushing everything from a domain isn't a solution - that'd mean deleting history. For Common Crawl or Internet Archive, that's directly against their fundamental purpose.

MichaelGG 3 days ago 5 replies      
I've had a fairly high opinion of CF, apart from their Tor handling and bad defaults (Trump's website requires a captcha to view static content.) Yeah I'm uncomfortable with them having so much power, but they seemed like a decent company.

But their response here is embarrassingly bad. They're blaming Google? And totally downplaying the issue. I really didn't expect this from them. Zero self-awareness, or they believe they can just pretend it's not real and it'll go away.

kchoudhu 2 days ago 3 replies      
It's been pretty entertaining watching taviso's attitude towards CF go from "we trust them" to "dude, you're a tool".

I kind of understand what CF is doing here: they've screwed up, there's no way for them to clean it up, so all they can do now is deflect attention from the magnitude of their screw up by blaming others for not working fast enough in the hope that their fake paper multibillion dollar valuation doesn't take too big a hit.

Still a dick move though. Maybe next time don't use a language without memory safety to parse untrusted input.

tonyztan 3 days ago 4 replies      
Why is Cloudflare underplaying this issue? All data that transited through Cloudflare from 2016-09-22 to 2017-02-18 should be considered compromised and companies should act accordingly.
koolba 3 days ago 0 replies      
Rule #1 of breaches: you can't unbreach

At this point if you don't consider all data that was sent or received by CloudFlare during the "weaponized" window compromised, you're lying to yourself.

uladzislau 3 days ago 0 replies      
I briefly touched base with Cloudflare's Product Management and my impression was that they were overconfident and snobbish in every aspect, which is kind of the opposite of what I'd expect from a company like this. Being humble never hurts.
rdl 3 days ago 0 replies      
I really hope people don't lose sight of how helpful Project Zero has been in finding ongoing vulnerabilities and making the Internet a better place.

There is a bit of tension between cloudflare and taviso over the timing of notification, but that is vanishingly insignificant overall.

mhils 3 days ago 3 replies      
Does Cloudflare have complete logs to rule out that someone noticed this before taviso and used it to massively exfiltrate data by visiting one of the vulnerable sites repeatedly?

If they can't tell, someone may now be sitting on a lot of very juicy data, far beyond what may be left in these caches.

paulcole 3 days ago 2 replies      
Just please tell me the people who found the issue got their free t-shirts.
sneak 2 days ago 0 replies      
Cloudflare's email to customers has been calling this a "memory leak", which means something entirely different than a "secret data disclosure".

One causes swapping. The other causes a month of extra work.

dorianm 3 days ago 1 reply      
I'm compiling a list of affected domains (with data found in the wild): http://doma.io/2017/02/24/list-of-affected-cloudbleed-domain...

If you find some samples with domain names / unique identifiers of domains (e.g. X-Uber-...) you are welcome to contribute to the list: https://github.com/Dorian/doma/blob/master/_data/cloudbleed....

acqq 2 days ago 1 reply      
It seems that, due to Cloudflare's confusing disclosure, it's still not clear what was leaked and how. What I personally observed, just by following the discussion and the links to some examples:

- there is a smaller number of sites that used some of the special features of Cloudflare that allowed leakage for some months, according to what Cloudflare said.

- it seems the number of the sites was much bigger for some days, according to what Cloudflare said.

- the data leaked is the data passed through Cloudflare's TLS man-in-the-middle servers -- specifically not only the data from the companies, but the data from the users, and not only the data related to the sites through which the leak happened, but also other sites that just happened to pass through these servers. Again, also the visitors' data; both directions are leaked. From the visitors, their location data, their login data etc. As an example: if you imagine a bank which used Cloudflare TLS, in the caches could be both the reports of the money in the accounts (sent from the bank to the customers) and the login data of the customers (sent by the customers to the bank), even if the bank site didn't have the "special features" turned on. That's what I was able to see myself in the caches (not for any bank, at least, but the equivalent traffic).

kijin 3 days ago 2 replies      
Millions of domains are on Cloudflare. We can't tell how many of them were affected.

Either we can search for obvious strings like X-Uber-* and try to scrub them one by one, or we can just nuke the caches for all the domains that turned on the problematic features (Scrape Shield, etc.) anytime between last September and last weekend. Cloudflare should supply the full list to all the known search engines including the Internet Archive. Anything less than that is gross negligence.

If Cloudflare doesn't want to (or cannot) supply the full list of affected domains, an alternative would be to nuke the caches for all the domains that resolved to a Cloudflare IP [1] anytime between last September and last weekend. I'm pretty sure that Google and Bing can compile this information from their records. They might also be able to tell, even without Cloudflare's cooperation, which of those websites used the problematic features.

[1] https://www.cloudflare.com/ips/
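As an added example (not from the thread, Cloudflare, or any search engine), here is triage logic along the lines kijin proposes: it checks whether a domain's resolved IP sits in a Cloudflare prefix, and scans a cached page body for HTTP-header-shaped fragments that have no business being inside HTML, recording only header names and Host values, never the values of sensitive headers. The two Cloudflare prefixes, the `X-Uber-` marker, and the cached page are sample data constructed for this example; the authoritative prefix list is the one linked above.

```python
"""Triage of cached pages for Cloudbleed-style memory fragments (constructed example)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Sample Cloudflare prefixes for this example only. Load the published list from
# https://www.cloudflare.com/ips/ for real use.
SAMPLE_CLOUDFLARE_PREFIXES = ("104.16.0.0/12", "172.64.0.0/13")

# Header names whose presence inside an HTML body strongly suggests leaked memory.
# Names are compared case-insensitively; prefixes cover families like X-Uber-*.
SENSITIVE_HEADERS = ("cookie", "set-cookie", "authorization", "x-csrf-token")
SENSITIVE_PREFIXES = ("x-uber-",)

REQUEST_LINE = re.compile(r"^(GET|POST|PUT|DELETE|HEAD|OPTIONS) \S+ HTTP/1\.[01]\s*$")
HEADER_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9-]{0,60}):\s*(.*)$")


@dataclass
class Fragment:
    """A run of consecutive header-shaped lines found in a page body."""
    start_line: int
    lines: int = 0
    has_request_line: bool = False
    headers: list = field(default_factory=list)   # header names only, values are dropped
    hosts: list = field(default_factory=list)     # Host values, used to attribute the leak

    def sensitive_headers(self):
        return [h for h in self.headers
                if h.lower() in SENSITIVE_HEADERS or h.lower().startswith(SENSITIVE_PREFIXES)]


def is_cloudflare_ip(ip, prefixes=SAMPLE_CLOUDFLARE_PREFIXES):
    """True if the address falls inside one of the given CIDR prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def find_header_fragments(body, min_lines=3):
    """Return runs of at least min_lines consecutive HTTP-header-shaped lines.

    A request line such as 'POST /api HTTP/1.1' starts a run and counts toward it.
    Runs shorter than min_lines are discarded to suppress ordinary 'Label: text' prose.
    """
    fragments = []
    current = None

    def close():
        nonlocal current
        if current is not None and current.lines >= min_lines:
            fragments.append(current)
        current = None

    for i, raw in enumerate(body.splitlines(), 1):
        line = raw.strip()
        if REQUEST_LINE.match(line):
            close()
            current = Fragment(start_line=i, lines=1, has_request_line=True)
            continue
        m = HEADER_LINE.match(line)
        if m is None:
            close()
            continue
        if current is None:
            current = Fragment(start_line=i)
        name, value = m.group(1), m.group(2)
        current.lines += 1
        current.headers.append(name)
        if name.lower() == "host":
            current.hosts.append(value.strip())
    close()
    return fragments


def triage_cached_page(domain, resolved_ip, body):
    """Summarise whether a cached page for `domain` looks affected.

    A fragment is flagged only if it carries a request line or a sensitive header,
    so a block of form labels like 'Name: / Email: / Phone:' is counted but not flagged.
    """
    fragments = find_header_fragments(body)
    flagged = [f for f in fragments if f.has_request_line or f.sensitive_headers()]
    return {
        "domain": domain,
        "on_cloudflare": is_cloudflare_ip(resolved_ip),
        "fragments": len(fragments),
        "flagged": len(flagged),
        "leaked_hosts": sorted({h for f in flagged for h in f.hosts}),
        "sensitive_headers": sorted({h for f in flagged for h in f.sensitive_headers()}),
    }


# Constructed cached page: ordinary HTML with one injected request fragment and one
# benign run of label lines that must not be flagged.
SAMPLE_CACHED_PAGE = """<html><body>
<h1>Weather widget</h1>
<p>Today: sunny</p>
<script>var cfg = {};</script>
POST /api/v1/trips HTTP/1.1
Host: api.example.invalid
Cookie: session=REDACTED-SAMPLE
X-Uber-Token: REDACTED-SAMPLE
Content-Type: application/json
</div><p>Contact: support</p>
Name: Alice
Email: alice@example.invalid
Phone: 555-0100
</body></html>
"""

if __name__ == "__main__":
    print(triage_cached_page("example.invalid", "104.16.1.1", SAMPLE_CACHED_PAGE))
```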

kfrzcode 3 days ago 0 replies      
IANAL --- what, if any, legal precedent/structure is there for what will happen to CF if, say, 1.5 billion users are hacked and money shifts dramatically as a result, or some other reasonably thinkable "hypothetical" situation that we, the Internet-at-large, at this point have no certain idea whether the incident in question has or has not caused... I'm saying, there's got to be negligence charges or something if there is money lost, that's how capitalism in America works... but this is a global problem.

If this is how 2017 is pacing, we've got a long year ahead. This is an insanely interesting time to be alive, let alone at the forefront of the INTERNET.

Fellow Hackers, I wish you all the best 2017 possible.

foobarbecue 3 days ago 4 replies      
After reading this, I'm considering switching from Cloudflare for my DNS servers. Recommend a similar free service?
flylib 3 days ago 0 replies      
I lost all respect for Cloudflare
bitmapbrother 3 days ago 1 reply      
eastdakota 19 hours ago [-] (Cloudflare CEO)

>Google, Microsoft Bing, Yahoo, DDG, Baidu, Yandex, and more. The caches other than Google were quick to clear and we've not been able to find active data on them any longer. We have a team that is continuing to search these and other potential caches online and our support team has been briefed to forward any reports immediately to this team.

>I agree it's troubling that Google is taking so long. We were working with them to coordinate disclosure after their caches were cleared. While I am thankful to the Project Zero team for their informing us of the issue quickly, I'm troubled that they went ahead with disclosure before Google crawl team could complete the refresh of their own cache. We have continued to escalate this within Google to get the crawl team to prioritize the clearing of their caches as that is the highest priority remaining remediation step. reply

taviso 6 hours ago [-] Tavis Ormandy

>Matthew, with all due respect, you don't know what you're talking about.

>[Bunch of Bing Links]

>Not as simple as you thought?

remx 2 days ago 0 replies      
If anyone wants to, they can access (cached/archived) pages from any number of services listed here: https://en.wikipedia.org/wiki/List_of_Web_archiving_initiati...

My personal favorites are:

- https://archive.fo

- https://archive.org/web/web.php

- https://historio.us

- https://timetravel.mementoweb.org

sersi 3 days ago 3 replies      
I have a question which might be stupid.

What happens for sites using Full SSL (a certificate between cloudflare and the user and a certificate between cloudflare and the server), could any information from ssl pages have been leaked?

patcheudor 3 days ago 0 replies      
Also still in Yahoo caches with the same leaks found in both Yahoo and Bing. I posted the URLs to the linked thread.
djhworld 2 days ago 2 replies      
Can someone explain why Cloudflare parses the HTML in the first place?

Is there some sort of information extraction feature service or something they offer? I don't get it.

Rapzid 2 days ago 0 replies      
As much as CF would like people to believe otherwise (oh and look at our awesome response time and automation!) this cat can't go back in the bag. They should step away from the mic and contact a PR firm that specializes in salvage jobs.

If I were Google I would hit back hard. They prob won't just stop, but I would not bother trying to even clean up the data unless under legal pressure. It's out there, it's too late.

rickdg 2 days ago 1 reply      
Any word on the possibility of credit card numbers having been exposed?
spyder 2 days ago 0 replies      
And the "irony" is that some of the data may have leaked only to "bad bots" and "IP has a poor reputation (i.e. it does not work for most visitors)."

From their blog: https://blog.cloudflare.com/incident-report-on-memory-leak-c...

7ewis 2 days ago 0 replies      
How are people finding this info?

Is it possible to find if anything leaked from my site behind Cloudflare is in the caches?

grogenaut 2 days ago 0 replies      
To help with this, I made https://bleed.cloud/index.html

It lets you run domains quickly without downloading and grepping.

skrebbel 2 days ago 1 reply      
Folks, can we please stop downvoting the parent of the linked comment? It's of no use when it disappears from HN.
pvg 3 days ago 4 replies      
This is already a comment on the site, in the relevant thread. Seems a little meta as a post.
pikzen 3 days ago 1 reply      
Company engaging in practices that undermine internet security and MITM their users found to be doing stupid shit.

Not exactly breaking news. At some point, maybe people will realise that CF is actively making the internet worse and less secure, and that it should be treated as nothing more than a wart to be removed.

gear54rus 2 days ago 0 replies      
I just wonder when we can stop beating this dead horse here...
Mozilla Acquires Pocket mozilla.org
854 points by qdot76367  10 hours ago   330 comments top 54
anexprogrammer 9 hours ago 10 replies      
Mozilla is growing, experimenting more, and can acquire startups.

Mozilla doesn't have the resources to continue with Thunderbird.

I am increasingly baffled by their decisions and how they relate to the strategic plans [0] they've been producing for a while. Despite the worthy words in their plan they seem to have no sense of direction. That saddens me.

That said I'm happier having Pocket as an open source part of Mozilla/Firefox than a surprise integration of a commercial app.

[0] https://wiki.mozilla.org/MoFo_2020

prirun 0 minutes ago 0 replies      
They're losing their Yahoo search money in the future and need to make it up somehow.
niftich 9 hours ago 2 replies      
Oh, what a twist!

In a story that began two years ago with Pocket's integration by Mozilla [1] in Firefox [2], large segments of the userbase spoke out with scathing criticism.

This, at first blush, appears unrelated: Mozilla previously announced its Context Graph initiative, which was a bold undertaking to be built partially upon a new and emerging set of W3C standards to take back some of the control over linkage, metadata, and the consumption and annotation of web content [3] from big incumbent providers who run content portals, content silos, or content aggregators (largely the usual suspects, including Google, Facebook [4], Apple, Microsoft, and Yahoo [5]).

To understand this play, temporarily forget about Mozilla the Foundation, and think about Mozilla as a strategic competitor to the above. In the case of Pocket, a hard-to-deny side effect is that Pocket's presence in Firefox, despite the exact nature of the integration, is likely here to stay. While this is bound to frustrate many, Mozilla's competitors routinely ship software or entire platforms with tight captive integrations, against which competition has proven difficult to mount solely on the merits of values and philosophical purity.

[1] https://hn.algolia.com/?query=firefox%20pocket

[2] https://hn.algolia.com/?query=mozilla%20pocket

[3] https://news.ycombinator.com/item?id=13729525#13740110

[4] https://news.ycombinator.com/item?id=13375451#13375917

[5] https://news.ycombinator.com/item?id=12863565#12867493

apetresc 9 hours ago 4 replies      
Something I've always wished Pocket would do is download an offline copy of videos I add to the list (using, say, youtube-dl [1]), so I can watch them on the subway, etc. But they never did this, presumably either for legal reasons, or because it was a giant waste of bandwidth considering a huge percentage of Pocketed articles never get read.

Now that Mozilla is promising to open-source this, I eagerly await adding this feature to my own fork :)

--

[1]: https://rg3.github.io/youtube-dl/

wodenokoto 9 hours ago 3 replies      
I've always liked Pocket, but felt queasy about its integration with Firefox.

I consider this a great move for a better bookmarking experience in Firefox as well as a better pocket service.

SwellJoe 9 hours ago 3 replies      
Pocket, for me, is a weird product/feature. I've tried to use it, but it ends up just being like a clumsy bookmarking feature.

Allegedly, you can read things offline, but that feature never works for me. It seems the feature for offline reading doesn't exist at all in Firefox (which I'd assumed was the point of its integration, but my assumption was wrong), and I've tried the Chrome desktop app and the Android mobile app... nothing I save to Pocket is ever readable without a data connection. It must work for some content for some people because I see people talking about it like it does. But, without that feature I see literally no utility in Pocket... it's just a clunky bolted-on bookmark manager, and so I end up going back to bookmarks with tags. I use Sync and I have Firefox on all of my devices. So, my bookmarks go with me.

So, I guess it's good that it's going open source. I wasn't comfortable with the way integration was presented back when they added it... it wasn't at all apparent, to me, that Pocket was a third-party for-profit entity when the "setup your pocket" process launched in Firefox, since I'd never heard of it before that. But, it still seems like a solution looking for a problem. I'll give it another look. Maybe I was just unlucky with my choices of what to save... but it seems like if offline reading is not going to work on a page (for whatever reason) it should warn you. It'd suck to get on a train/plane or get lost in the woods, with plans to catch up on some reading, only to find there's nothing there.

But, maybe that's not even the primary purpose of Pocket? I dunno, it's still pretty fuzzy to me wtf it's for, if not that.

zyngaro 9 hours ago 1 reply      
"We believe that the discovery and accessibility of high quality web content is key to keeping the internet healthy by fighting against the rising tide of centralization and walled gardens" - that alone is a reason to welcome this acquisition. Facebook has become for many, me included, the entry point to the web, much more so than the browser, and I really don't like that. I can imagine Mozilla suggesting content to users based on what they have saved in the past on Pocket and integration with Firefox. Nice move.
bttf 8 hours ago 4 replies      
I have been working on a prototype for a competitor to Pocket and other save-for-later services with an emphasis on minimalism, privacy and ease of use.


Very early app, features are rolling out daily. My end goal is to build a recommendation engine out of user data, while keeping things anonymous.

Although social bookmarking has been done plenty of times before, I think execution has been sub-par in previous solutions. My aim is to make things streamlined and fast for the user to go from 'what was that link?' to 'there it is' (sidenote: check out slushi.es opensearch, and how it behaves when there's one result (only works for signed-in users)).

A complaint I hear often from Pocket users (and other save-for-later users alike) is that they will save 100s of links without ever going back to reading them. I, too, shared the same sentiment until one day I experienced a 'what was that link again?' moment. It was rare and fleeting at the time, but since using slushi.es more and more, those moments have appeared with increasing frequency.

I believe the best save-for-later app will transform the regular web browsing individual's habits of reading an article and forgetting about it, to reading an article and remembering it later; either a day later, a month later, or perhaps years. The thing is remembering. I think a good save-for-later app works as a memory reinforcer; something that augments your ability to build and recall knowledge.

Touche 9 hours ago 5 replies      
This is weird. Has Mozilla acquired any startups in the past? Feels weird to me for a browser non-profit to own a web app product.
grappler 9 hours ago 3 replies      
Pocket's post about the acquisition, referring to the main value their product brings, says, "a platform where high-quality, thoughtful content and free speech can rise above the rest."

Pocket used to have a feature aimed at surfacing high-quality content from the collection of things a user had already pocketed. They removed that feature. I was paying for their premium service before that change. After they removed it, I stopped the premium subscription because I wasn't sure what pocket's value to me was anymore.

Now they have a recommender that recommends things you haven't pocketed yet. But that just encourages the user to accumulate an ever larger collection of pocketed things, not surface the best things in that collection.

Ever since, I've reflexively kept saving things to pocket, hoping they would bring that feature back. But the only practical thing I have done with it is pull up something I just saved recently, because it will be near the top of the list.

Pocket's CEO also writes, "In fact, we have a few major updates up our sleeves that we are really excited to get into your hands in the coming months." I hope they will bring that feature, or something with a similar aim, back.

philfrasty 9 hours ago 10 replies      
I have used Pocket for the last five years or so. 99.5% of the articles I bookmark every day I never actually read. Probably should make me think why I use it at all...
chrisabrams 9 hours ago 1 reply      
As a former del.ici.ous engineer and user, I'm happy to see that Pocket will be in good hands for a while :)
kennymeyers 9 hours ago 0 replies      
Pocket is one of my favorite products to use. Congratulations to the team!
cpeterso 9 hours ago 0 replies      
The Firefox bug to open source Pocket: https://bugzil.la/open-pocket
ttam 6 hours ago 2 replies      
Dear Mozilla, I'd love to help out with Pocket.

As a concerned user, I even wrote this a few months ago http://constantbetasoftware.com/2016/09/02/pocket.html

How can I apply?

datatan 9 hours ago 5 replies      
So much for my hopes of them removing it from Firefox. Uhg.
dleslie 9 hours ago 0 replies      
As I do a fair amount of offline reading, I'm a fan of pocket.
hkmurakami 9 hours ago 1 reply      
I was shocked to read the news since afaik Mozilla had never made acquisitions like this in the past (which they mention in the post).

I'm excited though, since the reason I hadn't used Pocket in the past was because I didn't want to be part of yet another walled garden (YAWG?).

A quick look at Crunchbase shows that they'd raised $14.5M from investors. Given Mozilla's ~$300M of annual revenue, I wonder whether this leans towards an acquihire or a technology/product acquisition (definitely not a business acquisition). Difficult for me to assess the significance of 10M users for a company like Mozilla.

1wheel 2 hours ago 0 replies      
I hope they'll remove some of the "growth-hacker" stuff from the chrome extension. Modifying the new tab page and injecting links on pages by default is super annoying.
codeisawesome 1 hour ago 0 replies      
I LOVE POCKET! I'm only very happy to hear that it's Mozilla who has bought them. Warm feelings of security and privacy.
adultSwim 6 hours ago 0 replies      
I think this is great. I'm wary of add-ons/extensions so only run a couple (which are from providers I trust).

I didn't really trust my saved article data to a random startup. Being under Mozilla means now I'll actually use it.

dochtman 9 hours ago 2 replies      
I'll keep saying that Mozilla should acquire Fastmail.

Now that would be a strategic acquisition.

Roritharr 8 hours ago 3 replies      
After this, why should I donate to Mozilla? I really don't get what's the difference between donating to Mozilla and donating to Facebook. Facebook open-sources some of their stuff. Facebook buys companies to generate revenues... I guess Mozilla doesn't need help anymore.
resfirestar 9 hours ago 0 replies      
The first thing I do with a new Firefox install is remove the Pocket button, but I still welcome the prospect of seeing the Pocket service become open source and part of Firefox Sync. There are definitely some interesting ideas around the Context Graph, and hopefully the Pocket team will be able to help move the project forward.
gnicholas 8 hours ago 1 reply      
I use Pocket differently than most people here. I never save articles to Pocket; I just use their Recommended engine to find interesting articles to read. Some of these come from sources I regularly read (NYT), but others come from obscure sources or big sources that I tend not to read for whatever reason. In a small way, it helps me get news from outside my bubble, and sometimes I'll end up reading regularly from a source I discover through Pocket.

My only complaint is that a large portion of the Recommended content is junk from Business Insider. Hopefully this will wane as Mozilla's priorities are implemented.

mark_l_watson 8 hours ago 0 replies      
It sounds like a good plan, making Firefox a platform for organizing information while web browsing, research, etc.

A question: what advantages privacy-wise does Firefox have over Safari on iPad and macOS? I frequently delete all cookies on Safari and set strong privacy options. I ask because I have transitioned in the last year or so to working on my iPad and MacBook, largely letting my Linux boxes collect dust. On Linux, using Firefox was an easy decision. On iPad and MacBook, Safari is more convenient.

bearcobra 9 hours ago 3 replies      
Does this mark a strategy shift away from search revenue as the primary funding source? A quick Crunchbase search for other acquisitions by Mozilla yielded nothing, so I'm curious if there are other examples of them buying up for-profits.
wirddin 9 hours ago 0 replies      
Huge fan of the Pocket App. Any guesses for how much the deal would be worth?
rocky1138 7 hours ago 0 replies      
If you're interested in using Pocket in Chrome/Chromium but aren't ready to hand over the insane amount of permissions required for their official extension, you can run the Add to Pocket (mini) extension.


bravura 9 hours ago 1 reply      
Can Pocket please finally support Facebook links to non-Facebook context? And just strip the Facebook URL junk?

Otherwise, you have to click on a FB link to get the unmangled URL, thus counting against your number of free views every month.

no_wizard 7 hours ago 0 replies      
I never used pocket, but I use instapaper.

I wonder if Pocket will be completely free now or if Mozilla counts on this to fund more of its efforts. Beyond that, I also wonder if this means a read-it-later service will finally properly support RSS. Forgive me, I don't know the features of Pocket, but as I understand it, it does not, correct?

I've been using the built-in Firefox RSS feeder for years. With Pocket integration it'd be a lot more useful.

ptrptr 7 hours ago 0 replies      
https://blog.mozilla.org/blog/2017/02/27/mozilla-acquires-po... The explanation for this move is very laconic IMO. What are the benefits? We already know the majority of users were against even basic integration with Pocket.
AJRF 9 hours ago 0 replies      
I was wishing Pocket would offer AWS Polly playback for articles, so I started making my own app to do it. Now that it is going open source I might just piggyback on their parser, as it's a good bit better than mine.

Hope they build some Context Graph projects into Pocket, as there are some great ideas there.

dewiz 8 hours ago 0 replies      
When they add ML clustering to one's pages, so that I stop using bookmarks, and find useful stuff automatically grouped together, plus recommendations...then perhaps I'll start using it
shmerl 9 hours ago 0 replies      
That's interesting. I see they plan to open source it. I might even use it after that.
idlewords 7 hours ago 0 replies      
Scea91 9 hours ago 0 replies      
I've used Pocket in the past but when I started using Evernote I discovered that I do not need Pocket anymore. Is there any killer feature that I do not know about that Pocket offers and Evernote doesn't?
phs 8 hours ago 0 replies      
I've been lately dissatisfied with pocket and related apps for lacking some admittedly fringe features.

The possibility of adding them myself without rebuilding the whole app is exciting!

hitlin37 8 hours ago 0 replies      
This is really great news. I like the Pocket integration on the Kobo Aura One. I hope they keep improving that integration further.
xyos 10 hours ago 2 replies      
What will happen to Pocket Premium?
djhworld 8 hours ago 1 reply      
I use Instapaper on a daily basis, how does Pocket compare?
TekMol 5 hours ago 0 replies      
Mozilla has the resources to buy companies. But not the resources to make videos play smoothly. 2017 and Firefox has no hardware accelerated video playback on Linux.

Every time I read about something Mozilla does, I am reminded of this xkcd comic from 2013:


stonogo 8 hours ago 1 reply      
I will never again donate to the Mozilla Foundation.
gjjrfcbugxbhf 8 hours ago 3 replies      
Why would someone use pocket over zotero?
l3YAVThwTjo1mjl 9 hours ago 1 reply      
Will it become firefox exclusive?
kensai 9 hours ago 0 replies      
"save to pocket" :D
justanton 9 hours ago 1 reply      
How does Mozilla earn money?
DanCarvajal 9 hours ago 0 replies      
Two apps I no longer use because they became bloated and unfocused, they deserve each other
justin_vanw 9 hours ago 0 replies      
Synergy: One product that nobody uses is now bundled with another one.
vegabook 9 hours ago 0 replies      
I have no idea what Pocket is, but as a Firefox stalwart and a person looking to learn Rust, the fact that Mozilla is actually acquiring stuff gives me confidence on its financial stability. Very important issue in the decision making process on future technologies to back.
StudyAnimal 9 hours ago 0 replies      
Wow, I thought it would be the other way around!
throwaway206801 9 hours ago 2 replies      
Mozilla can spend money on this, but not Thunderbird or XUL-based extensions?
mi100hael 9 hours ago 4 replies      
> Mozilla is growing, experimenting more, and doubling down on our mission to keep the internet healthy, as a global public resource that's open and accessible to all.

...by buying a crappy, proprietary app?

manigandham 7 hours ago 2 replies      
This will give them plenty of data for their ad network, which is a nice strategic move. They always claimed to be privacy conscious so this is perhaps a nicer way to get interest and behavior information.
FCC weakens net neutrality rule in a prelude to larger rollbacks techcrunch.com
547 points by vivekmgeorge  3 days ago   306 comments top 24
guelo 3 days ago 3 replies      
I hate these types of articles that provide extensive quotes and even a screenshot of part of the pdf, but refuse to link to the actual documents. It's probably an advertising thing where they don't want people to leave the site.

The actual statements are available here https://www.fcc.gov/document/fcc-addresses-unnecessary-accou...

tomelders 3 days ago 4 replies      
Understandably, the conversation in here revolves around the technicalities and semantics of net neutrality. But this isn't an issue of technology. It's a political issue, or worse, an ideological issue. It's not about the empirical truths of net neutrality, or the collective intent of those who created, and those who continue to develop, the technology that has woven itself into the fabric of humanity. It's about ideologues imposing their ideals on every facet of our lives, regardless of the facts.

The sad fact is, this is yet another grim attack on net neutrality by nefarious agents who see the web as something to be dominated and bent to their will exclusively for political and economic gain.

Like it or not, the work we do is going to become highly politicised. Are we ready for this? Do we have the moral fortitude to resist the influence that fuzzy, sloppy, and emotive politics seeks to have on our discussions?

I think back to how we handled the Brendan Eich debacle. I (regretfully) came down on the punitive side of that argument. And I participated in that debate with a level of anger and vitriol that embarrasses me now. But whichever side you took, there's no doubt that for a brief moment we were deeply divided. The Brendan Eich story was a flash in the pan compared to what is about to happen.

Should we engage in political debate, or should we avoid it? Can we buck the trend and participate in political debate in way that doesn't tear us apart, or should we ignore it as it happens around us and impacts upon our lives and work? Or is there a path between the extremes, where we can be neither ignorant to our political leanings nor beholden to them?

I don't dare offer any advice on how we should prepare ourselves for what is about to come, I just hope we can all think about how we hope to respond before it happens.

One thing I will say though, being someone prone to highly emotional reactions in all aspects of my life; developing software in teams has taught me the value of "strong opinions, weakly held".

morgzilla 3 days ago 4 replies      
I can see how a bit of outrage about this is how the NRA got to the place it is today. This by itself isn't that meaningful, but anything can be politicized, turn public opinion and gain momentum. That's why the NRA's position is to say NO to any kind of gun regulation, because they know that's how you ensure guns are made available and gun culture is for sure secure.

In the tech community I see people rising up against any kind of movement against net neutrality. And I do not want to see it erode. But I worry that by becoming averse to any reversal, any compromise, the community's stance will eventually be so politicized that it is just another part of the unreasonable and ultra-biased political landscape that grinds progress to a halt.

jerkstate 3 days ago 13 replies      
Does anyone with a strong understanding of internetworking, peering and transit contract negotiation actually believe that "net neutrality" is possible? Traffic shaping of saturated links seems like a necessary outcome to not undermine the smaller users (i.e. low bandwidth communications) that are impacted by heavy users (i.e. video streaming) if two peering parties can't come to terms on cost sharing for link upgrades.
seibelj 3 days ago 3 replies      
I know several people who are highly involved with the FCC, telecom industry, and telecom law that think that "network neutrality" is just 2 words. Until 1970, and only because of lawsuits, it was illegal to connect anything to your phone line. You could get any phone you wanted from Ma Bell as long as it was black.[0] If you wanted a different color you had to pay extra. It took force to make Ma Bell and the FCC allow you to plug in your own phone, your own computer, etc. The FCC supports monopolies, if you want competition you should applaud the deregulation of telecom.

[0] https://en.wikipedia.org/wiki/Model_500_telephone#Ownership_...

subverter 3 days ago 9 replies      
This raises the limit on the number of subscribers a provider can have before regulation kicks in. In other words, a larger number of smaller providers have one less regulation to worry about.

Isn't more competition among providers what we want? Shouldn't we be doing everything we can even if it's saving 6.8 hours per year in regulatory compliance to help these smaller guys be able to take on these horrible behemoths like AT&T and Comcast?

woah 3 days ago 1 reply      
I asked this in another thread a few days ago, but why are edge servers and CDNs not a violation of "net neutrality"? If you've got an edge server on an ISP, and are paying extra for a leased line from your main data center to that server, you are effectively paying the ISP an additional fee for priority over other traffic on their hardware.
ryandrake 3 days ago 0 replies      
Article didn't load for me:

ERROR: TechCrunch is not part of your Internet Service Basic Web pack. For an extra $29.99 a month you can upgrade to Internet Service Extreme, offering access to over 50 more web sites!

Crye 3 days ago 1 reply      
Let me put my hat in the ring here.

Deregulation of access to consumers will result in cheaper internet and most likely faster internet speeds. However, it will concentrate power to those who already have it. Large ISPs will charge heavy bandwidth companies and only the largest heavy bandwidth companies will be able to afford the fees.

Those heavy bandwidth companies paying the fees will recoup the money through advertising. Remember newspapers and large TV media companies make the majority of their money through advertising. When companies rely on advertising, the users are no longer the customers. They are the product.

Further protecting the companies which rely on advertising will allow those companies to focus less on the customers and more on the advertisers. Companies relying on the allegiance of advertising will naturally shape their political standing to views of the advertisers. Remember also that advertisers are not paying for just eyeballs, but they are all paying for control. If a company starts moving away from their advertisers' political ideology they will lose revenue. Net Neutrality will ultimately give more control to companies that already hold power.

Just my two cents...

pasbesoin 3 days ago 0 replies      
Google Fiber got to a couple of nearby communities before they put the brakes on.

I'm left hoping that's close enough to branch out wireless service in short order.

Otherwise, I'm left screwed, between an AT&T that refuses to upgrade its local network (and it's a dense, accessible, suburban neighborhood -- hardly the boonies), and a Comcast that has doubled its rates for basically the same service. Both with caps that will quickly look increasingly ridiculous in the face of the wider world of data transfer.

We'll be back to them insisting on big bucks for asymmetric streaming of big-brand content, with increasing pressure to make that their content (a la data-cap exemptions, etc.)

dopamean 3 days ago 3 replies      
Why is the FCC against net neutrality?
VonGuard 3 days ago 3 replies      
This is the end. If we think this guy's gonna listen to the people, we're completely wrong.
rebase 2 days ago 0 replies      
I'd like to add the only optimistic response I can think of. The only benefit of deregulation is the opportunity for disruption of monopolies. Especially so in a landscape of tech.

If provider A starts providing terrible bandwidth, incredibly high prices, and terrible service, it means that that provider X has a lucrative opportunity to provide better bandwidth, better prices, and great service.

I hope these rules aren't used to help entrenched monopolies, but provide an ripe opportunity for the space to innovate.

I hope these rules will be on the wrong side of history, but there is little stopping anyone from using the free market to their advantage.

Pica_soO 2 days ago 0 replies      
I wish we had a slow, but high bandwidth alternative to the web in public hands. The problem is the infrastructure... if there was a way to create a GNU ad-hoc wifi network between every home hotspot - at least within a city, the web neutrality could be restored.
wav-part 3 days ago 1 reply      
Is net neutrality not better handled by IANA? If you are going to call your router "internet", you must treat all IP packets equally. Seems like reasonable terms to me. After all, this is the property that made the Internet what it is today.
fallingfrog 3 days ago 1 reply      
I suppose one way to enforce net neutrality might be to route all traffic through TOR.. that might mess up the caching for a service like Netflix though. (Could someone who knows more than I do comment on that?)
bobbington 3 days ago 0 replies      
Internet is plenty fast. Companies need to disclose what they are doing to customers, but government shouldn't regulate it
beatpanda 3 days ago 3 replies      
How long until access to the open internet costs extra?
lacroix 3 days ago 0 replies      
The FCC won't let me be
rocky1138 3 days ago 2 replies      
Can't we just create our own local Intranets using Ethernet cables running around cul-de-sacs?

Mine connects to yours which connects to his which connects to hers. Eventually we'll have formed a network.

transfire 3 days ago 0 replies      
This issue could well turn out to be Trump's Achilles' heel. If they go too far, the engineers that actually make the Internet work can easily bring the whole shebang down in protest -- and the world is so addicted to the Internet at this point the outrage would be deafening. And if Trump is too proud to back down...
nicnash08 3 days ago 3 replies      
bobbington 3 days ago 0 replies      
Leave it alone. Stop demonizing the companies that give Internet.
boona 3 days ago 1 reply      
If Trump also continues with his plan to deregulate as well, I'm of the opinion that this is great news. This could make Google Fiber and other similar undertakings much more viable. It always gives me the heebie-jeebies when government takes strong control over an industry. This is especially true in the case of the FCC, where their original mandate went from regulating airwaves to regulating the content of said airwaves.
Linus' reply on Git and SHA-1 collision marc.info
700 points by sampo  4 days ago   262 comments top 28
notfed 4 days ago 11 replies      
Pertinent facts for the worried:

1) Git doesn't rely on SHA-1 for security. It relies on HTTPS, and a web of trust.

2) Even if git did rely on SHA-1, there's no imminent threat. What happened today was a SHA-1 collision, not a preimage attack. If a collision costs 2^n, a preimage attack costs 2^(2n).

3) Even if someone managed to pull off a preimage attack, creating a "poisonous" version of one of your git repository's objects, they'd still have to convince you to pull from their repo. This requires trust.

4) Even if you pulled it in, your git client would simply ignore their "poison" object, because it would say, "oh, no thanks, I already have that object". At worst, the code simply wouldn't work. No harm would be done.

When it comes to git, an attacker's time is better spent creating a secret buffer overflow than wasting millions of dollars on a SHA-1 collision.

paulddraper 4 days ago 7 replies      
Linus has toned down a lot from a decade ago.

> You are _literally_ arguing for the equivalent of "what if a meteorite hit my plane while it was in flight - maybe I should add three inches of high-tension armored steel around the plane, so that my passengers would be protected".

> That's not engineering. That's five-year-olds discussing building their imaginary forts ("I want gun-turrets and a mechanical horse one mile high, and my command center is 5 miles under-ground and totally encased in 5 meters of lead").

> If we want to have any kind of confidence that the hash is really unbreakable, we should make it not just longer than 160 bits, we should make sure that it's two or more hashes, and that they are based on totally different principles.

> And we should all digitally sign every single object too, and we should use 4096-bit PGP keys and unguessable passphrases that are at least 20 words in length. And we should then build a bunker 5 miles underground, encased in lead, so that somebody cannot flip a few bits with a ray-gun, and make us believe that the sha1's match when they don't. Oh, and we need to all wear aluminum propeller beanies to make sure that they don't use that ray-gun to make us do the modification _ourselves_.

> So please stop with the theoretical sha1 attacks. It is simply NOT TRUE that you can generate an object that looks halfway sane and still gets you the sha1 you want. Even the "breakage" doesn't actually do that. And if it ever _does_ become true, it will quite possibly be thanks to some technology that breaks other hashes too.

> I worry about accidental hashes, and in 160bits of good hashing, that just isn't an issue.


chx 4 days ago 0 replies      
Extremely relevant discussion on Stack Overflow from 2012 on how git would handle a SHA-1 collision: someone called Ruben changed the hash function to be just 4 bits padded with zeroes and checked what git actually does on collisions: http://stackoverflow.com/a/34599081/308851
Strom 4 days ago 7 replies      
Downloading the PDFs [1] and comparing their sizes takes less than a minute. They're the exact same size. Yet here we have Linus making one bet after another that size has to be different for this attack.

Now to be fair, he also keeps repeating that he hasn't seen the attack yet. Which leads me to question why is this post interesting to HN? Is it to show how Linus aimlessly speculates and gets his guesses wrong?


[1] http://shattered.it/

cpeterso 4 days ago 0 replies      
Here is Mercurial's response to the SHA-1 attacks: "SHA1 and Mercurial security: Why you shouldn't panic yet."


stickfigure 4 days ago 4 replies      
Several years ago I worked on a security product that used git as a sort of tripwire-type database. Since SHA1 was considered inadequate for Real Security, we had to hack jgit to use SHA256. It took a stupid amount of work - the 160-bit hash size was scattered all over the codebase in countless magic numbers. But it worked.

The product was cancelled. I always wondered if the patch would be of any use to anyone.

mcbits 4 days ago 1 reply      
In 20 years, the $100,000 attack will be a $100 attack (or perhaps a $1 attack), but programmers of the day will be overwhelmed with fixing all the 32-bit timestamps that everyone ignored for 50 years because the clearly forecast problem hadn't blown up in their faces quite yet.
vog 3 days ago 1 reply      
So many paragraphs in the beginning, just to finally read:

> Do we want to migrate to another hash? Yes.

Wouldn't all that time trying to explain away the SHA-1 issues be better spent on developing a safe transition plan? Work on this could have started long ago, and if it had started, going from SHA-256 to SHA-512 to SHA-3 to ... would be a no-brainer by now.

In the simplest case, ensure that all newly created git repositories work with SHA-256 by default (or SHA-512, or whatever), and switch back to SHA-1 for old repositories.

In the more advanced case, provide the possibility for existing repositories to have multiple hash values (SHA-1, SHA-256) for every blob/commit, then phasing out client support for old hashes as time goes on. When some SHA-1 collision happens, those who use newer git versions would notice and keep having a consistent repository.

If all those different browsers and web servers were able to coordinate an SSL/TLS hash transition from SHA-1 to SHA-256, then a protocol like git with roughly 2 widespread implementations should be able to do that, too.

phaemon 3 days ago 0 replies      
There is some speculation on whether Linus got it right or wrong, but I haven't seen anyone actually test this with the shattered-1 & 2 files, so I did.

Git sees them as different despite them having the same hash. You can test with:

 mkdir shattered && cd shattered
 git init
 wget https://shattered.it/static/shattered-1.pdf
 git add shattered-1.pdf
 git commit -am "First shattered pdf"
 git status
 wget https://shattered.it/static/shattered-2.pdf
 sha1sum *
 md5sum *
 mv shattered-2.pdf shattered-1.pdf
 git status
So it doesn't see the files the same.

Apologies for those on mobile (please fix this HN!): the commands are:mkdir shattered && cd shattered && git init && wget https://shattered.it/static/shattered-1.pdf && git add shattered-1.pdf && git commit -am "First shattered pdf" && git status && wget https://shattered.it/static/shattered-2.pdf && sha1sum * && md5sum * && mv shattered-2.pdf shattered-1.pdf && git status

EDIT: Ah, of course! git adds a header and takes the sha1sum of the header+content, which breaks the identical SHA1 trick. You can add a footer on and they keep the same SHA1 though. Don't have time to play about with this more just now, but try it with `cat`ing some identical headers and footers onto the pdfs.

EDIT2: Actually, this is discussed more extensively in the other thread which I hadn't read yet. Go there for more details: https://news.ycombinator.com/item?id=13713480

dlubarov 4 days ago 1 reply      
> That usually tends to make collision attacks much harder, because you either have to make the resulting size the same too, or you have to be able to also edit the size field in the header.

> pdf's don't have that issue, they have a fixed header and you can fairly arbitrarily add silent data to the middle that just doesn't get shown.

This doesn't seem like much of an obstacle, since you can add silent data to all kinds of files, like

- With HTML, JS, etc. you can just add whitespace.

- Some formats like GIF89a have variable-length comments.

- With any media format that uses palettes, you can add extra, unused colors.

- Just about any compression algorithm can be tuned to manipulate the compressed size. E.g. with DEFLATE (which is used by PNG in addition to some archive formats), you can use a suboptimal static coding rather than the correct Huffman tree.

- With most human-readable document formats, you can add zero-width spaces or something similar.

moonshinefe 3 days ago 4 replies      
Correct me if I'm wrong, but if you're letting untrusted people push to your git repositories, you're pretty much screwed anyway.

Given a case where someone with permission to push gets compromised and a malicious actor can pull this sha-1 attack off, aren't there bigger problems at hand? The history will be there and detectable or if they're rewriting history, usually that's pretty noticeable too.

I may be totally missing a situation where this could totally screw someone, but it just seems highly unlikely to me that people will get burned by this unless the stars align and they're totally oblivious to their repo history. So I guess I agree with the "the sky isn't falling" assessment.

robertelder 4 days ago 1 reply      
I posted this on the reddit thread, but I thought it would be interesting to hear feedback here too:

I don't know much about git internals, so forgive me if that is a bad idea, but what does everyone think about it working like this:

If future versions of git were updated to support multiple hash functions with the 'old legacy default' being sha1. In this mode of operation you could add or remove active hashes through a configuration, so that you could perform any integrity checks using possibly more than one hash at the same time (sha1 and sha256). If the performance gets bad, you could turn off the one that you didn't care about.

This way, by the time the same problem rolls around with the next hash function being weakened, someone will probably have already added support for various new hash functions. Once old hash functions become outdated you can just remove them from your config like you would remove insecure hash functions from HTTPS configurations or ssh config files. Also, you could namespace commit hashes with sha1 being the default:

git checkout sha256:7f83b1657ff1fc53b92dc18148a1d...

git checkout sha512:861844d6704e8573fec34d967e20bcfef3...

Enabling/disabling active hash functions would probably be an expensive operation, but you wouldn't be doing it every day so it probably wouldn't be a huge problem.

hannob 3 days ago 1 reply      
The Git docs have some very specific claims about cryptographic integrity of git:


These claims are wrong as long as it uses SHA-1. Full stop.

It'd be really nice if git had cryptographic integrity. Not just because it'd prevent some attacks on git repos, but because it'd make git essentially a secure append only log. Which would be interesting, as it'd more or less automatically give some kind of software transparency for many projects.

almog 4 days ago 4 replies      
Do you know if git objects' size header was designed to deal with a possible collision or does it serve another purpose as well?

Just some context - git calculates an object's name from its content in the following way. Say we have a blob that represents a file whose content is 'Here be dragons!', then the file name would be:

 printf 'blob 17\0Here be dragons!\n' | openssl sha1 # => a54eff8e0fa05c40cca0ab3851be5aa8058f20ea
So the object gets stored in '.git/objects/a5/4eff8e0fa05c40cca0ab3851be5aa8058f20ea'
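
The header-prefix behaviour described in this post and in phaemon's edit above, as an added example (not from the thread and not git's own code): it computes an object id the way git does, derives the loose-object path, and compares two inputs under plain SHA-1 (what sha1sum reports), git's blob hashing, and SHA-1 with a shared footer appended. The shattered PDFs are not embedded, so the sample inputs are constructed; pass two file paths on the command line to run it on real files.

```python
"""Git object ids versus plain SHA-1 of file contents (added example)."""
import hashlib
import sys


def git_object_id(data: bytes, kind: str = "blob") -> str:
    """Return the hex object id git assigns to `data` stored as `kind`.

    Git does not hash the raw content; it hashes the header
    "<kind> <byte-length>\\0" followed by the content, which is why
    `git hash-object` disagrees with `sha1sum` on the same file.
    """
    header = f"{kind} {len(data)}\0".encode("ascii")
    return hashlib.sha1(header + data).hexdigest()


def loose_object_path(oid: str) -> str:
    """Where a loose object lives: the first two hex chars name the directory."""
    return f".git/objects/{oid[:2]}/{oid[2:]}"


def compare(a: bytes, b: bytes) -> dict:
    """Compare two byte strings under the hashings discussed in the thread.

    - sha1_equal: plain SHA-1 of the bytes (what `sha1sum` prints).
    - git_blob_equal: git's header-prefixed blob hash. A different prefix
      changes the SHA-1 chaining state before the colliding blocks, so a
      prefix-sensitive collision such as the shattered PDFs no longer holds.
    - sha1_with_footer_equal: SHA-1 after appending the same footer to both.
      For two same-length inputs that already collide, a shared suffix keeps
      the collision (Merkle-Damgard construction); the footer is constructed.
    """
    footer = b"\n%% constructed trailing footer %%\n"  # constructed sample suffix
    return {
        "same_size": len(a) == len(b),
        "sha1_equal": hashlib.sha1(a).digest() == hashlib.sha1(b).digest(),
        "git_blob_equal": git_object_id(a) == git_object_id(b),
        "sha1_with_footer_equal": (
            hashlib.sha1(a + footer).digest() == hashlib.sha1(b + footer).digest()
        ),
    }


def report(label: str, data: bytes) -> None:
    """Print sha1sum-style digest, git blob id and loose path for one input."""
    oid = git_object_id(data)
    print(f"{label}: {len(data)} bytes")
    print(f"  sha1sum      {hashlib.sha1(data).hexdigest()}")
    print(f"  git blob id  {oid}")
    print(f"  stored at    {loose_object_path(oid)}")


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # e.g. shattered-1.pdf shattered-2.pdf downloaded from shattered.it
        with open(sys.argv[1], "rb") as fh:
            first = fh.read()
        with open(sys.argv[2], "rb") as fh:
            second = fh.read()
    else:
        # Constructed sample inputs; these do not collide under any hashing.
        first = b"Here be dragons!\n"
        second = b"Here be drag0ns!\n"
    report("first", first)
    report("second", second)
    for key, value in compare(first, second).items():
        print(f"  {key}: {value}")
```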

gsylvie 4 days ago 1 reply      
sandov 4 days ago 0 replies      
Sorry for my ignorance, but isn't SHA-1 in git supposed to protect only against data corruption and not against someone maliciously replacing the entire repo?
CJefferson 3 days ago 0 replies      
I wish they'd thought about this in advance. So many little things (like suffixing every hash with '1', and rejecting commits with hash values which don't end with '1') would have made the switchover much easier to do in a backwards-compatible way.
nialv7 4 days ago 1 reply      
> but git doesn't actually just hash the data, it does prepend a type/length field to it.

To me it feels like this would just be a small hurdle? But I don't really know this stuff that well. Can someone with more knowledge share their thoughts?

I think Linus also argued that SHA-1 is not a security feature for git (https://youtu.be/4XpnKHJAok8?t=57m44s). Has that been changed?

meta_AU 3 days ago 1 reply      
Painful to read all the 'this isn't an issue because of bad reason X, Y, Z'.

Git can implement checking for easily collided data and warn the user, potentially even look to implement the safer hash countermeasures too. The fact that this isn't a second preimage, or that SHA1 isn't used to auth a repo doesn't really factor in to it.

htns 4 days ago 0 replies      
This is a shocking aspect of crypto. Old standards get broken regularly, yet people waltz around with a "it would be embarrassing to do more since no one else does" attitude.
chmike 3 days ago 1 reply      
There is not much risk now, but git should be able to switch to another and longer hash. Truncating another hash to 40 chars does not "fix" the problem. It just moves it into another place.

Another possibility, but this is a hack to keep key length to 40 chars, would be to change key encoding from hex encoding to base64. In 40 chars you could encode 240 bits instead of 160. It is preferable to get rid of the hard coded 40 char limit. It shouldn't be that hard.

hzhou321 4 days ago 1 reply      
What exactly is the security issue on a repository?
budu3 3 days ago 0 replies      
Can someone with more expertise shed more light on this? What does he mean? What kind of things are they hiding in the Git commit? If git is open source then how can they hide anything?

> Git has opaque data in some places (we hide things in commit objects intentionally...

Gaelan 3 days ago 0 replies      
I've been toying with the idea of modifying git to use (iirc) SHA-256 so that any commit hash could be downloaded directly from IPFS. Seems like as good a time as ever.
trengrj 4 days ago 2 replies      
So would it be possible to migrate to a different hash seamlessly?
detronizator 3 days ago 0 replies      
I'm not an expert on SHA-1 collisions, but I'd take Linus' word for it. :)
wmccullough 4 days ago 1 reply      
Normally I eye roll whenever I see that there is some sort of reply to anything from Linus, but this time I agree with him.
An Open Letter to the Uber Board and Investors medium.com
647 points by sdomino  4 days ago   374 comments top 30
tyre 4 days ago 5 replies      
This is a great example of why you should make sure that your goals align with those of your investors.

Kapor Capital has a strong focus on social impact companies that benefit the disadvantaged.[1]

Travis is a phenomenal salesman and fundraiser. Travis convinced Kapor that, amongst other things, Uber was a platform for democratizing transportation, citing things like racism amongst taxi cabs to spin Uber as social good.

So now you have a company that isn't actually what it pitched itself to be. For many investors, hyper-growth and skyrocketing valuation will wipe out other concerns around culture, impact, etc.

The Kapors are showing (awesomely, in my personal opinion) that they are serious about their social mission. They're doing what they can to influence a portfolio company to live up to their expectations. Travis probably doesn't like that (it sucks to be called out!), but that's why you take investment based on aligned interests and not just awesome salesmanship.

[1]: http://www.kaporcapital.com/who-we-are/

lightyagamai 4 days ago 4 replies      
I'm a former Uber s/w engineer. I've been with Uber for nearly 2 yrs and most of the article's content is valid. Employees voicing genuine concerns will be met with severe rebuke. This will be swept under the carpet sooner or later. For customers, the quality and experience of their ride is the only thing that will matter. This won't even affect their business.
rdl 4 days ago 17 replies      
I would be exceedingly reluctant to work with an investor who writes an "open letter" to a company in a situation like this, and particularly when that letter calls out the CEO in a pretty gratuitous way ("and we have both been contacted by senior leaders at Uber (though notably not by Travis, the CEO)"). You're supposed to be able to be open with investors and other advisors, so this is a deep breach of trust in a non-public company. I can't see taking advice from and sharing confidential or sensitive information with someone who has done that to you in the past.

(The sad part is I agree Uber has a problem and needs to change; Susan Fowler's blog post was remarkable.)

throwaway991999 4 days ago 6 replies      
Made a throwaway name because I have an unpopular opinion.

We've likely read Susan Fowler's blog post. If true, it's awful behavior on the part of HR and management at Uber, and action should be taken.

But that's the thing: a blog post does not establish truth. We've heard from only one side of the story. No one ever asks about the other side, or about whether we are being misled. We only talk about the bravery of the author and condemn the other side.

I think the saddest part of our collective behavior is how quickly we come with pitchforks to a witch trial. We must remember that justice is not decided on Twitter, or on blogs. Justice is not decided by the voice of the accuser.

Did you see evidence besides Susan Fowler putting phrases in quotation marks? She mentions screenshots of improper behavior but provides none. What if tomorrow new evidence comes out that this whole thing was exaggerated or flat out wrong? How would it feel to be so easily manipulated into drawing a conclusion, into retweeting a fiction, into writing an open letter?

smallgovt 4 days ago 18 replies      
I'm sure this will be an unpopular opinion since most of us agree with what Mitch is saying and rightfully want change, but as a founder, this sort of behavior from an investor seems to be a giant breach of trust.

In early rounds, founders are looking for investors who will trust management to make decisions in the best interest of the company. EVEN if they don't agree with those decisions, it's expected that they'll be a team player and provide support in whatever way possible.

I'm sure Mitch thinks what he's doing is in the best interest of the company (and it probably is!). But he surely doesn't have perfect information on what's going on (only management has a full picture).

flyingramen 4 days ago 7 replies      
What would an ideal way forward be for Uber? Recent incidents combined with a tainted past make public trust in Uber not the best.

Lots of people have suggested these problems stem from the culture. The culture of companies and people is similar to the culture of, say, bread. The starter really matters and sets the tone. I'd be interested in hearing from people who have seen a drastic change in culture at a big place or, better yet, have been behind that change.

The other idea is it could just be a few rotten apples giving everyone a bad name. I don't know the answer.

finkin1 4 days ago 3 replies      
Maybe the claims made by Susan Fowler are accurate and honest, maybe they aren't. This is why there are investigations. We want the truth, not a bunch of opinions which may or may not be credible.

The author seems to be claiming that Eric Holder is not suited to run such an investigation. Seems reasonable to me. Uber should find someone else.

My problem with the author is that it's pretty apparent conclusions are being drawn without actual evidence.

ebbv 4 days ago 0 replies      
Bravo to Mitch and Freada Kapor for going out on a limb like this. Uber has been toxic for years and everyone has remained silent. Every PR crisis has been swept under the rug and nothing has apparently changed. Hopefully an investor speaking up in this way will finally prompt the board to treat the problems in Uber seriously and have a truly independent investigation done.
princetontiger 4 days ago 2 replies      
Silicon Valley for the past five years has been afflicted by Wall Street ethics. I've seen this first hand at a few SV companies. As a male, I've actually faced reverse harassment. Never worked at Uber, but I'm speaking of much larger SV companies. HR is useless.

Silicon Valley is no different than any other place in the World. Just because people think they are "changing" the world doesn't mean ethics need to be on the line.


powera 4 days ago 2 replies      
This is a corporate crisis for Uber.

Right now, Uber is very clearly following the playbook that historically leads to dead companies.

It needs a truly credible response, not one that happens to use some celebrities they have on hand.

webXL 3 days ago 0 replies      
While those actions (and inaction) at Uber are despicable, part of me thinks that this was inevitable. In order to break up an entrenched, crony industry like ride hailing, you end up taking on some of their characteristics. Getting a female cabbie is incredibly rare in big cities[1], and associating with male drivers all the time is bound to produce some chauvinistic behaviors.

I'm not excusing the behavior, but I think this definitely rubbed off on them. It's an ends justify the means mentality, and it might not have been necessary under a different power structure. I suppose there's a chance that Lyft could have done it right, but who knows how they would have handled the other PR battles. Hopefully a new crop of managers at Uber, eventually dealing with a much more diverse group of drivers, one that includes machines, will be much less chauvinistic.

[1]: https://www.theatlantic.com/business/archive/2014/08/how-ube...

jonthepirate 4 days ago 3 replies      
As an investor in Lyft, I'm sorry to say that I hope Uber doesn't change anything they're doing. The Uber management is the best thing that's happened to my personal finances in a while.
rdiddly 4 days ago 1 reply      
Great sentiment, but I don't suppose anyone had the brilliant idea of actually divesting their holdings in Uber, rather than just talk-talk-talking? Wanting them to change, and being in a position to profit from the status quo, are kind of mutually-contradicting, are they not?

Looking for any investor with enough integrity and conviction to send a stronger message... I know, dream on, plus who would buy anyone out at this ridiculous level of overvaluation?

the_common_man 4 days ago 4 replies      
Does anyone know why Susan chose to "blog" instead of filing a law suit?
matz1 4 days ago 1 reply      
In reality, how many people really care about the sexual harassment?
socrates1998 4 days ago 1 reply      
It's going to be interesting to me to see how this all affects Uber's bottom line.

If they keep scaring away engineers and getting bad publicity, will it scare away customers too?

Or will the trail of engineers eventually catch up with the quality of the experience?

happy-go-lucky 4 days ago 0 replies      
> success must be measured in more than just returns.
nurettin 4 days ago 0 replies      
IF lyft is behind all this, I'm impressed.
mfringel 3 days ago 0 replies      
I've said it before and I'll say it again:

Uber has started a revolution. I do not require them to survive it.

mrgriscom 4 days ago 1 reply      
Wow, lotta founders showing their true colors in this thread re: contempt for their investors.
zizzles 3 days ago 1 reply      
> So apparently the problem is not fully solved.

You are completely right.

The problem of poor, dirty, violent, urban-youth infested communities is not fully solved.

erikb 3 days ago 3 replies      
What do people here think about Susan's way of doing things? While I think most of her behaviour is valid and I'm impressed by her professionalism, I think she starts too fast to report people, which costs her political power to achieve her goals and makes people in HR more pissed off than necessary. E.g., being hit on by colleagues is a common thing that happens to women. But some can deescalate it without much problems. She didn't even try to deescalate it, just report it and be done with it.

It's a minor thing compared to all that which happened to her and I'm mostly thinking about it in terms of my own career strategy.

petergatsby 4 days ago 3 replies      
"As investors, we certainly want to see Uber succeed, but success must be measured in more than just returns."

-- Sure, but Uber is already a mission-driven company whose success is inversely proportional to horrible things like DUI deaths -- statements like these impede their progress

ffef 4 days ago 4 replies      
As a male in my early twenties working as a developer, I've come to realize that it's just better to not even try to engage in small talk and/or non-work related conversations with female co-workers. I keep it dry and basic. Just last week I had a buddy who was on the phone with his brother and blurted "Bro, she was amazing, then I left her house haha". He was fired the next day because a co-worker overheard his conversation and felt uncomfortable.
anjc 4 days ago 1 reply      
An investor issues veiled threats while acting as if they're owners or management. Who cares if you're "available to make suggestions", and what makes you think you're entitled to work behind the scenes to change company culture?
mevile 4 days ago 4 replies      
I may be in the minority on this point of view, but maybe it's in the interest of the board and investors to wait on the results of the independent investigation before commenting on the contents of the accusation. They could, though, make a statement in support of the investigation and employees.
petergatsby 4 days ago 1 reply      
Fowler's post shed light on Uber's serious internal problems -- no doubt. But going public with a post like this erodes founder-investor trust. It's across the line.

Publicly condemning the internal culture the post depicted would be reasonable, even helpful, but trying to "expose" Uber's leadership for showmanship and posturing ('hiring' Holder, who was ostensibly involved long before the Fowler post) to mitigate the PR fallout is counterproductive. Don't kick your founder when he's down.

Annotation is now a web standard hypothes.is
605 points by kawera  1 day ago   152 comments top 39
nostrademons 1 day ago 7 replies      
Is anyone using these? The blog post is put out by a company I've never heard of, and the credits listed on it include nobody who works on a browser, no major websites, and no comment-widget company.

Historically, web standards where a committee gets together and decides how a feature is going to look without the buy-in of users or browser vendors have a very poor track record of adoption. The way actually-successful web features get standardized is that users start clamoring for it, which leads someone to build a hacked-up JS implementation of it, which leads to a company founded around that hacked-up JS implementation, which leads to competition, which leads to browser vendors building it into the browser, which leads to an open standard.

Trying to skip steps doesn't seem to work. If you build the feature without users who want it, nobody will use it. If you build the company without the prototype, you won't get a working implementation. If you build it into the browser when there's a dominant monopoly company, people will continue to use the company rather than the browser's version (this is the story of Google vs. IE+Bing & Facebook vs. RSS & semantic web). If you standardize it before it's been adopted by multiple browsers, people will ignore the standard (this is the story of RDF, the semantic web, and countless other W3C features that have fallen into the dustbin of history).

And if any one of those parties are not at the table when the standard is written, they'll ignore the standard anyway.

gaxun 1 day ago 1 reply      
I spent about 40 hours in December and January implementing a browser extension for Chrome and a server that speak the web annotation protocol and use the web annotation data model in this specification.

It was very easy to pass the tests the W3C working group used to verify that they had two working implementations of the data model and protocol. Most of the tests default to passing if the specified tag is not present. Basically, it's not clear whether a serious, real attempt to use this has been made. I'm unconvinced that the specification is robust enough to be useful without ending up with a lot of vendor lock-in.

The toy extension was playing around with using these annotations to alert publishers and potentially other users of typos in their articles and pages. It would be nice to have a side channel to report typos other than just using the comment section or trying to find an email address. Will the "meta web" ever catch on?

I never published it but I still might add a page about my experience on my website. I have posted about the idea there before.

blueyes 1 day ago 2 replies      
I know Dan Whaley, the author of the post, personally. This is not about promoting a company. This is about allowing people with knowledge to combat fake news. He has been working to make annotation a web standard for years. The fake news that he, in particular, is worried about is climate change denial. The pages of the WSJ and much of the Web are riddled with BS. This annotation enablement will allow, for example, climate scientists to set up channels that annotate the falsehoods and point to credible sources and facts.
mcbits 1 day ago 2 replies      
This is the first I've heard of this annotation initiative, so maybe I'm misunderstanding... Annotations are tied to a particular location within the content but maintained independently of the content and publisher?

What happens if the content changes? Random example: Someone highlights a picture of salad and notes "my favorite food!" and then the publisher changes the image to show roadkill instead of salad.

robbles 1 day ago 3 replies      
Federated comments/annotations sound really cool from a developer's point of view, but also seem like a nightmare for publishers. If you cede administrative control over the comments on your site, how do you control trolls/attacks/spam/etc.?

Services like hypothes.is can do some filtering automatically, but this is missing the level above that - editorial privileges on comments on your own domain.

JulianMorrison 15 hours ago 2 replies      
Comments you can't turn off and can't moderate and from which you can't ban misbehaving users seem to me like they will turn immediately into a cesspool of hate, bullying and stupidity.

You'd think we'd have learned our lesson by now. Free speech, by awful people, is overrated and can result in disasters.

soheil 1 day ago 2 replies      
A lot of startups/websites exist solely, and sometimes to a large extent, because there is no standard annotation capability on the web, e.g. Stumbleupon, Reddit, Hackernews! (Medium highlights), comment sections on any page (even NY Times articles!). Sites not having direct control over which comments should stay and surface to the top and which ones should go is going to be huge.

In my opinion this will open up the web immensely and make the web much more democratic, will be interesting to see how major players react.

libertymcateer 10 hours ago 0 replies      
This is pretty interesting. So, personal story:

* About a year and a half ago, I thought about getting into this field. I built http://lederboard.com as a result - it works pretty well, actually (plenty of bugs behind the curtain) but the idea was to try and open it up as a standard.

* If I do pick lederboard up again, I will likely convert it to use this open standard.

* My goal was always to have the 'features' of lederboard not be in the annotations themselves, but in the moderator controls, the ability to follow sites and specific users, etc., and to basically act like reddit-enhancement-suite for an internet-wide commenting system.

* However, I realized this was a truly tremendous mountain to climb. Like, crazily huge. So I wound up going in a different direction.

In any event, I think that the guys at Genius should take note of this and consider it very seriously. They raised a whole lot of money and, as far as I can tell, this is a direct shot across their bow and it has the backing of W3C, which is huge. I am pretty happy I didn't wind up in the middle of that fight. Though maybe I might get back into at some point.

In the meantime, I am focusing on easy-to-use encryption: http://gibber.it . I think that is probably a little more important right now. For background, I am a practicing attorney with a pretty substantial practice in software, startups, corporate finance and information law.

foxhedgehog 22 hours ago 1 reply      
I've been wanting to provide a high-fidelity many-to-many commenting system inside of a text editor or browser since I was in college. My thought was that if you could annotate something as complex as Shakespeare:


then you could annotate legal documents, code, and other high-density texts as well.

I've long felt that existing solutions fall down in a few ways:

1. UX -- this is a HARD UX problem because you are potentially managing a lot of information on screen at once. Anybody staring at a blizzard of comments in Word or Acrobat knows how bad this can get.

2. One-to-one -- Most existing exegesis solutions like genius.com only let you mark off one portion of text for threaded commentary, which is not ideal because complex text like the above example can have multiple patterns working in it at the same time:

http://imgur.com/x6BKKQW (a crude attempt to map assonance and consonance)

Really, what a robust commentary system needs is to map many comments to many units of text, so that the same portion of text can be annotated multiply (as this solution attempts) but also so that the same comment can be used to describe multiple portions of text as well.

3. Relationships between comments -- It's great that this solution gives threaded comments as a first-class feature, but you also want to be able to group comments together in arbitrary ways and be able to show and hide them. In my examples above, there are two systems at work: the ideational similarities between words, and the patterns of assonance / consonance. You could also add additional systems on top of this: glossing what words or phrases mean (and in Shakespeare, these are often multiple), or providing meta-commentary on textual content relative to other content, or even social commentary on the commentaries. You need a way to manage hierarchies or groups of content to do this effectively. No existing solution that I am aware of attempts this.

I literally just hired somebody yesterday to start work on a text editor that attempts to resolve some of this, but it's an exceedingly hard problem to solve with technology.

hyperion2010 1 day ago 0 replies      
Congrats to all the hypothes.is folks and everyone who worked on this!

I have been working with the hypothes.is folks for almost 2 years and have been using hypothes.is for manual tagging and automated annotation so I'm a bit biased. I have seen criticism that the standardization process was premature but given how hard it is to get browser vendors to implement things I think this could make a difference. That said, the way Microsoft did their annotation in Edge was just to take pictures of sites.

One of my hopes is that things like annotation can pull us back from the brink of the javascript apocalypse since it is very hard to annotate arbitrary states of a running program.

state 1 day ago 1 reply      
I first met someone working on hypothes.is at a party about, I don't know, eight years ago? Ten years ago? They pitched me more or less this exact idea. It seemed interesting at the time.

Is this really how long it takes to realize something like this? Sort of boggles my mind.

wyc 1 day ago 0 replies      
The online book Real World Haskell[1] has used a more integrated form of annotation via comments directly under each passage. It's pretty fun to observe how the comments play into the content...sometimes they're wonderfully constructive and other times they derail more useful discussion. It'll be exciting to see how these social norms evolve with the technology.

[1] sample chapter, http://book.realworldhaskell.org/read/programming-with-monad...

pen2l 1 day ago 1 reply      
I wonder how Genius feels about this news. But they were the ones rooting for this future, so probably they will be happy I think.
benmarks 1 day ago 1 reply      
I like the idea of an inherent ability for annotations to exist, but I think the glue will still be annotation (read: comment) vendors. My head hurts trying to conceive of existing commenting platforms facilitating this - especially since they exist in large part due to these ease of integration thanks to their walled central storage. That said, the door for disruption is much more open than before.
Animats 1 day ago 2 replies      
So who manages Annotation Central? Disqus? Google? Facebook? The State Administration of Press, Publication, Radio, Film and Television of the People's Republic of China?
bluejekyll 1 day ago 2 replies      
I think this is great news. As someone who blogs irregularly, I don't want to spend a ton of time integrating each discussion area into my site. This seems like it could lead to a very elegant way to automatically get that integration. It would be great to also get notified as discussion is happening in the various sites; without reading the spec, it's not clear to me if that's part of the standard.
thekodols 11 hours ago 0 replies      
This is such a great project. The potential here is just immense. I wish dwhly and everyone at hypothes.is the best of luck.

P.S. This url - https://hypothes.is/register - accessible from most pages by clicking "sign up" in the top-right corner, presents an error and doesn't redirect anywhere. https://hypothes.is/signup works fine, however.

strictnein 11 hours ago 1 reply      
To be honest, this sounds horrid:


An easy prediction: with wide usage of this, any page that generates a non-trivial amount of traffic will be in such a state as to make reading the annotations pointless at best.

Falkon1313 1 day ago 1 reply      
This sounds like a great way to reduce spam and trolling. It would give you the choice to see discussion by friends_and_family group, your professional_colleagues group, your casual_social_friends group or whatever instead of by the random_youtube_comment_trolls group. A possible downside would be that the filter bubble and confirmation bias would be web-wide if a user only selects groups that they agree with (as many would be likely to do).
netcraft 1 day ago 0 replies      
Annotation itself is great, but there are other (unsolved?) problems - I just recently came across this very implementation thanks to a HN comment - after trying it out it suffers from not being able to be tied to revisions of pages - install the plugin and go to the home page of any major news outlet - there are comments from years ago - that works fine if it's a news article - but not on a page that changes every day if not hourly. Also to get rid of comment widgets on pages you need to be able to subscribe, which I don't see any way of doing.
tyingq 1 day ago 1 reply      
Reputation management companies are going to love this.

Currently, negative information (even if true) isn't as easily discoverable. This ties it all to every one of your pages. With, as far as I can tell, no direct control over moderation.

I suspect many website owners are more concerned about legit complaints that aren't easily discovered than they are about spam.

And, once reputation mgmt creeps in, that good (but negative) information will be buried with astroturfed annotations.

tomatsu 1 day ago 3 replies      
Does it do anything to prevent spam?
huula 11 hours ago 0 replies      
I'm using a self-made web page annotation extension on chrome every day. It lets you mark the important information on any webpage, which is very useful for docs that you will come back and visit frequently.
StevePerkins 16 hours ago 0 replies      
Man, normally I hate it when people on HN talk about an article's layout or font kerning rather than its content.

However, this thing is just completely illegible without reading glasses and 150% zoom... and it's still uncomfortable even then.

I would be surprised if this company has anyone age 40 or up who actually looks at their own website on a regular basis.

antman 19 hours ago 0 replies      
The hypothesis team gives for their product only dev install instructions, there is only an old docker recipe, the offline install seemed to go through their website for authentication, and when I asked on their IRC for proper installation instructions they said it's on their TODO (last year).

I think that proper installation instructions, perhaps with docker compose, are more important than blog posts about annotation importance.

Dangeranger 1 day ago 3 replies      
If I leave an annotation with this standard must that annotation be public? Are there options for private annotations?

How much private data about my browser and my host am I leaving when an annotation is created?

Is there a practical way to delete these both from the page and the public record, or would they be stored in perpetuity?

perlgeek 21 hours ago 0 replies      
I'm curious to see how the legal front proceeds when this becomes more popular.

Somebody will post a slanderous comment on a company's website, the company will be very unhappy, and sue the comment provider for blending the comment into the company's website.

Is that free speech? Or is the comment not protected, because it's shown on the company's website, and thus should be under the company's control?

sanqui 19 hours ago 0 replies      
This sort of reminds me of Google Sidewiki: https://en.wikipedia.org/wiki/Google_Sidewiki
jachee 1 day ago 1 reply      
This is interesting. I hope it doesn't slow things down too much or become another spam vector.

Aside: That interactive SVG slide-show is pretty impressive in itself.

soheil 1 day ago 0 replies      
If this is going to be such a fundamental part of the web as claimed and integral layer, Annotation seems like a peripheral term and not whatever this ends up as deserves.
jlebrech 19 hours ago 0 replies      
double edged swords, could be good for trolls and also good to fight trolls (if moderators use it)
adamnemecek 1 day ago 3 replies      
this will fundamentally change the internet
aaronharnly 1 day ago 1 reply      
From Vannevar Bush's celebrated 1945 article, "As We May Think"[1], imagining the "memex" that is recognized as the conceptual forebear of hypertext and the web:

First, the core concept of associative indexing:

Our ineptitude in getting at the record is largely caused by the artificiality of systems of indexing. When data of any sort are placed in storage, they are filed alphabetically or numerically, and information is found (when it is) by tracing it down from subclass to subclass... The human mind does not work that way. It operates by association. With one item in its grasp, it snaps instantly to the next that is suggested by the association of thoughts, in accordance with some intricate web of trails carried by the cells of the brain.

Introducing the memex:

Consider a future device for individual use, which is a sort of mechanized private file and library. It needs a name, and, to coin one at random, "memex" will do. A memex is a device in which an individual stores all his books, records, and communications, and which is mechanized so that it may be consulted with exceeding speed and flexibility. It is an enlarged intimate supplement to his memory.

Associating one item with another is the essence of the memex:

This is the essential feature of the memex. The process of tying two items together is the important thing.

When the user is building a trail, he names it, inserts the name in his code book, and taps it out on his keyboard. Before him are the two items to be joined, projected onto adjacent viewing positions. At the bottom of each there are a number of blank code spaces, and a pointer is set to indicate one of these on each item.

Adding one's own annotations and links, and then sharing them to colleagues, is the vision:

First he runs through an encyclopedia, finds an interesting but sketchy article, leaves it projected. Next, in a history, he finds another pertinent item, and ties the two together. Thus he goes, building a trail of many items. Occasionally he inserts a comment of his own, either linking it into the main trail or joining it by a side trail to a particular item. When it becomes evident that the elastic properties of available materials had a great deal to do with the bow, he branches off on a side trail which takes him through textbooks on elasticity and tables of physical constants. He inserts a page of longhand analysis of his own. Thus he builds a trail of his interest through the maze of materials available to him.

And his trails do not fade. Several years later, his talk with a friend turns to the queer ways in which a people resist innovations, even of vital interest. He has an example, in the fact that the outraged Europeans still failed to adopt the Turkish bow. In fact he has a trail on it. A touch brings up the code book. Tapping a few keys projects the head of the trail. A lever runs through it at will, stopping at interesting items, going off on side excursions. It is an interesting trail, pertinent to the discussion. So he sets a reproducer in action, photographs the whole trail out, and passes it to his friend for insertion in his own memex, there to be linked into the more general trail.

Arguably we still do not have a satisfactory realization of the memex. The Web is not quite it; nor the personal Wiki, nor the personal mind-mapper, though each comes close. Perhaps the web with annotations will realize the dream? Though note that Tim Berners-Lee recognized in 1995 that even with a Memex, we might fail to organize our larger technical and social structures: "We have access to information: but have we been solving problems?"

[1] https://www.theatlantic.com/magazine/archive/1945/07/as-we-m...

[2] https://www.w3.org/Talks/9510_Bush/Talk.html

anc84 1 day ago 0 replies      
This is fantastic! hypothes.is is such an inspiring project, thank you!
niftich 1 day ago 0 replies      
I profess I don't know much about the company, but this effort is a continuation or an application of the W3C Linked Data Platform [1] initiative, which is an attempt to put Tim Berners-Lee's ideas [2] about the Semantic Web into practice, with renewed vigor and buy-in from many interested parties, and not speccing for its own sake.

Adoption is always the question that matters most to the public; arguably TBL's mid-2000s vision for the web as a Giant Global Graph [3] has been neatly cloned and co-opted by Facebook's concrete, incompatible, and inward-flowing Hotel California implementation [4], but if a new wave of startups and bigcorps can create a rich ecosystem using community-designed standards, the outcome may be different this time. Or maybe not, but I applaud and support them in trying, and I will evangelize the same.

What's different from the mid-2000s, you ask? For one, the ideas behind REST, despite often being imperfectly or incompletely applied, have nonetheless entered community consciousness. Hard-fail-if-invalid attitudes have been replaced by a tolerance for imperfections, both in the community's rejection of XML-derived data formats, and an acceptance of the web's often haphazard, something-is-better-than-nothing nature. APIs implemented using HTTP over the Web are a mainstay instead of experimental integrations, and a new wave of commercial players is eager to exploit whatever competitive advantage against the incumbents.

The big content gardens have all pushed incompatible "protocols" (we call them APIs, but they behave like protocols) [5], which gives them network effects but also locks them (deliberately) out of the open web (i.e. a Facebook comment on a Facebook post that was spawned by sharing a web link is not a comment on the link; it's a comment on that Facebook post). Meanwhile, systems that can build on top of these standards to implement two-way data flow -- both inward and out -- can present richer experiences, while not precluding the usual business models and monetization schemes that are in use today. And even if commercially this all flops, we'll have nice specs and vocabularies to use where metadata is paramount: science, research, government, and the like.

[1] https://www.w3.org/TR/ldp/
[2] https://www.w3.org/DesignIssues/LinkedData.html
[3] http://dig.csail.mit.edu/breadcrumbs/node/215
[4] https://developers.facebook.com/docs/graph-api/overview/
[5] https://news.ycombinator.com/item?id=12893852

fiatjaf 1 day ago 1 reply      
Where will the annotation data be stored?
jimmcslim 21 hours ago 0 replies      
The ghost of Third Voice awakes...
ChrisNorstrom 1 day ago 0 replies      
Anyone know of a way to annotate online the way Microsoft Word does? Where it highlights the content and points an arrow to its annotation kept on the right side of the page?
visarga 1 day ago 0 replies      
The annotation system of the web is reddit.
Machine Learning from scratch: Bare bones implementations in Python github.com
682 points by eriklindernoren  2 days ago   62 comments top 26
schmit 2 days ago 2 replies      
One quick comment: in general it is a bad idea to compute the inverse of a matrix (to solve a linear system). It's much better to compute the QR factorization or SVD instead (or simply call least square solver).

See for example: https://www.johndcook.com/blog/2010/01/19/dont-invert-that-m...

screwston 1 hour ago 0 replies      
A friend sent me a link to this - nice work, and I happen to be intermittently working on a very similar (and unfortunately similarly named) project - https://github.com/jarfa/ML_from_scratch/. Check my commit history if you suspect me of copying you ;)

I don't think I'll be implementing as many algorithms as you though, I should force myself to work on more projects outside my comfort zone.

imdsm 2 days ago 1 reply      
Great resource, but it could be a phenomenal resource if you documented each method and explained how and why it does what it does.

Don't get me wrong, having working code to play with is key, but when you don't fully grasp the concepts behind it, an explanation can become so valuable.

That being said, you've included names, so research can be done. Great work and I hope you're enjoying it!

compactmani 2 days ago 1 reply      
This is a nice project. I think it would be great to add references used for the implementations and some tests that demonstrate they return what is expected (or perhaps the same result of sklearn maybe).
onvalleysilic 2 days ago 1 reply      
Just tried it with an equities dataset and it seems to have performed nicely. Great work!
Jasamba 2 days ago 1 reply      
This is impressive, and kindof exactly what I am in the process of doing. It's certainly the best way to get familiar with the internal workings of these methods than just tune parameters like an oblivious albeit theoretically informed monkey. How long did it take you to do them?
fnl 2 days ago 1 reply      
This could become a fantastic resource for anybody who is teaching machine learning.

One vital improvement suggestion to make that path attractive would be if the Jupyter notebook format were used. It would be easier to add more documentation and references.

But in any case, thanks for sharing!

victor106 2 days ago 4 replies      
Would you suggest any books/resources to learn the theory behind these implementations so a newbie can follow along?
metaobject 2 days ago 1 reply      
In your RandomForest implementation, on the line in fit() where you're building the training subsets to give to each tree, it appears that your bagging approach doesn't use 'sampling with replacement' strategy.

 idx = np.random.choice(range(n_features), size=self.max_features, replace=False) 
It would appear that the replace=False prevents the 'sampling with replacement' behavior usually implemented by bagging algorithms. Should the replace=False be changed to replace=True?
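
The two sampling steps a random forest performs, shown side by side as an added example (not code from the repository quoted above): the row bootstrap, which is bagging proper and draws with replacement, and the feature subset, which is drawn without replacement so a split never sees the same column twice (whether that subset is drawn once per tree, as the snippet above does, or at every split, as scikit-learn does). Sizes are constructed; no real data is needed to see the behaviour, and the function names are the example's own.

```python
import random


def bootstrap_rows(n_samples, rng):
    """Bagging: n_samples row indices drawn WITH replacement.
    Duplicates are expected; each row has probability (1 - 1/n)^n ~= 1/e of being
    left out entirely, so about 63.2% of the distinct rows land in each bag."""
    return [rng.randrange(n_samples) for _ in range(n_samples)]


def out_of_bag_rows(n_samples, bag):
    """Rows never drawn into this bag; they are a free validation set for that tree."""
    return sorted(set(range(n_samples)) - set(bag))


def subsample_features(n_features, max_features, rng):
    """Feature subset: max_features distinct column indices drawn WITHOUT replacement.
    Drawing with replacement here would only hand a split the same column twice."""
    if not 0 < max_features <= n_features:
        raise ValueError("max_features must be in 1..n_features")
    return rng.sample(range(n_features), max_features)


def build_bags(n_samples, n_features, max_features, n_trees, seed=0):
    """One (rows, oob, features) record per tree. A forest's fit() would train
    tree i on X[rows_i][:, features_i] and score it on X[oob_i]."""
    rng = random.Random(seed)
    bags = []
    for _ in range(n_trees):
        rows = bootstrap_rows(n_samples, rng)
        bags.append({
            "rows": rows,
            "oob": out_of_bag_rows(n_samples, rows),
            "features": subsample_features(n_features, max_features, rng),
        })
    return bags


def mean_distinct_fraction(bags, n_samples):
    """Average share of distinct rows per bag; converges to 1 - 1/e ~= 0.632."""
    return sum(len(set(bag["rows"])) for bag in bags) / (len(bags) * n_samples)


def oob_coverage(bags, n_samples):
    """Share of rows that are out-of-bag for at least one tree, i.e. rows for which
    an OOB prediction can be formed at all. Approaches 1 quickly as n_trees grows."""
    covered = set()
    for bag in bags:
        covered.update(bag["oob"])
    return len(covered) / n_samples


if __name__ == "__main__":
    # Constructed sizes only; the sampling behaviour does not depend on the data.
    bags = build_bags(n_samples=1000, n_features=20, max_features=4, n_trees=50, seed=1)
    print("rows per bag:", len(bags[0]["rows"]), "distinct:", len(set(bags[0]["rows"])))
    print("features per tree:", bags[0]["features"])
    print("mean distinct fraction: %.3f" % mean_distinct_fraction(bags, 1000))
    print("OOB coverage: %.3f" % oob_coverage(bags, 1000))
```

If a bag ever comes back with no duplicates at n_samples = 1000, the row sampler has silently been switched to replace=False and the out-of-bag set is empty, which is the cheap regression test to keep around.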

onlyrealcuzzo 2 days ago 1 reply      
This is awesome! I'm working on something similar for JavaScript. Definitely will be using yours for reference. Thanks, dude!
mrcactu5 2 days ago 1 reply      
scikit-learn is excellent, but their implementations are a bit too complicated to learn from.

This is for people who don't just want to tune parameters but build the whole thing from scratch.

I can buy a pie with all the fixings from a bakery, or I can buy the ingredients myself and make it exactly to my liking. It may not be professional.

ussser 2 days ago 1 reply      
Cool! How long did it take to learn and implement these models?
grzm 1 day ago 0 replies      
For the future, if it meets the guidelines, this likely should have been a Show HN:


jbrambleDC 1 day ago 0 replies      
This is awesome. I am currently building a decision tree from scratch in Java and will use yours as a reference.

One comment I have. in kNN, it is best to ensure that the neighbors list occupies O(k) space.
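
One way to get that O(k) bound, as an added example and not code from the project: scan the training set once and keep only the k best candidates in a bounded heap, so memory never grows with the number of training points. The toy cluster data and the function names are constructed for this illustration.

```python
import heapq
import math
from collections import Counter


def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def k_nearest(train, query, k):
    """Return the k nearest (distance, label) pairs, nearest first.

    train is an iterable of (label, point) pairs, scanned exactly once. At most k
    candidates are ever held: a max-heap on distance (stored negated, since heapq is
    a min-heap) whose root is the farthest neighbour kept so far, so a closer point
    replaces it in O(log k). Memory is O(k) however many training points stream past.
    """
    if k <= 0:
        raise ValueError("k must be positive")
    heap = []  # entries (-distance, insertion index, label); the index breaks ties
    for idx, (label, point) in enumerate(train):
        d = euclidean(point, query)
        if len(heap) < k:
            heapq.heappush(heap, (-d, idx, label))
        elif -d > heap[0][0]:  # strictly closer than the farthest kept neighbour
            heapq.heapreplace(heap, (-d, idx, label))
    return sorted((-neg_d, label) for neg_d, _, label in heap)


def predict(train, query, k):
    """Majority vote over the k nearest labels."""
    votes = Counter(label for _, label in k_nearest(train, query, k))
    return votes.most_common(1)[0][0]


# Constructed toy data: two well-separated clusters labelled "a" and "b".
TRAIN = [
    ("a", (0.0, 0.0)), ("a", (1.0, 0.0)), ("a", (0.0, 1.0)),
    ("b", (5.0, 5.0)), ("b", (6.0, 5.0)), ("b", (5.0, 6.0)), ("b", (6.0, 6.0)),
]

if __name__ == "__main__":
    print(k_nearest(TRAIN, (0.5, 0.5), 3))
    print(predict(TRAIN, (5.5, 5.5), 3))
```

Sorting the whole distance list and slicing `[:k]` gives the same answer but costs O(n) memory and O(n log n) time; the heap version is O(n log k) and works on a training set that is streamed from disk rather than held in memory.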

edshiro 2 days ago 1 reply      
Nice! I have started brushing up my maths and reading about machine learning in general. Next step is to get my feet wet in the implementation. I think looking at your project can give me a good idea as to how to implement some of the most basic algorithms. Good luck!
dnautics 2 days ago 0 replies      
Nice project! I'm doing something similar in julia, with the added advantage that as I build it the numerical types are variadic so I can play around with numbers that aren't IEEE FPs.
searchfaster 2 days ago 0 replies      
Very nice project! Very very useful for a ML beginner like myself. Thank you very much!
jogundas 2 days ago 2 replies      
Very cool! I have actually been planning to do exactly what you did, sir :)
peter_retief 2 days ago 1 reply      
I feel happy to see your wonderful work you share so freely
joelberman 2 days ago 0 replies      
Very nice project! Learning stuff makes me happy.
sp4ke 2 days ago 0 replies      
Amazing, thanks for sharing :)
Winterflow3r 2 days ago 1 reply      
This is really cool and inspiring!
thinkr42 2 days ago 1 reply      
This is awesome!
SvenDowideit 2 days ago 0 replies      
Deliver and release stuff that people actually use. Or work on projects that do.

Delivering value trumps painting every day

White House Bars NYT, CNN, and Politico from Briefing nytimes.com
657 points by ComputerGuru  3 days ago   383 comments top 50
clamprecht 3 days ago 21 replies      
For anyone who has actually watched these press briefings in their entirety: Does anyone else think these are pretty much the worst way to get to the bottom of issues? Here's how it seems to work:

* The press secretary (or President, or whoever) makes a statement

* He or she chooses a journalist to ask a question

* Journalist asks question

* Press secretary answers question in as much or as little detail as he/she wants

* Press secretary calls another journalist

* This goes on for maybe 20-30 minutes, and it's over.

How does this even help at all? It's not like the press secretary is going to answer a question that he/she doesn't want to answer anyway.

meentsbk 3 days ago 7 replies      
I'm finding I'm having a hard time reconciling the current climate - not necessarily at his supporters (or the opposite), but just at how polar opposite everyone seems to be on this.

For me, I see these organizations as not treating him poorly, but actually willing to call out things he is not being factual on.

But at the same time, maybe I'm being biased against him.

I want the discourse, but I'm just struggling to understand how the views can be so strongly split from one extreme to the other, and what that means moving forward.

KerrickStaley 3 days ago 4 replies      
The HN ranking algorithm buried this post really quickly.

Right now it has 466 points, 229 comments, is 1 hour old, and ranked at #32.

For comparison, https://news.ycombinator.com/item?id=13725093 has 197 points, 39 comments, is 4 hours old, and ranked at #13.

Does anyone know why the ranking algorithm demoted this article and not the other (even though this one is younger and more popular)? I know it applies penalties for certain sites and if an article is deemed "controversial" (more comments than votes), but I don't think either would trigger here.

mtgentry 3 days ago 8 replies      
Only the AP chose to not attend out of solidarity? Shame on ABC, CBS, and the rest.
Jun8 3 days ago 0 replies      
The reporting on this is a bit hazy right now, according to CNN it was not a formal briefing but a "press gaggle" (https://en.wikipedia.org/wiki/Press_gaggle) and the CNN reporter was barred by a WH staffer because the organization's name "was not on the list" (http://www.cnn.com/videos/politics/2017/02/24/cnn-blocked-fr...).

This is a mostly symbolic gesture (these organizations still have their assigned seats in the room) but is very much against WH press tradition. Coupled with Trump's strong words at the Convention this is a sign for these organizations to tune down their criticism of the President.

themgt 3 days ago 3 replies      
This country appears to be on a very dangerous path. I don't remotely deny Trump and his administration's responsibility and complicity for taking us down this path, but given how widely understood his issues are within mainstream discourse, I wanted to take a step back and critically look at the not-Trump aspects.

Firstly, Trump needs to be understood in context as the outsider who none of the establishment took seriously, who disrespected everyone and touched every third rail of US politics, who railed against a corrupt system and argued to burn it all down. And 46% of voters bought that and won him 85% of US counties and the presidency.

And ever since, a vast "bipartisan" swath of US media and civic institutions, the deep state and many members of the elites of both political parties have been edging towards outright hysteria, active #Resistance, bureaucratic mutiny and widespread media/celebrity/talking-head delegitimization of Trump's presidency on a level that is utterly unprecedented in modern US history. The level of abject, contemptuous hostility from ostensibly "objective" media outlets like the NYT has been breathtaking.

Many, many stories have been exaggerated, slanted and framed in ways that cast Trump as some comic-book villain/Manchurian candidate/Hitler-in-waiting beyond any basis in fact or contextualization within existing/recent US policy.

I want to just be clear that I don't support Trump or his policies, I've voted and volunteered for Obama/Bernie and other Democrats, but what I see occurring is a ratcheting up of tensions towards outright war between Trump and the existing establishment of this country. And that in fact is exactly the way Trump actually can justify cutting off media access and purging the ranks of the IC after all the leaks. Bannon and Trump want a war against the establishment, because they know how much of the country is disgusted by the establishment and wants someone to use them as a punching bag.

Trump himself should be like a relatively harmless pathogen within our government's co-equal constitutional immune system - perhaps even an excuse to strengthen legislative and judicial oversight that's been badly lacking in recent years of executive overreach. Instead we're witnessing the fourth estate and military/spook bureaucracy go to war with Trump, which is exactly the sort of non-credible/illegitimate opposition that can enable him to actually consolidate more public support and power.

aestetix 3 days ago 6 replies      
Title is misleading. Press was blocked from a single press briefing. I do not see anything in the article about briefings going forward.

Can someone change the title so it's less sensationalized?

Edit: thanks to the moderator for removing the "s" and making the word "Briefing" singular to accurately reflect the article.

dirkg 3 days ago 0 replies      
This country has gone mad. The Trump supporters will justify and applaud everything he does while he burns down the world.

Why even pretend we have a democracy anymore? Trump and his WH are busy eroding and suppressing every form of free speech and I can't think of a single thing he or the Republicans stand for that actually helps people.

trequartista 3 days ago 2 replies      
According to The Hill, these organizations were also barred - BBC, Daily Mail, The Hill, Buzzfeed, LA Times


nappy-doo 3 days ago 0 replies      
Well, I guess it's time to up my subscription level to the NYT.
agildehaus 3 days ago 0 replies      
Not only are they barring news agencies they don't like from press briefings, they're bringing in radio talk hosts in the form of submitted video to fill the gap. Completely insane.
hackuser 3 days ago 2 replies      
> Breitbart News, the One America News Network and The Washington Times, all with conservative leanings. Journalists from ABC, CBS, The Wall Street Journal, Bloomberg, and Fox News also attended.

The sentence is misleading and normalizes something that is very dangerous: The WSJ and Fox absolutely have conservative leanings. IMHO, WSJ, at least their editorial page, and Fox are propaganda outlets. (To be clear, I despise propaganda of all stripes; the conservative side is far more powerful these days - there is no left-wing propaganda outlet with a fraction of the power of Fox and the WSJ (or Rush Limbaugh and the rest of conservative talk). Huffington Post is maybe the biggest, but I don't read them enough to know if they qualify as propaganda. Publications like Common Dreams or Tom Paine are laughable as competition.)

praneshp 3 days ago 2 replies      
I was going to do a Ask HN, but will jump on this thread. What's the better subscription to get, NYTimes or WSJ?
twoquestions 3 days ago 1 reply      
This is not the action a strong, secure ruler would take. This signals that they're afraid of what they may ask and how their readers may react.

What does this accomplish that ignoring the reporters in question would not?

lisper 3 days ago 0 replies      
There was a time not so long ago when part of the argument for why we were better than the Russians was that we had a free press and they didn't.

You might still be able to see Russia from parts of the U.S., but it's getting harder and harder to see the moral high ground from here.

ComputerGuru 3 days ago 1 reply      
This story is being actively buried, fyi. [edit: confirmed that it's being flagged. Guess all is normal.]
vturner 3 days ago 1 reply      
Does anyone else find this article confusing or misleading?

"Organizations allowed in included Breitbart News, the One America News Network and The Washington Times, all with conservative leanings. Journalists from ABC, CBS, The Wall Street Journal, Bloomberg, and Fox News also attended."

So, were the only outlets allowed in the "conservative leaning" ones, or the not-so-conservative ABC and CBS as well?

bnolsen 3 days ago 0 replies      
Considering NYT, CNN and Politico were all implicated via wikileaks for directly colluding with the Hillary campaign I don't blame Trump one bit. The mainstream media needs to be reined in and not represent one single political party in this whole current mess, but it's not the government's job to do it.
bsder 3 days ago 0 replies      
GOOD! Maybe the press will start doing their job of digging for truth instead of pandering in order to get "access".
paradite 3 days ago 1 reply      
> Organizations allowed in included Breitbart News, the One America News Network and The Washington Times, all with conservative leanings. Journalists from ABC, CBS, The Wall Street Journal, Bloomberg, and Fox News also attended.

I wonder if the message conveyed would be different if we rephrase it another way:

> Organizations allowed in included ABC, CBS, The Wall Street Journal, and Bloomberg. Journalists from Breitbart News, the One America News Network, The Washington Times and Fox News, all with conservative leanings, also attended.

Also, I think NYT is playing with the word "allow" here. By saying "Organizations allowed in included X, Y, Z. ... A, B, C also attended", this gives the false impression that A, B, C are somewhat "not allowed" by separating the list into "allowed" and "also attended". This is obviously false since they attended it.

skolos 3 days ago 7 replies      
Is there a historic precedent for this?
ceejayoz 3 days ago 1 reply      
Well done to Time and AP, who skipped in protest.
MertsA 3 days ago 0 replies      
So I can see the rationale for Barring CNN, or more specifically, Jim Acosta from attending Press briefings after his disruption back in January but as for barring the rest, is this really as corrupt as it sounds? Only allow in press who are "Trump friendly".
dmode 3 days ago 0 replies      
This is great. More ammunition to build a case against Trump. This type of behavior doesn't benefit him, but scares a lot of independent voters. He will be in for a rude awakening in the next election cycle
kylewest 3 days ago 1 reply      
much ado about nothing. press access has always been limited to a select handful. even making it into the room doesn't guarantee you'll be acknowledged or, if called on, have your question answered.
kingnight 3 days ago 0 replies      
I know this may be a tired question, but why is this falling on the front-page when the points are continuing to increase?
beat 3 days ago 0 replies      
This isn't about banning particular media outlets for asking hard questions or being fake news or whatever. This is about setting up the mainstream media as the enemy, and treating them as such. Trump's target is his supporters. "Do you trust me? If you trust me, then you can't trust them."
rafiki6 3 days ago 0 replies      
Trump thinks he's still on the apprentice...doesn't like a news outlet, "You're fired!"
hackuser 3 days ago 0 replies      
Now we know which publications we can trust to stand up to the President. Why isn't the WSJ banned?
pasbesoin 3 days ago 0 replies      
I wrote a snarky if apt comment, but I'll rephrase it seriously.

I hope the resources put in limbo by this can be devoted to investigating and reporting some independent and accurate accounts of what's happening.

Such as, say, refuting every false statement that is coming from the press room podium.

I'd pay for that paper.

tcoppi 3 days ago 0 replies      
Sounds like he is getting desperate.
coldcode 3 days ago 0 replies      
See 1984, Ministry of Truth. Sadly the novel seems to be a how to manual instead of a warning.
a3n 3 days ago 0 replies      
I think at this point the White House Correspondents Association should disband, and all reputable outlets should pull their reporters, similar to how a government official might resign in protest of something.

What would we miss? Another story about spin?

ChicagoDave 3 days ago 3 replies      
Well proof will come out in the mid-terms. Do most voters want this kind of leadership or not?

Of course the GOP is going to contract voting rights as much as possible in the interim, so it's going to be a battle.

Liberals don't vote. Will that change?

throwaway13371 3 days ago 0 replies      
Not a Trump supporter in the slightest but after seeing how they mis-characterized Pewdiepie I have to say I have no trust in the media either so to hell with them.
alkonaut 3 days ago 0 replies      
Sane media should stop going. No point participating in a charade the administration is directing.

Edit: apparently this is already happening. Time and AP among those who chose not to attend.


marcell 3 days ago 0 replies      
But is this literal or serious? /s
randomname2 3 days ago 0 replies      
Just for some perspective, the previous administration was also not great in this regard:

"Obama shuts Fox out of press briefings related to Benghazi" [1]

"The Obama White House went to war against Fox News": Jake Tapper. [2]

"Fishbowl DC has been keeping tabs of which media outlets have been allowed to ask a question at President-elect Barack Obama's five press conferences so far. They report Fox News is 0-5. Questions instead went to such outlets as ABC, New York Times, CBS, Reuters and the Associated Press." [3]

"In 2010, President Obama said that Fox News had a point of view which was 'ultimately destructive for America'... The University of Minnesota's Eric Ostermeier tallied up the number of questions each member of the White House press corps had been able to ask during all of Obama's first term press conferences. ABC, CBS, the Associated Press and NBC led the pack, with ABC having been selected for questioning 29 times over 36 solo press conferences. (Overall, reporters have had fewer chances to ask questions than any White House press corps since Ronald Reagan's.)... Fox News, though it has a reach that far outstrips its competitors and sometimes rivals the broadcast networks, was in ninth place on the list, having been called on 14 times... NBC's Chuck Todd and ABC's Jake Tapper (now at CNN) were called on the most of any reporters; they each got 23 chances to question Obama." [4]

"Mr. Axelrod said it was the view of the White House that Fox News had blurred the line between news and anti-Obama advocacy... By the following weekend, officials at the White House had decided that if anything, it was time to take the relationship to an even more confrontational level. The spur: Executives at other news organizations, including The New York Times, had publicly said that their newsrooms had not been fast enough in following stories that Fox News, to the administration's chagrin, had been heavily covering through the summer and early fall, namely, past statements and affiliations of the White House adviser Van Jones that ultimately led to his resignation and questions surrounding the community activist group Acorn... Those reports included a critical segment on the schools safety official Kevin Jennings, with the on-screen headline 'School Czar's Past May Be Too Radical'; urgent news coverage of a video showing schoolchildren singing the praises, quite literally, of the president, which the Fox News contributor Tucker Carlson later called 'pure Khmer Rouge stuff'... There followed, beginning in earnest more than two weeks ago, an intensified volley of White House comments describing Fox as 'not a news network'.... Then, in an interview with NBC News on Wednesday, the president went public. 'What our advisers have simply said is that we are going to take media as it comes,' he said. 'And if media is operating, basically, as a talk radio format, then that's one thing. And if it's operating as a news outlet, then that's another.'... 'We simply decided to stop abiding by the fiction, which is aided and abetted by the mainstream press, that Fox is a traditional news organization,' said Dan Pfeiffer, the deputy White House communications director." [5]

December 2012: Several journalists reported that MSNBC hosts were meeting privately with President Obama to discuss the impending fiscal cliff fight. [6]

March 2015: Politico's media reporter, Hadas Gold, reported that a group of journalists and columnists, all on the left, met privately with President Obama, but the White House refused to say who else was at the meeting or what was discussed. [7]

[1] http://www.wnd.com/2014/01/fox-anchor-team-obama-threatened-...

[2] http://www.newsbusters.org/blogs/nb/kristine-marsh/2017/01/1...

[3] https://thinkprogress.org/fox-news-shut-out-again-at-obama-p...

[4] http://www.huffingtonpost.com/2013/01/17/obama-fox-news-pres...

[5] http://www.nytimes.com/2009/10/23/us/politics/23fox.html

[6] http://www.mediaite.com/tv/msnbc-hosts-spotted-visiting-obam...

[7] http://www.politico.com/blogs/media/2015/03/obama-holds-off-...

crispyambulance 3 days ago 1 reply      
Yes, it's an offensive dick-move by Trump but rather than get agitated, I hope that more people will try to look behind this.

This has been a relatively slow news week, I get the feeling someone needs a little attention?

kylewest 3 days ago 1 reply      
If we're going to be honest, most are upset because they have an issue with Trump to start with. After he was elected Trump did hour-long interviews with 60 Minutes, ABC, O'Reilly, and Hannity. Where's the outrage over that? Shouldn't equal time have been given to Dateline, CBS, Anderson Cooper, and Van Jones?

Sooner or later there will be a real issue and most of us are going to tune it out because CNN/NYT/Others have treated every day since he took office as the 2nd coming of Hitler and beginning of WW3.

DLA 3 days ago 2 replies      
Maybe this will send a message to said media outlets to stop making crap up and traffic in real issues with some impartial professional journalism that used to occur in this country.
alphabettsy 3 days ago 0 replies      
Completely unacceptable!
aestetix 3 days ago 2 replies      
Wow, the downvotes are rolling in.
MrZongle2 3 days ago 1 reply      
boona 3 days ago 3 replies      
> He has taken to blatantly and explicitly lying about simple verifiable facts, and doubling down on those lies when challenged.

I'm not saying that's not true (I'm not a Trump supporter), but what sticks out to you as an instance of him doubling down on a lie?

Edit: It's disappointing to be down voted rather than being directly engaged. If you have a beef with what I said, please tell me where I've erred. I would love to change my mind on this topic. This is Hacker News after all, not Reddit.

mason240 3 days ago 2 replies      
andriesm 3 days ago 4 replies      
sidlls 3 days ago 1 reply      
I just can't get worked up about this. Had these "news" organizations been doing their jobs I might be more concerned. As it stands this is just elevating one group of propaganda orgs over others.

The difference between what Trump has done here and what prior administrations did is the publicity and brazen transparency around it. I find it amusing that people think this is somehow a terrible, ominous event. This is a trifling thing compared to the egregious ethical violations and corruption, especially around information dissemination through the press, that has existed in this institution for decades.

The most interesting and concerning thing about it is the apparent weight given to these briefings. Except in very rare circumstances (e.g. killing of OBL, some attack like 9/11), these things are basically just PR displays by the administration. They serve no newsworthy purpose.

mythrwy 3 days ago 4 replies      
Ya, well the press's treatment of Trump has been a bit one sided. And well out of proportion to his actual comments and deeds.

You might not like Trump, and you might have good reasons but the above is true all the same. And, he is sitting president of the USA right now, irrespective of how you feel about him, his platforms and his supporters.

The amount of vitriol involving Trump is ridiculous. It really is. I'm not saying Trump has good manners (because he doesn't) but the press hasn't been many steps behind in utter nastiness. And they have, in most cases, stopped even pretending to be objective. It's gotten where I can't even watch or read the news anymore. It's just irrational nastiness from one side or the other with zero nuance.

I don't know where this all ends if we stay on the trajectory. Gang warfare and cutting off heads maybe. Seems the veneer of civilization indeed might be pretty thin. Maybe we might have to relearn the hard way about the things we take for granted in the social order.

Video Pros Moving from Mac to Windows for High-End GPUs mjtsai.com
446 points by mpweiher  4 days ago   461 comments top 52
outworlder 3 days ago 15 replies      
Big surprise. Video Pros now, developers next, common users last.

While Apple is focusing on trying to create the thinnest notebook on every generation, other companies are actually making useful computers, laptops or otherwise.

Right now, I've decided to take the money I'd spend on the cheapest Macbook to buy a desktop system, plus a chromebook. I can have mobility and a lot of performance, for a fraction of the price.

Even Windows is becoming more viable again, ubuntu core and all.

feelandcoffee 4 days ago 3 replies      
In college I bought an iMac to learn to edit video in FCP7. It was nice, not really fast but functional; a lot of my professors were Apple fanboys from the Jobs era. Then came FCPX. Even if it's good right now, the first version released was basically a stab in the back to those video pros who were faithful to Apple for years, those who kept buying in the hardest times of the company.

I saw a lot of video professionals jumping to the Adobe ecosystem or to things like DaVinci for the GPU rendering.

In my case I ended up selling my Mac, and with the money built a good PC for the price. I feel stupid for not building one from the beginning. Goodbye external disks and weird peripherals; hello SSD, RAID storage, expandable RAM, and a GPU with CUDA that I can upgrade in two years without trashing the rest of the system.

This is not a debate of Mac vs PC (that can go on forever), or PC Master Race propaganda, but the Mac Pro is a bad-taste joke. I get the idea of the "Apple tax", but it's ridiculous here. The CPUs, SSD, and RAM are old, but especially the fact that the GPU is soldered to the motherboard is just stupid. GPUs are one of those rare things where you can still see double the performance in each new iteration.

I love my Macbook Pro because reasons, but in Desktops, the PC it's the King.

iagooar 3 days ago 3 replies      
I think that Apple forgets that video pros are also consumers. And their families. Usually Apple products thrive in families where at least one member is a professional that uses Macs for work. It just fits the whole idea of an ecosystem, so these people and their family members have iPhones, iPads, an AppleTV and maybe an Apple Watch.

Once these people start working on Windows machines, the benefit of an iPhone is reduced. It's still a great phone, but they might go for an alternative. Same applies to iPads.

Apple should wake up quick. The extraordinary sales numbers of the iPhone seem to have made the company live in a bubble where there is just the phones that matter. But who knows for how long smartphones are going to stay relevant and if a new piece of technology is going to replace them...

kalleboo 4 days ago 5 replies      
The current Mac Pro design seems like such a massive misstep in product design, it will be really curious to see if they will walk it back, or just drop the pro market completely.

I wonder what thinking led to that product. Did they think the pro market would be worth it to them to keep investing in keeping the product up to date and then it turned out not to be worth the investment? Although, even before then the Mac Pro was only updated sporadically... Was it all just Jony Ive design hubris? Who is the Mac Pro designed for?

hunvreus 3 days ago 3 replies      
It isn't just video pros.

I've purchased Apple products for 12 years (and for my entire company for 7 years).

It always seemed to be the obvious choice; it just worked, reliably and with a better user/developer experience than alternatives.

This year both me and my team have started moving away. My next phone will be an Android device and we're now not buying Macbook laptops for new recruits.

Windows, Ubuntu or Elementary OS offer a better experience. I personally can't take the restrictions I'm getting from MacOS and iOS. I'm also infuriated to see my machine being close to unusable a couple times a week while "kernel_task" eat up 120% of my CPU.

The only reason I was still sticking with Apple was the hardware, but that too went downhill. The iPhone's screen is brittle. The battery is capricious. My latest 2 visits to the Apple store resulted in an unusable track pad and a damaged screen on my Macbook (which were then claimed to not be covered by Apple Care).

Others around me share my frustrations.

It may be anecdotal, but 3 years ago I would never have considered buying anything but Apple. I've reached the tipping point and I'm not the only one it seems.

touchofevil 4 days ago 1 reply      
The only thing Apple has left going for it at this point in the pro video market is the ability to encode video using the Apple Pro Res codec, which is an amazing codec. But other than that, they have totally abandoned the pro market. Final Cut X was not up to the job of professional editing when released. The trashcan Mac Pros are terrible for pros because you 1) can't install internal PCIe cards like BlackMagic Decklink cards 2) can't install desktop GPUs, 3) Can't install multiple internal hdds. PCs are just so much cheaper / more powerful / more expandable and Adobe Premiere is basically a Final Cut Pro replacement. There's not much reason to use a Mac for pro video anymore.
pasta 3 days ago 4 replies      
It's estimated that there are 20 million developers world wide.

Stack Overflow surveyed that 20% of developers use a Mac.

So lets say there are 4 million developers using a Mac. And lets say they buy a new Mac every 3 years. Then 1.3 million developers buy a Mac each year.

Apple sold 20 million Macs last year. So lets say 6.5% were developers and 10% of those developers are complaining about the new Mac series. If I am right that means that 130 thousand developers are complaining. That's 0.65% of Apple's customers.

Now I don't believe Apple is stupid. They have been in business longer than some people here have been alive.

So I can very much imagine that Apple decided to go for 2% more customers while losing 0.65% of them while making even more profit.

stcredzero 4 days ago 2 replies      
I'm moving to an ASUS laptop with a GTX 1070 GPU. I should be able to do all of my game development on it, be able to play games and do VR, and keep my old Macbook Pro around just in case I do any iOS stuff.
dcw303 3 days ago 1 reply      
For a company that understands computers are very similar to fashion (their SVP of retail was poached from Burberry), they show a disappointing lack of foresight by not keeping their taste makers happy.

Introducing OS X as the mobile Unix platform of choice on top of the first ever drop dead gorgeous notebook (The Powerbook G4 Titanium) declared Apple as the platform for discerning power users. Those power users could confidently brag about their systems, giving free advertising to non-power users. The halo effect of which can still be seen today, trickling down to Joe Coffee in your local cafe. How much longer that lasts in the wake of mis-steps like the touch bar is questionable though, even in the wake of massive unit sales to the broader public.

This article is about high end video / graphics users, and workstations are a slightly different use case. But not much. Once these users move off Mac, who is going to be left to champion the desktops?

redsummer 3 days ago 0 replies      
Tim Cook has just been repainting Jobs's toys for the last five years. Cook's success is a testament to how good the toys were, but nobody wants Woody and Buzz Lightyear anymore.

I'm an iOS developer. I'm sure if Apple were making decent machines I would be more optimistic about my job. But the current situation is making me prepare for an escape route. I'm sure there are many others who feel the same, and that will have a knock on effect on the iOS world.

ramigb 3 days ago 0 replies      
I use Windows 10 as my gaming PC. I own two MBPs, one for work and one for personal use, and I also make music on both Windows with FL Studio and macOS with Logic Pro X. Lately I've been feeling that Windows 10 is really smooth and easy to deal with, unlike my previous Windows experience, so I've started coding (again) on my Windows and, to be honest, minus some built-in macOS applications like QuickTime and Preview, I don't really mind going back to Windows at all. Unlike with Windows 8 or 7, I feel that Microsoft has started listening to users, which is really good.
cdnsteve 3 days ago 0 replies      
When you solder SSDs and RAM onto a machine's logic board, that doesn't exactly make your very expensive investment future-proof. Let alone gluing a battery into the case, and the battery life is horrible on my Touch Bar MacBook Pro.

Apple machines are now appliances that cannot be modified. They are throwaway, so spend your dollars wisely.

rayiner 3 days ago 1 reply      
The idea of video pros, programmers, and IT guys being "tastemakers" is laughable. People used to ask me for computer recommendations 15 years ago, when specs mattered and computers were scary. Today, people just get a Mac because their fellow non-technical people have one, or because they have an iPhone or Apple Watch already.

Indeed in our household it works the other way around: My completely non-technical wife has prohibited me from buying non-Apple products. ("You know how whiny you get every time you buy a non-Apple product.")

marricks 4 days ago 1 reply      
So they had to switch to Nvidia for their amazing 1080 GPU, makes sense. Guess I wouldn't blame Apple for not appealing to a niche market; as a reply on that post said, they chase big markets and do really well in them.

It's interesting that in some ways Microsoft may be doing the same. They cut support for older CPUs, they cut a lot of their workforce for QA, and seem to be focusing too.

It'd honestly be kind of cool if the margins from specialty users became so small that they stopped getting supported, so Linux fills the gap. I mean, the transition is bad, but the end opportunity for Linux and diversity in general seems good.

modfodder 3 days ago 0 replies      
As someone who is a video pro, cutting commercials in NYC and LA (and a former post facility engineer), I'm not seeing it. I don't know of one editor or post facility that has moved from Mac to Windows or Unix. One River Media (the co. that posted the blog post about switching) is using DaVinci Resolve as an NLE, a far more niche choice than cutting in FCPX. Resolve is a color correcting tool (a very popular one that I've used to color grade features) that has added editing support. I've yet to meet anyone in the wild using it for editing.

Even the editors I know that cut on Adobe Premiere which is available for both PC and Mac aren't switching from Mac, which honestly has surprised me a bit because of the greater choice in hardware. But for most video editors at this level, you're just trading speed in one area for problems in another. Editors whine and complain every time there is a tiny change in the interfaces they use, they hate change. They have been forced to embrace FCP and Premiere over the years (and complain about it incessantly). Very few will choose to make the jump to Windows for the same reason.

As you step down the ladder, the move will make sense for some. Your all-in-one facilities or one man bands (production and all aspects of post handled by one or two people). But in my experience, this group has already been heavily invested in the Windows side because of the cheaper initial costs (that money you save early will be spent later and the Windows post-house will cost as much or more than a comparable Mac post-house, at least it did when I was an engineer).

And the other aspects of video post production, the CG, 3D and compositing sectors already heavily lean toward Windows or Linux and have for over a decade.

There just isn't a huge need for massive speed increases in the hardware side for most video editors. We've gone from needing very fast, high end systems with fast (and expensive) SAN storage to laptops and SSDs that allow us to do more, faster than ever. iMacs or MacBook Pros are all the average editor needs, with more and more working remotely from home. I cut a project for the NBA over the holidays on the first gen USB-C MacBook and years ago cut a project for REEBOK on the just released MacBook Air. Both these projects came up unexpectedly while I was traveling but went off without a hitch on underpowered hardware (that I bought for web surfing and writing).

That's not to say that I wouldn't appreciate (and most likely purchase) a new and expandable Mac workstation. But for the most part, I'd be spending money to just spend money. It wouldn't speed up 98% of my job. And that other 2 percent isn't slow enough to cause me any issues.

bleair 3 days ago 3 replies      
Does Apple really need or care about the "Pro" market?

It seems like all of their priorities are related to everyday consumers (beats headphones, air buds, several new phone models every N months, etc.).

Why would Apple waste their engineering man-hours building products for any market except the common consumer who aspires to be part of the wealthy crowd?

alkonaut 3 days ago 2 replies      
They aren't stupid - it's entirely possible that Apple have run the numbers and found it uneconomical to keep pro gear up to date. So they simply give up the share of the market that contains video pros and similar. Obviously they'll lose the whole families of those professionals, and perhaps their whole businesses too - but Apple must have calculated that risk.

So most likely it's simply better business to cater to the consumer/prosumer part of the market and ignore "true pro" gear.

Fomite 3 days ago 0 replies      
I've begun painfully shifting away from Mac Pros for scientific computing work as well, which six or seven years ago I wouldn't have believed. But my lab recently bought a high-end workstation and the MP didn't make sense, and my current MP is getting a bit long in the tooth and, unless something very unexpected happens, its replacement won't be made by Apple.
JimmyAustin 3 days ago 2 replies      
I don't understand why Apple doesn't offer a clone program for workstation Macs. Dual socket and above only (so that it doesn't compete with the iMac or the Mac Mini), restrict it to Intel, but give Dell/HP/custom builders the opportunity to build the pro systems that don't make much of a profit themselves, but support the army of content creators for their other devices.
baldfat 3 days ago 0 replies      
I have contracted for video work from time to time for a few decades now.

Windows has always been the majority of video editing till about 2009, when Final Cut was the buzzword. I HATE Final Cut and just its vocabulary was so frustrating. Most were either Premiere or some special Linux farm for HUGE projects. Apple won due to the idea that creatives used Apple and nerds used Windows. I always was the Amiga guy, then the Linux nerd (Lightworks is great but the plug-ins are limited) and now I just am happy to not have to use Final Cut for anything.

dcdevito 3 days ago 1 reply      
Has anyone else realized this article is almost a year old? I agree with the whole macOS exodus, as I was a Mac user of 9 years before switching to PC in mid-2015 (you know, when it wasn't yet cool to do so). At first I thought I made a huge mistake, but since then I built a powerful rig last summer and I love it. Windows 10 is fast, stable and reliable, three words I used to describe OS X when I switched to Mac in 2006.

As a former developer now Project Manager, I don't code much anymore, but I tinker with stuff every now and then. I got into gaming for the first time since I built a custom PC back in 2004, and you know what? I love it! I thought I was "past that" phase in my life, but I enjoy my Windows 10 Desktop PC.

I still miss the Mac, and man do I miss the retina screens! But I feel macOS is simply now a legacy product to Apple that they simply cannot afford to ditch, not so much for business - obviously that would be bad - but I think it would be much worse from a PR perspective more than anything. And the whole thing bothers me. I feel like macOS is now an obligation for Apple to string along, but its real focus is now iOS. We all know iOS is the future, who are we kidding? At least with Windows 10 I feel Microsoft is trying to add neat features and updates annually now, and since mobile passed them by in the dust they have to scramble desperately to get Windows 10 in the forefront of tech enthusiasts again. I think for developers it's working (or at least they're trying very hard). I'm kind of excited for built in VR functionality, ubuntu core (WSL) seems really promising for developers.

cxromos 3 days ago 0 replies      
I'm finding problems with the Escape key, not the hit/miss, which is not a problem at all, but while coding I like to rest my finger on the Escape key on certain occasions. That's not possible on the MacBook Pro Touch. I also have to adjust to my Launchpad button now being where Siri is by default, next to the Touch ID sensor. Everything else is better, the touchpad included, which I thought I wouldn't have a use for. Also, the up and down keys are somehow easier to miss, which is strange, probably due to keyboard elevation. As for the keyboard, finally, this is a keyboard. I started developing on Mac as an iOS and Android developer in 2012. I had a hard time getting used to the gummy MacBook keyboard. The Touch Bar is something keyboard manufacturers in the PC world tried to make for years, ending up with horrible keyboards no developer would touch. Industrial design is better as well. My 'old' MacBook Pro Retina now seems big and clumsy (both are 15"). This is the feeling I have when I use it.
ksec 3 days ago 0 replies      
A lot of pros are also moving from the Mac Pro to the iMac, where the current processing power fits their needs. But video / CG pros seem to have an infinite appetite for CPU and GPU processing power, and Apple's lineup is not catering to them.

Not only do I wish they could rethink the Mac Pro trash can, I wish they could design the Mac Pro with server racks in mind.

Corrado 3 days ago 1 reply      
I agree that Apple shouldn't be chasing every bit of chickenfeed and producing lots of similar products. In fact, I would like to see Apple go back to 4 main macOS products: home desktop, home portable, pro desktop, pro portable. Getting rid of the MacBook Air/MacBook/MacBook Pro/iPad4/iPad Air/iPad Pro/iPad Pro2 confusion would go a long way to making it possible to recommend an Apple product to my friends & family.

As it stands now, when someone asks me what computer to buy I have to interrogate them on their exact usage pattern and then spend a couple of hours looking at all the different Apple products to see which one might serve them best. 10 years ago it was simple; you just want to send email, browse Facebook from home, get an iMac. If you wanted to compile code at Starbucks, get a MBP. Goofing off at the library, get a MB. Simple.

mayrosedgdotcom 3 days ago 0 replies      
I have been loving Ubuntu. I still use Windows for games, but I could never go back to Windows for getting work done or running servers.
frik 3 days ago 2 replies      
What video editing software are you using on Windows?

Adobe Premiere Pro? Avid? something else?

xt00 4 days ago 4 replies      
For the external GPU route on a Mac, does anybody know how fast the bus would need to be? Like could you use two USB-C ports in parallel on the latest and greatest Mac or something??
Mankhool 3 days ago 0 replies      
I work in a video production facility. We hate the trash cans. 3rd party chassis for them all fall short of an "all in one solution". These are our last Macs for production. We'll be on Windows boxes by this time next year. As a lifelong Apple user (Starting with the Apple II) this makes me sad, but Apple has done this to themselves.
JofArnold 3 days ago 0 replies      
What about external GPUs? I wonder if Apple should be doubling-down on that because it turns even the weakest MBs into incredibly capable machines.
iampliny 3 days ago 1 reply      
Pro was always a stepchild at Apple. Steve Jobs never stopped by NAB for the Final Cut Pro press events. And more than a decade ago I started seeing middle managers being "promoted" from Pro Apps to other divisions like iTunes.

The hard truth is that we pro folks aren't that lucrative. Pro users probably sit in the bottom of a smiling curve with high-volume consumer products on the one side, and high-revenue Enterprise on the other. To a company like Apple, pro users represent the worst of both worlds.

That's why you also see "media storage" companies like G-Technologies, who introduced pro products (like the late G-Speed) only to abandon that market for high-volume, low-touch consumer products like LaCie Rugged.

I want a new MBP with an nVidia GTX 1080 as much as the next guy, but I'm not holding my breath.

krschultz 3 days ago 0 replies      
Apple should license a single boutique manufacturer to make high quality workstations. It's clearly not a big enough market to interest Apple, but with the right agreement in place they could come up with a satisfactory solution.

- A Mac Pro owner that is seriously considering getting something else.

VeejayRampay 3 days ago 2 replies      
Apple is the Teflon company. It seems like no matter how many subpar (yet overpriced) products they put on the market, their reputation and public perception never suffers.

To this day, I have a negative opinion of Microsoft for their questionable practices in the past, and god knows they've been lambasted in the past for their general attitude (though it feels like this is starting to change). Apple on the other hand can totally afford to rehash their products from a few years ago, sit on a stash of gold, disappoint designers and programmers alike for years, leave Mac OS on a sidetrack and never has to face any kind of serious backlash.

It really says a lot about their marketing genius.

elif 3 days ago 1 reply      
I am curious if there is a single person that doesn't regret their 2013 Mac Pro (trash can) purchase.

I feel like an idiot. I multibox video games and my $1,000 entry-level Alienware frequently outperforms this $5,500 art piece.

tibbon 3 days ago 0 replies      
I moved to OS X for Pro Tools circa 2002, when Windows support for it was just awful. When I build my next studio machine, I think I'm moving back.

I need a machine that is large, powerful, and expandable. The Mac Pro isn't this.

I don't like Windows, but the only programs I'm going to use are Pro Tools and Ableton Live. Just like on my gaming computer, which essentially just runs Steam (and games), I can deal with it.

For live sets, I'll keep using a MacBook Pro, because if one breaks I can buy another in any city in 5 minutes and I will know it will work almost immediately for what I need.

intoverflow2 3 days ago 0 replies      
Did exactly this in December for CUDA based 3D rendering.

Been a Mac user for 15 years. It was hard to make the jump but I came to the realisation Apple just doesn't care about my work and therefore my money anymore.

intrasight 3 days ago 0 replies      
For those complaining that all PCs have flaws, the great thing about PCs is that you can build your own. All the parts for my new Skylake Xeon arrived this week. Can't wait to see what it can do! I'd been waiting for the Samsung 960 Pro 512GB which finally arrived. The 960 Pro is my boot drive. A 960 Evo 1TB is my data drive. No more spinning glass platters for me. Build your own and you get to make your own compromises.
amelius 3 days ago 0 replies      
Apple suffers seriously from NIH syndrome, so they will probably never let Nvidia play a major role in their ecosystem. Too bad; customers move away.
tempodox 3 days ago 1 reply      
I found the top comment on the site (from `has`) quite illuminating. I don't like the message at all but it seems to explain a lot.
randsp 3 days ago 0 replies      
After thinking a lot about buying an iMac for development (I've been using a MacBook Air for five years now), I just decided to forget about it and consider other platforms such as the ASUS VivoPC X; it is good-looking enough, has incomparable horsepower and is way less expensive. The only thing I am sure I am going to miss is macOS.
kondro 3 days ago 0 replies      
Video pros need high-end, fast, high-memory machines with fast storage.

99% of us developers don't. Even if you have a lot of VMs.

Corrado 3 days ago 0 replies      
Here is a more recent take on the original article - http://finance.yahoo.com/news/apple-strategy-forcing-pros-di...
jlebrech 3 days ago 0 replies      
If Apple reinvents the IDE for use with touch on iOS, they might be able to drop their laptops altogether for development, and maybe market some kind of cloud cube that people who want more grunt could purchase, rather than being limited to what can fit in a 2mm-thick laptop.
unicornporn 3 days ago 0 replies      
Yup we do. OS X user for 11 years, recently switched to two laptops. One Windows 10 laptop for video and photography work, one Linux laptop for the rest.
znpy 3 days ago 0 replies      
Windows has improved recently, and many of those might actually like it.

I guess no one cares at Apple: if the hugest slice of revenue comes from phones and tablets...

jscipione 3 days ago 0 replies      
The performance gap between Apple's latest today and the industry's latest is not nearly as great as in the late PPC era.
taude 3 days ago 0 replies      
I was under the impression from friends who work in Hollywood and television that not much video editing was done on Macs, anyway. That Avid software running on proprietary/custom hardware was standard. But this was five or six years ago. Maybe people had been switching to Macs in more recent times? (I remember a similar discussion came up when Apple consumerized Final Cut, and was told that pros don't use it anyway.)
al2o3cr 3 days ago 0 replies      
  due to the inherent bandwidth limits that Thunderbolt has as compared to the bus speeds of these GPU cards
[citation needed]

There probably are applications that need every single GBps of the x16 connector, but just saying "bandwidth limitations" isn't sufficient - see also the common SLI setup which switches to x8/x8 if two cards are installed.

draw_down 3 days ago 0 replies      
Their neglect of the pro market and the Mac Pro continues to be an embarrassment.
dimillian 3 days ago 0 replies      
Yes Apple, it's not rocket science, please stop using 2-year-old GPUs in your latest laptop...
astrodust 3 days ago 0 replies      
This is a reblog of the same article from 2016 that's been revivified and is making the rounds again.
12fkingheros 4 days ago 0 replies      
With GCE GPUs, there's very little reason to have a local one anymore.
sneak 3 days ago 1 reply      
ITT: People pretending the world's wealthiest company isn't building a 64-bit ARM desktop powerhouse.

Why would they continue dumping money into refreshing Intel-based systems when they screwed them on 32GB of RAM in the LPDDR4 thing on the new rMBP?

Can you imagine how annoyed the Apple people are that they can't sell you a $499 32GB RAM upgrade along with your $1299 1500GB SSD upgrade on your $4299 computer?

Apple's future is ARM and to expect any more powerhouse Intel systems from them was folly even a year ago.

Linus on Git and SHA-1 plus.google.com
547 points by dankohn1  2 days ago   168 comments top 19
joatmon-snoo 2 days ago 1 reply      
The actual mailing list discussion thread can be found here, and is infinitely more informative than any of the bull being spouted in this thread: http://public-inbox.org/git/20170226004657.zowlojdzqrrcalsm@...
bascule 2 days ago 13 replies      
Linus's transition plan seems to involve truncating SHA-256 to 160 bits. This is bad for several reasons:

- Truncating to 160 bits still has a birthday bound at 80 bits. That would still require a lot more brute force than the 2^63 computations involved to find this collision, but it is much weaker than is generally considered secure.

- Post-quantum, this means there will only be 80 bits of preimage resistance.

(Also: if he's going to truncate a hash, he should use SHA-512, which will be faster on 64-bit platforms.)

Do either of these weak security levels impact Git?

Preimage resistance does matter if we're worried about attackers reversing commit hashes back into their contents. Linus doesn't seem to care about this one, but I think he should.

Collision resistance absolutely matters for the commit signing case, and once again Linus is downplaying this. He starts off talking about how they're not doing that, then halfway through adding a "oh wait but some people do that", then trying to downplay it again by talking about how an attacker would need to influence the original commit.

Of course, this happens all the time: it's called a pull request. Linus insists that prior proper source code review will prevent an attacker who sends you a malicious pull request from being able to pull off a chosen-prefix collision. I have doubts about that, especially in any repos containing binary blobs (and especially if those binary blobs are executables).

Linus just doesn't take this stuff seriously. I really wish he would, though.
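
The birthday argument above can be checked rather than taken on faith. The Python below is an added example (not code from this thread, from Linus, or from Git itself): it frames blobs the way Git does and hashes them with SHA-1 or with SHA-256/SHA-512 truncated to 160 bits, then searches for collisions at small truncation widths where the sqrt(pi/2 * 2^n), roughly 2^(n/2), cost is observable in milliseconds; the 160-bit figure is only computed, never searched.

```python
"""Added example: what truncating a hash to n bits does to collision resistance.

Git's object id is hash(b"<type> <size>\\0<data>"). The thread discusses
replacing SHA-1 with SHA-256 truncated to 160 bits so ids stay 40 hex chars;
the objection is that a 160-bit output has a birthday bound of about 2^80.
That bound is measured here at n = 16..24 bits, where it can be observed.
"""
import hashlib
import math
import os
import statistics
from typing import Optional


def git_object_id(kind: str, data: bytes, algo: str = "sha1",
                  bits: Optional[int] = None) -> str:
    """Hash an object with Git's framing. `algo` is any hashlib name; `bits`
    (a multiple of 8) keeps only the leading bits of the digest, i.e. the
    SHA-256 -> 160 truncation discussed in the thread. With the defaults this
    reproduces what `git hash-object` prints for a blob."""
    framed = f"{kind} {len(data)}".encode() + b"\0" + data
    digest = hashlib.new(algo, framed).digest()
    if bits is not None:
        digest = digest[: bits // 8]
    return digest.hex()


def truncated_digest(msg: bytes, bits: int, algo: str = "sha256") -> int:
    """Leading `bits` bits of algo(msg) as an integer (any bit count)."""
    digest = hashlib.new(algo, msg).digest()
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - bits)


def trials_until_collision(bits: int, algo: str = "sha256") -> int:
    """Hash random 16-byte inputs until two distinct inputs share the same
    `bits`-bit truncated digest; return how many inputs that took."""
    seen = {}
    count = 0
    while True:
        msg = os.urandom(16)
        count += 1
        h = truncated_digest(msg, bits, algo)
        prev = seen.get(h)
        if prev is not None and prev != msg:
            return count
        seen[h] = msg


def expected_birthday_trials(bits: int) -> float:
    """Expected inputs to the first collision in a 2^bits space:
    sqrt(pi/2 * 2^bits), about 2^(bits/2). For bits=160 that is ~2^80.3."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def measure_birthday_bound(bits: int, runs: int = 200, algo: str = "sha256") -> float:
    """Mean observed trials-to-collision over `runs` searches divided by the
    prediction. A result near 1.0 confirms that truncating to n bits leaves
    only n/2 bits of collision resistance, whichever hash sits underneath."""
    observed = statistics.mean(trials_until_collision(bits, algo) for _ in range(runs))
    return observed / expected_birthday_trials(bits)


if __name__ == "__main__":
    blob = b"hello\n"  # constructed sample blob content
    print("sha1 blob id      :", git_object_id("blob", blob))
    print("sha256/160 blob id:", git_object_id("blob", blob, "sha256", 160))
    print("sha512/160 blob id:", git_object_id("blob", blob, "sha512", 160))
    for n in (16, 20, 24):
        print(f"{n}-bit truncation: observed/predicted = {measure_birthday_bound(n, 100):.2f}")
    print(f"160-bit truncation: predicted 2^{math.log2(expected_birthday_trials(160)):.1f} inputs")
```

The three blob ids are all 40 hex characters, which is the whole appeal of truncation; the ratio printed for each small width stays close to 1.0 for any underlying hash, which is the whole problem with it.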

runeks 2 days ago 2 replies      
One thing SHA-256 has going for it is that millions can be made from finding pre-image weaknesses in it, because it's used in Bitcoin mining. If you could "figure out" SHA-256 and use it to take over Bitcoin mining, you'd make $2M in the first 24 hours, at current rates. And if you play it wise, it could take a long time before anyone figures out what's going on.

With regards to market price for a successful attack, I don't think any hash function stands close to SHA-256. And for that reason I think it would be the right choice.

maxander 2 days ago 2 replies      
I don't really get the threat model here. If an attacker is pushing commits into your repository, you're long since toast on all possible security fronts, right? Is there anything nefarious they could accomplish through hash collisions that couldn't be done simply by editing commit history?
hannob 2 days ago 0 replies      
One thing that I think is worth mentioning: This was completely avoidable. Git isn't that old, it wasn't taken by surprise by the SHA1 attacks.

The first paper from Wang et al., which should've put SHA1 to rest, was published in 2004, the year before the first ever Git version was released. It could have been easy: Just take a secure hash from the beginning.

ploxiln 2 days ago 0 replies      
If anyone is really interested in more assurance of git commit contents, there's "git-evtag", which does a sha-512 hash over the full contents of a commit, including all trees and blob contents.


simias 2 days ago 0 replies      
While this post sounds very reasonable to me there's one point that I really don't get: why does he keep saying that git commit hashes have nothing to do with security?

If he believes that, why does git allow signing tags and commits and why does Linus himself sign kernel release tags? Isn't that the very definition of "using a hash for security"?

luckydude 1 day ago 0 replies      
Linus is a little behind the times with this comment:

"Other SCM's have used things like CRC's for error detection, although honestly the most common error handling method in most SCM's tends to be "tough luck, maybe your data is there, maybe it isn't, I don't care"."

BitKeeper has an error detection (CRC per block) and error correction (XOR block at the end) system. Any single block loss is correctable. Block sizes vary with file size so large files have to lose a large amount of data to be non-correctable.

hackuser 2 days ago 1 reply      
Related, from Mozilla:

* The end of SHA-1 on the Public Web


As announced last fall, we've been disabling SHA-1 for increasing numbers of Firefox users since the release of Firefox 51 using a gradual phase-in technique. Tomorrow [Feb 24th], this deprecation policy will reach all Firefox users. It is enabled by default in Firefox 52.

butwhynotmore 2 days ago 0 replies      
In the specific case of cryptography where it's unknown how bulletproof the algorithm will be why not use multiple hash functions? Perhaps using the top 10 best hash functions of the day. That way you're not putting all your eggs in one basket and if nefarious collisions are able to be created in the future you still have the other hash functions to both "trust" and double check against. It's even more unlikely that nefarious collisions will be able to be constructed that collide all the other hash functions as well. You could just append the hashes to each other or put them in a hash table or something. Maybe my computer science is not up to snuff but it seems like this would provide more resiliency against future and non-public mathematical breakthroughs as well as increased computing power such as quantum computing. Yes, it would take a little longer to compute all the hashes in day to day use, but with the benefit of a more robust system both now and in the future.
godzilla82 1 day ago 0 replies      
Newbie question .. can someone please help me understand the attack scenario. If I, as the attacker, want to inject malicious code/binary into a git repo, then I need to write my malicious code/binary in such a way that the resultant hash collides with one of the commits (? Or the last one?) in the repo. Is this correct?
claar 2 days ago 0 replies      
Also see discussion of Linus's earlier comments at https://news.ycombinator.com/item?id=13719368
frik 1 day ago 2 replies      
Can someone correct me? SVN/Subversion and Git are affected by the SHA-1 problem. SVN uses SHA-1 internally, but exposes only a numeric int as revision. Git uses SHA-1 internally and as revision. So if someone commits a modified PDF that collides, he can wreak havoc on both SVN and Git at the moment. It seems easier to fix the issue in SVN than Git.
theseoafs 2 days ago 1 reply      
Have there been writings on what exactly git's migration strategy to a new hash function will be? Apparently they have a seamless transition designed that won't require anyone to update their repositories, which seems like a pretty crazy promise in the absence of details.
jmount 2 days ago 0 replies      
Probably isn't the sky falling. But if knowing the length fixed all hash function issues, then cryptographic hashes would just use some more bits for length.
yuhong 1 day ago 0 replies      
I do wonder how many outside of crypto circles know about SHA-2 circa 2004.
colin_fraizer 2 days ago 1 reply      
This, btw, is why we have e-cigarette bans. The fact that the generally high-IQ, paid-to-think-about-subtle-categorization community of software developers needs to be inoculated against the "I Heard SHA-1 Was Bad Now" meme, should serve as a reminder for why most things should not be managed by democracy.

(Yeah, I know this will be read as a plea for monarchy and downvoted. It simply proves my point: people are WAY too subject to errors in the classes (1) "I hate him because he said something 'bad' about something 'good'." and (2) "I hate him because he said something 'good' about something The Tribe now knows is 'bad.')

dboreham 2 days ago 0 replies      
Um what? Software written in the past 20 years has a baked-in assumption that the length of some ID can't change?
debatem1 2 days ago 4 replies      
I'm mystified as to why this is even a discussion.

SHA1 is busted. That impacts some git users. The fix is not invasive. Fix the bug. Make the transition. Move on.

Super unprofessional.

I was just asked to balance a Binary Search Tree by JFK's airport immigration twitter.com
586 points by z3t1  1 day ago   278 comments top 43
rjtobin 1 day ago 8 replies      
Once (also in JFK) I was quizzed a bit by the CBP officer. I told him I was a math grad student, he said "well, then tell me about the Euler problem". I explained that Euler was a fairly prolific guy, and asked if he could be more specific. He didn't relent, apparently he had seen some documentary that was all about the "Euler problem".

Eventually, we moved on to my background, and I mentioned I had done a masters in computational neuroscience. He said something like "oh neuroscience, my great aunt had that", I think he thought it was an illness? Was sort of expecting the reality TV cameras to be busted out at that point...

He let me through though! Usually I clear immigration in Ireland (one of the few places you can do the immigration before you leave), and those folks are always much more pleasant.

belltaco 1 day ago 3 replies      
I wonder if P = NP would end up being proven by someone who didn't want to be sent back after 23 hours of traveling.
egeozcan 18 hours ago 5 replies      
The more I read about things like these, the more I love Germany (my new home). The officers at Frankfurt Airport are always nice and I never had any problems nor heard about one. I hear it's even better in Berlin.

I don't understand why host countries don't try to make themselves the most favorite country in the world for their guests. I believe "not allowing terrorists/drug dealers/illegal workers etc. etc. inside" is just the marketing, as I seriously doubt people who slip through the cracks of a saner screening process would be a significant problem. Therefore, I wonder what the real reason is but can't think of any.

jpalomaki 22 hours ago 10 replies      
In a way this actually makes sense. Instead of relying on automatic systems and algorithms, you rely on people, namely the agent performing the interview. A short chat about selected topics might actually be quite revealing. The point is not whether you know the exact right answer for the BST question but more how you react and if there are inconsistencies in your story (most people are pretty bad at lying).

All of this could be backed by the personal data that has been collected beforehand.

The old (and often linked?) article about airport security in Israel[1] describes how they actually rely a lot on people being able to spot strange behavior.

[1] http://www.huffingtonpost.com/daniel-wagner/what-israeli-air...

orless 20 hours ago 0 replies      
Around 2002 we (a group of Russians) were returning with friends from a ski trip in Austria back to Germany. There happened to be a police control on the train. Then I realized I had no passport with me. The best ID I had was my business card (of course, no photo on it).

So the policeman looks at it and says "Oh, the database department. Which databases do you guys use?" Basically I was able to identify myself with some Oracle and knowing who Scott Tiger was.

The policeman appeared to be an IT drop-out who switched to police.

peterkelly 1 day ago 3 replies      
This happened to an Australian guy recently. Was asked to code up some stuff in Python.


pfarnsworth 1 day ago 5 replies      
I'm going to wait for more information before believing this. There have been so many cases of fake twitter outrage that it makes sense to wait a day or two before taking out the pitchforks.

What's sad is that in this climate it's not completely unbelievable that something like this could happen.

gk1 1 day ago 0 replies      
Something similar happened to me around 5 years ago. I'm a white 20-something male and was returning from Colombia on my own, with no bags except a small backpack. I guess that seemed suspicious enough that I was asked specific, quiz-like questions about my profession, and then sent to secondary screening.

In other words, this does not seem to me like anything new.

everybodyknows 23 hours ago 2 replies      
Returning from Canada back in the 90's, I was asked what I had been doing there.

"Attending a conference on computational geometry."

"What's that?"

Pause for thought -- several seconds.

"Applying computers to solving problems in geometry."

This got me waved in. Co-workers told of the encounter later on proposed an alternative reply: "You wouldn't understand." Given the tone of the agent, those might have been very costly words.

misja111 20 hours ago 2 replies      
Not as spectacular, but 4 years ago when I arrived at SF airport after an 11-hour trip the immigration officer asked why I was there. I told him I was visiting a software conference. To my surprise he then asked me to write 16 in hexadecimal. Luckily I didn't screw up.

I asked him how come he knew about that stuff and he told me that in a former career he was working in IT as well. I thought it was funny.

fahimulhaq 1 day ago 7 replies      
I want to joke that CBP might be looking for referral bonuses by referring great candidates to tech companies.

However, if it's really true, it is depressing. He was actually given an A4 sheet to balance a BST. Wow.

What if he failed the test? I assume that CBP cannot deny you entry because you didn't brush up on your algorithms and data-structures during your flight. But, they can still keep you detained for secondary screening.

wrasee 17 hours ago 1 reply      
I think there's been quite a bit of overreaction here.

Part of their job is simply to determine that you are who you say you are. They do this every day - within reason I expect they can ask you any arbitrary question related to you and your life to observe how you respond. They just want to catch those out that aren't, for whatever reason, being genuine about their story. I think there's a false assumption here that somehow @cyberomin's ability to actually _solve_ a BST was in some way tied to his likelihood of entry. That's obviously ridiculous. I imagine his response was still genuine enough that they believed him. Frankly as another commenter joked, I think they could have asked him to prove P=NP. It's when you reply confidently with an 'obvious' solution that they might raise an eyebrow.

Yes, it would be unreasonable if their ignorance actually led to you being denied entry. But in not one of the experiences here, or with @cyberomin, was that actually the case. The thing is, of course, that they're aware of their ignorance and the absurdity of their questions. You see, they know that they're bluffing. That's kind of the point.

It is, perhaps rather unfortunately, part of their job to make you feel uncomfortable, ask probing questions and weed out inconsistencies in your responses. Isn't that part of professional questioning? I can understand the frustration at the abruptness of the questioning, and it's hardly a friendly welcome. I've been angered leaving immigration before and I have to remind myself that ruffling my feathers is all part of the act. When first complaining to a friend she asked, "what did they insult you or something?" Actually, no. They just asked me lots of questions.

Clearly I'd like to think some questions are off-limits - I know there have been justified concerns about this - especially recently. And I understand this is hot topic right now - precisely why I think we should be careful - more careful than ever - not to overreact. From what I observe: The guy arrived, he was asked questions about his profession, his answers were evidently sufficient and he was let in. It happens to thousands of people every day. Honestly? I don't think there's a story here.

vickychijwani 17 hours ago 1 reply      
I have a theory on how CBP is trained to scan people, that seems more plausible without assuming malicious intent: they're not expecting you to know exactly how to balance a BST, but just enough to hold a conversation about it while they look for telltale signs. My guess is that even a reply like, "Look, I'm a self-taught web developer and I don't deal with algorithms day-to-day, sorry. But you can ask me web dev questions if you wish." would work.
sAbakumoff 17 hours ago 1 reply      
December 2016, I arrive at JFK from Moscow and a border officer asks me about the purpose of my visit. I explain that I am attending a business meeting in NC. She wants to help and informs me that I have to pick up my luggage in NYC and then check it in for my next flight. I smile and reply "fortunately I don't have any luggage". Immediately she becomes suspicious of me and asks "But you are here for a business meeting, where is your business suit?" I explain that I am in IT and everyone in my company is OK with a casual style. She nods and lets me go. "Thank God IT does not really care about my clothes" I think and successfully enter the land of the free.
mstade 18 hours ago 1 reply      
I flew to the USA late last year, through London. When going to the desk for my connecting flight at LHR, the gentleman there did some sort of pre-authorization and asked me a number of CS questions. Nothing as specific as the above, but things like what languages I used for work, specific tooling, who my clients were etc. It felt quite strange to be asked these things; it's never happened to me before when traveling anywhere, including stateside. What's more, this was a person hired by American Airlines, not some CBP officer or, at least, it seemed that way.
zwischenzug 22 hours ago 0 replies      
Not even close, but similarly: travelling to Israel for work some years ago I was asked what I did for a job. Software engineer, I said. 'Where is your laptop?' I explained I didn't have one, that I worked only on desktops. It took some persuading the guy that you could be a software engineer without a laptop.
dorfsmay 23 hours ago 1 reply      
The best CS subject to talk about in such context would be "race conditions"!
ankurdhama 1 day ago 1 reply      
Potential answer: "Call the balance method on the BST object"
Corrado 15 hours ago 1 reply      
At first I thought this was a joke, but after reading some of the comments here I'm truly scared of traveling abroad. I've been programming computers for 25 years and I don't think I could build a binary search tree, let alone balance one. :O
somberi 19 hours ago 0 replies      
I was asked something similar about 7 years ago, when I went to renew my Green Card a few days ahead of my scheduled appearance. The agent, a math major with a sense of humor, asked me to do 12 factorial and then he would accommodate me. I did, and he held his side.

But I kindly doubt this guy's binary search claim.

khazhou 21 hours ago 0 replies      
Google's recruiting tactics are getting ridiculous!
rsynnott 17 hours ago 0 replies      
Are they doing this for everyone? "Oh, you work in a slaughterhouse? Disembowel this cow."

Absolutely absurd.

Grue3 22 hours ago 1 reply      
That's pretty impressive that the immigration officer knew what a binary tree is. People who can't code a FizzBuzz but faked their way through an interview should be concerned.
BWStearns 15 hours ago 0 replies      
ezoe 21 hours ago 0 replies      
This is a story I've read somewhere.

"At the airport, when I said I am Japanese, the officer handed me a Japanese newspaper and asked me to read it aloud. The newspaper had a really rare place name that I couldn't read. The officer suspected me."

daveheq 12 hours ago 0 replies      
elif 21 hours ago 0 replies      
I wonder if they are that insistent on people whose occupation is porn actor. I imagine so many lines of questioning there could be legally considered sexual harassment that the interviewer would decide to let you go out of self-interest.
jwilk 18 hours ago 1 reply      
For those who wonder what the optimal algorithm is:


remx 13 hours ago 0 replies      
Some of the replies in the Twitter thread are hilarious

 whiteboarding, it's the new waterboarding? Furious /@AnnieTheObscure

jplayer01 19 hours ago 2 replies      
... This is odd considering that a disproportionate amount of terrorists are engineers.
crypto5 20 hours ago 0 replies      
And looks like he didn't give answer: https://twitter.com/cyberomin/status/835997085916872704
jlebrech 19 hours ago 0 replies      
"i'm a CS phd", "prove it" .. non-story.

but i think they should have asked him to spend a bit of time writing cool oss code (maybe before his flight)

quiyile 12 hours ago 0 replies      
I would say I had just got off a flight and I was tired and needed a shower and I was not in the mood to work as I was on vacation.
samsonradu 11 hours ago 0 replies      
Could be that they're hiring.
lz400 17 hours ago 0 replies      
If you answer with your hourly rate they let you in?
nippples 16 hours ago 0 replies      
inb4 turns out to be complete bullshit
ma-nu 20 hours ago 0 replies      
If I wrote a program to draw a doughnut, would they be able to make out that I just pulled their leg :) ?
throwaway_374 17 hours ago 0 replies      
What is the point of CBP? Can't their jobs just be automated away by immigration kiosks? Surely there's no human value they actually add. What even is the effectiveness of these routine "randomly selected" checks beyond sniffer dogs for cocaine mules.
oh_sigh 1 day ago 2 replies      
coleifer 1 day ago 2 replies      
oh_sigh 1 day ago 3 replies      
Anyone want to take odds on this story being fabricated?
beedogs 21 hours ago 0 replies      
Still waiting on the impeachment proceedings. Any day now.
noobermin 1 day ago 1 reply      
Sounds like grounds for a suit of some kind.
How to Self-Publish a Novel in 2017 zhubert.com
481 points by zhubert  15 hours ago   145 comments top 37
ilamont 14 hours ago 3 replies      
The author mentions getting a copy editor, but I would also advise hiring a development editor and/or getting feedback from beta readers. Quoting Stephen King (1):

Show your piece to a number of people - ten, let us say. Listen carefully to what they tell you. Smile and nod a lot. Then review what was said very carefully. If your critics are all telling you the same thing about some facet of your story - a plot twist that doesn't work, a character who rings false, stilted narrative, or half a dozen other possibles - change that facet.

It doesn't matter if you really liked that twist or that character; if a lot of people are telling you something is wrong with your piece, it is. If seven or eight of them are hitting on that same thing, I'd still suggest changing it. But if everyone - or even most everyone - is criticizing something different, you can safely disregard what all of them say.

In the same piece, King advises "if it's bad, kill it." (When it comes to people, mercy killing is against the law. When it comes to fiction, it is the law.)

1. http://www.jerryjenkins.com/guest-blog-from-stephen-king/

austenallred 14 hours ago 4 replies      
I just finished my first book, and I went a little bit different of a route than the author here.

I know this isn't very DIY, but it's probably worth knowing it's an option: I simply hired someone who works at a book publishing company to edit and typeset the book for me on the side. The person I hired does it for a living and is incredibly good at it. Let's just say it's not the most lucrative career choice, so I had the entire book (198 pages) edited and typeset by a professional for about $400.

This also had the added benefit of letting me write and get feedback from early readers using google docs, which was incredibly important.

I ended up paying her a pretty big bonus on top of that (as we pre-sold $110,000 worth and since publishing a couple days ago have brought in another $2,000 - all straight profit since we're ebook only so far and not on Amazon) but for my time and sanity it was very, very worth it.

scandox 14 hours ago 1 reply      
Forget all the tooling. There are two battles:

1. To write the best book you possibly can

2. To print, market and sell that book

Far and away the most important thing is No. 1, because No. 2 cannot happen effectively without that. And the bar is high - very high. So in many ways the battle is lost or won by the time you've put down your pen. Yes marketing and distribution are incredibly important. Design too. But none of it is going to do much good unless the book really works. And making a book work is not hit and miss. It's the product of a very exact type of knowledge and skill - this is especially true of genre work. Of course, there have been a few tremendous exceptions - but you'll know if you're one of those.

So with self-publishing, as with ordinary publishing: first write a great book.

For that the tools you need are:

1. Someone who can give you tough feedback and who knows what they're talking about

2. A writing group for softer, more regular feedback

3. Long practice in writing shorter work

4. Long practice in critical reading of other people's work, especially unpublished work. You'll never make a mistake once you see that mistake and understand it in someone else's work.

skookumchuck 22 minutes ago 0 replies      
If your scifi book synopsis contains one of the phrases:

1. journey to the end of the universe

2. the fate of the universe hangs in the balance

3. voyage to the end of time

I put the book back on the shelf.

teach 14 hours ago 2 replies      
How to self-publish a paperback novel, that is. Looks like a lot of good advice!

For my use case (self-publishing a digital-only book):

I wrote "Learn Java the Hard Way" using Leanpub and I was pleased with the experience, but their build tools are closed-source and sort-of creaky and the tweak-compile-preview cycle is WAY too slow for my workflow.

I intend to use Softcover for my next one.

Recently I switched to Gumroad for fulfillment and I have been incredibly happy with them. Highly recommended.

chipotle_coyote 10 hours ago 1 reply      
I'm not sure that figuring out the tooling for indie publishing is too difficult these days. I recently published my first novel, and while it actually isn't self-published--it was accepted by a small press I'd worked with before--in terms of the tooling, it's being approached as a self-published project: I did the typesetting myself, for both ebook and print. (Like Zack Hubert, I used Vellum for the ebook, although I did the print version with LaTeX, which I'll probably write up a short guide to sometime.)

While my press paid for the cover art, printing, ISBN, and other stuff, and they've done some advertising, a lot of the promotional work is left up to me...and in a lot of ways I think marketing is a much harder problem to solve. My novel came out of an intensive workshop led by a Nebula, Hugo and World Fantasy Award winner (Kij Johnson), has a blurb from a recent Nebula novel nominee (Lawrence Schoen, author of BARSK), was available for pre-order, and I've done what I could to promote it...and it turns out all those people saying it's tough to get your book noticed are, surprise, absolutely right.

tl;dr: while I'm interested in how Mr. Hubert produced his book, I'm more interested in how he finds an audience for it. (Beyond writing an article about it that gets linked on the front page of Hacker News!)

vgt 11 hours ago 0 replies      
My wife is an aspiring novelist (on her 9th draft of the novel) with an MFA in fiction and some experience working for a literary agent. Some perspective from that side:

- 99% of all drafts sent to literary agents are objectively non-publishable. Simple lack of quality, lack of maturity, or other quantifiable factors. One or two drafts is not enough, even for experienced established novelists. Sadly, you can often tell within the first 5 pages, and even within the first paragraph.

- Out of the 1% that have the potential to be publishable, at least 4 drafts, and often much more, are required to reach the quality desired to actually be publishable.

- Good novels that are simply not what the agent/publisher is looking for at that time is also a factor, but a very distant one relative to just quality of work.

- In fact, if your novel is "good" but the agent/publisher is not inclined to pick it up, they are more inclined to ask for a full draft, to give great editorial notes, or to give referrals to other agents/publishers.

- If an agent thinks that they cannot take a specific "Good" book to market, they will frequently give pertinent feedback and often suggest specific revisions in order to make such a book marketable.

- At PNWA and other literary conferences, the vast majority of attendees bring a single draft, or maybe a second draft.

I should note that "number of drafts" is not an absolute requirement. Different folks write differently, and having a high number of iterations on your novel is not an indication of quality, rather an indication of the prerequisite work required to produce a good product.

So while the publishing world is far from perfect, and both publishers and agents tend to gravitate towards what's fashionable, the reality is that the vast majority of aspiring work is simply far from finished, despite the authors' claims (this doesn't preclude garbage like "50 shades" from seeing the light of day, mind you).

Self-publishing gives those 99% a window to self-publish with only marginal quality controls. This in a way has the potential to overwhelm the system, and the objectively higher quality works can get drowned out in the noise.

Not to mention that, once self-published, a book is highly unlikely to be re-published by a traditional publisher, especially for a first-time author.

I'll close this tirade on a positive message. If you're a writer, you've already succeeded. The inner battles fought every single day for months and years on end alone make you a winner.

gozur88 11 hours ago 1 reply      
The copy editor is a sore point with me. It's getting more and more common for me to run across jarring errors in novels. I don't mind so much if it's a digital-only 99 cent Kindle book, but if I spend six bucks on a book I don't expect to see duplicate sentences or incorrect word choice. "Tow the line", for example, or "then" when "than" would be correct.
dlubarov 8 hours ago 0 replies      
My advice would be to look at the pricing of CreateSpace versus Lightning Source/Spark before choosing one. And keep in mind that LS is the only one which lets you control the Ingram discount, down to 20%.

Here's the LS pricing guide: https://myaccount.lightningsource.com/documents/LSI/files/pr... and here's the CS pricing: https://www.createspace.com/Products/Book/Royalties.jsp

For example, I sell a very short book via LS. The MSRP is $2.99, I set a 20% Ingram discount, and the print charge is only $1.56 (though the pricing guide now says $1.72; I think it's increasing soon). So I make $0.84 per book. With CreateSpace the lowest possible print charge is $2.15 per book, and given their fixed 40%/60% sales channel fees, it wouldn't be possible to sell the book for as low as $2.99.

LS isn't always cheaper though; you should do the calculation for your particular book size and page count.

Working with LS does make things a bit harder. You have to buy your own ISBNs, spend time waiting for certain manual processes (like for them to review your account application or a new book), and deal with their clunky website. But for me, it's worth the effort to be able to publish short books much more cheaply.

sireat 8 hours ago 0 replies      
If you plan on translating or writing in another language beware of KDP!

Time for my annual rant on KDP and Amazon not caring about writers in non-English.

The list of supported languages is incredibly limited: https://kdp.amazon.com/help?topicId=A9FDO0A3V0119

Finnish is allowed but Estonian is not... it is ridiculous. Latvian and Lithuanian are not allowed, Russian is not allowed etc etc.

It took a shaming campaign by the British press to get Welsh added.

This restriction is so silly when the book comes out perfectly on Createspace paper version.

It looks fine doing my own conversion for the Kindle but Amazon will not let me publish the books in unsupported languages.

I do editing and typesetting for a non-profit as a hobby/volunteer effort and end up publishing the paper books on Createspace but ebooks have to go through Kobo and other non Amazon venues.

eslaught 10 hours ago 1 reply      
I think the author missed the most important point (maybe they haven't gotten this far yet): marketing and especially market-fit.

If you just want to release an ebook or even in paper, you can do that easily. If you want to release an ebook and have it be a success, that's really hard. It's hard even for traditional publishers, and it's certainly not any easier for self-published authors.

Anecdote: I helped my grandmother release her first book (here: http://carolynnslaughter.com/book/). The technical aspects are frankly not that hard. For anyone with halfway reasonable technical skills, launching a book is simply a matter of following various instructions online.

How much did we sell? Pretty close to rounding error of zero. Honestly, we were never expecting much success, because the book is fairly academic.

Edit: Less anecdotally: "Ninety percent of your book's success will be determined by the quality of your book. The other ten percent is distribution, marketing and luck." (From Mark Coker, founder of Smashwords: https://www.smashwords.com/books/view/145431)

I understand that as HN readers we gravitate towards technical solutions. But the sibling comment by scandox is on the nose here. The hardest problem by far is writing a book that people will be willing to pay money for. The second hardest problem is marketing it, and all these other technical aspects come somewhere after that.

cstross 12 hours ago 2 replies      
NOTE: Step 2: Write the Novel ... You know, the easy part.

For those who have never written a novel, the writer is being sarcastic here. The equivalent in terms of reference more familiar to the regulars on HN might well be: "Step 2: study for a CS degree, then decide which industry you intend to disrupt, learn how it works, and come up with a strategy. Oh, and write the killer app."

This is just the framework for the business plan: it's helpful, but it's insufficient on its own.

marak830 3 hours ago 1 reply      
As someone who is working with another chef to release their own cook book and associated app, this and the comments are immensely helpful. Thank you :-)
mindcrime 10 hours ago 0 replies      
CreateSpace is fine as far as self-publishing / print-on-demand goes, but just FYI another option is Lulu.com.

Disclaimer: I used to work for Lulu, but no longer do, and have no financial stake in them. Just wanted to point out the existence of another option.

robotkdick 8 hours ago 0 replies      
The article addresses the finishing rites for self-publishing, but the note on tl;dr at the top should be expanded to say something like: writing a novel is the equivalent of starting a small company. It takes at least three months of focused effort to write something worthwhile for an experienced novelist, a year or ten for a novice.

Also, it might be helpful to note that the likelihood of making a living from writing is dependent on how fast an author can complete each novel.

Balgair 11 hours ago 0 replies      
This is not related to the article, but US-based HN readers may benefit from it: You can set up an account with your local library to 'check out' books for your Kindle completely free. If you're an avid reader like me, this saves a lot of cash in buying those books and reading them once or twice. There are some restrictions on the number of titles and the length of 'check out' though. Each library has different rules and stipulations. Check whether your local library has this program; most cities do by now.
marvindanig 10 hours ago 1 reply      
Shout out to @zhubert, cool article -- thanks for sharing it! This is how I'd write a novel in 2017 and do it for one web instead:


Disclosure: I'm the developer/engineer.

username223 12 hours ago 0 replies      
Interesting. I recently published a paperback in a different space (color, lots of figures), and made completely different choices. I can't write anything nearly as long or specific as your blog post here, but in brief:

* I used XeTeX plus my editor of choice.

* I sent it to a few friends, listened to what they said, and read and re-read until my eyes bled.

* I avoided Amazon like the plague, instead using a small print-on-demand shop with reasonable prices.

* I sold via pre-sales, my personal website, and consignment at small bookstores.

zitterbewegung 13 hours ago 0 replies      
I self-published a book of my poetry on Kindle Direct Publishing 5 years ago, see http://a.co/iw4r1jq I also used Lulu to make a physical copy. For Lulu I think I used Microsoft Word, and for Kindle you could just make an HTML document to be published. The tooling in this article is great but, as other people have pointed out, marketing your book is more important. The article should be titled how to typeset a novel in 2017.
gkya 7 hours ago 0 replies      
Literature doesn't work this way... It's hard to get your first book published because you are unknown in the literary circles. One has to start with introducing themselves in literary journals (or even blogs), publishing short stories, reviews, essays, etc. Probably none of the acclaimed authors started out with a big novel. Then, publishing with a known editor is easier, and has many positives: their name alone helps increase the amount of potential readers.
6stringmerc 12 hours ago 2 replies      
Very nifty guide and honestly very needed in the DIY space I think. Mostly because I feel long-form print (specifically hard copy) is occupying a smaller and smaller market share year after year. There's definitely still demand - as in airport bookstores - but the ROI doesn't seem very appealing.

My experience was through Smashwords and I was pleased with the platform. Never even recouped the $10 or so fee to get the ISBN number hah. It's a nice opportunity - self publishing, that is - and I think lots of amateur writers should feel compelled to give it a try. Nothing is quite like the artistic experience of working very hard on a piece, getting it out into the world, and almost nobody paying any attention to it. Except a couple purchases by relatives.

Not everybody gets to be Chuck Tingle, which, while fiscally successful, is the literary equivalent of the contents of a mop bucket at a seedy peep show joint. Ugh.

crpatino 7 hours ago 1 reply      
More or less off-topic question. How to not get sued by overzealous copyrights holders?

I have an idea for an informal Chemistry 101 notebook. I might end up making comparisons between cartoon characters and periodic table elements: Hydrogen ~= Tinkerbell, Helium ~= Master Yoda, Lithium ~= Philoctetes (from the Hercules movie), etc.

It is not reassuring that most references in that list are owned by Disney Co.

rekshaw 13 hours ago 2 replies      
Nice guide, although it is more of a 2016 guide. Amazon recently launched the public beta of KDP Print making CreateSpace redundant.


valine 10 hours ago 2 replies      
> The lingua franca for most writing is Microsoft Word so you'll have to buy that eventually...

I don't understand why something as ubiquitous as writing necessitates spending $100 on software from Microsoft. A plain text editor works out of the box. If you have a need for more complex formatting you could use LibreOffice, OpenOffice, Pages (comes free with a new Mac/iPad), WPS Office, etc. I get that Word is the standard and all, I just don't understand why the agreed-upon standard needs to cost upward of $100, especially for something as simple as word processing.

MLR 14 hours ago 2 replies      
I've been toying with the idea of a site for original written works, in the same vein as current fanfiction sites or Deviantart.

I imagine it would end up working along the shareware model, x chapters here for free and purchase access to the full story, or something along those lines - though if there is a market for it you could use it as a streamlining process for publishing houses I suppose

Is anybody aware of a site like that in the wild already?

ajeet_dhaliwal 14 hours ago 1 reply      
Thanks for this, it's interesting to see an article that goes from showing step zero all the way to selling on Amazon. I tried getting my novel published in 2012 and was rejected by many literary agents to the point I was having trouble finding any left that I had not submitted to. I considered self-publishing at the time but decided against it. I'll keep this bookmarked should I choose to self publish in the future.
morehuman 13 hours ago 0 replies      
Prolifiko are doing a great job of supporting writers via its app: http://www.thememo.com/2017/01/04/prolifiko-writing-tool-pro...
necklace 12 hours ago 2 replies      
Seems I am on a downvote streak lately so I'll keep going; why would you not use (Xe)LaTeX? If I was too lazy to use that I would probably use something like bookdown.
faet 12 hours ago 1 reply      
I have some of my books on Amazon KDP and a few not. KDP is nice because it's easy. But, the exclusivity can suck.
lutusp 8 hours ago 2 replies      
Quote: "TL;DR: Scrivener, Vellum, KDP, Createspace"

Scrivener is US$40, Vellum is Mac-only and US$200, the other two are unnecessary/replaceable and IMHO should be a list of equivalent options -- once you have a manuscript, which can be created using any number of free tools.

Someone who imagines writing the Great American Novel, but who also expects to have to pay a premium for each step along the way, may not grasp the essence of novel writing -- how it fits into the big picture.

There are any number of free word processors able to organize a book project into chapters and sections. Self-publishing is also free or should be.

My favorite story about novel creation is that of Andy Weir and The Martian. Weir started the project as a series of blog posts, got very useful feedback from his readers, improved his content on that basis, and the project grew nearly on its own. By the time Weir wanted to talk to publishers, they already wanted to talk to him.

innocentoldguy 11 hours ago 1 reply      
Scrivener exports to Word, and various other formats. Working with large manuscripts in Word is a challenge, and it lacks many of the writing features of Scrivener. I've personally never had a problem with Scrivener's Word exporter, and have never felt like I needed to purchase Word.
dredmorbius 10 hours ago 1 reply      
If you're not of the "I'm writing because I can't not" personality, you might also want to consider self publishing book statistics.


innocentoldguy 11 hours ago 1 reply      
One thing I would suggest, which isn't mentioned in the article, is to join a writing group. It will give you an opportunity to both give and receive constructive criticism, see what works and what doesn't, and will help improve your work overall (if you listen to the criticisms, anyway).
arc_of_descent 13 hours ago 1 reply      
I'm curious. Do you jot everything down on Scrivener? Or do you also write on paper?

Lately I've been carrying a notebook everywhere I go and I'm starting to write much more.

dagenleg 14 hours ago 1 reply      

- use proprietary tool 1

- enslave yourself to Amazon

- use proprietary tool 2 from Amazon

DrNuke 13 hours ago 0 replies      
Talking arty, literary novels are form more than content, so why self-publish a literary novel if form is strong enough?
yazbo_mcclure 14 hours ago 1 reply      
Ugh, Facebook really? I would want to read it, but how do I remember? An email would work maybe. A text would get me for sure, but I don't have Facebook.
Warren Buffett's Annual Letter to Berkshire Hathaway Shareholders [pdf] berkshirehathaway.com
395 points by grellas  2 days ago   305 comments top 23
otalp 2 days ago 6 replies      
"In Berkshire's 2005 annual report, I argued that active investment management by professionals - in aggregate - would over a period of years underperform the returns achieved by rank amateurs who simply sat still. I explained that the massive fees levied by a variety of 'helpers' would leave their clients - again in aggregate - worse off than if the amateurs simply invested in an unmanaged low-cost index fund."

He then goes on to show how that's been true, and that a standard index fund outperforms almost every hedge fund even before the extra fees to the hedge funds are taken into account.

It's not the first time this has been pointed out, and it suggests that for non-multimillionaires, an index fund is always the most rational choice.

You get close to the return you'd get by investing in real estate, with the added benefit of index funds being much more easily liquifiable.

dsacco 2 days ago 13 replies      
There's one particular passage I'd like to point out, on page 5:

Our efforts to materially increase the normalized earnings of Berkshire will be aided as they have been throughout our managerial tenure by America's economic dynamism. One word sums up our country's achievements: miraculous. From a standing start 240 years ago a span of time less than triple my days on earth Americans have combined human ingenuity, a market system, a tide of talented and ambitious immigrants, and the rule of law to deliver abundance beyond any dreams of our forefathers. You need not be an economist to understand how well our system has worked. Just look around you. See the 75 million owner-occupied homes, the bountiful farmland, the 260 million vehicles, the hyper-productive factories, the great medical centers, the talent-filled universities, you name it they all represent a net gain for Americans from the barren lands, primitive structures and meager output of 1776. Starting from scratch, America has amassed wealth totaling $90 trillion.

I don't often see this sort of pride in America. Normally the flavors I do observe are hyper-nationalistic and filled with bravado, while the tone here is lauding yet reserved. There's a sense of authenticity delivered in the way Warren Buffett - an extremely humble, yet successful man - talks about the way his country has helped him succeed. It's austere.

This isn't part of the regularly scheduled programming for threads about his letters (mostly we like to champion index funds or debate the utility of active investing), but it's what really struck me this time around. Juxtapose his words here with the same category of conversation about America in many other contexts and contrast the integrity involved. In a time when America appears to be experiencing quite a bit of social and political volatility, it is refreshing to hear optimism from a source that does not appear to use it as an instrument of control.

EDIT: Well this has since ignited a debate about America's cultural identity and history of imperialism...not really the spirit of what I was going for but here we are I guess...

tyingq 2 days ago 4 replies      
The transparency and humble tone is pretty unique.

"Unfortunately, I followed the GEICO purchase by foolishly using Berkshire stock"

"It was, nevertheless, a terrible mistake on my part"

"Despite that cautious approach, I made one particularly egregious error"

I bet you don't find that sort of thing in many other annual shareholder letters.

Radle 2 days ago 0 replies      
"Some years, the gains in underlying earning power we achieve will be minor; very occasionally, the cash register will ring loud. Charlie and I have no magic plan to add earnings except to dream big and to be prepared mentally and financially to act fast when opportunities present themselves. Every decade or so, dark clouds will fill the economic skies, and they will briefly rain gold. When downpours of that sort occur, it's imperative that we rush outdoors carrying washtubs, not teaspoons. And that we will do."
defenestration 2 days ago 2 replies      
It took me 30 minutes to read the complete letter. It was time well spent. I learned why the property/casualty insurance business has a really good business model. It also reminds me to walk away from deals where the financial fundamentals are wrong, but our competition is eager to sign. And finally, I feel that his humble tone is honest and that he is trying teach by showing his considerations, successes and failures.
CurtMonash 1 day ago 0 replies      
I was a #1-ranked stock analyst. And I indeed outperformed the market on my and my parents' accounts. I also know a small hedge fund manager who I believe could consistently outperform the market. But in each case the strategy was to know a small portfolio of underfollowed stocks very very well. It's not something that could scale. He eventually just dumped his clients and managed his own money. I stopped investing in anything except index funds after I stopped being a stock analyst.

I.e., I agree with Buffett's general premise, and have since the 1980s.

ryanmarsh 2 days ago 2 replies      
"This team efficiently deals with a multitude of SEC and other regulatory requirements, files a 30,450-page Federal income tax return"

30,450 pages holy crap

NuDinNou 2 days ago 0 replies      
I liked HBO's documentary on him, "Becoming Warren Buffett", https://www.youtube.com/watch?v=70nGRBvqFNw
digitalmaster 2 days ago 0 replies      
"Americans have combined human ingenuity, a market system, a tide of talented and ambitious immigrants, and the rule of law to deliver abundance beyond any dreams of our forefathers." - W. Buffet
ambicapter 2 days ago 2 replies      
> We may in time experience a decline in float. If so, the decline will be very gradual at the outside no more than 3% in any year. The nature of our insurance contracts is such that we can never be subject to immediate or near-term demands for sums that are of significance to our cash resources. This structure is by design and is a key component in the unequaled financial strength of our insurance companies. It will never be compromised.

Is he basically saying that the insurance business is structured in such a way to never payout catastrophic amounts? Is this a harmful thing for the insurance claimants?

kennyma 2 days ago 0 replies      
Here's an annotated version of the letter by Bloomberg https://www.bloomberg.com/news/features/2017-02-25/lessons-f...
perseusprime11 2 days ago 0 replies      
Buffet is so modest and humble. It comes through in this comment: "A few, however these are serious blunders I made in my job of capital allocation produce very poor returns. In most cases, I was wrong when I originally sized up the economic characteristics of these companies or the industries in which they operate, and we are now paying the price for my misjudgments. In a couple of instances, I stumbled in assessing either the fidelity or ability of incumbent managers or ones I later put in place. I will commit more errors; you can count on that. Fortunately, Charlie never bashful is around to say no to my worst ideas."
cbanek 2 days ago 0 replies      
One hilarious thing I learned, and I can't wait to put into action:

So stop by for a quote. In most cases, GEICO will be able to give you a shareholder discount (usually 8%). This special offer is permitted by 44 of the 51 jurisdictions in which we operate. (One supplemental point: The discount is not additive if you qualify for another discount, such as that available to certain groups.) Bring the details of your existing insurance and check out our price. We can save many of you real money. Spend the savings on other Berkshire products.

I need to get hooked up with my shareholder discount!

crb002 2 days ago 0 replies      
What Buffet left out. The massive windfall from OPIC, a U.S. Government insurance program not audited by the GAO, in the buy of Mid American. https://www.opic.gov/sites/default/files/docs/claim_mid_amer...
mrfusion 2 days ago 4 replies      
Has anyone ever attended a shareholder meeting? Sounds kind of fun.
MarkMc 2 days ago 0 replies      
I have more respect for Warren Buffett than any person outside my family.

He's smart, honest, humble, generous, witty and a great communicator. And he's the best investor in the world.

gillianlish 2 days ago 1 reply      
that is assuming the stock market doesn't crash. if you bought an index fund in 1928 you would still be broke AF in 1935 and wouldn't get your money back until the 50s.

buffett profited off the housing bubble and should not be trusted. he owned huge stakes in the ratings agencies that were giving AAA+ ratings to these awful mortgage products, even as publicly he was decrying the financial products involved as 'mass destruction' he was making money on it.

he is doing the same with his stock market push. if a million people listen to him and go buy stocks, what do you think happens to his index funds? They go up of course.

absolutely hilarious and sad to watch people worship this guy. if his secret is really to buy index funds, then why do people listen to his speeches and newsletters? you could just go buy index funds and be done with it.

like every other con artist, his genius is to get people to buy in to his story.

ahh 2 days ago 0 replies      
Anyone else a bit disappointed?

Normally these letters have some new brilliant insight or dive into a business I know nothing about. This one feels shorter and more peremptory. I see the financials for the major sectors and the same boilerplate explanation of insurance and railroads that's in every letter.

What's up? It's not like nothing happened with Berkshire Hathaway this year.

jedberg 2 days ago 0 replies      
The "Annual meeting" section is the most entertaining. It sounds like woodstock for capitalists.
glbrew 2 days ago 0 replies      
"Come to Omaha the cradle of capitalism on May 6th and meet the Berkshire Bunch."
fovc 2 days ago 2 replies      
Does anyone know why it is that their insurance businesses post underwriting profits? Is there anything structural? Why does GEICO have such a cost-driven moat?
psyc 2 days ago 0 replies      
All that cheerleading for capitalism, and the only micro-nod to inequality is this: "However our wealth may be divided, the mind-boggling amounts you see around you belong almost exclusively to Americans."

"See around me," indeed.

DiabloD3 2 days ago 3 replies      
There's going to be a day where there won't be any more annual letters from him.
Prophet: forecasting at scale fb.com
499 points by benhamner  23 hours ago   108 comments top 32
confounded 22 hours ago 3 replies      
Worth noting Prophet is R/Python wrappers to some models with reasonable defaults, written in and fit by Stan, a probabilistic programming language, and Bayesian estimation framework.

Stan is amazing in that you can fit pretty much any model you can describe in an equation (given enough time and compute, of course)!

More on Stan here: http://mc-stan.org/

rodionos 21 hours ago 4 replies      
I didn't know wikipedia page view counters are available for public usage.

The wikipediatrend R package relies on http://stats.grok.se/, which in turn relies on https://dumps.wikimedia.org/other/pagecounts-raw/ which has been deprecated.

The new dump is located at https://dumps.wikimedia.org/other/pageviews/

Data is available in hourly intervals.

* pageviews-20170227-050000

 en Peyton_Manning 58 0
[edit] There is a wikipedia-hosted OSS viewer for these logs, e.g. Swedish crime stats:


saosebastiao 13 hours ago 1 reply      
This is an interesting project, and in one of the areas where almost all businesses could do better. Anecdotally, there is a ton of money left on the table by established businesses that do it poorly, which also leaves lots of room for resume-padding technical experience. So anything that claims to improve the state of the art of automated forecasting is definitely worth watching.

That being said this claim in point #1 baffles me:

> Prophet makes it much more straightforward to create a reasonable, accurate forecast. The forecast package includes many different forecasting techniques (ARIMA, exponential smoothing, etc), each with their own strengths, weaknesses, and tuning parameters. We have found that choosing the wrong model or parameters can often yield poor results, and it is unlikely that even experienced analysts can choose the correct model and parameters efficiently given this array of choices.

The forecast package contains an auto.arima function which does full parameter optimization using AIC which is just as hands free as is claimed of Prophet. I have been using it commercially and successfully for years now. Maybe prophet produces better models (I'll definitely take a look myself), but to claim that it's not possible to get good results without experience seems a bit disingenuous.

As an aside, anybody interested in a great introductory book on time series forecasting should check out Rob Hyndman's book which is freely available online. https://www.otexts.org/fpp

techno_modus 19 hours ago 1 reply      
It seems that they have developed a model for only univariate forecasts and only numeric regular time series which is a classical use case in statistics. Yet, most data sources have many dimensions (for example, energy consumption, temperature, humidity etc.) as well as categorical data like current state (On, Off). The situation is even more difficult if the data is not a regular time series but is more like asynchronous event stream. It would be interesting to find a good forecasting model for some of these use cases. In particular, it is interesting if this Prophet model can be generalized and applied to multivariate data.
schlarpc 22 hours ago 1 reply      
cardosof 22 hours ago 0 replies      
That's very cool, congrats and thank you to the Facebook guys!

A few days ago I was asked to do some forecasting with a daily revenue series for a client. Due to her business' nature the series was really tricky with weekdays and months/semesters having some specific effects on the data. I as many use Hyndman's forecast package, but I threw this data at prophet and it delivered a nice plot with the (correct) overall trend and seasonalities. Very cool and easy to do something.

anacleto 19 hours ago 0 replies      
This is so great!

I've been using CausalImpact by Google [0] for months. This seems pretty straightforward.

[0] https://google.github.io/CausalImpact/CausalImpact.html

jl6 22 hours ago 1 reply      
I wonder what Sungard/FIS think of the name, which is the same as their commercial financial modelling/forecasting tool.
yoghurtio 21 hours ago 1 reply      
We at https://yoghurt.io/ have been working towards similar forecasting solution. So far the feedback has been that automated solutions can also bring good results at a far lesser cost compared to hiring an expert analyst.

It's a completely managed solution. No need to setup anything yourself. Just upload the data and predict next week's data, today itself. There is a free trial and if anyone here is looking for an extended trial, they can reach out to me.

dmichulke 16 hours ago 1 reply      
I have been working for a few years on a similar project using evolutionary algorithms on top of other models (linear / ann). It works quite well (e.g., for equidistant energy demand / supply forecasts) but there's still lots of stuff to do.

Its major benefit is that it figures out relationships to the target time series by itself, so you can just throw in all time series and see what comes out.

Language is Clojure, 20kloc, incanter, encog. If anyone is interested in working for/with it, let me know. I currently develop a Rest Api for it and plan to release it as open source once the major code smells are dealt with.

pacifika 21 hours ago 0 replies      
The more facebook grows the more tools it aligns tooling with intelligence services.
asafira 23 hours ago 3 replies      
So...How much will this do at forecasting stock prices? =)

Very cool though --- I would be interested to dive into the methods they've implemented sometime in the near future!

hn_username 12 hours ago 0 replies      
This is a nice piece of work - thanks for sharing with the community!

Some feedback: it'd be nice to see you actually quantify how accurate Prophet's forecasts are on the landing page for the project. In the Wikipedia page view example, you go as far as showing a Prophet forecast, but it'd be nice to have you take it one step further and quantify its performance. Maybe withhold some of the data you use to fit the model and see how it performs on that out of sample data. It's nice that you show qualitatively that it captures seasonality, but you make bold claims about its accuracy and the data to back those claims up is conspicuously absent. Related, it might be worth benchmarking its performance against existing automated forecasting tools.

I'll definitely be checking it out!

hnarayanan 22 hours ago 1 reply      
Is there a way to extend these models to handle spatial variation (e.g. weather forecasting, property price estimation etc.) as well?
SmellTheGlove 12 hours ago 0 replies      
For us insurance/financial services folks, I would like to simply clarify that this is not the Sungard/FIS risk management platform that is also called Prophet! :D

I got really excited for a second. Actually, I'm still pretty excited about this even if it was something else entirely.

zebrafish 14 hours ago 0 replies      
So.... I don't understand how this is better or worse than using forecast.

You talk about having to choose the best algorithm but it seems like Prophet is just another algorithm to choose from. Is there some kind of built in grid-search or are you just stating that results from your AM have been more accurate than ARIMA?

paulvs 13 hours ago 1 reply      
For a corporate credit analyst working at a bank, what are some good introduction material for getting into forecasting using tools like these?

I see this being applicable to analysts when deciding on on a company's credit worthiness.

nickfzx 17 hours ago 1 reply      
This looks amazing, congratulations.

We're planning to add forecasting to our SaaS analytics product (https://chartmogul.com) later this year, I'm going to look and see if we can use this in our product now.

Steeeve 20 hours ago 0 replies      
This actually looks incredibly useful and pretty simple to learn.

Between this and Stan I think my free time for the next week is gone.

elwell 8 hours ago 0 replies      
Why do we need Prophet when we already have Temple OS (http://www.templeos.org/)?
minimaxir 22 hours ago 0 replies      
Interesting definition of "scale" in this context, as it does not imply "big data" like every other usage of the word scale in data science. The tool works on, and is optimized for, day-to-day, mundane data.

See also the R vignette, which shows that the data is returned per-column which gives it a lot of flexibility if you only want certain values: https://cran.r-project.org/web/packages/prophet/vignettes/qu...

syntaxing 12 hours ago 0 replies      
The fact that Prophet follows the "sklearn model API" and that it's very well integrated with pandas makes it super appealing and usable!
eternalban 15 hours ago 0 replies      
/please ignore: Oracle & Prophet. Oracle sifts through signs but Prophet has a line to the larger picture. I suppose the next 'product' will be called Messiah to complete the picture.
alexpetralia 14 hours ago 0 replies      
Slightly inconvenient that the main image <figure> needs to be replaced by an <img> tag just to have the image appear in print outs.
nodesocket 20 hours ago 1 reply      
Are there any startups/services where you pass it a series and it returns forecast models? That's something I'd be willing to pay for.
poppingtonic 19 hours ago 0 replies      
This is very interesting. Forecasters who participate in the Good Judgment Project, such as myself, will find this useful.
Helmet 11 hours ago 0 replies      
just wanted to point out to potential windows users - this will only run on python 3.5 due to dependencies (pystan only works on python 3.5 for windows)
recurser 19 hours ago 2 replies      
Very cool. Could this be re-purposed for detecting anomalies/outliers in time series data?
ayayecocojambo 17 hours ago 0 replies      
Can we use other features (like temperature?), or does it have to be only time-based?
hubot 14 hours ago 2 replies      
can someone explain what's the meaning of this line

> df['y'] = np.log(df['y'])
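
The two data-handling questions in this thread, rodionos's note on the new hourly pageviews dump format and hubot's question about the quickstart's log line, can be illustrated with one small script. The following is an added example, not code from the Prophet project or from either commenter. It assumes the dump's documented line layout (`domain_code page_title count_views total_response_size`, space-separated, one line per project/page per hourly file named `pageviews-YYYYMMDD-HH0000`), and the sample lines and file names below are constructed, not taken from a real dump. Only the standard library is used so it runs offline; the `ds`/`y` rows it produces are the column names Prophet's Python API expects.

```python
"""Turn Wikimedia hourly pageview dump lines into a daily series for forecasting.

Added example (not Prophet's own code). Assumes the dump line format
`<domain_code> <page_title> <count_views> <total_response_size>` and the
hourly file naming scheme `pageviews-YYYYMMDD-HH0000[.gz]`.
"""
import math
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple


def hour_from_filename(name: str) -> datetime:
    """'pageviews-20170227-050000[.gz]' -> datetime(2017, 2, 27, 5, 0)."""
    stem = name.rsplit("/", 1)[-1]
    if stem.endswith(".gz"):
        stem = stem[:-3]
    _prefix, date_part, time_part = stem.split("-")
    return datetime.strptime(date_part + time_part, "%Y%m%d%H%M%S")


def parse_line(line: str) -> Optional[Tuple[str, str, int]]:
    """Return (domain_code, title, views), or None for a line that does not fit.

    Titles in the dump are URL-encoded and never contain spaces, so a strict
    four-field split is safe. Anything else is skipped instead of raising
    mid-file, which matters when you stream millions of lines per hour.
    """
    parts = line.rstrip("\n").split(" ")
    if len(parts) != 4:
        return None
    domain, title, views, _size = parts
    if not views.isdigit():
        return None
    return domain, title, int(views)


def daily_counts(files: Dict[str, Iterable[str]], domain: str, title: str) -> Dict[str, int]:
    """Sum one page's hourly views into per-day totals across many hourly files."""
    totals: Dict[str, int] = defaultdict(int)
    for name, lines in files.items():
        day = hour_from_filename(name).strftime("%Y-%m-%d")
        for line in lines:
            rec = parse_line(line)
            if rec is None or rec[0] != domain or rec[1] != title:
                continue
            totals[day] += rec[2]
    return dict(totals)


def to_frame(totals: Dict[str, int], log_transform: bool = True) -> List[dict]:
    """Rows in the 'ds'/'y' shape Prophet expects, sorted by date.

    The log transform is what the quickstart's `df['y'] = np.log(df['y'])`
    does: growth and weekly swings in page views are roughly multiplicative,
    and taking the log turns them into the additive trend-plus-seasonality
    structure the model fits. Forecasts are mapped back with exp. A plain log
    is undefined for a zero-view day, so this version floors at one view.
    """
    rows = []
    for day in sorted(totals):
        y = totals[day]
        rows.append({"ds": day, "y": math.log(max(y, 1)) if log_transform else float(y)})
    return rows


def back_transform(yhat: float) -> float:
    """Undo the log transform on a forecast value."""
    return math.exp(yhat)


# Constructed sample dump content (not real pageview data).
SAMPLE_FILES: Dict[str, List[str]] = {
    "pageviews-20170227-050000": [
        "en Peyton_Manning 58 0",
        "en Main_Page 16342 0",
        "de Peyton_Manning 3 0",
        "en Peyton_Manning_(disambiguation) 1 0",
    ],
    "pageviews-20170227-060000": [
        "en Peyton_Manning 42 0",
        "this line is malformed",
        "en Peyton_Manning notanumber 0",
    ],
    "pageviews-20170228-050000.gz": [
        "en Peyton_Manning 250 0",
    ],
}

if __name__ == "__main__":
    totals = daily_counts(SAMPLE_FILES, "en", "Peyton_Manning")
    for row in to_frame(totals):
        print(row["ds"], round(row["y"], 4), "->", round(back_transform(row["y"])))
```

In practice each hourly file is gzipped and a day is 24 files, so `daily_counts` is written to take any iterable of lines and can be fed from `gzip.open(...)` without buffering a whole file; the malformed-line handling is deliberate, since a single odd line should not abort a multi-gigabyte import.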

agounaris 22 hours ago 1 reply      
How different is this framework from statsmodels?
fagnerbrack 22 hours ago 0 replies      
Code.mil An experiment in open source at the Department of Defense github.com
375 points by us0r  3 days ago   162 comments top 21
engi_nerd 3 days ago 18 replies      
This is a huge battle I am in the middle of fighting right now. I am working on a project that is extremely late and we are having all kinds of political pressure put on us by very senior people. Meanwhile their damn IA staff won't approve any of the tools or hardware that I need to help us get the job done.

One huge obstacle to open-source anything in DoD is the attitudes of their information assurance professionals. I have been told by numerous DoD IA people that "Open Source is bad because anyone can put anything in it" and "We'd rather have someone to call." I understand the second point -- we honestly don't have the time to run every last issue to ground and it's probably better if we do have some professional support for some of our most important tools. But the first just boggles my mind.

But the IA pros are, as a group, schizophrenic, because somehow people are getting things by them anyway. The system I'm working on has Python as a build dependency. The devs are creating reports using Jupyter notebooks.

Basically the DoD needs to stop being so damn obstinate about open source.

dkhenry 3 days ago 2 replies      
I love seeing this kind of work done. Not because it's going to radically change the underlying technology, but having the air cover a project like this will provide can enable so many government coders who get shut down by their first tier manager who tells them they can't use open source components or can't open source their code. It might seem silly but just getting the projects out in the open increases their hygiene more than any other single factor.
austincheney 3 days ago 2 replies      
Speaking as a long time US soldier here is how the military perceives code:

* There is no copyright and plagiarism doesn't exist. Internally to the military everything is libre to the most maximum extreme. While people do get credit for their work they have no control over that work and anybody else in the military can use their work without permission.

* Service members and employees of the military are not allowed to sue the military. As a result software written by the military has no need to disclaim a warranty or protect itself from other civil actions.

* Information Assurance protections are draconian. This is half way valid in that there are good monitoring capabilities and military information operations are constantly under attack like you couldn't imagine. The military gets criminal and script-kiddie attacks just like everybody else, but they also get sophisticated multi-paradigm attacks from nation states. Everything is always locked down all the time. This makes using any open source software really hard unless it is written yourself or you work for some advanced cyber security organization.

lloydde 3 days ago 2 replies      
No one wants yet another license.

Is there an explanation about why Unlicense is not appropriate? Or what it would take for an Unlicense derivative to meet the legal requirements? Could the laws be changed in small ways to allow US Government employees to more fully participate in open source?

"The Unlicense is a template for disclaiming copyright monopoly interest in software you've written; in other words, it is a template for dedicating your software to the public domain. It combines a copyright waiver patterned after the very successful public domain SQLite project with the no-warranty statement from the widely-used MIT/X11 license." http://unlicense.org/

I like how other commenters have included other successful US.gov and specifically DoD open source such as BRL-CAD and NSA's Apache Accumulo. And the DoD Open Source FAQ is interesting and something I haven't seen before: http://dodcio.defense.gov/Open-Source-Software-FAQ/

Open source and US.gov participation reminds me of what happened with NASA Nova. It was pretty sad that when OpenStack became relevant in the industry that seemed to cause a panic at NASA and they pulled completely out of OpenStack development. Instead of NASA being able to help the project stay focused on being opinionated enough to be generally useful (out of the box), NASA was too afraid about the perception of competing with proprietary commercial interests. (It was nice to see last year, all these years later, that NASA's Jet Propulsion Laboratory is now a user again having purchased RedHat OpenStack.)

rectang 3 days ago 2 replies      
The NSA open sourced what became Apache Accumulo years ago, so that government org has made peace with the copyright issue.

The DoD, though, is still trying to feel its way around. There seem to be some lawyers there who are very hard to convince. For years, they've been asking to have various licenses and CLAs modified and we've been telling them no.

Here's their latest request for the Apache License 2.1:


zo7 3 days ago 0 replies      
My only bit of experience working on a DoD-related project was a huge turn-off for me to do any more work in that space in the future because they were resistive about approving any open source software. The development mindset on the project was to re-implement everything (including some tricky algorithms we were using) because it was unreasonable to expect any timely approval, even if it's a feature from the current version of a library that was already approved for an older version. I don't see the reasoning with it, since if anything open source is more secure because you know exactly what is going on inside of it, compared to closed source which may be from a trusted source but you have no idea what it's really doing under the hood.

Hopefully this helps push things in the right direction, although I'm not optimistic.

brudgers 3 days ago 2 replies      
BRL-CAD has been an open source US Department of Defense project for many years. It is architected with the *NIX philosophy of chaining small single purpose tools...The exception that proves the rule? Its own version of Emacs.

It highlights a unique aspect of Federal Government developed software: it's public domain rather than licensed based on copyright law. This facilitates reuse but complicates contribution by outside developers.



imroot 3 days ago 1 reply      
It'll be interesting to see the intersection of this and forge.mil (which was/is the DoD's implementation of SourceForge and associated services). About 5 years ago, there was a fair amount of Open Source Software being run in DISA for supporting the branches and the software that they wrote, but, there was little open-sourcing of that software, even amongst the individual branches of service (the Marines might write something that the Army could use, but, there were political or other factors that precluded that from happening).
wyldfire 3 days ago 0 replies      
> This can make it hard to attach an open source license to our code.

It's not clear to me why this is necessary/desired. Is it because of contribution to existing works protected by copyright or something else?

From the OSI's FAQ [1]:

> What about software in the "public domain"? Is that Open Source?

> There are certain circumstances, such as with U.S. government works ... we think it is accurate to say that such software is effectively open source, or open source for most practical purposes

What problem does this license aim to solve?

[1] https://opensource.org/faq#public-domain

EDIT: ok this comment [2] clears things up a bit. AFAICT It's specifically regarding a mechanism to permit foreign contributors while allowing them to disclaim liability.

[2] https://github.com/deptofdefense/code.mil/issues/14#issuecom...

lewiscollard 3 days ago 0 replies      
> Usually when someone attaches an open source license to their work, they're licensing their copyright in that work to others. U.S. Federal government employees generally don't have copyright under U.S. and some international law for work they create as part of their jobs. In those places, we base our open source license in contract rather than copyright law.

> ...

> When You copy, contribute to, or use this Work, You are agreeing to the terms and conditions in this Agreement and the License.

I do not see how this is enforceable, or that it even makes sense, any more than it would make sense for me to take, say, a NASA photo and slap my own terms on it. If it's in the public domain, there's no ownership and no 'or else' to back a contract setting licensing terms.

The alternative is that I'm misunderstanding this license, of course. Where am I going wrong?

xemdetia 3 days ago 2 replies      
Am I missing something here or is there nothing associated with this initiative other than 'please check our LICENSE agreement?'
brilliantcode 3 days ago 6 replies      
Not only is helping the defense industry downright immoral, it's a waste of talent.

Just think back to why you studied computer science or coding. I hope it wasn't to help build spy tools on your friends & families. I hope it wasn't to help engineer destructive weapons that are dropped on innocent civilians.

Fuck code.mil, fuck lockheed martin.

edit: I've turned down VC money a while ago because I discovered they had previously sold a company to a Lockheed Martin affiliate. Downvote all you want but I'm not some spineless piece of shit that will throw out principles and morals for it. I love making money but it's not worth losing your compass or soul over.

ryanmaynard 3 days ago 1 reply      
It appears some of the 18F crew are behind this. I'm interested to see what unfolds in this repo.
magicmu 3 days ago 2 replies      
On one hand it's always cool to see increased adoption of open source, but it strikes me as more than a little subversive for the DoD to adopt an open source methodology. I can't help but see the appropriation of an inherently equitable and socialist means of sharing innovation (FOSS) by a violent, exclusionary, and globally oppressive regime to be a step in a very wrong direction.
_lex 3 days ago 1 reply      
It sounds like there's a space for a company that simply validates these issues and supports opensource software, for customers like DOD. I'd expect that such a company could charge each customer quite a bit, and that each customer will want pretty much the same verification of the same libraries, with additional work only needed as new stuff gets requested. Thoughts?
kogus 3 days ago 4 replies      
I have never worked on code intended for military use. From my layman's point of view, it seems like DoD code would either be "the most boring legacy CMS you can imagine" or "top secret missile guidance AI systems". The former isn't interesting. The latter should probably stay closed-source.

Is there any DoD code that is both interesting and suitable for public consumption?

cosinetau 3 days ago 0 replies      
I did a senior research project with a DoD contractor at my university in my last semester. It was a lot of fun, and we got to get exposed to a handful of tools and practices these parties use. I'm very excited at the prospect that maybe some of them will become free. Kudos DoD!
noobermin 3 days ago 0 replies      
It makes a lot of sense for Gov't funded IP to not have a copyright attached to it. I feel similarly for gov't funded research. Of course, this doesn't include things that should be export controlled for national security reasons.
rmc 3 days ago 0 replies      
Wonder if they will have a code of conduct.... :P
rkeene2 3 days ago 1 reply      
There's also forge.mil, which has existed for a while but requires a TLS client certificate to access.
clarkenheim 3 days ago 1 reply      
Thinly veiled publicity stunt by the Department of Defence here.
Amazon guts affiliate program, cuts fees for electronics in half amazon.com
323 points by Domenic_S  3 days ago   227 comments top 32
codingdave 3 days ago 1 reply      
I make some money with their affiliate program. Not a lot, just enough to buy ourselves dinner out a few times a month. But I always consider it to be a nice bonus. I know the program can change any time. I know my web traffic can die off. Someone else could build a new site that is better than mine. Or something completely unanticipated could shut down this income. These are all risks that I accept with open eyes.

The danger comes if you are not aware of the risks inherent in your own income. Sometimes it does make sense to let your income have some instability in it, and let someone else control it -- maybe it is a case like mine where it is small enough to not matter. Or maybe it is large enough that it is worth the risk. Just don't let yourself get in a situation where it is large enough that you are living on it, but not so large that the risks are acceptable. Because that is when changes like this will bite you.

Domenic_S 3 days ago 1 reply      
Amazon's deleting volume tiers and adjusting commission ("fee") percents.

It's a massive loss (~50%) for affiliates like Wirecutter that do mostly tech/electronics, and a huge boost for the luxury beauty category.

Current fees: https://web.archive.org/web/20170106214444im_/https://images...

oliwarner 3 days ago 2 replies      
People get a bit bratty when Amazon drops the rates on certain categories. They need to be clear on what the Affiliate program's purpose is. The goal isn't to kick back money to people who link to Amazon, it's there to make Amazon dominant in multiple markets.

They're there now. They have critical mass. They're the first place organic search for new stuff.

There's no sense in throwing money after sales they'd already get. They're better off using it as discount to get sales they wouldn't.

usaphp 3 days ago 3 replies      
It will be a big loss for pc tech YouTube reviewers, I know it's a big chunk of their revenue. They already removed a lot of them from their affiliate program because youtubers used to just tell viewers to bookmark their affiliate amazon link because it supports their channel. So a lot of them had to open a new affiliate account to comply with new rules and all previous videos were demonetized because of account suspensions.
robbrown451 3 days ago 1 reply      
I'm not sure I understand where you're getting the "half" figure. I'm trying to compare the linked chart to this https://web.archive.org/web/20170106214444im_/https://images...

and not seeing what is cut in half.

(Also I notice that the new chart says musical instruments are 6%. For electronic musical instruments -- digital keyboards, for instance -- does this mean the fee has gone up from 4%?)

startupdiscuss 3 days ago 3 replies      
Confused. Which is the previous structure?


or this: https://affiliate-program.amazon.com/welcome/compensation

If they are going from a volume based approach to a margin based approach that is rational, and good for everyone.

(i.e. why pay out more for 1000 rubber bands that makes them uncompetitive to sell, and you should pay out more for that high end tv).

sharkweek 3 days ago 2 replies      
As an Amazon affiliate who has done quite well with it, this is definitely a gutting.

But... if I'm being honest with myself, it also seems kind of reasonable. I think their original plan was pretty generous. I was kind of expecting this to happen at some point.

encoderer 3 days ago 4 replies      
My heart breaks for the Wirecutters of the world affected by this.
TazeTSchnitzel 3 days ago 2 replies      
The title sounds editorialised (guts), yet there's no article.
iopuy 3 days ago 1 reply      
Would it be possible to post the commissions before the change?
TekMol 3 days ago 0 replies      
Does anybody here know what the profit margins of electronics are?

I have been running onlineshops before (not electronics though) and we happily spent all of the profit margins of an order on trackable advertising. Because a) the lifetime value of the customer b) the word of mouth value of a customer and c) the untracked sales generated by the advertising.

2.5% of revenue sounds unbelievably cheap to generate an actual trackable order.

grandalf 3 days ago 1 reply      
Interestingly, Electronics are the area where I'd recently noticed Amazon was least competitive.

I stopped by the local Microcenter (which, incidentally, has a nice assortment of hobby-oriented electronics items for sale) and they beat Amazon's price on a Samsung EVO SSD by over $20. Since they price match, I got a $3 discount on one of the other pieces of hardware I bought that day.

All in all, the time I spent driving there likely made the savings irrelevant, but I was surprised that they were so much more aggressive on the SSD pricing.

dkrich 3 days ago 0 replies      
What I'm curious about is how this will affect sites that rely on affiliate clicks but more for the 24-hour cookie (ie, where somebody buys anything within a day of clicking the link).

I could see a site like the WireCutter getting lots of clicks to Amazon and then the person not buying that product but remembering later "hey, I forgot that I need dog food." Well, dog food happens to be a 10% commission now, so maybe it isn't as bad as it would seem.

Also, the WireCutter's sister site is the Sweet Home, and I think home goods are now up to a flat 8% rate, so they may not be any worse off.

eb0la 3 days ago 1 reply      
Does anyone know which percentage of all electronics sales go to Amazon?

Affiliate programs are a good way to get market quotas. If they're #1 in sales, then there's no need to spend marketing bucks on it.

MicroBerto 3 days ago 1 reply      
My business (PricePlow) is obviously affected. However, due to being a niche site, Amazon is not a majority of our revenue, nor is it our top-trafficked store.

My strategy is this: At these commissions in the Health niche, Amazon will not be in our "preferred" tier of stores. On March 1, their products will no longer show up on our blog (unless they are the only store with it in stock) -- and the blog gets the vast majority of our traffic.

They will still show up in our main site (where I need to decide whether or not to keep their exclusive buttons), and they'll still be involved in our hot deals and price drop alerts.

Stores need to earn our best visitors, and Amazon is no longer deserving. Surprisingly, they're most often not the best deal on our site anyway, so I don't think anyone will be too upset.

I may try to negotiate my own rates, but I don't think we're big enough for that (not yet, at least). Everything is negotiable when you have legit traffic and other options.

Meanwhile, we've been diversifying our revenue with various industry SAAS services that can be scaled globally. This has been a big focus of mine, knowing that these kinds of things can happen at the drop of a hat.

But at the end of the day, this is still a paycut, and it still hurts. Amazon will ultimately lose more of our traffic for it, and I really don't think they'll even notice this on their bottom line compared to the explosive profits they get from AWS.

Seems like bad PR more than anything.

jrs235 3 days ago 0 replies      
If you think about industry/categorical margins, the new rates more closely reflect them. As others have pointed out, the more appealing prior rates were to encourage people to "push" and advertise products in categories that amazon wasn't a dominant player. They are now doing better so they have let off the gas on those products; they don't need to advertise them as much.
pasbesoin 3 days ago 3 replies      
Yet another variation on: Don't be a sharecropper.
diminish 3 days ago 7 replies      
is anyone making 4 or more digits monthly revenue from Amazon associates or any other affiliate program?
twodayslate 3 days ago 5 replies      
It is very hard to get an affiliate account right now. I can't seem to get accepted.
dawnerd 3 days ago 1 reply      
Just in time for LTT to get their account back...
johnnypalps 3 days ago 0 replies      
the real tragedy is that everyone you are likely to hear from on this subject isn't earning real money. The big earners are all on custom rates already and won't discuss terms or earnings.

Reading the Associates discussion forum is the definition of depression. People running sites for many years talking about earning $200 in a month. please, enlighten us as to your thoughts on the new rate structure!

wordpressdev 2 days ago 0 replies      
There is always a risk associated with grazing in the shadow of an elephant. One day you get your heart's content and the other you may get crushed by the mammoth. At the end of the day, it is better to have your own field - launch your own product and use Amazon and the likes as sales channels.
vram22 3 days ago 3 replies      
Has anyone made more than, say, a few (tens of) dollars a month, via affiliate schemes? I mean in the last year or two. Things might have been different earlier, that is why the condition.

And related question, is there an affiliate scheme for Amazon India? I had checked a few times earlier for the US-based Amazon affiliate scheme, and IIRC, each time it said that it was only for the US, or not for India.

the_watcher 3 days ago 0 replies      
This is a huge loss for independent reviewers. Sites like The Wirecutter almost certainly would not have existed like they did without it.
eggie5 3 days ago 0 replies      
my Pinterest spam bot revenues will take a dip :(
skyisblue 3 days ago 0 replies      
This is another hit to publishers who are already struggling with low ad revenue and an ever-growing number of adblock users.
nnash 3 days ago 1 reply      
I would imagine that anyone in the space has multiple channels for affiliate revenue and not just Amazon. There are literally dozens of companies in a single niche that you could pick from for most of the affected categories.
Animats 3 days ago 1 reply      
What's the difference between a "video game" (1% fee) and a "digital video game" (10% fee)?
FT_intern 3 days ago 1 reply      
How is the Amazon affiliate commission compared to other online affiliate ecommerce websites?
robertcorey 3 days ago 0 replies      
welp had a web app idea for amazon affiliate kicking around for past year, this is what I get for not implementing.
ceyhunkazel 3 days ago 1 reply      
What is annoying is Amazon pays non-US affiliates only by gift card or by check. Direct deposit is only for US affiliates, which is nonsense. I earn commissions from my web application http://www.jeviz.com .
Google Cloud Platform is the first cloud provider to offer Intel Skylake googleblog.com
305 points by rey12rey  3 days ago   204 comments top 25
timdorr 3 days ago 2 replies      
Just for reference, since you don't choose your processor explicitly on GCP, but instead choose your zone with homogeneous processors, here is their current processor/zone layout: https://cloud.google.com/compute/docs/regions-zones/regions-...

Since some GCP engineers are watching: Presumably we'll see some new zones to provide these processors, or will it be a limited release within existing zones? And if so, will you be moving away from homogeneous zones in the future?

zbjornson 3 days ago 2 replies      
I've been benchmarking these against Haswell and Broadwells. Despite being 300 MHz slower, we're getting between 5 and 45% faster benchmarks on linear algebra functions that we run a lot, even without doing much work to tailor to AVX512 instructions yet.

The cache is also a whopping 56 MB.

boulos 3 days ago 2 replies      
It's been awesome to see our Skylakes rolling in over the past several weeks. I personally have been waiting nearly 10 years for AVX-512 ever since playing with LRBni.

Disclosure: I work on Google Cloud (and helped a bit in our Skylake work).

boulos 3 days ago 1 reply      
There are a few threads asking about various features (SGX, TSX, etc.) so I want to make a top-level comment: we're not ready to share more today (sorry).

Disclosure: I work on Google Cloud.

jscipione 3 days ago 3 replies      
Why is it important to offer Intel Skylake on cloud platforms? Is there some specific processor extensions present in Skylake that make them particularly compelling in a cloud environment for a particular industry or a particular set of needs?
Johnny555 3 days ago 0 replies      
Amazon's c5 (Skylake) series shouldn't be far behind...


qhwudbebd 3 days ago 1 reply      
Any sign of IPv6 support on the horizon? Slightly embarrassing in 2017...
jhgg 3 days ago 0 replies      
I wonder if Skylake would offer a material improvement for our workload. We don't necessarily use AVX-512, but we do use a heck of a lot of CPU resources on the current architecture. We are a python/elixir shop.

Great job GCP team!

youdontknowtho 3 days ago 1 reply      
Did Intel actually enable the TSX extensions in Skylake? If I'm not mistaken, they shipped it in the last couple of generations but disabled it after release. (Something like that?)

It's something that I've wanted to play with for some time. It's cool that GCE has them available as a service.

tambourine_man 3 days ago 1 reply      
Constructive criticism:

Your calculator page is unusable on mobile due to fancy "material" form filling.


gcp 3 days ago 2 replies      
Whenever I want to try GCP, during signup I get stuck at "Account type Business" and the need to enter a VAT number.

It hints there's Individual Accounts, but I see no way how to set it to that?

lightedman 3 days ago 4 replies      
I'd rather wait for Ryzen. You won't know which Skylake processor you're getting - the gimped one or the non-gimped one. AMD tends to keep their features consistent across the line.
johansch 3 days ago 1 reply      
It would be quite nice if they actually advertised the particular type of CPU core you rent, rather than some abstract unit of computation. Or at least some kind of performance baseline.
chillydawg 3 days ago 1 reply      
Side question: are these extensions available in the desktop (i7) parts? Wanting to test out some optimisations for some code I have.
ctz 3 days ago 1 reply      
No mention of SGX; a major Skylake feature for cloud computing. Is it enabled? Is it accessible?
mtgx 3 days ago 2 replies      
Hopefully it will be the first to offer the much cheaper AMD Ryzen/Naples, too.
anonymousDan 2 days ago 0 replies      
+1 for SGX support. Would be really cool to remotely attest the software you are running in a real-world cloud.
nodesocket 2 days ago 0 replies      
Would a typical load balancer/web server running NGINX doing SSL termination see an improvement switching to Skylake?
chaosfox 3 days ago 1 reply      
>In our own internal tests, it improved application performance by up to 30%.

this post would have been interesting if they had included those tests.

kierank 3 days ago 2 replies      
Are these E5-skylakes?
Cyph0n 3 days ago 2 replies      
Oh, so now I can't voice my opinion until I've been "in the business" for x amount of years? Yeah, nice try.

Another commenter already brought that issue up, but thanks for pointing it out again. I still think that it's quite silly to claim that Ryzen Rev. A may end up being a paperweight based on a mistake that took place a decade ago. Whatever floats your boat, I guess.

And from what I read, it seems like it was an extreme edge case, so the TLB error was triggered only during specific workloads. Sucks to be AMD back then.

stuckagain 3 days ago 3 replies      
fabrigm 3 days ago 0 replies      
A Google day is not responsive
mikecb 3 days ago 0 replies      
I think it's funny that big Xeon upgrades seem to always occur approximately 8 months after big Power architecture blog posts.
Mo3 3 days ago 6 replies      
Hahaha. Meanwhile I've been running 2 machines with Skylake and a combined 24 cores/48 threads, 256GB DDR4, 6x512G SSDs, unmetered 1Gbit/s public and 2,5Gbit/s internal for over half a year for a combined $150 total, in complete privacy and in full control of my hosts.. go dedicated, people.
Kim Jong-Nam Was Killed by VX Nerve Agent, Malaysians Say nytimes.com
327 points by matt4077  4 days ago   173 comments top 19
tlow 4 days ago 3 replies      
If we are talking about V-Series Agents, we might as well talk about the secret Soviet Program to develop additional V-series compounds[1] that would be undetectable by the west. It is important to note that there are many vectors of entry for a V-series agent, and in this case, evidence points to an atomized version, as opposed to the dermal administration which is more common among this class. An atomized version targeting the respiratory system and not the dermal would explain why two women attempting to aid "with bare hands" would not have been harmed.

Beyond VX, there exist a plethora of other analogous chemicals, namely the G-Series[2], VE[3], VG[4], VM[5], VR[6] and VP[7]. A notable commonality among these compounds is that very little is known about their effects outside of military research (i.e. not shared).

Given the military nature of these compounds, there is a reason to believe that this was a military assassination.

[1] https://en.wikipedia.org/wiki/Novichok_agent

[2] Sarin is a G-series agent https://en.wikipedia.org/wiki/Sarin

[3] https://en.wikipedia.org/wiki/VE_(nerve_agent)

[4] https://en.wikipedia.org/wiki/VG_(nerve_agent)

[5] https://en.wikipedia.org/wiki/VM_(nerve_agent)

[6] https://en.wikipedia.org/wiki/VR_(nerve_agent)

[7] https://books.google.com/books?id=DQw2hVGe0aMC&lpg=PA72&ots=...

andlier 3 days ago 2 replies      
There is a fascinating BBC documentary about chemical warfare history and the British Porton Down military research facility, hosted by Michael Mosley [0]. There is a part where the researcher actually makes sarin and VX right in front of Michael in a fume-hood. They literally watch the VX-liquid condense out of the vacuum distillation apparatus right in front of Mosley and the camera team. [0] http://www.bbc.co.uk/programmes/b07hx40t

Edit: Program available here until mid March: https://tv.nrk.no/program/KOID23002916/mosley-og-de-kjemiske... If you can VPN to Norway.

sasas 4 days ago 2 replies      
Interesting tid-bit from Wikipedia [1]

In fiscal year 2008, the US Department of Defense released a study finding that the U.S. had dumped at least 124 tons of VX into the Atlantic Ocean off the coasts of New York/New Jersey and Florida, between 1969 and 1970. This material consisted of nearly 22,000 M55 rockets, 19 bulk containers holding 1,400 pounds (640 kg) each, and one M23 chemical landmine. [25]

[1] https://en.wikipedia.org/wiki/VX_(nerve_agent)#US_VX_stockpi...

gwern 4 days ago 10 replies      
Does VX explain how the two women survived despite using bare hands to administer an apparently skin-absorbable poison? It has binary agent formulations, so each woman could have one half on her hand and avoid any contamination by swiping very fast.
jbenz 4 days ago 3 replies      
The Rock came out when I was 13 so needless to say, I'm a big fan.

I absolutely thought VX Nerve Agent was fictional until today.

L_226 4 days ago 2 replies      
I had thought it was going to be a fentanyl or carfentanyl aerosol spray, I suppose that might have rendered him incoherent sooner though. The use of VX seems like bragging really (as if the act wasn't already adolescent enough).
gerjomarty 3 days ago 0 replies      
It's not available right now, but I recommend a BBC doc "Inside Porton Down: Britain's Secret Weapons Research Facility"[0], in which they showed nerve agents like this being created.

[0]: http://www.bbc.co.uk/programmes/b07hx40t

mtw 3 days ago 4 replies      
Doesn't North Korea have ICBM missiles capable of reaching Italy or Washington DC?

A missile full of VX agent is scary to me. The most North Korea can fit on a missile is a warhead as powerful as Hiroshima's but a missile full of VX could potentially kill everyone in Washington DC

Plus think of all the implications of transporting VX through international borders. Did China accept having North Korean agents transporting VX in China? Did they smuggle it through fish boats?

Element_ 4 days ago 0 replies      
Some other famous chemical assassination attempts: http://www.ctvnews.ca/world/a-look-at-assassination-attempts...
kchoudhu 3 days ago 1 reply      
Is the chemistry of VX well enough known that countries without access to it can recognize it when they see it?
sndean 4 days ago 1 reply      
I wonder if they used this binary combination: O-Ethyl O-2-diisopropylaminoethyl methylphosphonite and sulfur [0][1]. Not sure if that would be consistent with one being in a spray bottle.

[0] http://emedicine.medscape.com/article/831901-overview

[1] https://en.wikipedia.org/wiki/QL_(chemical)

seesomesense 3 days ago 0 replies      
As a side note, in some poor, largely rural countries, acetylcholinesterase inhibitors in insecticides are the most popular suicide agents.
amelius 3 days ago 1 reply      
How did they find the agent? Do they have a list of thousands of agents to test against, and do they work down the list one by one? How does this work?
aedron 3 days ago 0 replies      
Does this remind anyone else of The Interview?
ransom1538 4 days ago 5 replies      
Why kill people exotically? Why not just use a simple garrote with a thin wire? 10 seconds done, the head would be practically off. I am sure you could get a weird pair of head phones past security. If you poison someone with polonium/exotic nerve agent doesn't it narrow down the suspect pool?

ultrahate 4 days ago 4 replies      
knieveltech 4 days ago 5 replies      
throwaway_dbch 3 days ago 0 replies      
so quick to assume this was done by nk.
anigbrowl 4 days ago 2 replies      
I disapprove of assassination but I've got to admit this one scores 10/10 for sheer style.
CloudPets teddy bears leaked and ransomed, exposing kids' voice messages troyhunt.com
315 points by 0x0  8 hours ago   102 comments top 17
orf 7 hours ago 5 replies      
A guy I work with did a presentation on this product, he is big into reverse engineering bluetooth devices. I can assure you the toys themselves are just as insecure as apparently their infrastructure is.

Seeing it light up and say "destroy all humans" was pretty funny, more so because there is pretty much zero authentication on them so you could do it from anywhere from your mobile, and the mic can turn on and record without any authentication at all.

sigh internet of things

teraflop 7 hours ago 2 replies      
For anyone who is coming straight to the comments before reading the article: the details are even worse than the headline suggests.

Not only was a huge amount of information exposed through a public, unauthenticated MongoDB instance, and not only did CloudPets ignore multiple security researchers' attempts to alert them to the problem, but the database was actually held for ransom multiple times without customers being alerted to the breach.

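The "public, unauthenticated MongoDB instance" above is the configuration mistake at the root of this story. As an added illustration (not from Troy Hunt's article and not CloudPets' real configuration, whose contents the post does not show), here is what that mistake looks like in a mongod.conf beside the corrected form, using the standard net.bindIp and security.authorization keys; the addresses are constructed sample values.

```yaml
# --- Exposed configuration (constructed example of the weak setting) ---
# No "security" section at all: any client that can reach the port has full
# read/write access to every database without a username or password.
net:
  bindIp: 0.0.0.0        # listens on every interface, including the public one
  port: 27017
---
# --- Corrected configuration ---
net:
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the private app-network address only
  port: 27017                  # (10.0.0.5 is a constructed placeholder address)
security:
  authorization: enabled       # every client must authenticate; access is role-based
```

With authorization enabled, the first admin user is created over the localhost exception before any remote client can connect, and a firewall rule in front of port 27017 is still advisable even with bindIp restricted; the point of the pair above is that the exposed variant differs from the corrected one by just a few lines, which is why such instances keep turning up in the open.
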
cm2187 4 hours ago 4 replies      
> The Germans had a good point: kids' toys which record their voices and send the recordings up to the web pose some serious privacy risks. It's not that the risks are particularly any different to the ones you and I face every day with the volumes of data we produce and place online (and if you merely have a modern phone, that's precisely what you're doing), it's that our tolerances are very different when kids are involved

It's a bit paradoxical. There are way less things a kid can say that can get him in trouble than an adult. Even the most oppressive regime will not hold what a 4yo toddler says against him. The need for privacy should rather be less for a kid than for an adult.

What it means is that violations of privacy are creepy, period. We try to rationalise it by arguing that we get something out of it, but when dealing with our kids, we stop believing our own bullshit and it just becomes purely creepy...

nkrisc 4 hours ago 0 replies      
When will these companies be held liable for breaches like this? The time for feigned ignorance is over, this is negligence at the best, outright greedy indifference at the worst. There are no more excuses.
Animats 4 hours ago 0 replies      
"CloudPets can send and receive messages from anywhere in the world! Buy Now".[1] They delivered on that, all right.

If you want one, they're now available for the low, low price of only $3.[2] Including WiFi.

[1] https://cloudpets.com/

[2] https://www.hollar.com/products/as-seen-on-tv-cloudpet-dog

dTal 7 hours ago 6 replies      
Okay, first of all:

>the average parent.. is technically literate enough to know the wifi password but not savvy enough to understand how the "magic" of daddy talking to the kids through the bear (and vice versa) actually works [or] that every one of those recordings... is stored as an audio file on the web.

If it is not considered amazingly stupid, or at least ignorant to not understand that the magic talking bear has a computer in it, and that if the computer wants the wifi password it probably uses the internet, and that if the entire purpose of the device is to make recordings available to you over the internet... then I despair. My sympathy for people who buy these sorts of products is wearing thin. But, in this particular instance...

>our tolerances are very different when kids are involved

Interesting. Why? The data is much less valuable:

>One little girl who sounded about the same age as my own 4-year old daughter left a message to her parents: "Hello mommy and daddy, I love you so much." Another one has her singing a short song, others have precisely the sorts of messages you'd expect a young child to share with her parents.

Hardly identity thief material.

Walf 1 hour ago 0 replies      
So it could all have been avoided if they'd made it unnecessary to identify oneself and paired app with toy via decent public key encrypted communications. I think the toy is a good idea, it just had a shit implementation.
simplemath 7 hours ago 2 replies      
IoT should die a swift and permanent death.

Alas, that won't happen.

snug 7 hours ago 0 replies      
Should we call this PetsBleed?
janwillemb 4 hours ago 0 replies      
Apart from the total disaster these kinds of incidents are, they serve a valuable purpose: material to educate my children about security. It is surprising to see how quickly my 9-year old daughter picks up the message, especially from these kinds of stories.
Taek 5 hours ago 1 reply      
Is there a fine for this? Some sort of punishment? Companies need to be taking security seriously, we are all paying the price.

Internet-of-Shit will remain exactly that until neglecting security is a substantial threat to the bottom line of a company.

They ignored multiple warnings? Got hacked multiple times? This is negligence, and this company should be fined out of business.

Kiro 6 hours ago 4 replies      
> As you can see by loading the image, all that's required to access the file is the path which is returned by the app every time my profile is loaded.

How else would you do it?

mattbgates 7 hours ago 1 reply      
Companies have to get more involved in actually encrypting their data before entering it into the database. For every web app I create, especially when sensitive information is exposed, I try to encrypt as much data as possible. With all the leaks and hacks.. it only makes sense to add some encryption method in there.
jasonlotito 5 hours ago 0 replies      
As an interesting side note, this also seems to be built on top of the Parse Node.js self-hosted server, based on the schema provided.
matt_morgan 5 hours ago 0 replies      
I wonder what cloud-connected pets the Trump and Trump-Kushners have.
chinathrow 7 hours ago 0 replies      
Internet of bear poo.
coleifer 7 hours ago 2 replies      
Oh god, it's a kids toy. It's meant to be something fun and cute. What a bunch of jerks to go messing around with that.
The Future of Not Working nytimes.com
381 points by WheelsAtLarge  2 days ago   260 comments top 27
Razengan 1 day ago 15 replies      
With almost 8 BILLION people on this planet soon, not everyone can meaningfully contribute to something that can't be done more efficiently by automation (which is also cheaper for everyone and easier on the environment) or done away with entirely. See [1], [2], [3] for examples from our not-so-distant past.

You just cannot expect everyone to "earn" money while expecting technological progress to continue unabated.

Don't want so many people? Mandate reversible sterilization at birth.

Don't want so many disgruntled and unemployed people? Endorse some form of guaranteed income, or incorporate basic housing, meals, healthcare and internet into the list of undeniable human rights.

[1] https://en.wikipedia.org/wiki/Lamplighter

[2] https://en.wikipedia.org/wiki/Link-boy

[3] https://en.wikipedia.org/wiki/Switchboard_operator

spyckie2 2 days ago 6 replies      
The article's title is misleading - it is not about not working, it's about giving money directly to poor villages for 12 years to provide what is similar to basic income but meeting fundamentally different needs in a very different part of the world. That said, I think it is a fascinating anthropological read.

We often do not realize how many layers of wealth we had to stand on to possess our current wealth.

hackathonguy 2 days ago 4 replies      
"One estimate, generated by Laurence Chandy and Brina Seidel of the Brookings Institution, recently calculated that the global poverty gap, meaning how much it would take to get everyone above the poverty line, was just $66 billion. That is roughly what Americans spend on lottery tickets every year, and it is about half of what the world spends on foreign aid."

Love this.

anovikov 1 day ago 1 reply      
This looks so shiny only because the experiment is low-scale. In a country with an acute shortage of access to capital, small money explainably gives huge returns. If it was done to every, or even every poor, household in Kenya, it won't have resulted in anything but inflation and probably riots/genocide/burning of Give Directly workers for witchcraft. If everyone could buy that fishnet, fish in Lake Victoria will run out in a month, and almost everyone who did that will have simply lost that money. Further advancement will need a ton of capital AND education, and tradition of legal system to sustain complex companies that depend on intangible assets... Simply put, require a first world country to be done in. Handing out $22 a month to every Kenyan would do absolutely nothing for him - at least many times less than handing out $22 to 0.01% of Kenyans.

It's not like I don't believe in UBI. There are few other visible solutions to the automation problem (other may be economic incentivizing - like through tax breaks - and cultural promotion of resurrection of personal servants as a mass occupation) - but it can't work as well as this example simply because it doesn't scale so well.

Clubber 2 days ago 7 replies      
The people with the wealth pay people for one reason and one reason only: they have to. Once they no longer have to, they will lobby the government to continue to lower taxes and squawk about laziness, welfare queens, and all that garbage.

This will go on for a few decades until there is an uprising of sorts, then those with the money will return to giving everyone else crumbs, or just enough to quell the uprisings. This will probably go on perpetually.

chvid 1 day ago 0 replies      
As a form of foreign aid giving money directly probably works well. But the idea that developing countries need basic income because of automation is just absurd.

If anything they need to get to work developing their country; those shacks are not going to be built by robots.

Fully developed countries, on the other hand, may face the situation where their country is so well run and has such a high level of automation and specialisation that there is too little work left for the population to be fully employed.

And thus they may lower their pension age, experiment with 30 hour work weeks, sabbaticals, maternity leaves, basic income and so on.

The countries that are closest to this are probably the Scandinavian countries. However at the moment they are all moving towards lower social transfers and higher pension age.

marmot777 2 days ago 0 replies      
I got to this on my reading list finally, realizing my first impression that this was a piece promoting an organization called GiveDirectly wasn't a sound impression (lesson: don't comment till you read the article). This is a higher level than that; it's testing Universal Income, frequently called universal basic income.

Public policy whether implemented by governments or by organizations should test, innovate, change, not just pick an approach and run with it as seems to happen with the largest programs here in the U.S. As far as I can tell there's not been much innovation in the implementation of the safety net since Johnson.

Like anything else humans try to do, there will be bugs, there will be blind alleys, there will be mistakes. Small scale testing is a necessary step so that a working model is ready for larger-scale testing or maybe it'll be found that the implementation will have to have configurations that vary according to local conditions and even just preferences.

I'm a Pacific Northwest guy, perhaps out of touch with what Silicon Valley is up to; sometimes I'm critical, but for this initiative, I say thank you. I have no clue how I'd thank anyone for this, so just in case anyone involved is reading my comment I would like to express gratitude for doing work that has a high probability of playing a part in making the world a liveable place for my young son and the rest of humanity in the years to come.

By the way, if you've got the chops to beta test UI any chance you could save the Amazon Basin?! Please.

jayajay 2 days ago 0 replies      
If every known resource acquisition task was automated, and the discovery of unknown non-automated tasks could be automated to be automated, we'd be post-scarcity and the concepts of working and income wouldn't be useful metrics anymore.

So, yeah, machines are a big black hole and our jobs are doomed asteroids spiraling into the black hole. As they spiral into the singularity, humans will be displaced at an accelerating rate, and it will take more ingenuity and effort for humans to maintain "work". And, for what? In the asymptotic limit, the outcome should be no more jobs and "work" in the way we currently define them, and humans will be truly free for creative pursuits. Never shall a beautiful human mind be wasted on labor which a machine can do.

At some point, machines will be the dominant species pushing civilization forward, not us.

Until then, we're forced to work, we're forced into employment because our world does not simply give us what we want. Food and spears don't fall out of the sky, so we will waste our time hunting and farming until we figure out how to make those things "fall out of the sky".

NumberCruncher 2 days ago 2 replies      
The African people would be much better off if we would stop selling them weapons and would pay a fair price for their work and natural resources. But hey, that wouldn't be a great PR action making headlines!
paulpauper 2 days ago 1 reply      
It would seem like 'going to work' is becoming a thing of the past, at least for increasingly many people. Labor force participation is at multi-decade lows. Gig jobs, welfare, disability, prolonged education, social security/retirement, and the 'underground economy' are replacing a significant chunk of the traditional job market.
rubicon33 2 days ago 2 replies      
> "The research wing of Sam Altman's start-up incubator, Y Combinator, is planning to pass out money to 1,000 families in California and another yet-to-be-determined state."

Oh, really? Where do we sign up? I'd love to be able to build my business(es) without taking investor funds.

temp-ora 2 days ago 1 reply      
we do not use money because it makes sense. money exists in the form it takes today because of human nature. we think someone has to earn their food. we think a homeless person deserves a handout because they look like they are at least trying to get on their feet (or not when they don't). machine intelligence is not the only problem that our wealth distribution system is facing. we have faced massive inequality before, and are facing it right now, and no solutions have been implemented. and like all the trials of equality before it, the automation of jobs will result in the smartest and fastest humans owning the vast majority of wealth and influence while the rest of us sit in mud.
praetorian84 1 day ago 1 reply      
Interesting comment below the article regarding a government-run programme in Brazil trying something similar: "However, there is a trend of the part of these persons become dependent of this benefit and do not strive to change this situation..."

That was my immediate reaction after reading this. What about after the twelve years, when the donors ride off into the sunset? There are some encouraging stories there of participants using the money wisely, but not all will do so. You could argue that nobody is forcing them to participate, but it does seem at least a little ethically questionable. Particularly given the targeted demographic of a rural Kenyan community with (presumably - I could be wrong) low education levels.

karmakaze 1 day ago 0 replies      
Sounds like a great programme with few reported short-term negative effects. In no way is this a beta test of anything other than reproducing this in other similar cultural conditions, which may also require having seen previous aid attempts fail.

The worst-case scenario I fear is that UBI given without also providing outlets for activities that actually get used will result in an adult version of the problem of otherwise well-off suburban youth.

prestonpesek 1 day ago 0 replies      
In order for this to work, you have to define "universal" in the context of how automation affects the global economy, not just the US or any national economy. Example: are we going to send a stipend to Bengali citizens who are displaced from textile manufacturing jobs by robot factories in the U.S.?
Dagwoodie 2 days ago 4 replies      
Here's how I think the only possible way this will ever be realized: A non-profit organization will have one of the highest (top 10 to pick an arbitrary number) net-worths of any company on earth.
agumonkey 1 day ago 0 replies      
Work will have to be redefined. It's a psychological need to form teams and solve your needs or some others. That is the underlying basis.
jimmywanger 2 days ago 2 replies      
I think that fundamentally, the thing we're going to run up against is population growth.

I think history has proven that we can live in extremely wretched conditions. By giving money to people, are we going to be increasing their living standards or just creating more mouths to feed?

Note that the basic income only applies to whoever registers at the beginning of the program. Would that amount of basic income cause the population to explode, so that the per-capita amount of goods/money remains constant?

temp-ora 2 days ago 0 replies      
the title does not reflect the article and the article does not reflect the subject. like everyone else here, i did not read it because after dangling a few hard facts and conclusions in front of your face, the article goes off on tangents about the personal stories of people who are involved but not instrumental. this toxic mix of novel-style storytelling and actual reporting has made these articles unreadable for me. people don't give a shit about the narrative of the stupid author or even the people involved in setting up this whole thing -- people want to know how the experiment went! did it work? did the people end up being lazy and unproductive like all the ubi detractors say they will? but no, i cannot know these things without fishing through pages of garbage. and when i know someone else has already done it here in the comments to reap the karma, why on earth would i even click the link?
Sir_Substance 1 day ago 1 reply      
This is a nice article, but I'd like to remind everyone that it's probably also native advertising.
fiatjaf 2 days ago 0 replies      
Can someone summarize the results?
compareglobal 1 day ago 1 reply      
nrdwavexe 1 day ago 1 reply      
Why is "defining a problem called 'not working'" not called "massively manipulating the economy"? From the point of view of the people who work hard to make Kenya's economy work, this can't possibly be helpful. It sounds like an evil, abusive psychological experiment.

Forget about "fake news", the New York Times is literally evil news. It is literally promoting views that proliferate evil. Injecting this level of disorder into an economy and lying about it is a level of deception that goes into moral perversion.

Let me make this clear: I am directly accusing Annie Lowrey of promoting excessively morally corrupt views. She is responsible for promoting evil. This is a person who wakes up in the morning and works hard to promote evil.

Think about that.

Edit: I was down-voted without explanation or rebuttal. If you disagree with what I have written, don't attack me anonymously. I want my karma to be a healthy score, and I don't appreciate people (or bots) decreasing my karma score, and I consider it a personal attack against my reputation.

ImTalking 2 days ago 1 reply      
Anything that reduces the oppression of women is a good thing. Freedom is the ability to make choices.
woodandsteel 2 days ago 3 replies      
It's interesting how this runs counter to the two dominant political ideologies in the US.

Liberals believe that the poor are too dumb and helpless to figure out what they want, so the government should do it, both domestically and in foreign aid.

Conservatives believe that the poor are poor because they are unintelligent and lack good values (or they are acting rationally in response to liberal welfare programs), and domestic and foreign programs should be eliminated in favor of religious missions.

What programs like this are finding is that the poor are intelligent and well-motivated, and they just need an opportunity to get out of the hole they are stuck in.

Let me add that, from what I understand, foreign aid programs can be very helpful in areas like public health.

stagbeetle 2 days ago 3 replies      
> As automation reduces the need for human labor, some Silicon Valley executives think a universal income will be the answer and the beta test is happening in Kenya.

This is not the situation I think of when I hear "basic income." Why Kenya?

> GiveDirectly wants to show the world that a basic income is a cheap, scalable way to aid the poorest people on the planet.

I was under the belief that only the middle class protested for basic income. It would have been more interesting if the "beta test" was done on educated/first world persons, so we can finally get progress (or a full stop) on this debate.

I believe this idea wasn't thought out past the "we want to put on airs" phase. Is injecting capital into a system that relies on crime to keep afloat, really the best idea GiveDirectly could have come up with?

This is similar to the Toms fiasco where they would donate a pair of shoes to Africa for every pair bought -- it crippled the local fabrics businesses.

Perhaps if one wanted to fix the African economy, one would invest into economic think-tanks and their executionary tandems, instead of over glorified tax shelters.

WheelsAtLarge 1 day ago 0 replies      
Giving money is a great short term solution but we all know that free always has a limit. 22 dollars per month is a good start but at 22 bux they will never reach the standard of living we enjoy in the west. The goal should be to ensure that everyone has a job or business that provides the person a decent living.

I think that in addition to the money they should help with the following:

1) Education and the ability to get it at will. Financial education should be a priority.
2) Entrepreneurship: make sure anyone that wants to start a business knows what to do.
3) Security and the enforcement of the law through a judicial system, both criminal and civil.
4) A working financial system. Make sure businesses and people can borrow money.
5) A way to go bankrupt that will let people start over. It should not be too painful for either creditors or borrowers.
6) A political system that works for the majority.
7) Community leadership that works towards the betterment of the town.
8) A tax system that will let the town provide items that no single person can provide on their own. It's a reality: as painful as they are, taxes and their prudent use help improve the community's standard of living.
9) Secure property rights. If someone owns something they should be able to do with it what they want without infringing on the community's well-being, and no one should be able to take it away from them by force.

What gets me riled up is the inability to use the town's human capital. Giving free money will not help forever. If you could get people to work together they would eventually get out of poverty. Maybe the current generation might not, but eventually they would be able to do it.

Facts about migration and crime in Sweden government.se
359 points by teddyh  3 days ago   428 comments top 43
otalp 3 days ago 11 replies      
According to the official statistics in The Swedish Crime Survey, the sexual violence rate in Sweden remained about the same between 2005 and 2014. The refugee crisis began around 2014, and since then, the rates for sexual violence went down in 2015[1], something you never see mentioned on certain parts of the internet. 2016 saw an increase in crimes, but still less than pre-immigration levels in 2014.

Also, the Swedish national council for crime prevention expected this rise over the last few years because in 2013 (before there was a serious influx of migrants) Sweden broadened the definition of rape. A similar increase in crime was seen around 2006 because of 'legislative changes' about how things were recorded.

In the US, research on the link between immigration and crime largely finds no link between the two[2], and of the relative minority of studies that find a link, there are twice as many studies that find that increased migration reduces crime as the reverse.

In Germany, refugees are less likely to commit a crime than the average citizen[3]. From the publicly available information it is impossible to conclude with certainty that taking in refugees increases crime, especially considering that the vast majority of 'crimes' they do commit are non-violent things like not travelling with a ticket.[3]

What is rarely mentioned is the increasing number of crimes committed against refugees in refugee camps. In Germany, there were 1,029 attacks against refugee residences in 2015, following 199 in 2014. Attacks on refugees increase the crime rate themselves.


trendia 3 days ago 9 replies      
The way this is worded is weird:

Claim: "In Sweden there are a number of 'no-go zones' where criminality and gangs have taken over and where the emergency services do not dare to go."

Facts: No. In a report published in February 2016, the Swedish Police Authority identified 53 residential areas around the country that have become increasingly marred by crime, social unrest and insecurity. These places have been incorrectly labelled 'no-go zones'. What is true, however, is that in several of these areas the police have experienced difficulties fulfilling their duties; but it is not the case that the police do not go to them or that Swedish law does not apply there.

Claudus 3 days ago 3 replies      
The level of government censorship in Sweden is concerning. Maybe worries over a negative reaction in the native population are used to justify hiding crime statistics, but I think it will lead to a violent backlash eventually.

It's shocking to me that "grenade attacks" have virtually become an everyday occurrence.

Refugee centers have already been burned down in several instances, and anti-migrant sentiment is growing.

I really don't see how the large scale immigration going on in Europe is going to result in a positive outcome, at least in the short term over the next few generations.

I think it's incredibly irresponsible to encourage migration without being able to provide productive, meaningful lives to the migrants. People are not pets.

tdkl 3 days ago 1 reply      
Swedish source confirms Swedish political narrative, very trustworthy. /s

Let's go and convince all the victims of crimes in recent years that they're just imagining things and they're safer than ever. And hand out more "don't grope me" bracelets for extra protection[1].

[1] http://www.thelocal.se/20160629/swedish-police-to-hand-out-a...

[edit] Classic HN, don't forget to upvote the guy who says physically assaulting people with different opinions is OK.[2] Sounds tolerant and progressive.

Ban my account, but the comments can stay for exposing your collective hypocrisy for the future. Goodbye.

[2] https://news.ycombinator.com/item?id=13723296

Claudus 3 days ago 1 reply      
A Swedish Police Officer ranted on Facebook about crime and migration in Sweden a few weeks ago.


Translation: I'm so fucking tired. What I will write here below is not politically correct. But I don't care. What I'm going to promote to you all taxpayers is prohibited to peddle for us state employees. That tends to drive in a non-career and non-individual pay. Even though it's true. I don't care about all of this, will soon still retire after 47 years in this activity. I will now and every week explain in detail what employing me as investigator on coarse mcu police in Örebro entails. It's not going to be good with the opinion or other leftist kriminologers' perception in the general debate.

Our pensioners are on their knees, the school's a mess, healthcare is an inferno, the police have totalhavererat etc etc. We all know why but no one dares or wants to peddle the reason, due to the fact that Sweden always lived on the myth of the prudes' ultimate society who have osinnliga resources to be at the forefront when it comes to being the only politically correct option in a dysfunctional world that beats Knot on their own by destructive behavior in different name of. Here we go; this I've handled Monday-Friday this week: rape, rape, robbery, aggravated assault, rape-assault and rape, extortion, blackmail, off of, assault, violence against police, threats to police, drug crime, drugs, crime, felony, attempted murder, rape again, extortion again and ill-treatment.

Suspected perpetrators; Ali Mohammed, mahmod, Mohammed, Mohammed Ali, again, again, again Christopher... what is it true. Yes a Swedish name snuck on the outskirts of a drug crime, Mohammed, Mahmod Ali, again and again.

Countries represented in the week's crimes: Iraq, Iraq, Turkey, Syria, Afghanistan, Somalia, Somalia, Syria again, Somalia, unknown, unknown country, Sweden. Half of the suspects we can't be sure of, because they don't have any valid papers. Which in itself usually means that they're lying about their nationality and identity.

Now we're talking just Örebro municipality. And these crimes occupy our utredningsförmåga to 100%.

So it looks here and has been like for the past 10-15 years.

Return next Friday with a statement for the past week

barking 3 days ago 3 replies      
It's a bit simplistic to speak only about migrants.

In the case of Islamic terrorism, I've heard it commented that recruits come from the children of migrants rather than the migrants themselves. This certainly seemed to be borne out by the London 7/7 bombers and the Charlie Hebdo attackers, to name two cases.

Prison populations in western countries also seem to have disproportionate numbers of ethnic minorities.

I also heard that Canada refuses to break down crime figures by ethnicity/race as a matter of public policy. If that is true it seems that there is a fear that the figures might look bad for minorities.

In the interests of community harmony, authorities commonly seem to want to accentuate the positive and sweep any negativity under the rug.

demonshalo 3 days ago 1 reply      
I would personally recommend you follow https://twitter.com/ArgBlatteTalar. He breaks down all the hypocrisy regarding this particular topic in his videos on YouTube. Sources for his video material can be found in the description box.


giis 3 days ago 1 reply      
Wikileaks: Swedish media admits to censoring stories for the last five years on migrant crime


redsummer 3 days ago 1 reply      
It's not true that Muslim immigrants are not integrating with modern technologically-literate Sweden. Many are making increasingly sophisticated use of social media: http://www.independent.co.uk/news/world/sweden-facebook-gang...
booleandilemma 3 days ago 3 replies      
Relevant WSJ article:

Trump Is Right: Sweden's Embrace of Refugees Isn't Working https://www.wsj.com/articles/trump-is-right-swedens-embrace-...

eternal_july 3 days ago 0 replies      
"There is no cannibalism in the British navy, absolutely none, and when I say none, I mean there _is_ a certain amount."
qofcourse 3 days ago 1 reply      
The government of Sweden, which has been censoring news articles about Islamic rape and failing to punish Islamic rapists, says these are facts, so don't worry? Give me a break.
mvdwoord 3 days ago 0 replies      
Never believe anything until it is officially denied.

I see the same rhetoric in NL and DE, and other parts of Europe. Officials keep denying the issues with manipulated statistics. People know better, and as long as "populists" are labelled a cause rather than an effect, the problem is not going away.

ptaipale 8 hours ago 0 replies      
In an interview published soon after this Swedish government press release, the head of Swedish ambulance workers' union says:

"I know it's sensitive and controversial ... But for us it's really a no go because we have directives not to go into dangerous situations."

The interview video has English subtitles:


lenovouser 3 days ago 1 reply      
"Swedish government agencies have nothing to gain from covering up statistics and facts; they seek an open and fact-based dialogue." > https://www.google.com/#q=Code+291

How about you stop lying to me?

yAnonymous 3 days ago 0 replies      
That actually draws a somewhat dire picture.

Even using hand picked numbers to try and alleviate people's fears, they have to admit that the main assumptions about immigrant crime are correct and that many areas are in fact turning into "shitholes", for lack of a better term.

patrickg_zill 3 days ago 0 replies      
Brings to mind the cynical saying, "the government will tell you what it wants you to believe, and, what it can no longer conceal".
nolepointer 3 days ago 1 reply      
Remember, everyone: It is only white-majority countries that are in need of immigration and diversity. Why? Um, well ... just because!
rodionos 3 days ago 0 replies      
The way the report emphasizes particular reference points makes it hard to read. It almost looks like they're cherry-picking particular dates.

Regardless of the context in which we are discussing these counter-arguments, having raw statistics is always helpful:


The data comes from the same agency, BRA, that is referenced in the report: https://www.bra.se/bra/bra-in-english/home/crime-and-statist...

devmunchies 3 days ago 1 reply      
Why are many of Europe's leaders childless? Isn't that strange? These people are creating laws and policies which will affect generations of people and they don't even have any skin in the game. They are fundamentally out of touch.

Do a Google image search of "Angela Merkel family" or "Stefan Löfven family" (PM of Sweden) and it's night and day compared to "Barack Obama family" or "Donald Trump family".

Whether you are conservative or liberal, we all agree that we need leaders who are thinking about the future generations of the nation. Too much short-sightedness going on. Anyone who has raised kids knows that it changes you.

Exofunctor 3 days ago 0 replies      
Let us consider, for a moment, what biases the Swedish government may have:

First, they want to make it look as though their policy choices have had positive outcomes.

Second, they want to retain support for the current leading political power groups. The top 3 parties are the Swedish Social Democrat Party, the Moderate Party, and the Sweden Democrats. The latter two support tougher immigration laws, but they are mostly outweighed by the first. The PM (who recently made comments denying any attacks) is a member of the social democrats.

k_swden 3 days ago 1 reply      
It's not unlikely that migrants coming from a less educated background choose to settle in highly segregated areas, as they are likelier to opt to live closer to their countrymen. The problem with this is very obvious: many have problems learning the language and norms and fail to gain useful knowledge about their new modern society, and what's worse is that their children are in the same trap, and the result is poor education, poverty and rising crime. The problem grows worse as people who become successful choose to move away because they are sick of the issues plaguing these areas; economies of scale work in reverse in these areas.

The left (S, V, MP) haven't touched much of these issues (ignorant or delusional), the right (C, L, KD, M) have chosen to ignore the problems for a long time until recently (swayed by the left?), and the extreme right (SD) has gotten very popular as they acknowledged the problems, but they seem to believe that it's an innate trait of the culture where these people are coming from and have extreme ideas about how to deal with it (rescind citizenship and deport). I don't think it's an innate trait; I myself am an immigrant and know many other immigrants from different backgrounds, and there's a huge difference between those that grew up in these neighborhoods and those that grew up in areas which better represent the Swedish population. The one thing that is common to all successful immigrants (and immigrant children) is that they are confident and optimistic, fast learners, and choose to only hold on to the parts of their original culture that fit within the Swedish norms.

This failure of integration, to build a modern, cohesive and beneficial culture for everyone, is common in the west, and particularly in Sweden, which primarily takes in refugee immigrants from countries at war and not highly skilled immigrants from diverse backgrounds.

I hope these areas don't deteriorate even more and become like some ghettos of the USA, where people die every other day because of gun violence, as that's what I would call a no-go zone.

dustinmoris 3 days ago 0 replies      
The problem is not immigration though. The problem is a system which is designed to widen the gap between rich and poor, making it impossible for the poor or less fortunate to break out of this cycle. When you move a whole bunch of poor people into such a system then you force them into crime, no matter what country they come from.

The solution should be to stop creating conflicts in countries which the western world wants to destabilize or dominate because of geo-economical advantages to them, causing war and poverty and then forcing men, women and children to escape into the Western world where they get pushed into ghettos, which leaves them no option other than prostitution and crime.

The solution should not be to stop immigration, but to stop forcing people in other countries to emigrate.

ahoka 3 days ago 2 replies      
"Sweden needs immigration to compensate for the decline in numbers of babies being born here."

Is this really a problem with the increasing levels of automation?

Pxtl 3 days ago 2 replies      
Can we not do this in HN? I've watched many communities I used to enjoy get ruined by flamewars over Islamophobia and immigration, and I'd rather not see that happen here.
_of 3 days ago 0 replies      
I find it surprising that Trump supporters worry about no-go zones in Sweden. Have they ever been to New York City? Have you visited the Bronx, neighborhoods in Brooklyn, or Jamaica in Queens, East New York, and would you consider them safe? NYC is your country, not a foreign country in Europe.
facepalm 3 days ago 0 replies      
They claim the last terrorist attack was 2010, but Wikipedia mentions two incidents in 2015: https://en.wikipedia.org/wiki/2015_Copenhagen_shootings#Krud...

Guess it depends on how you define terrorist attacks...

leereeves 3 days ago 3 replies      
I tried to separate recent crime statistics from the rest of the paper. Turns out there weren't many:

the level [of lethal violence] in 2015 when a total of 112 cases of lethal violence were reported was higher than for many years.

lethal violence using firearms has increased within the context of criminal conflicts. The number of confirmed or suspected shootings was 20 per cent higher in 2014 than in 2006. The statistics also show that 17 people were killed with firearms in 2011, while the corresponding figure in 2015 was 33.

The number of reported rapes in Sweden has risen.

some 13 per cent of the population were the victim of an offence against them personally in 2015. This is an increase on preceding years, although it is roughly the same level as in 2005.

In a report published in February 2016, the Swedish Police Authority identified 53 residential areas around the country that have become increasingly marred by crime, social unrest and insecurity.

stpe 2 days ago 0 replies      
Worth noting is that the "Swedish Defense and National Security Advisor" recently on Fox News, who confirmed Trump's views, has no connection at all to Swedish security or the government; he is even completely unheard of. He has also been living in the US for a long time and has a criminal conviction. So not much of an expert.


nailer 3 days ago 1 reply      
This Vice reporter has an excellent tweetstorm that covers the inaccuracies of both the left and the right with regard to Sweden.

It starts here. I've scraped it with some regexes:


Thread: Both left and right are talking a lot of nonsense about the situation in #Malmo. I was there four weeks ago, reporting on the fatal shooting of 16-year-old Ahmed Obaid, an Iraqi-Swede immigrant with a bright future ahead of him. Here's some actual info for anyone not interested in the shrieking leftist eye covering or racist right wing exaggeration that is surrounding #Malmo atm.

Ahmed (police, family & gang members all agree he was innocent & not affiliated with gangs) was one of three murders in Malmo in Jan 2017. In that month, there were 13 shootings, a small IED explosion and a hand grenade thrown into the lobby of a police station. Statistically this was a sharp increase in violence.

People pretending there's no problem with gang violence in #Malmo need to get real. The problems in #Malmo stem from many things. One big issue is how the Swedish government seems to have pushed its large migrant population in #Malmo into a corner and tried to forget about them.

This, coupled with the lack of employment and easy access to weapons across from Denmark and from the Balkans, has of course created a problem. The unemployment rate for foreign-born men between 16 and 64 in #Malmo is 30%. That compares with 8% nationally. (despite what the Trump lot with their half mast Pepe hard-ons and Wotsit fingers might claim).

A lack of skilled work, discrimination, housing issues, failed assimilation and ridiculously lenient laws toward violence (sorry lefties) all play a role in the very real problems Malmo is facing. There's also a huge lack of support for the police in #Malmo from the Swedish government. They don't have enough officers, are under resourced & with Sweden's laws their power to lock up the criminals they do catch is diminished.

Police in #Malmo seized ~600 weapons in 2016. Some semi-auto rifles & hand grenades. From '16 there're also 13 currently unsolved murders. Whilst reporting in #Malmo, I spoke to the family of Ahmed Obaid, a gangster parading around the streets in a bulletproof vest and with a policeman about all of this. They all agreed, that yes, there IS a big problem in #Malmo and it is being largely ignored.

Unfortunately it's now blown up (excuse the pun) in a way that isn't currently shedding light on anything of substance. You have the right wing pretending there are no go zones (there aren't, that's bullshit), non-stop rape and daily explosions, and you have the left who're pretending it's all milk, honey and racist propaganda. Ignoring the situation in #Malmo doesn't mean it doesn't exist, and exaggerating why doesn't make it so.

TL;DR - #Malmo has a problem with gang related violence, but this cannot be blamed entirely on immigrants, it also cannot be ignored.

andrewclunn 3 days ago 2 replies      
Nobody is interested in generalized studies about immigration or 25 year statistical trends. They want to know what's happened in the last two years or so since the refugee crisis started. So much of what is put forward here just doesn't apply, and blatantly so, that I assume motivated reasoning.
staticelf 3 days ago 0 replies      
"facts"... "government.se".. yeah sure.
RyanZAG 3 days ago 1 reply      
I don't understand what this has to do with HN. Swedish immigration...? How..?

I guess it's interesting enough, but I just don't see the link. Why is it being upvoted so much?

lumberjack 3 days ago 1 reply      
This discussion about whose statistics are more correct, seems to me to resemble those who argue that certain races have statistically higher IQ or statistically higher net worth or are statistically more inclined to be involved in crime.

OK, so you have statistics that show that you are right. What you going to do with them? Start discriminating against every single individual of that particular ethnic group?

thecity2 3 days ago 0 replies      
I think the main issue with Sweden is that they invite a lot of refugees without a great plan to integrate them into their society.
alkonaut 3 days ago 1 reply      
In this discussion, please don't forget to count violence that was avoided because a migrant was able so seek refuge somewhere. It's often overlooked that the fact that someone got out of a war in the first place is a glorious success story to begin with.
chris123 3 days ago 0 replies      
I've lived in Sweden since 2006. The country seems to have changed a lot since then, and especially since around 2014, although they seem to be in denial about it. That's just my personal perception. YMMV.
factsaresacred 3 days ago 0 replies      
OK, I'm going to address two claims together:

> "The number of reported rapes in Sweden has risen. But the definition of rape has broadened over time, which makes it difficult to compare the figures. It is also misleading to compare the figures with other countries, as many acts that are considered rape under Swedish law are not considered rape in many other countries."


> "the main difference in terms of criminal activity between immigrants and others in the population was due to differences in the socioeconomic conditions in which they grew up in Sweden."

Firstly, "socioeconomic conditions" cannot excuse away rape or murder. And even if they could, that's little solace to the victims of these crimes. Secondly, the study they are referring to states that "socioeconomic conditions" can explain 50% to 75% of the difference. Even then, what about the other 25% to 50%?

As for the redefinition of rape, it was expanded in April 2005 to include acts perpetrated against victims in a helpless state, such as being intoxicated. So it's broader but much of what it captures still falls under the term rape in other countries' legislation too. New crimes weren't invented, they were simply shifted from the sexual assault column. Plus it keeps on rising, a decade after the redefinition.

But here's the thing. We can ignore the redefinition and the associated noise, and instead look at trends before 2005 as well as at aggravated rape (Grov våldtäkt) whose frequency is not affected by changing definitions. We can also just see what the crime reports tell us. Let's do that.

Here are the facts:

- Studies in 1996 and again in 2005 showed that foreign-born individuals were 4.7 times more likely to commit a crime of rape and 3.7 times more likely to commit the crime of murder.

- Multiplying each group's proportion of suspects by their absolute size gives us the absolute amount of those suspected of "Rape" for each group. Doing that we find that "Swedes" made up 43.5% of "Rape" suspects, "Half-Swedes" made up 14.6% of "Rape" suspects, and "Foreigners" made up 42% of "Rape" suspects. These are approximations.

- 2005's info is less informative as Sweden stopped publishing info on ethnicity but had this to say in their report: "Immigrants' risk of being registered for crime has not changed in any pronounced way since the previous study conducted by the National Council, which related to the situation at the end of the 1980s"

- Before the change to the penal code in 2005, rapes were rising rapidly. "The number of consummated rapes reported to the police has increased dramatically, more than tripling over the course of the past two decades. A total of 2,261 consummated rapes were reported to the police in the year 2004. It is not possible to exclude the possibility that the dramatic increase in reported rape offences may at least to some extent be the result of an increase in the propensity to report these crimes to the police. On the whole, however, no support was found for interpretations suggesting that this factor, even taken in combination with the effects of the legislative change referred to above, would be sufficient to explain any major part of the increase in the number of reported rapes. Thus it has not been established, but it does not appear unlikely, that the number of rapes committed has in fact increased."

- "Since 1990, the number of reported cases has increased by an average 400 per year. According to the National Council for Crime Prevention (Brå), people's propensity to report has probably increased during this period, but a reasonable assumption is that actual violence against women in close relationships also increased in the 1990s."

- A 1996 BRA (Swedish Criminal statistics) study found that "there any indication that immigrants in Sweden are discriminated in the courts. Immigrant overrepresentation in registered crime is almost certainly real...nor is it caused by any generally lower social economic status (calculated as per SEI code) in Sweden."

- Swedish National Council for Crime Prevention determined that between 1985 and 1989 individuals born in Iraq, North Africa (Algeria, Libya, Morocco and Tunisia), Africa (excluding Uganda and the North African countries), other Middle East (Jordan, Palestine, Syria), Iran and Eastern Europe (Romania, Bulgaria) were convicted of rape at rates 20, 23, 17, 9, 10 and 18 times greater than individuals born in Sweden respectively."

- Eurostat use the ICCS (international classification of crime for statistical purposes) method which standardises types of crimes so that they mean the same thing in different countries. Their stats show rape in Sweden is rising both before and after 2005.

- Audited sentences for rape from 2009 show an over-representation: as many as 48 percent of the rapists were born abroad. (This represents an increase compared to data from 2005, which could point to the phenomenon growing.) Within the category of aggravated rape, the figure was as much as 64 percent.

- Professor Sten Levander, a member of BRÅ's scientific board, in an interview with tabloid Aftonbladet said "That the number of reported rapes has increased so significantly in a short time can not be explained by regulatory changes and increased willingness to report the crime. Scientists believe that certain types of rape may indeed have become more common."

So, yes. Sweden's real rape-rate is rising and, yes, migrants are disproportionately responsible. Often shockingly so.



DanBC 3 days ago 1 reply      
ggdG 3 days ago 0 replies      
I would take these "facts" about migration with a huge rock of salt.

In Sweden, as in other Western European countries, public debate about immigration, islamisation and its consequences to society is being smothered under a suffocating blanket of political correctness.

After the New Year's Eve attacks in Cologne - when on one square, during one night a total of about 1200 women were hemmed in individually and sexually assaulted by a mob of muslim men [1] - the German press and the government managed to keep the events under wraps for four days until the outrage on social media became too great to ignore.

In the slipstream of the press coverage that followed, the Swedish newspaper Dagens Nyheter revealed that similar events had been happening for a couple of years at the summer music festival "We Are Sthlm" in Stockholm [2]. When asked for reasons as to why nothing of this ever became public knowledge, Police chief Peter Ågren is quoted explaining how he performs self-censorship on these kinds of cases so as not to play into the hands of the anti-immigration party Sverigedemokraterna [3][4].

I don't follow Swedish media because of the language barrier but if my experience with Flemish and Dutch media is any indication then this political party might very well be demonised beyond recognition in the Swedish press. People don't like to play into the hands of what they're told to consider as the Second Coming of Lucifer, even when the events turn out to be the very thing this party has been warning about for years.

It would be quite understandable if events like what happened in Stockholm would lead to a moral panic [5], but as soon as it becomes clear that muslim immigrants are the perpetrators, the opposite happens. People will vent their outrage about what happened in a close circle of trusted friends but put on a mask of political correctness to anyone outside that circle. Not unlike the Soviet Union in its heyday. On the other hand, as soon as there is a hint of how racist the native population allegedly is, the press kicks into full moral panic mode.

A striking example of this double standard is the events of 2016 in Belgium. During the arrest of terrorist Salah Abdeslam in Brussels [6], the anti-terror units were pelted with stones and bottles by muslim youth from the Molenbeek neighbourhood where his hideout was. Quite the contradiction to the eternal story we keep hearing about "a few bad apples". So the public broadcaster VRT decided not to mention that pesky detail. Elsewhere it hardly got any coverage until a minister got angry over it [7]. When on the other hand a few racist comments made by native Belgians are found on Facebook among millions of non-racist ones, then this is reason enough for the newspaper "De Morgen" to appear with an entirely black front page [8].

The Swedish government's "fact" sheet puts on a brave face about having immigration-related violence under control. One look at the ever growing list of recent grenade attacks [9] (that they conveniently forget to mention in their factsheet) tells us there is a very serious problem [10]. No mention either of the fact that of the 160,000+ asylum seekers that arrived in 2015 alone, fewer than 500 landed a job [11]. On a total population of 10 million people, hundreds of thousands of relative newcomers - many of them functionally illiterate - are living on benefits without any prospect of ever playing a role in the economy of Sweden, where less than 5% of the jobs are low-skilled [12].

The "factsheet" lambasts its own citizens - who foot the bill for the benefits and the urban unrest - for being islamophobe, for harassing muslims and for discriminating against them on the job market. It misleadingly suggests a muslim share of 1.5% by only counting "muslim faith communities", while the real number is probably at least 6% [13]. Apparently the Swedish government wants us to believe that the other 4.5% have become secular.

The findings of the Dutch scholar Ruud Koopmans, who does research at the Humboldt University in Berlin, tell another story. By conducting surveys among the European muslim population he comes to the conclusion that 40 to 45 percent can be classified as fundamentalist [14][15]. There is also the British Channel 4 docu "What British Muslims Really Think" [16].

That many muslims in Sweden are quite fundamentalist is why the Jewish actor Kim Bodnia decided to quit the crime series "The Bridge": he no longer felt safe in Malmö with its growing antisemitism [17].

And if you think this will all blow over once the children of the first generation immigrants have finished school and are ready for the job market, think again. Second generation muslim immigrants are no better integrated, they are even worse integrated. If you want to look up some stats from Belgium on that topic you hit a stonewall. But the Dutch central bureau for statistics has some solid public data on that.

So one of the disturbing things they found was that for many non-Western minorities the criminality rate increased in the second generation with respect to the first one. Take for instance Moroccans and Turks, as they are important minorities in both Belgium and the Netherlands.

Males with a Moroccan background are almost six times more likely to be a crime suspect than a native Dutchman. Males of Turkish descent more than three times. And when you split up by generation: second generation Moroccans in the Netherlands are almost three times more likely to be a crime suspect than the first generation. Second generation Turks more than two times [18].

So you have a generation of people who were born and spent their entire life in the Netherlands, went to the same schools and got the same education as Dutch kids, and yet they are more of a burden to society and are less well integrated than the first generation of immigrants.

I think you can extrapolate that to other European countries like Sweden and to immigrants with a background in other parts of the world, like the horn of Africa, Syria, Iraq or Afghanistan.

The share of muslims among the European population is also rapidly growing [19] because of a number of factors that amplify each other. First of all there is the continued influx. Then you have family reunification. Add to that the fact that many muslims of 1st, 2nd or 3rd generation prefer to look for a spouse in their country of origin. And there is the higher birthrate among muslims compared to the native population. And finally there are native people who feel alienated in their own country and go try their luck in North America, Australia or New Zealand.

So I think these "facts" are a desperate attempt by the Swedish government to shape perception towards their own interests, and you are better informed when reading the testimony of that courageous Swedish cop:


[1] https://en.wikipedia.org/wiki/New_Year's_Eve_sexual_assaults...

[2] https://en.wikipedia.org/wiki/We_Are_Sthlm_sexual_assaults

[3] http://www.spectator.co.uk/2016/01/its-not-only-germany-that...

[4] http://www.dn.se/nyheter/sverige/assaults-at-the-stockholm-f...

[5] https://en.wikipedia.org/wiki/Moral_panic

[6] https://en.wikipedia.org/wiki/2016_Brussels_police_raids

[7] https://translate.google.com/translate?sl=auto&tl=en&js=y&pr...

[8] https://twitter.com/demorgen/status/760580553850621954

[9] https://en.wikipedia.org/wiki/List_of_grenade_attacks_in_Swe...

[10] http://uk.reuters.com/article/uk-sweden-grenades-idUKKCN0QE0...

[11] http://www.independent.co.uk/news/world/europe/refugee-crisi...

[12] http://www.economist.com/news/finance-economics/21709511-too...

[13] https://en.wikipedia.org/wiki/Islam_in_Sweden

[14] https://www.wzb.eu/en/press-release/islamic-fundamentalism-i...

[15] https://phys.org/news/2015-01-islamic-fundamentalism-margina...

[16] https://www.youtube.com/watch?v=xQcSvBsU-FM

[17] http://www.telegraph.co.uk/news/worldnews/europe/sweden/1216...

[18] https://www.cbs.nl/-/media/_pdf/2016/47/ji2016s_web.pdf, paragraph 1.7, "Proportion of crime suspects by background and background characteristics, 2015*"

[19] https://en.wikipedia.org/wiki/Muslim_population_growth#Europ...

redsummer 3 days ago 2 replies      
eksemplar 3 days ago 3 replies      
jlebrech 3 days ago 0 replies      
the solution is to add checkpoints around those zones.

How to Be a Stoic newyorker.com
410 points by Tomte  2 days ago   233 comments top 29
osti 2 days ago 6 replies      
You desire to LIVE "according to Nature"? Oh, you noble Stoics, what fraud of words! Imagine to yourselves a being like Nature, boundlessly extravagant, boundlessly indifferent, without purpose or consideration, without pity or justice, at once fruitful and barren and uncertain: imagine to yourselves INDIFFERENCE as a power--how COULD you live in accordance with such indifference? To live--is not that just endeavoring to be otherwise than this Nature? Is not living valuing, preferring, being unjust, being limited, endeavouring to be different? And granted that your imperative, "living according to Nature," means actually the same as "living according to life"--how could you do DIFFERENTLY? Why should you make a principle out of what you yourselves are, and must be? In reality, however, it is quite otherwise with you: while you pretend to read with rapture the canon of your law in Nature, you want something quite the contrary, you extraordinary stage-players and self-deluders! In your pride you wish to dictate your morals and ideals to Nature, to Nature herself, and to incorporate them therein; you insist that it shall be Nature "according to the Stoa," and would like everything to be made after your own image, as a vast, eternal glorification and generalism of Stoicism! With all your love for truth, you have forced yourselves so long, so persistently, and with such hypnotic rigidity to see Nature FALSELY, that is to say, Stoically, that you are no longer able to see it otherwise-- and to crown all, some unfathomable superciliousness gives you the Bedlamite hope that BECAUSE you are able to tyrannize over yourselves--Stoicism is self-tyranny--Nature will also allow herself to be tyrannized over: is not the Stoic a PART of Nature? . . . But this is an old and everlasting story: what happened in old times with the Stoics still happens today, as soon as ever a philosophy begins to believe in itself. 
It always creates the world in its own image; it cannot do otherwise; philosophy is this tyrannical impulse itself, the most spiritual Will to Power, the will to "creation of the world," the will to the causa prima.


mmmBacon 2 days ago 5 replies      
I have embraced certain aspects of stoic philosophy in my life. In particular I've found The Meditations by Marcus Aurelius to be helpful and practical. I struggle with my temper and in the last few years my temper has affected my career growth. These stoic works have helped me get a better grip on things when dealing with especially difficult people. I'm not a person who reads self help books nor am I into cheesy or trendy philosophies. I usually roll my eyes at this stuff. But I have found a framework in stoicism that has helped me overcome some of my limitations and helped me achieve some of my goals.
FabHK 2 days ago 1 reply      
Here are some great contemporary introductions to Stoicism:

1. William B. Irvine, "A Guide to the Good Life: The Ancient Art of Stoic Joy", https://www.amazon.com/Guide-Good-Life-Ancient-Stoic/dp/0195...

This is an introduction to Stoic thought as it applies today by a professor in philosophy, very clearly written. Great for first exposure. It (sensibly) skips some of the more arcane stuff, such as Stoic metaphysics (historically relevant, but really obsolete).

2. Donald Robertson, "Stoicism and the Art of Happiness", https://www.amazon.com/Stoicism-Art-Happiness-Teach-Yourself...

This is a touch more academic and historic on one hand, and very practical and text-book-like on the other hand, in that it has self-assessments, key points, exercises for every section. Excellent second book. The author also has a course, blog and FAQ at http://donaldrobertson.name

3. Epictetus' Enchiridion is available on Project Gutenberg, btw. It's very short, and many things are not really relevant today anymore, yet surprisingly many sections still "speak to us".

4. Note also that Tom Wolfe's huge novel "A Man in Full" is suffused with Stoic themes.

I find Stoicism quite wise, and still substantial enough when you subtract all the obsolete superstition (which cannot be said of, for example, Abrahamic religions). Certainly good for tranquility and empathy. Sometimes hard to translate into positive action, though, I find.

hartator 2 days ago 3 replies      
I can't recommend enough "A Guide to the Good Life: The Ancient Art of Stoic Joy" by Irvine, William B.

I am 2/3 into it, maybe one of the best philosophy books I've ever read.

Mendenhall 2 days ago 3 replies      
Saw a few remarks about the "bleakness" or "uncaring" of the "universe".

That view of the universe is in error, people are part of the universe and they certainly care. To view the universe without humanity is to not view the universe.

There is bleakness in the universe for sure, but there is also compassion and caring.

jwdunne 2 days ago 2 replies      
What is perhaps most interesting about stoicism is how it influenced cognitive therapy and CBT in a big way. These forms of therapy, along with derivatives that integrate practical ideas from Buddhism such as DBT and radical acceptance therapy, have been seen to perform as well as medication and in some cases providing longer term improvements.

I think both the stoics and Buddhism were definitely on to something.

Arun2009 2 days ago 1 reply      
> Albert Ellis came up with an early form of cognitive-behavioral therapy, based largely on Epictetus' claim that it is not events that disturb people, it is their judgments concerning them.

This actually is presented in Buddhism too, which was where I first encountered it before re-discovering similar principles in stoicism and Ellis's Rational Emotive Behavior Therapy. See this sutta: http://www.accesstoinsight.org/tipitaka/sn/sn36/sn36.006.tha...


"When touched with a feeling of pain, the uninstructed run-of-the-mill person sorrows, grieves, & laments, beats his breast, becomes distraught. So he feels two pains, physical & mental. Just as if they were to shoot a man with an arrow and, right afterward, were to shoot him with another one, so that he would feel the pains of two arrows; in the same way, when touched with a feeling of pain, the uninstructed run-of-the-mill person sorrows, grieves, & laments, beats his breast, becomes distraught. So he feels two pains, physical & mental."

But what is nice about Buddhism is that there is a practical skill-training that comes along with the theory. When disagreeable events happen to you, mindfulness training teaches you not to grasp on to the events automatically and start your own narrative about it, but instead, observe them mindfully. This gives you the opportunity to skillfully deal with the situation. REBT in addition implores you to consider the situation rationally.

These are troubling times (especially where I live in India), and I think a little bit of stoic + Buddhist teachings can go a long way in maintaining our composure even as we engage with the world. I still struggle with this from time to time, but I would have been completely lost without these teachings.

s_kilk 2 days ago 4 replies      
[Shameless plug] You can read Marcus Aurelius' "Meditations" at http://directingmind.com
factsaresacred 2 days ago 3 replies      
"For such a small price, I buy tranquillity." Beautifully put.

The Penguin edition of fellow stoic Marcus Aurelius' Meditations is free on Amazon Kindle: https://www.amazon.com/Meditations-Marcus-Aurelius-Wisehouse...

manmal 2 days ago 20 replies      
One interesting thing I've noticed is that ancient Stoics have not rebuked the concept of god (or "the universe"), a higher power that determines all the things that are not in our control (as a Stoic you very much need to distinguish between things in and outside of your control). I have found it difficult to really, deeply, accept things as out of my control without resorting to some concept of god or "the universe as a well-meaning entity".

Is there someone among you HNers who has retained a positive outlook by believing that the universe is a bleak, chaotic place with no intrinsic meaning to the things happening in it?

vram22 2 days ago 1 reply      
I had read a book by Epictetus some years ago. Liked it. Forget the book name now. It was about living simply, not getting overly affected (mentally or emotionally) by circumstances or things that happen to you, and a lot more stuff along those lines, and other things too.

Basically Stoicism, I suppose, though I've not looked up the term in detail.

I also like this quote by him which I read long ago:

"Practice yourself, for heaven's sake, in little things, and thence proceed to greater."




The Stockdale Paradox is also interesting. Stockdale was influenced by Epictetus.


gfiorav 2 days ago 1 reply      
Well, it turns out I've been a stoic all this time, I'm finding out.

It blows me away how that part about taking every problem as a chance to learn and become a better "wrestler" fits right in with my natural conclusions. The rest of it describes me adequately also.

I'm reading Epictetus now, thanks for sharing.

Kenji 2 days ago 1 reply      
Note that stoicism is NOT rejecting and ignoring your feelings. If you feel bad about something, that too is a fact that you have to accept and deal with in the best way possible. Stoicism is about keeping your head up in the face of adversity, and not about becoming a hardened robot capable of taking any punishment. I think a lot of people on HN might get this wrong.
Pamar 2 days ago 0 replies      
Allow me to share my collection of links to Stoicism resources (which I will soon update with this)


RivieraKid 2 days ago 2 replies      
What's up with all those submissions about stoicism on HN, is that some new SV fad?
hartator 2 days ago 2 replies      
Kudos for writing about Stoicism. However, I think it's a pretty weak article. No mention of negative visualization or Seneca while both are roots of the Stoic philosophy.
camdenlock 2 days ago 1 reply      
Hmm. To be honest, this philosophy seems like a flowery and overstuffed version of secular mindfulness, like an earlier step along the evolutionary path to what would eventually be a really simple, straightforward strategy for learning about and being with one's own mind in a skillful way.

If it helps you suffer less: great. But before you dive in, know that you might be able to save a lot of time and avoid a lot of jargon by learning about mindfulness from a secular source.

ziikutv 2 days ago 1 reply      
I love learning about Archaeology and, as a corollary, some of the philosophies of civilizations.

Stoicism has been one of the most appealing ones to me. However, one issue I have with Stoicism is similar to that of religions.

Most people who follow Stoicism or any other religion tend to pick and choose what is the best fit for them.

Stoicism is not about giving up anything (common misunderstanding) but it IS to moderate everything including things like our carnal desires. I do not think anyone does this nowadays.

Does this mean we need a Stoicism 2.0 like we do in many religions? _______ 2.0? Not entirely sure...

heisenbit 2 days ago 0 replies      
Currently also on HN, and a much deeper article on stoicism: On Anger, Disgust, and Love: Interview with Martha Nussbaum



In a section further down the article she discusses the books "Upheavals of Thought" and "Therapy of Desire". There she elaborates how stoicism and emotions relate in a fairly comprehensive way.

ArkyBeagle 2 days ago 0 replies      
Can anyone shed light on why so many Stoic societies/clubs seem to be essentially religious? The Stoics I have read do not seem to be particularly religious nor of any particular creed - some were polytheist, some were monotheist, some seem to nearly be agnostic or atheist.
nnd 2 days ago 3 replies      
I haven't dug deep into stoicism, but it appears to have a lot of overlap with buddhist philosophy. Is that a fair comparison?
hvass 2 days ago 0 replies      
Other than this, the author has some great writing and you can read a recent interview with her over at The Daily Stoic: https://dailystoic.com/elif-batuman-interview/
janvdberg 2 days ago 0 replies      
Tim Ferriss (from fourhourworkweek.com) also talks (podcast) and writes a lot about this subject: http://tim.blog/stoic/
mikehain 2 days ago 0 replies      
Another classic book to look at is "Letters from a Stoic" by Seneca the Younger, published by Penguin Classics. Seneca is perhaps my favorite of the Stoics.
howfun 2 days ago 0 replies      
This reminds me of Richard Feynman's quote "I am not responsible for the world I live in" from his first autobiographical book.
cylinder 2 days ago 1 reply      
What if I want to suffer more? I want to be less okay with all my procrastination, my job situation, my lack of willpower in the face of adversity, and more. I want to take my failures more personally - I want losing to be painful like it is for Michael Jordan, I'm presently too content with it.
Pica_soO 2 days ago 0 replies      
The doormat really tied the throne-room together
lngnmn 2 days ago 0 replies      
Not sure if a hipster's magazine could be an authoritative source.

The first paragraph told me that I should stop reading and what kind of Stoicism I would find below.

jvanderbot 2 days ago 0 replies      
Oh look, it's the new mindfulness.

Id Software Programming Principles felipe.rs
334 points by philix001  2 days ago   76 comments top 8
a3n 2 days ago 11 replies      
> Write your code for this game only - not for a future game. You're going to be writing new code later because you'll be smarter.

This really stood out for me. I'm always tempted, while writing something specific, to generalize it. I try to resist that, when I recognize it. Writing a ThingThatImWritingFramework risks ThingThatImWriting never seeing the light of day, or never being used.

lubujackson 2 days ago 0 replies      
It reads like a "get shit done" manifesto, and good rules of thumb for most programmers tasked with doing just that. Worth remembering that iD had some of the most advanced 3D and networking code for years and really pushed the envelope and the industry forward in many ways (first huge shareware company, first big company to allow mods, first big company to make code open source, etc.)

It is easy to slide into an OCD mindset when programming, to make things tidy and proper. It feels dirty to make stuff just work, to make stuff disposable, but evolution operates a lot like this - many little, reversible mistakes that add up to big improvements quicker than any other method.

kensai 2 days ago 1 reply      
> Programming is a creative art form based in logic. Every programmer is different and will code differently. It's the output that matters.

This one is also nice, especially for mid to large software houses. As long as a common denominator is respected, I guess.

tluyben2 2 days ago 0 replies      
Some of these things, like focusing on the task at hand and trying to be as simple as possible, not thinking too much about the potential futures, are important to me. If everyone did that, maybe there would not be 1000s of weird half-baked npms and such.
eps 2 days ago 2 replies      
I'd be very curious to hear Carmack's take on this. After all, Romero was making game levels, not the engines.
hyperpallium 1 day ago 1 reply      
This is first class post-hoc bullshit. They weren't making prototypes or reusing code, they sure as hell weren't composing high-sounding principles.

They just got on with it because they were talented, experienced and motivated. For that reason, the rest of the talk is very inspiring - so listen to the hour-long video (half talk, half questions), and not the article, which only has the post-hoc bits. https://youtu.be/E2MIpi8pIvY

Hansi 2 days ago 8 replies      
> "No prototypes. Just make the game. Polish as you go. Don't depend on polish happening later. Always maintain constantly shippable code."

I disagree with this so much. Prototypes and proofs of concept teach you so much, but usually they are crap; you will always write it better a second time. Throw away the prototype and re-write it as a much better implementation.

partycoder 1 day ago 0 replies      
He described how literally hundreds of projects were successfully completed in C, targeting multiple platforms, while being first to market with innovative technology, with a small team in a pre-Internet world.

These are achievements beyond belief.

Fasting diet 'regenerates diabetic pancreas' bbc.com
286 points by ramblenode  3 days ago   111 comments top 19
micro_cam 3 days ago 5 replies      
Diabetic and former Diabetes genetic researcher here.

To paraphrase an old mentor, curing diabetes in mice is kind of the sport of the field. It's been done a number of times. Mice have some abilities to regrow tissue we don't. It's unclear how well various mouse models for diabetes mimic the human phenotypes.

I am very hopeful for this line of research in general, but I expect any cure in humans will be more complex and perhaps also deal with somehow suppressing the immune response that destroys the beta cells in type 1's like myself. For a type 1, the best I'd expect something like this to be able to achieve is a temporary return to the "honeymoon" period, where the pancreas still produces enough insulin to make small adjustments but supplemental insulin is required.

On a personal level I have found that diet can have massive effects on my diabetes management. I may try a diet like this (with the advice of a doctor in adjusting insulin to handle it well etc., and with the realization I may need to break the diet to treat low blood sugars etc.). Edit: I also use a continuous glucose monitor, which helps greatly with avoiding low blood sugars while changing diet/activity levels, and recommend one to any other diabetics.

jimrandomh 3 days ago 1 reply      
I have gone through this thread and given a downvote to every post that's giving dangerously-incorrect medical advice. Which seems to be most of them.

I don't expect anyone who's actually diabetic to fall for this; every T1 diabetic is in practice forced to become an expert. But, for the sake of confused bystanders: for a diabetic using insulin, fasting is dangerous. That's not an abundance of caution thing; we diabetics micromanage a key part of our metabolism using insulin, and if we leave the range of metabolic states we're familiar with we'll get insulin dosages wrong. The most likely outcome of trying to fast for a day would be being forced to abort the fast by hypoglycemia.

karmel 3 days ago 0 replies      
It is worth noting that while there is evidence that murine beta cells can regenerate even late into life, there is very little indication that human beta cells can do the same. Many beta cell regeneration studies die in between mouse and human studies. Some more on the questions around regeneration here: http://diabetes.diabetesjournals.org/content/59/10/2340 with discussion of human versus rodent toward the end.
bresc 3 days ago 15 replies      
I don't understand why it's potentially so dangerous to try it out on your own. Fasting is kinda natural. Assuming you go back to the roots and live in the forest, you are not going to eat every day... so why is it suddenly so dangerous? Some explanation on the risks would have been helpful.
hannob 3 days ago 1 reply      
Yesterday: BBC story about replication problems in science and weak studies at the top of hacker news.

Today: Story about a weak, non-replicated animal study at the top of hacker news.

austinjp 3 days ago 0 replies      
rb1 3 days ago 1 reply      
AFAIK, type 1 diabetes is thought to be an autoimmune disease, where the immune system incorrectly identifies the beta cells as an infection/foreign body and destroys them.

With that in mind, I wonder how effective this actually is. I (I'm a T1 diabetic) grow some new beta cells, my overly aggressive immune system wipes them out again..

EDIT: reading the reddit thread (https://www.reddit.com/r/science/comments/5vufpb/the_pancrea... - thanks austinjp) I'm not the only one to ask this. The general consensus is it's not going to be useful for T1 diabetics; it's just treating the symptoms, not the cause (the immune system), again (like injecting insulin).

cromulent 3 days ago 1 reply      
A friend of mine was on the brink of Type 2 diabetes and reversed the symptoms / indicators after reading about the Newcastle University study. Worked for him.

DrScump 3 days ago 0 replies      
PDF of the paper in Cell, with images:


Details on the human feedings:

"The human version of the FMD is a proprietary formulation belonging to L-Nutra (http://l-nutra.com/prolon/). It is a plant-based diet designed to attain fasting-like effects on the serum levels of IGF-I, IGFBP1, glucose and ketone bodies while providing both macro- and micronutrients to minimize the burden of fasting and adverse effects (Brandhorst et al., 2015). Day 1 of the FMD supplies 4600 kJ (11% protein, 46% fat, 43% carbohydrate), whereas days 2-5 provide 3000 kJ (9% protein, 44% fat, 47% carbohydrate) per day. The FMD comprises proprietary formulations of vegetable-based soups, energy bars, energy drinks, chip snacks, tea, and a supplement providing high levels of minerals, vitamins and essential fatty acids (Figure S3). All items to be consumed per day were individually boxed to allow the subjects to choose when to eat while avoiding accidentally consuming components of the following day. For the human subjects, a suggested FMD meal plan was provided that distributes the study foods to be consumed as breakfast, lunch, snacks, and dinner. (See lists below for ingredients and supplements)"

hajderr 3 days ago 0 replies      
I'm a fan of fasting, thanks for sharing this!

All guys/gals with any sort of disease, I pray you all get well and better soon!

johnspiral 3 days ago 1 reply      
Type 1 diabetic here. I'm sure if you still retain a small amount of basal insulin, in combination with regular glucose monitoring, I can't see how it would be dangerous? The real danger would be the billion dollar insulin business looking to discredit this research.
eyugwefuy 3 days ago 0 replies      
How to read this thread: "what's right _for me_" not "what's right".

Also, it's impractical to fast when you have work to do and meetings. You risk becoming cranky and grumpy and pissing colleagues off. Better to fast when you have a day off or at night.

amelius 3 days ago 2 replies      
> He told the BBC: "It boils down to do not try this at home, this is so much more sophisticated than people realise." He said people could "get into trouble" with their health if it was done without medical guidance.

Ok, where can I find more information?

gukov 3 days ago 1 reply      
If T1D is properly managed (frequent testing, insulin injection every meal), fasting actually poses less danger than a typical diet that has carbs in every meal. Carbs set you up for a wild swing.
perseusprime11 3 days ago 0 replies      
There was a headline yesterday on HN that most scientific results cannot be peer reviewed. Maybe this too falls in that category and we have to take it with a grain of salt.
overcast 3 days ago 1 reply      
Apparently I've been fasting daily pretty much most of my adult life. Last meal between 17-20, I generally never eat breakfast, and then eat lunch between 12-14. Maybe that explains why I'm rarely sick, and haven't been to a doctor since I was fourteen?
sdiepend 3 days ago 0 replies      
Recent related discussion from hn: https://news.ycombinator.com/item?id=13686671
mrfusion 3 days ago 3 replies      
I'm confused. I thought type 2 diabetes was cells becoming resistant to insulin. Not anything wrong with the pancreas.
dghughes 3 days ago 0 replies      
As someone with diabetes on both sides of my family this sounds dangerous even under a doctor's supervision.
My 2015 MacBook Pro Retina Exploded medium.com
360 points by zepolen  12 hours ago   200 comments top 34
WildUtah 11 hours ago 3 replies      
> I removed the back plate to observe the damage and hopefully see if the hard disk had survived.

Apple has solved this problem in the current models. There's no longer any way for the hard disk to leave you in doubt. It's now fused to the motherboard permanently so that it cannot be recovered even if it does survive some kind of trouble.

Keep your backups up to date.

coldtea 11 hours ago 3 replies      
> After reading up on the matter it seems that lithium batteries can swell, and there have been numerous reports in the past about older MacBook batteries swelling up and catching fire; however with the newer unibody laptops there is no way you can see this swelling happening.

That's true. Damn, Apple, how about a bloody sensor for such stuff at least to give an early warning?

> If you have a MacBook be careful leaving it unattended on the bed, battery fires burn hot and fast with little time to react.

Whereas if you have any other brand it's OK?

Millions of computer users were on red alert last night after they were warned that their laptops could burst into flames at any moment. In an extraordinary admission, the world's largest computer firm, Dell, said yesterday that 4.1 million laptops are at risk. The computer giant was forced to confess that problems with the laptop's batteries, made by Sony, means they are a major 'fire hazard'.


josefdlange 12 hours ago 7 replies      
I get the whole "cautionary tale" thing, but you should probably contact Apple to remedy both your personal loss and so that they have more information about failing components. In my experience they take this stuff very seriously.
Animats 10 hours ago 3 replies      
How much extra space did Apple allow around the battery for swelling? Samsung's problem seems to be that they fit the battery in so tightly that if it ever swells, it's contained by the limited space. Then pressure builds up until it shorts, goes into thermal runaway, and catches fire.[1]

Maybe it's time to require that anything bigger than a phone use lithium-iron-phosphate battery technology, which doesn't have a thermal runaway problem. Most pro power tools already do; it's expected that they will be used hard and abused. So do "Boosted" brand electric skateboards, and many (all?) second generation UL approved "hoverboards". If it's going to be banged around, that seems to be the way to go.

There's a 14% energy density penalty with lithium-iron-phosphate batteries vs regular lithium-ion. They're also more expensive. But the "does not blow up or catch fire" feature is worth it. Here's a video of someone driving a 3" nail through a LiFePO4 battery.[2] Five minutes of heavy white smoke and some runny black stuff, but no flames or explosion. Compare the standard nail test (done by remote control) of a Li-ion battery.[3]

[1] https://www.cnet.com/news/why-is-samsung-galaxy-note-7-explo...

[2] https://www.youtube.com/watch?v=EMARDvMz62A

[3] https://www.youtube.com/watch?v=f30fBFitkSM

busterarm 12 hours ago 5 replies      
The last time I took my 2015 rMBP on a flight with me, TSA saw my laptop on the scanner and the guy at the machine's eyes bugged out while he did a double take. They swabbed the crap out of my laptop, detected nothing and then let me through.

I was confused and didn't understand why, but I wonder if maybe battery swelling is why.

teekert 11 hours ago 1 reply      
Hmm, reading this I think my old Kindle Keyboard has a swollen battery. I googled a bit and found this excellent write-up [0]. It suggests to stop using it immediately. Bummer! I have been using it for 2 years now (I think) in the swollen state...

[0] https://www.howtogeek.com/244846/what-to-do-when-your-phone-...

mynegation 12 hours ago 2 replies      
I do not know what happened, but given that a bed is in the picture, it could be that the laptop was put on a blanket or a pillow, which closed the air ducts.

Having said that, of course, safety mechanisms should have shut down everything before the temperature goes into the proximity of the danger zone.

awiesenhofer 12 hours ago 2 replies      
Defective batteries aren't that new to Apple, I remember having to exchange the battery from my white pre-unibody MacBook twice because it was swollen by over a centimeter. There was a recall even IIRC. Of course, back then you could swap it out yourself.
nodesocket 43 minutes ago 0 replies      
As a shareholder, curious what Apple said and did as a response. Did they offer a brand new MacBook free of charge?
ipsin 12 hours ago 3 replies      
If unseen swelling is a problem, couldn't you fix it with a simple sensor, like a fragile paper tape conductor that goes around the battery?

It swells, the circuit goes dead, and that's the signal for the charger to stop charging.

bratsche 9 hours ago 0 replies      
There have been a number of stories about laptops and mobile phones exploding due to issues with batteries. Fortunately the author here managed to get the Mac into a reasonably safe place just before it really exploded and he got away with only blistered fingers.

What I'm curious about is, are companies like Tesla able to put some sort of safety precautions into their cars and their PowerWall to prevent this from happening and to alert the user that something in their battery is horribly wrong? An electric car battery is way bigger than a Mac's battery, but at least the car owner has the chance to get out of the car and get away from it. But a Powerwall? If it's going to blow up is it going to burn your house down in the process?

evo_9 12 hours ago 2 replies      
Unsurprisingly even Apple laptops require ventilation; I thought it was common knowledge that you can easily destroy any laptop by running it on a soft, heat multiplying surface like a bedspread....
jimrandomh 8 hours ago 0 replies      
> There was a bang as I backed away causing the back to pop and smoke kept pouring out. It kept sizzling for a few minutes and then finally it stopped.

> The house had filled up with smoke everywhere, the acidic stench of melted plastic made my eyes water.

> After I had opened up all the windows in the house and cleared out the smoke, ...

Wrong answer. The correct answer was "leave the building and call the fire department". You really, really do not want to breathe the smoke from a battery fire.

BadassFractal 12 hours ago 1 reply      
Had a portable bluetooth speaker do the same to me while I was in the same room with it, it was simply charging, wasn't even being used. Also very fortunate to be able to extinguish it right on the spot before it set the apartment and consequently the building on fire. I've grown pretty skeptical of that sort of batteries after the fact, but there's not much you can do about it at this point since there's one in almost every device you can think of. It's like sitting on an explosive device that can go off anytime without any notice.
PascLeRasc 12 hours ago 1 reply      
Is there some way to tell if a battery is swelling using CoconutBattery? Like some sudden dropoff in capacity?
hasbroslasher 12 hours ago 1 reply      
Didn't Samsung already patent this feature?
DenisM 12 hours ago 4 replies      
Well, one more thing to worry about. Should I leave my MacBooks in the bathroom sink when going out?
rickyc091 9 hours ago 0 replies      
One thing I'm curious about is if the author noticed a bulge before the laptop exploded and brought it to the Apple store. I had a similar problem, as I noticed the laptop was uneven as I was typing. Noticed there was a bump on the bottom and brought it to the store to have it repaired. Not saying it's ideal, but there might have been a chance it could have been prevented before it got too far out of hand.
dfsegoat 10 hours ago 0 replies      
Just curious if there is a manufacturer+model and/or lot number that is still legible on the battery or an old system report output? Have been having some weird overheating and "hard off" power-issues with my 2015 MBP --- and now am pretty concerned about this.

It is a remanufactured from Apple though. So I know the battery was replaced. But still...

BWStearns 9 hours ago 0 replies      
Similar thing happened to my retina external display the other week and I had to unplug my monitor and run it out to my balcony while I could see flames in the display (though I assume the root of the problem was different as there is no battery). Luckily it suffocated itself pretty quickly.
doctorwho 11 hours ago 0 replies      
This has been a problem since forever. I had one of the first Intel Macbooks and the damned thing blew up 2 batteries. They swelled up to about 4 times their original thickness overnight. Luckily, they didn't explode but after the second incident the Macbook got recycled with extreme prejudice.
HugoDaniel 10 hours ago 0 replies      
Apple has a page dedicated to batteries


roryisok 10 hours ago 1 reply      
yikes. I have two very swollen lithium batteries in my shed from two old mbps I've been meaning to ditch. I had no idea they could spontaneously combust. I'll be getting rid of them tomorrow!
partiallogic 10 hours ago 0 replies      
I'd be interested to know how the bathroom tiles look and whether people recommend to do the same in a similar situation.
erdojo 9 hours ago 1 reply      
If you sit a MBP on a pillow, the fan circulation is significantly reduced, causing overheating. It also depends on your CPU usage...running with a few dozen tabs open while editing videos? Yikes, hot.

One other thing: if you smoke, residue can also reduce the effectiveness of cooling systems and affect system performance.

EDIT: Not suggesting this was the OP's fault, just suggesting there are logical ways to reduce this risk.

ZoFreX 10 hours ago 0 replies      
Pretty lucky he dealt with it so quickly. A mattress fire is not a trivial thing to deal with!
JustSomeNobody 11 hours ago 2 replies      
> After reading up on the matter it seems that lithium batteries can swell...

People really need to be educated on battery chemistry when they buy battery operated products. Here's a programmer, so I assume he has some technical abilities/interests, and yet even he doesn't seem to know that some batteries can do this.

zeveb 10 hours ago 1 reply      
This really worries me: I own three laptops, use a fourth for work and thus I often have three and sometimes four laptops fully-charged at home. What exactly are the parameters under which an unattended laptop may catch fire? Only when the laptop itself is running? Only if running and heat exchange is impeded?

I honestly don't know, and that worries me.

pimlottc 11 hours ago 2 replies      
This is definitely frightening but "exploded" sounds a bit hyperbolic to me. Every time I've read about an "exploding" phone or other device it seems like "caught on fire" would be a more accurate description.
John23832 12 hours ago 2 replies      
Given the debacle that was the Note 7 (which came from Samsung's obsession with thinness), I'm surprised we don't see more of these super thin devices catching fire. Luckily nobody was seriously hurt.

Next-gen's MBP will be .5 inches slimmer.

yourapostasy 11 hours ago 2 replies      
Perhaps Apple can attach a capacitor sufficient to drive the new touch bar, or make the touch bar e-ink, then display an overheat warning and prevent the power button from operating?
bpsagar 12 hours ago 1 reply      
Similar thing happened with my iMac. Heard the hissing noise and smoke started rising up from behind the screen. Quickly switched off the power supply; thankfully it didn't explode, but I couldn't get it fixed after that. They claimed that they weren't supporting that model anymore.
kippfe 12 hours ago 0 replies      
Did heat/ventilation cause it? Using a notebook not on a flat surface is the cause of a heated unit.
theandrewbailey 11 hours ago 0 replies      
> After I had opened up all the windows in the house and cleared out the smoke, I removed the back plate to observe the damage and hopefully see if the hard disk had survived.

> Didn't look like it:

I agree. This is the first time I've seen a hard drive transform into (what looks like) an SSD under any condition.

       cached 28 February 2017 05:11:01 GMT